# How to make file systems visible in jail



## Youzhong Yang (Nov 13, 2017)

Hello,

I've been exploring FreeBSD for a few weeks. I am trying to do something that can be done easily in Linux docker or Solaris/illumos zone, but failed to find equivalent way of doing so in FreeBSD jail.

Suppose in the host I have the following mountpoints:
/vmgr
/vmgr/subdir1
/vmgr/subdir2
/vmgr/subdir3
...

All of the above are different zfs file systems (or datasets). New file systems could be created and old ones removed under /vmgr.

All I want to do is to have the jail instances see what the host can see, i.e. all under /vmgr, across file systems. zfs datasets delegation is not an option, because I want the host, and all jail instances all see the same mount points/directory structure.

In Linux, this can be done by specifying '--mount bind-propagation=shared,type=bind,source=/vmgr,target=/vmgr' when starting the docker instance; in Solaris/illumos, this can be achieved by mounting /vmgr through lofs (loopback file system) in the zone.

I read nullfs manual, it does not seem to help, because it won't cross file system boundaries.

Is this possible in FreeBSD?

Thanks,

--Youzhong


----------



## SirDice (Nov 13, 2017)

See jail(8):

```
enforce_statfs
             This determines what information processes in a jail are able to
             get about mount points.  It affects the behaviour of the
             following syscalls: statfs(2), fstatfs(2), getfsstat(2), and
             fhstatfs(2) (as well as similar compatibility syscalls).  When
             set to 0, all mount points are available without any
             restrictions.  When set to 1, only mount points below the jail's
             chroot directory are visible.  In addition to that, the path to
             the jail's chroot directory is removed from the front of their
             pathnames.  When set to 2 (default), above syscalls can operate
             only on a mount-point where the jail's chroot directory is
             located.
```


----------



## Youzhong Yang (Nov 13, 2017)

Setting enforce_statfs to 0 does make mount points available in the jail, but not accessible:


```
root@freebsd-dev:~ # df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default    188G    4.1G    184G     2%    /
devfs                 1.0K    1.0K      0B   100%    /dev
zroot/tmp             184G     88K    184G     0%    /tmp
zroot/usr/home        184G     88K    184G     0%    /usr/home
zroot/usr/ports       184G    666M    184G     0%    /usr/ports
zroot/usr/src         184G    633M    184G     0%    /usr/src
zroot/var/audit       184G     88K    184G     0%    /var/audit
zroot/var/crash       184G     88K    184G     0%    /var/crash
zroot/var/log         184G    180K    184G     0%    /var/log
zroot/var/mail        184G     96K    184G     0%    /var/mail
zroot/var/tmp         184G     88K    184G     0%    /var/tmp
zroot                 184G     88K    184G     0%    /zroot
zroot/vmgr            184G     14M    184G     0%    /vmgr
zroot/vmgr/bse        184G    112K    184G     0%    /vmgr/bse
zroot/vmgr/yyang      184G    3.2M    184G     0%    /vmgr/yyang

root@freebsd-dev:~ # cat /usr/local/etc/ezjail/jailtest
export jail_jailtest_hostname="jailtest"
export jail_jailtest_ip="lo1|127.0.1.1,em0|172.30.212.248"
export jail_jailtest_rootdir="/usr/jails/jailtest"
export jail_jailtest_exec_start="/bin/sh /etc/rc"
export jail_jailtest_exec_stop=""
export jail_jailtest_mount_enable="YES"
export jail_jailtest_devfs_enable="YES"
export jail_jailtest_devfs_ruleset="devfsrules_jail"
export jail_jailtest_procfs_enable="YES"
export jail_jailtest_fdescfs_enable="YES"
export jail_jailtest_image=""
export jail_jailtest_imagetype=""
export jail_jailtest_attachparams=""
export jail_jailtest_attachblocking=""
export jail_jailtest_forceblocking=""
export jail_jailtest_zfs_datasets=""
export jail_jailtest_cpuset=""
export jail_jailtest_fib=""
export jail_jailtest_parentzfs=""
export jail_jailtest_parameters="persist allow.raw_sockets=1 enforce_statfs=0 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1 allow.mount.devfs=1"
export jail_jailtest_post_start_script=""
export jail_jailtest_retention_policy=""

root@freebsd-dev:~ # cat /etc/fstab.jailtest
/usr/jails/basejail /usr/jails/jailtest/basejail nullfs ro 0 0
tmpfs /usr/jails/jailtest/samba-var tmpfs rw,mode=755,size=8192M 0 0

root@freebsd-dev:~ # ezjail-admin start jailtest

root@freebsd-dev:~ # ezjail-admin console jailtest

root@jailtest:~ # df -h
Filesystem             Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default     188G    4.1G    184G     2%    /
devfs                  1.0K    1.0K      0B   100%    /dev
zroot/tmp              184G     88K    184G     0%    /tmp
zroot/usr/home         184G     88K    184G     0%    /usr/home
zroot/usr/ports        184G    666M    184G     0%    /usr/ports
zroot/usr/src          184G    633M    184G     0%    /usr/src
zroot/var/audit        184G     88K    184G     0%    /var/audit
zroot/var/crash        184G     88K    184G     0%    /var/crash
zroot/var/log          184G    180K    184G     0%    /var/log
zroot/var/mail         184G     96K    184G     0%    /var/mail
zroot/var/tmp          184G     88K    184G     0%    /var/tmp
zroot                  184G     88K    184G     0%    /zroot
zroot/vmgr             184G     14M    184G     0%    /vmgr
zroot/vmgr/bse         184G    112K    184G     0%    /vmgr/bse
zroot/vmgr/yyang       184G    3.2M    184G     0%    /vmgr/yyang
/usr/jails/basejail    188G    4.1G    184G     2%    /usr/jails/jailtest/basejail
tmpfs                  8.0G    4.0K    8.0G     0%    /usr/jails/jailtest/samba-var
devfs                  1.0K    1.0K      0B   100%    /usr/jails/jailtest/dev
fdescfs                1.0K    1.0K      0B   100%    /usr/jails/jailtest/dev/fd
procfs                 4.0K    4.0K      0B   100%    /usr/jails/jailtest/proc

root@jailtest:~ # ls -l /vmgr
ls: /vmgr: No such file or directory
```

If in the host I set the mountpoint of zfs dataset zroot/vmgr to /usr/jails/jailtest/vmgr, then yes, all of them are visible and accessible (/vmgr/...), but this only works for one jail instance.


----------

