# How can I mount a nullfs inside a jail (iocage)?



## rainer_d (Oct 13, 2018)

I have the following in /etc/sysctl.conf:


```
security.jail.mount_allowed=1
#security.jail.param.allow.mount=1

security.jail.param.allow.mount.nullfs=1
security.jail.mount_nullfs_allowed=1

security.jail.param.allow.mount.devfs=1
security.jail.mount_devfs_allowed=1
```

and for the jail:


```
(jailhost </root>) 0 # iocage get all php70 |grep mount
allow_mount:1
allow_mount_devfs:1
allow_mount_nullfs:1
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
jail_zfs_mountpoint:none
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
```


Yet, I get a permission denied when I try to nullfs mount something inside the jail.

Is that even possible?


----------



## Lamia (Oct 14, 2018)

There might be a need for you to set the devfs.rules in /etc/ and/or set up an fstab file for the jail. It has to be mounted on boot.


----------



## rainer_d (Oct 14, 2018)

I've got

```
jail_devfs_enable="YES"
jail_devfs_ruleset="devfsrules_jail"
jail_nullfs_enable="YES"
```
(if the latter exists at all)


```
(jailhost </root>) 0 # cat /etc/devfs.rules
# Devices usually found in a jail.
#
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
```


----------



## ShelLuser (Oct 14, 2018)

It's been a while since I messed with devfs inside a jail but as far as I know you also need this:


```
#       sysvmsg = new;
#       sysvshm = new;
#       sysvsem = new;

#       devfs_ruleset = 2;
#       enforce_statfs = 1;
```
(uncommented of course).

See also jail(8).


----------



## SirDice (Oct 15, 2018)

You typically mount filesystems from the host. You can add filesystems specific to the jail to /etc/fstab.<jailname>.

That said, it is possible to mount filesystems from within a jail. What exactly are you trying to mount?


----------



## Lamia (Oct 15, 2018)

SirDice: He said nullfs. Most likely, one or more apps require it. I get it done with the above suggestions, though I use ezjail, not iocage.


----------



## Rasaki Temidire (Oct 15, 2018)

Hi,

I have been setting up jails (using iocage) for Plex, NZBGet, Sonarr, Radarr, Lidarr, etc., which all need access to the same ZFS datasets. So I am using nullfs. I have not had to concern myself with setting nullfs-specific parameters for the jails.

From the host, I issue the following:


```
% doas iocage fstab -a <jail_name> <mountpoint_on_host> <mountpoint_on_jail> nullfs <permissions> 0 0

% doas iocage fstab -a darkhorse /medialake2/movies /mnt/movies nullfs rw 0 0
```

This seems to work well.


----------



## SirDice (Oct 15, 2018)

Lamia said:


> @SirDice: He said nullfs.


Yes. 


```
root@molly:~ # cat /etc/fstab.ports
/usr/src                /jails/j-ports/usr/src                  nullfs  ro      0       0
/usr/ports              /jails/j-ports/usr/ports                        nullfs  ro      0       0
/usr/ports/distfiles    /jails/j-ports/usr/ports/distfiles      nullfs  ro      0       0
/usr/ports/packages     /jails/j-ports/usr/ports/packages               nullfs  ro      0       0
/usr/local/poudriere/data       /jails/j-ports/data             nullfs  ro      0       0
/storage/release        /jails/j-ports/storage/release          nullfs  ro      0       0
/storage/release/11-stable      /jails/j-ports/storage/release/11-stable                nullfs  ro      0       0
```
All nullfs(5) from the host, for a jail named ports. They're all read-only but read/write shouldn't be a problem. This jail only runs a webserver to host them; it doesn't need write access.


```
root@molly:~ # jls
   JID  IP Address      Hostname                      Path
     1  192.168.10.202  j-ports.dicelan.home          /jails/j-ports
```
If you can mount it, you can use /etc/fstab.<jailname>. The nice thing about this setup is that the filesystems are automatically mounted/unmounted when the jail starts/stops. _Most_ of the time you can get away with having the host mount whatever filesystem you need. Which is why I was interested to know what needs to be done from _inside_ the jail.


----------
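Added example (not written by anyone in this thread): an sh function that audits a host-side `/etc/fstab.<jailname>` file of the kind shown above, flagging nullfs entries that are not read-only or whose target falls outside the jail root. The function names, the jail-root argument and the sample fstab are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a per-jail fstab for nullfs entries that are writable
# or that target a path outside the jail root. String checks only: symlinks
# are not resolved. Function names and sample paths are constructed.

# audit_jail_fstab <fstab_file> <jail_root>
# Prints "WRITABLE src -> dst" or "OUTSIDE src -> dst", one line per finding.
audit_jail_fstab() {
    fstab=$1
    root=${2%/}                                  # tolerate a trailing slash
    while read -r src dst fstype opts _rest; do
        case $src in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$fstype" = nullfs ] || continue       # only nullfs is audited
        case $dst in
            */../*|*/..) echo "OUTSIDE $src -> $dst" ;;  # traversal component
            "$root"/*)   ;;                              # inside the jail root
            *)           echo "OUTSIDE $src -> $dst" ;;
        esac
        case ",$opts," in                        # options are comma separated
            *,ro,*) ;;
            *)      echo "WRITABLE $src -> $dst" ;;
        esac
    done < "$fstab"
    return 0
}

# demo: run the audit over a constructed fstab for a jail rooted at /jails/j-ports
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample in the /etc/fstab.<jailname> layout
/usr/ports          /jails/j-ports/usr/ports    nullfs  ro  0  0
/medialake2/movies  /jails/j-ports/mnt/movies   nullfs  rw  0  0
/usr/src            /jails/other/usr/src        nullfs  ro  0  0
EOF
    audit_jail_fstab "$tmp" /jails/j-ports
    rm -f "$tmp"
}

demo
```

A WRITABLE finding is not necessarily a mistake; it marks the entries where a process in the jail can modify host data and so deserves a deliberate decision.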



## Lamia (Oct 15, 2018)

You got it, SirDice. That's all there is to it. You may want to explicitly show the contents of a typical /etc/fstab.<jailname>.
rainer_d, good luck.


----------



## rainer_d (Oct 17, 2018)

So you need to mount it at the host-level.
I thought it was possible to issue the mount inside the jail.

OK, looking at the iocage fstab man-page, that's also cool.

Thanks.


----------



## Lamia (Oct 18, 2018)

You can't mount inside a jail, only from the host before the jail boots.


----------

