# A shared folder between jails on ezjail



## Fawst (Sep 21, 2016)

Hello community, 

First, I'm really impressed to see the FreeBSD community, all around the world, ready to share.

I'll start with apologies if you see too many mistakes in my English.

I started 2 months ago to "play" with FreeBSD. My purpose is to create a personal server for sharing files and media at home and outside.

I will re-install FreeBSD from scratch and I have a clear idea of what I want, but even though I have read tons of things, I'm still not sure how to do it.

OK, thanks Fawst, but what do you want?

I want to set up three jails with ezjail on FreeBSD 10.3:

- nextcloud
- pyload
- plex

And share a folder called media across those jails.

I don't want this folder on my host, but inside one of the previously mentioned jails and mounted inside the others.

My question is: is it possible to mount this kind of folder? How can I do it? Basejail or flavors configuration?

Thank you very much for your help.


----------



## SirDice (Sep 21, 2016)

It's possible to do this from one jail to another but it's tricky.  For example, what if the 'source' jail is down? How about updates or a complete reinstall of the jail? 

The simplest solution (simple usually works best) is to create the directory on the host. And then use nullfs(5) to mount this directory on each of the jails.

I have, for example, poudriere running on the host creating package repositories. And I have one simple jail with nginx that has the poudriere data directory mounted read-only using nullfs(5). That way I can safely allow access to the files through the jail's web server.


----------



## Fawst (Sep 21, 2016)

Thank you for your fast response.

I don't want to create the folder on the host for security purposes, but that is simply a personal guess. If a file contains malicious things and it's read from a folder on the host, will my host be hurt or only the jail that reads it?


----------



## Remington (Sep 21, 2016)

You also can use the mount option in /etc/fstab.nextcloud, /etc/fstab.pyload and /etc/fstab.plex.

Add the following line as an example:

```
/media   /jails/plex/media    nullfs ro 0 0
```

Putting the media folder in /usr/basejail will not be any different than putting the media folder in /mnt/media. Using fstab will control what folders will be accessible to jails. There's no way jails can access folders outside what is already defined in fstab.


----------



## Fawst (Sep 21, 2016)

If I understand well, Remington, I should do:

```
cd /usr/basejail
mkdir media
```

Then in /etc/fstab.nextcloud

```
# nextcloud will be used to manage files
/media /jails/nextcloud/media nullfs rw 0 0
```

Then in /etc/fstab.pyload

```
# pyload will be used to download files
/media /jails/pyload/media nullfs rw 0 0
```

Then in /etc/fstab.plex

```
# plex only needs to read files in media
/media /jails/plex/media nullfs ro 0 0
```

Can that work?


----------



## Remington (Sep 21, 2016)

In your fstab files, it will be like this:

```
/basejail/media  /jails/plex/media nullfs rw 0 0
```

You will also need to create a media folder in /jails/plex as well.

Basejail is read-only so you will need to make another mount for read-write functionality.


----------



## Fawst (Sep 21, 2016)

Thank you 

So, for the read-write I need to mount a folder in the host? 

I'm starting to understand, thank you for your help


----------



## SirDice (Sep 21, 2016)

Fawst said:


> If a file contains malicious things and it's read from a folder on the host, will my host be hurt or only the jail that reads it?


It's a non-issue because the host can always read everything inside every jail. Malicious files in and of themselves are harmless, they're just a bunch of bytes. They don't spontaneously become active. As long as you don't _execute_ the malicious code the files will just sit there doing nothing.


----------



## Fawst (Sep 21, 2016)

To my limited knowledge, if Plex reads the file, is it like executing it or not?


----------



## Remington (Sep 21, 2016)

Fawst said:


> Thank you
> 
> So, for the read-write I need to mount a folder in the host?
> 
> I'm starting to understand, thank you for your help



Yes, fstab must use the host's file system, even the full path for jails. Mount will not work inside a jail, so everything must be done from the host.


----------



## Remington (Sep 21, 2016)

Fawst said:


> To my limited knowledge, if Plex reads the file, is it like executing it or not?



It only reads the file.


----------



## SirDice (Sep 21, 2016)

Fawst said:


> To my limited knowledge, if Plex reads the file, is it like executing it or not?


No. Just reading the bytes doesn't execute those bytes, it's just data being passed along. 

It is however possible if, for example, the audio player doesn't handle a file properly, a bug could trigger execution of code embedded within that file. However, this requires certain bugs in the process handling the audio stream, bad programming, a specially prepared file and a lot of bad luck.

The specially prepared file may trigger such a bug with application A but application B (which doesn't have this bug) will just read it and the embedded code would never be executed.


----------



## Fawst (Sep 21, 2016)

Oh nice, we're getting close to solving my questions, but before that, can you tell me what is wrong with the following:

I tried this before writing to you; as I told you, I play with FreeBSD.

I started by creating a media folder directly at the root:

```
mkdir /media
chmod -R 777 /media
```

I know it is a really bad thing to perform a chmod 777 on a folder, but for trying things out it's pretty straightforward.

I had an external storage of /media on nextcloud, and due to chmod 777 I had some pictures in the /media folder.

After that I mounted /media in the plex jail:

```
mount_nullfs /media /jail/plex/mnt/media
```

Then I was able to see the pictures added previously.

The next day I rebooted the server and added a new picture using the external storage on nextcloud, but when I performed

```
cd /jail/plex/mnt/media
ls
```

I didn't see the new pictures; I saw only the first pictures added.

So what am I missing? Put the path in /etc/fstab.plex?


----------



## SirDice (Sep 21, 2016)

Fawst said:


> So what am I missing? Put the path in /etc/fstab.plex?


Yes, most likely. Mounts don't survive reboots, so when the system was rebooted the filesystem wasn't mounted anymore.


----------



## Fawst (Sep 21, 2016)

Thank you very much for this reply.

To make things useful, let's summarize.

If you want to share a folder between jails, keep it simple.



> The simplest solution (simple usually works best) is to create the directory on the host. And then use nullfs(5) to mount this directory on each of the jails.



But if you have questions about security, don't worry, files will only be read.



> No. Just reading the bytes doesn't execute those bytes, it's just data being passed along.
> 
> It is however possible if, for example, the audio player doesn't handle a file properly, a bug could trigger execution of code embedded within that file. However, this requires certain bugs in the process handling the audio stream, bad programming, a specially prepared file and a lot of bad luck.
> 
> The specially prepared file may trigger such a bug with application A but application B (which doesn't have this bug) will just read it and the embedded code would never be executed.



In my case it will look like this:

Create a media folder and add the sub-folders you want.

```
mkdir /media
cd /media
mkdir Films
mkdir Photos
mkdir TVShows
```

Then you change the permissions of your folder:

```
# mode 760 would leave the group without the search (x) bit on directories;
# X sets it on directories only, so the group can enter them and reach the files
chmod -R u=rwX,g=rwX,o= /media
chown -R :www /media
```

With this, the group can read and write in this folder.

I suppose the jails are already set up and that in each jail (in my case nextcloud, plex and pyload) the service runs with the same group www and a media folder was already created under /mnt.

We mount the media folder on each jail:

```
# plex is mounted read-only, matching the ro entry in /etc/fstab.plex
mount_nullfs -o ro /media /usr/jail/plex/mnt/media
mount_nullfs /media /usr/jail/pyload/mnt/media
mount_nullfs /media /usr/jail/nextcloud/mnt/media
```

Then we add the following path to each /etc/fstab.JAILNAME:

```
vi /etc/fstab.plex
/media /usr/jail/plex/mnt/media nullfs ro 0 0
```

```
vi /etc/fstab.pyload
/media /usr/jail/pyload/mnt/media nullfs rw 0 0
```

```
vi /etc/fstab.nextcloud
/media /usr/jail/nextcloud/mnt/media nullfs rw 0 0
```

In the nextcloud web interface, add the media folder as an external storage.

If it's all correct you will be able to add or remove media files with nextcloud and pyload, but only read them from plex.

Do you think this is a correct way to do it? If not, I will edit this post.


----------



## Remington (Sep 21, 2016)

That's right.


----------
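The reboot problem from the thread (a manual mount_nullfs that never made it into /etc/fstab.JAILNAME, or a live mount that is rw while the fstab entry says ro) can be checked mechanically by comparing `mount -p -t nullfs` output with the per-jail fstab files. This is an added example, not part of any post in the thread; the function names `nullfs_drift` and `demo_drift` and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare live nullfs mounts with the per-jail fstab files.
# On a FreeBSD host: mount -p -t nullfs > live.txt; nullfs_drift live.txt /etc

nullfs_drift() {
    live=$1; dir=$2
    awk '
        # "ro" if the comma-separated option list contains ro, otherwise "rw"
        function romode(opts,   n, i, o) {
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") return "ro"
            return "rw"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        $3 != "nullfs"           { next }    # only nullfs entries matter here
        FILENAME == ARGV[1]      { livemode[$2] = romode($4); next }
                                 { fsmode[$2] = romode($4) }
        END {
            for (t in livemode) {
                if (!(t in fsmode))
                    print "NOT_PERSISTED " t     # gone after the next reboot
                else if (livemode[t] != fsmode[t])
                    print "MODE_MISMATCH " t " live=" livemode[t] " fstab=" fsmode[t]
            }
            for (t in fsmode)
                if (!(t in livemode)) print "NOT_MOUNTED " t
        }
    ' "$live" "$dir"/fstab.* | LC_ALL=C sort
}

# Constructed sample data mirroring the thread; not output from a real host.
demo_drift() {
    d=$(mktemp -d) || return 1
    cat > "$d/live" <<'EOF'
/media /usr/jail/plex/mnt/media nullfs rw 0 0
/media /usr/jail/pyload/mnt/media nullfs rw 0 0
EOF
    printf '%s\n' '# plex only needs to read' \
        '/media /usr/jail/plex/mnt/media nullfs ro 0 0' > "$d/fstab.plex"
    printf '%s\n' '/media /usr/jail/nextcloud/mnt/media nullfs rw 0 0' \
        > "$d/fstab.nextcloud"
    nullfs_drift "$d/live" "$d"
    rm -rf "$d"
}

demo_drift
```

A MODE_MISMATCH on the plex target means the jail currently has write access to the shared folder even though its fstab entry is read-only.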

