# NFS mount from a jail



## rainbowwarrior (Jan 14, 2010)

Hi,

I have an NFS server on a remote machine and am trying to mount an NFS share from a jail. The jail is allowed by the NFS server, and I can see that my jail is really allowed:

```
rpc.mountd: authenticated mount request from 172.33.22.2:737 for /directory (/directory)
```

When I try to mount, I always get this message:

```
mount -t nfs hostname:/directory/ /mnt
mount_nfs: /mnt, : Operation not permitted
```

I hope someone can help me.


----------



## DutchDaemon (Jan 14, 2010)

Are you permitted to mount something on /mnt?


----------



## bjs (Jan 14, 2010)

The best way to do this would be to mount it from the jailhost:


```
mount -t nfs hostname:/directory/ /jailhost/path/to/jail/mnt
```


----------



## rainbowwarrior (Jan 15, 2010)

> Are you permitted to mount something on /mnt?



No, I'm not.

I checked:

```
sysctl -a |grep -i security.jail.mount
security.jail.mount_allowed: 1
```



> The best way to do this would be to mount it from the jailhost



Yes, I agree, and this is running. But we won't do that. We would like to do this from a jail client.

Thanks


----------



## rainbowwarrior (Jan 18, 2010)

Hi,

Is there no possibility to mount an NFS drive from inside a jail?


----------



## SirDice (Jan 18, 2010)

From jail(1):


> *Jails and File Systems*
> It is not possible to mount(8) or umount(8) any file system inside a jail unless the file system is marked jail-friendly and the jail's allow.mount parameter is set.



I'm not sure NFS constitutes a jail-friendly filesystem.


----------



## rainbowwarrior (Jan 19, 2010)

Maybe it's not jail-friendly; unfortunately I don't have a choice.


----------



## rainbowwarrior (Jan 19, 2010)

> The best way to do this would be to mount it from the jailhost



This is a problem too. I cannot access some of the NFS shares from inside a jail.


----------



## rainbowwarrior (Jan 19, 2010)

Oops, I cannot edit my last post, I'm sorry.

When I mount NFS shares on a jail host from other jails which are NFS servers, I cannot access them from inside a jail. Sounds weird, but it's true; we have NFS servers running in jails.


----------



## SirDice (Jan 19, 2010)

Make sure mountd, rpcbind and nfsd are all bound to the jail's IP address. By default they will bind to all addresses.


----------



## rainbowwarrior (Jan 20, 2010)

Hi,

Thanks for your reply!

First, I want to mount an NFS share from inside a jail. I would be happy if anyone has a howto for that.

The second way I am testing at the moment is to mount NFS shares on a jail host into the jail client directory.
When I mount NFS shares from, for example, a Debian system, I don't have any problem. I can access the share on the jail host and from the jail client.

When I mount an NFS share on a jail host from another jail (from another jail host), I cannot access the share from the jail client. Sorry, I can't explain it better...



> Make sure mountd, rpcbind and nfsd are all bound to the jail's IP address. By default they will bind to all addresses.



The jail which provides the NFS share is using unfsd:

```
rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp   2049  mountd
    100005    3   udp   2049  mountd
    100005    1   tcp   2049  mountd
    100005    3   tcp   2049  mountd
```


```
cat /etc/rc.conf 
sshd_enable="YES"
rpcbind_enable="YES"
rpcbind_flags="-h ipfromjail"
mountd_enable="YES"
unfsd_enable="YES"
```

I started unfsd as user www, with the option -l ipfromjail.

But binding to the IP address makes no difference. When I access the share from the jail client, I get permission denied. When I do an "ls -al", I cannot list the mounted directory.


----------



## SirDice (Jan 20, 2010)

unfsd?

Mountd and nfsd also need the -h flag to bind them to a specific IP address.
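
As an added example (not part of SirDice's post or the thread), a small shell check for the point above: it reads rc.conf text and lists the enabled rpcbind, mountd and nfsd entries whose flags lack `-h` with the jail's address. The sample rc.conf and the address 192.0.2.10 are constructed; `rpcbind_flags`, `mountd_flags` and `nfs_server_flags` are the stock FreeBSD rc.conf variables.

```sh
#!/bin/sh
# Added example (not from the thread): list enabled NFS-related daemons
# in an rc.conf that are not bound to the jail's address with -h.

# Constructed sample modelled on the rc.conf posted in the thread;
# 192.0.2.10 is a placeholder for the jail's IP address.
SAMPLE_RC_CONF='sshd_enable="YES"
rpcbind_enable="YES"
rpcbind_flags="-h 192.0.2.10"
mountd_enable="YES"
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 4"'

# Print the value of rc.conf variable $2 in text $1 (last assignment wins).
rc_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" |
        tail -n 1
}

# True if $1 is one of the values rc.conf treats as "enabled".
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, each enabled daemon whose flags lack "-h $2".
unbound_daemons() {
    for pair in rpcbind:rpcbind mountd:mountd nfsd:nfs_server; do
        daemon=${pair%%:*}    # name to report
        prefix=${pair##*:}    # rc.conf variable prefix
        is_yes "$(rc_value "$1" "${prefix}_enable")" || continue
        flags=$(rc_value "$1" "${prefix}_flags")
        case " $flags " in
            *" -h $2 "*) ;;          # bound to the expected address
            *) echo "$daemon" ;;     # wildcard bind, or a different address
        esac
    done
}

# For the constructed sample this reports mountd and nfsd.
unbound_daemons "$SAMPLE_RC_CONF" 192.0.2.10
```

To check a real configuration, pass the file's contents instead of the sample, for example `unbound_daemons "$(cat /etc/rc.conf)" <jail address>`.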


----------



## rainbowwarrior (Jan 20, 2010)

> unfsd?




```
file `type -p unfsd`
/usr/local/sbin/unfsd: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), for FreeBSD 7.1, dynamically linked (uses shared libs), FreeBSD-style, not stripped
```


```
man unfsd | head -n 15
unfsd(8)							      unfsd(8)



NAME
       unfsd - NFS server process

SYNOPSIS
       /usr/sbin/unfsd [options]

DESCRIPTION
       The  unfsd program implements the MOUNT and NFS version 3 protocols. It
       listens for client requests, performs them on the local	filesystem  of
       the  server,  and  then	returns  the  results of the operations to the
       clients.
```

My colleague had a problem with nfsd as an NFS server inside a jail; this is because we use unfsd.



> Mountd and nfsd also need the -h flag to bind them to a specific IP address.



We use unfsd instead of nfsd. And unfsd was started with an IP bind option:

```
root    79143  0.0  0.0  6692  1512  ??  SsJ  11:01AM   0:00.03 /usr/sbin/rpcbind -h jailip
www     79150  0.0  0.1  8780  5892  ??  SsJ  11:01AM   0:00.57 /usr/local/sbin/unfsd -l jailip
```


I added the flag for mountd too. But nothing changed.


----------



## SirDice (Jan 20, 2010)

Did you try it with the 'standard' fbsd nfsd?

Do note that nfsd and mountd are only needed on the server side. The client only needs rpcbind.


----------



## rainbowwarrior (Jan 20, 2010)

nfsd doesn't start in my jail.


----------



## SirDice (Jan 20, 2010)

Make sure the kernel module is loaded on the host. Jails aren't allowed to load kernel modules.


----------



## rainbowwarrior (Jan 20, 2010)

```
kldstat 
Id Refs Address            Size     Name
 1    2 0xffffffff80100000 b4be40   kernel
 2    1 0xffffffff80c4c000 14d8     accf_http.ko
```

How can I load the correct kernel module?


----------



## SirDice (Jan 20, 2010)

GENERIC already has the NFSSERVER option. If you have a custom kernel you can add it. 
If you add *nfsserver_enable="YES"* to /etc/rc.conf it will load the kernel module automatically if needed.


----------



## venture37 (Apr 28, 2010)

SirDice said:

> unfsd?



net/unfs3 in ports


----------

