[nycbug-talk] freebsd jails: running nfs client?

Isaac Levy ike at lesmuug.org
Fri Mar 17 17:09:54 EST 2006


Hi N.J.,

On Mar 17, 2006, at 4:42 PM, N.J. Thomas wrote:

> I know there are some people on the list whose jail-fu is quite strong.
> I have a question for you guys: Is it possible to mount an NFS
> filesystem from inside a jail?

There are two ways to approach this:

1) Outside the jail (host system)
+ you are able to mount the nfs volume from the host, at a mount point
within the jail instance userland.
It should be noted, however, that there are security implications to
doing anything from the host system that is visible to the jailed
systems, and this strategy throws in a lot of complexity and variables.

2) Inside the jail
- if you are using FreeBSD 4.x, no way jose (at least not in any
supported fashion).
- if you are using FreeBSD 5.x, you should be able to- but I'll not
comment on FreeBSD 5.x
+ if you are using FreeBSD 6.x, you should be able to.  It is
noteworthy that you may want to adjust 'security.jail.enforce_statfs'
with sysctl, to make certain applications within the jail can
actually see the mount point! (like mount itself, or umount)


>
> jail(1) seems to imply that it is, but Googling gives me mixed results
> (some people say yes, other people say no).

I'd think some people would have troubles if the jail can't 'see' the  
mount point, with the statfs(2) syscall.

The jail(8) man page says it better than I can:

      security.jail.enforce_statfs
           This MIB entry determines which information processes in a jail are
           able to get about mount-points.  It affects the behaviour of the
           following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
           fhstatfs(2) (as well as similar compatibility syscalls).  When set
           to 0, all mount-points are available without any restrictions.  When
           set to 1, only mount-points below the jail's chroot directory are
           visible.  In addition to that, the path to the jail's chroot
           directory is removed from the front of their pathnames.  When set
           to 2 (default), above syscalls can operate only on a mount-point
           where the jail's chroot directory is located.


>
> I tried it and
> I can run "mount_nfs machine:/dir /foo" from a normal host just fine,
> but inside a jail it doesn't seem to work, I get:
>
>     mount_nfs: /foo: Operation not permitted

From your host machine, try:

# sysctl security.jail.enforce_statfs=1

And then try the mount again inside the jail?

Also, I'm not sure, but NFS may require raw sockets?  The jail
manpage explains this command:

# sysctl security.jail.allow_raw_sockets=1


>
> On a similar note, if NFS inside a jail is doable, I would presume
> that running amd would work as well?

I would think so, but I've not done or seen it.  Give it a shot?

Good luck- report back!

Best,
.ike


>
> thanks,
> Thomas
>
> -- 
> N.J. Thomas
> njt at ayvali.org
> Etiamsi occiderit me, in ipso sperabo
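As an added illustration that is not part of the thread, here is a small Python model of the three security.jail.enforce_statfs levels described in the jail(8) text quoted above, applied to a constructed host mount table and jail root (both values are made up for the example; the kernel is the authority on the exact names it reports).

```python
import posixpath
from typing import List

# Constructed sample data, not taken from the thread: a host mount table
# and the chroot directory of one jail.
HOST_MOUNTS = ["/", "/usr", "/jails/web/foo", "/jails/web/usr/ports", "/jails/db"]
JAIL_ROOT = "/jails/web"


def _is_below(path: str, root: str) -> bool:
    """True if `path` is `root` itself or lies under it, comparing whole path components."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def visible_mounts(mounts: List[str], jail_root: str, enforce_statfs: int) -> List[str]:
    """Mount points a jailed process can learn about via getfsstat(2)/statfs(2),
    following the three levels in the quoted jail(8) text."""
    if enforce_statfs == 0:
        # Level 0: every host mount point, with its host-side pathname.
        return sorted(mounts)
    if enforce_statfs == 1:
        # Level 1: only mounts below the jail's chroot, with the chroot prefix
        # stripped from the front of the pathname ("/jails/web/foo" -> "/foo").
        prefix = jail_root.rstrip("/")
        return sorted(m[len(prefix):] or "/" for m in mounts if _is_below(m, jail_root))
    if enforce_statfs == 2:
        # Level 2 (default): only the single mount point the chroot lives on,
        # i.e. the longest mount path that is a prefix of the jail root.
        containing = max((m for m in mounts if _is_below(jail_root, m)), key=len)
        return [containing]
    raise ValueError("enforce_statfs must be 0, 1 or 2")


def nfs_mount_is_visible(mounts: List[str], jail_root: str, enforce_statfs: int, nfs_mount: str) -> bool:
    """Would an NFS filesystem mounted at `nfs_mount` (host path, inside the jail tree)
    show up to the jail's mount/umount at the given level?"""
    seen = visible_mounts(mounts + [nfs_mount], jail_root, enforce_statfs)
    stripped = nfs_mount[len(jail_root.rstrip("/")):] or "/"
    return nfs_mount in seen or stripped in seen


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, visible_mounts(HOST_MOUNTS, JAIL_ROOT, level))
```

At the default level 2 a mount added inside the jail tree is not visible to the jail's own mount/umount, which is why the thread suggests lowering the sysctl to 1 before retrying.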
