Host server: FreeNAS-9.10 (FreeBSD 10.3-STABLE)
I've installed a jail, for backup purposes, mounting the to-be-backed-up filesystems of the FreeNAS host inside the jail.
Backing up using borgbackup to the remote server is working.
As both root and an unprivileged user, within the jail, I'm UNABLE to:
(1) mount the remote filesystem over sshfs:
$ sshfs remote_user@remote_host:remote_dir /mnt/restore
(2) mount the archive using borg mount:
$ borg mount \
--show-rc \
remote_user@remote_host:repo::archive /mnt/restore
Both (1) and (2) fail with:
mount_fusefs: /dev/fuse on /mnt/restore: Operation not permitted
fuse: failed to mount file system: No such file or directory
Even with /mnt/restore being owned by the user running the commands.
Further info:
$ ls -la /dev/fuse
crw-rw---- 1 root operator 0xc5 May 11 11:22 /dev/fuse
$ id backup
uid=1001(backup) gid=1001(backup) groups=1001(backup),5(operator)
$ kldstat | grep fuse
32 1 0xffffffff821c9000 de7a fuse.ko
$ sysctl -a | grep fuse
vfs.fuse.kernelabi_minor: 8
vfs.fuse.kernelabi_major: 7
vfs.fuse.reclaim_revoked: 0
vfs.fuse.lookup_cache_enable: 1
vfs.fuse.lookup_cache_misses: 0
vfs.fuse.lookup_cache_hits: 0
vfs.fuse.sync_unmount: 1
vfs.fuse.enforce_dev_perms: 0
vfs.fuse.init_backgrounded: 1
vfs.fuse.filehandle_count: 0
vfs.fuse.iov_credit: 16
vfs.fuse.iov_permanent_bufsize: 524288
vfs.fuse.ticket_count: 0
vfs.fuse.version: 0.4.4
vfs.fuse.fix_broken_io: 0
vfs.fuse.sync_resize: 1
vfs.fuse.refresh_size: 0
vfs.fuse.mmap_enable: 1
vfs.fuse.data_cache_invalidate: 0
vfs.fuse.data_cache_enable: 1
vfs.fuse.node_count: 0
$ sysctl vfs.usermount
vfs.usermount: 1
I'd appreciate any suggestions on how to resolve this. Let me know if any details are missing to help diagnose. Thanks.
Best Answer
The short answer is no, you can't mount sshfs in a jail. SSHFS is based on FuseFS, and FuseFS is not a jail-friendly file system. Please read below from the man page of the jail command.
You can check the filesystem flags with
lsvfs
command. The command outputs as below on FreeNAS. As you can see, fusefs does not have a jail flag, so FreeBSD doesn't assume that fusefs is a jail-friendly filesystem.
In this case, the only way is to mount the sshfs endpoint on the host machine, not in a jail. In your case, it isn't a suggested option for FreeNAS. Maybe you could consider VM or Docker options (for FreeNAS Corral or FreeNAS 11).
If you want to mount other jail-friendly filesystems, you have to add the following sysctls to jail options, and add
security.jail.enforce_statfs=1
or security.jail.enforce_statfs=0
to global sysctls.
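The flag check described in the answer above, as an added example that is not part of the original answer: a shell helper that reads lsvfs output and reports whether a filesystem type carries the jail flag and whether security.jail.enforce_statfs is 0 or 1. The function names, verdict strings and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the column layout lsvfs prints (not the poster's output).
SAMPLE_LSVFS='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
zfs                              0x000000de    12  jail, delegated-administration
devfs                            0x00000071     1  synthetic, jail
nullfs                           0x00000029     4  loopback, jail
fusefs                           0x000000ed     0'

# has_jail_flag FSTYPE  (lsvfs output on stdin)
# exit 0: FSTYPE listed with the jail flag
# exit 1: FSTYPE listed without it
# exit 2: FSTYPE not listed (kernel module not loaded)
has_jail_flag() {
    awk -v fs="$1" '
        NR <= 2 { next }                      # skip header and ruler lines
        $1 == fs {
            found = 1
            for (i = 4; i <= NF; i++) {       # flags are comma-separated from field 4
                f = $i
                sub(/,$/, "", f)
                if (f == "jail") ok = 1
            }
        }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }'
}

# jail_mount_verdict FSTYPE ENFORCE_STATFS  (lsvfs output on stdin)
# Prints one verdict word. "jail-flag-ok" only means the two checks from the
# answer pass; the jail still needs its mount permissions set in its options.
jail_mount_verdict() {
    has_jail_flag "$1" && rc=0 || rc=$?       # keep going under "set -e"
    case $rc in
        0) if [ "$2" -lt 2 ]; then echo jail-flag-ok
           else echo enforce_statfs-too-high; fi ;;
        1) echo no-jail-flag ;;
        *) echo not-listed ;;
    esac
}

# On a live FreeBSD system, run inside the jail:
#   lsvfs | jail_mount_verdict fusefs "$(sysctl -n security.jail.enforce_statfs)"
```

With the constructed table, fusefs yields no-jail-flag regardless of the enforce_statfs value, which matches the "Operation not permitted" failure in the question.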