Freebsd – Permission denied: fusefs inside freebsd (freenas) jail

Tags: freebsd, fuse, sshfs, truenas

Host server: FreeNAS-9.10 (FreeBSD 10.3-STABLE)

I've installed a jail, for backup purposes, mounting the to-be-backed-up filesystems of the FreeNAS host inside the jail.

Backing up using borgbackup to the remote server is working.

As both root and an unprivileged user, within the jail, I'm UNABLE to:

(1) mount the remote filesystem over sshfs:

$ sshfs remote_user@remote_host:remote_dir /mnt/restore

(2) mount the archive using borg mount:

$ borg mount \
    --show-rc \
    remote_user@remote_host:repo::archive /mnt/restore

Both (1) and (2) fail with:

mount_fusefs: /dev/fuse on /mnt/restore: Operation not permitted
fuse: failed to mount file system: No such file or directory

This happens even with /mnt/restore being owned by the user running the commands.

Further info:

$ ls -la /dev/fuse
crw-rw----  1 root  operator  0xc5 May 11 11:22 /dev/fuse

$ id backup
uid=1001(backup) gid=1001(backup) groups=1001(backup),5(operator)

$ kldstat | grep fuse
32  1 0xffffffff821c9000 de7a  fuse.ko 

$ sysctl -a | grep fuse
vfs.fuse.kernelabi_minor: 8
vfs.fuse.kernelabi_major: 7
vfs.fuse.reclaim_revoked: 0
vfs.fuse.lookup_cache_enable: 1
vfs.fuse.lookup_cache_misses: 0
vfs.fuse.lookup_cache_hits: 0
vfs.fuse.sync_unmount: 1
vfs.fuse.enforce_dev_perms: 0
vfs.fuse.init_backgrounded: 1
vfs.fuse.filehandle_count: 0
vfs.fuse.iov_credit: 16
vfs.fuse.iov_permanent_bufsize: 524288
vfs.fuse.ticket_count: 0
vfs.fuse.version: 0.4.4
vfs.fuse.fix_broken_io: 0
vfs.fuse.sync_resize: 1
vfs.fuse.refresh_size: 0
vfs.fuse.mmap_enable: 1
vfs.fuse.data_cache_invalidate: 0
vfs.fuse.data_cache_enable: 1
vfs.fuse.node_count: 0

$ sysctl vfs.usermount
vfs.usermount: 1

I'd appreciate any suggestions on how to resolve this. Let me know if any details are missing to help diagnose. Thanks.

Best Answer

The short answer is no, you can't mount sshfs in a jail. SSHFS is based on FuseFS, and FuseFS is not a jail-friendly file system. Please read the following from the man page of the jail command.

It is not possible to mount(8) or umount(8) any file system inside a jail unless the file system is marked jail-friendly, the jail's allow.mount parameter is set, and the jail's enforce_statfs parameter is lower than 2.

You can check the filesystem flags with the lsvfs command. Its output on FreeNAS is shown below.

root@freenas:~ # lsvfs
Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
nfs                              0x0000003a     0  network
msdosfs                          0x00000032     0  
nullfs                           0x00000029     1  loopback, jail
cd9660                           0x000000bd     0  read-only
procfs                           0x00000002     1  synthetic, jail
unionfs                          0x00000041     0  loopback
ufs                              0x00000035     0  
zfs                              0x000000de    11  jail, delegated-administration
devfs                            0x00000071     3  synthetic, jail
tmpfs                            0x00000087     3  jail
fdescfs                          0x00000059     1  synthetic, jail
fusefs                           0x000000ed     0  synthetic

As you can see, fusefs does not have the jail flag, so FreeBSD doesn't assume that fusefs is a jail-friendly filesystem.

In this case, the only way is to mount the sshfs endpoint on the host machine, not in a jail. In your case, that isn't a suggested option for FreeNAS. Maybe you could consider VM or Docker options (for FreeNAS Corral or FreeNAS 11).

If you want to mount other jail-friendly filesystems, you have to add the following sysctls to the jail options, and add security.jail.enforce_statfs=1 or security.jail.enforce_statfs=0 to the global sysctls.

allow.mount=true,allow.mount.nullfs=true,allow.mount...
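
The three conditions from the jail man page quoted in the answer, applied to lsvfs output, as an added example that is not part of the original answer. The function names has_jail_flag and explain_mount are hypothetical, the sample rows are copied from the lsvfs listing above, and the allow.mount and enforce_statfs values are passed in by hand as assumptions about the jail's configuration.

```shell
#!/bin/sh
# Sample rows copied from the lsvfs output in the answer; on a real host,
# pipe the output of `lsvfs` into explain_mount instead.
LSVFS_SAMPLE='Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
nfs                              0x0000003a     0  network
nullfs                           0x00000029     1  loopback, jail
ufs                              0x00000035     0  
zfs                              0x000000de    11  jail, delegated-administration
tmpfs                            0x00000087     3  jail
fusefs                           0x000000ed     0  synthetic'

# has_jail_flag FSTYPE
# Succeeds if the lsvfs output on stdin lists FSTYPE with the "jail" flag.
has_jail_flag() {
    awk -v fs="$1" '
        NR > 2 && $1 == fs {
            # Flags start at field 4 and are comma-separated.
            for (i = 4; i <= NF; i++) {
                flag = $i
                gsub(/,/, "", flag)
                if (flag == "jail") found = 1
            }
        }
        END { exit !found }'
}

# explain_mount FSTYPE ALLOW_MOUNT ENFORCE_STATFS
# Reads lsvfs output on stdin and prints "allowed" or the first unmet condition.
explain_mount() {
    fstype=$1; allow_mount=$2; enforce_statfs=$3
    if ! has_jail_flag "$fstype"; then
        echo "denied: $fstype is not marked jail-friendly"
    elif [ "$allow_mount" != 1 ]; then
        echo "denied: allow.mount is not set"
    elif [ "$enforce_statfs" -ge 2 ]; then
        echo "denied: enforce_statfs=$enforce_statfs (must be lower than 2)"
    else
        echo "allowed"
    fi
}

printf '%s\n' "$LSVFS_SAMPLE" | explain_mount fusefs 1 1   # fails on the jail flag
printf '%s\n' "$LSVFS_SAMPLE" | explain_mount nullfs 1 1   # all three conditions met
printf '%s\n' "$LSVFS_SAMPLE" | explain_mount nullfs 1 2   # enforce_statfs too high
```

For fusefs the result stays "denied" whatever the jail parameters are, which matches the error in the question.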