ZFS under FreeBSD lets one assign filesystems to a jail, such that an account in the jail with the appropriate privileges can access the filesystem, create new subordinate filesystems, and so forth. At least with 8-STABLE, these features are not integrated into the existing /etc/rc.d/jail script. The basic process looks something like:
sysctl -w security.jail.enforce_statfs=0
sysctl -w security.jail.mount_allowed=1
zfs set jailed=on <filesystem>
zfs jail <jid> <filesystem>
And also requires exposing the zfs device node inside the jail.
At the same time, there appear to be a profusion of tools out there (ezjail, jailer, warden, and generally /usr/ports/sysutils/*jail*) that claim to be easier/better/more powerful/etc, but most of which appear to only be lightly maintained and not really much of a win vs. the standard jail script.
I would like to avoid reinventing the wheel. Is there a jail management tool out there that is well integrated with ZFS? I'm looking for something that would take care of setting up the necessary devfs rules, sysctl settings, and zfs attributes when booting a jail…and ideally permit name-based references to jails, which while supported by many of the third-party tools is tragically missing from the stock jail script.
Best Answer
After poking around a little bit, it turns out that recent version of ezjail already have this support. The key parts are the following configuration options in
/usr/local/etc/ezjail.conf:And using
-c zfswhen creating a jail, like this:You associate ZFS datasets with a jail using the
ezjail-admin configcommand (you can't do this as part of thecreatecommand):This assumes you have set up the ZFS dataset and configured the appropriate sysctl settings and devfs rules to make this work.
Your ZFS dataset(s) need to have the
jailedoption set:You want the following in
/etc/sysctl.conf:And I use the following devfs ruleset for jails configured with ezjail: