jails Can't unmount zfs datasets in jail

[spork]

I'm stumped here - trying to delegate a zfs dataset to a jail (using another pool) within iocage...

My config has what appear to be all the proper settings to allow a root user in the jail to manage zfs, and it all seems to work, but I cannot unmount any datasets.

Here's the config:

{
    "allow_mount": 1,
    "allow_mount_devfs": 1,
    "allow_mount_zfs": 1,
    "basejail": 1,
    "boot": 1,
    "enforce_statfs": "0",
    "exec_created": "zfs set jailed=on data/jail-mounts/zfsmount; zfs jail ioc-zfsmount data/jail-mounts/zfsmount
",
    "host_hostname": "zfsmount",
    "host_hostuuid": "zfsmount",
    "last_started": "2021-11-09 00:22:58",
    "release": "12.2-RELEASE-p10"
}

I have the various sysctl-related settings, lowered "enforce_statfs" to 0 (also was trying with 1), and I run some "exec_created" hooks here to ensure that the dataset has the "jailed" parameter enabled and to tie the jail and dataset together.

It seems to work in every other way. I can create new datasets in the jail, destroy them, create snapshots, etc. It's just the unmount that fails (both 'zfs unmount data/jail-mounts/zfsmount' and 'umount /jailmount').

root@zfsmount:~ # mount | grep jailmount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
root@zfsmount:~ # ls /jailmount/
foo    PG
root@zfsmount:~ # zfs unmount data/jail-mounts/zfsmount/PG
cannot unmount '/zroot/iocage/jails/zfsmount/root/jailmount/PG': Operation not permitted
root@zfsmount:~ #
root@zfsmount:~ # zfs unmount data/jail-mounts/zfsmount
cannot unmount '/zroot/iocage/jails/zfsmount/root/jailmount/PG': Operation not permitted
root@zfsmount:~ #
root@zfsmount:~ # umount /jailmount
umount: unmount of /zroot/iocage/jails/zfsmount/root/jailmount failed: Operation not permitted
root@zfsmount:~ # umount /jailmount/PG
umount: unmount of /zroot/iocage/jails/zfsmount/root/jailmount/PG failed: Operation not permitted

I'm totally not sure what I'm doing wrong here or if this is just some weird zfs/jail bug.

 

[SirDice]

Is the filesystem in use perhaps? Some service that's running and has files locked in that dataset?

 

[spork]

Is the filesystem in use perhaps? Some service that's running and has files locked in that dataset?

Nope - it's just an experiment, so I'm the only one in this vm, and I'm not mounting it anywhere that any daemon or anything would want to use it ("/jailmount").

 

[Alain De Vos]

Can you unmount from the host ?

 

[spork]

Can you unmount from the host ?

This is an interesting one...

I can, but only with "umount". If I use "zfs unmount data/jail-mounts/zfsmount", even with the jail stopped, the command returns without error, but the dataset remains mounted. This might just be normal zfs behavior for a dataset with the "jailed" property set though to prevent accidents?

Example:

[root@clweb1TEST /home/spork]# mount|grep jail-mount
[root@clweb1TEST /home/spork]#
[root@clweb1TEST /home/spork]# iocage start zfsmount
* Starting zfsmount
  + Started OK
  + Using devfs_ruleset: 1001 (iocage generated default)
  + Using IP options: ip4.saddrsel=1 ip4=new ip6.saddrsel=1 ip6=new
  + Starting services OK
  + Executing poststart OK
[root@clweb1TEST /home/spork]# mount|grep jail-mount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
[root@clweb1TEST /home/spork]# iocage console zfsmount
root@zfsmount:~ # mount | grep jail-mounts
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
root@zfsmount:~ # logout
[root@clweb1TEST /home/spork]# iocage stop zfsmount
* Stopping zfsmount
  + Executing prestop OK
  + Stopping services OK
  + Removing devfs_ruleset: 1001 OK
  + Removing jail process OK
  + Executing poststop OK
[root@clweb1TEST /home/spork]# mount|grep jail-mount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
[root@clweb1TEST /home/spork]# zfs unmount data/jail-mounts/zfsmount/PG
[root@clweb1TEST /home/spork]# zfs unmount data/jail-mounts/zfsmount
[root@clweb1TEST /home/spork]# mount|grep jail-mount
data/jail-mounts/zfsmount on /zroot/iocage/jails/zfsmount/root/jailmount (zfs, local, nfsv4acls)
data/jail-mounts/zfsmount/PG on /zroot/iocage/jails/zfsmount/root/jailmount/PG (zfs, local, nfsv4acls)
[root@clweb1TEST /home/spork]# umount /zroot/iocage/jails/zfsmount/root/jailmount/PG
[root@clweb1TEST /home/spork]# umount /zroot/iocage/jails/zfsmount/root/jailmount
[root@clweb1TEST /home/spork]# mount|grep jail-mount
[root@clweb1TEST /home/spork]#

 

[kr0m]

I am in the same situation, i can manage dataset from jail, mount/snapshot it, but i can't umount snapshots nor destroy snapshots.
I can manage snapshots of that dataset without problems from the physical host.

I have the following jail parameters:

allow.mount=1
allow.mount.zfs=1
enforce_statfs=1
exec.poststart = 'zfs jail PostgreSQL00 zroot/data_PostgreSQL00';

The dataset was created with the following commands:

zfs create -o mountpoint=/var/db/postgres/data15 -o canmount=noauto zroot/data_PostgreSQL00

And applied jail-friendly parameter:

zfs set jailed=on zroot/data_PostgreSQL00

Am i doing anything wrong? Maybe its a bug?

 

[Alain De Vos]

Maybe,

zfs-jail.8 — OpenZFS documentation

openzfs.github.io