The changes to jail and the jail rc script between 9 and 10 break ezjail image jails. Ezjail specifies the jailroot in an fstab file under /etc/fstab.jailname. The issue is that when the rc script autocreates /var/run/jail.jailname.conf it adds an entry to the mount parameter for procfs. The order that the jail command processes mounts is to mount things in the mounts config parameter first and then mount from fstab. When the root is in fstab this causes jail to try to mount proc before the root has been mounted, so mount returns an error because the directory ${jailroot}/proc does not exist.

ezjail should probably be updated to create jail config files on 10+; however, there is still an ordering issue if a user puts a mount in the config that is under a directory that is mounted in fstab.

The ordering issue occurs in /usr/src/usr.sbin/jail/jail.c. The issue is that IP_MOUNT comes before IP__MOUNT_FROM_FSTAB. Of course reordering this would just break things in the opposite direction, so there would be an issue if a mount in fstab was under a mount that is in the config.

# /usr/src/usr.sbin/jail/jail.c
static const enum intparam startcommands[] = {
    IP__NULL,
#ifdef INET
    IP__IP4_IFADDR,
#endif
#ifdef INET6
    IP__IP6_IFADDR,
#endif
    IP_MOUNT,
    IP__MOUNT_FROM_FSTAB,
    IP_MOUNT_DEVFS,
    IP_MOUNT_FDESCFS,
    IP_EXEC_PRESTART,
    IP__OP,
    IP_VNET_INTERFACE,
    IP_EXEC_START,
    IP_COMMAND,
    IP_EXEC_POSTSTART,
    IP__NULL
};

# cat /var/run/jail.test3.conf
# Generated by rc.d/jail at 2015-02-01 08:14:07
test3 {
    host.hostname = "test3";
    path = "/usr/jails/test3";
    ip4.addr += "10.2.1.152/32";
    allow.raw_sockets = 0;
    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "";
    exec.consolelog = "/var/log/jail_test3_console.log";
    mount.fstab = "/etc/fstab.test3";
    mount.devfs;
    mount.fdescfs;
    mount += "procfs /usr/jails/test3/proc procfs rw 0 0";
    allow.mount;
    allow.set_hostname = 0;
    allow.sysvipc = 0;
}

# cat /etc/fstab.test3
/usr/jails/test3.device /usr/jails/test3 ufs rw 0 0
/usr/jails/basejail /usr/jails/test3/basejail nullfs ro 0 0
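
An added example (not part of the original report and not FreeBSD code): a Python check for the ordering problem described in this report, flagging `mount` entries in a jail.conf whose mount point sits below a directory that only exists once the jail's fstab has been processed. The sample inputs are constructed from the test3 files above, the function names are hypothetical, and the parser assumes one double-quoted `mount` value per line.

```python
import re
from pathlib import PurePosixPath

# Constructed sample input, modelled on the test3 jail in the report.
JAIL_CONF = '''
test3 {
    path = "/usr/jails/test3";
    mount.fstab = "/etc/fstab.test3";
    mount.devfs;
    mount += "procfs /usr/jails/test3/proc procfs rw 0 0";
}
'''
FSTAB = '''
/usr/jails/test3.device /usr/jails/test3 ufs rw 0 0
/usr/jails/basejail /usr/jails/test3/basejail nullfs ro 0 0
'''

def fstab_mountpoints(text):
    """Return the mount-point column (field 2) of each non-comment fstab line."""
    points = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2:
            points.append(PurePosixPath(fields[1]))
    return points

def conf_mounts(text):
    """Return mount points named in `mount = "..."` / `mount += "..."` values."""
    # Matches only the bare `mount` parameter, not mount.fstab or mount.devfs.
    pattern = re.compile(r'^\s*mount\s*\+?=\s*"([^"]*)"\s*;', re.MULTILINE)
    values = (m.group(1).split() for m in pattern.finditer(text))
    return [PurePosixPath(v[1]) for v in values if len(v) >= 2]

def ordering_hazards(conf_text, fstab_text):
    """Pairs (conf mount point, fstab mount point) where the conf entry is
    below a directory supplied by the fstab, which jail(8) mounts later."""
    parents = fstab_mountpoints(fstab_text)
    return [(str(target), str(parent))
            for target in conf_mounts(conf_text)
            for parent in parents
            if parent in target.parents]

if __name__ == "__main__":
    for target, parent in ordering_hazards(JAIL_CONF, FSTAB):
        print(f"{target}: processed before fstab entry {parent}")
```
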

Created attachment 152526
Add mount.procfs jail parameter

The problem is already solved for devfs and fdescfs, which have separate back-compat parameters in jail(8). I don't know why procfs doesn't have the same kind of parameter, since it's in the same situation (old rc.d option needing to go into jail.conf).

This patch adds mount.procfs, which works just like mount.devfs and mount.fdescfs, and uses it in rc.d/jail the same way as those do. Like the others, it runs after the jail's fstab.

A commit references this bug:

Author: jamie
Date: Fri Feb 6 17:54:55 UTC 2015
New revision: 278323
URL: https://svnweb.freebsd.org/changeset/base/278323

Log:
  Add mount.procfs jail parameter, so procfs can be mounted when a prison's
  root is in its fstab.

  Also fix a typo while I'm at it.

  PR: 197237 197066
  MFC after: 3 days

Changes:
  head/etc/rc.d/jail
  head/usr.sbin/jail/command.c
  head/usr.sbin/jail/config.c
  head/usr.sbin/jail/jail.8
  head/usr.sbin/jail/jail.c
  head/usr.sbin/jail/jailp.h

A commit references this bug:

Author: jamie
Date: Tue Feb 10 01:05:54 UTC 2015
New revision: 278484
URL: https://svnweb.freebsd.org/changeset/base/278484

Log:
  MFC r278323:

  Add mount.procfs jail parameter, so procfs can be mounted when a prison's
  root is in its fstab.

  Also fix a typo while I'm at it.

  PR: 197237 197066

Changes:
_U  stable/10/
  stable/10/etc/rc.d/jail
  stable/10/usr.sbin/jail/command.c
  stable/10/usr.sbin/jail/config.c
  stable/10/usr.sbin/jail/jail.8
  stable/10/usr.sbin/jail/jail.c
  stable/10/usr.sbin/jail/jailp.h