Created attachment 246422
Set mnt_exjail for an automounted ZFS snapshot

Commit 88175af added a check for exported to correct jail, using a new mount field called mnt_exjail. This field is filled in when a file system is exported. Unfortunately, this field is not filled in when /<dataset>/.zfs/snapshot/<snapshot-name> is automounted. As a result, access to this automounted snapshot is not allowed via NFS.

The attached patch, which sets mnt_exjail for this case, seems to fix the problem. This patch is now on phabricator as D42672.

I will leave this PR open until an errata for FreeBSD 14.0 is done to fix the problem.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f5f277728adec4c5b3e840a1fb16bd16f8cc956d

commit f5f277728adec4c5b3e840a1fb16bd16f8cc956d
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-11-23 15:23:33 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-11-23 15:23:33 +0000

nfsd: Fix NFS access to .zfs/snapshot snapshots

When a process attempts to access a snapshot under /<dataset>/.zfs/snapshot, the snapshot is automounted. However, without this patch, the automount does not set mnt_exjail, which results in the snapshot not being accessible over NFS.

This patch defines a new function called vfs_exjail_clone() which sets mnt_exjail from another mount point and then uses that function to set mnt_exjail in the snapshot automount. A separate patch that is currently a pull request for OpenZFS, calls this function to fix the problem.

PR: 275200
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D42672

sys/kern/vfs_mount.c | 35 +++++++++++++++++++++++++++++++++++
sys/sys/mount.h | 4 ++++
2 files changed, 39 insertions(+)
Created attachment 246517
Set mnt_exjail for an automounted ZFS snapshot

This version of the patch should be safe when vfs_exjail_clone() is called just when a jail is dying.
The vfs_exjail_clone() part of the patch has been committed to main and will be MFC'd in 3 days. The ZFS part of the patch is being done as a pull request on OpenZFS.
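An added illustration, not code from the FreeBSD tree or from this PR: a userland C model of why an automounted snapshot with no mnt_exjail is refused and how cloning the field from the parent mount changes that. Every name other than mnt_exjail is hypothetical, locking is left out, and refusing to clone from a dying jail is an assumption about what the revised attachment guards against.

```c
/* Userland model with constructed data; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdio.h>

struct jail  { int alive; };                    /* hypothetical stand-in for a jail */
struct cred  { int refs; struct jail *jail; };  /* credential that pins the jail */
struct mount { struct cred *mnt_exjail; };      /* field named on the page */

/* Server-side check: serve a mount only if this jail exported it. */
static int model_export_ok(const struct mount *mp, const struct jail *j)
{
    return mp->mnt_exjail != NULL && mp->mnt_exjail->jail == j;
}

/* Model of the clone step: inherit the export jail from the parent mount. */
static int model_exjail_clone(struct mount *in, struct mount *out)
{
    struct cred *cr = in->mnt_exjail;

    if (cr == NULL)
        return 0;             /* parent is not exported: nothing to inherit */
    cr->refs++;               /* hold the credential while deciding */
    if (!cr->jail->alive || out->mnt_exjail != NULL) {
        cr->refs--;           /* dying jail, or already set: drop the hold */
        return 0;
    }
    out->mnt_exjail = cr;     /* the hold now belongs to the snapshot mount */
    return 1;
}

/* Returns (allowed before clone << 1) | allowed after clone. */
static int model_scenario(int jail_alive)
{
    struct jail j = { jail_alive };
    struct cred cr = { 1, &j };
    struct mount dataset = { &cr }, snapshot = { NULL };
    int before = model_export_ok(&snapshot, &j);

    model_exjail_clone(&dataset, &snapshot);
    return (before << 1) | model_export_ok(&snapshot, &j);
}

int main(void)
{
    printf("live jail: %d, dying jail: %d\n",
        model_scenario(1), model_scenario(0));
    return 0;
}
```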
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a7c25f0d064425bc7a3b170aa441fecf0ae38600

commit a7c25f0d064425bc7a3b170aa441fecf0ae38600
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-11-23 15:23:33 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-11-26 00:53:29 +0000

nfsd: Fix NFS access to .zfs/snapshot snapshots

When a process attempts to access a snapshot under /<dataset>/.zfs/snapshot, the snapshot is automounted. However, without this patch, the automount does not set mnt_exjail, which results in the snapshot not being accessible over NFS.

This patch defines a new function called vfs_exjail_clone() which sets mnt_exjail from another mount point and then uses that function to set mnt_exjail in the snapshot automount. A separate patch that is currently a pull request for OpenZFS, calls this function to fix the problem.

PR: 275200

(cherry picked from commit f5f277728adec4c5b3e840a1fb16bd16f8cc956d)

sys/kern/vfs_mount.c | 35 +++++++++++++++++++++++++++++++++++
sys/sys/mount.h | 4 ++++
2 files changed, 39 insertions(+)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7aaf39f6b3b0bc5cc171eac7ca118d17460ea5db

commit 7aaf39f6b3b0bc5cc171eac7ca118d17460ea5db
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-11-23 15:23:33 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2023-11-30 12:28:50 +0000

nfsd: Fix NFS access to .zfs/snapshot snapshots

When a process attempts to access a snapshot under /<dataset>/.zfs/snapshot, the snapshot is automounted. However, without this patch, the automount does not set mnt_exjail, which results in the snapshot not being accessible over NFS.

This patch defines a new function called vfs_exjail_clone() which sets mnt_exjail from another mount point and then uses that function to set mnt_exjail in the snapshot automount. A separate patch that is currently a pull request for OpenZFS, calls this function to fix the problem.

PR: 275200

(cherry picked from commit f5f277728adec4c5b3e840a1fb16bd16f8cc956d)

sys/kern/vfs_mount.c | 35 +++++++++++++++++++++++++++++++++++
sys/sys/mount.h | 4 ++++
2 files changed, 39 insertions(+)
It looks like the ZFS component of the change has not yet landed in stable/13. That is, stable/13 doesn't have this commit: https://cgit.freebsd.org/src/commit/?id=acb33ee1c169bf1c1f687db18fa1815ffa68f246 Is there any reason we cannot cherry-pick it directly?
It appears the patch has now been MFC'd to stable/14 and stable/13, since emaste@ has committed the ZFS part to stable/13. It also appears that an EN to releng/14.0 is in progress. I will close this PR once that has happened. Thanks everyone for your help with this.
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4fd0162652a2e0f51aad99055ec837049febaee2

commit 4fd0162652a2e0f51aad99055ec837049febaee2
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2023-11-23 15:23:33 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-12-04 15:45:11 +0000

nfsd: Fix NFS access to .zfs/snapshot snapshots

When a process attempts to access a snapshot under /<dataset>/.zfs/snapshot, the snapshot is automounted. However, without this patch, the automount does not set mnt_exjail, which results in the snapshot not being accessible over NFS.

This patch defines a new function called vfs_exjail_clone() which sets mnt_exjail from another mount point and then uses that function to set mnt_exjail in the snapshot automount. A separate patch that is currently a pull request for OpenZFS, calls this function to fix the problem.

PR: 275200
Approved by: so
Security: FreeBSD-EN-23:22.vfs

(cherry picked from commit f5f277728adec4c5b3e840a1fb16bd16f8cc956d)
(cherry picked from commit a7c25f0d064425bc7a3b170aa441fecf0ae38600)

sys/kern/vfs_mount.c | 35 +++++++++++++++++++++++++++++++++++
sys/sys/mount.h | 4 ++++
2 files changed, 39 insertions(+)
Fixed in 14.0-RELEASE-p2.