11.3 to 12.0-BETA Jails upgrade and devfs rulesets

MarkusT

After updating to 12.0-BETA most of my jails do not start anymore.

As a first naive approach I first updated one of the jails from the GUI and then tried to upgrade it without success.

Using the CLI `iocage upgrade` command I learned that I first had to fetch the new 12.1 release. Actually 12.1 should work because TrueNAS 12.0-BETA should work with all 12.x releases.
After some minor errors the upgrade procedure ended and starting the jail resulted in an error referring to missing devfs rulesets. However, the GUI under Jail properties gives an option to set a devfs ruleset number. With `devfs rule showsets` I found out that the number 7 set in the GUI was not listed as a ruleset number anymore. Changing this number to 4 did allow me to start the jails again.

However, I have not understood the concept behind the devfs rulesets. Could anybody give me some insight into these devfs rulesets and perhaps tell me why the numbers have changed?
 

Samuel Tai

> However, I have not understood the concept behind the devfs rulesets. Could anybody give me some insight into these devfs rulesets and perhaps tell me why the numbers have changed?

It's an ad hoc method of altering visibility of /dev/ devices inside the jail for ostensible security purposes. They're supposed to work so that visibility gets more restricted as you climb the ruleset index, so 0 is completely unrestricted. In 11.3, 5 was the highest you could go up in ruleset.
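The failure from the first post (a jail configured with devfs ruleset 7 while `devfs rule showsets` no longer lists 7) can be checked for before starting jails. This is an added example, not code from the thread or from TrueNAS; the jail names and the sample ruleset list are constructed, and the output of `devfs rule showsets` is assumed to be one ruleset number per line.

```shell
#!/bin/sh
# Added example: report jails whose configured devfs ruleset number
# is not among the rulesets currently loaded on the host.

# missing_ruleset_jails "SHOWSETS_OUTPUT" "JAIL_TABLE"
#   SHOWSETS_OUTPUT: text printed by `devfs rule showsets`
#                    (assumed: one ruleset number per line)
#   JAIL_TABLE:      one "jailname ruleset" pair per line
# Prints one line per problem jail; returns 1 if any jail is affected.
missing_ruleset_jails() {
    # Strip stray blanks so each line is exactly one number.
    loaded=$(printf '%s\n' "$1" | tr -d ' \t')
    status=0
    while read -r name ruleset; do
        [ -n "$name" ] || continue
        case $ruleset in
            ''|*[!0-9]*)
                echo "$name: devfs ruleset '$ruleset' is not a number"
                status=1
                continue ;;
        esac
        # -x matches the whole line, so 7 does not match 70 or 17.
        if ! printf '%s\n' "$loaded" | grep -qxF "$ruleset"; then
            echo "$name: devfs ruleset $ruleset is not loaded"
            status=1
        fi
    done <<EOF
$2
EOF
    return "$status"
}

# Constructed sample data (not taken from a real system).
SAMPLE_SETS='1
2
3
4'
SAMPLE_JAILS='jail_a 7
jail_b 4'

# Demo run on the constructed data; flags jail_a only.
missing_ruleset_jails "$SAMPLE_SETS" "$SAMPLE_JAILS" || true

# On the host, feed it live data ("myjail" is a placeholder name):
#   missing_ruleset_jails "$(devfs rule showsets)" \
#       "myjail $(iocage get devfs_ruleset myjail)"
```

Before pointing a flagged jail at a different number, `devfs rule -s <number> show` lists the rules in that set, so you can see which devices it hides or exposes.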
 

MarkusT

Thank you for the information. I guess I have to check which restrictions the different rulesets include.
Shouldn't these rulesets be included in any documentation of the new TrueNAS? What can be found on general FreeBSD pages does not reflect any configured default rulesets.
 