xioustic
Hello,
I've spent a few days on this and not too sure how to proceed, so reaching out for help. I'll put a $75 bounty on this issue payable in Bitcoin.
I want to use EncFS (Encrypted Filesystem) within a jail. EncFS requires the usage of FUSE (Filesystem in Userspace) which is native to FreeBSD 10+ now; related is kernel module fuse.ko and device /dev/fuse.
My use case is running Gogs (basically a GitHub clone written in Go) within a jail (this works fine) but I want to keep the application data encrypted at rest when the jail is not being used by using encfs prior to running the Gogs service.
A similar use case which might be more common is the usage of sshfs within a jail, which is a common utility today and also requires fuse. I believe similar steps to getting sshfs working within a jail would parallel the steps needed for getting encfs working within a jail. See manpages here: https://www.freebsd.org/cgi/man.cgi?query=sshfs&manpath=SuSE+Linux/i386+11.3
Progress:
- The fuse kernel module loads at boot without issue per kldstat listing fuse.ko:
Code:
[root@freenas] ~# kldstat | grep fuse.ko
2 1 0xffffffff81de6000 18210 fuse.ko
- I have fuse (/dev/fuse) available. Permissions as follows within host:
Code:
[root@freenas] ~# ls -alh /dev/fuse
crw-rw---- 1 root operator 0x56 May 1 15:12 /dev/fuse
- I am able to see /dev/fuse from within the jail:
Code:
[root@freenas] ~# jexec 2 csh
root@gogs:/ # ls -alh /dev/fuse
crw-rw---- 1 root operator 0x56 May 1 15:12 /dev/fuse
- I have EncFS installed within the jail via pkg install fusefs-encfs:
Code:
root@gogs:/ # encfs --version
encfs version 1.9.1
Roadblock:
Code:
root@gogs:~ # encfs ~/.crypt ~/crypt
EncFS Password:
mount_fusefs: /dev/fuse on /root/crypt: Operation not permitted
fuse: failed to mount file system: Operation not permitted
fuse failed. Common problems:
 - fuse kernel module not installed (modprobe fuse)
 - invalid options -- see usage message
My only additional lead at this point is to use sysctl vfs.usermount=1, but with this enabled or disabled and restarting the jail I still hit the same roadblock above.
I have read conflicting information on adding devfs.rules for 'fuse' and its permissions, and also revolving around the 'operator' group, but no definitive steps on how to proceed. So now I'm reaching out for help.
I'd see if I could use encfs fine on the host machine first but I do not want to go that route anyway: I want the jail to have autonomy over when/how encfs mounts its directory(s).
Thanks for reading and your time.