I figured since I've been kind of focusing on iocage stuff, that I would cover how I've been mounting other file systems into my jails. I want to start by saying that I'm not sure if this is even a good method at all. I didn't want to give jails permissions to mount anything from inside. I wanted to keep things as restricted as possible from inside the jail. I've used this technique mostly in my plex and samba jails so far. I know I haven't written anything about samba yet. I'm still playing with it currently.
So the way I start it by setting up a jail, and then going into the root file system (the one provisioned by iocage itself). From there I make an empty directory, just like any other mount point. For example:
So now I exit the jail and on the host system, I run a jls, you can use iocage list, but jls shows the filesystem path to the jail which makes it easier. For the following examples I'm just going to use the UUID that is in the iocage man page, and all other details are made up as well. The jls command should return something similar to:
JID IP Address Hostname Path 1 192.168.99.5 realjail1 /iocage/jails/adae47cb-01a8-11e4-aa78-3c970ea3222f/root
Now I take note of that path. I make two shell script for my jail. For now I have been using the jailname and up and down. So in this case realjail1-up and realjail1-down. An example of the up script is:
#!/bin/sh mount -t nullfs -o ro /hostfiles/iwant/toshare /iocage/jails/adae47cb-01a8-11e4-aa78-3c970ea3222f/root/mystuff
You can make it read only like I did, or leave it read write. Also good things to note about nullfs mounts are that any directory can be mounted. It does not have to be a dataset or separate file system. So if you have a mount point on the host that has pictures and music, but you only want to share the subdirectory with pictures to a specific jail, you can do that.
Now for an example of my down script:
#!/bin/sh umount /iocage/jails/adae47cb-01a8-11e4-aa78-3c970ea3222f/root/mystuff
Well that was easy. You can pretty much save these scripts wherever you like as long as they are executable and accessible by root. So not very limiting.
Now that you have the scripts, lets make them run when the jail starts and stops. First we start by looking at our jail parameters related to starting and stopping:
iocage get all realjail1 | grep exec exec_fib:0 exec_start:/bin/sh /etc/rc exec_stop:/bin/sh /etc/rc.shutdown exec_prestart:/usr/bin/true exec_prestop:/usr/bin/true exec_poststop:/usr/bin/true exec_poststart:/usr/bin/true exec_clean:1 exec_timeout:60 exec_jail_user:root exec_system_jail_user:0 exec_system_user:root
This is pretty much the default (as of the current version of iocage I have). The two parameters we want are exec_prestart and exec_poststop. I selected these because I want services inside the jail to see these mount points, and I can't do that with a poststart or a prestop, or I will get errors about missing files.
So now we set the values to the location of our script. For simplify of I have selected /usr/local/sbin to hold them. This is not necessarily a recommendation as it could get confusing to have them as runnable commands by users and it may interfere with packages or ports. But you should know your file systems better than I do, so pick a good spot that works for you. Once you settle on that run:
iocage set exec_prestart=/usr/local/sbin/realjail1-up iocage set exec_poststop=/usr/local/sbin/realjail1-down
Now the next time you restart the jail you should have your new file system. It's pretty much that easy. Of course there is the matter of ownership, since users and groups may or may not exist in your jail. You can create necessary users and groups inside your jail to make applications work with the new mount points. The ownership of files and directories however will still be controlled on the host system unless you have opted to make it a read write file system, in which case it can be modified from inside the jail. Again this is going to largely depend on what services you are running and what goals you have.
Hopefully this comes in handy for someone else. And if there is a better method great go ahead and use that. I, again, didn't want to delegate any control over the files to the jail, unless I specifically chose to.