Re: sysvipc in jails + CURRENT

2010-08-07 Thread Bjoern A. Zeeb

On Thu, 22 Jul 2010, Isaac Levy wrote:

Hi ike,

long time no see.


I could be doing something stupid, or I've dug up an old bug,
(http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00859.html).

I cannot get good ol' trusty enforce_statfs to work, allowing me to see
different mounts from within a jail.

--
The example jail command I'm using, (new-style),
 jail -c path=$JDIR host.hostname=$JHOSTNAME ip4.addr=$INET enforce_statfs=1 command=/bin/sh /etc/rc

I've tried everything- including attempting to change my sysctls over
and over, (including /etc/sysctl.conf with rebooting).
Interestingly:
The old standard 'security.jail.enforce_statfs' was not something I
could modify, *until* I put a sysctl value in /etc/sysctl.conf which was
not 0 (1 or 2 both will let me set the sysctl value once the system is
booted).
If I have security.jail.enforce_statfs=0, to my surprise, I cannot
change that sysctl on the host system as I would usually expect.
(This is what makes me think this smells like a bug)
(This is what makes me think this smells like a bug)

My extra mounts are UFS volumes, mounted right into the jail directory, =
(on another ufs volume).

What follows, are just machine stats if anyone wants them?

I'd love any thoughts, urls, no matter how brief...


I am confused but maybe I can help you with some explanation:

1) do not change the sysctl anywhere; that is neither in sysctl.conf
   nor by other magic or by hand.   The default on 8 and 9 should be
   2.  You can check that with sysctl security.jail.enforce_statfs
   still I think.

2) Creating a new jail
 jail -c path=/jail/j1 persist
   I can see:
 jexec 1 mount
192.168.5.1:/zoo/bz/HEAD on / (nfs)
   And
 jls -s -j 1 enforce_statfs
enforce_statfs=2
   confirms the default.

3) modifying the jail:
 jail -m jid=1 enforce_statfs=1
   I can now see:
 jexec 1 mount
192.168.5.1:/zoo/bz/HEAD on / (nfs)
devfs on /dev (devfs, local, multilabel)
192.168.5.1:/zoo/bz on /zoo/bz (nfs)
   And jls confirms that the modification was successful:
 jls -s -j 1 enforce_statfs
enforce_statfs=1

4) If you lower the default by changing the sysctl, all your jails
   that have a higher level will be lowered as well.

5) But if you up the default again, they won't change back up.


I think that you are right, that there is a bug here, as 4) and 5)
should be working the other way round I think.


Anyway, the summary is: if you don't change the default a
jail -c enforce_statfs=1 ...
should just work fine.


Hope this helps.

/bz

--
Bjoern A. Zeeb   This signature is about you not me.
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
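To make Bjoern's steps 2 and 3 above easier to check on your own host, here is an added example (my own POSIX sh, not code from the thread or from FreeBSD) that models what a jailed process gets back from mount(8)/getfsstat(2) at each enforce_statfs level, following the jail(8) description of the levels: 0 shows every host mount unchanged; 1 shows the jail's root mount plus the mounts below the jail root, with the jail root stripped from the front of their paths; 2 (the default) shows only the mount the jail root lives on. The sample mount table is constructed, trimmed from the one Henrik posted; the function names are my own. It does not model the sysctl-lowering behaviour Bjoern describes in points 4 and 5.

```shell
#!/bin/sh
# Added example, not code from the thread: a model of what a jailed process
# sees from mount(8)/getfsstat(2) at each enforce_statfs level, as jail(8)
# documents the levels:
#   0  every mount point on the host is visible, unchanged
#   1  the jail's root mount plus mounts below the jail root, with the jail
#      root stripped from the front of their paths
#   2  (default) only the mount point the jail root lives on
# Feed it the host's mount(8) output to predict "jexec N mount":
#   mount | jail_view 1 /jail/j1
# Input lines are in mount(8) form: "<fs> on <mountpoint> (<options>)".
# Assumes no spaces in mount point paths.

# Mount point of one mount(8) line.
mount_point() {
    _m=${1#* on }
    printf '%s\n' "${_m%% (*}"
}

# The mount the jail root lives on: the longest mount point that is an
# ancestor of (or equal to) the jail root.  Host mount lines on stdin.
root_mount_of() {   # $1 = jail root
    _best=""
    while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        _mp=$(mount_point "$_l")
        case "$1" in
        "$_mp"|"${_mp%/}"/*) [ ${#_mp} -gt ${#_best} ] && _best=$_mp ;;
        esac
    done
    printf '%s\n' "$_best"
}

# Print the mount lines a jail would see.  $1 = enforce_statfs level,
# $2 = jail root (the path= parameter); host mount lines on stdin.
jail_view() {
    _lvl=$1; _root=${2%/}; _all=$(cat)
    case "$_lvl" in
    0) printf '%s\n' "$_all"; return 0 ;;
    1|2) ;;
    *) echo "jail_view: enforce_statfs must be 0, 1 or 2" >&2; return 1 ;;
    esac
    _rootmp=$(printf '%s\n' "$_all" | root_mount_of "$_root")
    printf '%s\n' "$_all" | while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        _mp=$(mount_point "$_l")
        _fs=${_l%% on *}
        _tail=${_l#*" on $_mp"}           # " (options)"
        if [ "$_mp" = "$_rootmp" ]; then
            # The jail's root mount is reported as "/" at levels 1 and 2,
            # which is the "on /" line in Bjoern's jexec output.
            printf '%s on /%s\n' "$_fs" "$_tail"
        elif [ "$_lvl" = 1 ]; then
            # Below the jail root: visible with the jail root stripped.
            case "$_mp" in
            "$_root"/*) printf '%s on %s%s\n' "$_fs" "${_mp#"$_root"}" "$_tail" ;;
            esac
        fi
    done
}

# Constructed host mount table, trimmed from the one Henrik posted.
HOST_MOUNTS='/dev/da0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/da0s2a on /data00 (ufs, local, noatime, soft-updates)
/dev/da1s1d on /data01 (ufs, local, noatime, soft-updates)
/data01/data/ports on /data00/jails/INTDB01-PROD/usr/ports (nullfs, local, noatime)
devfs on /data00/jails/INTDB01-PROD/dev (devfs, local)
/data01/data/ports on /data00/jails/PROXY03/usr/ports (nullfs, local, noatime)'

for lvl in 0 1 2; do
    echo "== enforce_statfs=$lvl, path=/data00/jails/INTDB01-PROD =="
    printf '%s\n' "$HOST_MOUNTS" | jail_view "$lvl" /data00/jails/INTDB01-PROD
done
```

On a real host, compare `mount | jail_view "$(jls -j 1 enforce_statfs | sed 's/.*=//')" /jail/j1` against `jexec 1 mount`; a mismatch at level 1 for a jail that Bjoern's `jail -m jid=1 enforce_statfs=1` should have affected is the symptom Isaac reports. Note that the level-2 view is the same whether the jail root is its own UFS volume or just a directory on a larger one: the jail sees exactly one filesystem, reported as "/".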


Re: sysvipc in jails + CURRENT

2009-06-04 Thread Boris Samorodov
On Wed, 03 Jun 2009 13:05:03 +0200 Henrik Lidström wrote:

 Quoting Bjoern A. Zeeb b...@zabbadoz.net:

  On Sun, 31 May 2009, Boris Samorodov wrote:
 
  Hi,
 
  has something changed at CURRENT with sysvipc jail handling?
  This jail has been working fine for almost a year.
 
  I've upgraded CURRENT to yesterday's sources and can't start
  postgresql in a jail anymore:
  - the jail -
  % tail -2 /var/log/messages
  May 31 18:22:47 pg postgres[55425]: [1-1] FATAL:  could not create shared memory segment: Function not implemented
  May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL:  Failed system call was shmget(key=5432001, size=30384128, 03600).
  % sysctl security.jail.sysvipc_allowed
  security.jail.sysvipc_allowed: 0
  % grep sysvipc /etc/sysctl.conf
  security.jail.sysvipc_allowed=1
  - the host -
  % uname -a
  FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31
  11:28:31 MSD 2009 r...@tba.bsam.ru:/usr/obj/usr/src/sys/TBA
  amd64
  % sysctl security.jail.sysvipc_allowed
  security.jail.sysvipc_allowed: 1
  -
 
  I'll look into that; possibly the default option is not properly taken
  into account for the new jail framework.
 
  /bz
 
  -- 
  Bjoern A. Zeeb  The greatest risk is not taking one.
 

 Somehow I can't email to the mailing list (it doesn't show up), so I send
 directly to you.

 I also noticed the problem with security.jail.sysvipc_allowed as above.
 Also noticed that I from a jail now can see all filesystems (and that
 jls -v is broken, probably a problem with cpuset?).

 EXTBSD02-PROD# uname -a
 FreeBSD EXTBSD02-PROD.digidoc.com 8.0-CURRENT FreeBSD 8.0-CURRENT #6:
 Tue Jun  2 10:05:40 CEST 2009
 r...@extbsd02-prod.digidoc.com:/data01/obj/usr/src/sys/EXTBSD02  i386

 EXTBSD02-PROD# jls -v
 jls: unknown parameter: cpuset
 EXTBSD02-PROD#

 EXTBSD02-PROD# jls
    JID  IP Address      Hostname                   Path
      1  195.67.11.41    INTDB01-PROD               /data00/jails/INTDB01-PROD
      2  195.67.11.9     INTLOG01-PROD.digidoc.com  /data00/jails/INTLOG01-PROD
      3  62.20.119.164   EXTNS01-PROD               /data00/jails/EXTNS01-PROD
      4  62.20.119.230   PROXY03.digidoc.com        /data00/jails/PROXY03
 EXTBSD02-PROD# jexec 1 /bin/csh
 You have mail.
 INTDB01-PROD# mount -v
 /dev/da0s1a on / (ufs, local)
 devfs on /dev (devfs, local)
 /dev/da0s1e on /tmp (ufs, local, soft-updates)
 /dev/da0s1f on /usr (ufs, local, noatime, soft-updates)
 /dev/da0s1d on /var (ufs, local, noatime, soft-updates)
 /dev/da0s2a on /data00 (ufs, local, noatime, soft-updates)
 /dev/da1s1d on /data01 (ufs, local, noatime, soft-updates)
 tmpfs on /data00/jails/PROXY03/usr/local/squid/scan_dir (tmpfs, local)
 /data01/data/ports on /data00/jails/EXTNS01-PROD/usr/ports (nullfs, local, noatime)
 /data01/data/ports on /data00/jails/INTDB01-PROD/usr/ports (nullfs, local, noatime)
 /data01/data/ports on /data00/jails/INTLOG01-PROD/usr/ports (nullfs, local, noatime)
 /data01/data/ports on /data00/jails/INTSIM01-PROD/usr/ports (nullfs, local, noatime)
 /data01/data/ports on /data00/jails/PROXY03/usr/ports (nullfs, local, noatime)
 /data01/backup/INTDB01PROD/databases on /data00/jails/INTDB01-PROD/usr/backup (nullfs, local, noatime)
 devfs on /data00/jails/INTDB01-PROD/dev (devfs, local)
 procfs on /data00/jails/INTDB01-PROD/proc (procfs, local)
 devfs on /data00/jails/INTLOG01-PROD/dev (devfs, local)
 procfs on /data00/jails/INTLOG01-PROD/proc (procfs, local)
 devfs on /data00/jails/EXTNS01-PROD/dev (devfs, local)
 procfs on /data00/jails/EXTNS01-PROD/proc (procfs, local)
 devfs on /data00/jails/PROXY03/dev (devfs, local)
 procfs on /data00/jails/PROXY03/proc (procfs, local)
 INTDB01-PROD#

There is definitely some inconsistency. JAIL(8) at recent
CURRENT talks about security.jail.param.allow.sysvipc and
it is listed via sysctl -d security.jail.param. But it seems
not to be used:
- at the jail -
# sysctl security.jail.param.allow.sysvipc
#
-


WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone  Internet SP
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve


sysvipc in jails + CURRENT

2009-05-31 Thread Boris Samorodov
Hello List,


has something changed at CURRENT with sysvipc jail handling?
This jail has been working fine for almost a year.

I've upgraded CURRENT to yesterday's sources and can't start
postgresql in a jail anymore:
- the jail -
% tail -2 /var/log/messages
May 31 18:22:47 pg postgres[55425]: [1-1] FATAL:  could not create shared memory segment: Function not implemented
May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL:  Failed system call was shmget(key=5432001, size=30384128, 03600).
% sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 0
% grep sysvipc /etc/sysctl.conf 
security.jail.sysvipc_allowed=1
- the host -
% uname -a
FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31 11:28:31 MSD 
2009 r...@tba.bsam.ru:/usr/obj/usr/src/sys/TBA  amd64
% sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
-


WBR
-- 
bsam