Linux-only jail: yes it is possible

2010-03-02 Thread Baptiste Daroussin
Hi,

I'm new to the list. I just want to testify that Linux-only jails are possible.

I just (a few days ago) managed to have Debian GNU/Linux Lenny in a jail on
FreeBSD 8-STABLE (last update should be January). It is not perfect but it
works. So far I've been able to get ssh, apache, xinetd and cron working. The
only tested thing that currently fails is sysklogd because of tries entries in /dev.

An explanation in French is available here:
http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD

Here is a fast translation:

1/ Create the jail skeleton:
# mkdir /home/jails/debian
# mkdir /home/jails/debian/dev
# mkdir /home/jails/debian/proc
# mkdir /home/jails/debian/sys

2/ Load the linuxulator modules
# kldload linux
# kldload linprocfs
# kldload linsysfs
# kldload lindev

3/ Mount the required FS
# mount -t devfs none /home/jails/debian/dev
# mount -t linprocfs none /home/jails/debian/proc
# mount -t linsysfs none /home/jails/debian/sys

(note: I'm not sure whether lindev is important or not)

I use an OpenVZ Debian image for my setup because I'm lazy
4/ fetch it
# fetch http://download.openvz.org/template/precreated/debian-5.0-x86.tar.gz

5/ unpack it
# tar xvfp debian-5.0-x86.tar.gz -C debian --exclude 'dev*' --exclude 'proc*' \
--exclude 'sys*'

Now, to be able to start the jail normally, we only need one process to run (I
didn't really try to make it persistent with the persist keyword).

To take care of my laziness, I created an /etc/rc and /etc/rc.shutdown on the
Debian to be sure it can work with the jail init script out of the box.

# echo "/etc/init.d/cron start" > /home/jails/debian/etc/rc
# chmod 755 /home/jails/debian/etc/rc
# echo "/etc/init.d/cron stop" > /home/jails/debian/etc/rc.shutdown
# chmod 755 /home/jails/debian/etc/rc.shutdown

In rc.conf:
jail_debian_rootdir="/home/jails/debian"
jail_debian_hostname="debian"
jail_debian_ip="192.168.1.3"
jail_debian_interface="nfe0"
jail_debian_devfs_enable="YES"
jail_debian_devfs_ruleset="devfsrules_jail"
jail_debian_flags="-n debian"

# /etc/rc.d/jail start debian # to start it

Here is the magic:
# jls
   JID  IP Address      Hostname    Path
    15  192.168.1.3     debian      /home/jails/debian
# jexec debian uname -a
   Linux debian 2.6.16 FreeBSD 8.0-STABLE #3: Sun Jan 10 20:39:38 CET 2010 i686 GNU/Linux
# jexec debian cat /etc/debian_version
   5.0.4

My main usage is to be able to test my own C code on Linux.

Hope it can help.

regards,
-
Bapt
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
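
Steps 4 and 5 above unpack a third-party root filesystem image as root with permissions preserved, so it is worth listing the archive before extracting it. The following is an added example, not part of the original post: a POSIX shell function, `audit_listing` (a hypothetical name), that reads `tar -tvf` output and flags member names that escape the target directory, device nodes outside `dev/`, and setuid/setgid files. The sample listing is constructed, and the column layout (member name starting at field 9) is an assumption.

```sh
#!/bin/sh
# Added example: audit a root-filesystem tarball listing before unpacking it
# as root with permissions preserved (tar xvfp).
# Assumption: input is `tar -tvf` output in ls -l style, member name at field 9.

# audit_listing (hypothetical helper): read a listing on stdin and print one
# finding per line: ESCAPE (absolute or ".." member name), DEVICE (device
# node outside dev/, which the extraction step excludes), SETID (setuid or
# setgid regular file to review).
audit_listing() {
    awk '
    {
        mode = $1
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        # Keep only the member name of symlinks and hard links.
        sub(/ -> .*$/, "", name)
        sub(/ link to .*$/, "", name)
        rel = name
        sub(/^\.\//, "", rel)
        if (name ~ /^\// || rel ~ /(^|\/)\.\.(\/|$)/) print "ESCAPE " name
        if (mode ~ /^[bc]/ && rel !~ /^dev\//) print "DEVICE " name
        if (mode ~ /^-/ && mode ~ /[sS]/) print "SETID " name
    }'
}

# Constructed sample listing (not taken from the real template).
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  0 root   root        0 Feb 10  2010 ./
-rwxr-xr-x  0 root   root   700492 May 12  2008 ./bin/bash
-rwsr-xr-x  0 root   root    31640 Nov 22  2008 ./bin/su
crw-rw-rw-  0 root   root      1,3 Feb 10  2010 ./dev/null
brw-r-----  0 root   root      8,0 Feb 10  2010 ./var/tmp/sda
lrwxrwxrwx  0 root   root        0 Feb 10  2010 ./etc/mtab -> /proc/mounts
-rw-r--r--  0 root   root       42 Feb 10  2010 ../etc/rc.conf
EOF
}

# Real use: tar -tvf debian-5.0-x86.tar.gz | audit_listing
sample_listing | audit_listing
```

An empty result means none of the three conditions matched; a SETID line is a prompt to review that file, not a verdict on it.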


Re: Linux-only jail: yes it is possible

2010-03-03 Thread Baptiste Daroussin
2010/3/3 Jack Carrozzo j...@crepinc.com

> So you're running a linux 'world' (binaries and dir structure) inside a
> jail'd BSD kernel? Or did you do some insane code to somehow run a linux
> kernel...


Linux world inside a jail on a FreeBSD host, i.e. a Linux-only jail :) No Linux
kernel.

cheers,
Bapt


Re: Marking some FS as jailable

2013-02-14 Thread Baptiste Daroussin
On Thu, Feb 14, 2013 at 07:58:52AM -0700, Jamie Gritton wrote:
> On 02/14/13 07:56, Baptiste Daroussin wrote:
> > On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> > > On 02/14/13 06:27, Baptiste Daroussin wrote:
> > > > On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> > > > > On 02/12/13 12:40, Baptiste Daroussin wrote:
> > > > > >
> > > > > > I would like to mark some filesystem as jailable, here is the one I need:
> > > > > > linprocfs, tmpfs and fdescfs, I was planning to do it with adding a
> > > > > > allow.mount.${fs} for each one.
> > > > > >
> > > > > > Anyone has an objection?
> > > > >
> > > > > Would it make sense for linprocfs to use the existing allow.mount.procfs
> > > > > flag?
> > > >
> > > > Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs.
> > > >
> > > > It also adds a new allow.mount.tmpfs to allow tmpfs.
> > > >
> > > > It seems to work here, can anyone confirm this is the right way to do it?
> > > >
> > > > I'll commit in 2 parts: first lin*fs, second tmpfs related things
> > > >
> > > > http://people.freebsd.org/~bapt/jail-fs.diff
> > >
> > > There are some problems. The usage on the mount side of things looks
> > > correct, but it needs more on the jail side. I'm including a patch just
> > > of that part, with a correction in jail.h and further changes in
> > > kern_jail.c
> >
> > Thank you the patch has been updated with your fixes.
>
> One more bit (literally): PR_ALLOW_ALL in sys/jail.h needs updating.
>
> - Jamie

Fixed thanks

Bapt




Re: Marking some FS as jailable

2013-05-05 Thread Baptiste Daroussin
On Sun, May 05, 2013 at 02:00:16AM +0100, Jase Thew wrote:
> On 14/02/2013 15:08, Baptiste Daroussin wrote:
> > On Thu, Feb 14, 2013 at 07:58:52AM -0700, Jamie Gritton wrote:
> > > On 02/14/13 07:56, Baptiste Daroussin wrote:
> > > > On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> > > > > On 02/14/13 06:27, Baptiste Daroussin wrote:
> > > > > > On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> > > > > > > On 02/12/13 12:40, Baptiste Daroussin wrote:
> > > > > > > >
> > > > > > > > I would like to mark some filesystem as jailable, here is the one I need:
> > > > > > > > linprocfs, tmpfs and fdescfs, I was planning to do it with adding a
> > > > > > > > allow.mount.${fs} for each one.
> > > > > > > >
> > > > > > > > Anyone has an objection?
> > > > > > >
> > > > > > > Would it make sense for linprocfs to use the existing allow.mount.procfs
> > > > > > > flag?
> > > > > >
> > > > > > Here is a patch that uses allow.mount.procfs for linsysfs and linprocfs.
> > > > > >
> > > > > > It also adds a new allow.mount.tmpfs to allow tmpfs.
> > > > > >
> > > > > > It seems to work here, can anyone confirm this is the right way to do it?
> > > > > >
> > > > > > I'll commit in 2 parts: first lin*fs, second tmpfs related things
> > > > > >
> > > > > > http://people.freebsd.org/~bapt/jail-fs.diff
> > > > >
> > > > > There are some problems. The usage on the mount side of things looks
> > > > > correct, but it needs more on the jail side. I'm including a patch just
> > > > > of that part, with a correction in jail.h and further changes in
> > > > > kern_jail.c
> > > >
> > > > Thank you the patch has been updated with your fixes.
> > >
> > > One more bit (literally): PR_ALLOW_ALL in sys/jail.h needs updating.
> > >
> > > - Jamie
> >
> > Fixed thanks
> >
> > Bapt
>
> Hi,
>
> Is this functionality likely to make its way into HEAD and if so, do you
> have any idea as to the timescale?
>
> Regards,

I would love to, but I'm still waiting for a security review that no one has
done yet ;(




Re: pkg install fails in jail with v 1.8.7

2016-08-23 Thread Baptiste Daroussin
On Mon, Aug 22, 2016 at 02:46:21PM -0400, Thomas Thompson wrote:
> Hello,
> 
> I've run into an odd problem with pkg v 1.8.7 and jails on a FreeBSD 9.3
> server.  I'm getting the same error as described in this thread from the
> forums:  https://forums.freebsd.org/threads/56490/ where package installs
> fail and report two errors (snipped from jail install logs):
> 
> pkg: dup2(rootfd): Invalid argument
> 
> pkg: Fail to create /usr: Bad file descriptor
> 
> It's not an FS issue as far as I can tell (fsck returns clean), and it goes
> away if I lock the pkg version in the ezjail.current file before doing
> updates and installing new packages:
> 
> pkg lock -y pkg
> 
> pkg 1.8.7 works fine on another server, and my google-fu isn't finding
> anything obvious.  Any help / pointers here would be greatly appreciated.
> For reference / on the server is ufs.

I have replied on the forum.
Short version: running a 9.3 binary that uses things (discovered at build time)
only available on 9.3 and not on 9.1. The fix: either upgrade your system or
build your own set of packages on 9.1.

Best regards,
Bapt




Debugging jails in dying state

2016-11-02 Thread Baptiste Daroussin
Hi,

Is there a way to debug/trace what a jail is doing in dying state?

I have a couple of jails that take a very long time in dying state even after
all processes and TCP connections are dead.

I can't find a way to figure out what it is waiting for.

Any clue?

By very long I mean up to 20min!

Best regards,
Bapt




Re: [call for testing] kmod-devctl-jail

2019-06-11 Thread Baptiste Daroussin
On Fri, Jun 07, 2019 at 02:46:42AM +0200, Fabian Freyer wrote:
> Hi all,
> 
> I'd like to call for testing of the kernel module kmod-devctl-jail [1],
> which adds devctl(4) support for jail state changes. The aim is to provide
> some logging and/or auditing support as well as providing jail managers with
> a way to get notified of jail state changes.
> 
> I'm not yet clear as to whether this is something that could/should get
> upstreamed into base, or should better live in ports.
> 
> Please CC me when replying to this, as I am not subscribed to freebsd-jail@.
> 
> Thanks,
> Fabian
> 
> [1] https://github.com/fubarnetes/kmod_devctl_jail.git

At a quick glance it clearly sounds like something that should be added to the
official source tree. It does not sound like something that will evolve a lot
and need to be updated on a regular basis, meaning once it is in, so it should be
fine.

Best regards,
Bapt

