Linux-only jail: yes it is possible
Hi,

I'm new to the list. I just want to testify that Linux-only jails are possible.

I just (a few days ago) managed to have Debian GNU/Linux Lenny in a jail on FreeBSD 8-STABLE (last update should be January). It is not perfect but it works.

For now I've been able to make ssh, apache, xinetd and cron work. The only tested thing that currently fails is sysklogd, because of the entries it tries in /dev.

Explanations in French are available here: http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD

Here is a fast translation:

1/ Create the jail skeleton:
# mkdir /home/jails/debian
# mkdir /home/jails/debian/dev
# mkdir /home/jails/debian/proc
# mkdir /home/jails/debian/sys

2/ Load the linuxulator modules
# kldload linux
# kldload linprocfs
# kldload linsysfs
# kldload lindev

3/ Mount the required FS
# mount -t devfs none /home/jails/debian/dev
# mount -t linprocfs none /home/jails/debian/proc
# mount -t linsysfs none /home/jails/debian/sys

(note: I'm not sure whether lindev is important or not)

I use an OpenVZ Debian image for my setup because I'm lazy.

4/ Fetch it
# fetch http://download.openvz.org/template/precreated/debian-5.0-x86.tar.gz

5/ Unpack it
# tar xvfp debian-5.0-x86.tar.gz -C debian --exclude 'dev*' --exclude 'proc*' \
    --exclude 'sys*'

Now, to be able to start the jail normally we only need one process to run (I didn't really try to make it persistent with the persist keyword).

To take care of my laziness, I created an /etc/rc and an /etc/rc.shutdown on the Debian to be sure it can work with the jails init script ootb.

# echo "/etc/init.d/cron start" > /home/jails/debian/etc/rc
# chmod 755 /home/jails/debian/etc/rc
# echo "/etc/init.d/cron stop" > /home/jails/debian/etc/rc.shutdown
# chmod 755 /home/jails/debian/etc/rc.shutdown

In the rc.conf:
jail_debian_rootdir="/home/jails/debian"
jail_debian_hostname="debian"
jail_debian_ip="192.168.1.3"
jail_debian_interface="nfe0"
jail_debian_devfs_enable="YES"
jail_debian_devfs_ruleset="devfsrules_jail"
jail_debian_flags="-n debian"

# /etc/rc.d/jail start debian   # to start it

Here is the magic:
# jls
   JID  IP Address      Hostname                      Path
    15  192.168.1.3     debian                        /home/jails/debian
# jexec debian uname -a
Linux debian 2.6.16 FreeBSD 8.0-STABLE #3: Sun Jan 10 20:39:38 CET 2010 i686 GNU/Linux
# jexec debian cat /etc/debian_version
5.0.4

My main usage is to be able to test my own C code on Linux.

Hope it can help.

regards,
- Bapt
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
Re: Linux-only jail: yes it is possible
2010/3/3 Jack Carrozzo j...@crepinc.com

> So you're running a linux 'world' (binaries and dir structure) inside a
> jail'd BSD kernel? Or did you do some insane code to somehow run a linux
> kernel...

Linux world inside a jail on a FreeBSD host, i.e. a Linux-only jail :) no Linux kernel

cheers,
Bapt
Re: Marking some FS as jailable
On Thu, Feb 14, 2013 at 07:58:52AM -0700, Jamie Gritton wrote:
> On 02/14/13 07:56, Baptiste Daroussin wrote:
> > On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> > > On 02/14/13 06:27, Baptiste Daroussin wrote:
> > > > On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> > > > > On 02/12/13 12:40, Baptiste Daroussin wrote:
> > > > > > I would like to mark some filesystems as jailable. Here are the
> > > > > > ones I need: linprocfs, tmpfs and fdescfs. I was planning to do it
> > > > > > by adding an allow.mount.${fs} for each one.
> > > > > >
> > > > > > Anyone has an objection?
> > > > >
> > > > > Would it make sense for linprocfs to use the existing
> > > > > allow.mount.procfs flag?
> > > >
> > > > Here is a patch that uses allow.mount.procfs for linsysfs and
> > > > linprocfs. It also adds a new allow.mount.tmpfs to allow tmpfs.
> > > >
> > > > It seems to work here, can anyone confirm this is the right way to
> > > > do it?
> > > >
> > > > I'll commit in 2 parts: first lin*fs, second tmpfs related things.
> > > >
> > > > http://people.freebsd.org/~bapt/jail-fs.diff
> > >
> > > There are some problems. The usage on the mount side of things looks
> > > correct, but it needs more on the jail side. I'm including a patch
> > > just of that part, with a correction in jail.h and further changes in
> > > kern_jail.c
> >
> > Thank you, the patch has been updated with your fixes.
>
> One more bit (literally): PR_ALLOW_ALL in sys/jail.h needs updating.
>
> - Jamie

Fixed, thanks.

Bapt
Re: Marking some FS as jailable
On Sun, May 05, 2013 at 02:00:16AM +0100, Jase Thew wrote:
> On 14/02/2013 15:08, Baptiste Daroussin wrote:
> > On Thu, Feb 14, 2013 at 07:58:52AM -0700, Jamie Gritton wrote:
> > > On 02/14/13 07:56, Baptiste Daroussin wrote:
> > > > On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote:
> > > > > On 02/14/13 06:27, Baptiste Daroussin wrote:
> > > > > > On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote:
> > > > > > > On 02/12/13 12:40, Baptiste Daroussin wrote:
> > > > > > > > I would like to mark some filesystems as jailable. Here are
> > > > > > > > the ones I need: linprocfs, tmpfs and fdescfs. I was planning
> > > > > > > > to do it by adding an allow.mount.${fs} for each one.
> > > > > > > >
> > > > > > > > Anyone has an objection?
> > > > > > >
> > > > > > > Would it make sense for linprocfs to use the existing
> > > > > > > allow.mount.procfs flag?
> > > > > >
> > > > > > Here is a patch that uses allow.mount.procfs for linsysfs and
> > > > > > linprocfs. It also adds a new allow.mount.tmpfs to allow tmpfs.
> > > > > >
> > > > > > It seems to work here, can anyone confirm this is the right way
> > > > > > to do it?
> > > > > >
> > > > > > I'll commit in 2 parts: first lin*fs, second tmpfs related things.
> > > > > >
> > > > > > http://people.freebsd.org/~bapt/jail-fs.diff
> > > > >
> > > > > There are some problems. The usage on the mount side of things
> > > > > looks correct, but it needs more on the jail side. I'm including a
> > > > > patch just of that part, with a correction in jail.h and further
> > > > > changes in kern_jail.c
> > > >
> > > > Thank you, the patch has been updated with your fixes.
> > >
> > > One more bit (literally): PR_ALLOW_ALL in sys/jail.h needs updating.
> > >
> > > - Jamie
> >
> > Fixed, thanks.
> >
> > Bapt
>
> Hi,
>
> Is this functionality likely to make its way into HEAD and if so, do you
> have any idea as to the timescale?
>
> Regards,

I would love to, but I'm still waiting for a security review no one has done yet ;(
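
An added example, not part of the thread or of the patch discussed in it: a small audit that lists, per jail, which per-filesystem allow.mount.* permissions are set and whether they can take effect (per jail(8) they apply only together with allow.mount and an enforce_statfs value lower than 2). The function name is hypothetical and the sample lines are constructed in the name=value style printed by `jls -n`.

```shell
#!/bin/sh
# Added example: audit per-filesystem mount permissions of jails.
# Input (stdin): one jail per line, `jls -n` style. Booleans appear as
# "allow.mount" / "allow.nomount" and "allow.mount.tmpfs" / "allow.mount.notmpfs".
# Output: "<name> <status> <fs-list>" where status is
#   effective  per-fs flags set, allow.mount set and enforce_statfs < 2
#   inert      per-fs flags set but one of the two preconditions is missing
#   none       no per-fs mount flag enabled

audit_jail_mounts() {
    awk '
    {
        name = "?"; statfs = 2; mount = 0; fs = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) {
                name = substr($i, 6)
            } else if ($i ~ /^enforce_statfs=/) {
                statfs = substr($i, 16) + 0
            } else if ($i == "allow.mount") {
                mount = 1
            } else if ($i ~ /^allow\.mount\./ && $i !~ /^allow\.mount\.no/) {
                # enabled per-filesystem flag, e.g. allow.mount.tmpfs
                fs = fs (fs == "" ? "" : ",") substr($i, 13)
            }
        }
        if (fs == "")                  { print name, "none", "-" }
        else if (mount && statfs < 2)  { print name, "effective", fs }
        else                           { print name, "inert", fs }
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='jid=1 name=debian path=/home/jails/debian enforce_statfs=1 allow.mount allow.mount.nodevfs allow.mount.procfs allow.mount.tmpfs
jid=2 name=www path=/home/jails/www enforce_statfs=2 allow.mount allow.mount.tmpfs
jid=3 name=db path=/home/jails/db enforce_statfs=2 allow.nomount allow.mount.notmpfs'

printf '%s\n' "$SAMPLE" | audit_jail_mounts
```

On a live host the same function can be fed with `jls -n | audit_jail_mounts`.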
Re: pkg install fails in jail with v 1.8.7
On Mon, Aug 22, 2016 at 02:46:21PM -0400, Thomas Thompson wrote:
> Hello,
>
> I've run into an odd problem with pkg v 1.8.7 and jails on a FreeBSD 9.3
> server. I'm getting the same error as described in this thread from the
> forums: https://forums.freebsd.org/threads/56490/ where package installs
> fail and report two errors (snipped from jail install logs):
>
> > pkg: dup2(rootfd): Invalid argument
> > pkg: Fail to create /usr: Bad file descriptor
>
> It's not an FS issue as far as I can tell (fsck returns clean), and it goes
> away if I lock the pkg version in the ezjail.current file before doing
> updates and installing new packages:
>
> > pkg lock -y pkg
>
> pkg 1.8.7 works fine on another server, and my google-fu isn't finding
> anything obvious. Any help / pointers here would be greatly appreciated.
> For reference / on the server is ufs.

I have replied on the forum.

Short version: running a 9.3 binary that uses things (discovered at build time) only available on 9.3 and not on 9.1.

The fix: either upgrade your system or build your own set of packages on 9.1.

Best regards,
Bapt
Debugging jails in dying state
Hi,

Is there a way to debug/trace what a jail is doing in dying state?

I have a couple of jails that take very long in dying state even after all processes and TCP connections are dead. I can't find a way to figure out what it is waiting for. Any clue?

By very long I mean up to 20min!

Best regards,
Bapt
Re: [call for testing] kmod-devctl-jail
On Fri, Jun 07, 2019 at 02:46:42AM +0200, Fabian Freyer wrote:
> Hi all,
>
> I'd like to call for testing of the kernel module kmod-devctl-jail [1],
> which adds devctl(4) support for jail state changes. The aim is to provide
> some logging and/or auditing support as well as providing jail managers with
> a way to get notified of jail state changes.
>
> I'm not yet clear as to whether this is something that could/should get
> upstreamed into base, or should better live in ports.
>
> Please CC me when replying to this, as I am not subscribed to freebsd-jail@.
>
> Thanks,
> Fabian
>
> [1] https://github.com/fubarnetes/kmod_devctl_jail.git

At a quick glance it clearly sounds like something that should be added to the official source tree. It does not sound like something that will evolve a lot and needs to be updated on a regular basis, meaning once it is in, so it should be fine.

Best regards,
Bapt