I'm finding a systemic problem with VIMAGE jails in comparison to regular jails 
in FreeBSD-8.1.

All of the following sysctls appear to correctly affect regular jails (either 
created via /etc/rc.d/jail or manually via jail(8)):

        security.jail.mount_allowed
        security.jail.chflags_allowed
        security.jail.allow_raw_sockets
        security.jail.sysvipc_allowed
        security.jail.socket_unixiproute_only
        security.jail.set_hostname_allowed
        security.jail.jail_max_af_ips

Indeed, when interrogated within the jail, they show the value that was 
inherited from the underlying host at jail startup.

However, none of the above sysctls appear to be inherited by vnet jails.

These would be jails that are created with the "jail -c vnet ..." syntax of 
jail(8) with VIMAGE enabled in the kernel.

Interrogating any of the above sysctls from within a vnet jail always produces 
the following default values, regardless of what you set the host values to and 
regardless of how many times you bounce the vimage:

        vnettest# sysctl security.jail | grep -v param
        security.jail.enforce_statfs: 1
        security.jail.mount_allowed: 1
        security.jail.chflags_allowed: 0
        security.jail.allow_raw_sockets: 0
        security.jail.sysvipc_allowed: 0
        security.jail.socket_unixiproute_only: 1
        security.jail.set_hostname_allowed: 1
        security.jail.jail_max_af_ips: 255
        security.jail.jailed: 1

Any ideas are welcome.

I think I'm going to go delve into the jail(8) code now, because I've slogged 
all through the kernel and can't find anything in the kernel that passes these 
values from host to jail (it must be jail(8) that's doing this functionality).
-- 
Devin

NOTE: This comes on the back of trying to get nfsd running within a vimage 
jail. I suspect that the inability to change one or more of the above 
sysctls is the reason why we can't get nfsd to fire up. Firing up nfsd 
within a vimage jail produces no results (no error status, no error text, no 
log entries, nada, zip, zilch, nothing). rpcbind runs, mountd runs, but nfsd 
refuses for some reason.
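An added check, not part of the original post: it parses two captured `sysctl security.jail` outputs (constructed samples below, one from the host and one from a vnet jail) and reports every knob whose jail value differs from the host value, so a hardening setting that silently failed to reach the jail shows up in an audit. It assumes the two outputs were captured separately (for example on the host and via jexec inside the jail) and pasted or piped in; the script itself never calls sysctl.

```shell
#!/bin/sh
# Constructed sample: host output where the admin has hardened
# mount_allowed and set_hostname_allowed to 0.
HOST_SYSCTL='security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255'

# Constructed sample: the same query from inside a vnet jail, showing the
# built-in defaults instead of the host values (the symptom reported above).
JAIL_SYSCTL='security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255'

# The knobs the report expects to be inherited from the host.
CHECKED_KEYS='security.jail.mount_allowed security.jail.chflags_allowed
security.jail.allow_raw_sockets security.jail.sysvipc_allowed
security.jail.socket_unixiproute_only security.jail.set_hostname_allowed
security.jail.jail_max_af_ips'

# lookup KEY OUTPUT: print the value of KEY in OUTPUT ("key: value" lines),
# or nothing if the key is absent.
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2 }'
}

# compare_sysctls HOST_OUTPUT JAIL_OUTPUT: print one "key host=X jail=Y" line
# per checked key whose values differ; return 0 only if nothing differs.
compare_sysctls() {
    mismatches=0
    for key in $CHECKED_KEYS; do
        h=$(lookup "$key" "$1")
        j=$(lookup "$key" "$2")
        if [ "$h" != "$j" ]; then
            printf '%s host=%s jail=%s\n' "$key" "$h" "$j"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Stand-alone run over the embedded samples.
compare_sysctls "$HOST_SYSCTL" "$JAIL_SYSCTL" || echo "vnet jail did not inherit host values"
```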

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail