On Mon, Feb 25, 2013 at 6:42 PM, Teske, Devin <devin.te...@fisglobal.com> wrote:

> My vimage package, available here:
>
> http://druidbsd.sourceforge.net/download.shtml#vimage
>
> ...has a solution around that and you can read about it here:
>
> http://druidbsd.cvs.sourceforge.net/viewvc/druidbsd/pkgbase/freebsd/RELENG_8_3/sysutils/vimage/src/rc.conf.d/vimage?revision=1.1&view=markup

Interesting!

> Network scripts, ipfw, and other "nojail" services are started fine with
> my setup.
>
> Note that in my notes, we have a PR for adding a sysctl MIB
> (security.jail.vnet) for distinguishing vnet jails from non-vnet jails
> (from within the jail):
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/149050
>
> I think this is the best approach long-term. In essence, ultimately teach
> rcorder(8) about the difference between a jail and a vnet jail.

I agree.

However, I still don't get the purpose of the security.jail.param.* sysctls. Are they to be set in loader.conf/sysctl.conf to influence the default config of jails, or are they supposed to be per-jail (from inside the jail) carriers of config? The PR seems to indicate it's not really clear.

Also, man jail says:

"The current set of available parameters can be retrieved via ``sysctl -d security.jail.param''. Any parameters not set will be given default values, often based on the current environment. The core parameters are:"

and then lists some. For example jid. I take that to mean that the value of security.jail.param.jid from inside the jail should return the jid of the jail. I just get 0. And security.jail.param.path is 1024, which is not at all the path of the jail... There seems to be quite a discrepancy between the manpage and the implementation.

As another note: running named in a jail prohibits the use of chrooted named, as the named rc script takes "jail" to mean "cannot mount stuff", regardless of the settings of allow.mount and allow.mount.devfs.

Perhaps another PR or two is needed ;)

Best regards
Andreas

> --
> Devin
>
> ________________________________________
> From: owner-freebsd-j...@freebsd.org [owner-freebsd-j...@freebsd.org] on
> behalf of Andreas Nilsson [andrn...@gmail.com]
> Sent: Monday, February 25, 2013 8:55 AM
> To: Mailinglists FreeBSD
> Subject: vnet jails and rc-scripts
>
> Hello,
>
> while trying to set up a couple of vnet jails I ran into some problems:
>
> 1. The networking scripts are not run.
>
> 2. The firewall script (ipfw) is not run.
>
> Both are skipped since they have the nojail keyword. Is the only solution
> to remove that keyword to get them running from rc in a jail?
>
> With vnet jails it seems that a lot of network-related scripts should be
> allowed to run. Is there any work being done to address this?
>
> Also, what is the sysctl security.jail.param.vnet supposed to tell me?
> Running it on the host gives 0
> Running it in a vnet jail gives 0
> Running it in a normal jail gives 0
> which to me seems counter-intuitive, as I would have expected it to be 1 in
> the vnet jail.
>
> Best regards
> Andreas
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
>
> _____________
> The information contained in this message is proprietary and/or
> confidential. If you are not the intended recipient, please: (i) delete the
> message and all copies; (ii) do not disclose, distribute or use the message
> in any manner; and (iii) notify the sender immediately. In addition, please
> be aware that any message addressed to our domain is subject to archiving
> and review by persons other than the intended recipient. Thank you.

_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
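For the question running through the thread, how rc(8) could tell a vnet jail from a plain one and skip the right rc.d scripts, here is an added example in POSIX sh. It is not code from the thread, from Devin's vimage package or from FreeBSD's own /etc/rc. It models the decision as a function of two sysctls: security.jail.jailed (which does read 1 inside any jail) and security.jail.vnet, the per-jail MIB proposed in conf/149050, assumed here to read 1 only inside a jail that owns its own network stack. The nojailvnet keyword ("skip only in jails without vnet") is likewise an assumption alongside the existing nojail keyword ("skip in every jail"), and the two ipfw script headers are constructed, not copied from any release. One caveat worth keeping next to it: the security.jail.param.* nodes that both mails poke at describe the parameters jail(8) accepts (the 1024 on security.jail.param.path is a maximum path length, not a path) and never report a running jail's values, so they cannot drive this decision.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc(8)/rcorder(8).
# Models which rc.d scripts get skipped in a jail, driven by
#   security.jail.jailed : 1 inside any jail (real sysctl)
#   security.jail.vnet   : 1 only inside a vnet jail (MIB proposed in
#                          conf/149050; assumed here)
# "nojailvnet" is an assumed keyword meaning "skip only in jails WITHOUT vnet";
# "nojail" is the existing keyword meaning "skip in every jail".

# jail_kind JAILED VNET -> host | jail | vnetjail
jail_kind() {
    case "${1:-0}:${2:-0}" in
        1:1) echo vnetjail ;;
        1:*) echo jail ;;
        *)   echo host ;;
    esac
}

# rcorder_skip_args JAILED VNET -> the "-s KEYWORD" options rc(8) would hand to rcorder(8)
rcorder_skip_args() {
    case "$(jail_kind "$1" "$2")" in
        host)     echo "" ;;
        vnetjail) echo "-s nojail" ;;                # has its own stack: network scripts may run
        jail)     echo "-s nojail -s nojailvnet" ;;  # shares the host stack: skip them too
    esac
}

# rc_keywords: read an rc.d script on stdin, print the words after "# KEYWORD:"
rc_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p'
}

# script_skipped "KEYWORDS" JAILED VNET -> exit 0 if rcorder would drop the script
script_skipped() {
    skip=$(rcorder_skip_args "$2" "$3")
    for kw in $1; do
        case " $skip " in
            *" -s $kw "*) return 0 ;;
        esac
    done
    return 1
}

# read_sysctl MIB -> its value, or 0 when the MIB does not exist
# (pre-vnet kernel, or a non-FreeBSD box); use this on a live system
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo 0
}

# Constructed sample headers (not copied from any release): an 8.3-style ipfw
# script carrying "nojail", and the same script with the assumed "nojailvnet".
IPFW_NOJAIL='#!/bin/sh
# PROVIDE: ipfw
# KEYWORD: nojail'
IPFW_NOJAILVNET='#!/bin/sh
# PROVIDE: ipfw
# KEYWORD: nojailvnet'

# demo: run both constructed scripts through the decision for each environment
demo() {
    for env in "0 0 host" "1 0 jail" "1 1 vnetjail"; do
        set -- $env
        kw_old=$(printf '%s\n' "$IPFW_NOJAIL" | rc_keywords)
        kw_new=$(printf '%s\n' "$IPFW_NOJAILVNET" | rc_keywords)
        if script_skipped "$kw_old" "$1" "$2"; then old=skipped; else old=run; fi
        if script_skipped "$kw_new" "$1" "$2"; then new=skipped; else new=run; fi
        printf '%-9s nojail:%-8s nojailvnet:%s\n' "$3" "$old" "$new"
    done
}

demo

# On a real FreeBSD host or jail, the same check against the live script and sysctls:
#   script_skipped "$(rc_keywords < /etc/rc.d/ipfw)" \
#       "$(read_sysctl security.jail.jailed)" "$(read_sysctl security.jail.vnet)"
```

The demo reproduces the complaint in the original mail: a script tagged nojail is dropped in a vnet jail exactly as in a plain jail, and only a keyword that distinguishes the two lets ipfw and the network scripts start in the vnet jail while still staying off in a jail that shares the host's stack.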