I too have no idea what "security.jail.param.*" is for (that's different than 
the proposed "security.jail.vnet").
--
Devin


________________________________
From: Andreas Nilsson [[email protected]]
Sent: Tuesday, February 26, 2013 12:56 AM
To: Teske, Devin
Cc: Mailinglists FreeBSD
Subject: Re: vnet jails and rc-scripts




On Mon, Feb 25, 2013 at 6:42 PM, Teske, Devin <[email protected]> wrote:
My vimage package, available here:

http://druidbsd.sourceforge.net/download.shtml#vimage

...has a solution around that and you can read about it here:

http://druidbsd.cvs.sourceforge.net/viewvc/druidbsd/pkgbase/freebsd/RELENG_8_3/sysutils/vimage/src/rc.conf.d/vimage?revision=1.1&view=markup

Interesting!

Network scripts, ipfw, and other "nojail" services are started fine with my 
setup.

Note that in my notes, we have a PR for adding a sysctl MIB 
(security.jail.vnet) for distinguishing vnet jails from non-vnet jails (from 
within the jail):

http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/149050

I think this is the best approach long-term. In essence, ultimately teach 
rcorder(8) about the difference between a jail and a vnet jail.

I agree.

However, I still don't get the purpose of the security.jail.param.*. Are they to 
be set in loader.conf/sysctl.conf to influence the default config of jails, or are 
they supposed to be per-jail (from inside the jail) carriers of config? The PR 
seems to indicate it's not really clear.

Also, man jail says:
"The current set of available parameters can be
     retrieved via ``sysctl -d security.jail.param''.  Any parameters not set
     will be given default values, often based on the current environment.
     The core parameters are:
"
and then lists some, for example jid. I take that to mean that the value of 
security.jail.param.jid from inside the jail should return the jid of the jail. I 
just get 0. And security.jail.param.path is 1024, which is not at all the path 
of the jail... There seems to be quite a discrepancy between the man page and the 
implementation.

As another note: running named in a jail prohibits the use of chrooted named, 
as the named rc-script takes jail to mean "cannot mount stuff", regardless of the 
settings of allow.mount and allow.mount.devfs.

Perhaps another PR or two is needed ;)

Best regards
Andreas


--
Devin

________________________________________
From: [email protected] [[email protected]] on 
behalf of Andreas Nilsson [[email protected]]
Sent: Monday, February 25, 2013 8:55 AM
To: Mailinglists FreeBSD
Subject: vnet jails and rc-scripts

Hello,

while trying to set up a couple of vnet jails I ran into some problems:

1. The networking scripts are not run.

2. The firewall script ( ipfw ) is not run.

Both are skipped since they have the nojail keyword. Is the only solution
to remove that keyword to get them running from rc in a jail?

With vnet jails it seems that a lot of network-related scripts should be
allowed to run. Is there any work being done to address this?

Also, what is the sysctl security.jail.param.vnet supposed to tell me?
Running it on the host gives 0
Running it in vnet jail gives 0
Running it in normal jail gives 0
which to me seems counterintuitive, as I would have expected it to be 1 in
the vnet jail.

Best regards
Andreas
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[email protected]"
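The nojail skipping discussed in the thread, as an added example that is not from the thread or from FreeBSD's own /etc/rc: a POSIX sh emulation of how rc(8) builds the keyword skip list it hands to rcorder(8) -s from security.jail.jailed and the proposed security.jail.vnet, then applies that list to the "# KEYWORD:" lines of constructed stand-in rc scripts. The sysctl values are passed in as arguments rather than read from a live kernel, the function names are hypothetical, and the nojailvnet keyword is, to my knowledge, the name later FreeBSD releases adopted for scripts a vnet jail may run; the thread itself only has the sysctl as a PR proposal.

```shell
#!/bin/sh
# Added example, not FreeBSD's /etc/rc: emulate the keyword skip list rc(8)
# hands to rcorder(8) -s, with the sysctl values supplied as arguments.

# $1 = security.jail.jailed, $2 = security.jail.vnet (0/1, assumed values).
# Prints the rcorder keywords that must be skipped in that environment.
jail_skip_keywords() {
    skip="nostart"
    if [ "$1" -eq 1 ]; then
        skip="$skip nojail"
        # A vnet jail owns its own network stack; only a plain jail also
        # skips scripts that merely need one (assumed keyword: nojailvnet).
        if [ "$2" -ne 1 ]; then
            skip="$skip nojailvnet"
        fi
    fi
    echo "$skip"
}

# Keywords declared by an rc script on its "# KEYWORD:" line.
script_keywords() {
    sed -n 's/^# KEYWORD:[[:space:]]*//p' "$1"
}

# Print the scripts in directory $2 that carry none of the keywords in $1.
select_scripts() {
    skip=$1
    for f in "$2"/*; do
        ok=1
        for kw in $(script_keywords "$f"); do
            for s in $skip; do
                [ "$kw" = "$s" ] && ok=0
            done
        done
        [ "$ok" -eq 1 ] && basename "$f"
    done
    return 0
}

# Constructed stand-ins for /etc/rc.d scripts (keywords chosen for the demo;
# the thread reports netif and ipfw both carried "nojail" at the time).
RCD=$(mktemp -d)
trap 'rm -rf "$RCD"' EXIT
printf '#!/bin/sh\n# KEYWORD: nojail\n' > "$RCD/netif"
printf '#!/bin/sh\n# KEYWORD: nojailvnet\n' > "$RCD/ipfw"
printf '#!/bin/sh\n# KEYWORD: nojail shutdown\n' > "$RCD/named"
printf '#!/bin/sh\n# KEYWORD: shutdown\n' > "$RCD/sshd"
```

Run `select_scripts "$(jail_skip_keywords 1 1)" "$RCD"` to list the stand-ins a vnet jail would start; with the plain-jail list (1 0) only sshd survives, which is the situation the original post describes.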

_____________
The information contained in this message is proprietary and/or confidential. 
If you are not the intended recipient, please: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately. In addition, please be aware that any 
message addressed to our domain is subject to archiving and review by persons 
other than the intended recipient. Thank you.
