Re: children of ezjail managed jails

2021-03-21 Thread Ruben van Staveren via freebsd-jail
Hi Axel,

You mean nested jails?

I’m not sure what your use case is, but it is no longer possible to give ip 
addresses to those.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231773#c6 


Before that change I used to have ezjails managed inside ezjails. I did not 
try the VIMAGE approach though.

Best regards,
Ruben

> On 18 Mar 2021, at 11:27, Axel Rau wrote:
> 
> Hi all,
> 
> is it possible to create children of jails, managed by ezjail, which are also 
> managed by ezjail?
> Can the basejail of the parent be used for that?
> Can I just set children.max and ezjail_jaildir ?
> 
> I just need the children to install different versions of some packages.
> I did not succeed with pkg install -r because of missing environment for pkg.
> 
> All help appreciated,
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
> 



Re: fdescfs patch for working hierarchical jails

2014-09-27 Thread Ruben van Staveren
Hi James, others,

On 26 Sep 2014, at 21:28, James Gritton ja...@gritton.org wrote:

 On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
 Hi,
 
 Could a committer have a look at 
 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
 
 This enables fdescfs in hierarchical jails, would be nice to have this for 
 10.1
 
 Thanks!
 
 Best Regards,
 Ruben van Staveren
 
 This would have to go into current first, and then MFC.  Considering
 10.1 is getting close to release, I suspect it wouldn't be allowed in.

I agree, probably better to do it that way indeed.

 Also, I'm not sure I'd want to implement this in quite the proposed
 way: it might suffice (from a security viewpoint) to use the existing
 allow.mount.devfs for mounting fdescfs.

Wouldn’t that be misleading? It would be better to mop up the various 
pseudofses under the moniker allow.mount.pseudofs.



 
 - Jamie

- Ruben



fdescfs patch for working hierarchical jails

2014-09-25 Thread Ruben van Staveren
Hi,

Could a committer have a look at 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ? 

This enables fdescfs in hierarchical jails, would be nice to have this for 10.1

Thanks!

Best Regards,
Ruben van Staveren



Re: mounting fdescfs in a nested/hierarchical jail?

2014-08-21 Thread Ruben van Staveren
Hi Jamie, others,


On 21 Aug 2014, at 4:54, James Gritton ja...@gritton.org wrote:

 On 8/18/2014 6:26 AM, Ruben van Staveren wrote:
 Hi list,
 
 I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using 
 ezjail again to set up a nested jail. My goal is to eventually have my jails 
 use these nested jails as containers for certain services.
 
 However, I am not able to mount a nested fdescfs. When I leave out fdesc, 
 the nested jail starts up just fine.
 
 There is no allow.mount.fdescfs. Do we need one?
 
 Cheers,
  Ruben
 
 That's probably the answer.  It seems a little inelegant to have this 
 proliferation of pseudo-fs type allowances, but it's the direction we've gone.

Ok, I’ve written a little patch for that. Seems to work on r268794

http://pastebin.com/5t9zEzkV

I am not sure about the consequences of having this permission.

Best Regards,
Ruben






Re: FreeBSD 10 + unbound + jail == nothing resolves

2014-08-14 Thread Ruben van Staveren

Marc,

can you try to disable DNSSEC? 

http://www.unbound.net/documentation/howto_turnoff_dnssec.html

(and add val-log-level: 2)

It might be that your upstream nameserver botches the DNSSEC reply. To keep DNSSEC, 
uncomment the inclusion of the generated forwarder configuration and have unbound 
query the root nameservers itself.

Cheers,
Ruben
 

On 14 Aug 2014, at 8:48, Marc Fournier scra...@hub.org wrote:

 
 Before I give up and just install bind (which I’d really like to avoid doing, 
 but it did work out of the box) … has anyone gotten this to run?
 
 I’ve searched Google, and can find next to nothing … but I have to be 
 missing something obvious, else I would expect to find loads … or nobody is 
 actually doing this …
 
 I tried the simple: 
 
 add local_unbound_enable="YES" to rc.conf
 start up the service
 
 it modifies my /etc/resolv.conf, starts  up, but when I try to ‘drill’ a 
 domain, I get nothing back … checked /var/log/messages, only thing I see is 
 what appears to be the start up:
 
 Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 0: validator
 Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 1: iterator
 
 
 I’ve even tried running from the command line with ‘-d -vv’, and all I get is:
 
 /var/unbound # /usr/sbin/unbound -c/var/unbound/unbound.conf -d -vv
 [1407997717] unbound[45554:0] notice: Start of unbound 1.4.20.
 [1407997717] unbound[45554:0] debug: switching log to syslog
 
 I have it running on the host server, and it responded perfectly well … I’ve 
 tried changing the ‘nameserver’ setting in /etc/resolv.conf to be the IP of 
 the jail, vs localhost … as well as setting ‘interfaces’ in 
 /var/unbound/unbound.conf … no difference …
 
 Help?
 
 
 
 ___
 freebsd-jail@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-jail
 To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
 




Re: can jail use 2 NICS?

2008-11-21 Thread Ruben van Staveren

Hi,

On 21 Nov 2008, at 21:23, Ruslan Ermilov wrote:


Hi,

Have been traveling, hence long no reply...

On Sun, Nov 16, 2008 at 02:10:35PM +, Bjoern A. Zeeb wrote:

So the basic idea could be to only have
jail_name_ip=
jail_name_ip6=

and each of them would have a format like:

  [iface|]address[/prefix]


I'd suggest [iface:] instead.


This will get a bit ambiguous when IPv6 addresses are used...


where iface and prefix are optional and prefix only makes sense if
iface is given?

If iface is given it means configure the address with prefix to the
given interface; if prefix is not given the default would be /32 for
ipv4 and /128 for ipv6.


Yes, and I prefer the prefix notation above the subnet mask one.
Related, I still need to look at ifconfig canonicalizing stuff like  
2001:888:1029::192.168.1.129 before operating on the interface  
structure.


This helps in ifconfig delete iface 2001:888:1029::192.168.1.129
currently this does not work because on ifconfig up the value is  
converted to 2001:888:1029::c0a8:181



So now this would give really long and complicated lines in rc.conf.
Do you think we could have something like the _aliasN for interface
addresses so that it would be like:

jail_name_ip=   # default
jail_name_ip_multi0=# second IP of the jail
jail_name_ip_multi1=# third IP of the jail
jail_name_ip_multi2=# 4th IP of the jail

and similar for IPv6?

(multi might not be the best suffix)

Something along those lines?


From a user's point of view, it will make a messy configuration. It 
might be preferable then to have something in the order of


jail name {
 iface iface
 prefix pfxlen
 addr [iface] addr1[/pfxlen]
 addr [iface] addr1[/pfxlen]
 ...
}

For Bjoern: I think something like this in an /etc/jail.conf will mark 
a clear separation between rc.conf and jail management?




Ruslan, what do you think about something like that? We could have
that for HEAD and 7 just now and add the _multiN support with the
multi-IP jail patches? Could you and Ruben work together to build
this?


I think this is a good idea.  My workaround with routes
I mentioned doesn't actually work, so currently we use
a version from HEAD on our production servers, and the
modified version of ezjail port that supports netmasks.


The route thing, is that the setfib configuration from HEAD?



Cheers,
--
Ruslan Ermilov
[EMAIL PROTECTED]
FreeBSD committer


Regards,
Ruben
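Added example, not code from this thread, from ezjail or from /etc/rc.d/jail: a POSIX sh function that parses the `[iface|]address[/prefix]` entries proposed above, applies the defaults discussed (/32 for IPv4, /128 for IPv6) and prints the ifconfig alias/-alias commands an rc.d loop would run for a whitespace-separated `jail_<name>_ip` value. The function names, the use of `|` as the interface separator (`:` was objected to above as ambiguous with IPv6 literals) and the sample interfaces and addresses are assumptions of the example; nothing is applied to a real interface.

```shell
#!/bin/sh
# Added example, not code from the thread or from /etc/rc.d/jail.
# Parses the proposed  jail_<name>_ip="[iface|]address[/prefix] ..."  syntax
# with the defaults discussed above (/32 for IPv4, /128 for IPv6) and prints
# the ifconfig commands an rc.d loop would run. "|" is used as the interface
# separator because ":" is ambiguous with IPv6 literals. Commands are only
# printed, never executed.

# jail_addr_to_ifconfig ENTRY [DEFAULT_IFACE] [add|remove]
# Prints one ifconfig line. Returns 1 (and prints nothing) when no interface
# is known: such an address goes to jail(8) only, not to an interface alias.
jail_addr_to_ifconfig() {
    _entry=$1
    _default_iface=$2
    _action=${3:-add}

    # optional "iface|" prefix
    case $_entry in
        *"|"*) _iface=${_entry%%|*}; _rest=${_entry#*|} ;;
        *)     _iface=$_default_iface; _rest=$_entry ;;
    esac

    # optional "/prefix" suffix
    case $_rest in
        */*) _addr=${_rest%/*}; _prefix=${_rest##*/} ;;
        *)   _addr=$_rest; _prefix= ;;
    esac

    # IPv6 literals always contain a colon; IPv4 dotted quads never do
    # (so 2001:888:1029::10.1.1.1 from the thread is classified as inet6).
    case $_addr in
        *:*) _family=inet6; : "${_prefix:=128}" ;;
        *)   _family=inet;  : "${_prefix:=32}" ;;
    esac

    [ -n "$_iface" ] || return 1

    if [ "$_action" = remove ]; then
        # removal names the address only; the prefix is not needed
        printf 'ifconfig %s %s %s -alias\n' "$_iface" "$_family" "$_addr"
    else
        printf 'ifconfig %s %s %s/%s alias\n' "$_iface" "$_family" "$_addr" "$_prefix"
    fi
}

# jail_ips_to_ifconfig "LIST" [DEFAULT_IFACE] [add|remove]
# Walks a whitespace-separated value the way the rc.d for-loop does.
jail_ips_to_ifconfig() {
    _list=$1
    _dflt=$2
    _act=${3:-add}
    for _e in $_list; do
        jail_addr_to_ifconfig "$_e" "$_dflt" "$_act" || :
    done
}

# Constructed sample value; the interfaces and addresses are made up.
sample_ips="em0|10.0.0.5 bge0|10.0.1.0/24 2001:db8::10 lo1|2001:db8:1::1/64"

echo "# start"
jail_ips_to_ifconfig "$sample_ips" em0 add
echo "# stop"
jail_ips_to_ifconfig "$sample_ips" em0 remove
```

Entries without an interface and without a default are skipped on purpose: in the proposal they are addresses for jail(8) alone. Whether a per-address prefix other than /32 or /128 should also be passed to jail(8) is left open here, as it was in the thread.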



Re: new set of multi-IPv4/v6/noIP jail patches

2008-06-20 Thread Ruben van Staveren


Maybe I'm stupid, but I can't figure out the syntax in rc.conf for 
multiple IPs.



You might try this patch against /etc/rc.d/jail to help starting 
multi-IPv4/v6/no-IP jails.


Just the 1st iteration

Open issues:

* add support for no-IP jails
* handle IPv6 addresses more cleanly (support notations like 2001:888:1029::10.1.1.1, 2001:888:1029:0:0:0:0:1)


This is because you'll get "address not assigned" errors, as ifconfig 
doesn't seem to make the v6 address canonical. This only happens when 
you stop the jail, btw.


You'll need to stuff the v6 addresses in _ipv6 variables though.


--- /etc/rc.d/jail	2008-06-20 12:48:19.0 +0200
+++ /usr/src/etc/rc.d/jail	2008-02-12 22:08:20.0 +0100
@@ -39,7 +39,6 @@
 	_procdir=${_rootdir}/proc
 	eval _hostname=\\$jail_${_j}_hostname\
 	eval _ip=\\$jail_${_j}_ip\
-	eval _ipv6=\\$jail_${_j}_ipv6\
 	eval _interface=\\${jail_${_j}_interface:-${jail_interface}}\
 	eval _exec=\\$jail_${_j}_exec\
 	eval _exec_start=\\${jail_${_j}_exec_start:-${jail_exec_start}}\
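Review bot: the file header shows this diff is reversed: the `---` side is the edited /etc/rc.d/jail (dated 2008-06-20) and the `+++` side is the stock /usr/src copy (dated 2008-02-12), so the new `eval _ipv6=\\$jail_${_j}_ipv6\` line appears as a removal and the patch cannot be applied to a checkout as-is. Regenerate it with the stock file first (`diff -u /usr/src/etc/rc.d/jail /etc/rc.d/jail`), or tell readers to use `patch -R`.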
@@ -93,7 +92,6 @@
 	debug $_j mount enable: $_mount
 	debug $_j hostname: $_hostname
 	debug $_j ip: $_ip
-	debug $_j ipv6: $_ipv6
 	debug $_j interface: $_interface
 	debug $_j root: $_rootdir
 	debug $_j devdir: $_devdir
@@ -297,12 +295,7 @@
 			continue;
 		fi
 		if [ -n ${_interface} ]; then
-			for __ip in ${_ip}; do
-ifconfig ${_interface} alias ${__ip} netmask 255.255.255.255
-			done
-			for __ipv6 in ${_ipv6}; do
-ifconfig ${_interface} inet6 alias ${__ipv6} prefixlen 128
-			done
+			ifconfig ${_interface} alias ${_ip} netmask 255.255.255.255
 		fi
 		if checkyesno _mount; then
 			info Mounting fstab for jail ${_jail} (${_fstab})
@@ -358,7 +351,7 @@
 		fi
 		_tmp_jail=${_tmp_dir}/jail.$$
 		eval jail ${_flags} -i ${_rootdir} ${_hostname} \
-			$(echo ${_ip} ${_ipv6} | tr ' ' ',') ${_exec_start}  ${_tmp_jail} 21
+			${_ip} ${_exec_start}  ${_tmp_jail} 21
 
 		if [ $? -eq 0 ] ; then
 			_jail_id=$(head -1 ${_tmp_jail})
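Review bot: with both `_ip` and `_ipv6` empty, the command substitution `$(echo ${_ip} ${_ipv6} | tr ' ' ',')` expands to nothing and `${_exec_start}` shifts into the ip-address position of the jail(8) command line. Since no-IP jails are listed as an open issue, this line needs a guard (build the address list in a variable and only emit it when non-empty) before that case can work.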
@@ -380,12 +373,7 @@
 		else
 			jail_umount_fs
 			if [ -n ${_interface} ]; then
-for __ip in ${_ip}; do
-	ifconfig ${_interface} -alias ${_ip}
-done
-for __ipv6 in ${_ipv6}; do
-	ifconfig ${_interface} inet6 ${_ipv6} -alias 
-done
+ifconfig ${_interface} -alias ${_ip}
 			fi
 			echo  cannot start jail \${_jail}\: 
 			tail +2 ${_tmp_jail}
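Review bot: the cleanup loops remove the wrong variable: inside `for __ip in ${_ip}` the body runs `ifconfig ${_interface} -alias ${_ip}`, and inside `for __ipv6 in ${_ipv6}` it runs `ifconfig ${_interface} inet6 ${_ipv6} -alias`, so with more than one address ifconfig receives the whole list on every iteration instead of one address. Use `${__ip}` and `${__ipv6}` in the loop bodies.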
@@ -416,12 +404,7 @@
 echo -n  $_hostname
 			fi
 			if [ -n ${_interface} ]; then
-for __ip in ${_ip}; do
-	ifconfig ${_interface} -alias ${_ip}
-done
-for __ipv6 in ${_ipv6}; do
-	ifconfig ${_interface} inet6 ${_ipv6} -alias
-done
+ifconfig ${_interface} -alias ${_ip}
 			fi
 			rm /var/run/jail_${_jail}.id
 		else
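Review bot: same loop-variable mix-up as in the failure path above: `ifconfig ${_interface} -alias ${_ip}` and `ifconfig ${_interface} inet6 ${_ipv6} -alias` should use `${__ip}` and `${__ipv6}`. This stop path is also where the "address not assigned" errors from the cover note show up, since ifconfig stores the canonical IPv6 text while the rc.conf spelling (e.g. 2001:888:1029::10.1.1.1) is what gets passed to `-alias`; removing by the canonical form, or matching against `ifconfig ${_interface} inet6` output, would make the stop path robust.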




Regards,
Ruben


