Re: running cron jobs setpriority permission denied
Hi,

Thank You!! indeed that helped!

Sami

On Wed, Mar 9, 2022 at 11:03 AM Ronald Klop wrote:

> It sounds similar to this issue.
>
> https://github.com/cbsd/cbsd/issues/437 "default nice 1 prevents cron in jail #437"
>
> Does that help?
>
> Regards,
> Ronald.
>
> *From:* Sami Halabi
> *Date:* Tuesday, 8 March 2022 22:00
> *To:* freebsd-sta...@freebsd.org, FreeBSD Current <freebsd-curr...@freebsd.org>, freebsd-jail@freebsd.org, freebsd-...@freebsd.org, Oleg Ginzburg
> *Subject:* running cron jobs setpriority permission denied
>
> Hi,
>
> I have a jail run by cbsd which has a cronjob like this:
> * * * * * root /usr/local/directadmin/dataskq
>
> I see every minute this error logged in /var/log/messages:
> cron[71002]: setpriority 'root' (daemon): Permission denied
>
> I see in ps xau that it runs but at nobody user
>
> even when logging to the jail I have:
> cron[68825]: setpriority 'root' (daemon): Permission denied
> login[68900]: setpriority 'root' (root): Permission denied
> jexec[69404]: setpriority 'root' (root): Permission denied
>
> # uname -a
> FreeBSD j5.sody.com 12.3-RELEASE-p1 FreeBSD 12.3-RELEASE-p1 GENERIC amd64
>
> what am I missing?
>
> Sami
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert, FreeBSD SysAdmin Expert
> Asterisk Expert

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert, FreeBSD SysAdmin Expert
Asterisk Expert
running cron jobs setpriority permission denied
Hi,

I have a jail run by cbsd which has a cronjob like this:
* * * * * root /usr/local/directadmin/dataskq

I see every minute this error logged in /var/log/messages:
cron[71002]: setpriority 'root' (daemon): Permission denied

I see in ps xau that it runs but at nobody user

even when logging to the jail I have:
cron[68825]: setpriority 'root' (daemon): Permission denied
login[68900]: setpriority 'root' (root): Permission denied
jexec[69404]: setpriority 'root' (root): Permission denied

# uname -a
FreeBSD j5.sody.com 12.3-RELEASE-p1 FreeBSD 12.3-RELEASE-p1 GENERIC amd64

what am I missing?

Sami

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert, FreeBSD SysAdmin Expert
Asterisk Expert
Re: linux debian jail - network problems
Hi,

Thank you for your response..
I wonder if it is really only a netlink problem?
There are few problems in the logs.. I don't know if they are all related only to netlink (prctl immutable for example).. I also saw incompatibilities in socket.c

Btw: I tried to enter the link you sent and it asked for username and password.. it's not a public review?

Sami

On Fri, 25 Feb 2022, 04:18, Zhenlei Huang <zlei.hu...@gmail.com> wrote:

> Hi,
> You can also track the WIP netlink feature,
> https://reviews.freebsd.org/D33975
>
> On Feb 25, 2022, at 4:05 AM, Sami Halabi wrote:
>
> Hi,
> Added Current, maybe will be lucky ;)
>
> Anyone have idea how approach and fix this?
>
> Sami
>
> On Tue, 22 Feb 2022, 23:30, Sami Halabi wrote:
>
>> Hi all,
>> sorry for the cross post but I need help and I'm not sure where it hangs.
>>
>> I create linux jail (debian bullseye) via cbsd.
>> the jail is being populated with the debian userland..
>> so far so good... services running (sshd) and I can login to the jail, I also can update packages and I can install apache httpd and all works fine (apt install or make from src).
>> I also manage to install packages even if their scripts depend on "ip" command that fails:
>> cbsd@j2> ip
>> Cannot open netlink socket: Address family not supported by protocol
>>
>> ifconfig show empty interfaces:
>> cbsd@j2> ifconfig
>> eth0: flags=4163 mtu 1500
>>     ether 00:50:56:0a:b3:a0 (Ethernet)
>>     RX packets 139798314 bytes 12029597009 (11.2 GiB)
>>     RX errors 0 dropped 0 overruns 0 frame 0
>>     TX packets 26879143 bytes 34400160833 (32.0 GiB)
>>     TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> lo0: flags=4169 mtu 16384
>>     loop (Local Loopback)
>>     RX packets 28548 bytes 160312960 (152.8 MiB)
>>     RX errors 0 dropped 0 overruns 0 frame 0
>>     TX packets 28548 bytes 160312960 (152.8 MiB)
>>     TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> I know linux emulation doesn't implement netlink.. so what I do is fake the response by replacing /bin/ip by a bash script that prints the correct IP and fakes some other (needed by packages i Installed):
>> #!/bin/bash
>> if [ "$1" = "-o" ]; then
>>     echo "1: eth0 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
>> elif [ "$1" = "route" ]; then
>>     if [ "$2" = "get" ]; then
>>         echo "8.8.8.8 via 192.168.1.2 dev eth0 src 192.168.1.2 "
>>     else
>>         echo "default via 192.168.1.2 dev eth0"
>>     fi
>> else
>>     echo "1: eth0: mtu 1500 qdisc mq state UP qlen 1000"
>>     echo " inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
>> fi
>>
>> still ifconfig shows no IP... it's time to say it a regular jail and *NOT* VNET.
>>
>> *however* package that pull ips via libraries fail..
>> eg: installed bind916 (name) in the logs I see these errors (relevant only):
>> cbsd@j2> service named start
>> Starting domain name service...: namednamed: prctl(PR_SET_DUMPABLE) failed: Invalid argument
>> cbsd@j2>
>>
>> log file shows:
>> 22-Feb-2022 23:11:58.705 general: notice: BIND 9 is maintained by Internet Systems Consortium,
>> 22-Feb-2022 23:11:58.705 general: notice: Inc. (ISC), a non-profit 501(c)(3) public-benefit
>> 22-Feb-2022 23:11:58.705 general: notice: corporation. Support and training for BIND 9 are
>> 22-Feb-2022 23:11:58.705 general: notice: available at https://www.isc.org/support
>> 22-Feb-2022 23:11:58.705 general: notice:
>> 22-Feb-2022 23:11:58.705 general: info: found 6 CPUs, using 6 worker threads
>> 22-Feb-2022 23:11:58.705 general: info: using 6 UDP listeners per interface
>> 22-Feb-2022 23:11:58.705 general: info: using up to 21000 sockets
>> 22-Feb-2022 23:11:58.715 general: info: loading configuration from '/etc/bind/named.conf'
>> 22-Feb-2022 23:11:58.715 general: info: reading built-in trust anchors from file '/etc/bind/bind.keys'
>> 22-Feb-2022 23:11:58.715 general: info: looking for GeoIP2 databases in '/usr/share/GeoIP'
>> 22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv4 port range: [1024, 65535]
>> 22-Feb-2022 23:11:58.715 general: i
Re: linux debian jail - network problems
Hi,

Added Current, maybe will be lucky ;)

Anyone have idea how approach and fix this?

Sami

On Tue, 22 Feb 2022, 23:30, Sami Halabi wrote:

> Hi all,
> sorry for the cross post but I need help and I'm not sure where it hangs.
>
> I create linux jail (debian bullseye) via cbsd.
> the jail is being populated with the debian userland..
> so far so good... services running (sshd) and I can login to the jail, I also can update packages and I can install apache httpd and all works fine (apt install or make from src).
> I also manage to install packages even if their scripts depend on "ip" command that fails:
> cbsd@j2> ip
> Cannot open netlink socket: Address family not supported by protocol
>
> ifconfig show empty interfaces:
> cbsd@j2> ifconfig
> eth0: flags=4163 mtu 1500
>     ether 00:50:56:0a:b3:a0 (Ethernet)
>     RX packets 139798314 bytes 12029597009 (11.2 GiB)
>     RX errors 0 dropped 0 overruns 0 frame 0
>     TX packets 26879143 bytes 34400160833 (32.0 GiB)
>     TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> lo0: flags=4169 mtu 16384
>     loop (Local Loopback)
>     RX packets 28548 bytes 160312960 (152.8 MiB)
>     RX errors 0 dropped 0 overruns 0 frame 0
>     TX packets 28548 bytes 160312960 (152.8 MiB)
>     TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> I know linux emulation doesn't implement netlink.. so what I do is fake the response by replacing /bin/ip by a bash script that prints the correct IP and fakes some other (needed by packages i Installed):
> #!/bin/bash
> if [ "$1" = "-o" ]; then
>     echo "1: eth0 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
> elif [ "$1" = "route" ]; then
>     if [ "$2" = "get" ]; then
>         echo "8.8.8.8 via 192.168.1.2 dev eth0 src 192.168.1.2 "
>     else
>         echo "default via 192.168.1.2 dev eth0"
>     fi
> else
>     echo "1: eth0: mtu 1500 qdisc mq state UP qlen 1000"
>     echo " inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
> fi
>
> still ifconfig shows no IP... it's time to say it a regular jail and *NOT* VNET.
>
> *however* package that pull ips via libraries fail..
> eg: installed bind916 (name) in the logs I see these errors (relevant only):
> cbsd@j2> service named start
> Starting domain name service...: namednamed: prctl(PR_SET_DUMPABLE) failed: Invalid argument
> cbsd@j2>
>
> log file shows:
> 22-Feb-2022 23:11:58.705 general: notice: BIND 9 is maintained by Internet Systems Consortium,
> 22-Feb-2022 23:11:58.705 general: notice: Inc. (ISC), a non-profit 501(c)(3) public-benefit
> 22-Feb-2022 23:11:58.705 general: notice: corporation. Support and training for BIND 9 are
> 22-Feb-2022 23:11:58.705 general: notice: available at https://www.isc.org/support
> 22-Feb-2022 23:11:58.705 general: notice:
> 22-Feb-2022 23:11:58.705 general: info: found 6 CPUs, using 6 worker threads
> 22-Feb-2022 23:11:58.705 general: info: using 6 UDP listeners per interface
> 22-Feb-2022 23:11:58.705 general: info: using up to 21000 sockets
> 22-Feb-2022 23:11:58.715 general: info: loading configuration from '/etc/bind/named.conf'
> 22-Feb-2022 23:11:58.715 general: info: reading built-in trust anchors from file '/etc/bind/bind.keys'
> 22-Feb-2022 23:11:58.715 general: info: looking for GeoIP2 databases in '/usr/share/GeoIP'
> 22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv4 port range: [1024, 65535]
> 22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv6 port range: [1024, 65535]
> 22-Feb-2022 23:11:58.715 network: info: no IPv6 interfaces found
> 22-Feb-2022 23:11:58.715 general: error: ifiter_getifaddrs.c:79: unexpected error:
> 22-Feb-2022 23:11:58.715 general: error: getting interface addresses: getifaddrs: Address family not supported by protocol
> 22-Feb-2022 23:11:58.715 network: warning: not listening on any interfaces
> *snip*
> *snip*
> 22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
> 22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS) failed: Protocol not available
> 22-Feb-2022 23:11:58.735 general: notice: couldn't add command channel 127.0.0.1#953: permission denied
> 22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
> 22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS) failed: Protocol not available
> 22-Feb-2022 23:11:58.735 general: notice: couldn't add
linux debian jail - network problems
Hi all,
sorry for the cross post but I need help and I'm not sure where it hangs.

I create linux jail (debian bullseye) via cbsd.
the jail is being populated with the debian userland..
so far so good... services running (sshd) and I can login to the jail, I also can update packages and I can install apache httpd and all works fine (apt install or make from src).
I also manage to install packages even if their scripts depend on "ip" command that fails:
cbsd@j2> ip
Cannot open netlink socket: Address family not supported by protocol

ifconfig show empty interfaces:
cbsd@j2> ifconfig
eth0: flags=4163 mtu 1500
    ether 00:50:56:0a:b3:a0 (Ethernet)
    RX packets 139798314 bytes 12029597009 (11.2 GiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 26879143 bytes 34400160833 (32.0 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo0: flags=4169 mtu 16384
    loop (Local Loopback)
    RX packets 28548 bytes 160312960 (152.8 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 28548 bytes 160312960 (152.8 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

I know linux emulation doesn't implement netlink.. so what I do is fake the response by replacing /bin/ip by a bash script that prints the correct IP and fakes some other (needed by packages i Installed):
#!/bin/bash
if [ "$1" = "-o" ]; then
    echo "1: eth0 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
elif [ "$1" = "route" ]; then
    if [ "$2" = "get" ]; then
        echo "8.8.8.8 via 192.168.1.2 dev eth0 src 192.168.1.2 "
    else
        echo "default via 192.168.1.2 dev eth0"
    fi
else
    echo "1: eth0: mtu 1500 qdisc mq state UP qlen 1000"
    echo " inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
fi

still ifconfig shows no IP... it's time to say it a regular jail and *NOT* VNET.

*however* package that pull ips via libraries fail..
eg: installed bind916 (name) in the logs I see these errors (relevant only):
cbsd@j2> service named start
Starting domain name service...: namednamed: prctl(PR_SET_DUMPABLE) failed: Invalid argument
cbsd@j2>

log file shows:
22-Feb-2022 23:11:58.705 general: notice: BIND 9 is maintained by Internet Systems Consortium,
22-Feb-2022 23:11:58.705 general: notice: Inc. (ISC), a non-profit 501(c)(3) public-benefit
22-Feb-2022 23:11:58.705 general: notice: corporation. Support and training for BIND 9 are
22-Feb-2022 23:11:58.705 general: notice: available at https://www.isc.org/support
22-Feb-2022 23:11:58.705 general: notice:
22-Feb-2022 23:11:58.705 general: info: found 6 CPUs, using 6 worker threads
22-Feb-2022 23:11:58.705 general: info: using 6 UDP listeners per interface
22-Feb-2022 23:11:58.705 general: info: using up to 21000 sockets
22-Feb-2022 23:11:58.715 general: info: loading configuration from '/etc/bind/named.conf'
22-Feb-2022 23:11:58.715 general: info: reading built-in trust anchors from file '/etc/bind/bind.keys'
22-Feb-2022 23:11:58.715 general: info: looking for GeoIP2 databases in '/usr/share/GeoIP'
22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Feb-2022 23:11:58.715 network: info: no IPv6 interfaces found
22-Feb-2022 23:11:58.715 general: error: ifiter_getifaddrs.c:79: unexpected error:
22-Feb-2022 23:11:58.715 general: error: getting interface addresses: getifaddrs: Address family not supported by protocol
22-Feb-2022 23:11:58.715 network: warning: not listening on any interfaces
*snip*
*snip*
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.735 general: notice: couldn't add command channel 127.0.0.1#953: permission denied
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.735 general: notice: couldn't add command channel 127.0.0.1#953: permission denied
22-Feb-2022 23:11:58.735 zoneload: info: managed-keys-zone: loaded serial 24
22-Feb-2022 23:11:58.735 zoneload: info: zone 0.in-addr.arpa/IN: loaded serial 1
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(512, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(513, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.745 zoneload: info: zone 255.in-addr.arpa/IN: loaded serial 1
22-Feb-2022 23:11:58.745 zoneload: info: zone j1.royalshells.com/IN: loaded serial 2022022106
22-Feb-2022 23:11:58.745 notify: info: zone
9 netstat in a jail, 12 vs 13
Compile static binary of netstat and copy it to the jail may solve your problem.

Sami

On Thu, 31 Jan 2019, 20:09, Christer Edwards <christer.edwa...@gmail.com> wrote:

> On Thu, Jan 31, 2019 at 9:29 AM Michael W. Lucas <mwlu...@michaelwlucas.com> wrote:
>
> > 12.0 jail on -current host:
> >
> > root@loghost:~ # sockstat -4
> > sockstat: struct xinpgen size mismatch
> > root@loghost:~ # netstat -na -f inet
> > netstat: kvm not available: /dev/mem: No such file or directory
> > Some tcp sockets may have been deleted.
> > Some udp sockets may have been deleted.
>
> I have seen this happen anytime I have run a jail where the version does not exactly match the host. sockstat always fails with 'sockstat: struct xinpgen size mismatch'
>
> Very interested in a solution / patch / workaround myself.
>
> Christer

___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Configuring network without ezjail
hi,

I think you need to configure the ip in the host first, later it'll be seen in the jail.
using RFC 1918 addresses means you need NAT in your router to have access the internet.
rather than that using the term 'routing' is incorrect unless you have multiple hops to get the packets to the router.

Sami

On 13 Dec 2015 6:45 AM, "marcel" wrote:

> On 12/12/2015 02:59, Michael B. Eichorn wrote:
> > On Fri, 2015-12-11 at 21:44 -0500, Michael B. Eichorn wrote:
> >> On Sat, 2015-12-12 at 02:08 +, marcel wrote:
> >>> ... and I think I have enabling gateway, I wrote this in both of my rc.conf (jail and host):
> >>>
> >>> gateway_enable="YES"
> >>>
> >>> Is it correct ?
> >> You only need gateway_enable if you are doing routing, it is not necessary for a typical jail setup. Most of the time you are just adding an alias to the host's nic.
> OK so if I want to my jail can access to internet I have to do routing, right ?
> >>> But I don't think I have DNS problems, my host correctly access to the internet and the resolv.conf of my jail and my host are same...
> >>>
> >>> On 12/12/2015 01:50, marcel wrote:
> >>>> No I don't get to have an IP address... Yet I have written this in my host's rc.conf:
> >>>>
> >>>> jail_enable="YES"
> >>>> jail_list="thename"
> >>>> jail_guantanamo_rootdir="thepath"
> >>>> jail_guantanamo_hostname="thename"
> >>>> jail_guantanamo_ip="192.168.0.12"
> >>>>
> >>>> and I use the command:
> >>>>
> >>>> jail thepath thename 192.168.0.12 /bin/csh
> >>>>
> >>>> to connect to my jail...
> >>>>
> >>>> On 11/12/2015 23:31, Dirk Engling wrote:
> >>>>> On 12.12.15 01:19, marcel wrote:
> >>>>>
> >>>>>> I would like to know if it is possible to configure a jail's network for accessing to the World Wide Web but without ezjail ?
> >>>>>> I have created my jail without ezjail (mkdir jail, make installworld, etc...) and I would like to continue without it if it's possible...
> >>>>> Sure, why doesn't it connect to the net? Does it have a RFC1918 IP? If so, you need to enable NAT. If not, did you enable gatewaying? Maybe you just have DNS problems, so is your resolv.conf set up properly?
> >>>>>
> >>>>> Without knowing what exactly is not working, I can not help you.
> >>>>>
> >>>>> erdgeist
> >> I think you found some old instructions, assuming a 10.x system here is the boilerplate for a typical jail:
> >>
> >> rc.conf:
> >>
> >> jail_enable="YES"
> >>
> >> jail.conf:
> >>
> >> interface = re0;
> >> mount.devfs;
> >> exec.start = "/bin/sh /etc/rc";
> >> exec.stop = "/bin/sh /etc/rc.shutdown";
> >>
> >> thenameofthejail {
> >>     host.hostname = host.domain.tld;
> >>     path = /the/path/to/the/jail;
> >>     ip4.addr = 192.168.0.12;
> >> }
> >>
> >> and start it up with
> >>
> >> # jail -c thenameofthejail
> >>
> >> And another handy tip you can avoid building a jail with make by extracting the base.txz file found in places like the install media into the jail directory
> OK, so my jail.conf look like your jail.conf and when I type jls my jail have the IP 192.168.0.12 but when I type ifconfig in my jail I have no ip...
> > Oh and before I forget, the trickiest thing for me moving from ezjail to jail was updating. Assuming your jails are complete base systems and that you would like to use binary updates with freebsd-update, and you have completely separated jails without any funny tricks to save space, here is Ike's simple jail update guide:
> >
> > edit the jail's freebsd-update.conf and change
> >
> > Components src world kernel
> > -to-
> > Components world
> >
> > then run freebsd-update like so:
> >
> > # freebsd-update -b /usr/jails/jaildir \
> >     -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >     -d /usr/jails/jaildir/var/db/freebsd-update fetch
> > # freebsd-update -b /usr/jails/jaildir \
> >     -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >     -d /usr/jails/jaildir/var/db/freebsd-update install
> >
> > Using the -f flag keeps the jail from using the host config since jails cannot update kernels anyway. And -d keeps jails and hosts from trampling each other which is nice if you want to do more than one at a time, or if you use freebsd-update cron.
> Thanks for tip !
Re: /lib/libc.so.7 unsupported file format
Hi,

is there a simple way to interpret the data in /var/db/freebsd-update that sits inside a jail, from HOST and install the updates that already fetched somehow ?

Sami

On Thu, Oct 10, 2013 at 2:35 PM, Mark Felder f...@freebsd.org wrote:

> On Wed, Oct 9, 2013, at 23:22, Sami Halabi wrote:
> > Hi,
> > i have a box with FreeBSD-9.1-Release-amd64.
> > I did freebsd-update to the host and to the jails in, one of them is 32bit and since then i get:
> > root@6:/root # jexec 1 /bin/csh
> > /lib/libc.so.7: unsupported file layout
> > root@6:/root #
> >
> > i see /lib/libc.so.7 was updated
> > as i read in some forums, i did:
> > root@6:/root # ldconfig /lib /usr/lib /usr/local/lib
> > root@6:/root #
> >
> > I also tried to do freebsd-update from the jail but install failed with chflags problem.
> > I tried freebsd-update with -b and -c to point to the jail freebsd-update i /var by doing fetch in the jail and install from the host.. without success,
> >
> > For now i rolled back the changes.
> >
> > Any hints to workaround this?
>
> I'm not sure that freebsd-update is supported for doing updates of 32bit jails on 64bit hosts. You might have to do the upgrade yourself from source.

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
Re: /lib/libc.so.7 unsupported file format
Hi,

thanks for replying me so fast.

what i meant is:
1. in the jail (32 bit) to do: freebsd-update fetch
# ls /var/db/freebsd-update/
./ ../ f465c3739385890c221dff1a05e578c6cae0d0430e46996d319db7439f884336-install@ filelist files/ install.TggE71/ pub.ssl serverlist serverlist_full serverlist_tried tINDEX.present tag
root@sami:/ #
root@sami:/ # more /var/db/freebsd-update/tag
freebsd-update|i386|9.1-RELEASE|7|b3924864da0e125ff57d2f9894347dbc0e130ae32a0647126d5109dbc099981e|1420070400
root@sami:/ #

2. since inside the jail:
root@sami:/ # freebsd-update install
Installing updates...chflags: ///lib/libc.so.7: Operation not permitted
root@sami:/ #
not working because of chflags (maybe there is a sysctl that will allow a jail to chflags??)
i thought that maybe there is some way to do it from outside the jail.
unfortunately doing simple:
root@6:/root # freebsd-update -b /usr/jails/sami -d /usr/jails/sami/var/db/freebsd-update/ install
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
root@6:/root #

i thought if there is some way to interpret the data and installing using the host (maybe manually somehow...), or even changing the chflags inside the jail to an executable that return success no matter what...

Sami

On Thu, Oct 10, 2013 at 2:55 PM, Mark Felder f...@freebsd.org wrote:

> On Thu, Oct 10, 2013, at 6:48, Sami Halabi wrote:
> > Hi,
> > is there a simple way to interpret the data in /var/db/freebsd-update that sits inside a jail, from HOST and install the updates that already fetched somehow ?
>
> freebsd-update uses binary patches. They are not entire files you could simply replace on your system. As you have witnessed, applying a binary patch intended for a 64bit binary to a 32bit binary has dire consequences. Unfortunately the data in /var/db/freebsd-update is completely worthless for your 32bit jail.

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
Re: /lib/libc.so.7 unsupported file format
Hi,

# sysctl security.jail.param.allow.chflags=1
security.jail.param.allow.chflags: 0 -> 0

the sysctl is not working, maybe it should be set on /boot/loader.conf

what i did is the following:
1. inside the jail
   a. i renamed /bin/chflags to /bin/chflags-old
   b. created /bin/chflags with the following:
      #!/bin/csh -f
      echo sami /dev/null
2. a freebsd-update install in the jail yields installing the updates with errors on /lib/libc.so.7 /usr/bin/login
3. i did freebsd-update rollback
4. in the host i did:
   a. chflags noschg /usr/jails/sami/lib/libc.so.7
   b. chflags noschg /usr/jails/sami/usr/bin/login
5. in the jail i did:
   a. freebsd-update fetch
   b. freebsd-update install
6. in the host i did:
   a. chflags schg /usr/jails/sami/lib/libc.so.7
   b. chflags schg /usr/jails/sami/usr/bin/login
7. inside the jail
   a. removed /bin/chflags
   b. i renamed /bin/chflags-old to /bin/chflags

Worked for me.

Thanks for trying to help me,
Sami

On Thu, Oct 10, 2013 at 3:06 PM, Mark Felder f...@freebsd.org wrote:

> On Thu, Oct 10, 2013, at 7:03, Sami Halabi wrote:
> > Hi,
> > thanks for replying me so fast.
> >
> > what i ment is:
> > 1. in the jail (32 bit) to do: freebsd-update fetch
> > # ls /var/db/freebsd-update/
> > ./ ../ f465c3739385890c221dff1a05e578c6cae0d0430e46996d319db7439f884336-install@ filelist files/ install.TggE71/ pub.ssl serverlist serverlist_full serverlist_tried tINDEX.present tag
> > root@sami:/ #
> > root@sami:/ # more /var/db/freebsd-update/tag
> > freebsd-update|i386|9.1-RELEASE|7|b3924864da0e125ff57d2f9894347dbc0e130ae32a0647126d5109dbc099981e|1420070400
> > root@sami:/ #
> >
> > 2. since inside the jail:
> > root@sami:/ # freebsd-update install
> > Installing updates...chflags: ///lib/libc.so.7: Operation not permitted
> > root@sami:/ #
> > not working because of chflags (maybe there is a sysctl that will allow a jail to chflags??)
> > i thought that maybe there is some way to do it from outside the jail.
> > unfortunattly doing simple:
> > root@6:/root # freebsd-update -b /usr/jails/sami -d /usr/jails/sami/var/db/freebsd-update/ install
> > No updates are available to install.
> > Run '/usr/sbin/freebsd-update fetch' first.
> > root@6:/root #
> >
> > i thought if there is some way to interpret the data and installing using the host (maybe manually somehow...), or even changing the chflags inside the jail to an executable that return success no matter what...
>
> There is a sysctl for chflags: security.jail.param.allow.chflags
> and you can check if you have that access from within the jail via: security.jail.chflags_allowed
>
> I have not tried to do what you're attempting before simply because I've very rarely run 32bit jails on 64bit hosts. Hopefully this gets you in the right direction.

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
/lib/libc.so.7 unsupported file format
Hi,

i have a box with FreeBSD-9.1-Release-amd64.
I did freebsd-update to the host and to the jails in, one of them is 32bit and since then i get:
root@6:/root # jexec 1 /bin/csh
/lib/libc.so.7: unsupported file layout
root@6:/root #

i see /lib/libc.so.7 was updated
as i read in some forums, i did:
root@6:/root # ldconfig /lib /usr/lib /usr/local/lib
root@6:/root #

I also tried to do freebsd-update from the jail but install failed with chflags problem.
I tried freebsd-update with -b and -c to point to the jail freebsd-update i /var by doing fetch in the jail and install from the host.. without success,

For now i rolled back the changes.

Any hints to workaround this?

Thanks in advance,
Sami
Re: how to measure bandwidth per jail
Jnettop has the ability to:
Measure bandwidth/packets in particular interface.
Simply use:
0,1..9 to switch between interfaces.
p to switch between packets/bandwidth
b to measure in bytes/bits

You better define your local ips in the .jnettop file, once that done your measures would be more accurate specially when you aggregate traffic (in local/remote) by ip/protocol...
Additional option is content filter mainly in web traffic.
You can also add custom ips to measure using .jnettop file.

Sami

On Mar 22, 2013 1:05 PM, Nicolas de Bari Embriz Garcia Rojas nb...@inbox.im wrote:

> Hi, I tried jnettop but is something like 'trafshow', I am searching something like vnstat, that could help me measure the rx/tx total consumed bandwidth.
>
> any ideas?
>
> On 03/21/2013 18:48, Sami Halabi wrote:
> > Hi
> > Try jnettop from ports... exactly what your looking at.
> > However its old, so the counters are 32 bit rather than 64 which means its pretty effective on 100mbit links plus its cpu consumer by design
> >
> > Sami
> >
> > On Mar 21, 2013 8:27 PM, Nicolas de Bari Embriz Garcia Rojas nb...@inbox.im wrote:
> > > Hi, one strange behavior I notice (freeBSD 9.1) is that I don't see the Obytes per IP only for the bce0 interface, but I do for the cloned interface lo1:
> > >
> > > here is a link with the output of netstat -ib http://pastebin.com/arrRsM78
> > >
> > > any ideas ?
> > >
> > > regards.
> > >
> > > On 03/21/2013 18:12, Scott Lambert wrote:
> > > > On Thu, Mar 21, 2013 at 01:26:13AM +, Nicolas de Bari Embriz Garcia Rojas wrote:
> > > > > Hi, any tool, idea or method for measuring the bandwidth consumed per jail ? (or by IP)
> > > > >
> > > > > What about using pflow ( pseudo-device pflow) any advice ?
> > > >
> > > > I found a thread about this topic yesterday via Google. It was on the freebsd-...@frebbsd.org mailing list sometime in 2005 if I remember correctly.
> > > >
> > > > They came up with a few options
> > > > netflow,
> > > > counting rules in IPFW/pf/ipf
> > > > netstat -rni ( which gets you packet counts, -rnbi gives you in-bytes and out-bytes)
> > > > bandwidthd (in ports I believe)
> > > >
> > > > I suppose ntop could do similar things.
> > > >
> > > > My favorite option was netstat -rnbi | awk '{print $8,$11}' and feeding that to MRTG. I have not gotten it implemented yet.
> > > >
> > > > One consideration is that on FreeBSD 8 and older, you don't get out traffic per IP address with netstat, as far as I can tell. We're moving to FreeBSD 9 pretty quickly anyway.
Re: how to measure bandwidth per jail
Hi

Try jnettop from ports... exactly what your looking at.
However its old, so the counters are 32 bit rather than 64 which means its pretty effective on 100mbit links plus its cpu consumer by design

Sami

On Mar 21, 2013 8:27 PM, Nicolas de Bari Embriz Garcia Rojas nb...@inbox.im wrote:

> Hi, one strange behavior I notice (freeBSD 9.1) is that I don't see the Obytes per IP only for the bce0 interface, but I do for the cloned interface lo1:
>
> here is a link with the output of netstat -ib http://pastebin.com/arrRsM78
>
> any ideas ?
>
> regards.
>
> On 03/21/2013 18:12, Scott Lambert wrote:
> > On Thu, Mar 21, 2013 at 01:26:13AM +, Nicolas de Bari Embriz Garcia Rojas wrote:
> > > Hi, any tool, idea or method for measuring the bandwidth consumed per jail ? (or by IP)
> > >
> > > What about using pflow ( pseudo-device pflow) any advice ?
> >
> > I found a thread about this topic yesterday via Google. It was on the freebsd-...@frebbsd.org mailing list sometime in 2005 if I remember correctly.
> >
> > They came up with a few options
> > netflow,
> > counting rules in IPFW/pf/ipf
> > netstat -rni ( which gets you packet counts, -rnbi gives you in-bytes and out-bytes)
> > bandwidthd (in ports I believe)
> >
> > I suppose ntop could do similar things.
> >
> > My favorite option was netstat -rnbi | awk '{print $8,$11}' and feeding that to MRTG. I have not gotten it implemented yet.
> >
> > One consideration is that on FreeBSD 8 and older, you don't get out traffic per IP address with netstat, as far as I can tell. We're moving to FreeBSD 9 pretty quickly anyway.
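Added example (not part of any poster's message): the `netstat -rnbi | awk '{print $8,$11}'` idea from this thread, extended to diff two snapshots and sum the byte deltas per jail. The snapshots, addresses, jail names and the `jail_byte_deltas` helper are constructed for illustration, and the 12-column layout is assumed from the field numbers quoted in the thread.

```shell
#!/bin/sh
# Per-jail byte counts from two `netstat -ibn` style snapshots.
# Assumed column layout (the one implied by $8/$11 in the thread):
#   Name Mtu Network Address Ipkts Ierrs Idrop Ibytes Opkts Oerrs Obytes Coll

# Constructed earlier snapshot (not real traffic data).
SNAP_T0='Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
bce0   1500 <Link#1>      00:10:18:aa:bb:cc   900000     0     0  800000000   700000     0  600000000     0
bce0   1500 192.0.2.0/24  192.0.2.10          500000     -     -  400000000   300000     -  200000000     -
bce0   1500 192.0.2.0/24  192.0.2.11          100000     -     -   50000000    90000     -   70000000     -
lo1   16384 <Link#4>                            2000     0     0     300000     2000     0     300000     0
lo1   16384 10.0.0.0/24   10.0.0.5              2000     -     -     300000     2000     -     300000     -'

# Constructed later snapshot; the counters for 192.0.2.11 have restarted.
SNAP_T1='Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
bce0   1500 <Link#1>      00:10:18:aa:bb:cc   900600     0     0  800004000   700200     0  600095000     0
bce0   1500 192.0.2.0/24  192.0.2.10          500010     -     -  400001500   300100     -  200090000     -
bce0   1500 192.0.2.0/24  192.0.2.11              12     -     -       1200       20     -       3400     -
lo1   16384 <Link#4>                            2010     0     0     300700     2010     0     300700     0
lo1   16384 10.0.0.0/24   10.0.0.5              2010     -     -     300700     2010     -     300700     -'

# Constructed "address jailname" map, one pair per line.
JAIL_MAP='192.0.2.10 www
192.0.2.11 mail
10.0.0.5 db'

# jail_byte_deltas EARLIER LATER MAP
# Prints "jail rx_bytes tx_bytes" for the interval, sorted by jail name.
jail_byte_deltas() {
    printf '%s\n=T1=\n%s\n=MAP=\n%s\n' "$1" "$2" "$3" | awk '
        function delta(prev, cur, k) {
            # New address, or counter smaller than before (reset):
            # count from zero instead of reporting a negative value.
            if (!(k in prev) || cur[k] < prev[k]) return cur[k]
            return cur[k] - prev[k]
        }
        BEGIN { phase = 0 }
        $0 == "=T1="  { phase = 1; next }
        $0 == "=MAP=" { phase = 2; next }
        phase == 2    { if (NF == 2) jail[$1] = $2; next }
        # Skip the header, link-layer rows, and any row that is not exactly
        # 12 fields: an empty Address column shifts $8/$11 onto other counters.
        NF != 12 || $1 == "Name" || $3 ~ /^<Link/ { next }
        phase == 0    { in0[$4] = $8 + 0; out0[$4] = $11 + 0; next }
                      { in1[$4] = $8 + 0; out1[$4] = $11 + 0 }
        END {
            for (ip in in1) {
                if (!(ip in jail)) continue   # address not owned by a jail
                j = jail[ip]
                rx[j] += delta(in0, in1, ip)
                tx[j] += delta(out0, out1, ip)
            }
            # %.0f keeps large byte counts out of exponent notation.
            for (j in rx) printf "%s %.0f %.0f\n", j, rx[j], tx[j]
        }' | sort
}

jail_byte_deltas "$SNAP_T0" "$SNAP_T1" "$JAIL_MAP"
```

On a live host the two snapshots would be captured some interval apart and the resulting lines fed to the grapher.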
Re: VNET
Thank you.

I want to use a vnet jail for a specific subnet that I need to separate from the system. So basically I create a vlan + a bridged interface to the public. These two (vlan + bridged interface - epair0a) will be in the vnet jail, so I can do NAT only for that vlan going out. This is the idea, as there are more interfaces in the system and there is only one interface out... so basically it should be a firewall NAT only between the specific LAN and the outside world.

Can this be accomplished another way?

Sami

On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov melif...@freebsd.org wrote:

On 19.06.2012 12:56, Sami Halabi wrote:

Hi, I want to ask about VNET jails. I read somewhere that I'm able to run IPFW, but not the PF firewall, in a vnet jail. Is that correct? I want a vnet jail basically for nat, so natd with ipfw + ipdivert is my

1) You can do nat without vnet.
2) ipfw nat is currently the easiest way to do nat.

choice? Or can I use pf somehow? I never used pf before, so I would like some advice here...

Thanks in advance,

-- WBR, Alexander

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
Re: Succesful patch on several hosts with RELENG_7
I'm joining the compliments... it's been about 2 months now and it's working like a charm also... bz, you're great.. this feature MUST be in the official production fbsd for everyone. Thanks for your efforts.

Sami

On Fri, Oct 24, 2008 at 6:07 PM, Lorenzo Perone [EMAIL PROTECTED] wrote:

Hi,

Just wanted to give my feedback on Your patch bz_jail7-20080920-01-at150161.diff, which I got by reading this list, on http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff

Just patched several RELENG_7 hosts (FreeBSD 7.0-PRERELEASE, last one yesterday), and for the time being, it works like a charm. THANK YOU VERY MUCH for this patch and Your efforts, as this is a very important feature for me and for several others. I hope so much that it will be included into RELENG_7 officially, and/or that You will update it eventually, if necessary.

Kudos, Regards lots of free beer..

Lorenzo
Multiple IPS - Freebsd 7.1
hi everyone,

I saw a lot of messages about this so here it is - I just patched it (took me a day but okay :)

I just downloaded the latest src using this sup file - cvsup:
http://www.royalshells.com/download/freebsd/stable-supfile

# cvsup stable-supfile

I applied the following patch (which I changed to get it to work with the current src):
http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

to patch do:

# cd /usr/src
# patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

after done re-compile the kernel:

# cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
# cp /usr/src/sys/sys/jail.h /usr/include/sys/

clean obj dir:

# rm -Rf /usr/obj/*

compile jail and jls:

# cd /usr/src/usr.sbin/jail/
# make clean && make depend && make install
# cd /usr/src/usr.sbin/jls/
# make clean && make depend && make install

compile the kernel:

# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installworld
# make installkernel KERNCONF=GENERIC
# mergemaster -U

after reboot:

# uname -a
FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30 20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
#

check the patch:

# jail
usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u username | -U username] path hostname [ip[,..]] command ...
#

Enjoy.

Sami
Re: Multiple IPS - Freebsd 7.1
bz, you're right. I've posted that link :)

Sami

On Wed, Oct 1, 2008 at 2:08 PM, Bjoern A. Zeeb [EMAIL PROTECTED] wrote:

On Wed, 1 Oct 2008, Sami Halabi wrote:

Hi,

I applied the following patch (which I changed to get it to work with the current src):
http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

I do not know what the Fixed_By_Sody_1.10.08 part is but it's at least based on a backlevel patch of mine so I hope someone fixed the locking for 7.1-PRE.

I had posted a patch for 7-STABLE (7.1-PRE) last month
http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
so taking that one you could have saved yourself a lot of time I guess.

In case you have changes it would be good to know what you did or what I do not have so we do not have forks, as my version will hit HEAD soon and has changed (also the user space) since July.

/bz

--
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.
Re: Multiple IPS - Freebsd 7.1
hi,

I didn't try it. I just saw a new patch from bz and tried it, now compiling, here it is:
http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff

Sami
royalshells.com, loyalness.com,

On Wed, Oct 1, 2008 at 1:56 PM, Steven Hartland [EMAIL PROTECTED] wrote:

I would dearly like to see this make the 7.1 release, multi IP's in order to support backend interfaces in jails, is something that we hit against all the time.

Regards
Steve

- Original Message -
From: Sami Halabi [EMAIL PROTECTED]
To: freebsd-jail@freebsd.org
Sent: Wednesday, October 01, 2008 12:21 PM
Subject: Multiple IPS - Freebsd 7.1

hi everyone,

I saw a lot of messages about this so here it is - I just patched it (took me a day but okay :)

I just downloaded the latest src using this sup file - cvsup:
http://www.royalshells.com/download/freebsd/stable-supfile

# cvsup stable-supfile

I applied the following patch (which I changed to get it to work with the current src):
http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

to patch do:

# cd /usr/src
# patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

after done re-compile the kernel:

# cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
# cp /usr/src/sys/sys/jail.h /usr/include/sys/

clean obj dir:

# rm -Rf /usr/obj/*

compile jail and jls:

# cd /usr/src/usr.sbin/jail/
# make clean && make depend && make install
# cd /usr/src/usr.sbin/jls/
# make clean && make depend && make install

compile the kernel:

# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installworld
# make installkernel KERNCONF=GENERIC
# mergemaster -U

after reboot:

# uname -a
FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30 20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
#

check the patch:

# jail
usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u username | -U username] path hostname [ip[,..]] command ...
#

Enjoy.

Sami