Re: running cron jobs setpriority permission denied

2022-03-09 Thread Sami Halabi
Hi,
Thank You!! indeed that helped!

Sami

On Wed, Mar 9, 2022 at 11:03 AM Ronald Klop  wrote:

> It sounds similar to this issue.
>
> https://github.com/cbsd/cbsd/issues/437 "default nice 1 prevents cron in
> jail #437"
>
> Does that help?
>
> Regards,
> Ronald.
>
>
>
> *From:* Sami Halabi 
> *Date:* Tuesday, 8 March 2022 22:00
> *To:* freebsd-sta...@freebsd.org, FreeBSD Current <
> freebsd-curr...@freebsd.org>, freebsd-jail@freebsd.org,
> freebsd-...@freebsd.org, Oleg Ginzburg 
> *Subject:* running cron jobs setpriority permission denied
>
> Hi,
>
> I have a jail run by cbsd which has a cronjob like this:
> * * * * * root /usr/local/directadmin/dataskq
>
> I see every minute this error logged in /var/log/messages:
> cron[71002]: setpriority 'root' (daemon): Permission denied
>
> I see in ps xau that it runs but as nobody user
>
> even when logging in to the jail I have:
> cron[68825]: setpriority 'root' (daemon): Permission denied
> login[68900]: setpriority 'root' (root): Permission denied
> jexec[69404]: setpriority 'root' (root): Permission denied
>
> # uname -a
> FreeBSD j5.sody.com 12.3-RELEASE-p1 FreeBSD 12.3-RELEASE-p1 GENERIC  amd64
>
> what am I missing?
>
> Sami
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert, FreeBSD SysAdmin Expert
> Asterisk Expert
>
>

-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert, FreeBSD SysAdmin Expert
Asterisk Expert


running cron jobs setpriority permission denied

2022-03-08 Thread Sami Halabi
Hi,

I have a jail run by cbsd which has a cronjob like this:
* * * * * root /usr/local/directadmin/dataskq

I see every minute this error logged in /var/log/messages:
cron[71002]: setpriority 'root' (daemon): Permission denied

I see in ps xau that it runs but as nobody user

even when logging in to the jail I have:
cron[68825]: setpriority 'root' (daemon): Permission denied
login[68900]: setpriority 'root' (root): Permission denied
jexec[69404]: setpriority 'root' (root): Permission denied

# uname -a
FreeBSD j5.sody.com 12.3-RELEASE-p1 FreeBSD 12.3-RELEASE-p1 GENERIC  amd64

what am I missing?

Sami

-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert, FreeBSD SysAdmin Expert
Asterisk Expert


Re: linux debian jail - network problems

2022-02-24 Thread Sami Halabi
Hi,
Thank you for your response.. I wonder, is it really only a netlink problem?
There are few problems in the logs.. I don't know if they are all related only
to netlink (prctl immutable for example).. I also saw incompatibilities in
socket.c

Btw: I tried to enter the link you sent and it asked for username and
password.. it's not a public review?

Sami

On Fri, 25 Feb 2022, 04:18, Zhenlei Huang <zlei.hu...@gmail.com> wrote:

> Hi,
> You can also track the WIP netlink feature,
> https://reviews.freebsd.org/D33975
>
> On Feb 25, 2022, at 4:05 AM, Sami Halabi  wrote:
>
> Hi,
> Added Current, maybe will be lucky ;)
>
> Anyone have idea how approach and fix this?
>
> Sami
>
> On Tue, 22 Feb 2022, 23:30, Sami Halabi wrote:
>
>> Hi all,
>> sorry for the cross post but I need help and I'm not sure where it hangs.
>>
>> I create linux jail (debian bullseye) via cbsd.
>> the jail is being populated with the debian userland..
>> so far so good... services running (sshd) and I can login to the jail, I
>> also can update packages and I can install apache httpd and all works fine
>> (apt install or make from src).
>> I also manage to install packages even if their scripts depend on "ip"
>> command that fails:
>> cbsd@j2> ip
>> Cannot open netlink socket: Address family not supported by protocol
>>
>> ifconfig show empty interfaces:
>> cbsd@j2> ifconfig
>> eth0: flags=4163  mtu 1500
>> ether 00:50:56:0a:b3:a0  (Ethernet)
>> RX packets 139798314  bytes 12029597009 (11.2 GiB)
>> RX errors 0  dropped 0  overruns 0  frame 0
>> TX packets 26879143  bytes 34400160833 (32.0 GiB)
>> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> lo0: flags=4169  mtu 16384
>> loop  (Local Loopback)
>> RX packets 28548  bytes 160312960 (152.8 MiB)
>> RX errors 0  dropped 0  overruns 0  frame 0
>> TX packets 28548  bytes 160312960 (152.8 MiB)
>> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>>
>> I know linux emulation doesn't implement netlink.. so what I do is fake
>> the response by replacing /bin/ip by a bash script that prints the correct
>> IP and fakes some other (needed by packages i Installed):
>> #!/bin/bash
>> if [ "$1" = "-o" ]; then
>>     echo "1: eth0 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
>> elif [ "$1" = "route" ]; then
>>     if [ "$2" = "get" ]; then
>>         echo "8.8.8.8 via  192.168.1.2   dev eth0  src 192.168.1.2  "
>>     else
>>         echo "default via  192.168.1.2   dev eth0"
>>     fi
>> else
>>     echo "1: eth0:  mtu 1500 qdisc mq state UP qlen 1000"
>>     echo "  inet  192.168.1.2  /24 brd  192.168.1.255 scope global eth0"
>> fi
>>
>>
>> still ifconfig shows no IP... it's time to say it's a regular jail and *NOT*
>> VNET.
>>
>> *however* packages that pull IPs via libraries fail..
>> eg: installed bind916 (name) in the logs I see these errors (relevant
>> only):
>> cbsd@j2> service named start
>> Starting domain name service...: namednamed: prctl(PR_SET_DUMPABLE)
>> failed: Invalid argument
>> cbsd@j2>
>>
>>
>> log file shows:
>> 22-Feb-2022 23:11:58.705 general: notice: BIND 9 is maintained by
>> Internet Systems Consortium,
>> 22-Feb-2022 23:11:58.705 general: notice: Inc. (ISC), a non-profit
>> 501(c)(3) public-benefit
>> 22-Feb-2022 23:11:58.705 general: notice: corporation.  Support and
>> training for BIND 9 are
>> 22-Feb-2022 23:11:58.705 general: notice: available at
>> https://www.isc.org/support
>> 22-Feb-2022 23:11:58.705 general: notice:
>> 
>> 22-Feb-2022 23:11:58.705 general: info: found 6 CPUs, using 6 worker
>> threads
>> 22-Feb-2022 23:11:58.705 general: info: using 6 UDP listeners per
>> interface
>> 22-Feb-2022 23:11:58.705 general: info: using up to 21000 sockets
>> 22-Feb-2022 23:11:58.715 general: info: loading configuration from
>> '/etc/bind/named.conf'
>> 22-Feb-2022 23:11:58.715 general: info: reading built-in trust anchors
>> from file '/etc/bind/bind.keys'
>> 22-Feb-2022 23:11:58.715 general: info: looking for GeoIP2 databases in
>> '/usr/share/GeoIP'
>> 22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv4 port
>> range: [1024, 65535]
>> 22-Feb-2022 23:11:58.715 general: i

Re: linux debian jail - network problems

2022-02-24 Thread Sami Halabi
Hi,
Added Current, maybe will be lucky ;)

Anyone have idea how approach and fix this?

Sami

On Tue, 22 Feb 2022, 23:30, Sami Halabi wrote:

> Hi all,
> sorry for the cross post but I need help and I'm not sure where it hangs.
>
> I create linux jail (debian bullseye) via cbsd.
> the jail is being populated with the debian userland..
> so far so good... services running (sshd) and I can login to the jail, I
> also can update packages and I can install apache httpd and all works fine
> (apt install or make from src).
> I also manage to install packages even if their scripts depend on "ip"
> command that fails:
> cbsd@j2> ip
> Cannot open netlink socket: Address family not supported by protocol
>
> ifconfig show empty interfaces:
> cbsd@j2> ifconfig
> eth0: flags=4163  mtu 1500
> ether 00:50:56:0a:b3:a0  (Ethernet)
> RX packets 139798314  bytes 12029597009 (11.2 GiB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 26879143  bytes 34400160833 (32.0 GiB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> lo0: flags=4169  mtu 16384
> loop  (Local Loopback)
> RX packets 28548  bytes 160312960 (152.8 MiB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 28548  bytes 160312960 (152.8 MiB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> I know linux emulation doesn't implement netlink.. so what I do is fake
> the response by replacing /bin/ip by a bash script that prints the correct
> IP and fakes some other (needed by packages i Installed):
> #!/bin/bash
> if [ "$1" = "-o" ]; then
>     echo "1: eth0 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
> elif [ "$1" = "route" ]; then
>     if [ "$2" = "get" ]; then
>         echo "8.8.8.8 via  192.168.1.2   dev eth0  src 192.168.1.2  "
>     else
>         echo "default via  192.168.1.2   dev eth0"
>     fi
> else
>     echo "1: eth0:  mtu 1500 qdisc mq state UP qlen 1000"
>     echo "  inet  192.168.1.2  /24 brd  192.168.1.255 scope global eth0"
> fi
>
>
> still ifconfig shows no IP... it's time to say it's a regular jail and *NOT*
> VNET.
>
> *however* packages that pull IPs via libraries fail..
> eg: installed bind916 (name) in the logs I see these errors (relevant
> only):
> cbsd@j2> service named start
> Starting domain name service...: namednamed: prctl(PR_SET_DUMPABLE)
> failed: Invalid argument
> cbsd@j2>
>
>
> log file shows:
> 22-Feb-2022 23:11:58.705 general: notice: BIND 9 is maintained by Internet
> Systems Consortium,
> 22-Feb-2022 23:11:58.705 general: notice: Inc. (ISC), a non-profit
> 501(c)(3) public-benefit
> 22-Feb-2022 23:11:58.705 general: notice: corporation.  Support and
> training for BIND 9 are
> 22-Feb-2022 23:11:58.705 general: notice: available at
> https://www.isc.org/support
> 22-Feb-2022 23:11:58.705 general: notice:
> 
> 22-Feb-2022 23:11:58.705 general: info: found 6 CPUs, using 6 worker
> threads
> 22-Feb-2022 23:11:58.705 general: info: using 6 UDP listeners per interface
> 22-Feb-2022 23:11:58.705 general: info: using up to 21000 sockets
> 22-Feb-2022 23:11:58.715 general: info: loading configuration from
> '/etc/bind/named.conf'
> 22-Feb-2022 23:11:58.715 general: info: reading built-in trust anchors
> from file '/etc/bind/bind.keys'
> 22-Feb-2022 23:11:58.715 general: info: looking for GeoIP2 databases in
> '/usr/share/GeoIP'
> 22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv4 port range:
> [1024, 65535]
> 22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv6 port range:
> [1024, 65535]
> 22-Feb-2022 23:11:58.715 network: info: no IPv6 interfaces found
> 22-Feb-2022 23:11:58.715 general: error: ifiter_getifaddrs.c:79:
> unexpected error:
> 22-Feb-2022 23:11:58.715 general: error: getting interface addresses:
> getifaddrs: Address family not supported by protocol
> 22-Feb-2022 23:11:58.715 network: warning: not listening on any interfaces
> *snip*
> *snip*
> 22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
> 22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS)
> failed: Protocol not available
> 22-Feb-2022 23:11:58.735 general: notice: couldn't add command channel
> 127.0.0.1#953: permission denied
> 22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
> 22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS)
> failed: Protocol not available
> 22-Feb-2022 23:11:58.735 general: notice: couldn't add 

linux debian jail - network problems

2022-02-22 Thread Sami Halabi
Hi all,
sorry for the cross post but I need help and I'm not sure where it hangs.

I create linux jail (debian bullseye) via cbsd.
the jail is being populated with the debian userland..
so far so good... services running (sshd) and I can login to the jail, I
also can update packages and I can install apache httpd and all works fine
(apt install or make from src).
I also manage to install packages even if their scripts depend on "ip"
command that fails:
cbsd@j2> ip
Cannot open netlink socket: Address family not supported by protocol

ifconfig show empty interfaces:
cbsd@j2> ifconfig
eth0: flags=4163  mtu 1500
ether 00:50:56:0a:b3:a0  (Ethernet)
RX packets 139798314  bytes 12029597009 (11.2 GiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 26879143  bytes 34400160833 (32.0 GiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo0: flags=4169  mtu 16384
loop  (Local Loopback)
RX packets 28548  bytes 160312960 (152.8 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 28548  bytes 160312960 (152.8 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I know linux emulation doesn't implement netlink.. so what I do is fake the
response by replacing /bin/ip by a bash script that prints the correct IP
and fakes some other (needed by packages i Installed):
#!/bin/bash
if [ "$1" = "-o" ]; then
    echo "1: eth0 inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0"
elif [ "$1" = "route" ]; then
    if [ "$2" = "get" ]; then
        echo "8.8.8.8 via  192.168.1.2   dev eth0  src 192.168.1.2  "
    else
        echo "default via  192.168.1.2   dev eth0"
    fi
else
    echo "1: eth0:  mtu 1500 qdisc mq state UP qlen 1000"
    echo "  inet  192.168.1.2  /24 brd  192.168.1.255 scope global eth0"
fi


still ifconfig shows no IP... it's time to say it's a regular jail and *NOT*
VNET.

*however* packages that pull IPs via libraries fail..
eg: installed bind916 (name) in the logs I see these errors (relevant only):
cbsd@j2> service named start
Starting domain name service...: namednamed: prctl(PR_SET_DUMPABLE) failed: Invalid argument
cbsd@j2>


log file shows:
22-Feb-2022 23:11:58.705 general: notice: BIND 9 is maintained by Internet Systems Consortium,
22-Feb-2022 23:11:58.705 general: notice: Inc. (ISC), a non-profit 501(c)(3) public-benefit
22-Feb-2022 23:11:58.705 general: notice: corporation.  Support and training for BIND 9 are
22-Feb-2022 23:11:58.705 general: notice: available at https://www.isc.org/support
22-Feb-2022 23:11:58.705 general: notice:

22-Feb-2022 23:11:58.705 general: info: found 6 CPUs, using 6 worker threads
22-Feb-2022 23:11:58.705 general: info: using 6 UDP listeners per interface
22-Feb-2022 23:11:58.705 general: info: using up to 21000 sockets
22-Feb-2022 23:11:58.715 general: info: loading configuration from '/etc/bind/named.conf'
22-Feb-2022 23:11:58.715 general: info: reading built-in trust anchors from file '/etc/bind/bind.keys'
22-Feb-2022 23:11:58.715 general: info: looking for GeoIP2 databases in '/usr/share/GeoIP'
22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Feb-2022 23:11:58.715 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Feb-2022 23:11:58.715 network: info: no IPv6 interfaces found
22-Feb-2022 23:11:58.715 general: error: ifiter_getifaddrs.c:79: unexpected error:
22-Feb-2022 23:11:58.715 general: error: getting interface addresses: getifaddrs: Address family not supported by protocol
22-Feb-2022 23:11:58.715 network: warning: not listening on any interfaces
*snip*
*snip*
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.735 general: notice: couldn't add command channel 127.0.0.1#953: permission denied
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(50, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.735 general: notice: couldn't add command channel 127.0.0.1#953: permission denied
22-Feb-2022 23:11:58.735 zoneload: info: managed-keys-zone: loaded serial 24
22-Feb-2022 23:11:58.735 zoneload: info: zone 0.in-addr.arpa/IN: loaded serial 1
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(512, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.735 general: error: socket.c:2405: unexpected error:
22-Feb-2022 23:11:58.735 general: error: setsockopt(513, IP_RECVTOS) failed: Protocol not available
22-Feb-2022 23:11:58.745 zoneload: info: zone 255.in-addr.arpa/IN: loaded serial 1
22-Feb-2022 23:11:58.745 zoneload: info: zone j1.royalshells.com/IN: loaded serial 2022022106
22-Feb-2022 23:11:58.745 notify: info: zone 

9 netstat in a jail, 12 vs 13

2019-01-31 Thread Sami Halabi
Compile static binary of netstat and copy it to the jail may solve your
problem.
Sami

On Thu, 31 Jan 2019, 20:09, Christer Edwards <christer.edwa...@gmail.com> wrote:

> On Thu, Jan 31, 2019 at 9:29 AM Michael W. Lucas <
> mwlu...@michaelwlucas.com>
> wrote:
>
> >
> > 12.0 jail on -current host:
> >
> > root@loghost:~ # sockstat -4
> > sockstat: struct xinpgen size mismatch
> > root@loghost:~ # netstat -na -f inet
> > netstat: kvm not available: /dev/mem: No such file or directory
> > Some tcp sockets may have been deleted.
> > Some udp sockets may have been deleted.
>
>
> I have seen this happen anytime I have run a jail where the version does
> not exactly match the host. sockstat always fails with 'sockstat: struct
> xinpgen size mismatch'
>
> Very interested in a solution / patch / workaround myself.
>
> Christer
> ___
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
>


Re: Configuring network without ezjail

2015-12-12 Thread Sami Halabi
hi,
I think you need to configure the ip in the host first, later it'll be seen
in the jail.

using RFC 1918 addresses means you need NAT in your router to have access to
the internet.
rather than that using the term 'routing' is incorrect unless you have
multiple hops to get the packets to the router.

Sami
On 13 Dec 2015 6:45 AM, "marcel" wrote:

>
>
> On 12/12/2015 02:59, Michael B. Eichorn wrote:
> > On Fri, 2015-12-11 at 21:44 -0500, Michael B. Eichorn wrote:
> >> On Sat, 2015-12-12 at 02:08 +, marcel wrote:
> >>> ... and I think I have enabling gateway, I wrote this in both of
> >>> my
> >>> rc.conf (jail and host):
> >>>
> >>> gateway_enable="YES"
> >>>
> >>> Is it correct ?
> >> You only need gateway_enable if you are doing routing, it is not
> >> necessary for a typical jail setup. Most of the time you are just
> >> adding an alias to the host's nic.
> OK so if I want to my jail can access to internet I have to do routing,
> right ?
> >>> But I don't think I have DNS problems, my host correctly access to
> >>> the
> >>> internet and the resolv.conf of my jail and my host are same...
> >>>
> >>> On 12/12/2015 01:50, marcel wrote:
>  No I don't get to have an IP address... Yet I have writed this in
>  my
>  host's rc.conf:
> 
>  jail_enable="YES"
>  jail_list="thename"
>  jail_guantanamo_rootdir="thepath"
>  jail_guantanamo_hostname="thename"
>  jail_guantanamo_ip="192.168.0.12"
> 
>  and I use the command:
> 
>  jail thepath thename 192.168.0.12 /bin/csh
> 
>  to connect to my jail...
> 
>  On 11/12/2015 23:31, Dirk Engling wrote:
> > On 12.12.15 01:19, marcel wrote:
> >
> >> I would like to know if it is possible to configure a jail's
> >> network for
> >> accessing to the World Wide Web but without ezjail ?
> >> I have created my jail without ezjail (mkdir jail, make
> >> installworld,
> >> etc...) and I would like to continue without it if it's
> >> possible...
> > Sure, why doesn't it connect to the net? Does it have a RFC1918
> > IP? If
> > so, you need to enable NAT. If not, did you enable gatewaying?
> > Maybe you
> > just have DNS problems, so is your resolv.conf set up properly?
> >
> > Without knowing what exactly is not working, I can not help
> > you.
> >
> >   erdgeist
> >> I think you found some old instructions, assuming a 10.x system here
> >> is
> >> the boilerplate for a typical jail:
> >>
> >> rc.conf:
> >>
> >>   jail_enable="YES"
> >>
> >> jail.conf:
> >>
> >>   interface = re0;
> >>   mount.devfs;
> >>   exec.start = "/bin/sh /etc/rc";
> >>   exec.stop = "/bin/sh /etc/rc.shutdown";
> >>
> >>   thenameofthejail {
> >>     host.hostname = host.domain.tld;
> >>     path = /the/path/to/the/jail;
> >>     ip4.addr = 192.168.0.12;
> >>   }
> >>
> >> and start it up with
> >>
> >> # jail -c thenameofthejail
> >>
> >> And another handy tip you can avoid building a jail with make by
> >> extracting the base.txz file found in places like the install media
> >> into
> >> the jail directory
> OK, so my jail.conf look like your jail.conf and when I type jls my jail
> have the IP 192.168.0.12 but when I type ifconfig in my jail I have no
> ip...
> > Oh and before I forget, the trickiest thing for me moving from ezjail
> > to jail was updating. Assuming your jails are complete base systems and
> > that you would like to use binary updates with freebsd-update, and you
> > have completely separated jails without any funny tricks to save space,
> > here is Ike's simple jail update guide:
> >
> > edit the jail's freebsd-update.conf and change
> >
> > Components src world kernel
> > -to-
> > Components world
> >
> > then run freebsd-update like so:
> >
> > # freebsd-update -b /usr/jails/jaildir \
> >   -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >   -d /usr/jails/jaildir/var/db/freebsd-update fetch
> > # freebsd-update -b /usr/jails/jaildir \
> >   -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >   -d /usr/jails/jaildir/var/db/freebsd-update install
> >
> > Using the -f flag keeps the jail from using the host config since jails
> > cannot update kernels anyway. And -d keeps jails and hosts from
> > trampling each other which is nice if you want to do more than one at a
> > time, or if you use freebsd-update cron.
> Thanks for tip !
>

Re: /lib/libc.so.7 unsupported file format

2013-10-10 Thread Sami Halabi
Hi,
is there a simple way to interpret the data in /var/db/freebsd-update that
sits inside a jail, from HOST and install the updates that already fetched
somehow ?

Sami


On Thu, Oct 10, 2013 at 2:35 PM, Mark Felder f...@freebsd.org wrote:



 On Wed, Oct 9, 2013, at 23:22, Sami Halabi wrote:
  Hi,
  i have a box with FreeBSD-9.1-Release-amd64.
  I did freebsd-update to the host and to the jails in, one of them is
  32bit
  and since then i get:
 
  root@6:/root # jexec 1 /bin/csh
  /lib/libc.so.7: unsupported file layout
  root@6:/root #
 
  i see /lib/libc.so.7 was updated
 
  as i read in some forums, i did:
  root@6:/root # ldconfig /lib /usr/lib /usr/local/lib
  root@6:/root #
 
  I also tried to do freebsd-update from the jail but install failed with
  chflags problem.
 
  I tried freebsd-update with -b and -c to point to the jail freebsd-update
  in /var by doing fetch in the jail and install from the host.. without
  success,
 
  For now i rolled back the changes.
 
  Any hints to workaround this?
 

 I'm not sure that freebsd-update is supported for doing updates of 32bit
 jails on 64bit hosts. You might have to do the upgrade yourself from
 source.




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


Re: /lib/libc.so.7 unsupported file format

2013-10-10 Thread Sami Halabi
Hi,
thanks for replying me so fast.

what i meant is:
1. in the jail (32 bit) to do:
 freebsd-update fetch

# ls /var/db/freebsd-update/
./
../
f465c3739385890c221dff1a05e578c6cae0d0430e46996d319db7439f884336-install@
filelist
files/
install.TggE71/
pub.ssl
serverlist
serverlist_full
serverlist_tried
tINDEX.present
tag
root@sami:/ #

root@sami:/ # more /var/db/freebsd-update/tag
freebsd-update|i386|9.1-RELEASE|7|b3924864da0e125ff57d2f9894347dbc0e130ae32a0647126d5109dbc099981e|1420070400
root@sami:/ #

2. since inside the jail:
root@sami:/ # freebsd-update install
Installing updates...chflags: ///lib/libc.so.7: Operation not permitted
root@sami:/ #

not working because of chflags (maybe there is a sysctl that will allow a
jail to chflags??)

i thought that maybe there is some way to do it from outside the jail.

unfortunately doing simple:
root@6:/root # freebsd-update -b /usr/jails/sami -d /usr/jails/sami/var/db/freebsd-update/ install
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
root@6:/root #

i thought if there is some way to interpret the data and installing using
the host (maybe manually somehow...), or even changing the chflags inside
the jail to an executable that return success no matter what...

Sami





On Thu, Oct 10, 2013 at 2:55 PM, Mark Felder f...@freebsd.org wrote:

 On Thu, Oct 10, 2013, at 6:48, Sami Halabi wrote:
  Hi,
  is there a simple way to interpret the data in /var/db/freebsd-update
  that
  sits inside a jail, from HOST and install the updates that already
  fetched
  somehow ?
 

 freebsd-update uses binary patches. They are not entire files you could
 simply replace on your system. As you have witnessed, applying a binary
 patch intended for a 64bit binary to a 32bit binary has dire
 consequences. Unfortunately the data in /var/db/freebsd-update is
 completely worthless for your 32bit jail.




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


Re: /lib/libc.so.7 unsupported file format

2013-10-10 Thread Sami Halabi
Hi,

 # sysctl security.jail.param.allow.chflags=1
security.jail.param.allow.chflags: 0 - 0

the sysctl is not working, maybe it should be set on /boot/loader.conf

what i did is the following:
1. inside the jail
 a. i renamed /bin/chflags to /bin/chflags-old
 b. created /bin/chflags with the following:
 #!/bin/csh -f
 echo sami > /dev/null
2. a freebsd-update install in the jail yields installing the updates with
errors on /lib/libc.so.7  /usr/bin/login
3. i did freebsd-update rollback
4. in the host i did:
  a. chflags noschg /usr/jails/sami/lib/libc.so.7
  b. chflags noschg /usr/jails/sami/usr/bin/login
5. in the jail i did:
 a. freebsd-update fetch
 b. freebsd-update install
6. in the host i did:
  a. chflags schg /usr/jails/sami/lib/libc.so.7
  b. chflags schg /usr/jails/sami/usr/bin/login
7. inside the jail
 a. removed /bin/chflags
 b. i renamed /bin/chflags-old to /bin/chflags


Worked for me.

Thanks for trying to help me,
Sami



On Thu, Oct 10, 2013 at 3:06 PM, Mark Felder f...@freebsd.org wrote:

 On Thu, Oct 10, 2013, at 7:03, Sami Halabi wrote:
  Hi,
  thanks for replying me so fast.
 
  what i meant is:
  1. in the jail (32 bit) to do:
   freebsd-update fetch
 
  # ls /var/db/freebsd-update/
  ./
  ../
  f465c3739385890c221dff1a05e578c6cae0d0430e46996d319db7439f884336-install@
  filelist
  files/
  install.TggE71/
  pub.ssl
  serverlist
  serverlist_full
  serverlist_tried
  tINDEX.present
  tag
  root@sami:/ #
 
  root@sami:/ # more /var/db/freebsd-update/tag
 
 freebsd-update|i386|9.1-RELEASE|7|b3924864da0e125ff57d2f9894347dbc0e130ae32a0647126d5109dbc099981e|1420070400
  root@sami:/ #
 
  2. since inside the jail:
  root@sami:/ # freebsd-update install
  Installing updates...chflags: ///lib/libc.so.7: Operation not permitted
  root@sami:/ #
 
  not working because of chflags (maybe there is a sysctl that will allow a
  jail to chflags??)
 
  i thought that maybe there is some way to do it from outside the jail.
 
  unfortunately doing simple:
  root@6:/root # freebsd-update -b /usr/jails/sami -d /usr/jails/sami/var/db/freebsd-update/ install
  No updates are available to install.
  Run '/usr/sbin/freebsd-update fetch' first.
  root@6:/root #
 
  i thought if there is some way to interpret the data and installing using
  the host (maybe manually somehow...), or even changing the chflags inside
  the jail to an executable that return success no matter what...
 

 There is a sysctl for chflags:

 security.jail.param.allow.chflags

 and you can check if you have that access from within the jail via:

 security.jail.chflags_allowed

 I have not tried to do what you're attempting before simply because I've
 very rarely run 32bit jails on 64bit hosts. Hopefully this gets you in
 the right direction.




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
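
The host-side part of the procedure in this message (clear schg, install inside the jail, restore schg), as an added example that is not part of the original thread. It assumes the flagged files are listed with `ls -lo` on the host and that the jail ID is passed in; the function names are hypothetical, the listing is constructed, and the script defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Host-side wrapper around an in-jail
# "freebsd-update install": clear schg on the listed files, run the install
# inside the jail, then put schg back even if the install failed.
# DRY_RUN defaults to 1 (print commands only); set DRY_RUN=0 to execute.
DRY_RUN=${DRY_RUN:-1}

# Read `ls -lo` lines on stdin and print the path of every file whose flags
# column (field 5 on FreeBSD, "-" when empty) contains schg.
# Assumes paths without whitespace, which holds for the base system.
schg_paths() {
    awk '{
        n = split($5, f, ",")
        for (i = 1; i <= n; i++)
            if (f[i] == "schg") { print $NF; break }
    }'
}

# Execute a command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# set_flag FLAG: apply `chflags FLAG` to each path read from stdin.
set_flag() {
    while IFS= read -r path; do
        run chflags "$1" "$path"
    done
}

# update_jail JID: stdin is `ls -lo` output for the host paths of the jail
# files that freebsd-update could not replace from inside the jail.
update_jail() {
    jid=$1
    paths=$(schg_paths)
    if [ -z "$paths" ]; then
        echo "update_jail: no schg files in listing" >&2
        return 1
    fi
    printf '%s\n' "$paths" | set_flag noschg
    rc=0
    run jexec "$jid" freebsd-update install || rc=$?
    # Restore the flags regardless of the install result.
    printf '%s\n' "$paths" | set_flag schg
    return "$rc"
}

# Constructed sample listing, modelled on `ls -lo` for the two files named in
# the thread plus one unflagged file.
sample_listing() {
    cat <<'EOF'
-r--r--r--  1 root  wheel  schg 1202404 Oct 10  2013 /usr/jails/sami/lib/libc.so.7
-r-sr-xr-x  1 root  wheel  schg   24356 Oct 10  2013 /usr/jails/sami/usr/bin/login
-r-xr-xr-x  1 root  wheel  -      11232 Oct 10  2013 /usr/jails/sami/bin/chflags
EOF
}

# Print the plan for jail ID 1 (the ID used with jexec in the thread).
sample_listing | update_jail 1
```

Because the flags are handled from the host, /bin/chflags inside the jail stays untouched and a failed install still ends with schg restored. Clearing schg from the host only works while the host's securelevel is below 1.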


/lib/libc.so.7 unsupported file format

2013-10-09 Thread Sami Halabi
Hi,
i have a box with FreeBSD-9.1-Release-amd64.
I did freebsd-update to the host and to the jails in, one of them is 32bit
and since then i get:

root@6:/root # jexec 1 /bin/csh
/lib/libc.so.7: unsupported file layout
root@6:/root #

i see /lib/libc.so.7 was updated

as i read in some forums, i did:
root@6:/root # ldconfig /lib /usr/lib /usr/local/lib
root@6:/root #

I also tried to do freebsd-update from the jail but install failed with
chflags problem.

I tried freebsd-update with -b and -c to point to the jail freebsd-update
in /var by doing fetch in the jail and install from the host.. without
success,

For now i rolled back the changes.

Any hints to workaround this?

Thanks in advance,
Sami


Re: how to measure bandwidth per jail

2013-03-22 Thread Sami Halabi
Jnettop has the ability to:
Measure bandwidth/packets in particular interface.
Simply use:
0,1..9 to switch between interfaces.
p to switch between packets/bandwidth
b to measure in bytes/bits
You better define your local ips in the .jnettop file, once that done your
measures would be more accurate specially when you aggregate traffic (in
local/remote) by ip/protocol...

Additional option is content filter mainly in web traffic.

You can also add custom ips to measure using .jnettop file.

Sami
On Mar 22, 2013 1:05 PM, Nicolas de Bari Embriz Garcia Rojas 
nb...@inbox.im wrote:

  Hi, I tried jnettop but is something like 'trafshow', I am searching
 something like vnstat, that could help me measure the rx/tx  total
 consumed bandwidth.

 any ideas?



 On 03/21/2013 18:48, Sami Halabi wrote:

 Hi
 Try jnettop from ports... exactly what you're looking at.

 However it's old, so the counters are 32 bit rather than 64 which means it's
 pretty effective on 100mbit links
 plus it's a cpu consumer by design
 Sami
 On Mar 21, 2013 8:27 PM, Nicolas de Bari Embriz Garcia Rojas 
 nb...@inbox.im wrote:

 Hi, one strange behavior I notice (freeBSD 9.1) is that I don't see the
 Obytes per IP only for the bce0 interface, but I do for the cloned
 interface lo1:

 here is a link with the output of netstat -ib
 http://pastebin.com/arrRsM78

 any ideas ?

 regards.

 On 03/21/2013 18:12, Scott Lambert wrote:
  On Thu, Mar 21, 2013 at 01:26:13AM +, Nicolas de Bari Embriz
 Garcia Rojas wrote:
  Hi, any tool, idea or method for measuring the bandwidth consumed per
  jail ? (or by IP)
 
  What about using pflow ( pseudo-device pflow) any advice ?
  I found a thread about this topic yesterday via Google.  It was on
  the freebsd-...@frebbsd.org mailing list sometime in 2005 if I
  remember correctly.
 
  They came up with a few options
 
netflow,
 
counting rules in IPFW/pf/ipf
 
netstat -rni ( which gets you packet counts,
-rnbi gives you in-bytes and out-bytes)
 
bandwidthd (in ports I believe)
 
I suppose ntop could do similar things.
 
  My favorite option was netstat -rnbi | awk '{print $8,$11}' and
  feeding that to MRTG.  I have not gotten it implemented yet.
 
  One consideration is that on FreeBSD 8 and older, you don't get out
  traffic per IP address with netstat, as far as I can tell.  We're
  moving to FreeBSD 9 pretty quickly anyway.
 




___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
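
Added example, not code from the thread: the `netstat -rnbi | awk '{print $8,$11}'` idea Scott Lambert mentions, extended to compute per-address byte deltas and bit rates between two snapshots. The function names, the sample snapshots, and the choice to treat a shrinking counter as a reset are assumptions of this example.

```shell
#!/bin/sh
# Constructed `netstat -ibn` snapshots taken 60 s apart (sample data, not from
# the thread). Layout assumed: Ibytes is field 8 and Obytes is field 11.
sample_t0() { cat <<'EOF'
Name    Mtu Network       Address            Ipkts Ierrs Idrop  Ibytes Opkts Oerrs  Obytes Coll
bce0   1500 <Link#1>      00:11:22:33:44:55   9000     0     0 9000000  7000     0 7000000    0
bce0   1500 192.0.2.0/24  192.0.2.10          4000     -     - 2000000  3000     - 1000000    -
bce0   1500 192.0.2.0/24  192.0.2.11          5000     -     - 7000000  4000     - 6000000    -
lo0   16384 <Link#2>                           100     0     0   10000   100     0   10000    0
EOF
}
sample_t1() { cat <<'EOF'
Name    Mtu Network       Address            Ipkts Ierrs Idrop  Ibytes Opkts Oerrs  Obytes Coll
bce0   1500 <Link#1>      00:11:22:33:44:55   9900     0     0 9660000  7600     0 7330000    0
bce0   1500 192.0.2.0/24  192.0.2.10          4800     -     - 2600000  3500     - 1300000    -
bce0   1500 192.0.2.0/24  192.0.2.11           100     -     -   60000    60     -   30000    -
lo0   16384 <Link#2>                           100     0     0   10000   100     0   10000    0
EOF
}

# per_ip_delta PREV CUR [SECONDS]
# Prints: iface address rx_bytes tx_bytes rx_bits_per_s tx_bits_per_s
per_ip_delta() {
    awk -v secs="${3:-60}" '
        # Per-address IPv4 rows only: 12 fields with a dotted quad in field 4.
        # Link rows (MAC or empty address) and the header never match.
        function ip_row() { return NF == 12 && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }
        NR == FNR {
            if (ip_row()) { k = $1 SUBSEP $4; seen[k] = 1; ib[k] = $8; ob[k] = $11 }
            next
        }
        ip_row() {
            k = $1 SUBSEP $4
            if (!(k in seen)) next          # address added since PREV: no baseline yet
            din = $8 - ib[k]; dout = $11 - ob[k]
            # A counter lower than before means it was reset (alias re-added,
            # jail restarted): count the bytes seen since the reset instead.
            if (din < 0) din = $8
            if (dout < 0) dout = $11
            printf "%s %s %.0f %.0f %.0f %.0f\n", $1, $4, din, dout, din * 8 / secs, dout * 8 / secs
        }
    ' "$1" "$2"
}
```

On a live host the two inputs would be files written by `netstat -ibn` at the start and end of the interval, with the interval length passed as the third argument.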


Re: how to measure bandwidth per jail

2013-03-21 Thread Sami Halabi
Hi
Try jnettop from ports... exactly what you're looking at.

However it's old, so the counters are 32 bit rather than 64 which means it's
pretty effective on 100mbit links
plus it's a cpu consumer by design
Sami
On Mar 21, 2013 8:27 PM, Nicolas de Bari Embriz Garcia Rojas 
nb...@inbox.im wrote:

 Hi, one strange behavior I notice (FreeBSD 9.1) is that I don't see the
 Obytes per IP only for the bce0 interface, but I do for the cloned
 interface lo1:

 here is a link with the output of netstat -ib http://pastebin.com/arrRsM78

 any ideas ?

 regards.

 On 03/21/2013 18:12, Scott Lambert wrote:
  On Thu, Mar 21, 2013 at 01:26:13AM +, Nicolas de Bari Embriz Garcia
 Rojas wrote:
  Hi, any tool, idea or method for measuring the bandwidth consumed per
  jail ? (or by IP)
 
  What about using pflow ( pseudo-device pflow) any advice ?
  I found a thread about this topic yesterday via Google.  It was on
  the freebsd-...@frebbsd.org mailing list sometime in 2005 if I
  remember correctly.
 
  They came up with a few options
 
netflow,
 
counting rules in IPFW/pf/ipf
 
netstat -rni ( which gets you packet counts,
-rnbi gives you in-bytes and out-bytes)
 
bandwidthd (in ports I believe)
 
I suppose ntop could do similar things.
 
  My favorite option was netstat -rnbi | awk '{print $8,$11}' and
  feeding that to MRTG.  I have not gotten it implemented yet.
 
  One consideration is that on FreeBSD 8 and older, you don't get out
  traffic per IP address with netstat, as far as I can tell.  We're
  moving to FreeBSD 9 pretty quickly anyway.
 



Re: VNET

2012-06-20 Thread Sami Halabi
Thank you.

I want to use vnet jail for a specific subnet that I need to separate from
the system.
so basically i create a vlan + a bridged interface to the public.
these two (vlan+bridged interface- epair0a) will be in the vnet jail, so I
can do NAT only for that vlan going out.
This is the idea, as there are more interfaces in the system and there is
only one interface out...

so basically it should be a firewall & Nat only between the specific lan and
the outside world.

Can this be accomplished another way?

Sami

On Wed, Jun 20, 2012 at 5:43 PM, Alexander V. Chernikov 
melif...@freebsd.org wrote:

 On 19.06.2012 12:56, Sami Halabi wrote:

 Hi,

 I want to ask about VNET jails, i read somewhere that I'm able to run IPFW,
 but not PF firewall in a vnet jail.
 is that correct?

 i want a vnet jail basically for nat, so natd with ipfw + ipdivert is my

 1) You can do nat without vnet.
 2) ipfw nat is currently the easiest way to do nat.


  choice? or i can use pf somehow, I never used pf before,
 so i would like some advice here...

 Thanks in advance,



 --
 WBR, Alexander




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert


Re: Succesful patch on several hosts with RELENG_7

2008-10-24 Thread Sami Halabi
I'm joining the compliments...
it's been about 2 months now and working like a charm also...

bz,
You're great.. this feature MUST be in the official production fbsd for
everyone.
thanks for your efforts

Sami

On Fri, Oct 24, 2008 at 6:07 PM, Lorenzo Perone 
[EMAIL PROTECTED] wrote:


 Hi,

 Just wanted to give my feedback
 on Your patch bz_jail7-20080920-01-at150161.diff, which I got
 by reading this list, on

 http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff

 Just patched several RELENG_7 hosts (FreeBSD 7.0-PRERELEASE,
 last one yesterday), and for the time being, it works like a
 charm. THANK YOU VERY MUCH for this patch and Your efforts,
 as this is a very important feature for me and for several
 others. I hope so much that it will be included into RELENG_7
 officially, and/or that You will update it eventually,
 if necessary.

 Kudos, Regards & lots of free beer..

 Lorenzo




Multiple IPS - Freebsd 7.1

2008-10-01 Thread Sami Halabi
hi everyone,

I saw a lot of messages about this so here is it - i just patched it (took
me a day but okay :)

i just downloaded the latest src using this sup file - cvsup:
http://www.royalshells.com/download/freebsd/stable-supfile

# cvsup stable-supfile


i applied the following patch (which i changed to get to work with the
current src):
http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

to patch do:
# cd /usr/src
# patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

after done re-compile the kernel:
# cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
# cp /usr/src/sys/sys/jail.h /usr/include/sys/

clean obj dir:
---
# rm -Rf /usr/obj/*

compile jail and jls:

# cd /usr/src/usr.sbin/jail/
# make clean && make depend && make install
# cd /usr/src/usr.sbin/jls/
# make clean && make depend && make install

compile the kernel:
-
# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installworld
# make installkernel KERNCONF=GENERIC
# mergemaster -U

after reboot:
# uname -a
FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30
20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
i386
#

check the patch:
# jail
usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u
username | -U username] path hostname [ip[,..]] command ...
#

Enjoy.

Sami


Re: Multiple IPS - Freebsd 7.1

2008-10-01 Thread Sami Halabi
bz,
you're right.
i've posted that link :)

Sami

On Wed, Oct 1, 2008 at 2:08 PM, Bjoern A. Zeeb 
[EMAIL PROTECTED] wrote:

 On Wed, 1 Oct 2008, Sami Halabi wrote:

 Hi,

 i applied the following patch (which i changed to get to work with the
 current src):

 http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff


 I do not know what the Fixed_By_Sody_1.10.08 part is but
 it's at least based on a backlevel patch of mine so I hope
 someone fixed the locking for 7.1-PRE.

 I had posted a patch for 7-STABLE (7.1-PRE) last month
 http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
 so taking that one you could have saved yourself a lot of time I guess.

 In case you have changes it would be good to know what you did
 or what I do not have so we do not have forks as my version will hit
 HEAD soon and has changed (also the user space) since July.

 /bz

 --
 Bjoern A. Zeeb  Stop bit received. Insert coin for new game.



Re: Multiple IPS - Freebsd 7.1

2008-10-01 Thread Sami Halabi
hi,
i didn't try it.

i just saw a new patch from bz and tried it, now compiling, here is it:
http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
Sami

royalshells.com, loyalness.com,

On Wed, Oct 1, 2008 at 1:56 PM, Steven Hartland [EMAIL PROTECTED] wrote:

 I would dearly like to see this make the 7.1 release, multi IP's in order
 to support backend interfaces in jails, is something that we hit against
 all the time.

   Regards
   Steve
 - Original Message - From: Sami Halabi [EMAIL PROTECTED]
 To: freebsd-jail@freebsd.org
 Sent: Wednesday, October 01, 2008 12:21 PM
 Subject: Multiple IPS - Freebsd 7.1


   hi everyone,

 I saw a lot of messages about this so here is it - i just patched it (took
 me a day but okay :)

 i just downloaded the latest src using this sup file - cvsup:
 http://www.royalshells.com/download/freebsd/stable-supfile

 # cvsup stable-supfile


 i applied the following patch (which i changed to get to work with the
 current src):

 http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

 to patch do:
 # cd /usr/src
 # patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

 after done re-compile the kernel:
 # cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
 # cp /usr/src/sys/sys/jail.h /usr/include/sys/

 clean obj dir:
 ---
 # rm -Rf /usr/obj/*

 compile jail and jls:
 
 # cd /usr/src/usr.sbin/jail/
 # make clean && make depend && make install
 # cd /usr/src/usr.sbin/jls/
 # make clean && make depend && make install

 compile the kernel:
 -
 # cd /usr/src
 # make buildworld
 # make buildkernel KERNCONF=GENERIC
 # make installworld
 # make installkernel KERNCONF=GENERIC
 # mergemaster -U

 after reboot:
 # uname -a
 FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30
 20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
 i386
 #

 check the patch:
 # jail
 usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u
 username | -U username] path hostname [ip[,..]] command ...
 #

 Enjoy.

 Sami

