Re: Sorry. Numpty alert! FreeBSD Jails... Help?
On 7 Jun 2011 at 21:03, Jack Raats wrote:

> - Original Message -
> > Hi All.
> > Total frustration here. Before I incinerate the luckless box and get my coat.
> > For whatever reason, I can't get my head round how Exactly to create and use a jail, for a small webserver (Hiawatha) on FreeBSD V8.x
>
> First compile the complete system. (kernel and world)
> Then install ezjail from the ports
> Then edit ezjail.conf in /usr/local/etc
> enable ezjail in /etc/rc.conf
> Then creating the base system:
> ezjail-admin update -i
> ezjail-admin update -P
> after this you can create a jail using:
> ezjail-admin create hostname.domain.net ip_address_of_jail
> you can logon to your jail using:
> ezjail-admin console hostname.domain.net
>
> It's quite easy
>
> Grtz
> Jack

The problem is Jack, that build / make etc don't run. Just saying compile the complete system is not much help, when as others have pointed out, part of the needed source collection is (was) missing.

Re: It's quite easy. Only when you know how!

Dave B

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Sorry. Numpty alert! FreeBSD Jails... Help?
On 7 Jun 2011 at 12:10, Chuck Swiger wrote:

> On Jun 7, 2011, at 11:53 AM, Dave wrote:
> > For whatever reason, I can't get my head round how Exactly to create and use a jail, for a small webserver (Hiawatha) on FreeBSD V8.x
>
> Did you start with the Handbook?
>
> http://www.freebsd.org/doc/handbook/jails.html
> http://www.freebsd.org/doc/handbook/jails-build.html

Yes, I have been there many times. It must be me, because I do not find it much if any help. Can't see the wood for all the trees or something. Like I said, the handbook is a good Reference, but not a How To. Plus, once I've gone and clicked on a few of the referral links, it's way too easy to lose the plot, or ones place in the overall scheme of things..

> You might also consider sysutils/ezjail; see:
>
> http://erdgeist.org/arts/software/ezjail
>
> [ ... ]
> > I have (allegedly) downloaded the Sys sources, and Ports. At least it sat there for ages after fumbling around the sysinstall menu system (whoever designed that should be forced to use it! Its behaviour is appalling, flitting from one context to another with no warning, in a way such that you can't see what you've selected, without affecting the selection, or something else..)
> >
> > Anyway, trying to follow various instructions I found, and those pointed out to me by other helpful souls here (thanks Kaya and Peter.) But Whatever I do, I get a Don't know how to build world. Stop error.
> >
> > I am logged in as root, and AFIK have downloaded all the sys and ports sources.. How do I confirm that, are there trace logs kept somewhere?
>
> http://www.freebsd.org/doc/handbook/updating-upgrading.html
> http://www.freebsd.org/doc/handbook/ports-using.html

As Andy and Kaya pointed out, I was missing the Base sources. As at some point, while fighting with the sysinstall menu system, the Base selection got un-selected.

I think I have them now, but have not yet re-tried a build or make.

> Regards,
> --
> -Chuck

Thanks.

Dave B.
Re: Sorry. Numpty alert! FreeBSD Jails... Help?
On 7 Jun 2011 at 15:23, Jerry wrote:

> On Tue, 07 Jun 2011 19:53:13 +0100
> Dave d...@g8kbv.demon.co.uk articulated:
>
> > There is at the same time, not enough detailed info as to how to, and way too much detail of what there is. The Man pages are good references, but lousy how to's... (Sorry.)
>
> Many knowledgeable people consider man to simply be an acronym for, Much About Nothing. In any case, I assume you have read the documentation @:
>
> http://www.freebsd.org/doc/handbook/jails.html
>
> Perhaps you could list a few of the steps you have taken to achieve your goal.
>
> --
> Jerry
> jerry+f...@seibercom.net

Hi.

I was, as I found later, following this...

http://www.freebsd.org/doc/handbook/jails-build.html

But it failed at step 2, with don't know how to make ... Stop etc...

Dave B
Re: Sorry. Numpty alert! FreeBSD Jails... Help?
On 8 Jun 2011 at 0:53, Julian H. Stacey wrote:

> > and AFIK have downloaded all the sys and ports sources.. How do I confirm that,
>
> cd /usr/src
> make clean ; make cleandir ; make clean # gets rid of obj
> du -s -k
> 547684 .

    cant cd to /usr/src/share/info
    *** Error code 2
    Stop in /usr/src.
    *** Error code 1
    Stop in /urs/src.
    You have new mail.

(Contents of the mail is the usual system/security stuff)

I figure something else is missing, so didn't bother with anything else.

Dave B

> find . -type d -print | wc
> 47344734 119623
> cd /usr/ports
> du -s -k
> 477244 .
> find . -type d -print | wc
> 31883 31883 704477
>
> > are there trace logs kept somewhere?
>
> Not that I'm aware of, but I don't use sysinstall beyond minimum installs, (I get my src/ ports/ from my cvs tree which is delivered by ctm from mail)
>
> cvs -Q -R export -r RELENG_8_2_0_RELEASE src # du=548 M tgz=115 M
> cvs -Q -R export -r RELEASE_8_2_0 ports # du=475 M tgz= 49 M
> cvs -Q -R export -r RELEASE_8_2_0 doc # du=100 M tgz= 27 M
>
> Cheers,
> Julian
> --
> Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
> Reply below, not above; indent with ; Cumulative like a play script.
> Send plain text format; Not quoted-printable, Not HTML, Not base 64.
Re: Sorry. Numpty alert! FreeBSD Jails... Help?
On 08/06/2011 13:53, Dave wrote:

> As Andy and Kaya pointed out, I was missing the Base sources. As at some point, while fighting with the sysinstall menu system, the Base selection got un-selected.

The best way to get along with sysinstall is not to use it. Or use it as little as possible. Install a really minimal system, then reboot and log into FreeBSD and do everything else from the system command line. sysinstall is not a system administration tool, and attempting to use it as such will lead to much needless suffering.

Now, you may be wondering exactly /how/ to do the stuff you want from the command line. The Handbook is a really very good reference for that, or you can search the web or ask here. Getting hold of the latest system sources and compiling and installing FreeBSD from them is very well covered, as are alternative binary-only methods for those who do not want to spend time compiling. (Mind you, if you hate running a compiler, then FreeBSD is probably not for you: compile from source is the 'succeed where all else fails' typical last resort solution to many problems)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW
How to restrict jail's network access?
Hi:

I'm planning to move services to run in jails. Two jails:

1: Mail related: postfix, cyrus imap and openldap
2: Web related: apache and postgresql

No service should be able to connect out of the jail to remote hosts, except for postfix that needs to connect out to port 25 for delivery to other domains. I don't want to allow a ssh out of a jail to the local node, as that could allow a compromised jail to jump to the host server - even if only theoretically.

Both jails need to access the named that runs chrooted on the host server but may not access remote DNS services.

Other than this, any connection to remote nodes or the host server on the loopback interface must be blocked.

I don't have extra IPs to create jails with separate interfaces, but there are no conflicting port assignments so this shouldn't be a problem.

I have considered to isolate the jails by only offering a loopback interface and let the firewall impose these policies, but is this at all possible?

How would you go about implementing the above policies?

Thanks,
Erik
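The policy described in the post above, written out as a pf ruleset; this is an added example, not part of the original message and not a reply from the list. The interface name em0, the cloned loopback lo1, the jail addresses 10.0.0.1 and 10.0.0.2, the named listen address 10.0.0.254 and the published ports are all assumptions.

```conf
# /etc/pf.conf -- added example; every name, address and port is an assumption.
# Assumes both jails are bound to private addresses on a cloned loopback (lo1)
# and the host's chrooted named also listens on an lo1 address.
ext_if    = "em0"          # hypothetical external interface
mail_jail = "10.0.0.1"     # postfix, cyrus imap, openldap
web_jail  = "10.0.0.2"     # apache, postgresql
host_dns  = "10.0.0.254"   # host named, reachable from the jails
table <jails> const { 10.0.0.1, 10.0.0.2 }

# Do NOT add "set skip on lo0" / "set skip on lo1": jail-to-host traffic
# crosses the loopback interfaces and would then bypass every rule below.

# --- translation ---
# Only the mail jail is ever NATed, and only for SMTP delivery. The tag lets
# the filter rule below tell this traffic apart from the host's own.
nat on $ext_if inet proto tcp from $mail_jail to any port 25 \
    tag JAIL_SMTP -> ($ext_if)

# Published services are redirected from the shared host address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 25, 143 } -> $mail_jail
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_jail

# --- filtering (last matching rule wins) ---
# Default for anything a jail originates, towards the host or the network.
# No interface is named, so the rule applies wherever the packet shows up.
# This also covers ssh from a jail to any host address.
block drop log from <jails> to any

# A jail may talk to itself (apache -> postgresql, postfix -> openldap).
pass from $mail_jail to $mail_jail keep state
pass from $web_jail  to $web_jail  keep state

# DNS only to the host's named; no NAT rule exists for remote resolvers,
# so queries to outside servers stay caught by the block rule above.
pass proto { tcp, udp } from <jails> to $host_dns port 53 keep state

# Outbound SMTP from the mail jail, recognised by the tag set at NAT time.
pass out on $ext_if inet proto tcp tagged JAIL_SMTP keep state

# Inbound connections to the published services (addresses are post-rdr).
pass in on $ext_if inet proto tcp from any to $mail_jail port { 25, 143 } keep state
pass in on $ext_if inet proto tcp from any to $web_jail  port 80 keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and the `log` keyword on the block rule makes denied jail traffic visible on pflog0.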
ipv6 enabled and panic in 7.4-RELEASE
Hello list,

I enabled ipv6 in a server running 7.4-RELEASE with amd64 generic kernel, and bge. I issued a static ipv6 address with prefix length 120 (according to my network administrator) and ipv6 default route in rc.conf, and issued '/etc/rc.d/network_ipv6 start'.

ifconfig bge0:

    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:f5:0b:3d:3b:e4
        inet6 fe80::217:a4ff:fe8d:33e8%bge0 prefixlen 64 scopeid 0x1
        (ipv4 stuff)
        inet6 2a02:1823:1002:b1 prefixlen 120 (this is the static address)
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active

I enabled inet6 rules in /etc/pf.conf like this:

    pass in on $ext_if inet6 proto tcp from any to $ext_if port http
    pass out on $ext_if inet6 proto tcp all
    pass out on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state
    pass in on $ext_if inet6 proto icmp6 all icmp6-type echoreq

Locally, ipv6 seemed to work OK as I could ping6 localhost and hostname. However, ipv6 connections from outside were still being blocked by pf, so I was trying to solve that issue.

At one point, I did a 'ping6 ipv6.google.com', after which the machine dropped the ssh connection. I connected to the console using ILO, only to see it rebooting. It was writing vmcore.0 at that point, which I interrupted using ctr-c, since I was not sure how long it would take.

Now I have those files in /var/crash:

    bounds info.0 minfree vmcore.0

info.0 contains:

    Dump header from device /dev/da0s1b
      Architecture: amd64
      Architecture Version: 2
      Dump Length: 1812742144B (1728 MB)
      Blocksize: 512
      Dumptime: Wed Jun 8 12:56:40 2011
      Hostname: server
      Magic: FreeBSD Kernel Dump
      Version String: FreeBSD 7.4-RELEASE #0: Fri Feb 18 01:55:22 UTC 2011
        r...@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
      Panic String: page fault
      Dump Parity: 2017522204
      Bounds: 0
      Dump Status: good

The size of vmcore.0 is 767M. It is probably incomplete.

In /var/log/messages I have:

    Jun 8 12:59:31 server savecore: reboot after panic: page fault
    Jun 8 12:59:31 server savecore: writing core to vmcore.0

I have not built a kernel locally, so will I be able to read the vmcore.0 using kgdb without local sources? Not sure if I can submit a PR for this either, thus I would like to learn more about this issue at first. I searched the freebsd bugs database, but found nothing really similar.

Any help about how to handle this issue would be much appreciated.

nick
root-portal compilation
There is no port for root-portal, I've tried to compile it manually without success.

While trying to compile root-portal I get this error:

    process.h:59: error: extra qualification 'Procchange::' on member 'updated'
    *** Error code 1
    Stop in /usr/home/user/root-portal-0.5.2/src/modules/process.
    *** Error code 1
    Stop in /usr/home/user/root-portal-0.5.2/src/modules.
    *** Error code 1
    Stop in /usr/home/user/root-portal-0.5.2/src.
    *** Error code 1
    Stop in /usr/home/user/root-portal-0.5.2.

Can someone reproduce the same problem?

I've tried to patch it using this:
http://old.nabble.com/Bug-358277:-FTBFS-with-G++-4.1:-extra-qualification-p3525146.html
but I still get errors...
problem with german umlauts and gtk apps (maybe unicode issue)
hi there,

for me the output of `locale -a` looks like this:

    LANG=en_GB.ISO8859-15
    LC_CTYPE=de_DE.ISO8859-15
    LC_COLLATE=en_GB.ISO8859-15
    LC_TIME=de_DE.ISO8859-15
    LC_NUMERIC=de_DE.ISO8859-15
    LC_MONETARY=de_DE.ISO8859-15
    LC_MESSAGES=en_GB.ISO8859-15
    LC_ALL=

when i do `touch ÄÖÜäöüß` this works great. i can see the correct characters under the console, X term and in gtk file dialogs.

*however* when i save a file via the gtk save dialog (lets say from within chromium), the filename only gets displayed correctly in the gtk open dialog. saving a file ÄÖÜäöüß.html from chromium's gtk dialog returns the following under the console or an X term:

    otaku% ls|grep html|hd
    c3 84 c3 96 c3 9c c3 a4 c3 b6 c3 bc c3 9f 2e 68 |Ã.Ã.Ã.ÀöÌÃ..h|
    0010 74 6d 6c 0a |tml.|
    0014

when i start gnome and use the open dialog both the `touch`ed ÄÖÜäöüß file as well as the ÄÖÜäöüß.html saved by chromium looks fine.

is gtk maybe switching to unicode when saving non-ascii chars, instead to ISO8859-15? however when it accesses a filename it can understand unicode as well as ISO8859-15?

can i instruct gtk to always use ISO8859-15 when saving filenames?

cheers.
alex

--
a13x
Re: problem with german umlauts and gtk apps (maybe unicode issue)
On Jun 8, 2011, at 12:57 PM, Alexander Best wrote:

> *however* when i save a file via the gtk save dialog (lets say from within chromium), the filename only gets displayed correctly in the gtk open dialog. saving a file ÄÖÜäöüß.html from chromium's gtk dialog returns the following under the console or an X term:
>
> otaku% ls|grep html|hd
> c3 84 c3 96 c3 9c c3 a4 c3 b6 c3 bc c3 9f 2e 68 |Ã.Ã.Ã.ÀöÌÃ..h|
> 0010 74 6d 6c 0a |tml.|
> 0014

That's a UTF-8 representation; c3 84 is Unicode U+00C4 aka LATIN CAPITAL LETTER A WITH DIAERESIS.

> when i start gnome and use the open dialog both the `touch`ed ÄÖÜäöüß file as well as the ÄÖÜäöüß.html saved by chromium looks fine.
>
> is gtk maybe switching to unicode when saving non-asciichars, instead to ISO8859-15? however when it accesses a filename it can understand unicode as well as ISO8859-15?

Yes, that appears to be the case.

> can i instruct gtk to always use ISO8859-15 when saving filenames?

Dunno. Fortunately, ISO 8859-15 can be stored on FreeBSD's UFS filesystem without lossage-- other character sets can't since UFS doesn't do Unicode per se, just UTF-8.

Regards,
--
-Chuck
Re: Long Day's Journey into Bleep
On Wed, Jun 08, 2011 at 05:56:59PM -0700, Gary Kline wrote:

> I'm still bringing back the dozens of things I removed from ethic. And testing new ideas.
>
> But I have a general question: have any of you wizards who run your own domains or otherwise use a switch [or hub] *ever* had it just-quit?! It is solid-state. Yes, the box is within my feet/foot reach. I have accidentally kicked it i suppose, but still.

I think I've just had ports die one by one on a switch until it no longer worked. I don't think I've ever had the whole thing go poof for no evident reason.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Re: Long Day's Journey into Bleep
On 6/8/11 11:53 PM, Chad Perrin wrote:

> On Wed, Jun 08, 2011 at 05:56:59PM -0700, Gary Kline wrote:
> > I'm still bringing back the dozens of things I removed from ethic. And testing new ideas.
> >
> > But I have a general question: have any of you wizards who run your own domains or otherwise use a switch [or hub] *ever* had it just-quit?! It is solid-state. Yes, the box is within my feet/foot reach. I have accidentally kicked it i suppose, but still.
>
> I think I've just had ports die one by one on a switch until it no longer worked. I don't think I've ever had the whole thing go poof for no evident reason.

Ditto. Most recently a Cisco switch had a rather useful port go into a really weird state that didn't really look broken but bits just...weren't flowing. Took a while, and a lot of poking at the server in question, before we looked at each other and said, Wait, we've been assuming the switch works, what if it isn't.

BTW, Gary, Linksys=Cisco is pretty much just a marketing thing and not a technology thing.

--Jon Radel
Re: Long Day's Journey into Bleep
On Thu, Jun 09, 2011 at 12:18:52AM -0400, Jon Radel wrote:

> Date: Thu, 09 Jun 2011 00:18:52 -0400
> From: Jon Radel j...@radel.com
> Subject: Re: Long Day's Journey into Bleep
> To: freebsd-questions@freebsd.org
> X-Mailer: CommuniGate Pro CLI mailer
>
> On 6/8/11 11:53 PM, Chad Perrin wrote:
> > On Wed, Jun 08, 2011 at 05:56:59PM -0700, Gary Kline wrote:
> > > I'm still bringing back the dozens of things I removed from ethic. And testing new ideas.
> > >
> > > But I have a general question: have any of you wizards who run your own domains or otherwise use a switch [or hub] *ever* had it just-quit?! It is solid-state. Yes, the box is within my feet/foot reach. I have accidentally kicked it i suppose, but still.
> >
> > I think I've just had ports die one by one on a switch until it no longer worked. I don't think I've ever had the whole thing go poof for no evident reason.
>
> Ditto. Most recently a Cisco switch had a rather useful port go into a really weird state that didn't really look broken but bits just...weren't flowing. Took a while, and a lot of poking at the server in question, before we looked at each other and said, Wait, we've been assuming the switch works, what if it isn't.

Hm. Well, I suppose stranger things have happened. If Chad has had his switch drop connections one-by-one---well, news to me! I figured, hey, solid-state will work forever and 20 years, whichever comes first. ...

> BTW, Gary, Linksys=Cisco is pretty much just a marketing thing and not a technology thing.

Sure. But I've had luck++ with LinkSys for years, even before Cisco bought them out. --My new switch is an LG. See what happens. ... .

> --Jon Radel

--
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
Journey Toward the Dawn, E-Book: http://www.thought.org
The 8.51a release of Jottings: http://jottings.thought.org
sendmail || mail and SpamAssassin
This is the other question: how do I get the builtin SpamAssassin working? sendmail is working and I've built mail/p5-SpamAssassin [or whatever]. Still getting spam.

Also, when /etc/mail/* starts up, on the console I notice a warning saying something like

    Can't find Xspamassassin

All lower case after the first X.

I keep getting Spanish language spam message and other junk or spam. I just need to figure out howto get the builtin or the port that kills this krap.

thanks for any insights,

gary

--
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
Journey Toward the Dawn, E-Book: http://www.thought.org
The 8.51a release of Jottings: http://jottings.thought.org
Re: Long Day's Journey into Bleep
On Wed, Jun 08, 2011 at 10:21:13PM -0700, Gary Kline wrote:

> On Thu, Jun 09, 2011 at 12:18:52AM -0400, Jon Radel wrote:
> > On 6/8/11 11:53 PM, Chad Perrin wrote:
> > > I think I've just had ports die one by one on a switch until it no longer worked. I don't think I've ever had the whole thing go poof for no evident reason.
> >
> > Ditto. Most recently a Cisco switch had a rather useful port go into a really weird state that didn't really look broken but bits just...weren't flowing. Took a while, and a lot of poking at the server in question, before we looked at each other and said, Wait, we've been assuming the switch works, what if it isn't.
>
> Hm. Well, I suppose stranger things have happened. If Chad has had his switch drop connections one-by-one---well, news to me! I figured, hey, solid-state will work forever and 20 years, whichever comes first. ...

I've had it happen with no fewer than three switches. I've also seen an enterprise class Netgear switch issue a death scream of some sort over the network at the moment the fiber optic cable was removed from it, crashing the BigIron switch that ran the data center.

. . . but Cisco switches are overpriced crap. We were disconnecting the Netgear to replace it with a Cisco that offered a lot more functionality, and administration turned out to be a fucking nightmare with that thing. It's like replacing Postfix with MS Exchange because you want integrated calendaring and all the other crap in the BusinessWeek full-page ad, then finding out that you basically need a full-time employee just to manage that one server.

> > BTW, Gary, Linksys=Cisco is pretty much just a marketing thing and not a technology thing.
>
> Sure. But I've had luck++ with LinkSys for years, even before Cisco bought them out. --My new switch is an LG. See what happens. ... .

In my (limited) experience, Linksys actually got more annoying after Cisco bought out the company.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]