RE: Jail question

2013-03-01 Thread Teske, Devin
On Fri, 01 Mar 2013, Bernt Hansson wrote:

 On 2013-02-27 11:19, Bernt Hansson wrote:
 
  2013-02-26 15:18, Teske, Devin skrev:
  
   Yes, this is possible.
  
   When I get into work, I'll share with you the recipe
  
  Please do share with us.
 
 OK, I'll rephrase my question. How do I install FreeBSD 4.9 in a jail on 8.3
 amd64?

Step 1: Download the following files/directories...

bin/
catpages/
cdrom.inf
compat1x/
compat22/
compat3x/
compat4x/
crypto/
dict/
doc/
games/
info/
manpages/
proflibs/

from:

ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/4.9-RELEASE/

NOTE: For example, download those files/directories to 
/usr/repos/FreeBSD-4.9/4.9-RELEASE

Step 2: Download my jail_build script from:

http://druidbsd.sourceforge.net/download.shtml#jail_build

Step 3: Run jail_build

NOTE: If you put your downloaded files in /usr/repos/FreeBSD-4.9/4.9-RELEASE 
then jail_build will automatically find them and present 4.9 as an option. 
After selecting FreeBSD-4.9, it will then prompt you to enter the root 
directory where to unpack the jail to.

When jail_build completes, you'll have a freshly unpacked FreeBSD-4.9 in the 
desired root directory.

Step 4: Grab and install my vimage package:

http://druidbsd.sourceforge.net/download.shtml#vimage
About: http://druidbsd.sourceforge.net/vimage.shtml

Step 5: Configure your vimage in /etc/rc.conf (see /etc/rc.conf.d/vimage for a 
sample).

Example:

vimage_enable="YES"
vimage_list="fbsd4_9"
vimage_fbsd4_9_rootdir="/usr/jails/fbsd4_9"
vimage_fbsd4_9_hostname="fbsd4_9"
vimage_fbsd4_9_bridges="bge0"
vimage_fbsd4_9_devfs_enable="YES"
vimage_fbsd4_9_procfs_enable="YES"

Step 6: [Pre-]configure the network interface for the vimage

Example:

chroot /usr/jails/fbsd4_9 vi /etc/rc.conf

NOTE: Since the vimage (aka vnet jail) isn't running yet, we use chroot instead 
of jexec. (Also note that the chroot is only for pedantic safety ... it 
prevents things such as what if /etc/rc.conf is a symlink to 
/etc/rc.conf.other -- without the chroot you'd accidentally edit the host 
machine's /etc/rc.conf.other).

Add the following:

ifconfig_ng0_fbsd4_9="inet 192.168.1.123 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

# or whatever fits your network

# Don't forget /etc/resolv.conf

# Don't forget to set sshd_enable="YES" in rc.conf(5) if you want to be able to 
ssh into the vimage

Step 7: Fix some binaries in the 4.9 distribution to work under the 8.3 
kernel...

Download my update411binaries.sh script (should work fine for 4.9 jails too) 
from...

http://druidbsd.sf.net/download/update411binares.sh

Step 8: Run update411binares.sh with a first argument of (for example) 
/usr/jails/fbsd4_9

Step 9: Fire up the vimage

service vimage start fbsd4_9

Step 10: Check things out...

jls

ssh 192.168.1.123

jexec fbsd4_9 csh

etc. etc.
-- 
HTH
Devin

_
The information contained in this message is proprietary and/or confidential. 
If you are not the intended recipient, please: (i) delete the message and all 
copies; (ii) do not disclose, distribute or use the message in any manner; and 
(iii) notify the sender immediately. In addition, please be aware that any 
message addressed to our domain is subject to archiving and review by persons 
other than the intended recipient. Thank you.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Jail question

2013-02-27 Thread Bernt Hansson

2013-02-26 15:18, Teske, Devin skrev:

Yes, this is possible.

When I get into work, I'll share with you the recipe


Please do share with us.


RE: Jail question

2013-02-27 Thread dteske
Got it... (script inline below)

The first (and only) argument is to be a path to a 4.11 jail's root directory.
For example, if you take a FreeBSD-4 box and rsync it to /usr/jails/myold4box
on a FreeBSD-8 machine, you should then execute:

update411binaries.sh /usr/jails/myold4box

Then just configure the jail and fire it up. Of course, these are vnet jails.

Further instructions on http://druidbsd.sf.net/vimage.shtml with my vimage
package here: http://druidbsd.sf.net/download.shtml#vimage

===

#!/bin/sh

if [ "$( id -u )" != 0 ]; then
    echo "Must run as root!" >&2
    exit 1
fi

if [ $# -lt 1 ]; then
    echo "Usage: $0 directory" >&2
    exit 1
fi

dir=$1
if [ ! -d "$dir" ]; then
    echo "$dir: No such file or directory" >&2
    exit 1
fi

# Replace the 4.x binaries that no longer work under the 8.x kernel (ps,
# ifconfig, route, top, netstat) with the host's copies, together with the
# runtime linker and the shared libraries those copies need, at the same
# paths inside the jail root.
mkdir -p "$dir/libexec" "$dir/lib" "$dir/usr/lib"
for file in \
    /bin/ps \
    /libexec/ld-elf.so.1 \
    /lib/libm.so.5 \
    /lib/libkvm.so.5 \
    /lib/libc.so.7 \
    /sbin/ifconfig \
    /lib/libbsdxml.so.4 \
    /lib/libjail.so.1 \
    /lib/libsbuf.so.5 \
    /lib/libipx.so.5 \
    /sbin/route \
    /usr/bin/top \
    /lib/libncurses.so.8 \
    /usr/bin/netstat \
    /usr/lib/libmemstat.so.3 \
    /lib/libutil.so.8 \
    /usr/lib/libnetgraph.so.4 \
; do
    cp -pfv "$file" "$dir$file"
done

 -Original Message-
 From: Bernt Hansson [mailto:b...@bananmonarki.se]
 Sent: Wednesday, February 27, 2013 2:19 AM
 To: Teske, Devin
 Cc: questions FreeBSD
 Subject: Re: Jail question
 
 2013-02-26 15:18, Teske, Devin skrev:
  Yes, this is possible.
 
  When I get into work, I'll share with you the recipe
 
 Please do share with us.

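The copy loop in update411binaries.sh above writes each host file to $dir$file, and the recipe's chroot note (earlier in this thread) describes what goes wrong when a path under the jail root is really a symlink. As an added example, not Devin's script and not part of the thread, here is a symlink-aware variant of that copy step: the hypothetical helpers no_symlink_components and copy_into_jail walk every component of the destination path inside the jail root and refuse to copy when any of them is a symbolic link, so a replaced binary or library cannot land on the host.

```shell
#!/bin/sh
# Added example (not Devin's script): a symlink-aware version of the copy step
# in update411binaries.sh. That script does "cp -pfv $file $dir$file"; if any
# directory under the jail root, or the target file itself, is a symbolic link
# (the case the recipe's chroot note warns about for /etc/rc.conf), cp follows
# the link and may overwrite a file on the host. These helpers refuse such
# paths instead of copying.

# no_symlink_components ROOT RELPATH: return 0 if no component of ROOT/RELPATH
# is a symbolic link (ROOT itself is not checked), 1 as soon as one is found.
# RELPATH is the absolute path inside the jail, e.g. /lib/libc.so.7.
no_symlink_components() {
    nsc_cur=$1
    nsc_ifs=$IFS
    IFS=/
    set -- $2                           # split RELPATH on "/" into $1 $2 ...
    IFS=$nsc_ifs
    for nsc_comp; do
        [ -n "$nsc_comp" ] || continue  # empty piece from the leading "/"
        nsc_cur="$nsc_cur/$nsc_comp"
        if [ -L "$nsc_cur" ]; then
            return 1
        fi
    done
    return 0
}

# copy_into_jail ROOT FILE: copy host FILE to ROOT+FILE (same path inside the
# jail, as update411binaries.sh does) after checking the destination path.
# Returns 1 without copying when a symlink is in the way, so a caller can stop.
copy_into_jail() {
    cij_root=$1
    cij_file=$2
    if ! no_symlink_components "$cij_root" "$cij_file"; then
        echo "refusing $cij_root$cij_file: symbolic link in destination path" >&2
        return 1
    fi
    mkdir -p "$cij_root$(dirname "$cij_file")"
    cp -pf "$cij_file" "$cij_root$cij_file"
}

# Demo on a constructed jail root in a temporary directory: a normal copy
# succeeds, then /lib is replaced by a symlink pointing outside the root and
# the same helper refuses to copy into it.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/bin" "$DEMO_ROOT/lib"
copy_into_jail "$DEMO_ROOT" /bin/sh && echo "copied /bin/sh into $DEMO_ROOT"
rmdir "$DEMO_ROOT/lib"
ln -s /tmp "$DEMO_ROOT/lib"             # lib now escapes the jail root
if copy_into_jail "$DEMO_ROOT" /lib/libc.so.7; then
    echo "unexpected: copy into symlinked lib was allowed"
fi
rm -rf "$DEMO_ROOT"
```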


RE: Jail question

2013-02-26 Thread Teske, Devin
Yes, this is possible.

When I get into work, I'll share with you the recipe (I have a script called 
update4.sh which I run after building [or rsync'ing] a 4.x box to an 8.x box 
to become a vimage; note that I didn't say jail -- 4.x runs better as a VNET 
jail than a regular jail).

We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas 
vnet-jail works wonders (with a couple binaries replaced, like netstat, 
ifconfig, ps, and top for example).
-- 
Devin


From: owner-freebsd-questi...@freebsd.org [owner-freebsd-questi...@freebsd.org] 
on behalf of Bernt Hansson [b...@bananmonarki.se]
Sent: Tuesday, February 26, 2013 5:23 AM
To: questions FreeBSD
Subject: Jail question

Hello list!

I would like to install an old version of FreeBSD, let's say 4.6, in a
jail. Is that possible?

Host is 8.3-stable amd64



Re: Jail question

2013-02-26 Thread Daniel O'Callaghan

Bernt Hansson wrote:


I would like to install an old version of FreeBSD, let's say 4.6, in a
jail. Is that possible?

Host is 8.3-stable amd64

Things like ps won't run, but you can copy static binaries from host:/rescue to 
jail:/{bin,sbin} as appropriate and that helps a lot.
I just installed a 5.4-RELEASE/i386 jail on a 9.1-STABLE/amd64 system.
Mysqld would not run (dumped core), so I relocated that to a separate jail 
running 9.1-STABLE/amd64.
One gotcha I found is that while you can run an old i386 system in a jail on an 
amd64 host, you can't build an amd64 kernel with COMPAT_AOUT, so if you have an 
a.out binary from days of old, you need an i386 kernel.

Devin Teske wrote:

Yes, this is possible.

When I get into work, I'll share with you the recipe (I have a script called update4.sh 
which I run after building [or rsync'ing] a 4.x box to an 8.x box to become a vimage; note that I 
didn't say jail -- 4.x runs better as a VNET jail than a regular jail).

We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas 
vnet-jail works wonders (with a couple binaries replaced, like netstat, 
ifconfig, ps, and top for example).

Devin,

Please share your script with us all (especially me :-) )

Thanks,

Danny


Re: Jail question

2010-10-18 Thread Ivan Voras

On 10/14/10 18:20, Matthew Law wrote:

I have a single box on which I would like to run openvpn, smtp (postfix,
dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
acts as a network gateway so it would give an attacker carte blanche to
the internal nets if it was compromised, which makes me nervous.  The plan
is to run openvpn as the only unjailed service and the rest of the
services in a single jail or their own jails.

I have never touched jails before and I'm a bit unsure of the best way to
go.  I realise that I can jail a service or a copy of the whole system
(service would be preferable for space efficiency) but I am unclear on how
to deal with IP addresses in jailed environments and if I should create
individual jails or a single jail for all services.  At the moment I am
leaning toward a single system jail for everything so I can keep the space
in which openvpn runs as uncluttered as possible and also have a single
postgres instance shared by the other services.  Basically, if any of the
public services in the jail are compromised I would like to make it very
hard for the attacker to see the internal network.


Since jails can do many things there are many helper utilities that 
can do much to simplify the process. If you can hack python, you can, 
for example, modify my script at 
http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a 
thousand very light-weight jails which are started and managed using 
only standard FreeBSD tools.


In any case, read rc.conf(5) man page for the jail_* settings.


If I use this scheme must I use separate public IPs for openvpn and the
services jail or is it possible to use a single IP or some NAT/PAT scheme?
-this box currently has 4 x NICs split into 2x lagg interfaces in failover
mode (one public, one private), if that makes any difference


This is the more complex question; I think that everything which needs 
direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be 
run on the host system. TCP services will work inside jails without 
problems, but with jails it's almost the same as if they were on another 
system. If you do use NAT you will have to configure it on the host. 
Instead, you can also use TCP proxies (like bsdproxy). It's up to you 
how much complexity you want in your system, but for simplicity I 
would set up a single outward-facing IP address and then proxy TCP 
services where I need them.






Re: Jail question

2010-10-18 Thread bdsfbsd
On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net  
wrote:



On Fri, 15 Oct 2010 08:35:39 -0400
Fbsd8 fb...@a1poweruser.com articulated:


Check out qjail. It has been submitted for addition to the ports
collection, but the ports dept is very slow in performing their task
of adding new ports to the system. So in the mean time you can get
qjail from here.  http://sourceforge.net/projects/qjail/files/


I have submitted new ports in the past and they were usually accepted
and posted within a short period of time; usually 2 weeks or so. Perhaps
there is a specific reason why this port has not been accepted/released
into the ports system. Have you, or whoever submitted the port,
requested clarification as to why it has not been accepted/released?
Before issuing a blank condemnation of the port's department it would
seem like the logical course of action. If you don't receive a
satisfactory reply within two weeks, then it might be worth escalating
the matter.

Just my 2¢.



I'm pretty sure I've seen this conversation between the same people before.

Ah, yes:
http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html

Noting that Aiza = FBSD8...


Re: Jail question

2010-10-18 Thread Jerry
On Fri, 15 Oct 2010 13:38:17 -0400
bdsf...@att.net bdsf...@att.net articulated:

 On Fri, 15 Oct 2010 09:32:44 -0400, Jerry
 freebsd.u...@seibercom.net wrote:
 
  On Fri, 15 Oct 2010 08:35:39 -0400
  Fbsd8 fb...@a1poweruser.com articulated:
 
  Check out qjail. It has been submitted for addition to the ports
  collection, but the ports dept is very slow in performing their
  task of adding new ports to the system. So in the mean time you
  can get qjail from here.
  http://sourceforge.net/projects/qjail/files/
 
  I have submitted new ports in the past and they were usually
  accepted and posted within a short period of time; usually 2 weeks
  or so. Perhaps there is a specific reason why this port has not
  been accepted/released into the ports system. Have you, or whoever
  submitted the port, requested clarification as to why it has
  not been accepted/released? Before issuing a blank condemnation of
  the port's department it would seem like the logical course of
  action. If you don't receive a satisfactory reply within two weeks,
  then it might be worth escalating the matter.
 
  Just my 2¢.
 
 
 I'm pretty sure I've seen this conversation between the same people
 before.
 
 Ah, yes:
 http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html
 
 Noting that Aiza = FBSD8...

That PR would be: http://www.freebsd.org/cgi/query-pr.cgi?pr=148777,
originally submitted on Tue, 20 Jul 2010 02:47:18 GMT by Joe Barbish
j...@a1poweruser.com

There was a posting to it on October 15, 2010 sans reply. One would be
led to believe that there is a specific reason that it is stuck in the
queue. Perhaps m...@freebsd.org would care to respond.


-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.


Re: Jail question

2010-10-18 Thread Matthew Law

On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:
 Since jails can do many things there are many helper utilities that
 can do much to simplify the process. If you can hack python, you can,
 for example, modify my script at
 http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a
 thousand very light-weight jails which are started and managed using
 only standard FreeBSD tools.

 In any case, read rc.conf(5) man page for the jail_* settings.

snip

 This is the more complex question; I think that everything which needs
 direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be
 run on the host system. TCP services will work inside jails without
 problems, but with jails it's almost the same as if they were on another
 system. If you do use NAT you will have to configure it on the host.
 Instead, you can also use TCP proxies (like bsdproxy). It's up to you
 how much complexity you want in your system, but for simplicity I
 would set up a single outward-facing IP address and then proxy TCP
 services where I need them.

Thanks for the helpful replies.  I am experimenting with some ideas on a
VM now.  It certainly does seem more logical to have the firewall, VPN and
NAT rules in the base system and everything else jailed.  I can just about
get by with Python and your script looks like it could be of use - thanks
for sharing it.

Matt.




Re: Jail question

2010-10-18 Thread Ian Smith
In freebsd-questions Digest, Vol 333, Issue 2, Message: 1
On Fri, 15 Oct 2010 13:38:17 -0400 bdsf...@att.net wrote:
  On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net  
  wrote:
  
   On Fri, 15 Oct 2010 08:35:39 -0400
   Fbsd8 fb...@a1poweruser.com articulated:
  
   Check out qjail. It has been submitted for addition to the ports
   collection, but the ports dept is very slow in performing their task
   of adding new ports to the system. So in the mean time you can get
   qjail from here.  http://sourceforge.net/projects/qjail/files/
  
   I have submitted new ports in the past and they were usually accepted
   and posted within a short period of time; usually 2 weeks or so. Perhaps
   there is a specific reason why this port has not been accepted/released
   into the ports system. Have you, or whoever submitted the port,
   requested clarification as to why it has not been accepted/released?
   Before issuing a blank condemnation of the port's department it would
   seem like the logical course of action. If you don't receive a
   satisfactory reply within two weeks, then it might be worth escalating
   the matter.
  
   Just my 2¢.
  
  
  I'm pretty sure I've seen this conversation between the same people before.
  
  Ah, yes:
  http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html
  
  Noting that Aiza = FBSD8...

Also posting at various times as {fbsd1,fbsd_user,jo...@a1poweruser.com 
= Joe Barbish, reputed author of qjail.  Never admits to using aliases, 
especially when appearing as 'someone else' in support of his position.

The thing that amazes me most about qjail is that there has never been 
one single mention of it in freebsd-j...@freebsd.org, where jail kernel 
work, utilities and usage are developed, debugged and discussed.

cheers, Ian

Re: Jail question

2010-10-15 Thread Fbsd8

Matthew Law wrote:

I have a single box on which I would like to run openvpn, smtp (postfix,
dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
acts as a network gateway so it would give an attacker carte blanche to
the internal nets if it was compromised, which makes me nervous.  The plan
is to run openvpn as the only unjailed service and the rest of the
services in a single jail or their own jails.

I have never touched jails before and I'm a bit unsure of the best way to
go.  I realise that I can jail a service or a copy of the whole system
(service would be preferable for space efficiency) but I am unclear on how
to deal with IP addresses in jailed environments and if I should create
individual jails or a single jail for all services.  At the moment I am
leaning toward a single system jail for everything so I can keep the space
in which openvpn runs as uncluttered as possible and also have a single
postgres instance shared by the other services.  Basically, if any of the
public services in the jail are compromised I would like to make it very
hard for the attacker to see the internal network.

If I use this scheme must I use separate public IPs for openvpn and the
services jail or is it possible to use a single IP or some NAT/PAT scheme?
-this box currently has 4 x NICs split into 2x lagg interfaces in failover
mode (one public, one private), if that makes any difference

Sorry for the rambling question and I hope this makes sense!

Matt.




Check out qjail. It has been submitted for addition to the ports 
collection, but the ports dept is very slow in performing their task of 
adding new ports to the system. So in the mean time you can get qjail 
from here.  http://sourceforge.net/projects/qjail/files/






Re: Jail question

2010-10-15 Thread Jerry
On Fri, 15 Oct 2010 08:35:39 -0400
Fbsd8 fb...@a1poweruser.com articulated:

 Check out qjail. It has been submitted for addition to the ports 
 collection, but the ports dept is very slow in performing their task
 of adding new ports to the system. So in the mean time you can get
 qjail from here.  http://sourceforge.net/projects/qjail/files/

I have submitted new ports in the past and they were usually accepted
and posted within a short period of time; usually 2 weeks or so. Perhaps
there is a specific reason why this port has not been accepted/released
into the ports system. Have you, or whoever submitted the port,
requested clarification as to why it has not been accepted/released?
Before issuing a blank condemnation of the port's department it would
seem like the logical course of action. If you don't receive a
satisfactory reply within two weeks, then it might be worth escalating
the matter.

Just my 2¢.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.


Re: Jail question

2010-10-14 Thread doug

On Thu, 14 Oct 2010, Matthew Law wrote:


I have a single box on which I would like to run openvpn, smtp (postfix,
dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
acts as a network gateway so it would give an attacker carte blanche to
the internal nets if it was compromised, which makes me nervous.  The plan
is to run openvpn as the only unjailed service and the rest of the
services in a single jail or their own jails.

I have never touched jails before and I'm a bit unsure of the best way to
go.  I realise that I can jail a service or a copy of the whole system
(service would be preferable for space efficiency) but I am unclear on how
to deal with IP addresses in jailed environments and if I should create
individual jails or a single jail for all services.  At the moment I am
leaning toward a single system jail for everything so I can keep the space
in which openvpn runs as uncluttered as possible and also have a single
postgres instance shared by the other services.  Basically, if any of the
public services in the jail are compromised I would like to make it very
hard for the attacker to see the internal network.

If I use this scheme must I use separate public IPs for openvpn and the
services jail or is it possible to use a single IP or some NAT/PAT scheme?
-this box currently has 4 x NICs split into 2x lagg interfaces in failover
mode (one public, one private), if that makes any difference

Sorry for the rambling question and I hope this makes sense!

Matt.



Starting with FreeBSD 8 jails may have multiple IPs and can use sockets. AFAIK 
this makes a jail pretty much like a separate physical system in a functional 
sense. Between man jail and the handbook there is a clear explanation of the 
management and setup procedures. Hopefully those with a better understanding of 
the internals will weigh in with the liabilities for what you want to do.



Re: Jail question

2010-10-14 Thread krad
On 14 October 2010 19:19, doug d...@fledge.watson.org wrote:

 On Thu, 14 Oct 2010, Matthew Law wrote:

  I have a single box on which I would like to run openvpn, smtp (postfix,
 dspam, greylist, clamav), imap (dovecot) apache22 and bind.  This box also
 acts as a network gateway so it would give an attacker carte blanche to
 the internal nets if it was compromised, which makes me nervous.  The plan
 is to run openvpn as the only unjailed service and the rest of the
 services in a single jail or their own jails.

 I have never touched jails before and I'm a bit unsure of the best way to
 go.  I realise that I can jail a service or a copy of the whole system
 (service would be preferable for space efficiency) but I am unclear on how
 to deal with IP addresses in jailed environments and if I should create
 individual jails or a single jail for all services.  At the moment I am
 leaning toward a single system jail for everything so I can keep the space
 in which openvpn runs as uncluttered as possible and also have a single
 postgres instance shared by the other services.  Basically, if any of the
 public services in the jail are compromised I would like to make it very
 hard for the attacker to see the internal network.

 If I use this scheme must I use separate public IPs for openvpn and the
 services jail or is it possible to use a single IP or some NAT/PAT scheme?
 -this box currently has 4 x NICs split into 2x lagg interfaces in failover
 mode (one public, one private), if that makes any difference

 Sorry for the rambling question and I hope this makes sense!

 Matt.


 Starting with FreeBSD 8 jails may have multiple IPs and can use sockets.
 AFAIK this makes a jail pretty much like a separate physical system in a
 functional sense. Between man jail and the handbook there is a clear
 explanation of the management and setup procedures. Hopefully those with a
 better understanding of the internals will weigh in with the liabilities for
 what you want to do.



However you decide to do it, have a look at qjail, as it's a good management
tool, especially if you have multiple jails.


Re: Jail question

2007-12-17 Thread Peter Schuller
 I want to check the understanding of jails.

 My understanding is a jail uses the existing kernel configuration and
 cannot use its own kernel configuration.

 Is this correct?

Yes. The jail is being executed by the same kernel as the host system. The 
jail just has restricted access to certain system calls, which creates the 
sandbox.

-- 
/ Peter Schuller

PGP userID: 0xE9758B7D or 'Peter Schuller [EMAIL PROTECTED]'
Key retrieval: Send an E-Mail to [EMAIL PROTECTED]
E-Mail: [EMAIL PROTECTED] Web: http://www.scode.org





Re: jail question

2007-04-26 Thread Duane Hill

On Thu, 26 Apr 2007, Roberto Pereyra wrote:


hi

I'm running fbsd 6.2 and I would like to do my first jail setup, but I have
this error when I start the jail (jail0):

srv1# /etc/rc.d/jail start
Configuring jails:.
Starting jails:ifconfig: interface alias does not exist
jail0.
srv1#


What did I do wrong?

Thanks in advance.

roberto

This is my /etc/rc.conf

# -- sysinstall generated deltas -- # Mon Apr 23 09:32:04 2007
# Created: Mon Apr 23 09:32:04 2007
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.0.2"
hostname="srv1.gualeguaychu.gov.ar"
ifconfig_sk0="inet 192.168.0.1  netmask 255.255.0.0"
keymap="spanish.iso.acc"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
# -- sysinstall generated deltas -- # Mon Apr 23 12:52:02 2007
moused_port="/dev/cuad0"
moused_type="auto"
moused_enable="YES"

## jails
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.0.1"
rpcbind_enable="NO"

jail_enable="YES"   # Set to NO to disable starting of any jails
jail_list="jail0" # Space separated list of names of jails

jail_jail0_rootdir="/usr/home/jails/jail0" # jail's root directory
jail_jail0_hostname="jail0"  # jail's hostname
jail_jail0_ip="192.168.0.3"   # jail's IP address
#jail_jail0_devfs_enable="YES"  # mount devfs in the jail
#jail_jail0_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail



You do not have your jail IP set up as an alias on your network interface.

You need to add

  ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.0.0"

after your primary interface

  ifconfig_sk0="inet 192.168.0.1  netmask 255.255.0.0"

in the /etc/rc.conf. Then do an

  ifconfig sk0 inet 192.168.0.3 netmask 255.255.0.0 alias

to make it live without having to reboot.


Re: jail question

2007-04-26 Thread Karol Kwiatkowski

Roberto Pereyra wrote:
 hi
 
 I'm running fbsd 6.2 and I would like to do my first jail setup, but I have
 this error when I start the jail (jail0):
 
 srv1# /etc/rc.d/jail start
 Configuring jails:.
 Starting jails:ifconfig: interface alias does not exist
 jail0.
 srv1#
 
 
 What did I do wrong?

[snip]

 This is my /etc/rc.conf
[...]
 ifconfig_sk0="inet 192.168.0.1  netmask 255.255.0.0"
[...]
 jail_jail0_ip="192.168.0.3"   # jail's IP address

Is 192.168.0.3 assigned to any interface? Have a look at ifconfig(8)
output. You can add an alias with ifconfig and/or put something similar
to /etc/rc.conf (assuming sk0 interface):

% ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.255.255"

HTH,

Karol

-- 
Karol Kwiatkowski   karol.kwiat at gmail dot com
OpenPGP 0x06E09309
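Both replies above (Duane's and Karol's) point at the same cause: jail_jail0_ip names an address that no ifconfig_* line on the host configures, so the jail rc script fails with "ifconfig: interface alias does not exist". As an added example, not from either reply, here is a small sh check with the hypothetical helpers rcvar and check_jail_aliases: it reads an rc.conf and, for every jail in jail_list, reports the jail address that appears in no ifconfig_<if> or ifconfig_<if>_aliasN value. The sample rc.conf is constructed from the poster's settings.

```shell
#!/bin/sh
# Added example (not from the thread): find jails whose jail_<name>_ip is not
# configured on any host interface in the same rc.conf, the setup that makes
# /etc/rc.d/jail start fail with "ifconfig: interface alias does not exist".

# rcvar FILE NAME: print the value of NAME from an rc.conf-style FILE, with the
# trailing "# comment" and surrounding quotes removed (last assignment wins).
rcvar() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' \
              -e 's/^"\(.*\)"$/\1/' \
              -e "s/^'\(.*\)'\$/\1/"
}

# check_jail_aliases FILE: print "<jail> <ip>" for every jail in jail_list whose
# address appears in no ifconfig_* value; return 1 if any is missing, else 0.
check_jail_aliases() {
    cja_file=$1
    cja_missing=0
    for cja_jail in $(rcvar "$cja_file" jail_list); do
        cja_ip=$(rcvar "$cja_file" "jail_${cja_jail}_ip")
        [ -n "$cja_ip" ] || continue
        # Collect every ifconfig_<if> and ifconfig_<if>_aliasN value and look
        # for the address as a whole word, so 192.168.0.3 is not satisfied by
        # an alias for 192.168.0.30.
        if ! sed -n 's/^[[:space:]]*ifconfig_[A-Za-z0-9_]*=//p' "$cja_file" \
                | grep -Fqw -- "$cja_ip"; then
            echo "$cja_jail $cja_ip"
            cja_missing=1
        fi
    done
    return $cja_missing
}

# Constructed sample: the poster's rc.conf, reduced to the relevant lines.
# sk0 carries only its primary address, so jail0's address has no alias yet.
SAMPLE_RCCONF=$(mktemp)
cat > "$SAMPLE_RCCONF" <<'EOF'
ifconfig_sk0="inet 192.168.0.1  netmask 255.255.0.0"
jail_enable="YES"             # Set to NO to disable starting of any jails
jail_list="jail0"             # Space separated list of names of jails
jail_jail0_rootdir="/usr/home/jails/jail0" # jail's root directory
jail_jail0_ip="192.168.0.3"   # jail's IP address
EOF

# The same file after adding the alias line both replies recommend.
FIXED_RCCONF=$(mktemp)
{
    cat "$SAMPLE_RCCONF"
    echo 'ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.255.255"'
} > "$FIXED_RCCONF"

if check_jail_aliases "$SAMPLE_RCCONF"; then
    echo "sample: every jail address is configured on the host"
else
    echo "sample: add ifconfig_<if>_aliasN lines for the addresses above"
fi
if check_jail_aliases "$FIXED_RCCONF"; then
    echo "fixed: every jail address is configured on the host"
fi
rm -f "$SAMPLE_RCCONF" "$FIXED_RCCONF"
```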


Re: jail question

2007-04-26 Thread Roberto Pereyra

Thanks to all!!!

roberto

2007/4/26, Karol Kwiatkowski [EMAIL PROTECTED]:


Roberto Pereyra wrote:
 hi

 I'm running fbsd 6.2 and I would like to do my first jail setup, but I have
 this error when I start the jail (jail0):

 srv1# /etc/rc.d/jail start
 Configuring jails:.
 Starting jails:ifconfig: interface alias does not exist
 jail0.
 srv1#


 What did I do wrong?

[snip]

 This is my /etc/rc.conf
[...]
 ifconfig_sk0="inet 192.168.0.1  netmask 255.255.0.0"
[...]
 jail_jail0_ip="192.168.0.3"   # jail's IP address

Is 192.168.0.3 assigned to any interface? Have a look at ifconfig(8)
output. You can add an alias with ifconfig and/or put something similar
to /etc/rc.conf (assuming sk0 interface):

% ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.255.255"

HTH,

Karol

-- 
Karol Kwiatkowski   karol.kwiat at gmail dot com
OpenPGP 0x06E09309




--
Ing. Roberto Pereyra
ContenidosOnline
http://www.contenidosonline.com.ar


Re: jail question

2007-02-12 Thread Alain Wolf
On 11.02.2007 12:54, Dino Vliet wrote:
 Hi folks,
 
 I'm installing a nice system to use as my multimedia
 box and already succeeded with geom-mirror. I want to
 use a jail to isolate the p2p applications like 
 amule/emule and want to make sure that they only write
 to an encrypted disk (currently RTFM on geli and gbde)
 
 However, I was wondering what happens with a jail if I
 update the host system due to a security issue or
 something else (recompile kernel and install world).
 Do I need to define the jail again? If not, won't the
 files in the jail stay at their previous versions
 although the host system has been updated to a new
 version?
 
 Or should I just RTFM on jails and come back a few
 weeks from now:-)
Unfortunately there is not much to read for end-users, like us.
 
 Thanks in advance.

Hi,
It's never been a problem for my systems. Two machines running 19 jails.
Done around a dozen system updates and also changing release from 6.0 to
6.2 using the same method was no problem at all.

First proceed as the handbook describes for the host system.
After everything completes and your system and jails are up again,
rebuild your jails as follows:
# make -j4 buildworld
# mergemaster -p -D /jails/example
# make installworld DESTDIR=/jails/example
# mergemaster -D /jails/example

After that, restart the jail. Done.

In my case I work with different make.conf files for jails and host
system; that's the reason why I rebuild world for the jails. If not, you
can just make installworld without rebuilding. If you have multiple
jails, you can skip buildworld after the first one.

Hope this helps.

Greetings
Alain

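Alain's sequence can be scripted for several jails at once: buildworld runs once, then each jail root gets mergemaster -p, installworld and mergemaster, which is the point of "you can skip buildworld after the first one". The script below is an added example written for this page, not Alain's own script; it assumes the source tree is /usr/src, four build jobs, and that the host has already been updated as the handbook describes. Setting DRYRUN=1 prints the commands instead of running them, which is also how the script can be checked on a machine without a source tree.

```shell
#!/bin/sh
# Added example (not from the thread): update the userland of one or more
# jails after the host has been rebuilt, using the sequence from the post:
# one buildworld, then mergemaster -p / installworld / mergemaster per jail.
# Assumptions: source tree in $SRCDIR (default /usr/src), $JOBS build jobs.
: "${SRCDIR:=/usr/src}"
: "${JOBS:=4}"

# Run a command, or only print it when DRYRUN is set.
run() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# update_jails /jails/a [/jails/b ...]
# Returns 2 on a bad argument (nothing is run), 1 if a step fails.
update_jails() {
    [ $# -gt 0 ] || { echo "usage: update_jails jailroot ..." >&2; return 2; }
    for root in "$@"; do
        # DESTDIR=/ would install the jail's world over the host, and a
        # relative path would land wherever make happens to run: refuse both,
        # and require that every root exists before touching anything.
        case $root in
            ""|/) echo "refusing jail root '$root'" >&2; return 2 ;;
            /*) ;;
            *) echo "jail root must be an absolute path: '$root'" >&2; return 2 ;;
        esac
        [ -n "$DRYRUN" ] || [ -d "$root" ] || { echo "$root: not a directory" >&2; return 2; }
    done
    # buildworld once; installworld only copies the result into each root.
    run make -C "$SRCDIR" -j"$JOBS" buildworld || return 1
    for root in "$@"; do
        run mergemaster -p -D "$root" || return 1
        run make -C "$SRCDIR" installworld DESTDIR="$root" || return 1
        run mergemaster -D "$root" || return 1
    done
}

# Stand-alone run: show the plan for two jails without touching anything.
DRYRUN=1 update_jails /jails/example /jails/example2
```

mergemaster is interactive, so run this from a terminal rather than from cron; once it finishes, restart each jail as the post says. If jails and host share the same make.conf, replace the buildworld line with the host's existing build as Alain notes.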


Re: jail question

2007-02-11 Thread Bill Moran
Dino Vliet [EMAIL PROTECTED] wrote:

 Hi folks,
 
 I'm installing a nice system to use as my multimedia
 box and already succeeded with geom-mirror. I want to
 use a jail to isolate the p2p applications like 
 amule/emule and want to make sure that they only write
 to an encrypted disk (currently RTFM on geli and gbde)
 
 However, I was wondering what happens with a jail if I
 update the host system due to a security issue or
 something else (recompile kernel and install world).
 Do I need to define the jail again? If not, won't the
 files in the jail stay at their previous versions
 although the host system has been updated to a new
 version?

Yes, that is a problem you have to deal with.  Have a look at the
ezjail port, which makes this a lot easier to deal with.

-Bill


Re: Jail question

2002-12-04 Thread Paul Everlund
On Wed, 4 Dec 2002, Didier Wiroth wrote:

 Hey,
 I'm a freebsd newbie. I was experimenting with jails. I've built an
 entire jail under /usr/local/jail/test which I'm accessing through the
 network using ssh.

 I thought that you can't grep any path or any information outside the
 jail but when I use the command df, I can clearly see the disk slice,
 partition and path to the jail.

 Is this normal?

 Thanks
 Didier

This has been discussed earlier, and I even think someone did file a
PR with a patch to correct it. Try to search the mail archives.

Best regards,
Paul


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: Jail question

2002-12-04 Thread Ruben de Groot
On Wed, Dec 04, 2002 at 02:35:11PM +0100, Paul Everlund typed:
 On Wed, 4 Dec 2002, Didier Wiroth wrote:
 
  Hey,
  I'm a freebsd newbie. I was experimenting with jails. I've built an
  entire jail under /usr/local/jail/test which I'm accessing through the
  network using ssh.
 
  I thought that you can't grep any path or any information outside the
  jail but when I use the command df, I can clearly see the disk slice,
  partition and path to the jail.
 
  Is this normal?
 
  Thanks
  Didier
 
 This has been discussed earlier, and I even think someone did file a
 PR with a patch to correct it. Try to search the mail archives.

Not a patch, a kernel module. I just tried it today and it looks good.
It's downloadable from http://garage.freebsd.pl

cheers,
Ruben

 
 Best regards,
 Paul
 
 
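What Didier saw in df(1), and what the kernel module Ruben points to addressed, is statfs(2) inside a jail reporting the host's mounts and the host path of the jail root. Modern FreeBSD handles this with the per-jail enforce_statfs parameter (jail(8), sysctl security.jail.enforce_statfs). The script below is an added example written for this page, not code from the thread or from the garage.freebsd.pl module; it assumes the jail root /usr/local/jail/test from the post and runs against constructed df output rather than a live jail.

```shell
#!/bin/sh
# Added example (not from the thread): audit what df(1) inside a jail reveals
# about the host. On modern FreeBSD the jail parameter enforce_statfs
# (jail(8), sysctl security.jail.enforce_statfs) controls this:
#   0  every host mount point is visible with its host path (what the post saw)
#   1  only mounts below the jail root, shown relative to it
#   2  only the mount point holding the jail root, shown as "/" (the default)

# host_paths_leak ROOT DF_OUTPUT: returns 0 when ROOT (the jail root's path
# on the host) or a mount beneath it appears in df output captured with
# "jexec <jid> df", i.e. when the jail can see where it lives on the host.
host_paths_leak() {
    root=$1
    df_out=$2
    printf '%s\n' "$df_out" | awk -v root="$root" '
        NR > 1 && ($NF == root || index($NF, root "/") == 1) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_jail_statfs ROOT DF_OUTPUT: prints a verdict; returns 1 on a leak so
# the check can be used from a script.
audit_jail_statfs() {
    if host_paths_leak "$1" "$2"; then
        echo "LEAK: jail at $1 can see host mount paths; set enforce_statfs=2 (or 1) for it"
        return 1
    fi
    echo "ok: no host mount paths visible from jail at $1"
}

# Constructed df output from a jail running with enforce_statfs=0: the host
# slices and the full host path of the jail root are all visible.
DF_UNRESTRICTED='Filesystem  1K-blocks   Used   Avail Capacity  Mounted on
/dev/ad0s1a    507630  98234  368786    21%    /
/dev/ad0s1f  10154158 812345 8529481     9%    /usr
/dev/ad0s1g   2026030 512000 1351928    27%    /usr/local/jail/test'

# Constructed df output from the same jail with enforce_statfs=2: only the
# jail's own mount point, presented as "/".
DF_RESTRICTED='Filesystem  1K-blocks   Used   Avail Capacity  Mounted on
/dev/ad0s1g   2026030 512000 1351928    27%    /'

# Stand-alone run: audit both captures.
audit_jail_statfs /usr/local/jail/test "$DF_UNRESTRICTED"
audit_jail_statfs /usr/local/jail/test "$DF_RESTRICTED"
```

On a live system the quicker check is `jls -j <name> enforce_statfs`; in jail.conf the setting is written as `enforce_statfs = 2;`. The df-based check is still useful when auditing a jail whose configuration you do not control, because it looks at what the jail actually observes rather than at what was configured.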