Re: jails bind ip
Hi,

First of all, usage of 127.0.0.1 as the second address is nothing but wrong, as this is the loopback address :)

For the second part of the question - I suppose it has nothing to do with the BSD and the jail subsystem. I am not sure why you have eth1 tbh, you should only have eth0, maybe because of this binding to 127.0.0.1, which fails as you already have this address on lo0.

But from your logs:

    INFO 2013-01-26 16:03:03.085 Created socket: /127.0.0.1:5001
    [main] ERROR 2013-01-26 16:03:03.186 A serious error occurred during PMS init
    org.jboss.netty.channel.ChannelException: Failed to bind to: /127.0.0.1:5001

Obviously you have an error in your config, as you are not binding to an address, but on a local socket at the root of the system. So my guess is you must either change your software configuration or you should give access to the root folder to the user running the application.

Regards,
Ivailo Tanusheff

"Zyumbilev, Peter" <pe...@aboutsupport.com>
Sent by: owner-freebsd-questi...@freebsd.org
26.01.2013 15:18
To: freebsd-questions@freebsd.org
Subject: jails bind ip

> Hi,
>
> I have successfully run multiple jails on FreeBSD 9.1. Two of the jails are FreeBSD and I have no problems with them. However I have some strange problem with a Debian 6.0 jail.
>
> This is my config:
>
>     jail_debian_rootdir=/jail/debian
>     jail_debian_hostname=debian.bivol.net
>     jail_debian_ip=192.168.30.12,127.0.0.1
>     jail_debian_interface=bge0
>     jail_debian_devfs_enable=YES
>     jail_debian_devfs_ruleset=devfsrules_jail
>     jail_debian_flags=-n debian
>     #jail_debian_mount_enable=YES    # mount YES|NO
>     jail_debian_fstab=/jail/conf/fstab.debian    # File with Filesystems to mount
>
> I tried with and without 127.0.0.1.
>
> This is how ifconfig looks from inside debian:
>
>     root@debian:/# ifconfig
>     eth0      Link encap:Ethernet  HWaddr e8:39:35:25:d2:ef
>               inet addr:192.168.30.12  Bcast:192.168.30.12  Mask:255.255.255.255
>               UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>               RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:478459387769 (445.6 GiB)  TX bytes:190485214007 (177.4 GiB)
>
>     eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP MULTICAST  MTU:65536  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>     lo0       Link encap:Local Loopback
>               inet addr:127.0.0.1  Mask:255.0.0.0
>               UP LOOPBACK RUNNING MULTICAST  MTU:16384  Metric:1
>               RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:103125473 (98.3 MiB)  TX bytes:103125585 (98.3 MiB)
>
>     usbus0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP  MTU:0  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>     usbus1    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP  MTU:0  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>     usbus2    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP  MTU:0  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>     usbus3    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP  MTU:0  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>     usbus4    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP  MTU:0  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>     usbus5    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>               UP  MTU:0  Metric:1
>               RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
>               RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
> However, applications have problems binding. Two applications that fail are Plex media server and PS3 media server.
>
> 1. PS3 media server throws crazy errors like that it cannot bind - no matter which IP I choose:
>
>     [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf
>     [main] DEBUG 2013-01-26 16:03:02.833 Base path set to
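The "Failed to bind to: /127.0.0.1:5001" line quoted above only says that bind(2) failed; the errno behind it is what separates "this address is not assigned here" from "the port is already taken" and "not permitted". The probe below is an added example, not code from the thread: the candidate address list is constructed from Peter's jail config, and the port defaults to 0 so that the probe never collides with a running service.

```python
"""Probe which local addresses a listener can actually bind.

Added example (not code from the thread). It reports, per address, either
the address the kernel really bound or the errno name and a one-line
explanation, which is the information a bare "Failed to bind" log line hides.
"""
import errno
import socket

# Constructed candidate list: the two addresses from Peter's jail config
# plus the wildcard, so the report covers everything a service might try.
CANDIDATES = ["192.168.30.12", "127.0.0.1", "0.0.0.0"]

EXPLANATIONS = {
    errno.EADDRNOTAVAIL: "address is not assigned to any interface visible here",
    errno.EADDRINUSE: "port already bound on this address (or on the wildcard)",
    errno.EACCES: "privileged port, or the process is not allowed to bind it",
}


def probe_bind(address, port=0):
    """Try to bind a TCP socket to (address, port).

    Returns (status, detail): status is "ok" or the errno name; detail is the
    address the socket actually landed on (for "ok") or a short explanation.
    port=0 asks for any free port, so pass the service's real port only when
    you want to test that exact port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((address, port))
        # getsockname() shows where the socket really landed; inside a
        # non-VIMAGE FreeBSD jail a bind to 127.0.0.1 that is not in the
        # jail's address list is remapped to the jail's first address,
        # and that remapped address is what shows up here.
        bound_addr, _ = sock.getsockname()
        return "ok", bound_addr
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return name, EXPLANATIONS.get(exc.errno, exc.strerror)
    finally:
        sock.close()


def probe_all(addresses=CANDIDATES, port=0):
    """Run probe_bind over each address; returns {address: (status, detail)}."""
    return {addr: probe_bind(addr, port) for addr in addresses}


def demo_port_conflict():
    """Hold a listening port on 127.0.0.1 and probe the same port again.
    Returns the second probe's status, which is EADDRINUSE."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        return probe_bind("127.0.0.1", port)[0]
    finally:
        holder.close()


if __name__ == "__main__":
    for addr, (status, detail) in probe_all().items():
        print("%-15s %-14s %s" % (addr, status, detail))
    print("same port twice:", demo_port_conflict())
```

Run it from inside the jail with the service's port to see which of the three outcomes the application is actually hitting.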
Re: jails bind ip
Zyumbilev, Peter wrote:
> Hi,
>
> I have successfully run multiple jails on FreeBSD 9.1. Two of the jails are FreeBSD and I have no problems with them. However I have some strange problem with a Debian 6.0 jail.
>
> This is my config:
>
>     jail_debian_rootdir=/jail/debian
>     jail_debian_hostname=debian.bivol.net
>     jail_debian_ip=192.168.30.12,127.0.0.1
>     jail_debian_interface=bge0
>     jail_debian_devfs_enable=YES
>     jail_debian_devfs_ruleset=devfsrules_jail
>     jail_debian_flags=-n debian
>     #jail_debian_mount_enable=YES    # mount YES|NO
>     jail_debian_fstab=/jail/conf/fstab.debian    # File with Filesystems to mount
>
> I tried with and without 127.0.0.1.
>
> This is how ifconfig looks from inside debian:
>
> [...]
>
> However, applications have problems binding. Two applications that fail are Plex media server and PS3 media server.
>
> 1. PS3 media server throws crazy errors like that it cannot bind - no matter which IP I choose:
>
>     [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf
>     [main] DEBUG 2013-01-26 16:03:02.833 Base path set to file:///etc/ps3mediaserver/renderers/Panasonic.conf
>     [main] INFO 2013-01-26 16:03:02.855 Loading configuration file: PS3.conf
>     [main] DEBUG 2013-01-26 16:03:02.855 Base path set to file:///etc/ps3mediaserver/renderers/PS3.conf
>     [main] INFO 2013-01-26 16:03:02.861 Loading configuration file: AirPlayer.conf
>     [main] DEBUG 2013-01-26 16:03:02.862 Base path set to file:///etc/ps3mediaserver/renderers/AirPlayer.conf
>     [main] INFO 2013-01-26 16:03:02.864 Checking MPlayer font cache. It can take a minute or so.
>     [main] DEBUG 2013-01-26 16:03:02.865 launching: /usr/lib/ps3mediaserver/linux/mplayer
>     [main] INFO 2013-01-26 16:03:03.008 Done!
>     [main] INFO 2013-01-26 16:03:03.016 Searching for plugins in /usr/lib/ps3mediaserver/plugins
>     [main] INFO 2013-01-26 16:03:03.029 No plugins found
>     [main] INFO 2013-01-26 16:03:03.060 Registering transcoding engine: FFmpeg Audio
>     [main] INFO 2013-01-26 16:03:03.078 Registering transcoding engine: MEncoder
>     [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MPlayer Audio
>     [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MEncoder Web
>     [main] INFO 2013-01-26
Re: jails bind ip
> Are you saying you installed the Debian 6.0 operating system inside of a FreeBSD jail and expect it to function?

On top of all, it works ;-) Look at the mailing list archives earlier... See mails from me.

Peter

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jails bind ip
Zyumbilev, Peter wrote:
>> Are you saying you installed the Debian 6.0 operating system inside of a FreeBSD jail and expect it to function?
>
> On top of all, it works ;-) Look at the mailing list archives earlier... See mails from me.
>
> Peter

OK, I read the archive thread with subject "jails". You read a reply pointing you to a French howto:
http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD

I don't read French so have no idea what you did. In another post you said you did this procedure:

1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the French howto.
2. Run sysctl compat.linux.osrelease=2.6.32 in a FreeBSD shell before starting the jail, otherwise you will get the error kernel too old.

Don't understand what you mean by shell in the above #2 sentence.

The info you provided is so lacking in details. People here on the list are not going to try to duplicate your steps just to get an understanding of your situation. When asking a question it's your job to describe in detail what your situation is. What you're trying to achieve by using a jail. What applications you installed in your jail. The jail statements you used to create your jail. So on and so forth. No details results in no replies. If you want helpful replies start with more and better details.

From a very general point of view: you can populate a jail's directory tree with anything you want and the jail will still start. Having the jail start does not mean anything you put inside of the jail is working. Which is what I think is happening in your case.

Without details I can not help you any further.

Good luck.
Re: jails bind ip
On 26/01/2013 23:06, Fbsd8 wrote:
> Zyumbilev, Peter wrote:
>>> Are you saying you installed the Debian 6.0 operating system inside of a FreeBSD jail and expect it to function?
>>
>> On top of all, it works ;-) Look at the mailing list archives earlier... See mails from me.
>>
>> Peter
>
> [...]
>
> Without details I can not help you any further.
>
> Good luck.

Hi,

I know chances are slim that someone will help. I believe my question is asked right. Even if no one can help it was worth asking - at least you learned that Debian can run inside FreeBSD :-) You know, the idea is for everyone to learn from this.

Peter
Re: jails ip addresses
On Thu, 24 Jan 2013 11:51:46 -0500, Fbsd8 <fb...@a1poweruser.com> wrote:

> Is there any situation where assigning the same IP address to a new jail that has already been assigned to a previous jail is valid? I think not, but want verification. What are your thoughts?

I'm sure there are cases of this. One example is poudriere (a package builder): it starts several jails to build the packages and all the jails are bound to 127.0.0.1.

The jail IP enforces that the jailed processes cannot use another IP, but that's all.

Regards.
Re: Jails
- Original Message -
From: Zyumbilev, Peter <pe...@aboutsupport.com>
To: freebsd-questions@FreeBSD.org
Cc:
Sent: Tuesday, January 15, 2013 3:12 AM
Subject: Re: Jails

> On 15/01/2013 02:10, Leonardo M. Ramé wrote:
>> Yes, and also defined /etc/resolv.conf. Any hint?
>>
>> Leonardo M. Ramé
>> http://leonardorame.blogspot.com
>
> This is my jail conf.
>
>     jail_debian_rootdir=/jail/debian
>     jail_debian_hostname=debian.bivol.net
>     jail_debian_ip=192.168.30.12
>     jail_debian_interface=bge0
>     jail_debian_devfs_enable=YES
>     jail_debian_devfs_ruleset=devfsrules_jail
>     jail_debian_flags=-n debian
>     #jail_debian_mount_enable=YES    # mount YES|NO
>     jail_debian_fstab=/jail/conf/fstab.debian
>
> Do you have the IP interface settings correct? My card is bge0, but yours might be different.
>
> Peter

Peter, last night I finally used apt-get to install g++, so it's working! The only thing that doesn't work is ping, but I won't care about it.

Leonardo M. Ramé
http://leonardorame.blogspot.com
Re: Jails
From: Zyumbilev, Peter <pe...@aboutsupport.com>
To: freebsd-questions@FreeBSD.org
Sent: Monday, January 14, 2013 3:53 AM
Subject: Re: Jails

> On 13/01/2013 23:58, Leonardo M. Ramé wrote:
>>     root@debian:/# ping www.google.com
>>     WARNING: setsockopt(ICMP_FILTER): Protocol not available
>>     WARNING: your kernel is veeery old. No problems.
>>     PING www.google.com (173.194.42.16) 56(84) bytes of data.
>>     ping: recvmsg: Invalid argument
>>     ping: recvmsg: Invalid argument
>>     ping: recvmsg: Invalid argument
>>     ping: recvmsg: Invalid argument
>>     --- www.google.com ping statistics ---
>>     4 packets transmitted, 0 received, 100% packet loss, time 3078ms
>>     root@debian:/#
>
> Have you run in FreeBSD: sysctl compat.linux.osrelease=2.6.32 ?

Yes, and also defined /etc/resolv.conf. Any hint?

Leonardo M. Ramé
http://leonardorame.blogspot.com
Re: Jails
On 15/01/2013 02:10, Leonardo M. Ramé wrote:
> Yes, and also defined /etc/resolv.conf. Any hint?
>
> Leonardo M. Ramé
> http://leonardorame.blogspot.com

This is my jail conf.

    jail_debian_rootdir=/jail/debian
    jail_debian_hostname=debian.bivol.net
    jail_debian_ip=192.168.30.12
    jail_debian_interface=bge0
    jail_debian_devfs_enable=YES
    jail_debian_devfs_ruleset=devfsrules_jail
    jail_debian_flags=-n debian
    #jail_debian_mount_enable=YES    # mount YES|NO
    jail_debian_fstab=/jail/conf/fstab.debian

Do you have the IP interface settings correct? My card is bge0, but yours might be different.

Peter
Re: Jails
On Jan 14, 2013, at 10:12 PM, Zyumbilev, Peter wrote:

> On 15/01/2013 02:10, Leonardo M. Ramé wrote:
>> Yes, and also defined /etc/resolv.conf. Any hint?
>>
>> Leonardo M. Ramé
>> http://leonardorame.blogspot.com
>
> This is my jail conf.
>
>     jail_debian_rootdir=/jail/debian
>     jail_debian_hostname=debian.bivol.net
>     jail_debian_ip=192.168.30.12
>     jail_debian_interface=bge0

NOTE: You can optionally combine/collapse those last 2 lines into one:

    jail_debian_ip=bge0|192.168.30.12

(with the pipe character [|] separating the interface and IP)
--
Devin

>     jail_debian_devfs_enable=YES
>     jail_debian_devfs_ruleset=devfsrules_jail
>     jail_debian_flags=-n debian
>     #jail_debian_mount_enable=YES    # mount YES|NO
>     jail_debian_fstab=/jail/conf/fstab.debian
>
> Do you have the IP interface settings correct? My card is bge0, but yours might be different.
>
> Peter

_
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
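Three points from this thread can be checked mechanically before a jail is started: Ivailo's objection to 127.0.0.1 in jail_debian_ip, Patrick's note that several jails may list the same address (poudriere does), and Devin's INTERFACE|ADDRESS form. The linter below is an added example, not code from the thread or from FreeBSD; the rc.conf fragment it reads is constructed after Peter's config plus a hypothetical second jail named builder.

```python
"""Lint the jail_<name>_* settings of an rc.conf(5) fragment.

Added example, not code from the thread or from FreeBSD. It parses
jail_<name>_ip values in the form the old rc.d/jail script accepted: a
comma-separated list whose items are ADDRESS or INTERFACE|ADDRESS, then
reports loopback addresses and addresses listed by more than one jail.
"""
import ipaddress
import re
from collections import defaultdict

# rc.conf keys the old rc.d/jail script understood for a single jail
KEYS = ("rootdir", "hostname", "ip", "interface", "devfs_enable",
        "devfs_ruleset", "flags", "mount_enable", "fstab")
JAIL_VAR = re.compile(r"^jail_(?P<name>.+?)_(?P<key>%s)=(?P<val>.*)$"
                      % "|".join(KEYS))

# Constructed sample modelled on the config posted in the thread, plus a
# hypothetical second jail ("builder") that also lists 127.0.0.1.
SAMPLE_RC_CONF = '''\
jail_debian_rootdir="/jail/debian"
jail_debian_hostname="debian.bivol.net"
jail_debian_ip="192.168.30.12,127.0.0.1"
jail_debian_interface="bge0"
jail_debian_devfs_enable="YES"
jail_debian_devfs_ruleset="devfsrules_jail"
jail_debian_flags="-n debian"
#jail_debian_mount_enable="YES"   # mount YES|NO
jail_debian_fstab="/jail/conf/fstab.debian" # File with Filesystems to mount
jail_builder_rootdir="/jail/builder"
jail_builder_ip="bge0|127.0.0.1"
'''


def _shell_value(raw):
    """Return the value of a shell assignment: the quoted string if quoted,
    otherwise everything up to a trailing '#' comment."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split("#", 1)[0].strip()


def parse_rc_conf(text):
    """Collect jail_<name>_<key>=value lines into {name: {key: value}}.
    Commented-out lines are skipped, so #jail_debian_mount_enable is not seen."""
    jails = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = JAIL_VAR.match(line)
        if match:
            jails[match["name"]][match["key"]] = _shell_value(match["val"])
    return dict(jails)


def parse_ip_list(value):
    """Split a jail_<name>_ip value into (interface or None, IPv4Interface)
    pairs; each item is ADDRESS or INTERFACE|ADDRESS, optionally with /prefix."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if item:
            iface, _, addr = item.rpartition("|")
            entries.append((iface or None, ipaddress.ip_interface(addr)))
    return entries


def lint_jails(text):
    """Return (jail, message) findings for every jail defined in text."""
    jails = parse_rc_conf(text)
    findings = []
    owners = defaultdict(list)  # address -> names of the jails listing it
    for name, cfg in sorted(jails.items()):
        if "ip" not in cfg:
            findings.append((name, "no jail_%s_ip set" % name))
            continue
        for iface, entry in parse_ip_list(cfg["ip"]):
            addr = entry.ip
            if addr.is_loopback:
                # With 127.0.0.1 in its own list the jail uses the host's real
                # loopback address (reaching services bound there) instead of
                # having 127.0.0.1 remapped to the jail's first address.
                findings.append((name, "%s listed: jail shares the host's "
                                 "loopback address; confirm this is intended" % addr))
            if iface is None and "interface" not in cfg:
                findings.append((name, "%s has no interface: use INTERFACE|%s "
                                 "or set jail_%s_interface" % (addr, addr, name)))
            owners[addr].append(name)
    for addr, names in sorted(owners.items(), key=lambda kv: int(kv[0])):
        if len(names) > 1:
            findings.append(("*", "%s is listed by %s (allowed, but each of "
                             "them is then restricted to that same address)"
                             % (addr, ", ".join(names))))
    return findings


if __name__ == "__main__":
    for jail, message in lint_jails(SAMPLE_RC_CONF):
        print("%-8s %s" % (jail, message))
```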
Re: Jails
On 12/01/2013 18:41, Devin Teske wrote:
> On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote:
>> Hi,
>>
>> I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly; however sopcast seemed to run, but I have not tested it; for plex - I have not tried yet.
>
> netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail.
>
> NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions.

My host OS is Nas4Free, which is a stripped version of FreeBSD - e.g. I cannot even compile ports - that is why I use jails - so no new kernel for me there :)

So far I am quite happy with it - I use it mainly as a DLNA server (Serviio); ZFS, UPS support and Transmission made it quite a good platform - it would take plenty of time to get all this in a plain FreeBSD install. The only thing that I might be missing is Plex, but due to the lack of the browser-per-folder feature, I will stick to the open standard - DLNA.

Peter
Re: Jails
From: Zyumbilev, Peter <pe...@aboutsupport.com>
To: freebsd-questions@FreeBSD.org
Cc: Mark Felder <f...@feld.me>; Devin Teske <dte...@freebsd.org>; Devin Teske <devin.te...@fisglobal.com>
Sent: Sunday, January 13, 2013 7:09 AM
Subject: Re: Jails

> On 12/01/2013 18:41, Devin Teske wrote:
>> [...]
>
> My host OS is Nas4Free, which is a stripped version of FreeBSD - e.g. I cannot even compile ports - that is why I use jails - so no new kernel for me there :)
>
> So far I am quite happy with it - I use it mainly as a DLNA server (Serviio); ZFS, UPS support and Transmission made it quite a good platform - it would take plenty of time to get all this in a plain FreeBSD install. The only thing that I might be missing is Plex, but due to the lack of the browser-per-folder feature, I will stick to the open standard - DLNA.
>
> Peter

Hi,

I've installed Debian 6 in a jail, from FreeBSD 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping:

    server# /etc/rc.d/jail start debian
    Configuring jails:.
    Starting jails: debian.
    server# jls
       JID  IP Address      Hostname                      Path
        13  192.168.0.250   debian                        /usr/home/jails/debian
    server# jexec 13 bash
    root@debian:/# uname -a
    Linux debian 2.6.32 FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012 i686 GNU/Linux
    root@debian:/# ping www.google.com
    WARNING: WARNING: your kernel is veeery old. No problems.
    PING www.google.com (173.194.42.17) 56(84) bytes of data.
    ping: recvmsg: Invalid argument
    ping: recvmsg: Invalid argument

Apart from getting those ping errors, I cannot apt-get update:

    root@debian:/# apt-get update
    Get:1 http://security.debian.org squeeze/updates Release.gpg [836 B]
    Ign http://security.debian.org/ squeeze/updates/contrib Translation-en
    Get:2 http://ftp.debian.org squeeze Release.gpg [1672 B]
    Ign http://ftp.debian.org/debian/ squeeze/contrib Translation-en
    99% [Working]FATAL - Could not set non-blocking flag Bad file descriptor
    E: Method http has died unexpectedly!
    E: Sub-process http returned an error code (100)

I need apt-get to install g++, to be able to compile a Linux C++ app from FreeBSD.

--
Leonardo M. Ramé
http://leonardorame.blogspot.com
Re: Jails
On Jan 13, 2013, at 7:45 AM, Leonardo M. Ramé wrote:

> [...]
>
> Hi,
>
> I've installed Debian 6 in a jail, from FreeBSD 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping:

ping is usually denied from within a jail (for security purposes).

Add the following to /etc/rc.conf:

    jail_sysvipc_allow=YES

And then reboot.
--
Devin
Re: Jails
- Original Message -
From: Devin Teske <devin.te...@fisglobal.com>
To: Leonardo M. Ramé <martinr...@yahoo.com>
Cc: freebsd-questions@FreeBSD.org
Sent: Sunday, January 13, 2013 2:23 PM
Subject: Re: Jails

> On Jan 13, 2013, at 7:45 AM, Leonardo M. Ramé wrote:
>
>> [...]
>>
>> Hi,
>>
>> I've installed Debian 6 in a jail, from FreeBSD 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping:
>
> ping is usually denied from within a jail (for security purposes).
>
> Add the following to /etc/rc.conf:
>
>     jail_sysvipc_allow=YES
>
> And then reboot.

I've tried that, but I got the same results:

    root@debian:/# ping www.google.com
    WARNING: setsockopt(ICMP_FILTER): Protocol not available
    WARNING: your kernel is veeery old. No problems.
    PING www.google.com (173.194.42.16) 56(84) bytes of data.
    ping: recvmsg: Invalid argument
    ping: recvmsg: Invalid argument
    ping: recvmsg: Invalid argument
    ping: recvmsg: Invalid argument
    --- www.google.com ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3078ms
    root@debian:/#

Leonardo M. Ramé
http://leonardorame.blogspot.com
Re: Jails
On 13/01/2013 23:58, Leonardo M. Ramé wrote:
>     root@debian:/# ping www.google.com
>     WARNING: setsockopt(ICMP_FILTER): Protocol not available
>     WARNING: your kernel is veeery old. No problems.
>     PING www.google.com (173.194.42.16) 56(84) bytes of data.
>     ping: recvmsg: Invalid argument
>     ping: recvmsg: Invalid argument
>     ping: recvmsg: Invalid argument
>     ping: recvmsg: Invalid argument
>     --- www.google.com ping statistics ---
>     4 packets transmitted, 0 received, 100% packet loss, time 3078ms
>     root@debian:/#

Have you run in FreeBSD: sysctl compat.linux.osrelease=2.6.32 ?
Re: Jails
On 13/01/2013 23:58, Leonardo M. Ramé wrote:
>     root@debian:/# ping www.google.com
>     WARNING: setsockopt(ICMP_FILTER): Protocol not available
>     WARNING: your kernel is veeery old. No problems.
>     PING www.google.com (173.194.42.16) 56(84) bytes of data.
>     ping: recvmsg: Invalid argument
>     ping: recvmsg: Invalid argument
>     ping: recvmsg: Invalid argument
>     ping: recvmsg: Invalid argument
>     --- www.google.com ping statistics ---
>     4 packets transmitted, 0 received, 100% packet loss, time 3078ms
>     root@debian:/#

Also make sure your /etc/resolv.conf looks like this:

    nameserver 8.8.8.8

Peter
Re: Jails
On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote:

> Hi,
>
> I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly; however sopcast seemed to run, but I have not tested it; for plex - I have not tried yet.

netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail.

NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions.
--
Devin

> On 11/01/2013 21:19, Mark Felder wrote:
>> On Fri, 11 Jan 2013 18:28:41 +0200
>> Zyumbilev, Peter <pe...@aboutsupport.com> wrote:
>>> 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the howto.
>>> 2. Run sysctl compat.linux.osrelease=2.6.32 in a FreeBSD shell before starting the jail, otherwise you will get the error kernel too old.
>>
>> Does PLEX work? I'm highly interested in this; I even posted asking for FreeBSD support on the relevant forum post...
Re: Jails
On 11/01/2013 17:31, Patrick Lamaiziere wrote:
> On Fri, 11 Jan 2013 17:02:19 +0200, Zyumbilev, Peter <pe...@aboutsupport.com> wrote:
>> Hi,
>>
>> I run FreeBSD 9.1 64 bit (Nas4free). I have no problem setting up FreeBSD jails inside. However, I wonder, is there any tutorial on how to make Debian Squeeze run inside a jail? I know it is possible with PC-BSD, should be possible with FreeBSD, but I have no documentation on how to utilize this feature.
>
> Baptiste (bapt@) made a small doc for this in the past, but in French.
> http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD
>
> Regards

For future reference: I've got it to work, just 2 things:

1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the howto.
2. Run sysctl compat.linux.osrelease=2.6.32 in a FreeBSD shell before starting the jail, otherwise you will get the error kernel too old.

Otherwise, so far so good :-)

Peter
Re: Jails
On Fri, 11 Jan 2013 18:28:41 +0200 Zyumbilev, Peter pe...@aboutsupport.com wrote:
> 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the howto.
> 2. Run sysctl compat.linux.osrelease=2.6.32 in the FreeBSD shell before starting the jail, otherwise you will get the error "kernel too old".

Does PLEX work? I'm highly interested in this. I even posted asking for FreeBSD support on the relevant forum post...
Re: Jails
Hi,

I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly; however sopcast seemed to run, but I have not tested it, and for plex - I have not tried yet.

Peter

On 11/01/2013 21:19, Mark Felder wrote:
> On Fri, 11 Jan 2013 18:28:41 +0200 Zyumbilev, Peter pe...@aboutsupport.com wrote:
>> 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the howto.
>> 2. Run sysctl compat.linux.osrelease=2.6.32 in the FreeBSD shell before starting the jail, otherwise you will get the error "kernel too old".
>
> Does PLEX work? I'm highly interested in this. I even posted asking for FreeBSD support on the relevant forum post...
Re: Jails on FreeBSD 9.0
On 22 July 2012 21:55, Herbert J. Skuhra h.sku...@gmail.com wrote:
> On Sat, 21 Jul 2012 16:10:56 +0200 Herbert J. Skuhra h.sku...@gmail.com wrote:
>> On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote:
>>> Hi,
>>>
>>> ok, this is obviously a pf problem and the reason why the network in the jail doesn't work.
>>>
>>> ifconfig lo1 create
>>> ifconfig lo1 10.0.0.10 netmask 0xffffff00
>>> nc -s 10.0.0.10 xx.xx.xx.xx 25
>>>
>>> With pf: connection fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up
>>> With ipfw: connection OK
>>>
>>> On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.
>>
>> Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem.
>
> Thanks to yongari@ the issue could be resolved on both machines by disabling receive checksum offloading (ifconfig fxp0 -rxsum).

If this is a fxp bug, can you please file a PR explaining the issue and how to reproduce it?

-- 
Eitan Adler
Re: Jails on FreeBSD 9.0
On Mon, Jul 23, 2012 at 8:31 AM, Eitan Adler li...@eitanadler.com wrote:
> If this is a fxp bug, can you please file a PR explaining the issue and how to reproduce it?

kern/170081

-- 
Herbert
Re: Jails on FreeBSD 9.0
On Sat, 21 Jul 2012 16:10:56 +0200 Herbert J. Skuhra h.sku...@gmail.com wrote:
> On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote:
>> Hi,
>>
>> ok, this is obviously a pf problem and the reason why the network in the jail doesn't work.
>>
>> ifconfig lo1 create
>> ifconfig lo1 10.0.0.10 netmask 0xffffff00
>> nc -s 10.0.0.10 xx.xx.xx.xx 25
>>
>> With pf: connection fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up
>> With ipfw: connection OK
>>
>> On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.
>
> Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem.

Thanks to yongari@ the issue could be resolved on both machines by disabling receive checksum offloading (ifconfig fxp0 -rxsum).

-- 
Herbert
Re: Jails on FreeBSD 9.0
Hi,

ok, this is obviously a pf problem and the reason why the network in the jail doesn't work.

ifconfig lo1 create
ifconfig lo1 10.0.0.10 netmask 0xffffff00
nc -s 10.0.0.10 xx.xx.xx.xx 25

With pf: connection fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up
With ipfw: connection OK

On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.

Thanks.

-- 
Herbert
Re: Jails on FreeBSD 9.0
On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote:
> Hi,
>
> ok, this is obviously a pf problem and the reason why the network in the jail doesn't work.
>
> ifconfig lo1 create
> ifconfig lo1 10.0.0.10 netmask 0xffffff00
> nc -s 10.0.0.10 xx.xx.xx.xx 25
>
> With pf: connection fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up
> With ipfw: connection OK
>
> On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.

Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem.

-- 
Herbert
Re: Jails on FreeBSD 9.0
On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra h.sku...@gmail.com wrote:
> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu joris.ded...@gmail.com wrote:
>> 2012/7/12 Herbert J. Skuhra h.sku...@gmail.com:
>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra h.sku...@gmail.com wrote:
>>>> Hi,
>>>>
>>>> although I've followed the instructions in jail(8) and jail.conf(5) I cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334). The symptoms:
>>>>
>>>> * ssh'ing to the jail works, but it takes about 20 seconds until the password prompt appears
>>
>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>
> No, I can login instantly.
>
>>>> * netstat -r in the jail takes about 150 seconds to finish
>>
>> Does netstat -rn do the same?
>
> No, the output appears immediately.
>
>>>> * connections to the internet time out; with tcpdump I see that packets leave and enter the public interface on the host, but never reach the jail
>>>>
>>>> I use the lo1 interface and ip address 192.168.1.1/24 for the jail. The public interface is fxp0 with both an IPv4 and an IPv6 address assigned. Of course, nat is enabled via pf on the public interface.
>>
>> Can you post your PF configuration?
>>
>>> After switching to ipfw/natd networking in the jail works. Could this be a bug?
>>
>> I think you had an issue with the firewall that blocks name resolution and makes everything go slow. At least you need one single line in your pf.conf:
>>
>> nat on $public_interface from $jail_ip to any -> ($public_interface)
>
> Even when loading only the nat rule it doesn't work:
>
> nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr
>
> Thanks.
>
> Herbert
> ___
> freebsd-j...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org

As Mark Felder wrote: You don't have anything in /etc/resolv.conf in the jail, do you? :-)

-- 
Med Venlig Hilsen
Kalle R. Møller
Re: Jails on FreeBSD 9.0
On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller freebsd-questi...@k-moeller.dk wrote:
> On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra h.sku...@gmail.com wrote:
>> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu joris.ded...@gmail.com wrote:
>>> 2012/7/12 Herbert J. Skuhra h.sku...@gmail.com:
>>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra h.sku...@gmail.com wrote:
>>>>> Hi,
>>>>>
>>>>> although I've followed the instructions in jail(8) and jail.conf(5) I cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334). The symptoms:
>>>>>
>>>>> * ssh'ing to the jail works, but it takes about 20 seconds until the password prompt appears
>>>
>>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>>
>> No, I can login instantly.
>>
>>>>> * netstat -r in the jail takes about 150 seconds to finish
>>>
>>> Does netstat -rn do the same?
>>
>> No, the output appears immediately.
>>
>>>>> * connections to the internet time out; with tcpdump I see that packets leave and enter the public interface on the host, but never reach the jail
>>>>>
>>>>> I use the lo1 interface and ip address 192.168.1.1/24 for the jail. The public interface is fxp0 with both an IPv4 and an IPv6 address assigned. Of course, nat is enabled via pf on the public interface.
>>>
>>> Can you post your PF configuration?
>>>
>>>> After switching to ipfw/natd networking in the jail works. Could this be a bug?
>>>
>>> I think you had an issue with the firewall that blocks name resolution and makes everything go slow. At least you need one single line in your pf.conf:
>>>
>>> nat on $public_interface from $jail_ip to any -> ($public_interface)
>>
>> Even when loading only the nat rule it doesn't work:
>>
>> nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr
>>
>> Thanks.
>>
>> Herbert
>
> As Mark Felder wrote: You don't have anything in /etc/resolv.conf in the jail, do you? :-)

I have two nameservers listed!

If I boot a kernel with ipfirewall/ipdivert and run natd the network in the jail works! With pf: I see the packets going out/coming in on fxp0 but somehow the jail does not see them.

A 'dig www.google.com' in the jail fails with "connection timed out; no servers could be reached", but:

11:39:45.30 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180, A 173.194.35.178 (132)
11:39:50.667799 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180, A 173.194.35.176 (132)
11:39:55.668783 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:55.675917 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176, A 173.194.35.178 (132)

And 'nc 173.194.35.177 80':

11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:53.382320 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:55.796638 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0
11:41:57.299125 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0
11:42:00.488595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:00.498606 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666834 ecr 8593173,nop,wscale 6], length 0
11:42:00.621724 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666957 ecr 8593173,nop,wscale 6],
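The pattern in Herbert's capture above (the remote side's SYN-ACK reaches fxp0 again and again while the jailed client keeps retransmitting its SYN and never sends the final ACK) can be picked out of tcpdump text output automatically, which is useful when a filter or NAT on the host is suspected of dropping the return path. The script below is an added example, not part of the thread; its capture is constructed from RFC 5737 documentation addresses in place of the real ones.

```python
"""Spot TCP handshakes where SYN-ACKs arrive but are never acknowledged.

Added example, not from the thread. It parses tcpdump -n text output of the
form seen in the capture above ("HH:MM:SS.usec IP src.port > dst.port: Flags [..]")
and reports flows where the peer's SYN-ACK reaches the capture interface while
the local side keeps retransmitting its SYN. On a jail host that points at the
return path (pf/ipfw rule or NAT state) rather than at the remote server.
"""
import re
import sys
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample modelled on the thread's capture: 198.51.100.7:80 answers
# every SYN from 192.0.2.10:56936 with a SYN-ACK, yet the client never sends the
# final ACK and retransmits its SYN (stalled). The 40000 -> 25 flow completes
# normally and must not be reported.
SAMPLE_CAPTURE = """\
11:41:52.176904 IP 198.51.100.7.80 > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, length 0
11:41:53.382320 IP 198.51.100.7.80 > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, length 0
11:41:54.088585 IP 192.0.2.10.56936 > 198.51.100.7.80: Flags [S], seq 2143442670, win 65535, length 0
11:41:54.098838 IP 198.51.100.7.80 > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, length 0
11:41:57.288596 IP 192.0.2.10.56936 > 198.51.100.7.80: Flags [S], seq 2143442670, win 65535, length 0
11:41:57.299125 IP 198.51.100.7.80 > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, length 0
11:42:00.488595 IP 192.0.2.10.56936 > 198.51.100.7.80: Flags [S], seq 2143442670, win 65535, length 0
11:42:00.498606 IP 198.51.100.7.80 > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, length 0
11:42:01.000000 IP 192.0.2.10.40000 > 198.51.100.8.25: Flags [S], seq 1, win 65535, length 0
11:42:01.010000 IP 198.51.100.8.25 > 192.0.2.10.40000: Flags [S.], seq 2, ack 2, win 14180, length 0
11:42:01.020000 IP 192.0.2.10.40000 > 198.51.100.8.25: Flags [.], ack 3, win 1024, length 0
"""


def parse_line(line):
    """Return (timestamp, src, dst, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    return m.group("ts", "src", "dst", "flags") if m else None


def handshake_stats(lines):
    """Count SYN, SYN-ACK and bare ACK packets per flow, keyed (client, server).

    The client is the endpoint that sends the plain SYN; a SYN-ACK is credited
    to the flow of the endpoint it is addressed to, so both directions share a key.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0,
                                 "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, flags = parsed
        if flags == "S":
            key, field = (src, dst), "syn"
        elif flags == "S.":
            key, field = (dst, src), "synack"
        elif flags == ".":
            key, field = (src, dst), "ack"
            if key not in flows:  # server-side or mid-stream ACK, not a handshake completion
                continue
        else:
            continue
        f = flows[key]
        f[field] += 1
        f["first"] = f["first"] or ts
        f["last"] = ts
    return flows


def stalled_handshakes(lines, min_synack=2):
    """Flows with at least min_synack SYN-ACKs seen and no completing ACK from
    the client. Returns a list of (client, server, syn_count, synack_count)."""
    out = []
    for (client, server), f in handshake_stats(lines).items():
        if f["synack"] >= min_synack and f["ack"] == 0:
            out.append((client, server, f["syn"], f["synack"]))
    return out


def report(lines):
    """Human-readable summary of the stalled flows in a capture."""
    rows = stalled_handshakes(lines)
    if not rows:
        return "no stalled handshakes found"
    return "\n".join(
        f"{c} -> {s}: {syn} SYN sent, {sa} SYN-ACK received, never ACKed "
        f"(reply reaches the interface but not the connecting socket)"
        for c, s, syn, sa in rows
    )


if __name__ == "__main__":
    # Usage: python3 stalled_syn.py [tcpdump_text_file]   (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(report(data.splitlines()))
```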
Re: Jails V2, VIMAGE, and integration in the base system
On 02/03/12 17:02, Devin Teske wrote:
> Please give this a try:
> http://druidbsd.sf.net/vimage.shtml
> http://druidbsd.sf.net/download.shtml

Hi,

Interesting. Is it safe to run in production (VIMAGE/vnets)?
Re: Jails V2, VIMAGE, and integration in the base system
On Feb 4, 2012, at 10:45 AM, Hugo Silva wrote:
> On 02/03/12 17:02, Devin Teske wrote:
>> Please give this a try:
>> http://druidbsd.sf.net/vimage.shtml
>> http://druidbsd.sf.net/download.shtml
>
> Hi,
>
> Interesting. Is it safe to run in production (VIMAGE/vnets)?

I can't speak to every application, release, or even purpose, but we've been using between 2 and 3 dozen vimages for various purposes without problem on 8.1-RELEASE-p6 (just haven't got around to updating to -p7 which is the latest RELENG_8_1 security patch).

We've been running amd64 hosts with both amd64 and i386 jails. Doing compiler builds, using them as web servers, shell servers, bastions, gateways, proxies (both shell and web), and even for running legacy releases of FreeBSD (running 4.11 i386 on an amd64 8.1 host).

So the VIMAGE/vnets support seems pretty stable in 8.1-RELEASE.

Oh, we did have to MFC SVN r207194 to fix a bug in sys/net/rtsock.c when running i386 route(8) in VIMAGE under an amd64 host. Though you don't have to apply the patch, as the workaround was simple -- copy the host's amd64 route(8) over the vimage's i386 one. That's really the only bug we ever hit, but your mileage may vary. We've been generally very happy with VIMAGE/vnets so far.

Now, with respect to the script being production ready, I'd say yes with one minor nit... Unnecessarily starting/stopping vimages after boot is bad for two reasons:

1. In 8.1-RELEASE there's an unnecessary loss in VM pages every time you remove a vimage jail with jail -r (this has been fixed in later releases).
2. The Ethernet HW address auto-calculations performed in my script are based on the order in which vimages are started and stopped. This is easily overcome by setting the HW address in the ifconfig_* line within rc.conf(5) (within the vimage rootdir).

-- 
Devin
RE: Jails V2, VIMAGE, and integration in the base system
> -----Original Message-----
> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Hugo Silva
> Sent: Friday, February 03, 2012 8:17 AM
> To: freebsd-questions@freebsd.org
> Subject: Jails V2, VIMAGE, and integration in the base system
>
> Hello,
>
> I didn't find much about jails v2 + epair + vimage on google; the FreeBSD wiki pages concerning this subject seem fairly outdated (that or not much has happened in 3 years), and the manpages don't mention much about vimage/vnet.
>
> According to http://ivoras.net/freebsd/freebsd8.html it should be in FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not integrated in the base system and information/documentation is scarce, few will use it.
>
> Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 years old.
>
> My question is, how wise would it be to attempt to use these features in production? IMO this is very interesting stuff, having these things integrated would be a worthy addition to FreeBSD.

Please give this a try:

http://druidbsd.sf.net/vimage.shtml
http://druidbsd.sf.net/download.shtml

-- 
Devin
Re: Jails V2, VIMAGE, and integration in the base system
Hugo Silva wrote:
> Hello,
>
> I didn't find much about jails v2 + epair + vimage on google; the FreeBSD wiki pages concerning this subject seem fairly outdated (that or not much has happened in 3 years), and the manpages don't mention much about vimage/vnet.
>
> According to http://ivoras.net/freebsd/freebsd8.html it should be in FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not integrated in the base system and information/documentation is scarce, few will use it.
>
> Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 years old.
>
> My question is, how wise would it be to attempt to use these features in production? IMO this is very interesting stuff, having these things integrated would be a worthy addition to FreeBSD.

Yes, VIMAGE jails are part of the 8.x releases. Jail is in the base release in its manual form and you have to recompile the kernel to enable VIMAGE, which is labeled experimental. Jails are used in many production environments managed by the sysutil/qjail port, but use VIMAGE at your own risk. Have no info on epair.
Re: Jails within different networks ... ?
I've actually done that but the result was jails coming up incredibly slowly and, once up, basically not wired. I'm gonna check my configuration again and I'll update the mailing list soon.

Thanks for your time to you all.

On Sat, 2011-12-03 at 21:54 +, Matthew Seaman wrote:
> On 03/12/2011 17:54, Snoop wrote:
>> I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to it my next available public ip address xxx.xxx.26.228/24, but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or is it a delirium?
>
> Sure you can do that. Remember the rule though, that the first IP from each different network configured on an interface must use the natural netmask for that network. Second and subsequent addresses from each different network can either use the all-ones (/32) netmask, or the natural netmask. This only changed a few years ago, so there's still a lot of advice going around saying you should use the older all-ones style, but in actuality you can do it whichever of those ways you want and it won't make any functional difference.
>
> Cheers,
>
> Matthew
Re: Jails within different networks ... ?
Just an update. It seems to be working well. The jail startup slowness I believe is due to the fact that the DNS is still down.

Thanks for your time.

### host rc.conf related section
ifconfig_lagg0="laggproto failover laggport bge0 laggport bge1 xxx.xxx.26.224/24"
ifconfig_lagg0_alias_0="inet xxx.xxx.26.225/32"
ifconfig_lagg0_alias_1="inet xxx.xxx.26.226/32"
ifconfig_lagg0_alias_2="inet xxx.xxx.26.227/32"
ifconfig_lagg0_alias_3="inet 172.16.3.2/27"
ifconfig_lagg0_alias_4="inet 172.16.3.3/27"
ifconfig_lagg0_alias_5="inet 172.16.3.4/27"
ifconfig_lagg0_alias_6="inet 172.16.3.5/27"
ifconfig_lagg0_alias_7="inet 172.16.3.6/27"

### ifconfig related output
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:14:5e:ee:2b:c0
        inet xxx.xxx.26.224 netmask 0xffffff00 broadcast xxx.xxx.26.255
        inet xxx.xxx.26.225 netmask 0xffffffff broadcast xxx.xxx.26.225
        inet xxx.xxx.26.226 netmask 0xffffffff broadcast xxx.xxx.26.226
        inet xxx.xxx.26.227 netmask 0xffffffff broadcast xxx.xxx.26.227
        inet 172.16.3.2 netmask 0xffffffff broadcast 172.16.3.2
        inet 172.16.3.3 netmask 0xffffffff broadcast 172.16.3.3
        inet 172.16.3.4 netmask 0xffffffff broadcast 172.16.3.4
        inet 172.16.3.5 netmask 0xffffffff broadcast 172.16.3.5
        inet 172.16.3.6 netmask 0xffffffff broadcast 172.16.3.6
        media: Ethernet autoselect
        status: active
        laggproto failover
        laggport: bge1 flags=0<>
        laggport: bge0 flags=5<MASTER,ACTIVE>
Re: Jails within different networks ... ?
2011/12/3 Snoop sn...@email.it:
> Hi there,
>
> I've a doubt! I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to it my next available public ip address xxx.xxx.26.228/24, but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or is it a delirium? I don't want to waste my public ip address for a jail which I want to have a network configured but not to be publicly visible.
>
> Many thanks in advance.
>
> lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
>         ether 00:14:5e:ee:2b:c0
>         inet xxx.xxx.26.224 netmask 0xffffff00 broadcast xxx.xxx.26.255
>         inet xxx.xxx.26.225 netmask 0xffffffff broadcast xxx.xxx.26.225
>         inet xxx.xxx.26.226 netmask 0xffffffff broadcast xxx.xxx.26.226
>         inet xxx.xxx.26.227 netmask 0xffffffff broadcast xxx.xxx.26.227
>         media: Ethernet autoselect
>         status: active
>         laggproto failover
>         laggport: bge1 flags=0<>
>         laggport: bge0 flags=5<MASTER,ACTIVE>

Create an alias. Example:

ifconfig_em0_alias0="inet 192.0.2.9 netmask 255.255.255.255"

http://blather.michaelwlucas.com/archives/1021

Regards.
Re: Jails within different networks ... ?
On 03/12/2011 17:54, Snoop wrote:
> I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to it my next available public ip address xxx.xxx.26.228/24, but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or is it a delirium?

Sure you can do that. Remember the rule though, that the first IP from each different network configured on an interface must use the natural netmask for that network. Second and subsequent addresses from each different network can either use the all-ones (/32) netmask, or the natural netmask. This only changed a few years ago, so there's still a lot of advice going around saying you should use the older all-ones style, but in actuality you can do it whichever of those ways you want and it won't make any functional difference.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
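Matthew's rule (the first address from each network carries the natural mask; later addresses in that network may be /32) can be checked mechanically against an rc.conf before a jail host is rebooted, and the same logic can emit the alias layout Snoop ended up using. The Python below is an added example, not from the thread; it assumes the ifconfig_<if>_alias<N> spelling from the other reply (the alias_<N> spelling is accepted too) and uses 203.0.113.0/24 as a stand-in for the anonymised xxx.xxx.26.0/24 block.

```python
"""Check and generate rc.conf(5) alias lines under the netmask rule from the thread.

Added example, not from the thread. Rule enforced: the first address from each
network configured on an interface carries that network's natural mask; second
and subsequent addresses from the same network may use /32 (or the natural
mask). Sample addresses are constructed: 203.0.113.0/24 stands in for the
poster's anonymised xxx.xxx.26.0/24 block.
"""
import ipaddress
import re

# One interface's rc.conf lines in the ifconfig_<if>_alias<N> spelling shown in
# the thread's alias example; Snoop's alias_<N> spelling is accepted as well.
SAMPLE_RC = """\
ifconfig_lagg0="laggproto failover laggport bge0 laggport bge1 203.0.113.224/24"
ifconfig_lagg0_alias0="inet 203.0.113.225/32"
ifconfig_lagg0_alias1="inet 203.0.113.226/32"
ifconfig_lagg0_alias2="inet 172.16.3.2/27"
ifconfig_lagg0_alias3="inet 172.16.3.3/32"
"""

# An IPv4 address followed by either /NN or a dotted "netmask a.b.c.d".
ADDR_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2})| netmask (\d{1,3}(?:\.\d{1,3}){3}))"
)


def parse_rc_addresses(interface, rc_lines):
    """Return the interface's IPv4 addresses as IPv4Interface objects in the order
    rc(8) assigns them: the primary ifconfig_<if> line, then aliases by number.
    Lines without an explicit mask (/NN or dotted netmask) are rejected."""
    line_re = re.compile(
        rf'^ifconfig_{re.escape(interface)}(?:_alias_?(\d+))?="?([^"]*)"?\s*$'
    )
    primary, aliases = None, []
    for raw in rc_lines:
        m = line_re.match(raw.strip())
        if not m:
            continue
        am = ADDR_RE.search(m.group(2))
        if not am:
            raise ValueError(f"no address with an explicit mask in: {raw.strip()}")
        mask = am.group(2) or am.group(3)
        iface = ipaddress.IPv4Interface(f"{am.group(1)}/{mask}")
        if m.group(1) is None:
            primary = iface
        else:
            aliases.append((int(m.group(1)), iface))
    ordered = [primary] if primary is not None else []
    return ordered + [iface for _, iface in sorted(aliases)]


def check_alias_masks(addresses):
    """Apply the rule to an ordered address list. Returns a list of violation
    strings; an empty list means the configuration is consistent with it."""
    announced = []  # networks already configured with their natural mask
    violations = []
    for iface in addresses:
        if iface.network.prefixlen == 32:
            if not any(iface.ip in net for net in announced):
                violations.append(
                    f"{iface.ip}/32 is configured before any address announced "
                    f"its network with a natural mask"
                )
        else:
            announced.append(iface.network)
    return violations


def rc_conf_lines(interface, cidrs, primary_opts=""):
    """Emit rc.conf lines from 'a.b.c.d/NN' strings given with their natural
    masks, switching to /32 for every address after the first in its network,
    which is the layout Snoop posted (primary_opts holds e.g. the lagg setup)."""
    lines, seen = [], []
    for n, cidr in enumerate(cidrs):
        iface = ipaddress.IPv4Interface(cidr)
        plen = 32 if iface.network in seen else iface.network.prefixlen
        if iface.network not in seen:
            seen.append(iface.network)
        if n == 0:
            prefix = f"{primary_opts} " if primary_opts else ""
            lines.append(f'ifconfig_{interface}="{prefix}{iface.ip}/{plen}"')
        else:
            lines.append(f'ifconfig_{interface}_alias{n - 1}="inet {iface.ip}/{plen}"')
    return lines


if __name__ == "__main__":
    addrs = parse_rc_addresses("lagg0", SAMPLE_RC.splitlines())
    problems = check_alias_masks(addrs)
    print("\n".join(problems) if problems else "alias masks are consistent with the rule")
    print("\n".join(rc_conf_lines(
        "lagg0",
        ["203.0.113.224/24", "203.0.113.225/24", "172.16.3.2/27", "172.16.3.3/27"],
        "laggproto failover laggport bge0 laggport bge1",
    )))
```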
Re: Jails: How do i limit what ifconfig shows?
Use ugidfw to limit/deny access to ifconfig - man ugidfw

Cheers,

On 04/23/11 08:21, xor wrote:
> Hullo
>
> First off, thanks for a lovely operating system <3
>
> I decided to go for FreeBSD perhaps 3 days ago. Before, I've been a Debian/OpenBSD guy, and I've only used my obsd box for redundant firewalls and networking. I've not been running any services off the boxen. The reason I decided to go for FreeBSD is because of the Jails.
>
> I've looked around a bit, but I can not find anything about how to limit what interfaces ifconfig shows. I would like it to hide pretty much everything so that _no_ information about the host system's networking leaks into the jails. I don't want jails to know anything but their IP-numbers and which computer to use for DNS lookups, essentially.
>
> Is there any good text out there that describes how to do this? I've searched a bit for it, but I've been unable to find anything but the basics.
>
> Thanks!
Re: Jails: How do i limit what ifconfig shows?
On 22.04.2011, 22:21, xor xor...@gmail.com wrote:
> Hullo
>
> First off, thanks for a lovely operating system <3
>
> I decided to go for FreeBSD perhaps 3 days ago. Before, I've been a Debian/OpenBSD guy, and I've only used my obsd box for redundant firewalls and networking. I've not been running any services off the boxen. The reason I decided to go for FreeBSD is because of the Jails.
>
> I've looked around a bit, but I can not find anything about how to limit what interfaces ifconfig shows. I would like it to hide pretty much everything so that _no_ information about the host system's networking leaks into the jails. I don't want jails to know anything but their IP-numbers and which computer to use for DNS lookups, essentially.
>
> Is there any good text out there that describes how to do this? I've searched a bit for it, but I've been unable to find anything but the basics.

Maybe you can remove the ifconfig binary from the jail. Works for me.

Michael
Re: Jails: How do i limit what ifconfig shows?
But then the root in the jail can just go and compile a new version of ifconfig from the ports collection.

(Generally it's a flawed idea to just remove the binaries. Someone can just download new ones. And if downloading new binaries is not allowed, they can always just push stdin through b64.. etc etc.)

On 22 April 2011 23:00, Michael Ross michael.r...@gmx.net wrote:
> On 22.04.2011, 22:21, xor xor...@gmail.com wrote:
>> Hullo
>>
>> First off, thanks for a lovely operating system <3
>>
>> I decided to go for FreeBSD perhaps 3 days ago. Before, I've been a Debian/OpenBSD guy, and I've only used my obsd box for redundant firewalls and networking. I've not been running any services off the boxen. The reason I decided to go for FreeBSD is because of the Jails.
>>
>> I've looked around a bit, but I can not find anything about how to limit what interfaces ifconfig shows. I would like it to hide pretty much everything so that _no_ information about the host system's networking leaks into the jails. I don't want jails to know anything but their IP-numbers and which computer to use for DNS lookups, essentially.
>>
>> Is there any good text out there that describes how to do this? I've searched a bit for it, but I've been unable to find anything but the basics.
>
> Maybe you can remove the ifconfig binary from the jail. Works for me.
>
> Michael
Re: jails and one dynamic ip address
Hi,

Sure there can be a better solution (I think :)): Use an RFC 1918 private address range for your jail, and use NAT to forward your external interface IP to the private address of the jail. This can be done in ipnat, PF, or the other NATting / packet filtering tools.

Hope I understood your question :).

Regards,
Balázs M.

On 26 May 2010 01:36, Fbsd1 fb...@a1poweruser.com wrote:
> I get one dynamic ip address from my ISP. This is what I specify on the jail for public network access. When the ip address changes on me I have to manually change the ip address associated with the jail. Is there some method I can code so the jail will always have public network access?
Re: jails and one dynamic ip address
>> I get one dynamic ip address from my ISP. This is what I specify on the jail for public network access. When the ip address changes on me I have to manually change the ip address associated with the jail. Is there some method I can code so the jail will always have public network access?
>
> Hi,
>
> Sure there can be a better solution (I think :)): Use an RFC 1918 private address range for your jail, and use NAT to forward your external interface IP to the private address of the jail. This can be done in ipnat, PF, or the other NATting / packet filtering tools.
>
> Hope I understood your question :).
>
> Regards,
> Balázs M.

The jails are on the host with a LAN behind it and with an ipf firewall which allows out anything coming from a LAN private ip address. I was not able to get this to work until I discovered the jail needed a copy of the host's /etc/resolv.conf. Now it works without any special tweaks, and the dynamic ip address changing causes no problems.
Re: Jails and Hardware security
I think you may write your own rule set for that jail in /etc/devfs.rules and specify it by using the line:

jail_(jailname)_devfs_ruleset="(rule_name)"

in /etc/rc.conf, or the corresponding line in /usr/local/etc/ezjail/(jailname) if you are using ezjail.

Regards,
C.C.

On 1/31/2010 6:27 AM, Jay Hall wrote:
> Is it possible to limit what hardware a jail has access to? I am wanting to limit access to the tape drive/autoloader in one jail, but allow another to have access to it.
>
> Is this as simple as deleting the appropriate entries in /dev?
>
> Thanks,
>
> Jay
Re: Jails - Ethernet data vs IP data
On 01/09/10 21:21, Tim Judd wrote:
> I bought a new SiliconDust HDHomeRun device which brings two digital coaxial tuners to an ethernet network. From what I read and understand about the HDHomeRun (HDHR), it does have an IP address assigned to the system, but all packets of video are actually just raw Ethernet packets/data that have their own payload and protocol.
>
> The port MythTV (which I'm starting to love) maintainer has marked the two pieces of MythTV as conflicting ports (I'll address this to the maintainer directly), so I build the frontend (the user interface if you will) on the host, because it needs lots of X11/xorg. The backend runs as a daemon talking with MySQL to manage everything. Since they conflict, the backend goes onto a jail. I have to port-compile the backend every time, the packages have missing dependencies. It takes quite a while.
>
> I know the HDHR is online, I can watch the video without MythTV interaction, but the jailed backend isn't seeing it. So I was hoping to see if I can query the group and see if raw ethernet data can be delivered to a jail, or if I'm just fishing in the empty fish bowl trying to get this to work in a jail.
>
> Thanks for ANY input in regards to limits the jail system might have.
>
> This is on a golden 8.0-RELEASE i386, haven't updated it yet.

Take a look at the security.jail.allow_raw_sockets sysctl, or the allow.raw_sockets jail parameter (probably the former since the jail parameters don't have good rc support yet). By default, jails aren't allowed to create the raw sockets necessary for direct ethernet communication. Setting security.jail.allow_raw_sockets=1 should allow that.

You might also need to clear security.jail.socket_unixiproute_only (or set allow.socket_af) - not sure about that.

- Jamie
Re: Jails setup with binary packages only
On 12/27/09, Guy Marcenac g...@posteurs.com wrote:
> I would like to use a FreeBSD system with binary packages only. I want to heavily use the jail concept. All the documentation about jails implies the use of buildworld into the jails.
>
> In order to avoid any compilation time, I installed a minimal base system for the host and I nullfs mounted read-only every system directory (bin, sbin, etc) into my jails. Then, in order to be able to install additional software inside the jails, I unionfs mounted read-write empty directories on top of the nullfs read-only system directories.
>
> So I only have to freebsd-update the host and then freebsd-update each jail in order to keep updated.
>
> What about this kind of setup? Do I miss something?

A binary jail install with packages is fine. I don't know why it was documented to do it from source, other than the possibility that jails were a technology only achievable by updating your source files and installing (when jails were new). Now that it's gone through a release cycle, I've done several binary jails, with binary packages.

To get a system up quickly, I often do a binary jail install with binary packages, and then run ports and a build to keep it maintained. Of course if I need an option not default in a port, it gets done by ports.

Binary jail install, freebsd-update, pkg_add portaudit, rehash, portaudit -Fa

Now it's a basic setup, things like timezone (in the jail) and other odds-and-ends.

enjoy,
--Tim
Re: Jails: /bin/tcsh: Permission Denied
APseudoUtopia apseudouto...@gmail.com wrote:
> I'm setting up jails on my system. I started with a httpd jail for nginx and php to run in. I used ezjail to create it. I went through all the steps, and got a jail setup and working. I've logged in and out several times and installed a couple ports within the jail. I then added a non-privileged user by running adduser as root. However, that is when the problem came up. For some reason, I cannot switch to the unprivileged user. The shell is giving me a Permission Denied error.

What are the permissions on /bin/tcsh inside the jail? Is it executable? Are the permissions of all of its libraries correct? (ldd /bin/tcsh will list the libs.) Are the permissions on the home directory correct?

If everything else fails, trace the shell inside the jail (with strace, truss or ktrace). It will list the exact system call that fails.

By the way, I recommend that jails which contain daemons (such as webservers, databases etc.) do not contain login accounts. In fact, I never put /bin/tcsh inside a jail that contains a webserver. Apache certainly doesn't need it. Some ports do need /bin/csh during the build process, but for building ports I recommend to use a separate jail anyway, create packages and pkg_add them in the actual webserver jail.

Just my 2 cents.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, management: secnetix Verwaltungsgesellsch. mbH, commercial register: Munich registry court, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

$ dd if=/dev/urandom of=test.pl count=1
$ file test.pl
test.pl: perl script text executable
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme o...@lurza.secnetix.de wrote:
> APseudoUtopia apseudouto...@gmail.com wrote:
>> I'm setting up jails on my system. I started with a httpd jail for nginx and php to run in. I used ezjail to create it. I went through all the steps, and got a jail setup and working. I've logged in and out several times and installed a couple ports within the jail. I then added a non-privileged user by running adduser as root. However, that is when the problem came up. For some reason, I cannot switch to the unprivileged user. The shell is giving me a Permission Denied error.
>
> What are the permissions on /bin/tcsh inside the jail? Is it executable? Are the permissions of all of its libraries correct? (ldd /bin/tcsh will list the libs.) Are the permissions on the home directory correct?
>
> If everything else fails, trace the shell inside the jail (with strace, truss or ktrace). It will list the exact system call that fails.
>
> By the way, I recommend that jails which contain daemons (such as webservers, databases etc.) do not contain login accounts. In fact, I never put /bin/tcsh inside a jail that contains a webserver. Apache certainly doesn't need it. Some ports do need /bin/csh during the build process, but for building ports I recommend to use a separate jail anyway, create packages and pkg_add them in the actual webserver jail.
>
> Just my 2 cents.
>
> Best regards
> Oliver

Hi,

Thanks for the tips. I'm new to jails, and I didn't think it was possible to build a jail without tcsh. What shell do you use then? Just /bin/sh?

/bin/tcsh works fine for root. I log into the jail by using the ezjail-admin console option, which in turn executes /usr/bin/login. It logs in as root with a working tcsh shell. I've even changed the prompt of the shell in /root/.cshrc within the jail. I don't think it's the tcsh binary itself, rather some other permission.

However, the information you asked for is below.

As a matter-of-fact, I first ran into this problem when my web server (nginx) received a permission denied error for every file. While debugging it, I was asked to su to the www user. This is when I ran into this problem of getting a permission denied error for tcsh.

-r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh

/bin/tcsh:
        libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
        libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
        libc.so.7 => /lib/libc.so.7 (0x2811d000)

-r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
-r--r--r--  1 root  wheel   32020 Oct  5 05:34 /lib/libcrypt.so.4
-r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7

drwxr-xr-x  3 root      wheel     512 Oct  5 07:49 home
drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser

The truss trace is on a pastebin (the output seemed too long for an email) located at http://pastebin.ca/1594445
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 9:19 AM, APseudoUtopia apseudouto...@gmail.com wrote:
> On Mon, Oct 5, 2009 at 5:51 AM, Oliver Fromme o...@lurza.secnetix.de wrote:
>> APseudoUtopia apseudouto...@gmail.com wrote:
>>> I'm setting up jails on my system. I started with a httpd jail for nginx and php to run in. I used ezjail to create it. I went through all the steps, and got a jail setup and working. I've logged in and out several times and installed a couple ports within the jail. I then added a non-privileged user by running adduser as root. However, that is when the problem came up. For some reason, I cannot switch to the unprivileged user. The shell is giving me a Permission Denied error.
>>
>> What are the permissions on /bin/tcsh inside the jail? Is it executable? Are the permissions of all of its libraries correct? (ldd /bin/tcsh will list the libs.) Are the permissions on the home directory correct?
>>
>> If everything else fails, trace the shell inside the jail (with strace, truss or ktrace). It will list the exact system call that fails.
>>
>> By the way, I recommend that jails which contain daemons (such as webservers, databases etc.) do not contain login accounts. In fact, I never put /bin/tcsh inside a jail that contains a webserver. Apache certainly doesn't need it. Some ports do need /bin/csh during the build process, but for building ports I recommend to use a separate jail anyway, create packages and pkg_add them in the actual webserver jail.
>>
>> Just my 2 cents.
>>
>> Best regards
>> Oliver
>
> Hi,
>
> Thanks for the tips. I'm new to jails, and I didn't think it was possible to build a jail without tcsh. What shell do you use then? Just /bin/sh?
>
> /bin/tcsh works fine for root. I log into the jail by using the ezjail-admin console option, which in turn executes /usr/bin/login. It logs in as root with a working tcsh shell. I've even changed the prompt of the shell in /root/.cshrc within the jail. I don't think it's the tcsh binary itself, rather some other permission.
>
> However, the information you asked for is below.
>
> As a matter-of-fact, I first ran into this problem when my web server (nginx) received a permission denied error for every file. While debugging it, I was asked to su to the www user. This is when I ran into this problem of getting a permission denied error for tcsh.
>
> -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
>
> /bin/tcsh:
>         libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
>         libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
>         libc.so.7 => /lib/libc.so.7 (0x2811d000)
>
> -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
> -r--r--r--  1 root  wheel   32020 Oct  5 05:34 /lib/libcrypt.so.4
> -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
>
> drwxr-xr-x  3 root      wheel     512 Oct  5 07:49 home
> drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser
>
> The truss trace is on a pastebin (the output seemed too long for an email) located at http://pastebin.ca/1594445

Sorry to reply again, but I have some further information. I used chpass to change the shell of the jailuser account. I tried /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the same Permission denied error. Even nologin gave Permission denied instead of This account is currently not available.
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 1:24 PM, APseudoUtopia apseudouto...@gmail.com wrote:
> [snip]
> Sorry to reply again, but I have some further information. I used chpass to change the shell of the jailuser account. I tried /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the same Permission denied error. Even nologin gave Permission denied instead of This account is currently not available.

What happens with /bin/false ?

--
Glen Barber
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 9:28 AM, Glen Barber glen.j.bar...@gmail.com wrote:
> On Mon, Oct 5, 2009 at 1:24 PM, APseudoUtopia apseudouto...@gmail.com wrote:
>> [snip]
>> Sorry to reply again, but I have some further information. I used chpass to change the shell of the jailuser account. I tried /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the same Permission denied error. Even nologin gave Permission denied instead of This account is currently not available.
>
> What happens with /bin/false ?
>
> --
> Glen Barber

Same thing:

jailuser:*:1001:1001:User :/home/jailuser:/bin/false

# su jailuser
su: /bin/false: Permission denied
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 1:30 PM, APseudoUtopia apseudouto...@gmail.com wrote:
> On Mon, Oct 5, 2009 at 9:28 AM, Glen Barber glen.j.bar...@gmail.com wrote:
>> On Mon, Oct 5, 2009 at 1:24 PM, APseudoUtopia apseudouto...@gmail.com wrote:
>>> [snip]
>>> Sorry to reply again, but I have some further information. I used chpass to change the shell of the jailuser account. I tried /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the same Permission denied error. Even nologin gave Permission denied instead of This account is currently not available.
>>
>> What happens with /bin/false ?
>>
>> --
>> Glen Barber
>
> Same thing:
>
> jailuser:*:1001:1001:User :/home/jailuser:/bin/false
>
> # su jailuser
> su: /bin/false: Permission denied

Have you created another user to test?

FWIW, I was wrong about the location of 'false' - it is /usr/bin/false, not /bin/false - you should have received 'command not found'.

--
Glen Barber
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 1:33 PM, Glen Barber glen.j.bar...@gmail.com wrote:
> [snip]
>> jailuser:*:1001:1001:User :/home/jailuser:/bin/false
>>
>> # su jailuser
>> su: /bin/false: Permission denied

Also, check the permissions on /home/jailuser

--
Glen Barber
Re: Jails: /bin/tcsh: Permission Denied
On Mon, Oct 5, 2009 at 4:08 AM, APseudoUtopia apseudouto...@gmail.com wrote:
> Hey list,
>
> I'm setting up jails on my system. I started with a httpd jail for nginx and php to run in. I used ezjail to create it. I went through all the steps, and got a jail setup and working. I've logged in and out several times and installed a couple ports within the jail. I then added a non-privileged user by running adduser as root. However, that is when the problem came up. For some reason, I cannot switch to the unprivileged user. The shell is giving me a Permission Denied error.
> [snip]

I have solved the problem with the help of Google and this thread: https://elektropost.org/ezjail/threads.html#00263

The permissions on the HOST for /usr/jails/httpd and /usr/jails/basejail were set incorrectly. When I installed the jail, I used umask 0077. Those jail directories needed to be chmod'ed 755.

Everything works successfully now. Thanks very much for the tips, suggestions, and overall help. If I hadn't found that ezjail mailing list thread, I would've been ripping my hair out for days.
Re: Jails: /bin/tcsh: Permission Denied
APseudoUtopia wrote:
> Thanks for the tips. I'm new to jails, and I didn't think it was possible to build a jail without tcsh. What shell do you use then? Just /bin/sh?

I never log into a jail. There's no reason to do that.

However, usually /bin/sh is required to run scripts, cron jobs and other things. Also, some library functions such as system(3) and popen(3) require /bin/sh. Those functions are used by many programs. So, basically, you will almost always need to have /bin/sh in a jail. But that doesn't mean that you have any login accounts inside the jail.

Usually the passwd inside your jail should only contain root and a few pseudo users. The pseudo users (including root) should have no valid password, no valid login shell, and in most cases no valid home directory. There's no reason to make things easier for intruders.

Of course, that's only true for jails that contain services (i.e. daemons). If you want to put shell users inside jails, that's a completely different thing.

(I'm not using ezjail, FWIW.)

> -r-xr-xr-x  2 root  wheel  311400 Oct  5 05:34 /bin/tcsh
>
> /bin/tcsh:
>         libncurses.so.7 => /lib/libncurses.so.7 (0x280c5000)
>         libcrypt.so.4 => /lib/libcrypt.so.4 (0x28104000)
>         libc.so.7 => /lib/libc.so.7 (0x2811d000)
>
> -r--r--r--  1 root  wheel  258572 Oct  5 05:34 /lib/libncurses.so.7
> -r--r--r--  1 root  wheel   32020 Oct  5 05:34 /lib/libcrypt.so.4
> -r--r--r--  1 root  wheel  993092 Oct  5 05:34 /lib/libc.so.7
>
> drwxr-xr-x  3 root      wheel     512 Oct  5 07:49 home
> drwxr-xr-x  2 jailuser  jailuser  512 Oct  5 07:49 jailuser

Looks good. The only thing I noticed is that your /etc/login.conf.db doesn't seem to be world-readable. It should have permissions 644, but has only 600. However, I'm not sure if this might cause the kind of problem you're seeing. But fixing the permissions is certainly worth a try.

> The truss trace is on a pastebin (the output seemed too long for an email) located at http://pastebin.ca/1594445

Other than that, I didn't notice anything unusual in the trace.

> Sorry to reply again, but I have some further information. I used chpass to change the shell of the jailuser account. I tried /bin/sh, /bin/csh, /bin/tcsh, and /sbin/nologin. All of those gave the same Permission denied error. Even nologin gave Permission denied instead of This account is currently not available.

Yeah, when the trace aborts, it is still executing the su binary. It doesn't get as far as actually trying to execute the shell.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, http://www.secnetix.de/bsd

We, the unwilling, led by the unknowing, are doing the impossible for the ungrateful. We have done so much, for so long, with so little, we are now qualified to do anything with nothing. -- Mother Teresa
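Oliver's rule for service jails (only root and a few pseudo users, none with a valid password, login shell or home directory) as an added audit script, not something from the thread: it reads the jail's passwd or master.passwd and lists every account that would still let someone log in. Treating /nonexistent and /var/empty as the only acceptable homes, and nologin/false as the only acceptable shells, are this example's assumptions; the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the accounts inside a service
# jail against the advice above. Reads passwd(5) (7 fields) or
# master.passwd(5) (10 fields) on stdin; in both formats the password hash
# is field 2, the home directory the second-to-last field and the shell
# the last one.
#
# An account is reported when it has a password hash (anything other than
# the locked markers "*" or "!"), a shell that is not nologin/false, or a
# home directory other than /nonexistent or /var/empty. Treating those two
# as the only "no valid home" values is an assumption of this example.

# audit_jail_passwd < passwd-file
# Prints "user: finding[, finding...]" per offending account; exit 1 if any.
audit_jail_passwd() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }              # skip blanks and comments
        NF != 7 && NF != 10 { next }              # not a passwd record
        {
            user = $1; pw = $2; home = $(NF - 1); shell = $NF
            n = 0
            if (pw != "*" && pw != "!")
                findings[++n] = "password hash set"
            if (shell != "" && shell !~ /(nologin|false)$/)
                findings[++n] = "login shell " shell
            if (home != "/nonexistent" && home != "/var/empty")
                findings[++n] = "home " home
            if (n > 0) {
                line = user ":"
                for (i = 1; i <= n; i++)
                    line = line (i > 1 ? "," : "") " " findings[i]
                print line
                hits++
            }
        }
        END { exit (hits > 0 ? 1 : 0) }
    '
}

# Constructed sample in master.passwd format: the www and nobody pseudo
# users as the advice wants them, root still carrying a shell, and the
# jailuser from the thread given a fake password hash.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
jailuser:$6$constructedhash:1001:1001::0:0:User :/home/jailuser:/bin/tcsh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# Run on the sample with: sh audit.sh demo
# On a real jail: audit_jail_passwd < /usr/jails/httpd/etc/master.passwd
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_jail_passwd
fi
```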
Re: Jails: /bin/tcsh: Permission Denied
APseudoUtopia apseudouto...@gmail.com wrote:
> The permissions on the HOST for /usr/jails/httpd and /usr/jails/basejail were set incorrectly. When I installed the jail, I used umask 0077.

You should _never_ have umask 077 as root. It will cause all kinds of weird problems. It's best to keep the umask at the default of 022, unless you specifically know that you need a different one for a certain installation.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, http://www.secnetix.de/bsd
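As an added example (not from the thread), the check that would have found the umask 0077 problem discussed above: an sh function that walks every directory component on the host path to a jail root and reports the ones without search permission for "others", which every unprivileged uid inside the jail needs in order to reach /bin/sh, /bin/false or its home directory. The /usr/jails/httpd and /usr/jails/basejail paths are the thread's; the demo builds a constructed temporary tree instead of touching them.

```shell
#!/bin/sh
# Added example (not from the thread): find directory components on the
# path to a jail root that lack search (x) permission for "others".
# A jail root created while root's umask was 0077 is mode 700, so every
# unprivileged uid inside the jail (www, jailuser, ...) fails to traverse
# it and gets "Permission denied" even for /bin/sh or /bin/false.

# check_path_search DIR
# Prints one line per offending component, returns 1 if any were found.
# Uses ls -ld so it works unchanged on FreeBSD and Linux (stat(1) differs).
check_path_search() {
    dir=$1
    rc=0
    while :; do
        perms=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxr-xr-x
        case $perms in
            d????????[xt])                    # 10th char: others may search
                ;;
            d*)
                echo "missing o+x: $dir ($perms)"
                rc=1
                ;;
            *)
                echo "not a directory: $dir ($perms)"
                rc=1
                ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_jail_roots DIR...
# Runs the check for every jail root given, e.g. on the thread's host:
#   check_jail_roots /usr/jails/httpd /usr/jails/basejail
check_jail_roots() {
    status=0
    for root in "$@"; do
        check_path_search "$root" || status=1
    done
    return $status
}

# Constructed demo tree under a temp dir that reproduces the thread's
# mistake: basejail left at mode 700 by umask 0077, httpd fixed to 755.
demo_tree() {
    base=$(mktemp -d "${TMPDIR:-/tmp}/jailperm.XXXXXX")
    mkdir -p "$base/jails/httpd" "$base/jails/basejail"
    chmod 755 "$base" "$base/jails" "$base/jails/httpd"
    chmod 700 "$base/jails/basejail"   # what umask 0077 left behind
    echo "$base"
}

# Run the demo with: sh jailperm.sh demo
if [ "${1:-}" = demo ]; then
    base=$(demo_tree)
    check_jail_roots "$base/jails/httpd" "$base/jails/basejail"
    rm -rf "$base"
fi
```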
Re: Jails and common ports
On Thursday 20 November 2008 23:33:30 Marcus I. Ryan wrote:
> However, I started hitting issues with libtool and friends. The children would not find them, and would go ahead and start installing their own local copies of those ports. Turns out quite a few tools are defined in /usr/ports/Mk/* and are defined relative to LOCALBASE. If I leave LOCALBASE and PREFIX alone in the child jails so they'll use /usr/local for their specific ports, I can't recognize and use other ports like libtool installed in /opt; it doesn't seem right to set LOCALBASE in the child jails since I want them to use /usr/local for anything I haven't provided.

Yeah, I feel your pain. You can't really do this with ports that require libraries from other ports. The ports system was created with the assumption that LOCALBASE (and PREFIX) for one installation (one PKG_DBDIR) is the same. There are some exceptions, or rather, for some things it can work but libraries in general don't and libtool is even pickier. I only have bash-static, sudo and vim shared in /opt, as they are stand-alone and no ports I use depend on them.

The only thing I can think of that would work for you is to use unionfs for /usr/local.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: Jails, IPs and identd
On Tue, 5 Aug 2008, Redd Vinylene wrote:
> Hello!
>
> I have a jail with multiple IPs. It runs identd, however it only works from the jail's main IP:
>
> auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
>
> How do I make it work from absolutely all IPs? Perhaps:
>
> auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30 -a insert hundreds of ips here?
>
> Thank you all!

# man identd

     -a      Specify one specific IP address to bind to. Alternatively, a hostname can be specified, in which case the IPv4 or IPv6 address which corresponds to that hostname is used. Usually a hostname is specified when inetd is run inside a jail(8), in which case the hostname corresponds to that of the jail(8) environment. When the hostname specification is used and both IPv4 and IPv6 bindings are desired, one entry with the appropriate protocol type for each binding is required for each service in /etc/inetd.conf. For example, a TCP-based service would need two entries, one using ``tcp4'' for the protocol and the other using ``tcp6''. See the explanation of the /etc/inetd.conf protocol field below.

It is my understanding you get one IP/jail and that multiple IPs are a work in progress. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-intro.html

  A jail is characterized by four elements:
  :
  * An IP address -- this will be assigned to the jail and cannot be changed in any way during the jail's life span. The IP address of a jail is usually an alias address for an existing network interface, but this is not strictly necessary.
Re: Jails, IPs and identd
Yeah but I'm using Bjoern Zeeb's multiple IP patch...

On Tue, Aug 5, 2008 at 4:43 PM, doug [EMAIL PROTECTED] wrote:
> On Tue, 5 Aug 2008, Redd Vinylene wrote:
>> Hello!
>>
>> I have a jail with multiple IPs. It runs identd, however it only works from the jail's main IP:
>>
>> auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
>>
>> How do I make it work from absolutely all IPs? Perhaps:
>>
>> auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30 -a insert hundreds of ips here?
>>
>> Thank you all!
>
> # man identd
>
>      -a      Specify one specific IP address to bind to. Alternatively, a hostname can be specified, in which case the IPv4 or IPv6 address which corresponds to that hostname is used. Usually a hostname is specified when inetd is run inside a jail(8), in which case the hostname corresponds to that of the jail(8) environment. When the hostname specification is used and both IPv4 and IPv6 bindings are desired, one entry with the appropriate protocol type for each binding is required for each service in /etc/inetd.conf. For example, a TCP-based service would need two entries, one using ``tcp4'' for the protocol and the other using ``tcp6''. See the explanation of the /etc/inetd.conf protocol field below.
>
> It is my understanding you get one IP/jail and that multiple IPs are a work in progress. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-intro.html
>
>   A jail is characterized by four elements:
>   :
>   * An IP address -- this will be assigned to the jail and cannot be changed in any way during the jail's life span. The IP address of a jail is usually an alias address for an existing network interface, but this is not strictly necessary.

--
http://www.home.no/reddvinylene
Re: Jails, IPs and identd
On Tue, Aug 5, 2008 at 6:02 PM, [EMAIL PROTECTED] wrote:
> ah - above my pay grade.
>
> On Tue, 5 Aug 2008, Redd Vinylene wrote:
>> Yeah but I'm using Bjoern Zeeb's multiple IP patch...
>>
>> On Tue, Aug 5, 2008 at 4:43 PM, doug [EMAIL PROTECTED] wrote:
>>> On Tue, 5 Aug 2008, Redd Vinylene wrote:
>>>> Hello!
>>>>
>>>> I have a jail with multiple IPs. It runs identd, however it only works from the jail's main IP:
>>>>
>>>> auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30
>>>>
>>>> How do I make it work from absolutely all IPs? Perhaps:
>>>>
>>>> auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30 -a insert hundreds of ips here?
>>>>
>>>> Thank you all!
>>>
>>> # man identd
>>>
>>>      -a      Specify one specific IP address to bind to. Alternatively, a hostname can be specified, in which case the IPv4 or IPv6 address which corresponds to that hostname is used. Usually a hostname is specified when inetd is run inside a jail(8), in which case the hostname corresponds to that of the jail(8) environment. When the hostname specification is used and both IPv4 and IPv6 bindings are desired, one entry with the appropriate protocol type for each binding is required for each service in /etc/inetd.conf. For example, a TCP-based service would need two entries, one using ``tcp4'' for the protocol and the other using ``tcp6''. See the explanation of the /etc/inetd.conf protocol field below.
>>>
>>> It is my understanding you get one IP/jail and that multiple IPs are a work in progress. See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-intro.html
>>>
>>>   A jail is characterized by four elements:
>>>   :
>>>   * An IP address -- this will be assigned to the jail and cannot be changed in any way during the jail's life span. The IP address of a jail is usually an alias address for an existing network interface, but this is not strictly necessary.
>>
>> --
>> http://www.home.no/reddvinylene
>
> _
> Douglas Denault
> http://www.safeport.com
> [EMAIL PROTECTED]
> Voice: 301-469-8766
> Fax: 301-469-0601

heheh.. no worries. I think I'm better off asking this on the freebsd-jails mailing list anyhow. Have a great day!

--
http://www.home.no/reddvinylene
Re: Jails and IP Aliasing
Jason Morgan wrote:
> On 2008.07.07 12:16:44, David Allen wrote:
>> # grep fxp0 /etc/rc.conf
>> ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
>> ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
>> ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
>> ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"
>>
>> My understanding from the handbook is that the mask should be set to all ones if the alias is for an address that's part of the same network. For a different segment, it's the first alias that should be set to the real netmask, with any additional aliases using a netmask of all ones. Granted, the broadcast addresses look odd. If my programming skills were better, I'd just read through the code and understand what's really happening, but for now, I'm just taking the FreeBSD folks at their word and following instructions.
>>
>> That's a roundabout way of saying I think your aliases are set up incorrectly. ;-)
>
> That is quite possible (I do notice the newer documentation calling for netmask 0xffffffff). But I have never had any trouble over the last three years so, you know how it is, if it ain't (too) broke ...

Using a /32 netmask for aliases in the same network as the primary address used to be mandatory until sometime during the 6.x RELEASE series. It is still recommended in the various documentation, and it does make it clear to the administrator which is the primary address when looking at ifconfig output, when that distinction is important[*].

Using the 'natural' netmask for the network the aliases are part of has worked for several years: this seems to be what most new users expect and it's familiar for users of other operating systems.

As far as I know, there is no technical or performance reason to prefer one style over the other -- just a matter of administrator preference.

Cheers,

Matthew

[*] i.e. which is the source address used for connections /from/ the server. If all the aliases are used for jails, or all your software is configured to bind to one or other of the addresses, this doesn't come into play.

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Jails and IP Aliasing
Hi,

I guess the problem is with your netmask and respectively the broadcast addresses for the jails. It should be:

inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

Regards,
Ivailo Tanusheff
Deputy Head of IT Department
ProCredit Bank (Bulgaria) AD

Jason Morgan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07.07.2008 21:01
To: FreeBSD Questions freebsd-questions@freebsd.org
cc:
Subject: Re: Jails and IP Aliasing

Hello,

On 2008.07.07 09:51:33, David Allen wrote:
> Unless I'm losing my mind, I'm encountering what seems to be yet another gotcha with jails. The following has been dumbed down for clarity and brevity.
>
> -
> # hostname
> jailhost.example.org
> # host jailhost
> jailhost.example.org has address 10.0.1.2
> # ifconfig fxp0
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         ether 00:07:e9:c8:2e:32
>         inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
>         inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
>         inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active

This is the output for my jail interface. Notice that your jail aliases are broadcasting on the jail's IP. I don't know if this is an issue or not (my jails run on i386 FBSD 6.3), but it's something to look at. How are you setting the aliases?

sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (1000baseTX <full-duplex,flag0,flag1>)
        status: active

Cheers,
~Jason
Re: Jails and IP Aliasing
On Monday 07 July 2008 18:51:33 David Allen wrote:

> Granted, everything is really happening over the loopback address, but a
> connection originating from the jailhost to a jail should appear to be
> using the jailhost's IP address, or so I'd like to think. If it doesn't,
> then the scenario is awkward at best when trying to understand or debug
> issues.

To debug this, you need to 'add jail support to sockstat'. This sounds
hard, and it is, but you can fake it, since sockstat gives you the PID.
With a little creative scripting, you can call `ps -o state' for each PID
in the list, look for the capital 'J' and if it is, add the 'J' to the
line.

> The thought occurred to me, however, that I could add a new network card
> and reserve that for the IP aliases needed by the jails. But I'm not sure
> whether that will work in telling me who's who, or whether I'll discover
> another gotcha. ;-)

It will add more gotchas, unless you put each network card in a different
network. With the IPs given here, you tell the host that 10.0.1.0/24 is on
fxp0, so it will never go to fxp1 for 10.0.1.4.

-- 
Mel

Problem with today's modular software: they start with the modules and
never get to the software part.
Re: Jails and IP Aliasing
On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:

> Hi,
>
> I guess the problem is with your netmask and respectively the broadcast
> addresses for the jails. It should be:
>
> inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255
> inet 10.0.1.4 netmask 0xff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have
255.255.255.255 netmask.

-- 
Mel

Problem with today's modular software: they start with the modules and
never get to the software part.
Re: Jails and IP Aliasing
No, I am right. Try it yourself and you will see that solves the issue.
I have several jails on different machines and this way the system works
without any error or problem.
Try it and see it :)

Regards,
Ivailo Tanusheff

Mel [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08.07.2008 12:38
To: freebsd-questions@freebsd.org
cc:
Subject: Re: Jails and IP Aliasing

> On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
> > Hi,
> >
> > I guess the problem is with your netmask and respectively the broadcast
> > addresses for the jails. It should be:
> >
> > inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> > inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255
> > inet 10.0.1.4 netmask 0xff00 broadcast 10.0.1.255
>
> You guess wrong. Aliases SHOULD (as in IETF RFC should) have
> 255.255.255.255 netmask.
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules and
> never get to the software part.
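The disagreement above is about which netmask and broadcast an alias should carry. As an added example (not from the thread), here is a small Python checker that reads the `inet ... netmask ... broadcast ...` lines ifconfig(8) prints and applies the rule the FreeBSD Handbook gives for aliases: the first address in a subnet carries the real netmask, and every further alias in the same subnet carries netmask 0xffffffff, so its broadcast is its own address (which is exactly what David's fxp0 output shows). It also reports a broadcast that does not follow from the stated mask. The masks in the archived thread are truncated; the constructed samples below assume they were 0xffffff00 and 0xffffffff.

```python
"""Check ifconfig(8) 'inet' lines for alias netmask/broadcast consistency.

Added example for this thread; not code from the list or from FreeBSD.
"""
import ipaddress
import re

# Matches the "inet A netmask 0xMMMMMMMM [broadcast B]" lines of ifconfig output.
INET_RE = re.compile(
    r"inet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(0x[0-9a-fA-F]{8})"
    r"(?:\s+broadcast\s+(\d+\.\d+\.\d+\.\d+))?"
)

# Constructed sample: David's fxp0, with the truncated masks assumed to be
# 0xffffff00 for the primary address and 0xffffffff for the two jail aliases.
DAVID_FXP0 = """\
        inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
        inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
        inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
"""

# Constructed sample: Jason's sk0, where every alias repeats the /24 mask.
JASON_SK0 = """\
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
"""


def parse_inet_lines(ifconfig_text):
    """Return a list of (address, mask_as_int, broadcast_or_None) tuples."""
    entries = []
    for m in INET_RE.finditer(ifconfig_text):
        entries.append((m.group(1), int(m.group(2), 16), m.group(3)))
    return entries


def expected_broadcast(addr, mask):
    """Directed broadcast implied by addr/mask: host bits all set."""
    host_bits = ~mask & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) | host_bits))


def check_aliases(ifconfig_text):
    """Apply the Handbook alias rule and report inconsistencies as strings."""
    findings = []
    subnets = []  # one IPv4Network per address that carries a real netmask
    for addr, mask, bcast in parse_inet_lines(ifconfig_text):
        exp = expected_broadcast(addr, mask)
        if bcast is not None and bcast != exp:
            findings.append(
                f"{addr}: broadcast {bcast} inconsistent with netmask "
                f"0x{mask:08x} (expected {exp})")
        ip = ipaddress.IPv4Address(addr)
        if mask == 0xFFFFFFFF:
            # Host-only alias: fine as long as an earlier address defined its subnet.
            if not any(ip in net for net in subnets):
                findings.append(
                    f"{addr}: host-only alias but no earlier address on this "
                    f"interface defines its subnet")
            continue
        net = ipaddress.IPv4Network(
            (addr, str(ipaddress.IPv4Address(mask))), strict=False)
        if net in subnets:
            findings.append(
                f"{addr}: repeats the subnet mask of {net}; a further alias in "
                f"the same subnet should use netmask 0xffffffff")
        else:
            subnets.append(net)
    return findings


if __name__ == "__main__":
    for label, sample in (("fxp0", DAVID_FXP0), ("sk0", JASON_SK0)):
        print(label, check_aliases(sample) or "OK")
```

Run against the two samples, David's fxp0 passes and Jason's sk0 is flagged twice, once for each alias that repeats the /24 mask; feeding it the output of `ifconfig fxp0` on a real host gives the same report for that interface.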
Re: Jails and IP Aliasing
On Mon, Jul 7, 2008 at 2:01 PM, George Hartzell [EMAIL PROTECTED] wrote:
> Did you take the necessary steps to restrict the IP addresses on which
> sendmail on the host and the jail listen? The jail man page only says:

I don't think anyone would get too far with jails in general if the jail
host wasn't properly configured beforehand.

To answer your question, sendmail on the jail host is listening to the
loopback address only. And to the extent it's not redundant or
meaningless, within each jail, sendmail is configured to listen to the
jail's IP address only.

Regrettably, the problem isn't specific to sendmail or any other service,
as an ssh connection would exhibit identical behaviour. Put simply, all
connections from the jail host to any jail are reported as using that
jail's IP address only. Doesn't matter if you're viewing the state from
the perspective of the jail host, or from within the jail itself. Both
ends of the connection have the same IP address.
Re: Jails and IP Aliasing
On Tue, Jul 8, 2008 at 2:24 AM, Mel [EMAIL PROTECTED] wrote:
> On Monday 07 July 2008 18:51:33 David Allen wrote:
> > Granted, everything is really happening over the loopback address, but a
> > connection originating from the jailhost to a jail should appear to be
> > using the jailhost's IP address, or so I'd like to think. If it doesn't,
> > then the scenario is awkward at best when trying to understand or debug
> > issues.
>
> To debug this, you need to 'add jail support to sockstat'. This sounds
> hard, and it is, but you can fake it, since sockstat gives you the PID.
> With a little creative scripting, you can call `ps -o state' for each PID
> in the list, look for the capital 'J' and if it is, add the 'J' to the
> line.

Been there and done that. When I first started working with jails, I
discovered that most standard utilities didn't offer any support for
jails, and chaining commands got to be really old fast. I ended up writing
a few Perl scripts and routinely use those instead. IIRC, there's a
jail-related port that offers a collection of something similar.

Still, we're talking about a very limited subset of tools and
functionality. What about tcpdump? Or firewall rules? Or any other network
tool?

There was a post recently (Matthew Seaman's name comes to mind) that
suggested binding jails to addresses in the loopback range and then using
firewall rules to redirect the traffic accordingly. There's a possibility
that may help in this case, but that layer of added complexity isn't much
of an improvement over seeing connections with seemingly identical
endpoints and interpreting the results in my head.

> > The thought occurred to me, however, that I could add a new network card
> > and reserve that for the IP aliases needed by the jails. But I'm not sure
> > whether that will work in telling me who's who, or whether I'll discover
> > another gotcha. ;-)
>
> It will add more gotchas, unless you put each network card in a different
> network. With the IPs given here, you tell the host that 10.0.1.0/24 is on
> fxp0, so it will never go to fxp1 for 10.0.1.4.

You're probably right. I'm wondering, though, if by moving the jails into
their own network space and adding routing into the mix, the end result
may be more satisfactory?

Setting aside the fun of mental gymnastics, the conclusion seems to be
don't run anything on the jail host that would initiate a connection to a
service running inside a jail. Unless, of course, you don't mind being
confused (at least from a networking perspective) by WTF you're seeing.
;-)

Either way, thanks very much for the input.
Re: Jails and IP Aliasing
David Allen wrote:
> There was a post recently (Matthew Seaman's name comes to mind) that
> suggested binding jails to addresses in the loopback range and then using
> firewall rules to redirect the traffic accordingly. There's a possibility
> that may help in this case, but that layer of added complexity isn't much
> of an improvement over seeing connections with seemingly identical
> endpoints and interpreting the results in my head.

Guilty as charged M'lud. However what I recommended was a more-than-slightly
hacky way to achieve three things:

  * Something like a loopback address inside the jail. It may be 127.0.0.2
    instead of 127.0.0.1 but most software can be persuaded to use it for
    loopback style things.

  * The ability to map several IPs onto the jailed system by use of NAT and
    redirect within firewall rules

  * The ability to have a jail with /no/ external IP for when the paranoia
    becomes unbearable[*].

Of course, all this will be immediately obsoleted by Marco Zec's work on
virtualizing the IP stack. http://imunes.tel.fer.hr/virtnet/

Cheers,

Matthew

[*] Combine this with a Hardware Load Balancer that does Direct Server
    Return and you can have a publicly accessible jailed server with /no
    external IP address/.

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: Jails and IP Aliasing
Hello,

> * Something like a loopback address inside the jail. It may be 127.0.0.2
>   instead of 127.0.0.1 but most software can be persuaded to use it for
>   loopback style things.
>
> * The ability to map several IPs onto the jailed system by use of NAT and
>   redirect within firewall rules
>
> * The ability to have a jail with /no/ external IP for when the paranoia
>   becomes unbearable[*].

Most of this is actually implemented by [EMAIL PROTECTED]
You can find some patches at http://sources.zabbadoz.net/freebsd/jail.html

-- 
Best regards,
Daniel Gerzo
Re: Jails and IP Aliasing
Daniel Gerzo wrote:
> Hello,
>
> > * Something like a loopback address inside the jail. It may be 127.0.0.2
> >   instead of 127.0.0.1 but most software can be persuaded to use it for
> >   loopback style things.
> >
> > * The ability to map several IPs onto the jailed system by use of NAT and
> >   redirect within firewall rules
> >
> > * The ability to have a jail with /no/ external IP for when the paranoia
> >   becomes unbearable[*].
>
> Most of this is actually implemented by [EMAIL PROTECTED]
> You can find some patches at http://sources.zabbadoz.net/freebsd/jail.html

These patches (in various forms) have been around since version 4.x. Why
has none of this functionality ever been committed to head?
Re: Jails and IP Aliasing
On Tuesday 08 July 2008 11:24:33 Mel wrote:
> On Monday 07 July 2008 18:51:33 David Allen wrote:
> > Granted, everything is really happening over the loopback address, but a
> > connection originating from the jailhost to a jail should appear to be
> > using the jailhost's IP address, or so I'd like to think. If it doesn't,
> > then the scenario is awkward at best when trying to understand or debug
> > issues.
>
> To debug this, you need to 'add jail support to sockstat'. This sounds
> hard, and it is

It's actually not that hard, though it stretches the output width. Diff
inlined below sig, for RELENG_7.

-- 
Mel

Problem with today's modular software: they start with the modules and
never get to the software part.

Index: sockstat.c === RCS file: /home/ncvs/src/usr.bin/sockstat/sockstat.c,v retrieving revision 1.17 diff -u -r1.17 sockstat.c --- sockstat.c 16 Jun 2007 20:24:55 - 1.17 +++ sockstat.c 8 Jul 2008 19:40:11 - @@ -94,6 +94,11 @@ struct sock *next; }; +struct procinfo { + const char *procname; + int jid; +}; + #define HASHSIZE 1009 static struct sock *sockhash[HASHSIZE]; @@ -513,13 +518,16 @@ return xprintf(%s:%d, addrstr, port); } -static const char * -getprocname(pid_t pid) +static int +getprocinfo(pid_t pid, struct procinfo *pi_ptr) { static struct kinfo_proc proc; size_t len; int mib[4]; + if( pi_ptr == NULL ) + return -1; + mib[0] = CTL_KERN; mib[1] = KERN_PROC; mib[2] = KERN_PROC_PID; @@ -529,9 +537,12 @@ /* Do not warn if the process exits before we get its name. */ if (errno != ESRCH) warn(sysctl()); - return (??); + return -1; } - return (proc.ki_comm); + pi_ptr-procname = proc.ki_comm; + pi_ptr-jid = proc.ki_jid; + + return (0); } static int
@@ -564,11 +575,12 @@ struct passwd *pwd; struct xfile *xf; struct sock *s; + struct procinfo pi; void *p; int hash, n, pos; - printf(%-8s %-10s %-5s %-2s %-6s %-21s %-21s\n, - USER, COMMAND, PID, FD, PROTO, + printf(%-8s %-10s %-5s %-5s %-2s %-6s %-21s %-21s\n, + USER, COMMAND, PID, JID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS); setpassent(1); for (xf = xfiles, n = 0; n nxfiles; ++n, ++xf) { @@ -583,33 +595,41 @@ if (!check_ports(s)) continue; pos = 0; + if( -1 == getprocinfo(xf-xf_pid, pi) ) + { + pi.procname = ??; + pi.jid = -1; + } if ((pwd = getpwuid(xf-xf_uid)) == NULL) pos += xprintf(%lu, (u_long)xf-xf_uid); else pos += xprintf(%s, pwd-pw_name); while (pos 9) pos += xprintf( ); - pos += xprintf(%.10s, getprocname(xf-xf_pid)); + pos += xprintf(%.10s, pi.procname); while (pos 20) pos += xprintf( ); pos += xprintf(%lu, (u_long)xf-xf_pid); while (pos 26) pos += xprintf( ); + pos += xprintf(%u, pi.jid); + while (pos 32) + pos += xprintf( ); pos += xprintf(%d, xf-xf_fd); - while (pos 29) + while (pos 35) pos += xprintf( ); pos += xprintf(%s, s-protoname); if (s-vflag INP_IPV4) pos += xprintf(4); if (s-vflag INP_IPV6) pos += xprintf(6); - while (pos 36) + while (pos 42) pos += xprintf( ); switch (s-family) { case AF_INET: case AF_INET6: pos += printaddr(s-family, s-laddr); - while (pos 58) + while (pos 64) pos += xprintf( ); pos += printaddr(s-family, s-faddr); break;
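Review bot: in the getprocinfo() hunk (@@ -513,13 +518,16 @@), `pi_ptr->procname = proc.ki_comm` hands back a pointer into the function's static `struct kinfo_proc`, so the name in a `struct procinfo` is only valid until the next getprocinfo() call and any caller that keeps the struct across iterations reads another process's name; either copy the name into the struct (`char procname[COMMLEN + 1]` filled with strlcpy) or state that lifetime in a comment on `struct procinfo` in the first hunk, which currently carries no documentation at all.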
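Review bot: in the last hunk (@@ -583,33 +595,41 @@) the fallback sets `pi.jid = -1` when getprocinfo() fails, but the column is printed with `xprintf(%u, pi.jid)`, so an unreadable process shows a JID of 4294967295 and overruns the 5-character column the header reserves; print it with `%d`, or better print `??` there as the procname fallback already does, so a failed lookup is not mistaken for a real jail id.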
Re: Jails and IP Aliasing
On Tue, Jul 8, 2008 at 9:35 AM, Matthew Seaman [EMAIL PROTECTED] wrote:
> David Allen wrote:
> > There was a post recently (Matthew Seaman's name comes to mind) that
> > suggested binding jails to addresses in the loopback range and then using
> > firewall rules to redirect the traffic accordingly. There's a possibility
> > that may help in this case, but that layer of added complexity isn't much
> > of an improvement over seeing connections with seemingly identical
> > endpoints and interpreting the results in my head.
>
> Guilty as charged M'lud.

Stand up, fool, lest I be forced to lower my knee and acknowledge your
presence in a manner befitting a man as yourself.

> However what I recommended was a more-than-slightly hacky way to achieve
> three things:
>
>   * Something like a loopback address inside the jail. It may be 127.0.0.2
>     instead of 127.0.0.1 but most software can be persuaded to use it for
>     loopback style things.
>
>   * The ability to map several IPs onto the jailed system by use of NAT and
>     redirect within firewall rules
>
>   * The ability to have a jail with /no/ external IP for when the paranoia
>     becomes unbearable[*].

It could be said that those three expand into more numerous achievements.
I'm still debating the more-than-slightly hacky aspects of such an
arrangement, but undeniably it's interesting enough.

> Of course, all this will be immediately obsoleted by Marco Zec's work on
> virtualizing the IP stack. http://imunes.tel.fer.hr/virtnet/

Promising, even exciting, but I'm having trouble deciding whether I
declare a victory for the triumph of optimism over experience, or offer
the comment that the Real Soon Now schedule is a disappointment?

Seriously, though, jails can be seen as the greatest thing since sliced
bread, but I have this nagging feeling I'm at work writing a small book
that details their niggly shortcomings, a book whose completion, I hope,
will be cut short by the addition of New and Improved features.
Re: Jails and IP Aliasing
Hello,

On 2008.07.07 09:51:33, David Allen wrote:
> Unless I'm losing my mind, I'm encountering what seems to be yet another
> gotcha with jails. The following has been dumbed down for clarity and
> brevity.
>
> -
> # hostname
> jailhost.example.org
> # host jailhost
> jailhost.example.org has address 10.0.1.2
> # ifconfig fxp0
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         ether 00:07:e9:c8:2e:32
>         inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
>         inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
>         inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active

This is the output for my jail interface. Notice that your jail aliases
are broadcasting on the jail's IP. I don't know if this is an issue or not
(my jails run on i386 FBSD 6.3), but it's something to look at. How are
you setting the aliases?

sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
        inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
        inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (1000baseTX <full-duplex,flag0,flag1>)
        status: active

Cheers,
~Jason
Re: Jails and IP Aliasing
On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan [EMAIL PROTECTED] wrote:
> On 2008.07.07 09:51:33, David Allen wrote:
> > Unless I'm losing my mind, I'm encountering what seems to be yet another
> > gotcha with jails. The following has been dumbed down for clarity and
> > brevity.
> >
> > -
> > # hostname
> > jailhost.example.org
> > # host jailhost
> > jailhost.example.org has address 10.0.1.2
> > # ifconfig fxp0
> > fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> >         options=b<RXCSUM,TXCSUM,VLAN_MTU>
> >         ether 00:07:e9:c8:2e:32
> >         inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> >         inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
> >         inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
>
> This is the output for my jail interface. Notice that your jail aliases
> are broadcasting on the jail's IP. I don't know if this is an issue or not
> (my jails run on i386 FBSD 6.3), but it's something to look at. How are
> you setting the aliases?
>
> sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
>         inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
>         inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
>         ether xx:xx:xx:xx:xx:xx
>         media: Ethernet autoselect (1000baseTX <full-duplex,flag0,flag1>)
>         status: active

My own aliases:

# grep fxp0 /etc/rc.conf
ifconfig_fxp0="inet 10.0.1.2 netmask 0xff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0x"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0x"
ifconfig_fxp0_alias2="10.0.1.5 netmask 0x"

My understanding from the handbook is that the mask should be set to all
ones if the alias is for an address that's part of the same network. For a
different segment, it's the first alias that should be set to the real
netmask, with any additional aliases using a netmask of all ones. Granted,
the broadcast addresses look odd.

If my programming skills were better, I'd just read through the code and
understand what's really happening, but for now, I'm just taking the
FreeBSD folks at their word at following instructions.

That's a roundabout way of saying I think your aliases are set up
incorrectly. ;-)

If you're not seeing the behaviour I'm seeing, do let me know. But to
clarify with a concrete example, the following is what I see on the
jailhost (10.0.1.2) when it connects to port 25 on one of the jails
(10.0.1.5).

# tcpdump -nqti lo0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0

# netstat -nf inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.5.25            10.0.1.5.62110         ESTABLISHED
tcp4       0      0  10.0.1.5.62110         10.0.1.5.25            ESTABLISHED

# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25

Why the jailhost is suddenly using the jail's IP address is beyond me.
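Mel's suggestion earlier in the thread (take the PID from sockstat, look for the capital 'J' in `ps -o state`, and tag the line) applied to the sockstat listing David posted, as an added Python example that is not code from the list. Both inputs are constructed samples: the sockstat lines are David's, and the ps lines are assumed output of `ps -ax -o pid,state` with the header `PID STAT`, in which 16594 (sendmail, inside the jail) carries the J flag and 16593 (telnet, on the host) does not. With the extra column, the two endpoints that share 10.0.1.5 can be told apart even though both addresses are identical.

```python
"""Tag sockstat(1) rows with the jail flag from ps(1).

Added example for this thread; not code from the list or from FreeBSD.
"""

# Constructed sample: the sockstat -4 -p 25 listing from David's message.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25
"""

# Constructed sample of `ps -ax -o pid,state` (header assumed to be "PID STAT");
# a 'J' in STAT marks a jailed process.
PS_SAMPLE = """\
  PID STAT
    1 SLs
16593 S+
16594 SsJ
"""


def jailed_pids(ps_text):
    """Return the set of PIDs whose STAT field contains the 'J' flag."""
    jailed = set()
    for line in ps_text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and "J" in fields[1]:
            jailed.add(int(fields[0]))
    return jailed


def parse_sockstat(sockstat_text):
    """Split sockstat's whitespace-separated columns into dicts."""
    rows = []
    for line in sockstat_text.splitlines()[1:]:    # skip the header line
        f = line.split()
        if len(f) < 7:
            continue
        rows.append({"user": f[0], "command": f[1], "pid": int(f[2]),
                     "fd": int(f[3]), "proto": f[4],
                     "local": f[5], "foreign": f[6]})
    return rows


def annotate(sockstat_text, ps_text):
    """Join the two listings on PID and add a boolean 'jailed' to each row."""
    jailed = jailed_pids(ps_text)
    rows = parse_sockstat(sockstat_text)
    for row in rows:
        row["jailed"] = row["pid"] in jailed
    return rows


def format_rows(rows):
    """Render rows like sockstat, with a J column after the PID."""
    lines = [f"{'USER':<8} {'COMMAND':<10} {'PID':>5} J {'FD':>2} "
             f"{'PROTO':<5} {'LOCAL ADDRESS':<21} FOREIGN ADDRESS"]
    for r in rows:
        flag = "J" if r["jailed"] else "-"
        lines.append(f"{r['user']:<8} {r['command']:<10} {r['pid']:>5} {flag} "
                     f"{r['fd']:>2} {r['proto']:<5} {r['local']:<21} {r['foreign']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_rows(annotate(SOCKSTAT_SAMPLE, PS_SAMPLE)))
```

On a live host, replace the two samples with the captured output of `sockstat -4` and `ps -ax -o pid,state`; the join is purely on PID, so it works for any socket family sockstat lists as long as the row has the seven columns shown.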
Re: Jails and IP Aliasing
On 2008.07.07 12:16:44, David Allen wrote:
> On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan [EMAIL PROTECTED] wrote:
> > On 2008.07.07 09:51:33, David Allen wrote:
> > > Unless I'm losing my mind, I'm encountering what seems to be yet another
> > > gotcha with jails. The following has been dumbed down for clarity and
> > > brevity.
> > >
> > > -
> > > # hostname
> > > jailhost.example.org
> > > # host jailhost
> > > jailhost.example.org has address 10.0.1.2
> > > # ifconfig fxp0
> > > fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> > >         options=b<RXCSUM,TXCSUM,VLAN_MTU>
> > >         ether 00:07:e9:c8:2e:32
> > >         inet 10.0.1.2 netmask 0xff00 broadcast 10.0.1.255
> > >         inet 10.0.1.3 netmask 0x broadcast 10.0.1.3
> > >         inet 10.0.1.4 netmask 0x broadcast 10.0.1.4
> > >         media: Ethernet autoselect (100baseTX <full-duplex>)
> > >         status: active
> >
> > This is the output for my jail interface. Notice that your jail aliases
> > are broadcasting on the jail's IP. I don't know if this is an issue or not
> > (my jails run on i386 FBSD 6.3), but it's something to look at. How are
> > you setting the aliases?
> >
> > sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         options=b<RXCSUM,TXCSUM,VLAN_MTU>
> >         inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
> >         inet 10.0.0.101 netmask 0xff00 broadcast 10.0.0.255
> >         inet 10.0.0.201 netmask 0xff00 broadcast 10.0.0.255
> >         ether xx:xx:xx:xx:xx:xx
> >         media: Ethernet autoselect (1000baseTX <full-duplex,flag0,flag1>)
> >         status: active
>
> My own aliases:
>
> # grep fxp0 /etc/rc.conf
> ifconfig_fxp0="inet 10.0.1.2 netmask 0xff00"
> ifconfig_fxp0_alias0="10.0.1.3 netmask 0x"
> ifconfig_fxp0_alias1="10.0.1.4 netmask 0x"
> ifconfig_fxp0_alias2="10.0.1.5 netmask 0x"
>
> My understanding from the handbook is that the mask should be set to all
> ones if the alias is for an address that's part of the same network. For a
> different segment, it's the first alias that should be set to the real
> netmask, with any additional aliases using a netmask of all ones. Granted,
> the broadcast addresses look odd.
>
> If my programming skills were better, I'd just read through the code and
> understand what's really happening, but for now, I'm just taking the
> FreeBSD folks at their word at following instructions.
>
> That's a roundabout way of saying I think your aliases are set up
> incorrectly. ;-)

That is quite possible (I do notice the newer documentation calling for
netmask 0x). But I have never had any trouble over the last three years
so, you know how it is, if it ain't (too) broke ...

> If you're not seeing the behaviour I'm seeing, do let me know. But to
> clarify with a concrete example, the following is what I see on the
> jailhost (10.0.1.2) when it connects to port 25 on one of the jails
> (10.0.1.5).
>
> # tcpdump -nqti lo0 port 25
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
> IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
> IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
>
> # netstat -nf inet
> Active Internet connections
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  10.0.1.5.25            10.0.1.5.62110         ESTABLISHED
> tcp4       0      0  10.0.1.5.62110         10.0.1.5.25            ESTABLISHED
>
> # sockstat -4 -p 25
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
> root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
> root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
> root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25
>
> Why the jailhost is suddenly using the jail's IP address is beyond me.

I am actually getting the same results when telnetting to port 25 on my
mailserver jail. Someone else here should be able to offer better advice.
Sorry, I couldn't help.

Good luck,
~Jason
Re: Jails and IP Aliasing
Did you take the necessary steps to restrict the IP addresses on which
sendmail on the host and the jail listen? The jail man page only says:

     To configure sendmail(8), it is necessary to modify
     /etc/mail/sendmail.cf.

but you'll probably end up adjusting the DAEMON_OPTIONS lines of your
sendmail.mc (freebsd.mc, freebsd.submit.mc) and recreating your cf files.

g.
Re: Jails and multicore boxes
On Wed, 14 Nov 2007 19:20:06 +0100
Erik Cederstrand [EMAIL PROTECTED] wrote:

> You'll have to answer that yourself. How valuable is your data? What are
> you trying to protect? If you're worrying about getting cracked and used
> as a spam bot, jails are no more secure than a non-jail system.

Maybe some qualification is needed here. If your mail jail gets broken
into, then it will still be used as a spambot. But your host (the machine
in which your jails run in) wouldn't have been compromised, necessarily,
by the fact that the jail got compromised. Having root on a jail (if
that's what we are talking about by 'compromised') shouldn't affect your
host machine. Unless there is some other vulnerability that can be used,
of course.

B

_
{Beto|Norberto|Numard} Meijome

The more I see the less I know for sure.
  John Lennon

I speak for myself, not my employer. Contents may be hot. Slippery when
wet. Reading disclaimers makes you go blind. Writing them is worse. You
have been Warned.
Re: Jails and multicore boxes
On Nov 16, 2007 6:57 AM, Norberto Meijome [EMAIL PROTECTED] wrote:
> On Wed, 14 Nov 2007 19:20:06 +0100
> Erik Cederstrand [EMAIL PROTECTED] wrote:
>
> > You'll have to answer that yourself. How valuable is your data? What are
> > you trying to protect? If you're worrying about getting cracked and used
> > as a spam bot, jails are no more secure than a non-jail system.
>
> Maybe some qualification is needed here. If your mail jail gets broken
> into, then it will still be used as a spambot. But your host (the machine
> in which your jails run in) wouldn't have been compromised, necessarily,
> by the fact that the jail got compromised. Having root on a jail (if
> that's what we are talking about by 'compromised') shouldn't affect your
> host machine. Unless there is some other vulnerability that can be used,
> of course.

That's true indeed, however many people are saying that jails do not
necessarily make an environment more secure. I'm not really knowledgeable
in that area, but they do add another layer to the proverbial onion.

I use jails, but more for convenience than security; if I get a new (home)
server box, I can just move some jails across with a simple tar and then
scp, and have them work pretty much instantly.

Cheers
Federico
Re: jails in 6.3 and 7.0
On Wednesday 14 November 2007 20:24:14 Erik Cederstrand wrote:
> Jonathan Horne wrote:
> > I was reading a while back that the jails tcp system was getting an
> > overhaul, possibly in the 7.0 release. I don't remember all the
> > particulars, but things along the lines to make jails function even more
> > like a real (independent) system. I believe one of the improvements might
> > have been a separate virtual interface, thus allowing the jail to have
> > its own pf configuration.
> >
> > I've not seen anything else on this topic, so I was wondering if anyone
> > might know if that's going to make it into 7 (and possibly backported to
> > 6.3)?
>
> You're thinking about the Network Stack Virtualization project:
> http://www.freebsd.org/news/status/report-2007-07-2007-10.html#Network-Stack-Virtualization
>
> In short: not ready yet.

But, already usable to a great extent.

Nikos
Re: Jails and multicore boxes
Matt Fioravante wrote:
> I've heard that things like freebsd jails or solaris zones can still be
> insecure on multicore boxes because a race condition can occur. I don't
> know more details about it other than that. Is this true now on freebsd?

There's always the possibility that a bug exists which lets you break out
of a jail and give you access to the host system.

> Also, I have a home server which I'm considering running apache, bind,
> dhcp, and possibly opening ports for some other services. Is it overkill
> to run all of these each in their own jail?

You'll have to answer that yourself. How valuable is your data? What are
you trying to protect? If you're worrying about getting cracked and used
as a spam bot, jails are no more secure than a non-jail system.

Erik
Re: jails in 6.3 and 7.0
Jonathan Horne wrote:
> I was reading a while back that the jails tcp system was getting an
> overhaul, possibly in the 7.0 release. I don't remember all the
> particulars, but things along the lines to make jails function even more
> like a real (independent) system. I believe one of the improvements might
> have been a separate virtual interface, thus allowing the jail to have its
> own pf configuration.
>
> I've not seen anything else on this topic, so I was wondering if anyone
> might know if that's going to make it into 7 (and possibly backported to
> 6.3)?

You're thinking about the Network Stack Virtualization project:
http://www.freebsd.org/news/status/report-2007-07-2007-10.html#Network-Stack-Virtualization

In short: not ready yet.

Erik
Re: jails in 6.3 and 7.0
Jonathan Horne wrote:
> I was reading a while back that the jails tcp system was getting an
> overhaul, possibly in the 7.0 release. I don't remember all the
> particulars, but things along the lines to make jails function even more
> like a real (independent) system. I believe one of the improvements might
> have been a separate virtual interface, thus allowing the jail to have its
> own pf configuration.
>
> I've not seen anything else on this topic, so I was wondering if anyone
> might know if that's going to make it into 7 (and possibly backported to
> 6.3)?

It is still in development, although I think you can download a test iso.

Kris
Re: Jails and freebsd-update
Boris Samorodov wrote: Seems that you are looking for sysutils/ezjail. WBR

Thank you for the reference. That is a very nice port. I will definitely make use of it when I need multiple jails (3). I only need 2 at the moment.

I did a little more digging and it seems that I can install a jail using the base system's install script. It's found on CD 1 (6.2-RELEASE-i386-disc1.iso): (cd0 mounted on /dvdrw)

$ pwd
/dvdrw/6.2-RELEASE/base
$ ls -la
total 42496
dr-xr-xr-x   2 root  wheel     6144 Jan 12  2007 .
dr-xr-xr-x  13 root  wheel     2048 Jan 12  2007 ..
-r--r--r--   3 root  wheel     1624 Jan 12  2007 CHECKSUM.MD5
-r--r--r--   3 root  wheel     2779 Jan 12  2007 CHECKSUM.SHA256
-r--r--r--   3 root  wheel  1425408 Jan 12  2007 base.aa
-r--r--r--   3 root  wheel  1425408 Jan 12  2007 base.ab
-r--r--r--   3 root  wheel  1425408 Jan 12  2007 base.ac
-r--r--r--   3 root  wheel  1425408 Jan 12  2007 base.ad
[snip]
-r--r--r--   3 root  wheel   962020 Jan 12  2007 base.bd
-r--r--r--   3 root  wheel      898 Jan 12  2007 base.inf
-r--r--r--   3 root  wheel  1204896 Jan 12  2007 base.mtree
-r-xr-xr-x   3 root  wheel      427 Apr 30  2002 install.sh

I can use the install.sh script in place of the make installworld/distribution commands for the jail. This makes it possible to update the jail using freebsd-update. I wonder if the ezjail port can be tweaked to add an option for installing via the 'base' as above, rather than its current methods.

In any event, I set DESTDIR to /tmp/base, ran the install.sh script and a full base system was placed in /tmp/base. A few jail details (IP, devfs) later and I was able to run freebsd-update from within the jail and it updated the world to -p8. Note I had to edit the freebsd-update.conf file (within the jail) and set the Components variable to world only.

Caveats: The jail is a full system. This might not be desirable. Normally, one can control what gets placed in the base jail system using the various NO_* knobs in a make.conf file (i.e. you can choose to keep things like the toolchain, sendmail, and bind from being placed in the jail). A certain amount of work could be done to remove those subsystems individually after the fact, I suppose. I wonder where I can get a list of files for each NO_* knob?

Vinny
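Two steps in Vinny's procedure deserve a check he does not mention: install.sh extracts whatever base.?? files it finds, so the CHECKSUM.SHA256 that sits next to them on the CD should be verified first, and the hand edit of Components in freebsd-update.conf is easy to get wrong. The script below is an added example, not Vinny's or the FreeBSD project's code. The distribution directory and the jail root are taken from the post; the function names are this example's own, and the checksum file is assumed to use the `SHA256 (file) = digest` line format that FreeBSD's sha256(1) emits.

```shell
#!/bin/sh
# Added example (not from the original post): install a jail from the release
# "base" distribution sets only after checking them against CHECKSUM.SHA256,
# then pin freebsd-update(8) inside the jail to "Components world".
# Assumed layout, as in the post: the mounted release directory, e.g.
# /dvdrw/6.2-RELEASE/base, holds base.aa base.ab ... install.sh and a
# CHECKSUM.SHA256 whose lines read
#   SHA256 (base.aa) = <hex digest>

# sha256_of FILE: hex digest, portable across FreeBSD sha256(1), GNU sha256sum
# and OpenSSL.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_sets DIR: every file named in DIR/CHECKSUM.SHA256 must exist and match.
# Returns 1 at the first missing or altered file. install.sh itself performs
# no such check; it just concatenates base.?? and extracts.
verify_sets() {
    dir=$1
    [ -r "$dir/CHECKSUM.SHA256" ] || { echo "no CHECKSUM.SHA256 in $dir" >&2; return 1; }
    while read -r line; do
        case $line in "SHA256 ("*") = "*) ;; *) continue ;; esac
        name=${line#*(}; name=${name%%)*}     # e.g. base.aa
        want=${line##*= }                      # expected digest
        [ -f "$dir/$name" ] || { echo "missing set: $name" >&2; return 1; }
        have=$(sha256_of "$dir/$name")
        [ "$have" = "$want" ] || { echo "checksum mismatch: $name" >&2; return 1; }
    done < "$dir/CHECKSUM.SHA256"
    return 0
}

# install_jail DIR JAILROOT: the install.sh step from the post, gated on the
# checksums. install.sh reads DESTDIR from the environment. Needs root.
install_jail() {
    verify_sets "$1" || return 1
    mkdir -p "$2" || return 1
    (cd "$1" && DESTDIR=$2 sh ./install.sh)
}

# set_components CONF: rewrite the Components line of the jail's
# /etc/freebsd-update.conf to "Components world" (the post's manual edit), so
# freebsd-update never tries to fetch a kernel the jail cannot use. Prints the
# resulting line.
set_components() {
    conf=$1
    if grep -q '^[[:space:]]*Components' "$conf"; then
        sed 's/^[[:space:]]*Components.*/Components world/' "$conf" > "$conf.new" &&
            mv "$conf.new" "$conf"
    else
        printf 'Components world\n' >> "$conf"
    fi
    grep '^Components' "$conf"
}

# Typical use, as root:
#   install_jail /dvdrw/6.2-RELEASE/base /jail/web &&
#       set_components /jail/web/etc/freebsd-update.conf
```

verify_sets fails closed on the first bad or missing set, so a half-copied or altered distribution directory never reaches install.sh; set_components also drops the default "src" and "kernel" components, which a jail has no use for.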
Re: Jails and freebsd-update
On Sun, 07 Oct 2007 18:13:34 -0400 Vinny wrote:

I'm setting up a server for mail and web. I want to put each in their own jail on a host system. I have installed 6.2-Release on the host and successfully used freebsd-update to grab up to -p8. So far so good. Now, I was going to install the jails using the standard way (man jail):

JAIL=/path/to/jail
cd /usr/src
mkdir -p $JAIL
make world DESTDIR=$JAIL
make distribution DESTDIR=$JAIL

and so forth. But then it occurred to me that freebsd-update says it only works on installations that haven't been built from source. My question then is how can I use freebsd-update with jails? Thanks for any help.

Seems that you are looking for sysutils/ezjail.

WBR
--
bsam
Re: Jails not being assigned IP address?
I have three jails on one machine that won't resolve DNS because it looks as though the jails themselves aren't being assigned IP addresses. In the end, I tried just rebooting the host, which fixed the problem. Thanks to Tom for emailing me :-)

Best regards,
Matt
Re: jails or chroot?
On 5/9/06, Chad Leigh -- Shire.Net LLC [EMAIL PROTECTED] wrote:

On May 9, 2006, at 5:53 AM, Michael Grant wrote:

When it comes time to upgrade, how does one upgrade 100 different jails? This will be a nightmare!

Actually, not. You only need 1 master jail and a bunch of nullfs read-only mounts plus some exclusive space for each jail. I run 44 jails at the moment this way. Upgrading is relatively easy as I only have to upgrade one master jail (and unfortunately lots of jail etc if such happens but a few scripts can automate much of that).

I basically set up /local/jails/master and install according to man jail into this place. I never start this jail. I happen to use disk backed md devices as the root for each jail. I mount each one on /local/jail/jailname. Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own /usr/local/ that is writable. All the jails run out of one installed jail and they also have the side benefit of the main system directories being read-only so exploits in one jail cannot affect all the running jails.

Wow, I really like the setup you have made. One question: how do you update the system (and the jail)?
Re: jails or chroot?
On May 10, 2006, at 2:33 AM, Iantcho Vassilev wrote:

On 5/9/06, Chad Leigh -- Shire.Net LLC [EMAIL PROTECTED] wrote:

On May 9, 2006, at 5:53 AM, Michael Grant wrote:

When it comes time to upgrade, how does one upgrade 100 different jails? This will be a nightmare!

Actually, not. You only need 1 master jail and a bunch of nullfs read-only mounts plus some exclusive space for each jail. I run 44 jails at the moment this way. Upgrading is relatively easy as I only have to upgrade one master jail (and unfortunately lots of jail etc if such happens but a few scripts can automate much of that).

snippage

All the jails run out of one installed jail and they also have the side benefit of the main system directories being read-only so exploits in one jail cannot affect all the running jails.

Wow, I really like the setup you have made. One question: how do you update the system (and the jail)?

I shut all the jails down, and update the system. Then I boot without starting the jails and rebuild the master jail according to man jail. Then I start a special main jail that was used to install ports used, if any, into a common area and do any updates necessary -- this last one from 5.4 to 6.0 I just made sure I had the 5x compatibility stuff installed and all was fine for now so I have more time to redo individual ports or SW built from scratch. When that is done I restart all the jails.

I had about 40 jails active when I went from 5.4 to 6.0 on this particular machine (some earlier ones I did from 5.4 to 6.0 had maybe 1 or 2 jails so they were not the definitive test case). Had no problems once I made sure all the jails were accessing the compat 5x stuff (which I did by editing in each jail /etc -- you could use a script but I am lousy at writing more than simple scripts -- the rc.conf and making sure that ldconfig_paths= was set appropriately to the master jail wide compat5x library location...

Done, finis

Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
Re: jails or chroot?
On 5/9/06, Michael Grant [EMAIL PROTECTED] wrote:

I host a bunch of websites on my box. Recently I had some file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split.

I won't be doing this even if someone pays me twice for doing it. This is going to create a HELL of a lot of problems later on, especially during upgrades. BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro
--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City 700091
India
Re: jails or chroot?
I'll try to be more explicit on my requirements. I'm not worried about mail. I'm mostly worried about web. Each client has a web site with one or more domains. I currently offer them apache+php+mysql+mod_perl+mod_ssl. One of them needs java server pages, tomcat I think. Everyone gets access to their own logs and to geolizer (webalizer). Some clients would like shell access. Most clients write their web site using ftp. Certain ones need also the MS Front Page Extensions. Some clients want an ftp upload area. SSL poses a special problem in that I need to allocate an ip address for those who have their own ssl certificate. It's pretty much all standard stuff.

But yes, I totally agree with you, it is an administration nightmare to set up separate jails and keep track of which has which version of what and so on. There must be an easier way to do this. Some of you folks who run hosting sites, how do you manage large numbers of clients?

Michael Grant

On 5/9/06, Subhro [EMAIL PROTECTED] wrote:

On 5/9/06, Michael Grant [EMAIL PROTECTED] wrote:

I host a bunch of websites on my box. Recently I had some file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split.

I won't be doing this even if someone pays me twice for doing it. This is going to create a HELL of a lot of problems later on, especially during upgrades. BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro
--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City 700091
India
Re: jails or chroot?
On 5/9/06, Michael Grant [EMAIL PROTECTED] wrote:

I host a bunch of websites on my box. Recently I had some file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split. Has anyone done this for more than a handful of clients? Using apache and their mass virtual hosting, 100 domains is a breeze. But with a jail or chroot, I need a separate apache process for each domain. This is going to mean hundreds of apache processes. This seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative nightmare.

File access can be solved with suexec (compile apache with suexec enabled); this means that for each virtual host entry in your apache config you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your apache version's doc set). This will make each apache process run as the user specified in the virtual host entry (not www), allowing you to restrict their access to files with filesystem ACLs and even ugidfw; you could also then set up process/memory restrictions in /etc/login.conf. It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
RE: jails or chroot?
Hi,

Sure, jails require more work regarding administration. Ports are not the biggest problem I think, it's the easy part. The problem is when you have to update the world. But even here, with a good script, it's not such a nightmare. Maybe all you need is Michael's solution. But take into account that with jails, you have a great flexibility regarding the applications you install for a particular client. And all the security that a jail system can offer, plus a fantastic way of managing your backups.

I personally run a jail based VPS server, based on FreeBSD 6.0, with 13 jails at the moment. It's a dual xeon, with 4GB RAM, and RAID 5 SCSI HDs. I have 355 MB RAM active, 1525 inactive and 1679 MB RAM are free. I intend to run a maximum of 50 jails on this server. And until now, nothing seems to oppose my plans.

Beware of one thing with jails, though: a bug in FreeBSD does not permit a clean shutdown of jails. But trust me: you never need to!

Hope this helps, and keep us informed of your choice.

Philippe Lang

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Jahilliya
Sent: Tuesday, 9 May 2006 14:48
To: Michael Grant
Cc: freebsd-questions@freebsd.org
Subject: Re: jails or chroot?

On 5/9/06, Michael Grant [EMAIL PROTECTED] wrote:

I host a bunch of websites on my box. Recently I had some file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split. Has anyone done this for more than a handful of clients? Using apache and their mass virtual hosting, 100 domains is a breeze. But with a jail or chroot, I need a separate apache process for each domain. This is going to mean hundreds of apache processes. This seems unreasonable.

Agreed that creating hundreds of chroots or jails would be an administrative nightmare.

File access can be solved with suexec (compile apache with suexec enabled); this means that for each virtual host entry in your apache config you add User and Group (check http://httpd.apache.org/docs/2.2/suexec.html or your apache version's doc set). This will make each apache process run as the user specified in the virtual host entry (not www), allowing you to restrict their access to files with filesystem ACLs and even ugidfw; you could also then set up process/memory restrictions in /etc/login.conf. It will also make updating pretty much as standard as it is now.

Give it a burl if it sounds like what you need.
Re: jails or chroot?
On Tuesday 09 May 2006 08:24, Michael Grant wrote:

I'll try to be more explicit on my requirements. I'm not worried about mail. I'm mostly worried about web. Each client has a web site with one or more domains. I currently offer them apache+php+mysql+mod_perl+mod_ssl. One of them needs java server pages, tomcat I think. Everyone gets access to their own logs and to geolizer (webalizer). Some clients would like shell access. Most clients write their web site using ftp. Certain ones need also the MS Front Page Extensions. Some clients want an ftp upload area. SSL poses a special problem in that I need to allocate an ip address for those who have their own ssl certificate. It's pretty much all standard stuff.

I use suphp with apache in a mass hosting configuration for about 50 websites to take care of the php access issues. You'll need to set up the ACLs correctly so there is no snooping. I then use scponly to allow chrooted sftp access to their web directories. Webalizer logs are automatically generated and placed in their chrooted directory for download. As for shell access I don't allow it. If people want easy command line access I just tell them to use sshfs on FreeBSD or Linux. The Windows and Mac users don't care about shell access. For the Tomcat, Frontpage, and SSL users just set up jails for them. With the inclusion of mergemaster -u subsequent base system upgrades are much less painful. Using null mounts for the common areas should lessen the version sync issues. Once unionfs is stable again, you could just use one jail as a base image and allow the others to be cloned off of that. Hopefully some of the above helps you in your situation.

But yes, I totally agree with you, it is an administration nightmare to set up separate jails and keep track of which has which version of what and so on. There must be an easier way to do this. Some of you folks who run hosting sites, how do you manage large numbers of clients?

Michael Grant

On 5/9/06, Subhro [EMAIL PROTECTED] wrote:

On 5/9/06, Michael Grant [EMAIL PROTECTED] wrote:

I host a bunch of websites on my box. Recently I had some file access problems with php which caused me to look into putting each of my clients into their own jail or chroot. I have roughly 100 different domains I'd need to split.

I won't be doing this even if someone pays me twice for doing it. This is going to create a HELL of a lot of problems later on, especially during upgrades. BTW can you tell us your exact requirements?

Thanks and Best Regards
Subhro
--
Subhro Kar
Security Engineer
iViZ Techno Solutions Pvt. Ltd.
eRevMax House, 1st Floor
Plot XI-16, Sector V
Salt Lake City 700091
India

--
Anish Mistry
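Jahilliya's suexec User/Group setup and Anish's suPHP plus ACL setup rest on the same invariants: every vhost's scripts run as a uid of their own, nobody stays on the server's uid, and a client's DocumentRoot grants nothing to "other", so another client's uid cannot read it. The script below is an added example, not from either post, that checks those invariants over a constructed vhost table (ServerName, run-as user, DocumentRoot, one vhost per line). The table format, the function names and the default "www" server user are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from either post: audit a shared-hosting layout where each
# vhost's PHP/CGI runs as its own uid (suexec User/Group, or suPHP) and clients
# are kept apart by ownership and mode bits. Input is a constructed table with
# one vhost per line: ServerName, run-as user, DocumentRoot. WWW_USER is the
# httpd's own uid; "www" is FreeBSD's default and an assumption here.
WWW_USER=${WWW_USER:-www}

# Mode and owner from ls -ld, portable across BSD and GNU (stat(1) flags differ).
dir_mode()  { ls -ld "$1" | awk '{print $1}'; }
dir_owner() { ls -ld "$1" | awk '{print $3}'; }

# audit_vhosts TABLE: print one finding per line, "<kind> <vhost> <detail>", and
# return 1 if anything was found. Kinds:
#   WWW-UID       vhost still runs as the server uid, so suexec is not in effect
#   SHARED-UID    two vhosts run as the same uid; their scripts can read and
#                 write each other's files regardless of mode bits
#   MISSING       DocumentRoot does not exist
#   BAD-OWNER     DocumentRoot not owned by the run-as user
#   WORLD-ACCESS  DocumentRoot grants any permission to "other", so every
#                 client's uid on the box can reach the files
audit_vhosts() {
    table=$1 rc=0 seen=""
    while read -r vhost user docroot; do
        case $vhost in ''|\#*) continue ;; esac
        [ "$user" = "$WWW_USER" ] && { echo "WWW-UID $vhost runs as $user"; rc=1; }
        case " $seen " in *" $user "*) echo "SHARED-UID $vhost reuses $user"; rc=1 ;; esac
        seen="$seen $user"
        if [ ! -d "$docroot" ]; then echo "MISSING $vhost $docroot"; rc=1; continue; fi
        [ "$(dir_owner "$docroot")" = "$user" ] || { echo "BAD-OWNER $vhost $docroot"; rc=1; }
        mode=$(dir_mode "$docroot")
        # characters 8-10 of the mode string are the rwx bits for "other"
        case $(printf '%s' "$mode" | cut -c8-10) in
            ---) ;;
            *)   echo "WORLD-ACCESS $vhost $docroot $mode"; rc=1 ;;
        esac
    done < "$table"
    return $rc
}

# Typical use, from cron:
#   audit_vhosts /usr/local/etc/vhosts.table || mail -s "vhost isolation audit" root
```

With suexec the server process itself still serves static files, so a passing layout is DocumentRoot owned by the client uid with group set to the httpd group and mode 0750 (or the equivalent ACL); the audit only rejects what lets any other local uid in.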
Re: jails or chroot?
With the inclusion of mergemaster -u subsequent base system upgrades are much less painful. Using null mounts for the common areas should lessen the version sync issues. Once unionfs is stable again, you could just use one jail as a base image and allow the others to be cloned off of that.

ezjail might come in handy as well... http://erdgeist.org/arts/software/ezjail/
Re: jails or chroot?
On May 9, 2006, at 5:53 AM, Michael Grant wrote:

When it comes time to upgrade, how does one upgrade 100 different jails? This will be a nightmare!

Actually, not. You only need 1 master jail and a bunch of nullfs read-only mounts plus some exclusive space for each jail. I run 44 jails at the moment this way. Upgrading is relatively easy as I only have to upgrade one master jail (and unfortunately lots of jail etc if such happens but a few scripts can automate much of that).

I basically set up /local/jails/master and install according to man jail into this place. I never start this jail. I happen to use disk backed md devices as the root for each jail. I mount each one on /local/jail/jailname. Then I do

/sbin/mount_nullfs -o ro /local/jails/master/bin /local/jails/adcmw/bin
/sbin/mount_nullfs -o ro /local/jails/master/lib /local/jails/adcmw/lib
/sbin/mount_nullfs -o ro /local/jails/master/libexec /local/jails/adcmw/libexec
/sbin/mount_nullfs -o ro /local/jails/master/sbin /local/jails/adcmw/sbin
/sbin/mount_nullfs -o ro /local/jails/master/usr /local/jails/adcmw/usr
/sbin/mount -t procfs proc /local/jails/adcmw/proc
devfs_domount /local/jails/adcmw/dev devfsrules_jail
devfs_set_ruleset devfsrules_jail /local/jails/adcmw/dev
/sbin/devfs -m /local/jails/adcmw/dev rule -s 4 applyset

In my master jail I have some symlinks so that each jail has its own /usr/local/ that is writable. All the jails run out of one installed jail and they also have the side benefit of the main system directories being read-only so exploits in one jail cannot affect all the running jails.

Chad
---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net
Re: Jails CPU / RAM accounting?
Philippe Lang wrote: Hi,

Hi there,

Since there is no way (at least I know of) to limit RAM or CPU in a jail, is there a way to monitor and do some accounting on jails CPU / RAM used?

You might want to take a look at login.conf. (perhaps cputime, memoryuse, memorylocked and perhaps others)

Regards,
Nick.
Re: Jails third party services initialization
I'm not sure if this is the right forum for this subject, but here it goes. I've been using the ezjail tool to deploy some jails on a server but I've noticed that the /usr/local/etc/rc.d/* scripts aren't executed at each jail startup, even though all jails are started normally. On the other hand, the /etc/rc.d/* scripts are executed normally and base system services - like sshd - are started without problems. Does someone have a tip about where I should look to verify and correct this?

Add this to your /etc/rc.conf for the jail.

early_late_divider=NETWORKING

-philip
Re: Jails - nice tcsh promt: set promt = '[EMAIL PROTECTED]:%~%#'
Are you sure it's not just the fortune game that's started from your shell's rc file? I got this in my .bash_profile which displays a freebsd tip every time I source .bash_profile (eg, every time I log in):

[ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips

If you have the same line in yours, just comment it out.

On 8/9/05, Michael [EMAIL PROTECTED] wrote:

Hello, I recently tried creating some jails on my FreeBSD 5.4 Release installation. When I try and log into the jail via ssh I get to the login prompt, type my info and once I press enter I get some weird error "nice tcsh promt: set promt = '[EMAIL PROTECTED]:%~%#'". I realize tcsh is a shell, but why the error... Does anyone know what this is, and how I can fix it? Please get back to me, Thanks.

--
John Macintosh
irc.ambernet.se http://irc.ambernet.se admin (AmberNet)
irc.pte.hu http://irc.pte.hu oper (EFnet)
Re: Jails - nice tcsh promt: set promt = '[EMAIL PROTECTED]:%~%#'
Michael wrote:

Hello, I recently tried creating some jails on my FreeBSD 5.4 Release installation. When I try and log into the jail via ssh I get to the login prompt, type my info and once I press enter I get some weird error "nice tcsh promt: set promt = '[EMAIL PROTECTED]:%~%#'". I realize tcsh is a shell, but why the error... Does anyone know what this is, and how I can fix it?

It's not an error, it's likely the fortune running from your .login(?). Comment this out:

[ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips

or something of the sort.

Jeff

Please get back to me, Thanks.
Re: Jails - nice tcsh promt: set promt = '[EMAIL PROTECTED]:%~%#'
When I try and log into the jail via ssh I get to the login prompt, type my info and once I press enter I get some weird error "nice tcsh promt: set promt = '[EMAIL PROTECTED]:%~%#'". I realize tcsh is a shell, but why the error... Does anyone know what this is, and how I can fix it?

I think this isn't an error, but fortune(6) being called by one of your login scripts.

Cheers
Benjamin
Re: Jails and filesystems
Rob wrote:

I'm trying to figure out the best layout for multiple jails. I'd like to share binaries across jails - patches and packages only need to be installed once, and it saves a lot of space. So these directories would be shared and read-only: [...]

You can also use mount_unionfs with option -b. For instance you have a template jail, let's say in /usr/jail/template, and a jail in /usr/jail/myjail. You can now mount the template onto the jail directory:

mount_unionfs -b /usr/jail/template /usr/jail/myjail

It's not read-only. Now you have all files of the template in myjail and you can even overwrite or delete them if you like; the template remains untouched.

unionfs treats the mounted directory and the mount point as two layers: an upper layer where all changes are stored and a lower layer which is not writable through the upper layer. The option -b inverts the position of these layers.

I'll give some practical examples. If you access the myjail directory then you can imagine that you look from the top onto the upper layer and in some cases you look through the upper layer to the lower layer.

          (1)              (2)              (3)
           |                |                |
  +--------|----------------|----------------|--------+
  | upper layer: /usr/jail/myjail                     |
  |        |                |                |        |
  |        |                V                X        |
  |        |          /etc/rc.conf                    |
  +--------|-----------------------------------------+
  | lower layer: /usr/jail/template                   |
  |        |                                          |
  |        V                                          |
  |     /bin/sh       /etc/rc.conf     /usr/bin/gcc   |
  +---------------------------------------------------+

(1) /bin/sh exists in the template, but not in myjail. You'll access the file of the lower layer.

(2) At first /etc/rc.conf exists in the template only. Then you decide that you want to make some changes to the file and you save it. It's stored in the upper layer and from now on you access your changed file only. The file exists in two different versions in both layers.

(3) You don't need /usr/bin/gcc in your jail? Just delete it. The template remains untouched, but you can't access it now anymore; not even if you remount your unionfs.

Please test the use of unionfs thoroughly. Read the manpage mount_unionfs(8), especially the BUGS section. I know some users who never had problems with unionfs and jails, but you should be careful with it nevertheless.

Regards
Björn
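Björn's case (2) is the one a security review has to watch: any file copied up into /usr/jail/myjail silently replaces the template's copy, so a tampered /bin/sh in the jail's own layer is what that jail runs while the shared template still looks clean. The following is an added example, not Björn's code: it compares the two directories outside the union view and reports the template files the jail's layer shadows. The paths come from the post; the function names are this example's own. Deletions (case (3)) are recorded by unionfs as whiteouts rather than as files and are therefore not reported.

```shell
#!/bin/sh
# Added example (not Björn's code): compare the two layers of a
# "mount_unionfs -b TEMPLATE JAIL" setup outside the union view and list the
# template files the jail's own directory shadows. Paths follow the post
# (/usr/jail/template, /usr/jail/myjail); everything else is assumed.
# Deletions (case (3) in the post) are stored as whiteouts, not files, and
# are therefore not reported here.

# union_shadows LOWER UPPER: for every regular file in UPPER that also exists in
# LOWER print "MODIFIED <relpath>" when the contents differ and "SAME <relpath>"
# when a copy-up changed nothing. Files only in UPPER are private to the jail
# and are not reported.
union_shadows() {
    lower=$1 upper=$2
    (cd "$upper" && find . -type f) | while read -r f; do
        rel=${f#./}
        [ -f "$lower/$rel" ] || continue
        if cmp -s "$lower/$rel" "$upper/$rel"; then
            echo "SAME $rel"
        else
            echo "MODIFIED $rel"
        fi
    done
}

# shadowed_binaries LOWER UPPER: the subset a review cares about most, modified
# files under bin, sbin, lib, libexec or usr. Prints them and returns 1 if any;
# a jail that overrides the template's /bin/sh runs that copy, not the patched
# one every other jail shares.
shadowed_binaries() {
    out=$(union_shadows "$1" "$2" | grep -E '^MODIFIED (s?bin|lib|libexec|usr)/') || return 0
    echo "$out"
    return 1
}

# Typical use, with the jail stopped and the union unmounted:
#   shadowed_binaries /usr/jail/template /usr/jail/myjail || echo "review before starting"
```

Run it against the unmounted directories, or against the upper layer's backing directory, since through the mounted union a shadowed file and a template file are indistinguishable.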
Re: Jails ....
On Sun, 27 Mar 2005 11:23:05 -0500 Grant Peel [EMAIL PROTECTED] wrote:

It seems to me, that for all the work of scponly shell to be set up, why not just create a simple jail and allow ssh terminal access for users? That having been said, is it possible to set up jails for existing users that include only simple commands, like: ls mkdir rmdir pico rm chown chmod? If so, are there any gurus who would like to type an explanation and step by step how-to here?

I can think of one possible solution for this:

1) you create the jail (see: man jail [with one exception, I prefer a make world for the host and then use a make installworld for the jails instead of make world again for the jail])

2) make /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin only accessible for root (and users for possible other services) and set the PATH to include a new dir e.g. /newbin/ which is accessible for users, and copy the shell (and possible other basic commands) they need in that dir too
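As an added example (not from the reply above), here is its step 2 as a script: copy an allow-list of commands into /newbin, then audit that the directory holds only that allow-list and nothing a user could overwrite, together with the chmod for the system bin directories. The jail root, the directory name and the command list are assumptions. One caveat a practitioner should keep in mind: a copied shell can still execute any file its user can read or upload, so the allow-list limits convenience rather than what a determined user can run; it is the jail itself that contains them.

```shell
#!/bin/sh
# Added example (not from the reply): build the /newbin directory the reply
# proposes, an allow-list of commands copied out of the system bin directories
# before those are made root-only, and check afterwards that it still holds
# nothing but the allow-list. Paths and the command list are assumptions.

# populate_newbin NEWBIN CMD...: copy each command, resolved through the current
# PATH, into NEWBIN as a 0755 file. Returns 1 if any command was not found.
populate_newbin() {
    dest=$1; shift
    rc=0
    mkdir -p "$dest"
    for cmd in "$@"; do
        src=$(command -v "$cmd") || { echo "not found: $cmd" >&2; rc=1; continue; }
        cp -L "$src" "$dest/$cmd" && chmod 0755 "$dest/$cmd"
    done
    return $rc
}

# audit_newbin NEWBIN CMD...: print "STRAY <name>" for every entry in NEWBIN that
# is not on the allow-list and "WRITABLE <name>" for any entry with a group or
# other write bit (a user could swap in their own binary). Returns 1 if anything
# was printed, so a /newbin that quietly grew an extra shell fails the check.
audit_newbin() {
    dir=$1; shift
    allowed=" $* "
    rc=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $allowed in *" $name "*) ;; *) echo "STRAY $name"; rc=1 ;; esac
        # ls mode string: character 6 is group write, character 9 is other write
        case $(ls -ld "$f" | awk '{print $1}') in
            ?????w*|????????w*) echo "WRITABLE $name"; rc=1 ;;
        esac
    done
    return $rc
}

# restrict_system_dirs JAILROOT: the reply's second step, system bin directories
# traversable by root only. /lib and /libexec stay readable so the copies in
# /newbin still find their shared libraries. Needs root; not run here.
restrict_system_dirs() {
    for d in bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin; do
        [ -d "$1/$d" ] && chmod 0700 "$1/$d"
    done
    return 0
}

# Typical use inside the jail, as root, with PATH=/newbin set in /etc/profile and
# /etc/csh.cshrc and the users' login shell pointed at /newbin/sh:
#   populate_newbin /newbin sh ls mkdir rmdir pico rm chown chmod &&
#       audit_newbin /newbin sh ls mkdir rmdir pico rm chown chmod && restrict_system_dirs /
```

Re-running audit_newbin from cron turns the allow-list into something that is enforced over time rather than only at setup.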
Re: jails: am I missing something or..
On Jul 25, 2004, at 6:29 AM, Hugo Silva wrote:

It is unthinkable to be umount'ing EVERY jail if I want to add one. I need separate filesystems for jails if I want (I *need* to) user quotas on jails. If I have separate filesystems, I can't create a new jail while the disk is being used (ie other jails mount'ed). Living with 1 ip? I could do it. Now, this is a major drawback. I've been a FreeBSD user for a long time, so I'm hoping there is a solution to this matter-- (bottom line: working user quotas INSIDE jails: need either a way to have them w/ different partitions and be able to create new jails with all other jails running, or need a way to use quotas with only a big partition) I find it weird there exists this big limitation on the jail system.

try using the mdX memory/file backed file systems for your jails... Works well (though I have not tried the user quota -- you do get separate filesystems)

Chad
Re: jails: am I missing something or..
Hugo Silva [EMAIL PROTECTED] wrote:

Hi, Ok, so I decided to use jails instead of vmware and try to live with the limitations (only 1 ip address, etc..).. Well, another jail limitation is the impossibility of setting user quotas inside a jail UNLESS the jail has a filesystem on its own (at least this is the most satisfactory answer I found after googling for some hours). Great, so I have 2x80G + 1x200G hdds. I had a jail running on ad2, and I wanted to create another jail on the same hdd. To my surprise, sysinstall would complain about not being able to write data to ad2. I had this problem before, so I couldn't believe the cause was what I thought.. I unmounted the first jail and tried again.. this time, I could create the new partition on ad2. so... It is unthinkable to be umount'ing EVERY jail if I want to add one.

Format the second drive as one big vinum partition. You can then manipulate the space into different filesystems using vinum without affecting the other partitions. This is also nice as vinum allows you to turn non-contiguous space into a single filesystem. So, if you allocate 5G for a jail and then realize you need 10G, you can allocate more space into the vinum partition and use growfs to enlarge the filesystem.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com