Re: Some questions about jails on FreeBSD9.0-RC1
> On 10/26/2011 03:12 AM, Patrick Lamaiziere wrote:
>> On Tue, 25 Oct 2011 22:52:55 +0200,
>> carlopmart wrote:
>>
>> Hello,
>>
>>> I have installed one FreeBSD 9.0-RC1 host to run different services
>>> (dns, smtp and www only) using jails. This host has two physical
>>> nics: em0 and em1. em0 is assigned to the physical host, and I would like
>>> to assign em1 to jails. But em0 and em1 are on different networks:
>>> em0 is on 192.168.1.0/24 and em1 in 192.168.2.0/29.
>>>
>>> I have set up one jail using ezjail. My first surprise is that
>>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>>> suppose that it is normal. But my first question is: can I install a
>>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>>
>> You may run 8.2 installed ports on 9.0 by using the port
>> /usr/ports/misc/compat8x/
>>
>> But I suggest to upgrade the port ASAP.
>>
>>> And the real question: How do I need to configure network under
>>> this jail to access it? I have configured ifconfig param for em1 on
>>> host's rc.conf, but what about the default route under this jail?? I
>>> thought to use pf rules, but I am not sure.
>>
>> jail enforces the use of the jail IP address in the jail, but that's
>> all. Just enable routing on the host.
>>
>
> But, that is not possible. Between host and jail exists a firewall ... I
> can't do simple routing with the host. Maybe a possible solution is to
> use policy source routing ??
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com

I'm using FIBs. The host is on a private network with gateway of
192.168.1.1 and jails are on public network with their own real/public
gateway.

FIBs work without the box becoming a gateway:

%grep gateway /etc/rc.conf
gateway_enable="NO"

I have this in system startup to set up "public gateway" for jails:

%cat /usr/local/etc/rc.d/0.setfib.sh
#!/bin/sh
echo setfib 1 for public jails
/usr/sbin/setfib 1 /sbin/route add default 216.241.167.1

and in /usr/local/etc/ezjail/myjail I added this line to the end of
configs:

export jail_myjail_fib="1"

[/usr/sbin/jail has FIB support built in, but at that time ezjail did
not, so I had to manually add it in the config - nowadays I believe
ezjail has FIB support natively, but the resulting config file is the
same]

The host is using NAT to get out via private IP, and jails are
available via public IP. All the IPs are defined in rc.conf the normal
_alias way.

FIB support as I remember needs a custom kernel - not sure about 9,
this is in 8.2.

I even run openbsd spamd on the host and using FIBs to start the spamd
daemon via a 'setfib 1' wrapper script:

%cat /usr/local/etc/rc.d/obspamdfib.sh
#!/bin/sh
#
# this just calls the original file, but with setfib 1
/usr/sbin/setfib 1 /usr/local/etc/rc.d.fib/obspamd "$1"

I had moved the 'obspamd' startup script to rc.d.fib just so a
'setfib 1' wrapper is called.

]Peter[

FIBs are awesome when you don't have many public IPs and when host is
_only_ a jail host running no services
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
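A check for the layout described in the message above, as an added example that is not part of the original post or of ezjail: it confirms that rc.conf leaves forwarding off and lists jails whose ezjail config lacks the expected `jail_<name>_fib` export, since a jail started without one runs on the host's default routing table. The function names and the sample files (including the `jail_*_ip` lines and the `www` jail) are constructed for illustration, and only the single rc.conf file passed in is read.

```shell
#!/bin/sh
# Added example: audit a jail host for the FIB layout described above.
# File locations are arguments, so the checks can run on copies.

# host_forwarding_disabled RCCONF
# Succeeds unless the last gateway_enable= line is YES/TRUE/ON/1.
host_forwarding_disabled() {
    val=$(awk '/^[ \t]*gateway_enable=/ {
                   v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v)
                   gsub(/[" \t]/, "", v)
               } END { print tolower(v) }' "$1")
    case "$val" in
        yes|true|on|1) return 1 ;;
        *) return 0 ;;
    esac
}

# jail_fib CONFIG_FILE
# Prints the value of the last "export jail_<name>_fib=" line, or nothing.
jail_fib() {
    awk '/^[ \t]*export[ \t]+jail_[A-Za-z0-9_]+_fib=/ {
             v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v)
             gsub(/[" \t]/, "", v); fib = v
         } END { if (fib != "") print fib }' "$1"
}

# jails_outside_fib CONFIG_DIR EXPECTED_FIB
# Prints one line per jail config whose FIB is unset or differs.
jails_outside_fib() {
    for cfg in "$1"/*; do
        [ -f "$cfg" ] || continue
        fib=$(jail_fib "$cfg")
        if [ "$fib" != "$2" ]; then
            echo "$(basename "$cfg"): fib=${fib:-unset} (expected $2)"
        fi
    done
}

# Constructed sample files standing in for /etc/rc.conf and the
# /usr/local/etc/ezjail/ directory; the addresses are documentation IPs.
demo=$(mktemp -d)
mkdir "$demo/ezjail"
printf 'gateway_enable="NO"\n' > "$demo/rc.conf"
printf 'export jail_myjail_ip="192.0.2.10"\nexport jail_myjail_fib="1"\n' \
    > "$demo/ezjail/myjail"
printf 'export jail_www_ip="192.0.2.11"\n' > "$demo/ezjail/www"

host_forwarding_disabled "$demo/rc.conf" && echo "host is not forwarding"
jails_outside_fib "$demo/ezjail" 1
```

On a real host the arguments would be /etc/rc.conf and /usr/local/etc/ezjail.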
Fwd: Re: Some questions about jails on FreeBSD9.0-RC1
On 26.10.2011 10:33, carlopmart wrote:
> On 10/26/2011 10:09 AM, lego...@legolasweb.nl wrote:
>>> On 10/26/2011 08:09 AM, lego...@legolasweb.nl wrote:
>>>> I have set up one jail using ezjail. My first surprise is that
>>>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>>>> suppose that it is normal. But my first question is: can I install a
>>>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>>>>
>>>> I have upgraded my ezjails using something like:
>>>> env UNAME_r="8.2-RELEASE" freebsd-update -b /usr/jails/basejail -r 9.0-RC1 upgrade install
>>>>
>>>> This is some hassle, for example, one has to upgrade /etc and /var in
>>>> /usr/jails/newjail by hand. (And maybe even more, not completely sure
>>>> there.)
>>>
>>> Is it not possible to update the jail using "ezjail-admin update -u"
>>> instead of using freebsd-update directly??
>>
>> Updating can be done, upgrading not. (Thus, a security update can be
>> done, a full version not, if I understand it correctly.)
>>
>> This functionality exists (prematurely) in CVS:
>> https://erdgeist.org/cvsweb/ezjail/ezjail-admin.diff?r1=1.263&r2=1.264&f=h
>
> Me too ... But downloading latest ezjail-admin code from cvs:
>
> # Make the host systems os version our target version
> # Users can override this by setting the UNAME_r environment variable
> ezjail_osversion_target="`uname -r`"
>
> # Finally run freebsd-update to upgrade our basejail
> env UNAME_r="${ezjail_osversion_source}" freebsd-update -b ${ezjail_jailbase} -r ${ezjail_osversion_target} upgrade install
>
> If I am not wrong, it is possible to do a full upgrade between
> releases, right?? ezjail-admin cvs's version is 1.269:
>
> # $Id: ezjail-admin,v 1.269 2011/07/27 11:20:32 erdgeist Exp $

I think the installing of the new world is not included. (Thus, the
part after the first reboot when doing a freebsd-update to 9.0-RC1 on
the host system.)
Re: Some questions about jails on FreeBSD9.0-RC1
On 10/26/2011 10:09 AM, lego...@legolasweb.nl wrote:
>> On 10/26/2011 08:09 AM, lego...@legolasweb.nl wrote:
>>> I have set up one jail using ezjail. My first surprise is that
>>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>>> suppose that it is normal. But my first question is: can I install a
>>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>>>
>>> I have upgraded my ezjails using something like:
>>> env UNAME_r="8.2-RELEASE" freebsd-update -b /usr/jails/basejail -r 9.0-RC1 upgrade install
>>>
>>> This is some hassle, for example, one has to upgrade /etc and /var in
>>> /usr/jails/newjail by hand. (And maybe even more, not completely sure
>>> there.)
>>
>> Is it not possible to update the jail using "ezjail-admin update -u"
>> instead of using freebsd-update directly??
>
> Updating can be done, upgrading not. (Thus, a security update can be
> done, a full version not, if I understand it correctly.)
>
> This functionality exists (prematurely) in CVS:
> https://erdgeist.org/cvsweb/ezjail/ezjail-admin.diff?r1=1.263&r2=1.264&f=h

Me too ... But downloading latest ezjail-admin code from cvs:

# Make the host systems os version our target version
# Users can override this by setting the UNAME_r environment variable
ezjail_osversion_target="`uname -r`"

# Finally run freebsd-update to upgrade our basejail
env UNAME_r="${ezjail_osversion_source}" freebsd-update -b ${ezjail_jailbase} -r ${ezjail_osversion_target} upgrade install

If I am not wrong, it is possible to do a full upgrade between
releases, right?? ezjail-admin cvs's version is 1.269:

# $Id: ezjail-admin,v 1.269 2011/07/27 11:20:32 erdgeist Exp $

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Some questions about jails on FreeBSD9.0-RC1
> On 10/26/2011 08:09 AM, lego...@legolasweb.nl wrote:
>> I have set up one jail using ezjail. My first surprise is that
>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>> suppose that it is normal. But my first question is: can I install a
>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>>
>> I have upgraded my ezjails using something like:
>> env UNAME_r="8.2-RELEASE" freebsd-update -b /usr/jails/basejail -r 9.0-RC1 upgrade install
>>
>> This is some hassle, for example, one has to upgrade /etc and /var in
>> /usr/jails/newjail by hand. (And maybe even more, not completely sure
>> there.)
>>
>
> Is it not possible to update the jail using "ezjail-admin update -u"
> instead of using freebsd-update directly??
>

Updating can be done, upgrading not. (Thus, a security update can be
done, a full version not, if I understand it correctly.)

This functionality exists (prematurely) in CVS:
https://erdgeist.org/cvsweb/ezjail/ezjail-admin.diff?r1=1.263&r2=1.264&f=h
Re: Some questions about jails on FreeBSD9.0-RC1
On 10/26/2011 12:38 AM, George Kontostanos wrote:
> On Tue, Oct 25, 2011 at 11:52 PM, carlopmart wrote:
>> Hi all,
>>
>> I have installed one FreeBSD 9.0-RC1 host to run different services (dns,
>> smtp and www only) using jails. This host has two physical nics: em0 and
>> em1. em0 is assigned to the physical host, and I would like to assign em1 to
>> jails. But em0 and em1 are on different networks: em0 is on 192.168.1.0/24
>> and em1 in 192.168.2.0/29.
>>
>> I have set up one jail using ezjail. My first surprise is that ezjail only
>> installs -RELEASE versions and not RC versions. Ok, I suppose that it is
>> normal. But my first question is: can I install a FreeBSD 8.2 jail under a
>> FreeBSD 9.0 host??
>
> ezjail doesn't necessarily install a release version.
> <ezjail-admin update -p -i> will install the basejail from your source.

I have installed this jail using "ezjail-admin install". I can't
compile source every time that I need to do an update in this host ...

>> And the real question: How do I need to configure network under this jail
>> to access it? I have configured ifconfig param for em1 on host's rc.conf,
>> but what about the default route under this jail?? I thought to use pf
>> rules, but I am not sure.
>
> gateway_enable="YES" should take care of this.

In host or in the jail??

>> Thanks.
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>
> Regards

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Some questions about jails on FreeBSD9.0-RC1
On 10/26/2011 03:12 AM, Patrick Lamaiziere wrote:
> On Tue, 25 Oct 2011 22:52:55 +0200,
> carlopmart wrote:
>
> Hello,
>
>> I have installed one FreeBSD 9.0-RC1 host to run different services
>> (dns, smtp and www only) using jails. This host has two physical
>> nics: em0 and em1. em0 is assigned to the physical host, and I would like
>> to assign em1 to jails. But em0 and em1 are on different networks:
>> em0 is on 192.168.1.0/24 and em1 in 192.168.2.0/29.
>>
>> I have set up one jail using ezjail. My first surprise is that
>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>> suppose that it is normal. But my first question is: can I install a
>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>
> You may run 8.2 installed ports on 9.0 by using the port
> /usr/ports/misc/compat8x/
>
> But I suggest to upgrade the port ASAP.
>
>> And the real question: How do I need to configure network under
>> this jail to access it? I have configured ifconfig param for em1 on
>> host's rc.conf, but what about the default route under this jail?? I
>> thought to use pf rules, but I am not sure.
>
> jail enforces the use of the jail IP address in the jail, but that's
> all. Just enable routing on the host.
>

But, that is not possible. Between host and jail exists a firewall ... I
can't do simple routing with the host. Maybe a possible solution is to
use policy source routing ??

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Some questions about jails on FreeBSD9.0-RC1
On 10/26/2011 08:09 AM, lego...@legolasweb.nl wrote:
>>> I have set up one jail using ezjail. My first surprise is that
>>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>>> suppose that it is normal. But my first question is: can I install a
>>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??
>
> I have upgraded my ezjails using something like:
> env UNAME_r="8.2-RELEASE" freebsd-update -b /usr/jails/basejail -r 9.0-RC1 upgrade install
>
> This is some hassle, for example, one has to upgrade /etc and /var in
> /usr/jails/newjail by hand. (And maybe even more, not completely sure
> there.)

Is it not possible to update the jail using "ezjail-admin update -u"
instead of using freebsd-update directly??

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: Some questions about jails on FreeBSD9.0-RC1
>> I have set up one jail using ezjail. My first surprise is that
>> ezjail only installs -RELEASE versions and not RC versions. Ok, I
>> suppose that it is normal. But my first question is: can I install a
>> FreeBSD 8.2 jail under a FreeBSD 9.0 host??

I have upgraded my ezjails using something like:

env UNAME_r="8.2-RELEASE" freebsd-update -b /usr/jails/basejail -r 9.0-RC1 upgrade install

This is some hassle, for example, one has to upgrade /etc and /var in
/usr/jails/newjail by hand. (And maybe even more, not completely sure
there.)
Re: Some questions about jails on FreeBSD9.0-RC1
On Tue, 25 Oct 2011 22:52:55 +0200,
carlopmart wrote:

Hello,

> I have installed one FreeBSD 9.0-RC1 host to run different services
> (dns, smtp and www only) using jails. This host has two physical
> nics: em0 and em1. em0 is assigned to the physical host, and I would like
> to assign em1 to jails. But em0 and em1 are on different networks:
> em0 is on 192.168.1.0/24 and em1 in 192.168.2.0/29.
>
> I have set up one jail using ezjail. My first surprise is that
> ezjail only installs -RELEASE versions and not RC versions. Ok, I
> suppose that it is normal. But my first question is: can I install a
> FreeBSD 8.2 jail under a FreeBSD 9.0 host??

You may run 8.2 installed ports on 9.0 by using the port
/usr/ports/misc/compat8x/

But I suggest to upgrade the port ASAP.

> And the real question: How do I need to configure network under
> this jail to access it? I have configured ifconfig param for em1 on
> host's rc.conf, but what about the default route under this jail?? I
> thought to use pf rules, but I am not sure.

jail enforces the use of the jail IP address in the jail, but that's
all. Just enable routing on the host.

Also be sure that the host's daemons don't bind on the jail IP address,
as explained in the man page of jail (Setting up the Host Environment).

Regards.
Re: Some questions about jails on FreeBSD9.0-RC1
On Tue, Oct 25, 2011 at 11:52 PM, carlopmart wrote:
> Hi all,
>
> I have installed one FreeBSD 9.0-RC1 host to run different services (dns,
> smtp and www only) using jails. This host has two physical nics: em0 and
> em1. em0 is assigned to the physical host, and I would like to assign em1 to
> jails. But em0 and em1 are on different networks: em0 is on 192.168.1.0/24
> and em1 in 192.168.2.0/29.
>
> I have set up one jail using ezjail. My first surprise is that ezjail only
> installs -RELEASE versions and not RC versions. Ok, I suppose that it is
> normal. But my first question is: can I install a FreeBSD 8.2 jail under a
> FreeBSD 9.0 host??

ezjail doesn't necessarily install a release version.
<ezjail-admin update -p -i> will install the basejail from your source.

> And the real question: How do I need to configure network under this jail
> to access it? I have configured ifconfig param for em1 on host's rc.conf,
> but what about the default route under this jail?? I thought to use pf
> rules, but I am not sure.

gateway_enable="YES" should take care of this.

>
> Thanks.
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>

Regards

--
George Kontostanos
aisecure.net
Some questions about jails on FreeBSD9.0-RC1
Hi all,

I have installed one FreeBSD 9.0-RC1 host to run different services
(dns, smtp and www only) using jails. This host has two physical nics:
em0 and em1. em0 is assigned to the physical host, and I would like to
assign em1 to jails. But em0 and em1 are on different networks: em0 is
on 192.168.1.0/24 and em1 in 192.168.2.0/29.

I have set up one jail using ezjail. My first surprise is that ezjail
only installs -RELEASE versions and not RC versions. Ok, I suppose that
it is normal. But my first question is: can I install a FreeBSD 8.2
jail under a FreeBSD 9.0 host??

And the real question: How do I need to configure network under this
jail to access it? I have configured ifconfig param for em1 on host's
rc.conf, but what about the default route under this jail?? I thought
to use pf rules, but I am not sure.

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com