[smartos-discuss] SmartOS release-20180705

2018-07-07 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20180705T211554Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20180705T211554Z


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and Triton DataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org


---
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125
Powered by Listbox: https://www.listbox.com


[smartos-discuss] New minimum Triton platform

2018-02-15 Thread Cody Mello
Hello all,

For a while now the minimum supported platform for running Joyent zone images
has been release-20141004. We will be switching them to release-20151126 before
the end of the month. If you are still running platforms older than
release-20151126, please take the time to upgrade to a more recent platform.

While you will be able to run the zone images on release-20151126, you should
strongly consider running something much more recent, to pick up bug fixes,
security fixes, and improvements made over the past 2+ years.

Cheers,
Cody Mello, on behalf of the Triton devs
https://github.com/joyent/triton




Re: [smartos-discuss] Scripting question Bash

2018-02-02 Thread Cody Mello
In addition to looking it up, you can also set the "uuid" field in the
payload. The VM will be created using that UUID instead of generating
a new one. You can use the uuidgen program to generate a valid UUID
inside your shell script.

On Fri, Feb 2, 2018 at 10:46 AM, Jonathan Perkin  wrote:
> * On 2018-02-02 at 18:24 GMT, George Linn via smartos-discuss wrote:
>
>> I  am trying to figure out how to script some vmadm commands in a bash 
>> script. For a basic scenario, the bash script calls vmadm to create a VM and 
>> that works fine.  However, I am trying to capture the UUID of the newly 
>> created VM.
>> I receive the following message on the screen:
>> "Successfully created VM 0999429a-6b52-edfd-f0b7-997ca26df1fc"
>>
>> Can someone provide an example of how bash can call "vmadm create -f" and 
>> record the UUID if the VM is successfully created?
>
> Rather than parsing the output which shouldn't be considered stable,
> you might want to try the approach of performing a lookup after the
> zone has been created based on the alias you used.
>
> So, for example, after creating a zone with the 'myzonealias' alias
> (catchy I know!):
>
>   $ vmadm create <<-EOF
>   >   ..
>   >   "alias": "myzonealias",
>   >   ..
>   > EOF
> 
> You can use 'vmadm lookup' to retrieve the UUID:
> 
> $ myzoneuuid=$(vmadm lookup -1 alias=myzonealias)
> 
> As long as you don't have duplicate aliases (which would probably be a
> bad idea in the first place anyway), this should work fine.
> 
> --
> Jonathan Perkin  -  Joyent, Inc.  -  www.joyent.com
> 


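A worked version of the two approaches in this thread, as an added example that is not part of the original posts (it is neither Cody's nor Jonathan's code): the script picks the UUID itself with uuidgen, passes it in the payload's "uuid" field, treats vmadm's exit status as the success signal instead of parsing the "Successfully created VM ..." message, and then confirms the VM exists with `vmadm lookup -1`. The placeholder image_uuid, the payload fields, the `/proc/sys/kernel/random/uuid` fallback and the `VMADM` override variable are assumptions for illustration. The alias and UUID checks are there so that nothing unvalidated is spliced into the hand-built JSON payload.

```shell
#!/bin/sh
# Added example (not from the thread): create a VM with a UUID chosen up front,
# then confirm it by exit status and a lookup rather than by parsing vmadm's
# "Successfully created VM ..." line. VMADM, the image UUID and the payload
# shape are assumptions for illustration.
set -u

VMADM=${VMADM:-vmadm}

# 0 if $1 is a lowercase hex UUID in 8-4-4-4-12 form; that is the only shape we
# are willing to embed in the JSON payload.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# The alias is interpolated into JSON by hand, so restrict it to a safe charset
# (stricter than what vmadm itself accepts).
is_alias() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$'
}

# uuidgen as suggested on the list, with the kernel's generator as a fallback.
gen_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen | tr 'A-Z' 'a-z'
    elif [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        return 1
    fi
}

# Emit the vmadm create payload with the "uuid" field pre-set.
# image_uuid is a constructed placeholder; use a real imported image.
build_payload() {
    uuid=$1; alias=$2
    is_uuid "$uuid" || { echo "refusing bad uuid: $uuid" >&2; return 1; }
    is_alias "$alias" || { echo "refusing bad alias: $alias" >&2; return 1; }
    cat <<EOF
{
  "brand": "joyent",
  "image_uuid": "00000000-0000-0000-0000-000000000000",
  "uuid": "$uuid",
  "alias": "$alias",
  "max_physical_memory": 256
}
EOF
}

# Create the VM; on success print the UUID we already chose.
create_vm() {
    alias=$1
    uuid=$(gen_uuid) || { echo "no UUID source available" >&2; return 1; }
    build_payload "$uuid" "$alias" | "$VMADM" create >/dev/null 2>&1 || return 1
    # lookup -1 fails unless exactly one VM matches, which doubles as a check
    # that the create really happened with our UUID.
    "$VMADM" lookup -1 uuid="$uuid" >/dev/null || return 1
    printf '%s\n' "$uuid"
}

# Usage: ./create.sh myzonealias   (vmadm is only invoked when an alias is given)
if [ $# -eq 1 ]; then
    create_vm "$1"
fi
```

With no argument the script only defines its functions, so it can be sourced from a larger script. Because the UUID is chosen before `vmadm create` runs, the later lookup and any cleanup step use a value the script already trusts, and the exit status of `vmadm create` is the only thing treated as "it worked".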


Re: [smartos-discuss] VM.js Node Version

2017-10-16 Thread Cody Mello
Hi Kilian,

As Josh mentioned, VM.js should only be used by applications that are
bundled in the platform. For our services (like cn-agent and vm-agent), we
use a wrapper library that takes care of executing vmadm and parsing its
feedback. I've written up some docs, and posted it to npm here:

https://www.npmjs.com/package/vmadm/

Switching where you require VM.js with that library should hopefully not be
too difficult. For most of the functions you should just need to wrap up
the first several arguments into an object with the right property names.

- Cody


On Mon, Oct 16, 2017 at 11:01 AM, Josh Wilsdon  wrote:

>> Is there any plan from Joyent to update this library to a newer node
>> version? This is a really old version and besides the security point many
>> commands like "const" are not supported :/
>>
>
> Hi Kilian,
>
> We would like to eventually update the node in the platform, but this is
> not a current priority.
>
> I would also point out that using VM.js in applications not shipped with
> the platform is not supported. See also the note here:
> https://github.com/joyent/smartos-live/blob/master/src/vm/node_modules/VM.js#L61-L63
> which was added in 2013.
>
> In our own components that use the platform tools without being shipped
> with it (e.g. Triton's cn-agent and vm-agent) we use vmadm instead of VM.js
> which avoids these issues.
>
> Thanks,
> Josh





Re: [smartos-discuss] SmartOS release-20170914

2017-09-17 Thread Cody Mello
Hi Paul,

The 20170913T233706Z build is a release-20170914 build, it just has a
20170913 timestamp because I started the build Wednesday evening. The
20170916T185915Z is also from the release-20170914 branch, but
includes two additional bug fixes (OS-6346 and OS-6350) that we
decided we wanted to backport to a release before the next one.

- Cody

On Sat, Sep 16, 2017 at 10:44 PM, Paul Sture <smar...@chingola.ch> wrote:
> Hi Cody,
>
> I didn't find release-201700914 when I looked yesterday; release-20170916 is
> currently the latest.
>
> Changelog for that here:
>
> https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20170916T185915Z
>
> Regards,
>
> Paul Sture
>
>
> On 16 Sep 2017, at 6:20, Cody Mello wrote:
>
>> Hello All,
>>
>> The latest bi-weekly "release" branch build of SmartOS is up:
>>
>> curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
>> curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
>> curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2
>>
>> A generated changelog is here:
>>
>> https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20170913T233706Z
>>
>> The full build bits directory, for those interested, is here in Manta:
>>
>> /Joyent_Dev/public/SmartOS/20170913T233706Z
>>
>>
>> # General Info
>>
>> Every second Thursday we roll a "release-MMDD" release branch and
>> builds for SmartOS (and Triton DataCenter and Manta, as well).
>>
>> Cheers,
>> Cody Mello, on behalf of the SmartOS developers
>> https://smartos.org
>>
> 
> 




[smartos-discuss] SmartOS release-20170914

2017-09-15 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20170913T233706Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20170913T233706Z


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and Triton DataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org





[smartos-discuss] SmartOS release-20170831

2017-09-06 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20170831T155808Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20170831T155808Z


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and Triton DataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org




Re: [smartos-discuss] Contributing to smartos-live

2017-08-17 Thread Cody Mello
Hi Daniel,

On Wed, Aug 9, 2017 at 12:33 AM, Daniel Kontsek  wrote:
> AFAIK we should open merge requests here: https://cr.joyent.us/ and not on
> GitHub, but we should create an issue on GitHub first, is this correct, or can
> we just create CRs in Gerrit?

Yes, merge requests should go through Gerrit for code review. You can
find instructions on how to get started using Gerrit here:

https://github.com/joyent/joyent-gerrit/tree/master/docs/user

You should create an issue on GitHub under the appropriate repository,
and then reference it in the commit message. For example, something
like:

joyent/smartos-live#12345 This Is The Issue's Subject Line
Reviewed by: Joe Smith 
Approved by: Jane Doe 

If you know of an open Joyent JIRA ticket (you can see them at
http://smartos.org/bugview/) then you're welcome to reference that in
the commit message instead.

Once you have a change on Gerrit, you can ping people in #smartos or
the Github ticket about it to find reviewers.

> Shell scripts coding style (mainly svc/methods and prompt_config) is a
> problem. We are seeing mixing of bash coding patterns, even in scripts where
> new bash features are used. (e.g. $var vs ${var} vs "${var}", `` vs $(), [ vs
> [[). I assume lots of these are just Solaris heritage, but some scripts are
> new and yet we see these strange inconsistencies. I'm not going to argue about
> line length and tabs vs spaces (although please don't mix them). But as we are
> saying: at least do it consistently wrong :) We are happily using shellcheck
> [2] for most of our bash scripts and it does solve these kind of problems. Is
> there a coding style guide for shell scripts?

This is the bash style guide, but it could definitely do with some
additional recommendations:

https://github.com/joyent/eng/blob/master/docs/index.md#bash-programming-guidelines

Dave Eddy at Joyent wrote some personal recommendations for writing
shell scripts, many of which should probably also be in the guide:

http://daveeddy.com/bash/

A lot of the scripts in smartos-live have vastly different styles. If
you're making changes in an area where someone has diverged from the
prevailing style of the file, then please do update that region to
match, so that over time each file can at least become consistent with
itself. In the long run, I'd like to flesh out the style guide and
write a linter/style checker to help enforce the guidelines.

> For example: we would love to rewrite the smartos_prompt_config.sh script so
> it does not use global variables. Would you accept such change?

smartos_prompt_config.sh could definitely do with some love. If you
can clean it up to be more readable and safer, we'd probably take
those changes. Just please make sure to also do testing for all of the
paths you change, and attach testing notes to the Github issue.

- Cody




Re: [smartos-discuss] Triton Data Center Question

2017-07-31 Thread Cody Mello
On Mon, Jul 31, 2017 at 6:48 PM, Lonnie Cumberland  wrote:
> Just a quick question. In my reading, I did come across the "CoaL" (Cloud on a
> Laptop) information. Am I correct in that it is a trimmed down version of
> Triton Data Center as it seems to have much less hardware requirements and I
> was just wondering although I am going for getting Triton installed and
> operational?

CoaL is the same build as Triton, but distributed as a VMWare image so
that developers can get an instance up more quickly. The reason for
the different hardware requirements is that the usage is going to be
different (mainly development), and you probably won't end up
installing all of the extra zones that you might in a production
deployment (CNS, CMON, the Docker API, CloudAPI, etc.), except for
those you are testing.

- Cody




Re: [smartos-discuss] Possible to enable/allow multicast packets using fwadm?

2017-05-15 Thread Cody Mello
Apologies, that last bit should say "but _not_ the VRRP address".

On Mon, May 15, 2017 at 6:11 PM, Cody Mello <mel...@joyent.com> wrote:
> Hello Angelo,
>
> What kinds of firewall rules do you have? Are you doing things like:
>
> FROM ip ... TO ... ALLOW tcp PORT 80
> FROM subnet ... TO ... ALLOW tcp PORT 80
> FROM any TO ... ALLOW tcp PORT 80
>
> Or something more like:
>
> FROM all vms TO ... ALLOW tcp PORT 80
> FROM tag  TO ... ALLOW tcp PORT 80
> FROM vm  TO ... ALLOW tcp PORT 80
>
> I would expect the first kind of rules to work, but not the second
> when using vrrp_primary_ip. The second set of rules take a look at the
> "ip" field on NICs, but the VRRP address.
>
> - Cody
>
> On Mon, May 15, 2017 at 6:02 PM, Brian Bennett <brian.benn...@joyent.com> wrote:
>> Have you set the vrrp_primary_ip and vrrp_vrid properties on the nics that
>> you want to use with VRRP?
>> 
>> --
>> Brian Bennett
>> Systems Engineer, Cloud Operations
>> Joyent, Inc. | www.joyent.com
>> 
>> On May 15, 2017, at 7:14 AM, Dr. Angelo Roussos <ang...@cloudafrica.net> wrote:
>> 
>> Hi All,
>> 
>> We have a scenario where one of our hosts is set up to create fwadm rules in
>> order to manage instance-level firewalling.
>> 
>> HOWEVER, we have an issue with a customer who wants to deploy (and manage)
>> their own HAProxy failover cluster.
>> 
>> We have successfully tested this setup with no issues at all when the
>> SmartOS host firewall is turned OFF, but we are unable to make this work
>> when the host firewall is turned ON and administered through fwadm.
>> 
>> Does fwadm/SmartOS host firewall support multicast – specifically, in this
>> case, to allow for VRRP packets?
>> 
>> Regards,
>> 
>> Angelo.
>> 




Re: [smartos-discuss] Possible to enable/allow multicast packets using fwadm?

2017-05-15 Thread Cody Mello
Hello Angelo,

What kinds of firewall rules do you have? Are you doing things like:

FROM ip ... TO ... ALLOW tcp PORT 80
FROM subnet ... TO ... ALLOW tcp PORT 80
FROM any TO ... ALLOW tcp PORT 80

Or something more like:

FROM all vms TO ... ALLOW tcp PORT 80
FROM tag  TO ... ALLOW tcp PORT 80
FROM vm  TO ... ALLOW tcp PORT 80

I would expect the first kind of rules to work, but not the second
when using vrrp_primary_ip. The second set of rules take a look at the
"ip" field on NICs, but the VRRP address.

- Cody

On Mon, May 15, 2017 at 6:02 PM, Brian Bennett  wrote:
> Have you set the vrrp_primary_ip and vrrp_vrid properties on the nics that
> you want to use with VRRP?
> 
> --
> Brian Bennett
> Systems Engineer, Cloud Operations
> Joyent, Inc. | www.joyent.com
> 
> On May 15, 2017, at 7:14 AM, Dr. Angelo Roussos wrote:
> 
> Hi All,
> 
> We have a scenario where one of our hosts is set up to create fwadm rules in
> order to manage instance-level firewalling.
> 
> HOWEVER, we have an issue with a customer who wants to deploy (and manage)
> their own HAProxy failover cluster.
> 
> We have successfully tested this setup with no issues at all when the
> SmartOS host firewall is turned OFF, but we are unable to make this work
> when the host firewall is turned ON and administered through fwadm.
> 
> Does fwadm/SmartOS host firewall support multicast – specifically, in this
> case, to allow for VRRP packets?
> 
> Regards,
> 
> Angelo.
> 




Re: [smartos-discuss] /proc, psinfo, RSS

2017-04-10 Thread Cody Mello
Hi Rob,

Since pr_size and pr_rssize are size_t's, I'm guessing that they're zero
since the number is too big to represent in 32 bits, so the field is being
made 0 instead. If you compile your C program for 64-bit (-m64 for GCC, I
believe), does the output change?

- Cody


On Mon, Apr 10, 2017 at 5:08 PM, Robert Fisher  wrote:

> I've been writing some software which parses `/proc` to get process info.
> The original is in Python, but I got some unexpected results and, as I'm
> not the best with Python, assumed it was my bad coding. So, I wrote a bit
> of C to cross-reference, and I get the same results. I just can't
> understand why.
>
> -
> #include <stdio.h>
> #include <fcntl.h>
> #include <unistd.h>
> #include <procfs.h>
>
> static void print_info(psinfo_t *buf);
>
> int main(int argc, char **argv) {
>   psinfo_t buf;
>   int fd;
>   char file[1024];
>
>   if (argc != 2) {
>     fprintf(stderr, "usage: %s <pid>\n", argv[0]);
>     return 1;
>   }
>   snprintf(file, sizeof(file), "/proc/%s/psinfo", argv[1]);
>   fd = open(file, O_RDONLY);
>   if (fd < 0) {
>     perror(file);
>     return 1;
>   }
>   /* psinfo is a fixed-size binary struct; read it in one go */
>   if (read(fd, &buf, sizeof(psinfo_t)) != sizeof(psinfo_t)) {
>     perror("read");
>     close(fd);
>     return 1;
>   }
>   close(fd);
>   print_info(&buf);
>   return 0;
> }
>
> static void print_info(psinfo_t *buf) {
>   printf(" PID: %ld\n", (long)buf->pr_pid);
>   printf(" cmd: %s\n", buf->pr_psargs);
>   /* pr_size and pr_rssize are size_t, in kilobytes */
>   printf("size: %ld\n", (long)buf->pr_size);
>   printf(" RSS: %ld\n", (long)buf->pr_rssize);
> }
>
> -
>
> Obviously, this code parses a process's psinfo struct, and prints the
> memory usage. On some processes it works just fine:
>
> $ ./psinfo 27481
>  PID: 27481
>  cmd: /usr/sbin/cron
> size: 2132
>  RSS: 720
>
> $ ./psinfo 8715
>  PID: 8715
>  cmd: /usr/bin/java -Djava.library.path=/usr/local/graylog/bin/../lib/sigar
> -Xms256m
> size: 519536
>  RSS: 412148
>
> But on others, it always shows zero for memory usage. Every other field
> seems to be correct.
>
> $ ./psinfo 28352
>  PID: 28352
>  cmd: java -Xmx500m -Xms300m -server -verbosegc -XX:-UseParallelOldGC
> -XX:OnOutOfMemo
> size: 0
>  RSS: 0
>
> $ ./psinfo 27627
>  PID: 27627
>  cmd: /ops/local/mysql/bin/mysqld --defaults-file=/opt/local/
> etc/mysql/my.cnf
> size: 0
>  RSS: 0
>
> Examining that last process with prstat:
>
> $ prstat -cp 27627 1 1
> Please wait...
>    PID USERNAME  SIZE   RSS STATE   PRI NICE      TIME  CPU PROCESS/NLWP
>  27627 mysql     619M  379M sleep    28    0   0:01:28 0.0% mysqld/23
> Total: 1 processes, 23 lwps, load averages: 0.12, 0.15, 0.21
>
> DTracing that command, I can see prstat only looks at /proc/{pid}/psinfo,
> just like my C example. (At first I suspected it was doing something with
> LWP info.) Looking at the source suggests my code and prstat are doing the
> same thing, but one works and one doesn't.
>
> The "zero memory" processes are always the same ones. Some programs always
> report it, and the others never do. It seems particularly odd to me that
> some JVMs "work" and some don't, and it's always the same ones. I get
> identical results on a Solaris box, right down to the same Java programs
> working or not working.
>
> What's going on here? What am I missing?
>
> TIA,
>
>
> Rob





[smartos-discuss] SmartOS release-20170302

2017-03-05 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20170303T182248Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20170303T182248Z


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and Triton DataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org





Re: [smartos-discuss] firewalls on zones

2017-01-28 Thread Cody Mello
Hi David,

Have you enabled the firewall with the -E flag?

- Cody

On Sat, Jan 28, 2017 at 7:58 PM, David Preece  wrote:

> Hi,
>
> I can't set firewall rules on zones. I'm trying:
>
> echo 'block in quick from 192.168.178.93/32 to any' | ipf -G
> d43b2283-c9c3-46d0-d9c0-8dcc592ffc4a -f -
>
> Where the IP is my laptop (on the same lan) and the uuid is a running
> lx-brand alpine 3. If I lose the -G and apply the rule to the global zone I
> lock myself out perfectly, so I know the rule works but is just not
> 'sticking' to the zone.
>
> I know I'm missing something fundamental - any ideas?
>
> -Dave





[smartos-discuss] SmartOS release-20161222

2016-12-22 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20161222T003450Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20161222T003450Z

# Highlights

- Support for USB 3 devices (xHCI)
- Load /etc/ipf/ipf6.conf when using the "ipfilter" service
- XXV710 support (i40e)


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and Triton DataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org




Re: [smartos-discuss] ipv6 firewall not working in smartos native zone

2016-11-18 Thread Cody Mello
Hi Rob,

It looks like we never picked up some work that Hans Rosenfeld did
earlier this year to get IPv6 custom policy files working with the
ipfilter service. I'll take care of pulling that in. Once that's done,
your /etc/ipf/ipf6.conf file should get detected and loaded.

- Cody


On Tue, Nov 15, 2016 at 2:21 PM, Rob Seastrom  wrote:
> 
> Hi all,
> 
> Apologies in advance for not actually getting my skills to a point where I 
> can just fix this myself and send a pr after all the help rm gave me a couple 
> of months ago.  The autumn has been full of distractions.
> 
> IPv6 firewall isn't working for me, and I hope I've got enough information 
> here to put folks on the right path to fixing it.
> 
> System in question is adf9565c-8be6-11e6-a077-57637270218d ( base-64 16.3.0 
> though I think I observed this behavior in 16.2.0 too).
> 
> Problem:  In a non-global zone (haven't tried this at all in global zone) 
> IPv6 ruleset placed in /etc/ipf/ipf6.conf does not get applied, at all, when 
> network/ipfilter is enabled.  The IPv4 ruleset at /etc/ipf/ipf.conf gets 
> applied just fine.
> 
> Upon investigation, the symlink ipf6.conf -> /etc/ipf/ipf6.conf is not 
> getting placed in /var/run/ipf.  Putting this symlink there manually and 
> restarting network/ipfilter seems to make everything work great, but it's not 
> durable across reboots of course.
> 
> Digging around in /lib/svc/share, I saw this:
> 
> [root@cumulus /lib/svc/share]# grep custom_policy_file *
> ipf_include.sh:CUSTOM_FILE_PROP="custom_policy_file"
> ipf_include.sh:CUSTOM_FILE_6_PROP="custom_policy_file_6"
> [root@cumulus /lib/svc/share]#
> 
> but when I looked at the propvals in the smf manifest, I see that the name it 
> should be importing is actually "ipf6_config_file" rather than 
> "custom_policy_file_6" (or perhaps more likely, the propval is wrong and 
> should be custom_policy_file_6).
> 
> [root@cumulus ~]# svccfg export ipfilter | grep /etc/ipf
>  value='/etc/ipf/ipf6.conf'/>
>  value='/etc/ipf/ipnat.conf'/>
>  value='/etc/ipf/ippool.conf'/>
>  value='/etc/ipf/ipf.conf'/>
> [root@cumulus ~]#
> 
> Figuring that this was an easy work-around, I tried adding this:
> 
> -  shell: 'svccfg -s network/ipfilter:default setprop 
> config/custom_policy_file_6 = astring: /etc/ipf/ipf6.conf'
> 
> to my Ansible firewall setup role, but it wasn't sufficient - still no 
> symlink being created.
> 
> At this point I'm slightly foiled because /lib is read-only; I guess I could 
> go down the rabbit hole of moving all of the ipfilter SMF stuff into 
> /opt/local/lib/svc under a different name, but maybe I've provided enough 
> information here that someone who is better with the way that these scripts 
> are structured than I am will see the problem immediately...
> 
> Thanks,
> 
> -r
> 




Re: [smartos-discuss] inet6 default gateway in non-global zones

2016-10-05 Thread Cody Mello
Hey Juraj,

On Wed, Oct 5, 2016 at 8:58 AM, Juraj Lutter  wrote:
> Yes, I know of -p but I thought that there
> is also another, SmartOS way.

There is the "gateways" field for NICs, which currently only supports
IPv4 addresses, but will eventually support IPv6. For now, the "route
-p add" method is probably the best thing to do. (Or set up some
script to run it at every reboot for you, which will be necessary for
lx zones.)

- Cody




Re: [smartos-discuss] fwadm BLOCK outgoing and questions about LX Brand

2016-08-28 Thread Cody Mello
Hi Eric,

On Sun, Aug 28, 2016 at 2:50 AM, Eric Ripa  wrote:
> 1) By default outgoing traffic is allowed. It seems like I need to explicitly 
> block every port/protocol if I want to block outgoing traffic. Is it somehow 
> possible to block all outgoing traffic with exceptions (and possibly being 
> stateful)?

There's no way to say "block everything, except for what these
additional rules allow", currently. What you can do though is make use
of port ranges to block several different ranges. So, for example:

FROM vm  TO any BLOCK ports 1-79, 81-442, 444-65535

Would allow outbound connections to ports 80 and 443.

> 2) Are fwadm rules supposed to work for lx branded zones? I cannot seem to 
> get them working, they get added and are enabled. But the rules are not 
> applied, see below. (the 722b…. zone is a SmartOS zone where rules are 
> working)
>
>
> # fwadm list
> UUID ENABLED RULE
> 692b5409-3616-4f68-b140-7fc2af6b1884 trueFROM vm 
> 722b3073-e771-6217-cc5d-a30f4fdd7ff3 TO vm 
> 23d8f7a0-6451-623c-dc9a-b5e46314f7ed ALLOW tcp PORT 8080
>
> # fwadm vms 692b5409-3616-4f68-b140-7fc2af6b1884
> 23d8f7a0-6451-623c-dc9a-b5e46314f7ed

Is the vm 722b3073-e771-6217-cc5d-a30f4fdd7ff3 on the same SmartOS
box? If it isn't, then fwadm won't know what addresses to use to
generate the rule.

- Cody


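Since fwadm has no "deny everything except" switch, the port-range workaround Cody gives above can be generated instead of typed by hand. The following is an added example and not fwadm's or Cody's code: it computes the complement of an allowed-port list as ranges and prints a rule in the form shown in the reply. The VM UUID is a constructed placeholder, and the `tcp` and `PORTS` keywords are assumptions to check against fwadm's rule syntax before applying anything; the message above writes the rule without a protocol.

```shell
#!/bin/sh
# Added example (not from the thread): build the "block everything except
# these ports" rule by computing the complement of an allowed-port list as
# fwadm-style port ranges. The VM UUID is a constructed placeholder and the
# "tcp"/"PORTS" keywords are assumed; check them against fwadm's rule grammar.
set -u

# Print "lo" for a single port or "lo-hi" for a range.
fmt_range() {
    if [ "$1" -eq "$2" ]; then printf '%s' "$1"; else printf '%s-%s' "$1" "$2"; fi
}

# Validate one port: decimal digits only, 1..65535. Anything else is refused
# rather than silently dropped, because dropping an entry from the allow list
# would silently change which ranges end up blocked.
check_port() {
    case $1 in
        ''|*[!0-9]*) echo "bad port: '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 1
    fi
}

# port_complement PORT... -> comma-separated ranges covering every port NOT
# listed. Input order and duplicates do not matter; no input blocks all ports.
port_complement() {
    for p in "$@"; do check_port "$p" || return 1; done
    out=""; prev=0
    for p in $(printf '%s\n' "$@" | sort -n -u); do
        # A gap between the previous allowed port and this one becomes a range.
        if [ "$p" -gt $((prev + 1)) ]; then
            out="${out:+$out, }$(fmt_range $((prev + 1)) $((p - 1)))"
        fi
        prev=$p
    done
    # Tail range after the highest allowed port.
    if [ "$prev" -lt 65535 ]; then
        out="${out:+$out, }$(fmt_range $((prev + 1)) 65535)"
    fi
    printf '%s\n' "$out"
}

# block_rule VM_UUID PORT... -> rule text blocking all outbound ports except
# those listed. Keyword form is an assumption, see the comment at the top.
block_rule() {
    uuid=$1; shift
    ranges=$(port_complement "$@") || return 1
    printf 'FROM vm %s TO any BLOCK tcp PORTS %s\n' "$uuid" "$ranges"
}

# Usage: ./blockrule.sh <vm-uuid> 80 443
# With no arguments, show the thread's case (allow only 80 and 443) with a
# constructed placeholder UUID.
if [ $# -gt 0 ]; then
    block_rule "$@"
else
    block_rule 00000000-0000-0000-0000-000000000000 80 443
fi
```

For the thread's case the script prints `1-79, 81-442, 444-65535`, matching the ranges in the reply. Adjacent allowed ports produce no empty range between them, a single blocked port is printed without a dash, and a malformed port aborts the whole rule instead of being ignored.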


[smartos-discuss] SmartOS release-20160721

2016-07-21 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:

https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20160721T174418Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20160721T174418Z


# Highlights


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and Triton DataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org



---


Re: [smartos-discuss] Temporarily disconecting a NIC

2016-03-15 Thread Cody Mello
On Mon, Mar 14, 2016 at 8:55 PM, Ian Collins  wrote:
> I usually use "ipadm down-addr -t " from within a zone.  I just
> tried this with zlogin and managed to bugger up the zone (couldn't zlogin to
> or reboot the zone) for a while, so take care.

What kind of zone was this? OS or LX?

- Cody


---


Re: [smartos-discuss] Net access on vm

2016-03-15 Thread Cody Mello
Hi Rupinder,

Could you provide details about the network you're trying to get set up on?
The configuration of the network affects how you'll want to configure your
host.

- Cody

On Mon, Mar 14, 2016 at 9:45 PM, Rupinder Singh Chugh wrote:

> We had followed the same link and done the same setup already, but the issue
> is still there.
>
>
> Regards
> *Rupinder Singh*
>
>
> On 15 March 2016 at 01:13, Jorge Schrauwen  wrote:
>
>> This was recently verified to still be working:
>> https://docu.blackdot.be/snipets/solaris/smartos-nat
>>
>> Just make sure to update the nat-rules, gz's vnic ip and address
>> consistently.
>>
>> Regards
>>
>> Jorge
>>
>>
>> On 2016-03-14 17:30, Rupinder Singh Chugh wrote:
>>
>> We have SmartOS with a single public IP.
>>
>> We created a virtual NIC with IP 10.0.0.1 on SmartOS and a VM with IP
>> 10.0.0.2, and are able to ping the NIC IP.
>>
>> But we are not able to access the Internet.
>> Can you provide us the next additional steps to do on SmartOS so that the
>> Internet will be accessible?
>>
>>



---


Re: [smartos-discuss] Net access on vm

2016-03-14 Thread Cody Mello
Hi Rupinder,

What type of network are you on? Do you know your gateway address, and have
you set it for the host and the VM? You've selected two RFC 1918 addresses,
which are for use on private networks. If you want your host and VM to
reach the internet, they will need to pass through a NAT. If you want the
internet to be able to reach your host and VM, you will need to assign them
public IPs.

- Cody


On Mon, Mar 14, 2016 at 9:30 AM, Rupinder Singh Chugh wrote:

> We have SmartOS with a single public IP.
>
> We created a virtual NIC with IP 10.0.0.1 on SmartOS and a VM with IP
> 10.0.0.2, and are able to ping the NIC IP.
>
> But we are not able to access the Internet.
> Can you provide us the next additional steps to do on SmartOS so that the
> Internet will be accessible?



---


Re: [smartos-discuss] fwadm KVM

2016-03-10 Thread Cody Mello
Hey Will,

If you want to block everything outbound, you can write something like
the following:

FROM vm  TO ANY BLOCK TCP PORT all
FROM vm  TO ANY BLOCK UDP PORT all

If you want to block all outbound except for several ports, you can do
the following (assuming you're on a recent platform with FWAPI-197's
changes):

FROM vm  TO any BLOCK TCP PORTS 1-21, 23-79, 81-65535

And yes, fwadm is a wrapper around ipf that's aware of VM uuids and
tags. It makes use of the global zone controlled ruleset (versus the
in-zone controlled ruleset). I don't think it's stated explicitly
anywhere, but fwadm(1M) does mention some flags related to ipf.

- Cody


On Sun, Mar 6, 2016 at 6:57 AM, Will Beazley
<will.beaz...@infoassets.com> wrote:
> Cody,
>
> Quick follow-up.
>
> I undertook the following two steps once I had read your email and now that
> I had a window to work on it:
> 1. Went back and updated the owner_uuid (conflict indeed); and
> 2. Reapplied the existing rules, after seeing no change after step [1].
>
> Now it works.
>
> Is there a way using fwadm to block everything outbound (save for a clutch
> of ports) or will I need to use ipf for that (not an issue at all)?
>
> Stop me if you have heard this one:
> It seems to me that fwadm is likely a VM aware wrapper for ipf; now why this
> possibility didn't dawn on me earlier, I am sure it is likely hidden in
> plain sight in the manual.
>
> Many Thanks,
> Will
>
>
>
>
> On 2/29/16 3:54 PM, Cody Mello wrote:
>>
>> This type of rule is meant to work, and works when I set one up on my
>> local instance. There are two possibilities that I can think of right
>> now:
>>
>> - What version of SmartOS are you running? This may be a bug that has
>> since been fixed
>> - What's the output of `fwadm list -j'? If your rule isn't a global
>> rule and has an owner_uuid, then it won't be applied to the VM if the
>> owner_uuid disagrees.
>>
>> - Cody
>>
>> On Mon, Feb 29, 2016 at 1:37 PM, Will Beazley
>> <will.beaz...@infoassets.com> wrote:
>>>
>>> [root@90-b1-1c-00-0b-6a /usbkey]# ipfstat -nio -G
>>> 49700b0b-55a8-4245-b3bf-907e098130ab
>>> @1 pass out quick proto tcp from any to any flags S/SA keep state
>>> @2 pass out proto tcp from any to any
>>> @3 pass out proto udp from any to any keep state
>>> @4 pass out quick proto icmp from any to any keep state
>>> @5 pass out proto icmp from any to any
>>> @1 pass in quick proto icmp from any to any icmp-type echo code 0
>>> @2 pass in quick proto tcp from any to any port = ssh
>>> @3 block in all
>>> [root@90-b1-1c-00-0b-6a /usbkey]#
>>>
>>> On 2/29/16 3:14 PM, Cody Mello wrote:
>>>>
>>>> ipfstat -nio -G 49700b0b-55a8-4245-b3bf-907e098130a
>>>
>>>
>>
> 
> 
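The port-range workaround Cody gives here (`PORTS 1-21, 23-79, 81-65535`) and in the earlier reply on blocking outbound traffic (`ports 1-79, 81-442, 444-65535`) is a complement computation; the following is an added example, not fwadm's own code, that generates such BLOCK rules from an allow list and covers the edge cases (port 1 or 65535 allowed, adjacent or duplicate ports, everything allowed). It assumes the fwapi grammar shown in the thread and that a single port may appear as a bare number inside a PORTS list.

```python
"""Build fwadm 'block all outbound except these ports' rules by complementing
the allowed set into port ranges, the workaround described in the thread.
Added example; not fwadm's own code. Rule text follows the fwapi grammar shown
in the thread (FROM vm <uuid> TO any BLOCK <proto> PORTS a-b, c-d ...)."""

PORT_MIN, PORT_MAX = 1, 65535

def complement_ranges(allowed, lo=PORT_MIN, hi=PORT_MAX):
    """Return the (start, end) ranges within lo..hi NOT in `allowed`.
    Handles duplicates, unsorted input, adjacent ports and the ends of the
    port space (allowing port 1 or 65535 produces no empty/inverted range)."""
    ports = sorted({int(p) for p in allowed})
    if ports and (ports[0] < lo or ports[-1] > hi):
        raise ValueError(f"ports must be within {lo}-{hi}")
    ranges, cursor = [], lo
    for p in ports:
        if p > cursor:                 # gap between last allowed port and p
            ranges.append((cursor, p - 1))
        cursor = p + 1
    if cursor <= hi:                   # tail after the highest allowed port
        ranges.append((cursor, hi))
    return ranges

def format_ports(ranges):
    """Render ranges in fwadm PORTS syntax; a one-port gap becomes a bare
    number (assumption: the grammar accepts single ports in a PORTS list)."""
    return ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)

def block_all_except(vm_uuid, allowed, proto="TCP"):
    """One BLOCK rule for `proto` that leaves only `allowed` ports reachable.
    Returns None when every port is allowed (there is nothing to block)."""
    ranges = complement_ranges(allowed)
    if not ranges:
        return None
    return f"FROM vm {vm_uuid} TO any BLOCK {proto} PORTS {format_ports(ranges)}"

def outbound_policy(vm_uuid, allowed_by_proto):
    """Rules for several protocols at once, e.g. {"TCP": [80, 443], "UDP": [53]}.
    Each protocol needs its own BLOCK rule since the ranges are per protocol;
    a protocol with no allowed ports gets a full 1-65535 block."""
    rules = []
    for proto, ports in allowed_by_proto.items():
        rule = block_all_except(vm_uuid, ports, proto)
        if rule is not None:
            rules.append(rule)
    return rules

if __name__ == "__main__":
    VM = "00000000-0000-0000-0000-000000000000"   # placeholder uuid, not a real VM
    for rule in outbound_policy(VM, {"TCP": [80, 443], "UDP": [53]}):
        print(rule)
```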


---


[smartos-discuss] SmartOS release-20160303

2016-03-04 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O
https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O
https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O
https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:


https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20160304T005100Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20160304T005100Z/


# Highlights

- Support for IPv6 firewall rules (FWAPI-225)


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and SmartDataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org


---


Re: [smartos-discuss] Static IPV6 not working in lx-zone (centos-6.7)

2016-03-02 Thread Cody Mello
Hi Paul,

Are you editing the zone XML file directly? If you're using vmadm, it
will let you know that static IPv6 gateways are not supported at this
time. There's some further work that needs to be done in order to
support them. For now, you need to use 'addrconf' and rely on Router
Advertisements to discover the gateway.

- Cody


On Wed, Mar 2, 2016 at 7:36 AM, Paul Dunkler  wrote:
> All,
> 
> I am not able to get ipv6 working inside an lx branded centos-6.7 zone.
> 
> System Info:
> 
> Global Zone: joyent_20151029T053122Z
> LX Zone: 232ddfaa-c87f-11e5-9a3a-7bc6a36a1bfd // centos-6 (20160201)
> 
> What I did:
> 
> -  Added an IPV6-Ip to "nic.ips":
> 
> 
> 
> -  Added an IPV6-Gateway to "nic.gateways":
> 
> 
> 
> What I tried:
> 
> Pinging my own configured ipv6 address is not working from inside the zone:
> 
> [root@-xx ~]# ping6 2a00:xx8:xxx:f::73
> 
> WARNING: your kernel is veeery old. No problems.
> PING2a00:xx8:xxx:f::73(2a00:xx8:xxx:f::73) 56 data bytes
> 
> ping: recvmsg: Operation not supported
> ping: recvmsg: Operation not supported
> ^C
> 
> Pinging the configured default GW is not working:
> 
> [root@-xx ~]# ping6 2A00:xx8:xx0:F::1
> 
> WARNING: your kernel is veeery old. No problems.
> PING2A00:xx8:xx0:F::1(2A00:xx8:xx0:F::1) 56 data bytes
> 
> Pinging another ipv6 (google) is not working:
> 
> [root@-xx ~]# ping6 2a00:1450:4008:802::2003
> connect: Network is unreachable
> 
> [root@-xx ~]# ping6 ipv6.google.com
> connect: Network is unreachable
> 
> Inside the LX-Zone the IPv6 address is correctly shown by ifconfig and
> native ifconfig:
> 
> [root@-xx ~]# ifconfig
> eth0  Link encap:Ethernet  HWaddr C2:87:A8:08:A4:44
>   inet addr:212.12.xx.xxx  Bcast:212.12.xx.xxx  Mask:255.255.255.192
>   inet6 addr: fe80::c087:a8ff:fe08:a444/10 Scope:Link
>   inet6 addr: 2a00:xx8:xxx:f::73/64 Scope:Global
> 
> [root@-xx ~]# /native/sbin/ifconfig
> eth0:1: flags=2000841 mtu 1500 index 2
> inet6 2a00:xx8:xxx:f::73/64
> 
> I even tried setting "allow_ip_spoofing" to true - doesn't help.
> We already configured IPv6 for a native zone on the same global zone which
> is working fine.
> Do we need to upgrade the Platform Image? Couldn't find any evidence...
> 
> Would be nice if anybody can lead me onto the right track.
> 
> Best regards,
> 
> —
> Paul Dunkler
> 


---


Re: [smartos-discuss] limit on multi-homed IP

2016-02-29 Thread Cody Mello
Hi Anil,

This isn't by design. You're most likely running up against some limitation
somewhere along the way. (My guess is it's in the network startup script,
but I don't know for sure, yet.) I'll try to duplicate this.

- Cody
On Feb 29, 2016 7:53 PM, "Anil Jangity"  wrote:

> I tried to specify about 16+ IP address in the “ips” attribute of the
> config (joyent_20160204T173339Z) but apparently things seem to get
> truncated.
>
>   "nics": [
> {
>   "nic_tag": "external",
>   "ip": "102.29.163.170",
>   "netmask": "255.255.255.192",
>   "gateway": "102.29.163.129",
>   "ips": ["102.29.163.170/26", "2001:392:2:60e::14/64",
> "2001:392:2:60e::1000/64", "2001:392:2:60e::1001/64",
> "2001:392:2:60e::1002/64", "2001:392:2:60e::1003/64",
> "2001:392:2:60e::1004/64", "2001:392:2:60e::1005/64",
> "2001:392:2:60e::1006/64", "2001:392:2:60e::1007/64",
> "2001:392:2:60e::1008/64", "2001:392:2:60e::1009/64"],
>   "primary": true
> }
>   ]
>
>
> This ends up creating:
>
> # ifconfig -a
> ...
> net0:1: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::14/64
> net0:2: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1000/64
> net0:3: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1001/64
> net0:4: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1002/64
> net0:5: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1003/64
> net0:6: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1004/64
> net0:7: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1005/64
> net0:8: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1006/64
> net0:9: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1007/64
> net0:10: flags=40002000841 mtu 1500
> index 2
> inet6 2001:392:2:60e::1008/6
> #
> 
> 
> Also note the “1008/6” in the last one. Definitely looks like truncation
> here.
> 
> Is this by design?
> 
> Thanks
> 



---


Re: [smartos-discuss] fwadm KVM

2016-02-29 Thread Cody Mello
Can you run the following:

# ipfstat -nio -G 49700b0b-55a8-4245-b3bf-907e098130a

That'll show us what ipfilter rules are being installed.

- Cody


On Mon, Feb 29, 2016 at 12:52 PM, Will Beazley <will.beaz...@infoassets.com> wrote:
> Cody,
>
> Do you know whether these commands also work on the CLI?
>
> After validating that firewall_enable flag was set and reboot, nothing
> changed.
>
> When I run the following not all the rules are there:
> fwadm rules 49700b0b-55a8-4245-b3bf-907e098130a
> UUID                                 ENABLED RULE
> 89862847-43cc-4b72-abbb-24758d3bf69d true    FROM any TO all vms ALLOW icmp
> TYPE 8 CODE 0
> c762c835-bde9-4a56-bda6-9a2ddf02d086 true    FROM any TO all vms ALLOW tcp
> PORT 22
>
> yet
> fwadm list | grep `vmadm list|grep centos4|sed
> 's/^\(\([a-z0-9]*-\)\([a-z0-9]*-\)*\([a-z0-9]*\)\).*/\1/g'`
> 0c8b49f2-e2b6-4ad0-870d-f05009eff55e true    FROM vm
> 49700b0b-55a8-4245-b3bf-907e098130ab TO any BLOCK tcp PORT 25
> a612e3e1-87e9-4f88-a442-da54f1067a29 true    FROM vm
> 49700b0b-55a8-4245-b3bf-907e098130ab TO ip XX.XXX.XX.XX BLOCK tcp PORT 25
> dfc33fc9-09bf-4f87-9435-0377f7b086b5 true    FROM vm
> 49700b0b-55a8-4245-b3bf-907e098130ab TO all vms BLOCK tcp PORT 25
> [root@90-b1-1c-00-0b-6a /usbkey]#
>
> But when I run the rule I think should work:
>
> With sanity check:
> #vmadm get 49700b0b-55a8-4245-b3bf-907e098130ab|grep fire
>   "firewall_enabled": true,
>
> Alas,
> [root@centos4 ~]# telnet XX.XXX.XX.XX 25
> Trying XX.XXX.XX.XX...
> Connected to XX.XXX.XX.XX.
> Escape character is '^]'.
> 220 XX.XXX.XX.XX ESMTP Postfix
> ^]
> telnet> Connection closed.
> [root@centos4 ~]#
>
> So does fw* not constrain the outbound ports?
>
>
>
> On 2/29/16 1:25 PM, Cody Mello wrote:
>
> Hi Will,
>
> Yes, fwadm rules will work on KVM instances as long as you're on a
> platform newer than 20140314:
>
> https://github.com/joyent/sdc-fwapi/blob/master/docs/index.md#vms
>
> - Cody
>
>
> On Mon, Feb 29, 2016 at 11:16 AM, Will Beazley
> <will.beaz...@infoassets.com> wrote:
>
> All,
>
> Are fwadm managed fw-rules effective with KVMs? The wording sounds funny so
> to restate, are the KVMs constrained by fwadm rules?
>
> What I am trying to do is have a KVM that can be gotten to but cannot get
> out save for a single route.
>
> If the system were to be compromised it is important that it not be able to
> change its firewall rules in a meaningful way.
>
> LX-BZs are an option too if KVM isn't known to work or is known to not work.
>
> Many Thanks,
> Will
>


---


[smartos-discuss] SmartOS release-20160218

2016-02-18 Thread Cody Mello
Hello All,

The latest bi-weekly "release" branch build of SmartOS is up:

curl -C - -O
https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.iso
curl -C - -O
https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest-USB.img.bz2
curl -C - -O
https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos-latest.vmwarevm.tar.bz2

A generated changelog is here:


https://us-east.manta.joyent.com/Joyent_Dev/public/SmartOS/smartos.html#20160218T022556Z

The full build bits directory, for those interested, is here in Manta:

/Joyent_Dev/public/SmartOS/20160218T022556Z


# General Info

Every second Thursday we roll a "release-MMDD" release branch and
builds for SmartOS (and SmartDataCenter and Manta, as well).

Cheers,
Cody Mello, on behalf of the SmartOS developers
https://smartos.org


---


[smartos-discuss] Ordering the application of firewall rules (input wanted)

2016-02-11 Thread Cody Mello
Hello all,

Currently, firewall rules that agree with the default firewall policy
don't ever get applied. While thinking about this recently, I suspect
that this isn't the behaviour that people want or expect. Take for
example a case where you want to open up a port to the internet, but
want to apply a block list to prevent spammers or other abusers from
connecting:

FROM any to tag mta ALLOW TCP port 25
FROM (subnet  OR ip  OR ip ) TO tag mta BLOCK
TCP port 25

Or (this is the train of thought that led me down this path), you
might have a global SDC rule that you want to counter.

After giving it some thought, I think that the more intuitive thing to
do is to apply rules in order of their scope, so that more specific
rules take precedence over other rules. I've outlined some of my
initial thoughts here:

https://smartos.org/bugview/FWAPI-233

Another avenue of possibility is introducing a PRIORITY keyword (with
a default of the lowest priority), so that you could write rules like
this:

PRIORITY 10 FROM any TO tag b ALLOW TCP port 8000
PRIORITY 5 FROM any TO tag a BLOCK TCP port 8000

Something like this would be necessary for tags since there's no
sensible way to determine which tag the user considers more important
for a machine with both tags.

What are people's thoughts here? I'd especially appreciate hearing
from anyone who makes heavy use of fwadm(1M) or FWAPI.

- Cody


---


Re: [smartos-discuss] Testing images w/ SLAAC support for IP spoofing protection

2015-11-16 Thread Cody Mello
Hey Jorge,

Yep, that's what it does. Much like IP spoofing detection currently
detects DHCP(v6) transactions and adds them to a list of allowed
addresses, this detects the Prefix Information on incoming Router
Advertisements, calculates the modified EUI-64 address, and adds that
to a list of allowed addresses.

- Cody


On Sat, Nov 14, 2015 at 3:45 AM, Jorge Schrauwen <sjorge...@blackdot.be> wrote:
> Hey Cody,
>
> I'm a bit confused what this does... does this allow me to add 'addrconf' to
> the 'ips' array like I can do with dhcp and it will just work (tm) without
> adding the EUI-64 based address to the allowed_ip list?
>
> Regards
>
> Jorge
>
>
>
>
> On 2015-10-31 00:49, Cody Mello wrote:
>> 
>> Hello all,
>> 
>> Several people on IRC were interested in testing out images w/ support
>> for SLAAC when using IP spoofing protection. I've done a variety of
>> tests locally without any issues, and it should just work at this
>> point. If you want to try it out, you can download images from here:
>> 
>> https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.tgz
>> 
>> https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.usb.bz2
>> 
>> https://us-east.manta.joyent.com/cody.mello/public/builds/OS-4667/platform-20151030T184221Z.iso
>> 
>> If you try the images out, please let me know how it goes! If it
>> doesn't work for you, please include the output of `vmadm get', what's
>> doing Router Advertisements on your network and its configuration, and
>> any other details you think are relevant.
>> 
>> -  Cody
>> 
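What Cody describes above (read the Prefix Information on an incoming Router Advertisement, derive the modified EUI-64 address, add it to the allowed list) is reproduced below as an added example; it is not the illumos/SmartOS spoofing-protection code. The RA bytes are constructed, the MAC is the HWaddr from the lx-zone ifconfig output quoted earlier in this archive, and the page's own fe80::c087:a8ff:fe08:a444 link-local is what the EUI-64 step must reproduce for it.

```python
"""Compute the SLAAC (modified EUI-64) address a zone derives from a Router
Advertisement and build the allowed-address list the thread describes: walk the
RA's Prefix Information options, keep only prefixes with the A (autonomous)
flag, and add prefix + EUI-64 interface identifier. Added example, not SmartOS
code; the sample RA below is constructed."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134       # ICMPv6 type
ND_OPT_PREFIX_INFO = 3       # RFC 4861 section 4.6.2
PIO_FLAG_AUTONOMOUS = 0x40   # the "A" flag: prefix may be used for SLAAC

def modified_eui64(mac):
    """64-bit interface identifier (RFC 4291 appendix A): split the MAC,
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def slaac_address(prefix, mac):
    """Address formed from a /64 prefix and the MAC's modified EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC requires a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def ra_autonomous_prefixes(ra):
    """'prefix/len' strings from every Prefix Information option whose A flag
    is set. `ra` is the ICMPv6 message; options follow the 16-byte header."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1]
        if opt_len == 0:                   # RFC 4861 7.1.1: discard the packet
            raise ValueError("zero-length ND option")
        end = off + opt_len * 8
        if end > len(ra):                  # truncated option: stop parsing
            break
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 4:
            plen, flags = ra[off + 2], ra[off + 3]
            prefix = ipaddress.IPv6Address(ra[off + 16:off + 32])
            if flags & PIO_FLAG_AUTONOMOUS:
                prefixes.append(f"{prefix}/{plen}")
        off = end
    return prefixes

def allowed_addresses(ra, mac):
    """Addresses spoofing protection should permit for this NIC: the EUI-64
    link-local plus one SLAAC address per autonomous /64 prefix in the RA."""
    allowed = {slaac_address("fe80::/64", mac)}
    for p in ra_autonomous_prefixes(ra):
        if p.endswith("/64"):              # only /64 prefixes are usable for EUI-64
            allowed.add(slaac_address(p, mac))
    return allowed

def build_pio(prefix, flags, valid=2592000, preferred=604800):
    """Constructed 32-byte Prefix Information option for the sample RA."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       valid, preferred, 0) + net.network_address.packed

# Constructed sample RA: header (hop limit 64, router lifetime 1800) plus two
# PIOs, one with L|A set (used for SLAAC) and one on-link only (no address).
SAMPLE_RA = (struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
             + build_pio("2001:db8:1::/64", 0xc0)
             + build_pio("2001:db8:2::/64", 0x80))
SAMPLE_MAC = "c2:87:a8:08:a4:44"   # HWaddr from the thread's lx-zone ifconfig output
```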


---