On 27.11.2015 at 08:54, "Carsten Bäcker" wrote:
Sorry... something's wrong with GMX webmailer. Second time this
happens.
Hi Hackers,
I'm running into problems creating hierarchical jails.
First of all: this is my first try with *hierarchical* jails (in favor
of creating a bu
Hi James, others,
On 26 Sep 2014, at 21:28, James Gritton ja...@gritton.org wrote:
On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
Hi,
Could a committer have a look at
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
Thanks!
Best Regards,
Ruben van Staveren
This would have to go into current first, and then MFC. Considering
10.1 is getting close to release, I suspect it wouldn't be allowed in.
I agree, probably better to do it that way
On 9/25/2014 3:40 AM, Ruben van Staveren wrote:
Hi,
Could a committer have a look at
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
Thanks!
Best Regards,
Ruben van Staveren
This would have
Hi,
Could a committer have a look at
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192951 ?
This enables fdescfs in hierarchical jails, would be nice to have this for 10.1
Thanks!
Best Regards,
Ruben van Staveren
Without going into the current rc system, which isn't up to the task
of hierarchical jails, here's a minimal set of parameters/commands to
create hierarchical jails that can still ping:
# jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 ip4.addr=10.20.12.68 persist
# jexec
jails need to allow raw sockets - a jail can't allow a
child jail to do what it can't do itself.
- Jamie
Edwin Shao wrote:
One other thing that is odd: hierarchical jails don't seem to inherit some
sysctls such as allow_raw_socket.
In the host (jail), rc.conf has
Edwin Shao wrote:
Hello,
Does anyone have a walkthrough for how to get hierarchical jails to work?
I've been playing around with it for a couple of days and it simply is not
working. I would like to know if anyone has gotten it to work, and if so,
how?
The error I tend to get within a jail
,
Edwin
On Mon, Sep 28, 2009 at 7:35 PM, Jamie Gritton ja...@freebsd.org wrote:
Edwin Shao wrote:
Hello,
Does anyone have a walkthrough for how to get hierarchical jails to work?
I've been playing around with it for a couple of days and it simply is not
working. I would like to know if anyone has
Thanks, that worked for me.
* Using jail to change children.max on the parent does not affect
`sysctl security.jail.param.children.max` in the child. Also
security.jail.param.children.cur never changes either. Not sure if that's
intended behavior.
* Is there any way to persist the
The sysctls not only don't get written to, they don't have any useful
information to read either. They only describe the existence and format
of the various jail parameters. Sorry, but there's no way to set a
default children.max parameter or inherit it from the parent. We've
decided to set the
to do what it can't do itself.
- Jamie
Edwin Shao wrote:
One other thing that is odd: hierarchical jails don't seem to inherit
some sysctls such as allow_raw_socket.
In the host (jail), rc.conf has jail_set_allow_raw_sockets=YES and
sysctl.conf has security.jail.allow_raw_sockets=1
Jilles Tjoelker wrote:
On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
There's still a chance to offer your input on the new jails before they
go in! OK, given the lack of response so far, it's less still a
chance than please?. Current plans are to have this in place for
8.0,
, and commits will likely be appearing soon.
I wrote:
Here's the first round of hierarchical jails under the new framework.
Instead of creds having either a prison or a NULL pointer, they all have
a prison pointer with the default being the global prison0 that
contains information about the real
that this is the global hostname
being used. Because you're right - the hostname is at the center of
what it means to have a jail identity.
Then there's rootvnode, the third global that's superseded by
hierarchical jails. I could also remove that, allowing the use of
prison0.pr_root for those who need the real
On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
There's still a chance to offer your input on the new jails before they
go in! OK, given the lack of response so far, it's less still a
chance than please?. Current plans are to have this in place for
8.0, with connections to the
Jilles Tjoelker wrote:
On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote:
There's still a chance to offer your input on the new jails before they
go in! OK, given the lack of response so far, it's less still a
chance than please?. Current plans are to have this in place for
8.0,
Jamie Gritton wrote:
Here's the first round of hierarchical jails under the new framework.
Instead of creds having either a prison or a NULL pointer, they all have
a prison pointer with the default being the global prison0 that
contains information about the real environment. Jailed root may
On Tue, Sep 18, 2007 at 03:03:12PM -0600, James Gritton wrote:
I've been doing some work on a hierarchical jail setup, but I've got
this nagging feeling it's been done before. Does anyone know of such
an existing project? If not, I'll put forward my own code.
Something like this:
19 matches