Re: preferred jail management tool

2015-01-27 Thread Ernie Luzar
Ian Smith wrote: On Mon, 26 Jan 2015 19:23:48 -0600, Mark Linimon wrote: [Sean Chittenden wrote:] For years I've used and endorsed ezjail, but as stated, it is deprecated. Hmm, there's no notation at http://portsmon.freebsd.org/portoverview.py?category=sysutils&portname=ezjail ,

Re: preferred jail management tool

2015-01-23 Thread Ernie Luzar
Michael W. Lucas wrote: Hi, For those who haven't heard, I'm writing a book on jails. Some details are at http://blather.michaelwlucas.com/archives/2286. I want to cover at least one jail management tool. I've done some research into jail tools. You can see my results at

Re: Current state of VIMAGE on 10-STABLE?

2015-03-26 Thread Ernie Luzar
Kai Gallasch wrote: Hi. What is the current state of VIMAGE jails on 10-STABLE? I'm asking, because I saw that Craig Rodrigues and others are working on some long known problems with VIMAGE and there were some related patches committed to the tree. When I experimented with VIMAGE jails on

Re: IPFW2 logging inside VIMAGE Jails?

2015-04-21 Thread Ernie Luzar
Kai Gallasch wrote: Hi. Is it possible at all to log actions of IPFW firewall inside a running vnet/VIMAGE jail to the vnet/VIMAGE jail's syslog? NO. Not at this time. I'm asking, because I see no firewall log entries inside the jail's /var/log/security log. What I find is, that log

Re: iocage following stable?

2015-12-18 Thread Ernie Luzar
Michael Grimm wrote: Hi — I am running ezjail for some years now, but I intend to migrate to iocage. Not that I am "disappointed" with ezjail, but I do want to give VNET a try. After having read iocage's documentation and some google research, I am left with the following questions: 1)

Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?

2016-06-02 Thread Ernie Luzar
Michael Grimm wrote: Sebastián Maruca via freebsd-jail wrote: Now we're talking about 10.3-HEAD with Jails+vnet... but then again, has anyone tried it? Roger, it seems you are thumbing up my challenge... But I guess I'll have to stick with netgraph instead

Re: qjail or qjail2?

2016-06-12 Thread Ernie Luzar
Grzegorz Junka wrote: On 12/06/2016 13:07, Kurt Jaeger wrote: Hi! Which qjail should I use, qjail 4.7 or qjail2 2.2? Does the qjail project have any documentation apart from http://qjail.sourceforge.net/? qjail, as qjail2 is a no-longer updated version of qjail, as far as I understand.

Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?

2016-05-30 Thread Ernie Luzar
Here are the bare truths without any sugar coating. Vimage is officially described as experimental. You have to recompile the kernel to include vimage. Enabling pf or ipf firewalls causes the host to crash. ipfw firewall does not cause a crash but has next to no real life usage on vimage. When

Re: deploy multiple vnets with VIMAGE/VNET + Production Ready?

2016-06-02 Thread Ernie Luzar
Roger Marquis wrote: Ernie Luzar wrote: the kernel to include vimage. Enabling pf or ipf firewalls causes the host to crash. ipfw firewall does not cause a crash but has next to no real life usage on vimage. Considering we have had ipfw/vimage/netgraph jails for several years I'd

11.0-ALPHA4 and VIMAGE

2016-06-18 Thread Ernie Luzar
Hello list; I have installed 11.0-ALPHA4-i386-20160617-r301975 to test VIMAGE. I have read previous list posts saying vimage was going to be part of the base system in 11.0. When I configure a jail with vnet I get an error typical of vimage not being compiled into the kernel. To me it looks

Re: NFS + nullfs + jail = zombies?

2016-07-08 Thread Ernie Luzar
Thomas Johnson wrote: I am working on developing a clustered application utilizing jails and running into problems that seem to be NFS-related. I'm hoping that someone can point out my error. The jail images and my application data are served via NFS. The host mounts NFS at boot, and then uses

testing 11.0-RC1 vnet jails with ipfilter

2016-08-15 Thread Ernie Luzar
Hello list; Running 11.0-RC1 with only option vimage compiled into the generic kernel. I can run ipfilter on the host and start vnet jails containing no firewalls just fine. But when I try to also have ipfilter run in the vnet jail nothing happens. I added this to the vnet jails rc.conf

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-16 Thread Ernie Luzar
Bjoern A. Zeeb wrote: In 11-RC* it is present for all 3 firewalls; like VIMAGE due to memory footprint you might have to compile the firewall into the kernel rather than kldload it (especially ipfilter). /bzvnet The 11.0-RC1 host has vimage and ipfilter compiled into the kernel. Vnet

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-16 Thread Ernie Luzar
Bjoern A. Zeeb wrote: On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote: On 08/16/2016 03:21 PM, Ernie Luzar wrote: Issuing "ipf -FS -Fa" command from within the vnet jail gives this message, "open device:no such file or directory. User kernel version check failed. Acc

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-17 Thread Ernie Luzar
Here is my new rules file. I have tested it with the commented out lines and with the comments removed. Tested on vimage/ipfilter kernel and vimage only kernel. In all 4 combinations the "ipf" and "ipstat" commands work. I can see the ipf firewall rules. The problem is when issuing the ping

Re: Using jail.conf array parameters in exec.* commands

2017-02-18 Thread Ernie Luzar
/rc or the specific service is started in the jail? I unfortunately suspect you're right that I can't use the existing jail(8) and jail.conf(5) approach without wrapping the whole thing in a script. The hooks, even for networking, don't seem to be there. Jeff On 2/17/17 3:01 PM, Ernie

10.x or 11.0 and pf firewall in vimage jail

2016-08-23 Thread Ernie Luzar
Would like to talk with anyone who has a working pf firewall on the host and in a vnet/vimage jail running on version 10.x or 11.0. Looking for details about pf configuration and setup. Thanks ___ freebsd-jail@freebsd.org mailing list

Problem 11.0-RC1 vnet jails with ipfilter

2016-08-22 Thread Ernie Luzar
Hello List. I have a working setup where I am running IPF on the host and in a vnet jail at the same time. The problem is I don't think the vnet IPF rules are being enforced. To verify the vnet IPF rules are active and being enforced, I have a rule to deny outbound for port 43. Port 43 is

Re: Jails and IPv6 local loopback

2016-08-27 Thread Ernie Luzar
Roger Leigh wrote: On 27/08/16 17:22, Roger Leigh wrote: Hi list, I saw https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html in the archives but didn't see anything more recent. This is with 10.3-RELEASE [...] And after upgrade to 11.0-RC2: bfcpp% ifconfig bge0:

Re: Jails and IPv6 local loopback

2016-08-27 Thread Ernie Luzar
Roger Leigh wrote: On 27/08/16 23:05, Ernie Luzar wrote: Roger Leigh wrote: On 27/08/16 17:22, Roger Leigh wrote: Hi list, I saw https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html in the archives but didn't see anything more recent. This is with 10.3-RELEASE

Re: Closing ports in jail with ipfw

2016-11-19 Thread Ernie Luzar
marcel wrote: Hi there, I've created a jail and when I do a nmap on his IP, I can see that port 25 and 22 are open but I don't want. So i've tried to create an IPFW rule by adding 'ipwf -q add 00290 deny all from router to jail' to my host ipfw conf file and applied it but ports jail are still

Re: Jail fails to unmount a directory

2016-10-31 Thread Ernie Luzar
io7m+org.freebsd.j...@io7m.com wrote: Hello. I have an incredibly trivial jail setup: /usr/jail/com.example.service0 is the root of the jail. /usr/jail/com.example.service0/base is an empty directory. /usr/jail/base is a directory containing binaries. I use the following jail configuration:

Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-13 Thread Ernie Luzar
Isaac (.ike) Levy wrote: Hi All, Can I specify multiple IP interfaces and assign IP’s to them using jail.conf? I have jails with IPv4/IPv6 addresses on multiple physical interfaces, as well as assigning a loopback. I have not found answers in the respective man pages or digging online. I’m

Re: Closing ports in jail with ipfw

2016-12-15 Thread Ernie Luzar
marcel wrote: Le Thu, 15 Dec 2016 09:33:33 +0800, Ernie Luzar <luzar...@gmail.com> a écrit : marcel wrote: Le Mon, 05 Dec 2016 08:31:19 +0800, Ernie Luzar <luzar...@gmail.com> a écrit : marcel wrote: Hi there, I've created a jail and when I do a nmap on his IP, I can see

Re: Failure to add new files when updating jails with ezjail-admin

2016-12-06 Thread Ernie Luzar
Miroslav Lachman wrote: Kirk Coombs wrote on 2016/12/07 01:20: The following files will be added as part of updating to 10.3-RELEASE-p13: /usr/share/zoneinfo/Asia/Barnaul /usr/share/zoneinfo/Asia/Famagusta /usr/share/zoneinfo/Asia/Tomsk /usr/share/zoneinfo/Asia/Yangon

Re: Closing ports in jail with ipfw

2016-12-14 Thread Ernie Luzar
marcel wrote: Le Mon, 05 Dec 2016 08:31:19 +0800, Ernie Luzar <luzar...@gmail.com> a écrit : marcel wrote: Hi there, I've created a jail and when I do a nmap on his IP, I can see that port 25 and 22 are open but I don't want. So i've tried to create an IPFW rule by adding 'ipwf -q add

Re: Closing ports in jail with ipfw

2016-12-04 Thread Ernie Luzar
marcel wrote: Hi there, I've created a jail and when I do a nmap on his IP, I can see that port 25 and 22 are open but I don't want. So i've tried to create an IPFW rule by adding 'ipwf -q add 00290 deny all from router to jail' to my host ipfw conf file and applied it but ports jail are still

Re: Does ezjail require manual configuration?

2016-12-23 Thread Ernie Luzar
James B. Byrne via freebsd-jail wrote: I am experimenting with jails and ezjail on a FreeBSD-11.0 bhyve vm guest. I followed the instructions in the handbook to install ezjail and create a jail instance. I have connectivity issues with this jail of which I have inquired in another message.

Re: Issue with 127.0.0.1 when reconfiguring running Jail

2018-08-06 Thread Ernie Luzar
Support SimpleRezo wrote: Hi ! I'm facing an issue when I'm using "jail -m ip4.addr=..." for reconfiguring ip4.addr of a running jail: accessing or binding 127.0.0.1 is not redirected anymore by the kernel to the jail IP. Is it expected? Am I missing something there? -- Clement SimpleRezo Your

12.0 betaX with vnet.pf

2018-11-02 Thread Ernie Luzar
Hello lists: With 12.0, vimage is now included with the system base kernel and the pfctl program has been worked on so it will function in a vnet jail. While 12.0 is still in the beta releases I am trying to test this new environment. Already found a bug dealing with ipfilter running on host

Re: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf

2018-11-11 Thread Ernie Luzar
Kristof Provost wrote: On 9 Nov 2018, at 19:14, Ernie Luzar wrote: Hello lists; testing 12.0-beta3 vnet jail that is using pf firewall. net.inet.ip.forwarding =1 for the vnet jail. Host is running ipfilter firewall. The kldload pf.ko pflog.ko command has been issued

Re: 12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf

2018-11-12 Thread Ernie Luzar
Kristof Provost wrote: On 2018-11-11 12:00:49 (-0500), Ernie Luzar wrote: Kristof Provost wrote: If so, how can the jail see the vge0 interface? Through the bridge? I don't really know. Just guessing. Think of vnet jails as separate machines. There's no mechanism for pf hosts to exchange

12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf

2018-11-09 Thread Ernie Luzar
Hello lists; testing 12.0-beta3 vnet jail that is using pf firewall. net.inet.ip.forwarding =1 for the vnet jail. Host is running ipfilter firewall. The kldload pf.ko pflog.ko command has been issued. 10.0.10.30 is the ip address assigned to the vnet jail in the jail.conf. Using this nat rule

12.0-RC3 vnet jail with pf firewall/NAT not working

2018-12-06 Thread Ernie Luzar
Have gateway host (i.e. host that is connected directly to the public internet) running a vnet jail that has pf firewall running inside of it. When I start the vnet jail I see a few dhclient tasks auto start for vge0 which is the interface added as member to the bridge. I take this to mean

Re: jails which take a long time to shutdown

2019-02-06 Thread Ernie Luzar
Dan Langille wrote: Michael, Something came to mind with your recent post about exit codes. What if a jail takes minutes to shutdown? Will it be shutdown properly? I ask because I routinely have a jail which when restarted has a corrupted mongodb database. I have not tracked down the

Re: "ipfw log" messages from jail show in host syslog

2019-02-12 Thread Ernie Luzar
Rudy (bulk address) wrote: I've switched to VNET (love it) in jails. Neat, you can have ipfw running in your jail! I added some log lines to test it out and was a bit confused when /var/log/security wasn't showing the log lines. Turns out, the kernel is grabbing them and logging in the host

quotas in jails

2019-11-07 Thread Ernie Luzar
Has anyone been able to get quotas to work in multiple jails? If so please describe steps to accomplish it. If impossible to do, that is also useful information. Thank you

Re: jails with quota

2020-02-17 Thread Ernie Luzar
Valeri Galtsev wrote: On Feb 17, 2020, at 10:51 AM, Mike Wayne wrote: On Fri, Feb 14, 2020 at 01:53:11PM -0500, Ernie Luzar wrote: But after starting the fulljail with the allow.quotas option in jail.config and entering the root console I get this edquota -uh daddy message "NO q

jails with quota

2020-02-14 Thread Ernie Luzar
Looked all over and only found a small blurb in the jail(8) manpage that really says next to nothing. I created /usr/jails/fulljail by un-compressing the downloaded base.txz file and then copying the host's localtime file and resolv.conf file to the fulljail. This fulljail starts and stops without

Re: vnet Jail on a non-dedicated network interface

2020-10-14 Thread Ernie Luzar
Arsenij Solovjev wrote: On Wed, 14 Oct 2020 at 15:41, Kristof Provost wrote: On 14 Oct 2020, at 15:36, Arsenij Solovjev wrote: On Wed, 14 Oct 2020 at 14:42, Kristof Provost wrote: On 14 Oct 2020, at 14:18, Arsenij Solovjev wrote: Hi all! Does anybody know if it's possible to run a vnet

how to make a non-vnet jail local only?

2020-08-04 Thread Ernie Luzar
I have non-vnet jails working that can reach the public internet. But now I would like to make some local only non-vnet jails that can only access other local only non-vnet jails. By local meaning have no access to the public internet. How do I make this happen? Thanks for any pointers.

Re: jail(8) bug with vnet & non-vnet jails running at same time?

2020-08-02 Thread Ernie Luzar
Dan Langille wrote: On Aug 2, 2020, at 1:48 PM, Ernie Luzar wrote: Hello list; Please review configuration looking for something I may have missed. Hoping someone can suggest something that will change the behavior eliminating the problem. Equipment. Real hardware, 12.1 release, amd64

jail(8) bug with vnet & non-vnet jails running at same time?

2020-08-02 Thread Ernie Luzar
Hello list; Please review configuration looking for something I may have missed. Hoping someone can suggest something that will change the behavior eliminating the problem. Equipment. Real hardware, 12.1 release, amd64 dual cpu. Description; non-vnet jails and vnet jails using the

Re: how to make a non-vnet jail local only?

2020-08-05 Thread Ernie Luzar
Arthur Chance wrote: On 05/08/2020 02:02, Ernie Luzar wrote: I have non-vnet jails working that can reach the public internet. But now I would like to make some local only non-vnet jails that can only access other local only non-vnet jails. By local meaning have no access to the public internet

Re: FreeBSD 12.1, vnet jail, and internet access

2020-06-30 Thread Ernie Luzar
JÁKÓ András wrote: I was under the impression that the two stacks were separate? They are. But I don't think your ISP knows anything about your private subnet, so they won't send IP packets with your private destination address to you. And most probably they won't accept IP packets with your

Re: FreeBSD 12.1, vnet jail, and internet access

2020-06-28 Thread Ernie Luzar
JÁKÓ András wrote: I was under the impression that the two stacks were separate? They are. But I don't think your ISP knows anything about your private subnet, so they won't send IP packets with your private destination address to you. And most probably they won't accept IP packets with your

vnet jail for local only or public access

2020-07-17 Thread Ernie Luzar
Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host, i.e. local only vnet jails. As different to being able to access the public internet type of vnet jails. Using the bridge/epair method of connecting vnet jails

Re: vnet jail for local only or public access

2020-07-17 Thread Ernie Luzar
Alexander Leidinger wrote: Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400): Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host, i.e. local only vnet jails. As different to being able to access

Re: How to steer public traffic to a jail

2020-08-14 Thread Ernie Luzar
Carsten Bäcker wrote: Hi, you may want to have a look into reverse proxying, e.g. using nginx on your jail-host. Really basic example: |http { server { listen 80; server_name your.1st.domain.com; location / { proxy_pass http://127.0.1.2; } } server { listen 80; server_name your.2nd.domain.com;

How to steer public traffic to a jail

2020-08-14 Thread Ernie Luzar
I have 4 registered domain names, one for each jail. How do I get [ALL] public traffic to a domain name directed to the desired jail?

Re: Jails - vnet- netgraph

2021-01-26 Thread Ernie Luzar
petru garstea wrote: Greetings FreeBSD community, OS: FreeBSD sun 12.2-RELEASE-p1 FreeBSD 12.2-RELEASE-p1 GENERIC amd64 I am trying to build a netgraph vnet jail with support of official jng script that comes with FreeBSD and developed by Devin Teske. jail.conf file netgraph {

Re: [Bug 251046] bhyve PCI passthrough does not work inside jail

2021-08-25 Thread Ernie Luzar
bugzilla-nore...@freebsd.org wrote: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046 --- Comment #15 from Anatoli --- Mark, All, --- Comment #3 from Mark Johnston --- PRIV_IO access is not required only by /dev/io, it is also required for sysarch(I386_SET_IOPERM), which is otherwise

Re: iocage, vnet jail does not go outside

2021-07-24 Thread Ernie Luzar
I use qjail for my vnet jails because iocage just did not work for me.