Re: Jail starts but doesn't start
Try sh first. Bash might not be installed in jail.

--
Michael Scheidell
CTO
SECNAP Network Security
561-999-5000

-----Original message-----
From: Mickey Harvey
To: "freebsd-jail@freebsd.org"
Sent: Wed, May 4, 2011 23:24:55 GMT+00:00
Subject: Jail starts but doesn't start

Hosts /etc/rc.conf

    ifconfig_bge0="inet 192.168.224.11 netmask 255.255.255.0"
    defaultrouter="192.168.224.1"
    sshd_enable="YES"

    linux_enable="YES"
    zfs_enable="YES"
    jail_enable="YES"
    jail_list="www0 dns0 smarty0 centos"

    ifconfig_bge0_alias0="inet 192.168.224.12 netmask 255.255.255.255"
    jail_www0_rootdir="/tank/jails/www0"
    jail_www0_hostname="www0"
    jail_www0_ip="192.168.224.12"
    jail_www0_devfs_enable="YES"
    jail_www0_exec_stop="/etc/rc.shutdown"

    #JAIL READY TO USE, JUST NEEDS APPROPRIATE FSTAB ENTRIES
    #ENTRIES ARE IN LOADER.CONF
    #TRIED TO BOOT WITH REQUIRED FSTAB BUT IT BROKE SO I REVERTED
    #5/3/11 MH
    #ifconfig_bge0_alias1="inet 192.168.224.13 netmask 255.255.255.255"
    #jail_deb0_rootdir="/tank/jails/deb0"
    #jail_deb0_hostname="deb0"
    #jail_deb0_ip="192.168.224.13"
    #jail_deb0_devfs_enable="YES"
    #jail_deb0_exec_start="/etc/init.d/rc 3"
    #jail_deb0_exec_stop="/etc/init.d/rc 0"
    #jail_deb0_flags="-l -u root"

    ifconfig_bge0_alias1="inet 192.168.224.14 netmask 255.255.255.255"
    jail_dns0_rootdir="/tank/jails/dns0"
    jail_dns0_hostname="dns0"
    jail_dns0_ip="192.168.224.14"
    jail_dns0_devfs_enable="YES"
    jail_dns0_exec_stop="/etc/rc.shutdown"

    ifconfig_bge0_alias2="inet 192.168.224.15 netmask 255.255.255.255"
    jail_smarty0_rootdir="/tank/jails/smarty0"
    jail_smarty0_hostname="smarty0"
    jail_smarty0_ip="192.168.224.15"
    jail_smarty0_devfs_enable="YES"
    jail_smarty0_exec_stop="/etc/rc.shutdown"

    ifconfig_bge0_alias3="inet 192.168.224.16 netmask 255.255.255.255"
    jail_centos_rootdir="/tank/jails/centos"
    jail_centos_hostname="centos"
    jail_centos_ip="192.168.224.16"
    jail_centos_devfs_enable="YES"

Result of jls after /etc/rc.d/jail start centos (notice there's no entry for centos)

    JID  IP Address      Hostname  Path
      1  192.168.224.12  www0      /tank/jails/www0
      2  192.168.224.14  dns0      /tank/jails/dns0
      3  192.168.224.15  smarty0   /tank/jails/smarty0

No error messages when starting or stopping centos jail.
/var/run contains jail_centos.id
Alias exists on bge0.

So I tried "jexec 4 /bin/bash" figuring jls just isn't showing the centos jail for some reason but:

    jexec: jail_attach(4): Invalid argument

Anybody have any idea about what might be happening here?

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: jail rc
Use sh /bin/rc

--
Michael Scheidell
CTO
SECNAP Network Security
561-948-2259

-----Original message-----
From: Mickey Harvey
To: "freebsd-jail@freebsd.org"
Sent: Thu, Apr 21, 2011 18:30:17 GMT+00:00
Subject: jail rc

This might be more of a question about how rc works instead of being entirely jail specific but here goes:

I am trying to start a jail using the jail command such that it appears on the command line as "jail /path/to/jail hostname 192.168.1.1 /bin/rc". I am expecting it to just start the jail and run the rc scripts but I must be doing something wrong because it returns the error "jail: execvp: /bin/rc: Permission denied".
Re: loopback in jail
for amavisd-new, right?

On 11/10/10 12:16 PM, Andrei Kolu wrote:
> Hi, I have problem with binding port to localhost inside of jail (ezjail).

can only have one '127.0.0.1'. even with vnet, I am sure.

/usr/local/etc/amavisd.conf:$inet_socket_port = 10024;

should be fine. however, you also need this:

    @inet_acl = ( qw [ 0.0.0.0/0 ] );

plus a lot of things. We have a commercial hosted email security product with multiple dozens of amavisd based VPS's and it took a while to get it to work.

try the amavisd users group as well.

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008

This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
RE: How do you manage your jails?
pssh with pki keys to run multiple commands, ports in main. Make packages then pssh each to install the package

-----Original Message-----
From: Christer Solskogen
Sent: Thursday, January 28, 2010 5:05 PM
To: freebsd-jail@freebsd.org
Subject: How do you manage your jails?

So you have installed a FreeBSD server and setup several jails on your system. They run the services they need and everything works smoothly. But how do you manage all of them? What do you do if you want to run a command on all jails? Do you run cfengine/puppy?

How do you setup sendmail? Do you have sendmail on all jails? Do you share ports to all jails? How do you keep ports up to date on them? Do you have a set of scripts that you want to share?

On http://antarctica.no/stuff/UNIX/FreeBSD/jails/ you'll find what I use.

I'm preparing a talk for BLUG (the local Linux/BSD group) and I want to know how YOU manage your jails, there sure is more than one way to do it.

--
chs
Re: starting jails in the background & dependencies
On 1/5/10 5:35 AM, Remko Lodder wrote:
> My first reaction is to only allow to start in the background, but everything else needs to be serialized.

i second that 'start in parallel', stop in serial, however, even with stop in serial, if I have 64 jails, even in a fast, quad/quad core system, I find that I stop jails prior to reboot/shutdown.

even at that, for some reason, mysql doesn't always stop.

in reboot, it does take a LONG time for them to all come up.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: crontab hanging won't die on SIGTERM in jail
you the jailutils guy? thanks, good stuff. (been meaning to ask why certain options that work outside of jail don't work inside also)

thanks for finding this. really flustered. (but sigkill works also!)

Stef Walter wrote:
> Stef Walter wrote:
>> Michael Scheidell wrote:
>>> anyone having problems during an in jail shutdown with crontab hanging?
>>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>>> I don't remember problems with 6.3
>>
>> I see this same problem in certain jails. A jail that has this problem does it consistently, jails without the problem (on the same machine, same FreeBSD userland/kernel) don't have the problem consistently.
>
> Turns out (for me) the bug was in jailutils, and occurred when the jail had been restarted from inside the jail using the jkill (or appropriately configured reboot) command.
>
> I've released a new version of jailutils (1.6) that fixes this problem.
>
> Cheers,
> Stef

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: crontab hanging won't die on SIGTERM in jail
Stef Walter wrote:
> # mkdir -p /etc/rc.conf.d
> # echo "sig_stop=SIGQUIT" > /etc/rc.conf.d/cron

from lots of man pages, and old POSIX docs, they say that to 'reboot' or stop a unix system you send a SIGTERM to everything. the 'critical' systems that need to stay up during reboot/haltsys (init!, getty) or anything that needs to do cleanup are supposed to trap (and ignore SIGTERM) once the non critical systems are stopped, THEN you send the SIGQUIT.

I can't see anything critical about cron running during a reboot or haltsys. SIGQUIT should be the default for it anyway.

did you verify that this works for you? that after setting for hours /etc/rc.d/cron stop works? (I had one sitting overnight, worked.

yes, I want to know why.. I suspect it's some combination of something rc. calls (something in my /usr/local/etc/rc.d dir) but don't know why it 'hangs around'. maybe one of those rc scripts sets something bad.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
RE: crontab hanging won't die on SIGTERM in jail
Try my workaround. What could it hurt? I'm not running java but am starting a number of Perl based daemons. Some close control tty.

--
Michael Scheidell
Sent from my Windows Mobile phone

-----Original Message-----
From: Stef Walter
Sent: Thursday, August 06, 2009 9:14 PM
To: Michael Scheidell
Cc: freebsd-jail@freebsd.org
Subject: Re: crontab hanging won't die on SIGTERM in jail

Michael Scheidell wrote:
>>> anyone having problems during an in jail shutdown with crontab hanging?
>>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>>> I don't remember problems with 6.3

Oh, and I'm seeing it on 6.3-RELEASE-p12 i386 userland jails running on 7.2-RELEASE-p1 amd64 kernel. I'll try to migrate one of the offending jails to a system with the same kernel version as the jail.

That's why I didn't post about this earlier: I'm sufficiently off the beaten path, to not expect help debugging such things... :S

Cheers,
Stef
Re: crontab hanging won't die on SIGTERM in jail
Stef Walter wrote:
> Michael Scheidell wrote:
>> anyone having problems during an in jail shutdown with crontab hanging?
>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>> I don't remember problems with 6.3
>
> I see this same problem in certain jails. A jail that has this problem does it consistently, jails without the problem (on the same machine, same FreeBSD userland/kernel) don't have the problem consistently.
>
> In these cases, sending cron the TERM signal just doesn't do anything. You have to wait for at least one minute after jail startup for cron to get into this unTERMable state.

YOU ARE RIGHT! it is intermittent.

Try this (for me) on those boxes (before you try /etc/rc.d/cron restart:

    echo 'sig_stop=SIGKILL' > /etc/rc.conf.d/cron

you aren't running ezjail, are you? could there be anything in ezjail that would do this?

yes: boot someone in jail. /etc/rc.d/cron restart or killall -SIGTERM cron works.

wait (for what?). ?? controlling terminal to quit? the first cron parse? some time (I went to lunch) and guess what. SIGTERM won't stop it.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: crontab hanging won't die on SIGTERM in jail
then doing this doesn't make any sense (but fixed it)

    echo 'sig_stop=SIGTERM' > /etc/rc.conf.d/cron

or, this even fixed it:

    echo 'sig_stop=SIGTERM' >> /etc/rc.conf

the 'killall -SIGTERM cron' worked UNLESS I HAD PREVIOUSLY TRIED /etc/rc.d/cron stop.

now, with sig_stop in a conf file, it works. doesn't make sense, but works.

Something, somewhere, somebody is masking or setting sig_stop to '' as a default. I can't find it.

rc.subr seems to indicate it will set it to SIGTERM if undef:

    grep sig_stop /etc/*
    rc.subr:# kill $sig_stop $rc_pid
    rc.subr:# ($sig_stop defaults to TERM.)
    rc.subr:_doit=$(_run_rc_killcmd "${sig_stop:-TERM}")

nothing in /etc/defaults/* or /etc/rc.conf overrides it

    grep sig_stop /etc/defaults/*
    grep sig_stop /etc/rc.d/cron
    grep sig_stop /etc/rc.d/*
    /etc/rc.d/nfsd:sig_stop="USR1"

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: crontab hanging won't die on SIGTERM in jail
meant sig_stop=.

stranger yet, this works:

    echo 'sig_stop=SIGTERM' > /etc/rc.conf.d/cron

truss shows the sigterm now just fine.

Michael Scheidell wrote:
> this doesn't stop cron:
>
> /etc/rc.d/cron stop (just keeps spitting out the pid)
> killall -SIGTERM cron (doesn't work)
> killall -SIGQUIT|SIGKILL seems to work.
>
> Workaround is this:
>
> echo "sigstop=SIGQUIT" > /etc/rc.conf.d/cron
>
> works fine now. isn't needed in base, just in jail.
>
> Michael Scheidell wrote:
>> anyone having problems during an in jail shutdown with crontab hanging?
>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>> I don't remember problems with 6.3
>>
>> using jailtools (jkill -r), OR shutdown -r +0 OR reboot
>>
>> reboot: SIGTSTP init: No such process
>>
>> truss shows:
>>
>> truss -p 87553
>> (null)() = 0 (0x0)
>> gettimeofday({1249567500.835698},0x0)= 0 (0x0)
>> stat("tabs",{mode=drwx-- ,inode=10458278,size=512,blksize=4096}) = 0 (0x0)
>> stat("/etc/crontab",{mode=-rw-r--r-- ,inode=10461256,size=748,blksize=4096}) = 0 (0x0)
>> gettimeofday({1249567500.836244},0x0)= 0 (0x0)
>> fork() = 88217 (0x15899)
>> gettimeofday({1249567500.836862},0x0)= 0 (0x0)
>> nanosleep({60.0})ERR#4 'Interrupted system call'
>> SIGNAL 20 (SIGCHLD)
>> SIGNAL 20 (SIGCHLD)
>> wait4(0x,0xbfbfe99c,0x1,0x0) = 88217 (0x15899)
>> wait4(0x,0xbfbfe99c,0x1,0x0) ERR#10 'No child processes'
>> sigreturn(0xbfbfe9d0)ERR#4 'Interrupted system call'
>> gettimeofday({1249567500.842115},0x0)= 0 (0x0)
>>
>> killall -SIGTERM cron (caused NO truss activity)
>>
>> it sees a HUP:
>> killall -SIGHUP cron
>> truss:
>> SIGNAL 1 (SIGHUP)
>> (null)() ERR#4 'Interrupted system call'
>> gettimeofday({17.00},0x0)= 0 (0x0)
>> (null)() = 0 (0x0)
>>
>> SIGKILL will kill it.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
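The override lookup discussed in this thread, as an added example that is not part of the original posts: it reports which stop signal each jail would use for a service, defaulting to TERM as in the rc.subr line quoted above, and flags the `sigstop` spelling that rc.subr never reads. The lookup order (etc/rc.conf, then etc/rc.conf.d/<service>, last assignment wins) is a simplified assumption about rc.subr's config loading, and the jail roots and file contents are constructed samples.

```shell
#!/bin/sh
# Added example. Reads jail config files as text instead of sourcing them,
# so nothing stored inside a jail is executed by the host's root shell.

# has_key FILE KEY: true if FILE contains a "KEY=" assignment.
has_key() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2=" "$1"
}

# last_assignment FILE KEY: value of the last "KEY=value" line,
# with a trailing comment and surrounding quotes removed.
last_assignment() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"'][[:space:]]*$//"
}

# effective_sig_stop ROOT SERVICE: stop signal the service would get.
# Assumed order: ROOT/etc/rc.conf, then ROOT/etc/rc.conf.d/SERVICE.
# An unset or empty value falls back to TERM, like "${sig_stop:-TERM}".
effective_sig_stop() {
    ess_val=
    for ess_f in "$1/etc/rc.conf" "$1/etc/rc.conf.d/$2"; do
        if has_key "$ess_f" sig_stop; then
            ess_val=$(last_assignment "$ess_f" sig_stop)
        fi
    done
    printf '%s\n' "${ess_val:-TERM}"
}

# audit_jail ROOT SERVICE: one report line per jail, with notes for the
# ignored "sigstop" key and for KILL, which a daemon cannot catch.
audit_jail() {
    aj_sig=$(effective_sig_stop "$1" "$2")
    aj_note=
    for aj_f in "$1/etc/rc.conf" "$1/etc/rc.conf.d/$2"; do
        if has_key "$aj_f" sigstop; then
            aj_rel=${aj_f#"$1"}
            aj_note="$aj_note [ignored key 'sigstop' in $aj_rel]"
        fi
    done
    case ${aj_sig#SIG} in
        KILL) aj_note="$aj_note [KILL cannot be caught: no cleanup on stop]" ;;
    esac
    printf '%s %s sig_stop=%s%s\n' "$(basename "$1")" "$2" "$aj_sig" "$aj_note"
}

# make_sample_roots DIR: constructed jail roots, not taken from a real host.
make_sample_roots() {
    for msr_j in www0 dns0 smarty0 mail0; do
        mkdir -p "$1/$msr_j/etc/rc.conf.d"
    done
    echo 'sigstop=SIGQUIT'    > "$1/www0/etc/rc.conf.d/cron"     # misspelled key
    echo 'sig_stop="SIGQUIT"' > "$1/dns0/etc/rc.conf.d/cron"     # correct key
    echo 'sig_stop=SIGKILL'   > "$1/smarty0/etc/rc.conf"         # global setting
    echo 'sig_stop=SIGTERM'   > "$1/smarty0/etc/rc.conf.d/cron"  # per-service wins
    echo 'sig_stop=SIGKILL'   > "$1/mail0/etc/rc.conf.d/cron"
}

demo() {
    d_tmp=$(mktemp -d) || return 1
    make_sample_roots "$d_tmp"
    for d_root in "$d_tmp"/*; do
        audit_jail "$d_root" cron
    done
    rm -rf "$d_tmp"
}

demo
```

On a real host, call `audit_jail` with each jail's root directory and the service name instead of running `demo`.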
Re: crontab hanging won't die on SIGTERM in jail
this doesn't stop cron:

    /etc/rc.d/cron stop (just keeps spitting out the pid)
    killall -SIGTERM cron (doesn't work)
    killall -SIGQUIT|SIGKILL seems to work.

Workaround is this:

    echo "sigstop=SIGQUIT" > /etc/rc.conf.d/cron

works fine now. isn't needed in base, just in jail.

Michael Scheidell wrote:
> anyone having problems during an in jail shutdown with crontab hanging?
> I have seen this in 6.4 and 7.1, on i386 and amd64.
> I don't remember problems with 6.3
>
> using jailtools (jkill -r), OR shutdown -r +0 OR reboot
>
> reboot: SIGTSTP init: No such process
>
> truss shows:
>
> truss -p 87553
> (null)() = 0 (0x0)
> gettimeofday({1249567500.835698},0x0)= 0 (0x0)
> stat("tabs",{mode=drwx-- ,inode=10458278,size=512,blksize=4096}) = 0 (0x0)
> stat("/etc/crontab",{mode=-rw-r--r-- ,inode=10461256,size=748,blksize=4096}) = 0 (0x0)
> gettimeofday({1249567500.836244},0x0)= 0 (0x0)
> fork() = 88217 (0x15899)
> gettimeofday({1249567500.836862},0x0)= 0 (0x0)
> nanosleep({60.0})ERR#4 'Interrupted system call'
> SIGNAL 20 (SIGCHLD)
> SIGNAL 20 (SIGCHLD)
> wait4(0x,0xbfbfe99c,0x1,0x0) = 88217 (0x15899)
> wait4(0x,0xbfbfe99c,0x1,0x0) ERR#10 'No child processes'
> sigreturn(0xbfbfe9d0)ERR#4 'Interrupted system call'
> gettimeofday({1249567500.842115},0x0)= 0 (0x0)
>
> killall -SIGTERM cron (caused NO truss activity)
>
> it sees a HUP:
> killall -SIGHUP cron
> truss:
> SIGNAL 1 (SIGHUP)
> (null)() ERR#4 'Interrupted system call'
> gettimeofday({17.00},0x0)= 0 (0x0)
> (null)() = 0 (0x0)
>
> SIGKILL will kill it.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
crontab hanging won't die on SIGTERM in jail
anyone having problems during an in jail shutdown with crontab hanging?
I have seen this in 6.4 and 7.1, on i386 and amd64.
I don't remember problems with 6.3

using jailtools (jkill -r), OR shutdown -r +0 OR reboot

    reboot: SIGTSTP init: No such process

truss shows:

    truss -p 87553
    (null)() = 0 (0x0)
    gettimeofday({1249567500.835698},0x0)= 0 (0x0)
    stat("tabs",{mode=drwx-- ,inode=10458278,size=512,blksize=4096}) = 0 (0x0)
    stat("/etc/crontab",{mode=-rw-r--r-- ,inode=10461256,size=748,blksize=4096}) = 0 (0x0)
    gettimeofday({1249567500.836244},0x0)= 0 (0x0)
    fork() = 88217 (0x15899)
    gettimeofday({1249567500.836862},0x0)= 0 (0x0)
    nanosleep({60.0})ERR#4 'Interrupted system call'
    SIGNAL 20 (SIGCHLD)
    SIGNAL 20 (SIGCHLD)
    wait4(0x,0xbfbfe99c,0x1,0x0) = 88217 (0x15899)
    wait4(0x,0xbfbfe99c,0x1,0x0) ERR#10 'No child processes'
    sigreturn(0xbfbfe9d0)ERR#4 'Interrupted system call'
    gettimeofday({1249567500.842115},0x0)= 0 (0x0)

killall -SIGTERM cron (caused NO truss activity)

it sees a HUP:

    killall -SIGHUP cron
    truss:
    SIGNAL 1 (SIGHUP)
    (null)() ERR#4 'Interrupted system call'
    gettimeofday({17.00},0x0)= 0 (0x0)
    (null)() = 0 (0x0)

SIGKILL will kill it.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: ssl accelerator cards and jail?
Brian A. Seklecki wrote:
> On Wed, 2009-07-08 at 16:45 -0400, Michael Scheidell wrote:
>> has anyone done any work with hardware ssl accelerator cards and freebsd?
>
> I'm pretty sure. Because it is all one kernel, the userland->kernel sysctls just fall through to the host.
>
> I've been meaning to try the VMWare ESXi 4.0 PCI card passthrough feature. Let me pass my Sun Crypto 1000 (BCM5921/23) through to a Jailhost FreeBSD 7.2, then try it within a jail.
>
> Should be quite a head trip.

thanks. maybe I'll look into one of those and give it a try on 7.1 (worries me that 7.2 has a shorter lifespan than 7.1...)

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
ssl accelerator cards and jail?
has anyone done any work with hardware ssl accelerator cards and freebsd?

specifically, freebsd 7.1 amd64?

and, is it transparent in 'jail' so all jailed servers can use the one card?

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
tracking down problem: kill won't inside a jail
I am tracking down a problem, inside a 7.1 amd64 jail, kill won't work (default -TERM)
kill -QUIT does.

outside of jail, TERM works fine on same box, and I have verified that same binaries and libraries are in use (i think)

newly created 7.1 amd64 jails (used ezjail.. don't know if they have any issues)

/etc/rc.d/cron stop won't (that is just the symptoms I have been able to track down). hardly anything will stop with TERM.

by default, rc.subr (and kill) uses SIGTERM, so I do a:
/etc/rc.d/cron stop and I get (60 seconds of this:

    /etc/rc.d/cron stop
    Stopping cron.
    Waiting for PIDS: 98104, 98104, 98104, 98104

(so, of course, if you reboot the system, and have 15 jails, all with cron, none of them stop, and it times out)

going to another tty and typing:

    kill 98104 doesn't help
    kill -TERM 98104 doesn't help

state is:

    ps -auxwwp 98104
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 98104 0.0 0.0 6692 1228 ?? SsJ 5:20PM 0:00.01 /usr/sbin/cron -s

    ps -auxwwp 98104
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 98104 0.0 0.0 6692 1228 ?? IsJ 5:20PM 0:00.01 /usr/sbin/cron -s

kill -QUIT 98104 does! (so does INT, again, inside jail, I need SIGQUIT, or INT

outside, default TERM works

also, /etc/rc.d/cron start && sleep 2 && /etc/rc.d/cron stop seems to work but sleep 60 seconds or more and it doesn't stop anymore.

outside jail, cron ps looks like this:

    ps -auxwwp 98197
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 98197 0.0 0.0 6692 1116 ?? Is 5:21PM 0:00.01 /usr/sbin/cron -s

inside: (I guess the J means in jail?

    root 98104 0.0 0.0 6692 1228 ?? SsJ 5:20PM 0:00.01 /usr/sbin/cron -s

    ps -auxwwp 98104
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    root 98104 0.0 0.0 6692 1228 ?? IsJ 5:20PM 0:00.01 /usr/sbin/cron -s

where do I start looking? I'd hate to put hundreds of /etc/rc.conf.d files with sigstop=SIGQUIT in just to workaround it.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: Memory usage across multiple jails
Tom Haapanen wrote:
> I have been using FreeBSD (and other forms of *BSD) a long time, but I'm new to the world of jails. I have been doing reading on them, but there is one question I have not been able to find an answer to, and that's the efficiency of memory usage when using multiple jails on a single system.
>
> With "conventional" virtual machines (VMware, Virtual Server et al), essentially each VM is opaque to the host OS, and thus has to be allocated X MB of memory, which that VM then manages internally.

I've been experimenting with some of this

disk cache (malloc, etc) is shared.

if httpd is different in each jail (even if it's the same), then

example:
jail 1 has 4 httpd's running, one copy (of binary) will be in memory, 4 copies of data structure
jail 2 has 10 httpd's running, it's got one (more) copy of binary, and 10 copies of data structure.

HOWEVER if you nullmount /usr/local/bin ../sbin .../libexec ../lib then you CAN share the one httpd binary.

other issue is static libs. in /usr/lib these aren't likely shared, as when you build the jail, you made COPIES of /usr/lib

so, nullfs mount /usr/lib /usr/bin /usr/sbin /sbin, /usr/libexec, maybe you can get the most out of it.

(but, 6 freebsd jails use a heck of a lot ram than 6 vmware images)

> However, since jails are based on the FreeBSD kernel, and both host and guest OSs are identical, I am wondering whether there are any comparative efficiencies in memory utilization. Will the jails share the disk cache, for example, or does each jail allocate its own? Will other kernel structures (and code!) be shared across jails, or allocated multiple times? And what about userland applications, like httpd, for example? (I suspect userland would not be able to benefit, but that's just a guess.)
>
> Thanks for any insight into this ...
>
> Tom

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
Re: anyone using ssl accellorator cards in jail?
Brian A. Seklecki wrote:
> On Tue, 2009-03-31 at 07:38 -0700, Michael Scheidell wrote:
>> trying to speed things up.
>
> I suspect that syscalls that support acceleration will simply fall right through the jail into the host kernel.
>
> I'll be testing that some time next week -- so I'll let you know.
>
> I don't think file handle access to /dev/crypto is required for Engine support. Again, I'll let you know
>
> ~BAS

thanks Brian. wonder if you need one card per virtual ip?

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
anyone using ssl accellorator cards in jail?
would I need a card for each jail? each IP?

What os? FBSD 6.4 or 7.1?

what are your experiences?

what about Self signed certs and those cards?

having 'issues' I suspect with 30 ish https hosts on one jail, with multiple readers.

trying to speed things up.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
RE: BIND in jail problem
172.16.101.3 is what you should be listening on and use in resolv.conf.

-Original Message-
From: Anders Hagman
Sent: Saturday, February 14, 2009 5:03 PM
To: freebsd-jail@freebsd.org
Subject: BIND in jail problem

Hi

I'm trying to use BIND inside a jail and have passed the chroot problem and have a running named without chroot. The problem is that the jail does not have the address 127.0.0.1 or does not use the info in resolv.conf.

When I use the host command I get:

[r...@ippbx1 ~]# host ippbx1
;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 127.0.0.1

tcpdump:
21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)
21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24

As you can see the destination address is 172.16.101.3 despite the name server address in resolv.conf. The host command does not add the domain as it should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se". The host command expects to get an answer from 127.0.0.1.

Changing the nameserver address in resolv.conf to 172.16.101.3 does not change anything. Using the FQDN does not help because it's still the wrong expected address. The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.

Using ping gives a different picture:

[r...@ippbx1 ~]# ping ippbx1
ping: cannot resolve ippbx1: Host name lookup failure

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 172.16.101.3

tcpdump:
21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36

ping does add the domain to the query but does not read the address from resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0 machine and does not run BIND.

uname -a
FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0

named -v
BIND 9.4.2-P2

named.conf:
zone "kalmar.se" {
    type master;
    file "master/kalmar";
};
zone "101.16.172.in-addr.arpa" {
    type master;
    file "master/kalmar.rev";
};

zone file kalmar:
$TTL 3h
@ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
    ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN NS ippbx1.kalmar.se.
ippbx1  IN A  172.16.101.3

zone file kalmar.rev:
$TTL 3h
@ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
    ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN NS  ippbx1.kalmar.se.
3       IN PTR ippbx1.kalmar.se.

Why do I want to run BIND inside a jail? Well, I'm building an IP-PBX lab and want to run six autonomous jails with DNS, DHCP, NTP and asterisk inside. DHCP and Asterisk work but DNS is vital for the lab.

BR
Anders H
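The reply's advice expressed as a check, as an added example that is not part of the original posts: it inspects the resolv.conf under a jail's root and flags nameserver entries the jail cannot use because, as the poster notes, the jail has no 127.0.0.1 of its own. The function name `check_jail_resolv` and the temporary sample root are assumptions made for illustration; the address and domain are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. check_jail_resolv is a hypothetical
# helper; the address and domain are the ones quoted in the post.

# Usage: check_jail_resolv JAIL_ROOT JAIL_IP
# Returns 0 when every nameserver entry is usable from inside the jail.
check_jail_resolv() {
    conf="$1/etc/resolv.conf"
    jail_ip=$2
    if [ ! -r "$conf" ]; then
        # Without the file the resolver only queries the local machine.
        echo "missing: $conf (resolver falls back to loopback)"
        return 1
    fi
    bad=0
    seen=0
    # The second test keeps a final line that lacks a trailing newline.
    while read -r key value rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        seen=$((seen + 1))
        case $value in
            127.*|::1)
                echo "loopback nameserver $value: use $jail_ip"
                bad=$((bad + 1)) ;;
            "$jail_ip")
                echo "nameserver $value is the jail's own address" ;;
            *)
                echo "nameserver $value is outside the jail" ;;
        esac
    done < "$conf"
    if [ "$seen" -eq 0 ]; then
        echo "no nameserver line (resolver falls back to loopback)"
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample: a jail root holding the resolv.conf from the post.
sample_root=$(mktemp -d)
mkdir -p "$sample_root/etc"
cat > "$sample_root/etc/resolv.conf" <<'EOF'
domain kalmar.se
search kalmar.se
nameserver 127.0.0.1
EOF
check_jail_resolv "$sample_root" 172.16.101.3 || echo "fix resolv.conf"
```

The missing-file branch matters here: a resolver that cannot find its resolv.conf queries only the local machine, so the path checked must be the one inside the jail's root, not the host's /etc.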
Re: Problem with ezjail: Manually restarted jails don't come up again
I installed the jail utilities (forgot which ones), which have a 'jkill' utility.
I then added a /etc/rc.conf.d/ezjail with a pre-stop() command that calls a jkill.

then all works fine.

Frank Steinborn wrote:

Hi folks,

I have a strange problem on my 7.1-RELEASE with ezjail here. I have 5 jails configured with ezjail, and they run flawlessly - they come up on boot without problems. However, if I stop a jail (via /usr/local/etc/rc.d/ezjail.sh stop ) and then want to restart it via the rc-script, it stalls here:

# /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
Configuring jails:.
Starting jails:

If I check with jls and 'pgrep -lfj ', I see that there are processes inside the hanging jail running, including /etc/rc. I guess the jails are hanging somewhere in the boot process, and I guess it's /etc/rc. I even doubt that this is an ezjail-only problem, but this is just a guess.

Any hints?

Thanks,
Frank

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Nagios & Jail
Andy Greenwood wrote:

Albert Shih wrote:

Hi all. I'm trying to install a nagios server in a jail. I've a problem with check_ping.

only thing I see on mine is I have ipv6 disabled: (also, with_fping, with_netsnmp, with_mysql) all others disabled.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: listserver problems?
Nikola Lečić wrote:

Three objections to your DKIM signature:

Thanks! the value of the great freebsd community! Been doing this since '83, and you will never find a more informed, more willing to help group out there anywhere.

Thanks Nikola

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Nagios & Jail
What plugin versions are you running? I'm running latest also.

pkg_info | grep nagios

Albert Shih wrote:

On 18/12/2008 at 05:46:18-0500, Michael Scheidell wrote:

Try nagios 3.03. I think they will do the trick.

I'm using nagios 3.06 ... and it's not working.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
listserver problems?
might be generic listserver issues, but I noticed that at least on freebsd-jail list, it does NOT strip out dkim/domainkeys signatures.

that might not be too bad, but it does 'mung' the headers, so dkim signed email passed through freebsd mailing list server comes back as a forged signature.

whoever is working on the listservers can contact me for assistance on it. maybe just a postfix header IGNORE rule would strip it back out.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Nagios & Jail
Works here (tm). double-check these sysctls:

security.jail.socket_unixiproute_only: 1
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 1

Albert Shih wrote:

On 18/12/2008 at 05:46:18-0500, Michael Scheidell wrote:

Try nagios 3.03. I think they will do the trick.

I'm using nagios 3.06 ... and it's not working.

Thanks for your answer.

Regards.

JAS

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Nagios & Jail
Try nagios 3.03. I think they will do the trick.

Bjoern A. Zeeb wrote:

On Wed, 17 Dec 2008, Albert Shih wrote:

Hi, I'm trying to install a nagios server in a jail.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Nagios & Jail
hmm we have it working, let me see how.

Albert Shih wrote:

Hi all. I'm trying to install a nagios server in a jail.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: Performance and advice questions.
I would think NFS performance depends on your applications. many don't like the NFS locking, so, look into generic NFS performance for each application.

(I don't think I would run postfix on an NFS partition, I would not run most sql servers ../db files on NFS partition. I would not want ANY 'tmp' files on NFS.)

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: tun/gif interfaces inside jail.
Jille Timmermans wrote:

No. You must run OpenVPN outside of your jail

Peter Ankerstål wrote:

I have read RUMORS that you can have the jailed systems route through and access the jail which is outside the jail, but so far, have not seen any real 'cookbook' on how to do it.

I tried it a couple of times and gave up. I wanted to get it to work, but with all the partial hints about routing, natd, pf rules with no real solution, I gave up and bought a $500 sonicwall firewall.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation