Re: Auto-jailing of services - 2nd implementation

2022-05-16 Thread Alexander Leidinger
Quoting FreeBSD User (from Sun, 15 May 2022 12:49:06 +0200): On Sun, 03 Apr 2022 21:48:42 +0200 Alexander Leidinger wrote: Hi, attached is a new implementation of service jails (auto-jailing of services). This one now supports rc command prefixes (e.g. onestart) and I tested it in nested

Auto-jailing of services - 2nd implementation

2022-04-03 Thread Alexander Leidinger
Hi, attached is a new implementation of service jails (auto-jailing of services). This one now supports rc command prefixes (e.g. onestart) and I tested it in nested jails. The benefit of auto-jailing services is that you can apply some restrictions to services (and what other processes

Re: injecting vars into rc-service-scripts at jail-start?

2022-04-01 Thread Alexander Leidinger
Quoting Jens Schweikhardt (from Fri, 1 Apr 2022 14:26:27 +0200 (CEST)): Identifier confusion? You use _rc_svcs and _rc_svcj in your description. Typo s/svcs/svcj/ in the explanation. The diff/code has the vars correct (svcj) and the conditional and the setting are close to each

injecting vars into rc-service-scripts at jail-start?

2022-04-01 Thread Alexander Leidinger
Hi, I'm overlooking something fundamental it seems... Context: I'm working on my auto-jailing of services idea: if the auto-jail is enabled, a service like syslog is started inside a jail (which inherits the FS and depending on some settings also inherits network and other stuff or not).

FYI: OCI-compatible runtime for FreeBSD jails

2021-03-18 Thread Alexander Leidinger via freebsd-jail
Hi, it seems someone is working on an OCI-compatible runtime for jails: https://github.com/samuelkarp/runj I stumbled over this and thought maybe someone here is interested enough to help the author... Bye, Alexander. -- http://www.Leidinger.net alexan...@leidinger.net: PGP

Re: /etc/jail.d (or jail.conf.d)

2020-12-10 Thread Alexander Leidinger via freebsd-jail
Quoting Kyle Evans (from Thu, 10 Dec 2020 12:44:27 -0600): Currently it adds an /etc/jail.d, but the point was raised that we have a mixture of these with different naming conventions and that /etc/jail.conf.d may be better -- I'm inclined to agree since I would prefer jail.conf.d. Also,

Re: vnet jail for local only or public access

2020-07-20 Thread Alexander Leidinger via freebsd-jail
Quoting Ernie Luzar (from Fri, 17 Jul 2020 16:31:53 -0400): Alexander Leidinger wrote: Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400): Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host IE

Re: vnet jail for local only or public access

2020-07-17 Thread Alexander Leidinger via freebsd-jail
Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400): Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host IE: local only vnet jails. As different to being able to access the public internet type of

Re: FreeBSD 12.1, vnet jail, and internet access

2020-07-01 Thread Alexander Leidinger via freebsd-jail
Quoting Dan Langille (from Tue, 30 Jun 2020 21:02:24 -0400): On Tue, Jun 30, 2020, at 8:30 PM, Ernie Luzar wrote: I think I have determined what you're talking about. All the vnet literature talks about a vnet jail having its own separate ip stack. I interpreted this to mean that the vnet

Re: Running GUI applications in jails

2020-06-09 Thread Alexander Leidinger via freebsd-jail
Quoting squiggly foo (from Mon, 08 Jun 2020 21:35:23 -0500): Hi Alexander, You seem to have a lot of experience with X11 so I'm happy to hear your advice. To answer your first question about where the graphical output needs to happen: I am not sure I am understanding your question,

Re: Running GUI applications in jails

2020-06-06 Thread Alexander Leidinger via freebsd-jail
Quoting squiggly foo (from Fri, 05 Jun 2020 15:10:05 -0500): Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again. Hi All, I'm using FreeBSD as a workstation trying to keep everything as lightweight and segregated as possible. So I am running GUI

panic on epair destroy in current as of r349853, jail related

2019-07-09 Thread Alexander Leidinger via freebsd-jail
Hi, I updated from r347365 to r349853. Now I get a panic on epair destroy (one end needs to be in a jail, and inside the jail an IP address needs to be assigned to the epair. If no ifconfig is used inside the jail, there is no panic. Another user reported something similar (but for him

Re: Proposal: automatic jailing of services (rc.d/*) [patch]

2019-02-25 Thread Alexander Leidinger via freebsd-jail
http://www.leidinger.net/FreeBSD/current-patches/rc_svc_jails.diff -- Send from a mobile device, please forgive brevity and misspellings. Am 24. Februar 2019 9:48:19 nachm. schrieb Miroslav Lachman <000.f...@quip.cz>: Alexander Leidinger via freebsd-jail wrote on 2019/02/24

Proposal: automatic jailing of services (rc.d/*) [patch]

2019-02-24 Thread Alexander Leidinger via freebsd-jail
Hi, Thanks to MWL for his upcoming jail book, it inspired me to come up with this. Note, I'm not subscribed to freebsd-rc, please keep at least jail@ in copy (I'm subscribed there). I propose to extend the rc system to automatically jail services in a light sense (off by default, can be

Re: enforce_statfs showing leading path

2019-01-09 Thread Alexander Leidinger via freebsd-jail
Hi. You see the dataset name of zfs without stripping. The mount point is correctly stripped. I don't remember how this looks on ufs. With jailed datasets we would need more than just some code to remove parts of the name. So it's a doc bug (clarity about mount points and dataset names) and

Re: does anyone use these any more?

2018-09-14 Thread Alexander Leidinger
Quoting Oleg Ginzburg (from Thu, 13 Sep 2018 18:45:51 +0300): With persist mode, CBSD created jail in follow scenario: 1) jail -c (create jail) in persist mode ( with empty exec.start script ) 2) exec inside jail something (zfs attach, /sbin/ifconfig ... ), what you need to do before
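The two patterns described on this page, a service started inside a jail that inherits the host's file system and network (the auto-jailing thread above) and a jail created in persist mode first and populated afterwards with exec (the CBSD scenario quoted here), can both be expressed in a plain jail.conf(5) stanza. The following is an added example written for this page; it is not code from the patches or from CBSD. The jail name `svcj_syslogd`, the choice of syslogd as the service and the console log path are assumptions made for illustration.

```conf
# Added example, not from the list posts: a "service jail" stanza for
# /etc/jail.conf.  The jail shares the host's root file system and network
# stack, so the only isolation is what jail(2) itself enforces (no mounts,
# no kernel module loads, no writes to most sysctls, restricted devfs and
# process visibility).  That is the "light sense" of jailing discussed on
# this page, not a separately installed jail root.
svcj_syslogd {
	host.hostname = "${name}.localhost";   # hostname visible inside the jail

	path = "/";            # inherit the host file system: no separate root
	mount.devfs = 0;       # path=/ already carries the host devfs; do not
	                       # stack a second devfs on top of it

	ip4 = inherit;         # share the host's IPv4 stack (no address list,
	ip6 = inherit;         # no vnet); the service binds exactly as on the host

	# persist keeps the jail alive with zero processes in it.  That is what
	# the CBSD scenario relies on: create the jail first (possibly with an
	# empty exec.start), then run setup via jexec(8), then start the daemon.
	persist;

	# rc command prefixes (onestart/onestop) work here because the rc.d
	# script runs inside the jail on the shared file system; the
	# ${name}_enable knob in the host rc.conf is not consulted.
	exec.start = "/usr/sbin/service syslogd onestart";
	exec.stop  = "/usr/sbin/service syslogd onestop";

	# Output of exec.* commands, for debugging a service that fails to start.
	exec.consolelog = "/var/log/jail_${name}_console.log";
}
```

Usage on the host: `jail -c svcj_syslogd` creates the jail and runs exec.start; `jls -j svcj_syslogd` and `jexec svcj_syslogd ps -ax` show what is running inside; `jail -r svcj_syslogd` runs exec.stop and removes it. Because the root and /dev are shared, anything the service can write to on the host it can still write to from inside the jail; the restrictions this buys are the jail(2) ones (no mount, no sysctl writes, no raw sockets unless allow.raw_sockets is set), so check `sysctl security.jail` and the allow.* options in jail(8) before relying on it for a given daemon.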

Re: IP address assignments to jails using ezjail

2016-12-24 Thread Alexander Leidinger
Quoting "James B. Byrne via freebsd-jail" (from Fri, 23 Dec 2016 09:33:17 -0500): I am experimenting with jails on a bhyve vm guest running FBSD-11.0 using ezjail. I am having a problem with network connections to the outside from within the jail. I have sshd

Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-19 Thread Alexander Leidinger
Quoting Miroslav Lachman <000.f...@quip.cz> (from Mon, 19 Dec 2016 18:57:39 +0100): Alexander Leidinger wrote on 2016/12/19 17:56: Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016 13:20:31 +0100): Alexander Leidinger wrote on 2016/12/17 19:59: Quoting SK &

Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-19 Thread Alexander Leidinger
Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016 13:20:31 +0100): Alexander Leidinger wrote on 2016/12/17 19:59: Quoting SK <fbsta...@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +): If I understand you correctly, what you are suggesting is, the

Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

2016-12-17 Thread Alexander Leidinger
Quoting SK <fbsta...@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +): On 16/12/2016 13:15, Alexander Leidinger wrote: For one of the filesystems I have set "zfs allow" permissions, but just that a specific user in the jail can do something on those FS without th

Re: timerfd in FreeBSD jail?

2016-09-07 Thread Alexander Leidinger
Quoting "Martin \"eto\" Misuth" (from Tue, 6 Sep 2016 16:07:31 +0200): On Tue, 6 Sep 2016 13:19:13 + Grzegorz Junka wrote: How would I know that this is not implemented in the linux emulation layer rather than disabled on the host? I would be

Re: ezjail and UPDATING20131010

2013-10-11 Thread Alexander Leidinger
On Fri, 11 Oct 2013 15:42:11 -0500 Mark Felder f...@freebsd.org wrote: On Fri, Oct 11, 2013, at 14:30, Dirk Engling wrote: On 11.10.13 21:27, wishmaster wrote: Yeah!? But do you think updating python in each jail this is the right solution? Freebsd-update in each jail?? What about

Re: Exposing a hierarchy of ZFS datasets inside multiple jails

2011-06-18 Thread Alexander Leidinger
On Fri, 17 Jun 2011 14:46:59 -0400 Lars Kellogg-Stedman l...@seas.harvard.edu wrote: Hello all, Hi there, I am trying to expose a hierarchy of home directories to a number of FreeBSD jails. The home directories are configured such that each is a unique ZFS dataset. The jails are used for

Re: Fwd: X11 in a jail (was: Re: NFS mount inside jail fails)

2011-05-27 Thread Alexander Leidinger
Quoting Alexander Leidinger alexan...@leidinger.net (from Fri, 27 May 2011 09:43:08 +0200): Quoting Doug Ambrisko ambri...@ambrisko.com (from Thu, 26 May 2011 10:36:24 -0700 (PDT)): Alexander Leidinger writes: | Just to make sure we talk about the same things: | Did you configure the X

Re: Thoughts on jail.config

2010-06-29 Thread Alexander Leidinger
Quoting James O'Gorman ja...@netinertia.co.uk (from Mon, 28 Jun 2010 23:40:21 +0100): On 28 Jun 2010, at 16:38, Jamie Gritton wrote: On 06/28/10 08:41, Rodrigo Mosconi wrote: An idea: if it works like a jaild? A daemon management the start-up, shutdown, console redirection? All the

RE: Strange things happening with jails?? Not starting up on boot or services not running inside!

2010-06-04 Thread Alexander Leidinger
Quoting Andrew Hotlab andrew.hot...@hotmail.com (from Thu, 3 Jun 2010 22:04:44 +): I've never had to make Squid listening on port 80, but referring its startup script in /usr/local/etc/rc.d/: # squid_user: The user id that should be used to run the Squid master #

Re: starting jails in the background dependencies

2010-03-05 Thread Alexander Leidinger
On Tue, 5 Jan 2010 11:24:47 +0100 Alexander Leidinger alexan...@leidinger.net wrote: On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good, to I just realized yesterday that it also stops

Re: linux-only jail possible?

2010-03-04 Thread Alexander Leidinger
On Wed, 3 Mar 2010 19:06:36 +0100 Roman Divacky rdiva...@freebsd.org wrote: On Wed, Mar 03, 2010 at 11:59:49AM -0500, John Nielsen wrote: On Wednesday 03 March 2010 03:00:50 Roman Divacky wrote: I successfully ran chroot of linux environment on freebsd back in 2007/2008. I firmly believe

Re: Importing jails from 7.0, 7.2 to 8.0.

2010-02-09 Thread Alexander Leidinger
On Mon, 8 Feb 2010 11:29:41 -0800 Jose Amengual M jose.ameng...@gmail.com wrote: My question is : Do I need to reinstall portupgrade and reinstall all ports ? Did I do the proper export and import process ? The jails were running on 7.0 and the basejail dir was from 7.0, now is from

Re: starting jails in the background dependencies

2010-01-14 Thread Alexander Leidinger
Quoting Remko Lodder re...@freebsd.org (from Tue, 5 Jan 2010 11:35:48 +0100): On Tue, January 5, 2010 11:24 am, Alexander Leidinger wrote: On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good

Re: starting jails in the background dependencies

2010-01-14 Thread Alexander Leidinger
Quoting Miroslav Lachman 000.f...@quip.cz (from Tue, 05 Jan 2010 11:45:34 +0100): Alexander Leidinger wrote: On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good, to I just realized

Re: starting jails in the background dependencies

2010-01-05 Thread Alexander Leidinger
On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good, to I just realized yesterday that it also stops in parallel (in the background). This is bad. It may be the case that a jail is not fully

starting jails in the background dependencies

2009-12-06 Thread Alexander Leidinger
Hi, now that jails are started in the background (which is good, to prevent that a broken jail causes a good jail not to start), I have the problem how to express dependencies. Scenario: - several jails on the same machine (via ezjail) - one jail depends on the services of another jail,

Re: xorg in jail

2009-10-11 Thread Alexander Leidinger
and when it aborted you can have a look with kdump|less what it tries to do. Bye, Alexander. Thank you, regards On Oct 9, 2009, at 10:45 AM, Alexander Leidinger wrote: Quoting hulibyaka hulibyaka huliby...@gmail.com (from Thu, 8 Oct 2009 22:01:23 +0400): What the difference

Re: xorg in jail

2009-10-09 Thread Alexander Leidinger
Quoting hulibyaka hulibyaka huliby...@gmail.com (from Thu, 8 Oct 2009 22:01:23 +0400): What the difference for restriction on /dev/io between chroot and jail? How can i get all needed by xinit privileges on /dev/io within jail ? There are additional access restrictions in the kernel when

Re: Best practice to update jails

2009-08-22 Thread Alexander Leidinger
On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual jose.ameng...@gmail.com wrote: The server is now 7.0 and was wondering what is the best practice to maintain security patches and kernel updates and I came out with the following idea : 1.- freebsd-update fetch install ( host system) 2.-

Re: Multicast in jail?

2009-07-07 Thread Alexander Leidinger
Quoting Bill Marquette bill.marque...@ucsecurity.com (from Mon, 6 Jul 2009 20:14:02 -0500 (CDT)): I'm trying to run Avahi in a jail, much the same as Alexander Leidinger in this email from late last year http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00587.html. I couldn't find

Re: Multicast in jail?

2009-07-07 Thread Alexander Leidinger
Quoting Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net (from Tue, 7 Jul 2009 11:08:46 + (UTC)): Alternatively I wouldn't wonder if enabling raw sockets would give Didn't work for me. what you want or you'll wait for virtualization to be ready. As _I_ don't need it on -stable: it's

Re: Switching /etc/rc.d/jail to new syntax (+ new features)

2009-06-27 Thread Alexander Leidinger
On Sat, 27 Jun 2009 10:47:47 + (UTC) Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote: On Sat, 27 Jun 2009, Alexander Leidinger wrote: at http://www.leidinger.net/FreeBSD/current-patches/jail.diff I have a patch to switch the jail rc script to the new jail (8-current) syntax

Re: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD

2008-12-01 Thread Alexander Leidinger
Quoting Bjoern A. Zeeb [EMAIL PROTECTED] (from Mon, 1 Dec 2008 09:41:46 + (UTC)): Hi, as you may have already noticed multi-IPv4/v6/no-IP jails have hit HEAD. See commit message attached. Will this introduce changes how multicast is handled in jails, or is it the same behavior as

Re: Compilation question 64bit, 32 bit

2008-10-17 Thread Alexander Leidinger
Quoting Miroslav Lachman [EMAIL PROTECTED] (from Fri, 17 Oct 2008 11:48:03 +0200): Alexander Leidinger wrote: Quoting Jose Amengual [EMAIL PROTECTED] (from Thu, 16 Oct 2008 08:43:15 -0300): Hi Guys. The other day I installed a server with jails with FreeBSD 7 32 bit in a 64 bit

Re: samba inside jails [was: jail/broadcast IP [was: ...]]

2008-10-03 Thread Alexander Leidinger
Quoting Bjoern A. Zeeb [EMAIL PROTECTED] (from Fri, 3 Oct 2008 08:21:53 + (UTC)): 3) In samba it used to be the interfaces = config option that you would set to the (primary) IP of your jail. With the above you should be able to address the samba server inside the jail and

Re: Migration of Jail from one host to another?

2008-10-01 Thread Alexander Leidinger
Quoting Scott Lambert [EMAIL PROTECTED] (from Wed, 2 Jul 2008 15:22:35 -0500): I'm probably doing this completely wrong. I setup a couple of jails using simple image files because I thought that would make migration to another server more straightforward. I am now trying to migrate my first

Re: is nfs mount inside jail possible?

2008-06-26 Thread Alexander Leidinger
Quoting Robert Watson [EMAIL PROTECTED] (from Wed, 25 Jun 2008 17:53:36 +0100 (BST)): I don't know of any specific vulnerabilities that will open up, and I don't have time to read the source code to find them now, but I do promise you that if you allow arbitrary mounting of file systems in

Re: is nfs mount inside jail possible?

2008-06-25 Thread Alexander Leidinger
Quoting Robert Watson [EMAIL PROTECTED] (from Wed, 25 Jun 2008 16:57:17 +0100 (BST)): On Wed, 25 Jun 2008, Alexander Leidinger wrote: Oh: I haven't checked if this actually works. I don't know if all places DTRT then. Normally it should work, but you better test if it really puts the FS

Re: Signal 11 messages showing in all jails?

2008-05-19 Thread Alexander Leidinger
Quoting Scott Lambert [EMAIL PROTECTED] (from Mon, 19 May 2008 00:17:07 -0500): Is this supposed to happen? FreeBSD 6.2 order.cgi is only installed in one jail on this system, but I see this report in all the jails on that system. The below lines are from the daily security run output for

Re: Signal 11 messages showing in all jails?

2008-05-19 Thread Alexander Leidinger
Quoting Andrew Snow [EMAIL PROTECTED] (from Mon, 19 May 2008 21:08:38 +1000): Sorry for previous message, it wasn't devfs rules at all that solved this problem. The rules you posted are part of some kind of workaround. The rules didn't include the syslog pipe for kernel messages

Re: freebsd-update on jails

2008-04-21 Thread Alexander Leidinger
Quoting Jeffrey Smith [EMAIL PROTECTED] (from Sun, 20 Apr 2008 15:49:39 -0400): I previously posted a howto to use zfs to manage jails. The first update through freebsd-update has been released. Testing this I get [snip] But I still get that same error. Does anyone have any idea what

Re: How to better update a jail host system

2008-01-02 Thread Alexander Leidinger
Quoting Andrew Hotlab [EMAIL PROTECTED] (Wed, 2 Jan 2008 13:12:24 +0100): -- From: Alexander Leidinger [EMAIL PROTECTED] Sent: Sunday, December 30, 2007 12:41 AM To: Andrew Hotlab [EMAIL PROTECTED] Cc: FreeBSD-Jail freebsd-jail@freebsd.org

Re: pam _start: system error

2007-08-27 Thread Alexander Leidinger
Quoting Kalnz [EMAIL PROTECTED] (from Mon, 27 Aug 2007 12:54:19 +0300): Hi! After installing (in the jail) mysql-server-5.0.45 from ports, I can't get up and running my mysql server. I have to point out that this problem is only inside the jail. All I have is: 1) clean mysql-server install 2)

Re: Jailed X applications

2007-08-20 Thread Alexander Leidinger
Quoting mal content [EMAIL PROTECTED] (from Fri, 17 Aug 2007 17:00:00 +0100): On 17/08/07, Alexander Leidinger [EMAIL PROTECTED] wrote: Quoting mal content [EMAIL PROTECTED] (from Fri, 17 Aug Has anyone here ever successfully set up a jail for X apps, connecting to an external X server