Re: Focker 2.0 released
On 18/08/2021 12:04, Stanislaw Adaszewski wrote:
> Hi Miroslav,
> Thanks. For me it is really useful. Ever since I developed it, I started deploying jails like crazy. In the v1 branch there is an old port, looking for a maintainer I guess. For the moment, the only official way of installing is:
> pip install git+https://github.com/sadaszewski/focker.git
> It is not too bad to be honest. I cannot support anything more at this time - apologies for the inconvenience.

I understand. But I think providing an official port for FreeBSD will give you a wider audience, more testers etc.

Miroslav Lachman
Re: Focker 2.0 released
On 17/08/2021 22:47, Stanislaw Adaszewski wrote:
> I have released Focker 2.0 today with numerous improvements to API, Configurability, Plugins, Facets, Bootstrap and many other aspects. Hope you give it a try: https://github.com/sadaszewski/focker/

It looks interesting. Will it be available as port / pkg?

Kind regards
Miroslav Lachman
Re: Move jails hard way to iocage
On 26/03/2021 10:28, Jacques Foucry wrote:
> Hello Friends,
> I run many jails, configured in the "hard way" (ie `/etc/jail.conf` file) and I would like to move them into iocage. I can't find any help on the Internet (maybe I did not search correctly). Does someone have a pointer or a how-to?

I am not using iocage but it should not be hard. I guess you can create jails with the names and settings you want (not start them) and then move (rename) ZFS filesystems if they are used in your current setup. Or just move files with rsync from the old jail to the new jail. Whatever will be better for your setup.

Miroslav Lachman
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: dedicated dataset for jail data
On 15/01/2021 16:17, Julien Cigar wrote:
> Hello,
> I have a host with a lot of jails, which are deployed automatically with Saltstack (thanks to https://github.com/silenius/jails-formula). I usually create two datasets per jail: one for the jail itself, and one for the "data". The idea is to be able to easily upgrade the jail without touching the "data". So I have something like (1).
> I have one fstab per jail which mounts the corresponding "data" dataset under the jail, something like:
> ~/ cat /etc/fstab.nextcloud
> /data/jails/nextcloud /jails/nextcloud/data nullfs rw 0 0
> I'd like to know if there is a better way of handling this, without involving nullfs if possible, and how do people usually manage that..?
> (1) https://gist.github.com/silenius/f1899ebb5cf58ca33b3e5edafc85d549

I am using nullfs to mount a shared basejail into each jail. I prefer to have the filesystems for jails mounted all the time so I can manage (backup, configure, update) files even if the jail is not running. No fstab is needed for this scenario.
But if you want to mount / unmount the jail's datasets when the jail starts / stops, you can set these ZFS filesystems as "legacy" (no automatic mount at boot) and then mount them with /etc/fstab.jailname as you use nullfs now.

Miroslav Lachman
Re: Jail resource limits?
Greg Lewis wrote on 11/07/2019 05:43:
> Hi all,
> I've been playing with limiting FreeBSD jail resources with both cpuset and rctl and I wondered if anyone knew of a way to tell from inside the jail what these limits are? E.g. let's say I use cpuset to limit a jail to CPU0 and rctl to limit a jail to only using up to 4G of memory. Can I then tell from a process running inside the jail that these limits are in place? I tried dumping out sysctl -a and couldn't see anything that seemed to match up with the limits I put in place. I haven't yet tried writing some code to call cpuset(2) to see if that works.
> The reason I'm asking is that some software may make decisions based on the resources available and I'd like to have a way to accurately determine those resource limits for jailed processes.

cpuset called inside a jail will return the available cores:
# cpuset -g
pid -1 mask: 2, 3

I don't think it is possible to query rctl limits. Maybe somebody else knows better.

Miroslav Lachman
Re: how to determine primary (source) IP address in jail
Dave Cottlehuber wrote on 2019/03/01 12:43:
> On Thu, 28 Feb 2019, at 11:59, Miroslav Lachman wrote:
>> Is there some easy way to determine the primary (source) address which is used in a jail with multiple IP addresses? I came to this problem with running local_unbound in a jail. Unbound refuses queries originating in this jail because they do not come from the real 127.0.0.1 (which is the only one allowed by default). Unbound in the jail sees requests coming from the jail's IP. It is easy to determine (in a shell script) if the jail has only one IP. But what in the case where the jail has multiple IPs? Is there some sysctl or some call to ifconfig or any other util to get the IP which will be used as the source address for queries on local services in the jail?
>
> Specifically for unbound, try interface-automatic and see if that helps.
> interface-automatic: Detect source interface on UDP queries and copy them to replies. This feature is experimental, and needs support in your OS for particular socket options. Default value is no.
>
> # /etc/unbound/conf.d/secure.conf
> server:
>   interface-automatic: yes
>   access-control: 127.0.0.0/8 allow
>   access-control: 10.0.0.0/8 allow
>   access-control: 0.0.0.0/0 refuse
>   access-control: ::1/64 allow
>   access-control: ::/8 refuse
>   ...
>
> I don't use it quite the same way as you though, and it doesn't solve the generic problem. I run a single unbound instance in the host system, and only allow jails to resolve via that.
> https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

Thanks to all for the replies. It seems that it is easier to list all the jail's IPs in the access-control with a /32 mask than to try to find the source address. I can live with it ;)

Miroslav Lachman
how to determine primary (source) IP address in jail
Is there some easy way to determine the primary (source) address which is used in a jail with multiple IP addresses? I came to this problem with running local_unbound in a jail. Unbound refuses queries originating in this jail because they do not come from the real 127.0.0.1 (which is the only one allowed by default). Unbound in the jail sees requests coming from the jail's IP. It is easy to determine (in a shell script) if the jail has only one IP. But what in the case where the jail has multiple IPs? Is there some sysctl or some call to ifconfig or any other util to get the IP which will be used as the source address for queries on local services in the jail?
I know I can allow all IPs of the jail in access-control:
access-control: a.b.c.d/32 allow
access-control: e.f.g.h/32 allow
I am just curious if there is some way to get the "primary" IP in the jail without calling anything from the host environment.

Kind regards
Miroslav Lachman
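The workaround the thread settles on (one access-control line per jail address with a host mask) can be generated from inside the jail, where ifconfig lists only that jail's own addresses. This is an added example, not code from either message; the unbound conf.d path in the comment is an assumption and the ifconfig text is constructed.

```shell
#!/bin/sh
# Generate unbound access-control rules for every address a jail owns.
# Reads ifconfig(8) output on stdin (run inside the jail, where ifconfig
# lists only that jail's addresses) and prints one "allow" rule per
# address with a host mask: /32 for IPv4, /128 for IPv6.
# 127.0.0.0/8 and ::1 are skipped because unbound allows them by default;
# fe80:: link-local addresses are skipped because they carry a scope id
# that an access-control netblock cannot express.
jail_acl_lines() {
    awk '
        $1 == "inet" && $2 !~ /^127\./ {
            printf "access-control: %s/32 allow\n", $2
        }
        $1 == "inet6" {
            addr = $2
            sub(/%.*$/, "", addr)     # strip the %scope suffix (fe80::1%vtnet0)
            if (addr != "::1" && addr !~ /^fe80:/)
                printf "access-control: %s/128 allow\n", addr
        }
    '
}

# Constructed sample resembling ifconfig output inside a jail with two
# IPv4 aliases and one global IPv6 address (not output from the thread).
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffffff broadcast 192.0.2.10
    inet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
    inet6 fe80::1%vtnet0 prefixlen 64 scopeid 0x1
    inet6 2001:db8::10 prefixlen 64
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128'

# Demo on the constructed sample. Inside a real jail you would run
#   ifconfig | jail_acl_lines > /usr/local/etc/unbound/conf.d/jail-acl.conf
# (the conf.d path is an assumption; check the include line in your unbound.conf).
demo_jail_acl() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | jail_acl_lines
}
```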
Re: Proposal: automatic jailing of services (rc.d/*) [patch]
Alexander Leidinger via freebsd-jail wrote on 2019/02/24 11:00:
> [...]
> Attached is a proof of concept (only lightly tested with start/stop/status/restart) so that you can play around with it a little bit. Please don't focus on the patch. This mail is to seek feedback about the feature and the quick design so far. To make it explicit, I do not ask (yet) if and which service to handle like this by default. This is just the possibility to do something like this.

Interesting idea, but the patch was stripped by the mailing list. Can you put it online and post the link to it?

Kind regards
Miroslav Lachman
Re: jails which take a long time to shutdown
Dan Langille wrote on 2019/02/06 16:47:
> Michael,
> Something came to mind with your recent post about exit codes. What if a jail takes minutes to shutdown? Will it be shutdown properly?
> I ask because I routinely have a jail which when restarted has a corrupted mongodb database. I have not tracked down the issue, but I know it takes a while to shutdown.
> Can it be related to calling /etc/rc.shutdown and sort rcshutdown_timeout in rc.conf? (etc/defaults/rc.conf has rcshutdown_timeout=90)

Is your mongodb corrupted when you just restart the jail or only in the case when you restart the whole machine?
I am not sure if the system shutdown will wait 90 seconds for each jail or kill all processes after 90 seconds counted by the host's rcshutdown_timeout.

Miroslav Lachman
Re: delegating ZFS of jail's root directory
Michael W. Lucas wrote on 2019/01/22 17:23:
> On Tue, Jan 22, 2019 at 11:39:57AM +0100, Willem Jan Withagen wrote:
>> On 21-1-2019 17:42, Michael W. Lucas wrote:
>> Hi Michael,
>> I think I asked that question some time ago, to be able to run a ceph-setup script in a jail. The basic answer was that the jail needs to have access to /dev/zfs in the jail to be effectively controlling zfs. But then I think you delegate the whole set of zfs capabilities to the jail. Which in my case was not a problem. But if you want to use a jail as separation of control, then this will be way too liberal.
>> There is a set of configs for devfs in /etc. See `man -k devfs`
>> But I've not used this in the end.
>
> That fixes the first problem, thank you.
> I still can't delegate the jail's root directory to the jail, though. Once I set jailed=on to the jail's zroot, it's unmounted and jail(8) can't find the jail's /dev to mount it. There seems to be a chicken-and-egg problem here that I have no idea how to resolve.
> Any suggestions?

What about mounting it with exec.prestart before the jail is created? (I didn't try it)

Miroslav Lachman
Re: jail related inconsistencies in FreeBSD tools parameters
James Gritton wrote on 2018/06/26 20:42:
> On 2018-06-23 12:58, Eitan Adler wrote:
>> [...]
>> I was thinking of a more generic one that does id or name. Now that I think about it a bit more, C makes this kind of thing impossible to do usefully. That said, I'll still review and commit any patches to existing tools to make them behave consistently.
>
> Yes, jail_getid(3) works with either a numeric ID or a name. I've added a patch to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266 for the four programs I've found that need help. I've tested the easy ones (cpuset and sockstat).

Thank you very much. I really appreciate your neverending work on jails! I hope it will be committed soon.

Kind regards
Miroslav Lachman
Re: jail related inconsistencies in FreeBSD tools parameters
James Gritton wrote on 2018/06/23 17:30:
> On 2018-06-22 16:03, Miroslav Lachman wrote:
>> Chris H wrote on 2018/06/22 23:46:
>>> On Fri, 22 Jun 2018 23:13:17 +0200 "Miroslav Lachman" <000.f...@quip.cz> said
>>>> I don't know if it is better to discuss it in jail@ or stable@ list so I do cross-post.
>>>> FreeBSD has many jail aware utilities but they are inconsistent in taking JID as parameter. For example "sockstat" takes -j JID "Show only sockets belonging to the specified jail ID" and it means numeric ID only. On the other hand "ps" takes -J JID "This may be either the jid or name of the jail. Use -J 0 to display only host processes." The same applies for "top", it understands jid as a number or name of the jail too. Then again "cpuset" takes only the numerical ID of the jail...
>>>> Shouldn't it be consistent across all FreeBSD base utilities so all of them can use numerical ID and name?
>>> Good idea! Are you offering to create a patch? ;-)
>>> It'd be my guess that given they weren't all created at the same time, nor by the same individual; that (quite probably?) the "jail" additions were also added at different times, and by different people. So I'd imagine that unless someone with a commit bit decides one day they'd like to take that on, Someone(tm) maybe you? will need to propose a patch. :-)
>> If I could understand C sources I would create the patch by myself instead of just posting here. Unfortunately I am able to code in sh, php and a bit of javascript and perl but no C. :)
>> Miroslav Lachman
>
> Sure, a PR would be handy for this - it's a pretty simple thing to add, and consistency would indeed be a good move.

PR 229266 created
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229266

Kind regards
Miroslav Lachman
Re: jail related inconsistencies in FreeBSD tools parameters
Chris H wrote on 2018/06/22 23:46:
> On Fri, 22 Jun 2018 23:13:17 +0200 "Miroslav Lachman" <000.f...@quip.cz> said
>> I don't know if it is better to discuss it in jail@ or stable@ list so I do cross-post.
>> FreeBSD has many jail aware utilities but they are inconsistent in taking JID as parameter. For example "sockstat" takes -j JID "Show only sockets belonging to the specified jail ID" and it means numeric ID only. On the other hand "ps" takes -J JID "This may be either the jid or name of the jail. Use -J 0 to display only host processes." The same applies for "top", it understands jid as a number or name of the jail too. Then again "cpuset" takes only the numerical ID of the jail...
>> Shouldn't it be consistent across all FreeBSD base utilities so all of them can use numerical ID and name?
>
> Good idea! Are you offering to create a patch? ;-)
> It'd be my guess that given they weren't all created at the same time, nor by the same individual; that (quite probably?) the "jail" additions were also added at different times, and by different people. So I'd imagine that unless someone with a commit bit decides one day they'd like to take that on, Someone(tm) maybe you? will need to propose a patch. :-)

If I could understand C sources I would create the patch by myself instead of just posting here. Unfortunately I am able to code in sh, php and a bit of javascript and perl but no C. :)

Miroslav Lachman
jail related inconsistencies in FreeBSD tools parameters
I don't know if it is better to discuss it in jail@ or stable@ list so I do cross-post.

FreeBSD has many jail aware utilities but they are inconsistent in taking JID as parameter. For example "sockstat" takes -j JID "Show only sockets belonging to the specified jail ID" and it means numeric ID only. On the other hand "ps" takes -J JID "This may be either the jid or name of the jail. Use -J 0 to display only host processes." The same applies for "top", it understands jid as a number or name of the jail too. Then again "cpuset" takes only the numerical ID of the jail...

Shouldn't it be consistent across all FreeBSD base utilities so all of them can use numerical ID and name? Should I file a PR for it?

Miroslav Lachman

PS: I am on FreeBSD 10.4 so I don't know if something is different in newer branches
Re: two NIC's in a jail
joerg_surmann wrote on 2018/03/23 20:12:
> Hi,
> thanks for your help. I can't find a solution. But I have found a strange IP config.
> in rc.conf on Host (not jail)
> ifconfig_vmx0_alias1="inet 192.168.100.2 netmask 255.255.255.0"
> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
> ifconfig on host says:
> inet 213.70.80.92 netmask 0x broadcast 213.70.80.92
> inet 192.168.100.2 netmask 0x broadcast 192.168.100.2
> ifconfig says /32 for both IPs. Maybe that's the reason for the unavailable apache. ifconfig inside the jail says the same. I'm a little bit confused.

I think it can be a problem with your configuration of ezjail. I am not sure, but if I remember it well, if you set the IP for a jail in the ezjail configuration it will be added to the network interface on startup and removed on stop of the jail. So when you start the host you will have 192.168.100.2/24 but after the jail starts you will end up with 192.168.100.2/32. Can you confirm this? (reboot the machine with ezjail disabled in rc.conf)
You need to configure ezjail to not manage IPs on interfaces.
Please post the content of ezjail.conf and the full conf of your jail.

> On 23.03.2018 at 17:41 Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 17:14:
>>> tail -f /var/log/httpd-access.log
>>> 192.168.100.2 - - [23/Mar/2018:13:12:10 +] "OPTIONS * HTTP/1.0" 200 -
>>> 192.168.100.2 - - [23/Mar/2018:15:12:02 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:33:07 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:33:08 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:33:09 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:35:37 +] "GET / HTTP/1.1" 302 209
>>> 213.70.80.92 - - [23/Mar/2018:15:35:44 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:35:45 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:35:46 +] "OPTIONS * HTTP/1.0" 200 -
>>> 213.70.80.92 - - [23/Mar/2018:15:58:05 +] "GET / HTTP/1.1" 302 209
>>
>> How did you do the request from 213.70.80.92? Was it made from the localhost where Apache runs?
>>
>>> jls -v
>>> JID Hostname Path Name State CPUSetID IP Address(es)
>>> 2 apache24 /usr/jails/apache24 apache24 ACTIVE 3 192.168.100.2 213.70.80.92
>>
>> Looks good
>>
>>> jls -s
>>> devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2 name=apache24 osreldate=1101001 osrelease=11.1-RELEASE path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable allow.nochflags allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0 host.domainname="" host.hostid=0 host.hostname=apache24 host.hostuuid=----
>>
>> This is strange. You have ip4=disable ip6=disable. My jails have "ip4=new ip6=disable"
>> And you don't have ip4.addr at all. I have ip4.addr=172.16.16.2 for example
>>
>> Miroslav Lachman
>>
>>> On 23.03.2018 at 16:58 Miroslav Lachman wrote:
>>>> Joerg Surmann wrote on 2018/03/23 16:45:
>>>>> Thanks for the reply.
>>>>> netstat -an | egrep 'tcp4.*80 .*LISTEN' says:
>>>>> netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
>>>>> tcp4 0 0 *.80 *.* LISTEN
>>>>> grep -i Listen /usr/local/etc/apache24/httpd.conf
>>>>> Listen 80
>>>>> Listen 443
>>>>> From the internal IP it is no Problem.
>>>>> You are right. I'm not sure on which IPs Apache is listening. I have changed the Listen directive to the external IP in httpd.conf
>>>>> Listen 213.70.80.92:80
>>>>> netstat -an | egrep 'tcp4.*80 .*LISTEN' now says:
>>>>> tcp4 0 0 213.70.80.92:80 *.* LISTEN
>>>>> But apache is not available from the Internet. From the Intranet... no Problem. When I use tcpdump on the Host I can see Traffic. What's wrong?
>>>>
>>>> That's strange. Listen 80 and Listen 443 is OK, it is the same as
>>>> Listen *:80
>>>> Listen *:443
>>>> and as you see with netstat, Apache was listening on both IPs:
>>>> *.80 *.* LISTEN
>>>> Do you have something listening on port 80 in the Host? What does netstat show in the host?
>>>> Also check the Apache log files. If you didn't configure a virtual host, then you have just these two log files:
>>>> /var/log/httpd-access.log
>>>> /var/log/httpd-error.log
>>>> Use tail and then try to access your website from the internet
>>>> # tail -f /var/log/httpd-*.log
>>>> Please send what "jls -v" in the Host will show you. (there should be 2 IPs for your jail) or "jls -s" (replace any sensitive information if you want)
>>>> And move this discussion to the proper mailing list: freebsd-jail@FreeBSD.org
Re: two NIC's in a jail
Joerg Surmann wrote on 2018/03/23 17:14:
> tail -f /var/log/httpd-access.log
> 192.168.100.2 - - [23/Mar/2018:13:12:10 +] "OPTIONS * HTTP/1.0" 200 -
> 192.168.100.2 - - [23/Mar/2018:15:12:02 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:07 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:08 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:09 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:37 +] "GET / HTTP/1.1" 302 209
> 213.70.80.92 - - [23/Mar/2018:15:35:44 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:45 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:46 +] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:58:05 +] "GET / HTTP/1.1" 302 209

How did you do the request from 213.70.80.92? Was it made from the localhost where Apache runs?

> jls -v
> JID Hostname Path Name State CPUSetID IP Address(es)
> 2 apache24 /usr/jails/apache24 apache24 ACTIVE 3 192.168.100.2 213.70.80.92

Looks good

> jls -s
> devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2 name=apache24 osreldate=1101001 osrelease=11.1-RELEASE path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable allow.nochflags allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0 host.domainname="" host.hostid=0 host.hostname=apache24 host.hostuuid=----

This is strange. You have ip4=disable ip6=disable. My jails have "ip4=new ip6=disable"
And you don't have ip4.addr at all. I have ip4.addr=172.16.16.2 for example

Miroslav Lachman

> On 23.03.2018 at 16:58 Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 16:45:
>>> Thanks for the reply.
>>> netstat -an | egrep 'tcp4.*80 .*LISTEN' says:
>>> netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
>>> tcp4 0 0 *.80 *.* LISTEN
>>> grep -i Listen /usr/local/etc/apache24/httpd.conf
>>> Listen 80
>>> Listen 443
>>> From the internal IP it is no Problem.
>>> You are right. I'm not sure on which IPs Apache is listening. I have changed the Listen directive to the external IP in httpd.conf
>>> Listen 213.70.80.92:80
>>> netstat -an | egrep 'tcp4.*80 .*LISTEN' now says:
>>> tcp4 0 0 213.70.80.92:80 *.* LISTEN
>>> But apache is not available from the Internet. From the Intranet... no Problem. When I use tcpdump on the Host I can see Traffic. What's wrong?
>>
>> That's strange. Listen 80 and Listen 443 is OK, it is the same as
>> Listen *:80
>> Listen *:443
>> and as you see with netstat, Apache was listening on both IPs:
>> *.80 *.* LISTEN
>> Do you have something listening on port 80 in the Host? What does netstat show in the host?
>> Also check the Apache log files. If you didn't configure a virtual host, then you have just these two log files:
>> /var/log/httpd-access.log
>> /var/log/httpd-error.log
>> Use tail and then try to access your website from the internet
>> # tail -f /var/log/httpd-*.log
>> Please send what "jls -v" in the Host will show you. (there should be 2 IPs for your jail) or "jls -s" (replace any sensitive information if you want)
>> And move this discussion to the proper mailing list: freebsd-jail@FreeBSD.org
Re: two NIC's in a jail
Joerg Surmann wrote on 2018/03/23 16:45:
> Thanks for the reply.
> netstat -an | egrep 'tcp4.*80 .*LISTEN' says:
> netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
> tcp4 0 0 *.80 *.* LISTEN
> grep -i Listen /usr/local/etc/apache24/httpd.conf
> Listen 80
> Listen 443
> From the internal IP it is no Problem.
> You are right. I'm not sure on which IPs Apache is listening. I have changed the Listen directive to the external IP in httpd.conf
> Listen 213.70.80.92:80
> netstat -an | egrep 'tcp4.*80 .*LISTEN' now says:
> tcp4 0 0 213.70.80.92:80 *.* LISTEN
> But apache is not available from the Internet. From the Intranet... no Problem. When I use tcpdump on the Host I can see Traffic. What's wrong?

That's strange. Listen 80 and Listen 443 is OK, it is the same as
Listen *:80
Listen *:443
and as you see with netstat, Apache was listening on both IPs:
*.80 *.* LISTEN

Do you have something listening on port 80 in the Host? What does netstat show in the host?

Also check the Apache log files. If you didn't configure a virtual host, then you have just these two log files:
/var/log/httpd-access.log
/var/log/httpd-error.log
Use tail and then try to access your website from the internet
# tail -f /var/log/httpd-*.log

Please send what "jls -v" in the Host will show you. (there should be 2 IPs for your jail) or "jls -s" (replace any sensitive information if you want)

And move this discussion to the proper mailing list: freebsd-jail@FreeBSD.org

Miroslav Lachman

> On 23.03.2018 at 16:07 Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 13:49:
>>> Hi all,
>>> I have a Problem to understand how to manage 2 Networks inside a Jail. I have created a jail (using ezjail) with an alias IP.
>>> in rc.conf (on Host):
>>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0" <- this is the jail ip
>>> Inside the jail apache24 is running.
>>> Now I add a new NIC to the System.
>>> in rc.conf (on Host):
>>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>> in /usr/local/etc/ezjail/myjail.conf: I add the new ip
>>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>> Restart the jail and ifconfig looks fine.
>>> vmx0 -> inet 192.168.100.2
>>> em0 -> inet 213.70.80.92
>>> Apache Listen on all NIC's ()
>>> But I can see my Website only via 192.168.100.2 from the internal Network. The Host is behind a Firewall. The IP 213.70.80.92 is enabled for incoming Traffic. When I give the Hostname in a Browser I get "connection Timeout".
>>> What is to do so that the Host is accessible from the Inet?
>>
>> Are you sure Apache is listening on both IPs? What does netstat say?
>> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>> Also check what you have in httpd.conf for the Listen directive
>> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>>
>> I am not using ezjail, I am using jail.conf
>> costa {
>>     host.hostname = "costa.example.com";
>>     ip4.addr = AA.BB.CCC.DDD;
>>     ip4.addr += 192.168.222.57;
>> }
>> Real IP was replaced with AA.BB.CCC.DDD
>> And it works. Services inside the jail must be listening on both IPs or the wildcard * (0.0.0.0)
>> And be sure to disable the host's services listening on the IPs and ports you want to be served from the jail.
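The check asked for in this thread ("are you sure Apache is listening on both IPs?") can be scripted: the function below reads netstat -an output, run inside the jail, and reports for each jail address whether the port is served, either by a wildcard socket or by a socket bound to that address. This is an added example, not code from the thread; the netstat text is constructed to mirror the two situations discussed (Listen 80 versus a Listen bound to one address).

```shell
#!/bin/sh
# Report on which jail addresses a TCP port is actually served.
# Usage: netstat -an | listen_check PORT ADDR [ADDR...]
# Only tcp4 sockets in LISTEN state are considered. A local address of
# "*.PORT" is the wildcard (0.0.0.0) and covers every address the jail
# owns; "A.B.C.D.PORT" covers that single address only. FreeBSD netstat
# separates the port with a dot; a trailing ":PORT" is accepted as well.
# Prints "ADDR served" or "ADDR NOT served" per address and exits 1 if
# any address is not served. The "kvm not available" warning netstat
# prints inside a jail goes to stderr and does not affect the parse.
listen_check() {
    port=$1
    shift
    awk -v port="$port" -v addrs="$*" '
        BEGIN { n = split(addrs, want, " ") }
        $1 == "tcp4" && $NF == "LISTEN" {
            laddr = $4
            # the port is the digits after the last "." or ":"
            if (match(laddr, /[.:][0-9]+$/)) {
                p = substr(laddr, RSTART + 1)
                host = substr(laddr, 1, RSTART - 1)
                if (p == port) {
                    if (host == "*" || host == "0.0.0.0")
                        wildcard = 1
                    else
                        bound[host] = 1
                }
            }
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                if (wildcard || (want[i] in bound)) {
                    print want[i] " served"
                } else {
                    print want[i] " NOT served"
                    rc = 1
                }
            }
            exit rc
        }
    '
}

# Constructed samples (not the thread's real output). The first is what
# "Listen 80" gives: one wildcard socket. The second binds port 80 to the
# internal address only, the failure mode the thread is chasing.
SAMPLE_WILDCARD='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN'

SAMPLE_INTERNAL_ONLY='tcp4       0      0 192.168.100.2.80       *.*                    LISTEN
tcp4       0      0 192.168.100.2.22       192.168.100.50.51234   ESTABLISHED'

check_wildcard() {
    printf '%s\n' "$SAMPLE_WILDCARD" | listen_check 80 192.168.100.2 213.70.80.92
}
check_internal_only() {
    printf '%s\n' "$SAMPLE_INTERNAL_ONLY" | listen_check 80 192.168.100.2 213.70.80.92
}
```

Inside the jail the real invocation is `netstat -an | listen_check 80 192.168.100.2 213.70.80.92`; a "NOT served" line points at the Listen directive, a clean result points at the host's firewall or at a host service holding the port.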
Re: Update jails strategy
Michael Grimm wrote on 2017/11/11 21:42:
> Hi --
> [FYI: I am running some service jails with an ezjail-type basejail approach.]
> Until now I did stop all jails before updating and restarting them afterwards. Now I am wondering if that is necessary at all. Wouldn't it be sufficient to update basejail with running jails and restart them after this updating? (In analogy to a "make installworld; make installkernel; reboot")

Update of the basejail and restart of the jails is enough. I have been doing it this way for years. We have a build server with prepared updates mounted through NFS and then just make installkernel && make installworld (+ mergemaster) in the host system. After the host is updated (before reboot) I run my local script to rsync changes from the host to the basejail (sync just bin, sbin, libs, but not home, etc, var), then mergemaster in all jails and finally reboot the server. I never stop jails before the update.

Miroslav Lachman
Re: set jail cpu-list in jail.conf
Steve Wills wrote on 2017/10/25 15:58:
> Hi,
> I created a patch which adds support for setting the cpu-list of a jail's cpuset in jail.conf, here:
> https://reviews.freebsd.org/D12789
> If anyone finds this useful or has comments, please let me know.

It looks much better than my workaround:

alpha {
    host.hostname = "alpha.example.com";
    ip4.addr = 10.10.10.2;
    exec.poststart += "cpuset -c -l 1,2,5 -j `jls -j alpha jid`";
}

Thank you!

Missing update of man pages for jail(8).

Miroslav Lachman
Re: Passing a limited amount of disk devices to jails
Willem Jan Withagen wrote on 2017/06/09 15:48:
> On 9-6-2017 11:23, Steven Hartland wrote:
>> You could do effectively this by using dedicated zfs filesystems per jail
>
> Hi Steven,
> That is how I'm going to do it, when nothing else works. But then I don't get to test the part of building the ceph-cluster from raw disk...
> I was more thinking along the lines of tinkering with the devd.conf or something. And would appreciate opinions on how to (not) do it.

I totally skipped devd.conf in my mind in my previous reply. So maybe you can really use devd.conf to allow access to /dev/adaX devices, or you can use ZFS zvols if you have a big pool and need some smaller devices to test with.

Miroslav Lachman
Re: Passing a limited amount of disk devices to jails
Willem Jan Withagen wrote on 2017/06/09 10:45:
> Hi,
> I'm writing/building a test environment for my ceph cluster, and I'm using jails for that.
> Now one of the things I'd be interested in, is to pass a few raw disks to each of the jails. So jail ceph-1 gets /dev/ada1 and /dev/ada2 (and partitions), ceph-2 gets /dev/ada2 and /dev/ada3.
> AND I would need gpart to be able to work on them!
> Would this be possible to do with the current jail implementation on 12-CURRENT?

I don't think a jail will ever have access to raw / block devices. It is disallowed by the security design.
Wouldn't it be better to use bhyve guests for this environment?

Miroslav Lachman
Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]
Alexander Leidinger wrote on 2016/12/19 20:54:
> Quoting Miroslav Lachman <000.f...@quip.cz> (from Mon, 19 Dec 2016 18:57:39 +0100):
>> Alexander Leidinger wrote on 2016/12/19 17:56:
>>> Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016 13:20:31 +0100):
>>> I don't expect it to be in the docs. I try to come up with something for the man page for zfs (for the "attach to jail" part), but anyone shall feel free to beat me with this. Anyone with an idea where in the jail man page we should add something too (I only had a look at the zfs man page when this issue came up)?
>> It would be nice to have this mentioned in zfs(8) man page (that user in jail cannot manage jail's root dataset but can manage some sub-dataset not required to boot the jail)
>
> What about this? Better wording welcome.
> ---snip---
Index: zfs.8 === --- zfs.8 (Revision 298108) +++ zfs.8 (Arbeitskopie)
@@ -450,8 +450,11 @@ dataset can be attached to a jail by using the .Qq Nm Cm jail subcommand. You cannot attach a dataset to one jail and the children of the -same dataset to another jails. To allow management of the dataset from within -a jail, the +same dataset to another jails. You can also not attach the root file system +of the jail or any dataset which needs to be mounted before the zfs rc script +is run inside the jail, as it would be attached unmounted until it is +mounted from the rc script inside the jail. To allow management of the +dataset from within a jail, the .Sy jailed property has to be set and the jail needs access to the .Pa /dev/zfs ---snip---
>
>> And there can be some useful example in jail(8) man page in EXAMPLES. There is section "Jails and File Systems" and there can be new section "Manage ZFS from within jail" with basic notes about required jail params, zfs set jailed property and example "hierarchy". (and warning about gotchas with jailed=0 on jail's root directory)
>
> Are you willing to come up with some text-only version/draft/outline for this one?

I am not good at English but I will try something.
Thank you!

Miroslav Lachman
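Review bot: the added sentence "You can also not attach the root file system of the jail or any dataset which needs to be mounted before the zfs rc script is run inside the jail, as it would be attached unmounted until it is mounted from the rc script inside the jail" is hard to parse; suggest "Nor can you attach the root file system of the jail, or any dataset that must be mounted before the zfs rc script runs inside the jail, because it would be attached unmounted until that script mounts it." Since the line "same dataset to another jails." is being rewritten anyway, the pre-existing "another jails" could become "another jail" in the same change. Per the mdoc(7) convention, each new sentence should start on a new line in the source, so "You can also not attach" and "To allow management of the" belong at the start of their own lines rather than mid-line.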
Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]
Alexander Leidinger wrote on 2016/12/19 17:56: Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016 13:20:31 +0100): Alexander Leidinger wrote on 2016/12/17 19:59: Quoting SK <fbsta...@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 Correct. You need the data in the root of the jail to boot, if you then attribute this dataset to the jail, it will vanish until "zfs mount -a" is run (rc script inside the jail). As it will vanish during the boot of the jail (if added automatically), the rc script to mount all datasets can not be found. [...] I think what you are trying to tell here is, unless and until that "vanished" dataset is put to use (mounted) from inside the jail, it will remain vanished/unusable from the host itself; however, once that dataset is put to use, the host system should be able to "see" and maybe even work on that dataset. Could you please confirm if I understood you correctly? Correct. A sub-dataset which is not needed to boot, or a dataset not within the subtree of the jail (and not needed to boot) can be used. Thank you for this information! If it is somewhere in the docs it is well hidden to me :) I don't expect it to be in the docs. I try to come up with something for the man page for zfs (for the "attach to jail" part), but anyone shall feel free to beat me with this. Anyone with an idea where in the jail man page we should add something too (I only had a look at the zfs man page when this issue came up)? It would be nice to have this mentioned in zfs(8) man page (that user in jail cannot manage jail's root dataset but can manage some sub-dataset not required to boot the jail) And there can be some useful example in jail(8) man page in EXAMPLES. There is section "Jails and File Systems" and there can be new section "Manage ZFS from within jail" with basic notes about required jail params, zfs set jailed property and example "hierarchy". 
(and warning about gotchas with jailed=0 on jail's root directory) Miroslav Lachman ___ freebsd-jail@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]
Alexander Leidinger wrote on 2016/12/17 19:59: Quoting SK <fbsta...@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +): If I understand you correctly, what you are suggesting is, the dataset used by the jail itself for its root/base cannot be "worked on" from within the jail, but if I define a different dataset (under the same branch below the jail dataset), and attribute it to the jail, then I can manipulate that "other" dataset. Could you please confirm if I understood it correctly? Correct. You need the data in the root of the jail to boot, if you then attribute this dataset to the jail, it will vanish until "zfs mount -a" is run (rc script inside the jail). As it will vanish during the boot of the jail (if added automatically), the rc script to mount all datasets can not be found. [...] I think what you are trying to tell here is, unless and until that "vanished" dataset is put to use (mounted) from inside the jail, it will remain vanished/unusable from the host itself; however, once that dataset is put to use, the host system should be able to "see" and maybe even work on that dataset. Could you please confirm if I understood you correctly? Correct. A sub-dataset which is not needed to boot, or a dataset not within the subtree of the jail (and not needed to boot) can be used. Thank you for this information! If it is somewhere in the docs it is well hidden to me :) Miroslav Lachman ___ freebsd-jail@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Michael Grimm wrote on 2016/12/15 19:36: [cc'd to freebsd-jail@FreeBSD.org where that thread originated] Valeri Galtsev <galt...@kicp.uchicago.edu> wrote: On Wed, December 14, 2016 2:30 pm, Michael Grimm wrote:

    #
    # network settings to apply/destroy during start/stop of every jail
    #
    exec.prestart  = "sleep 2";
    exec.prestart += "/sbin/ifconfig epair${jailID} create up";
    exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
    exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
    exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
    exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
    exec.start    += "/sbin/route add default -gateway 10.1.1.254";
    exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
    exec.stop      = "/sbin/route del default";
    exec.stop     += "/sbin/route del -inet6 default";
    exec.stop     += "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
    #
    # individual jail settings
    #
    dns {
        $jailID = 1;
        $ip4_addr = 10.1.1.1;
        $ip4_addr_2 = 10.1.1.2;
        […]

Michael, is it possible to have two addresses belonging to two different networks (through two different network interfaces)? Say, on the host system:

    ifconfig_igb0="inet 172.20.9.22 ...
    ifconfig_igb1="inet 10.1.1.17 ...

and in some jail

    $ip4_addr = 172.20.9.22;
    $ip4_addr_2 = 10.1.1.17;

- will that work? This is what didn't work for me in the past when I configured jails the old style in /etc/rc.conf. I can't answer that because I have never tried it before. More IP addresses on more interfaces have worked for me for many years, even in old rc.conf-style jails. Converted to the new jail.conf it is something like this:

    costa {
        host.hostname = "costa.example.com";
        ip4.addr = 94.104.135.21;
        ip4.addr += 192.168.222.57;
    }

As you can see, the IPs are from different networks. We are not using automatic adding / removing of IPs on interfaces. We don't want to have something else to manage IP addresses.
All IPs are defined in rc.conf on their proper interfaces. In this case, the first jail's IP is on bge1 and the second is on nfe0 (LAN interface). I already made a jail using a VPN-assigned IP on the tun0 OpenVPN interface. In other words - the jail doesn't care about interfaces. If there is an IP in the system (on whatever interface) then you can assign it to a jail, and you can assign as many IPs as you want (up to some really high limit). Miroslav Lachman
Re: Getting "Permission Denied" issues after migrating jails
Kaya Saman wrote on 2016/12/10 15:33: which suggests fixing the noexec flags. On the actual ZFS dataset the exec=on parameter is already set meaning that this must be a local issue and something to do with the "chflags" command but I can't recall or even find any clue on which files to run the command on and parameters to use in "man chflags". Run

    ls -lo /var/db/pkg/vuln.xml

to view the permissions and flags. You can use something like this to check all files with a specified flag:

    find /path/to/jail/ -flags +schg -exec ls -lo {} +

Then check what your kern_securelevel settings are in the host's and in the jails' rc.conf. You cannot modify files with these flags if securelevel is higher than 0. Miroslav Lachman
Re: ZFS and Jail :: nullfs mount :: nothing visible from host
SK wrote on 2016/12/09 13:21: I will try enforce_statfs=2, maybe that will give me what I need. But still, not sure what is happening with jailed=on zfs set jailed=on gT/JailS/testJail << Did you set this property? Now this is an interesting bit. I tried this, and as soon as I ran the command, the dataset vanished :P Interesting. All documentation says jailed=on must be set. Yes, I know. I checked everywhere and that seems to be the norm. But the moment I do it, my jail no longer functions :P My last idea - put zfs_enable="YES" in the jail's /etc/rc.conf. Maybe the dataset is not mounted if it has the property jailed=on (I don't know, I didn't test it yet). Still, my desire for keeping it simple and raw is preventing me from taking any of these routes. I would very much like NOT to run any additional package on the host/base itself. I already have screen, mc and wget -- that is an overkill in my own personal opinion. I understand it. I have been running jails on many machines for years without any 3rd party tools :) But you can try iocage, cbsd or ezjail just to test if it is possible to do what you want. Then you can check sysctls in the host and in the jail, check the jail's properties (`jls -s`), `zfs get all`, and then you can try to reproduce it without 3rd party tools. Ping me next week, I hope I will have more spare time to test it. Miroslav Lachman
Re: ZFS and Jail :: nullfs mount :: nothing visible from host
SK wrote on 2016/12/09 12:36: Thanks Miroslav, I get the picture now. Please see my reply inline I mean your command "zfs list", because normally "zfs list" inside a jail prints: "no datasets available" :) OK, considering that I have the setup as I explained before, and have run zfs jail testJail gT/JailS/testJail, I can see the complete dataset along with the ones that are NOT part of the jail. So, whatever dataset the host can see, I can see from inside the jail. However, I cannot do anything with the dataset from inside the jail. I am not sure, maybe it is not possible to hide them when you need to manage zfs inside the jail. If you can live with not managing zfs inside but from the host, then you can use enforce_statfs=2. Then you will see just the root dataset inside the jail.

    enforce_statfs=0 ~ you will see all datasets and partitions from the host
    enforce_statfs=1 ~ you will see all related to this jail (parents, devfs etc)
    enforce_statfs=2 ~ only the root mount is visible

But, what I would really like to have a) ONLY the relevant datasets for a jail are visible and can be manipulated from within the jail. I do not mind if they are visible from host (in fact, I might prefer that -- not manipulate, just see and maybe take snapshot of what is there -- helps in centralizing backups). But the Jails /must not/ see each others' datasets

    zfs create gT/JailS/testJail
    zfs set jailed=on gT/JailS/testJail    << Did you set this property?

Now this is an interesting bit. I tried this, and as soon as I ran the command, the dataset vanished :P Not only that, I could not run jail any more.
Given that gT/JailS is mounted on /JailS and the path parameter in jail.conf is /JailS/testJail, I am not surprised that the jail did not run (it initially complained about not being able to mount /dev, as it cannot find /JailS/testJail/dev) As a workaround, I removed mount.devfs, mount.procfs (that complained too), mount.fdesc (complained too), and then the jail ran But now that I do not have devfs, I could not do anything with zfs -- I could not even see them. So, manipulation from within the jail or outside the jail was no longer possible. Interesting. All documentation says jailed=on must be set.

    # (populate & start jail)
    zfs jail testJail gT/JailS/testJail

b) if that is not achievable, maybe not allow the jails to see the complete dataset hierarchy -- just make them feel that they are where they are in a root, but still be able to create datasets that would magically show up in the respective jails. This way, the total control is from the host itself, where no one has access to, but the datasets are restricted to different jails. What is visible is controlled by the enforce_statfs values. If you create /tank/jail/alpha and set this path to your first jail, no other jail will know about it. This I believe is where I am stuck at the moment. How do you set this path to the jail? Apparently running zfs jail testJail gT/JailS/testJail did not stop the testJail from seeing gT/Data or gT/JailS/Moving -- in fact, they became visible after that script was run. Any suggestion/pointers is greatly welcome. Out of a little bit of frustration (since I was unable to find any proper documentation on jail.conf -- there is nothing under /etc/default, there is nothing on the man page -- I could not even figure out how to define a zfs as the root/fs for the jail!), I have started looking into ezjail now -- given that everyone seem to claim it can do what I had been unable to do through command line.
If my sense and intelligence is well enough, I might be able to find out how it is done. "Everybody" says "use ezjail" because it was the first tool for manipulating jails available to the masses. I tried it after I learned all things about jails the hard way, and then I realised ezjail is doing strange things in some cases. I know it evolved, but if you need to use some tool, there are better tools (in my opinion) which were developed with ZFS features from the start. You can try iocage or cbsd. They can also manage bhyve guests. Miroslav Lachman
Re: ZFS and Jail :: nullfs mount :: nothing visible from host
SK wrote on 2016/12/09 11:12: zfs list is a good start. I never used zfs from within a jail so I cannot comment on permission denied. I don't know what more must be done. I'm not sure which list you are referring to. I could not find any zfs list in FreeBSD mailing list lists I mean your command "zfs list", because normally "zfs list" inside a jail prints: "no datasets available" :) But, what I would really like to have a) ONLY the relevant datasets for a jail are visible and can be manipulated from within the jail. I do not mind if they are visible from host (in fact, I might prefer that -- not manipulate, just see and maybe take snapshot of what is there -- helps in centralizing backups). But the Jails /must not/ see each others' datasets

    zfs create gT/JailS/testJail
    zfs set jailed=on gT/JailS/testJail    << Did you set this property?
    # (populate & start jail)
    zfs jail testJail gT/JailS/testJail

b) if that is not achievable, maybe not allow the jails to see the complete dataset hierarchy -- just make them feel that they are where they are in a root, but still be able to create datasets that would magically show up in the respective jails. This way, the total control is from the host itself, where no one has access to, but the datasets are restricted to different jails. What is visible is controlled by the enforce_statfs values. If you create /tank/jail/alpha and set this path to your first jail, no other jail will know about it. Now, for the sysctl values, here they come sysctls seem OK, I am out of ideas now. Maybe I will have time next week to try this on my test setup. Miroslav Lachman
Re: ZFS and Jail :: nullfs mount :: nothing visible from host
SK wrote on 2016/12/08 20:13: Initially they were not visible from within the jail, but as I ran zfs jail testJail gT/JailS/testJail they were visible from inside. You can add zfs jail testJail gT/JailS/testJail to your jail.conf post exec so it will be executed automatically. HOWEVER, I am unable to do any manipulation whatsoever from within the jail.

    root@testJail:/ # zfs list
    NAME               USED  AVAIL  REFER  MOUNTPOINT
    gT                10.3G   199G  9.51G  legacy
    gT/JailS           832M   199G    20K  /JailS
    gT/JailS/testJail  546K   199G   827M  /JailS/testJail
    root@testJail:/ # zfs snapshot gT/JailS/testJail@test
    cannot create snapshots : permission denied
    root@testJail:/ # zfs create gT/JailS/testJail/test
    cannot create 'gT/JailS/testJail/test': permission denied
    root@testJail:/ # exit

zfs list is a good start. I never used zfs from within a jail so I cannot comment on permission denied. I don't know what more must be done. Even after the jail was able to see the dataset, the following sysctl was still zero security.jail.mount_zfs_allowed: 0 I think you don't need this sysctl, you just need to set the proper jail options like allow.mount, allow.mount.zfs and enforce_statfs (per jail). I changed it to one, but that didn't seem to have the desired effect (should have I restarted?) No restart needed. Sysctls are runtime configurable. If you need to preserve some sysctl settings after reboot you must put them into /etc/sysctl.conf. below are some of the relevant settings. If you require any other information, I'll try to send them as soon as I can. Send us `sysctl security.jail` from the host and from the jail too.
Re: ZFS and Jail :: nullfs mount :: nothing visible from host
SK wrote on 2016/12/08 15:22: So far I have tried to follow as many google results as possible using jail, zfs, mountpoint, nullfs, manage zfs and so on. There were a few sites coming up again and again but they were talking about ezjail (not that I have anything against it, but I would prefer to be able to use the base system as it is -- might help me learn a few things that ezjail will hide from me :D) If you want to manage a ZFS dataset from within a jail, then you need to use the zfs set jailed=on property (see man zfs). But this dataset cannot be mounted as nullfs, it should be dedicated to the jail. You don't need ezjail because ezjail cannot do anything more than you can do. It is just a shell script wrapper. Miroslav Lachman
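The jailed-dataset setup discussed in the messages above (zfs set jailed=on, zfs jail, allow.mount.zfs, enforce_statfs, and the gotcha that the jail's root dataset must stay unjailed or the jail no longer starts), as an added shell example; it is not code from the thread or from FreeBSD's own rc scripts. The pool, jail and dataset names (tank, alpha, /jail/alpha, tank/jail/alpha, tank/jail/alpha/data), the 10.20.30.40 address and the in-jail mountpoint /data are placeholders, and the safety check encodes the rule from the thread by dataset name only.

```sh
#!/bin/sh
# Added example, not code from the thread: delegate one ZFS sub-dataset to a
# jail so that "zfs snapshot"/"zfs create" work inside it, while the dataset
# holding the jail's root stays unjailed so the jail can still boot.
# Placeholder names (assumptions): pool tank, jail "alpha" rooted on
# tank/jail/alpha (mounted at /jail/alpha), delegated dataset
# tank/jail/alpha/data, which appears as /data inside the jail.
JAIL=${JAIL:-alpha}
JAILROOT=${JAILROOT:-/jail/alpha}
ROOT_DS=${ROOT_DS:-tank/jail/alpha}
DATA_DS=${DATA_DS:-tank/jail/alpha/data}

# Return 0 if DS may be given jailed=on for a jail whose root dataset is ROOTDS.
# A jailed dataset disappears from the host and is attached to the jail
# unmounted; only "zfs mount -a" run inside the jail mounts it. So the root
# dataset, and every ancestor of it, must never be jailed: /etc/rc and the
# zfs rc script live there and would be gone before they could run.
# A descendant (tank/jail/alpha/data) or a dataset outside the jail's subtree
# is fine, provided nothing the jail needs during /etc/rc lives on it.
dataset_may_be_jailed() {
    rootds=$1; ds=$2
    case "$ds" in
        "$rootds")   return 1 ;;   # the jail's own root dataset
        "$rootds"/*) return 0 ;;   # descendant of the root dataset
    esac
    case "$rootds" in
        "$ds"/*)     return 1 ;;   # ancestor, e.g. tank/jail or tank
    esac
    return 0                       # unrelated subtree, e.g. tank/shared/alpha
}

# jail.conf stanza for the jail. "zfs" inside the jail needs allow.mount,
# allow.mount.zfs, enforce_statfs below 2 and a visible /dev/zfs (the stock
# devfsrules_jail ruleset 4 unhides it). "zfs jail" is not remembered across
# jail restarts, so it is re-run from exec.poststart, followed by a mount
# inside the jail because /etc/rc has already finished by then.
jail_conf_stanza() {
    cat <<EOF
$JAIL {
    path = "$JAILROOT";
    host.hostname = "$JAIL.example.com";
    ip4.addr = 10.20.30.40;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    devfs_ruleset = 4;
    enforce_statfs = 1;
    allow.mount;
    allow.mount.zfs;
    exec.poststart = "/sbin/zfs jail $JAIL $DATA_DS";
    exec.poststart += "/usr/sbin/jexec $JAIL /sbin/zfs mount -a";
}
EOF
}

# Host-side setup. The mountpoint of a jailed dataset is resolved inside the
# jail, so it is the in-jail path (/data), not /jail/alpha/data. With
# jailed=on set at creation time the host does not mount the dataset at all.
create_delegated_dataset() {
    if ! dataset_may_be_jailed "$ROOT_DS" "$DATA_DS"; then
        echo "refusing to jail $DATA_DS: $JAIL could not boot without it" >&2
        return 1
    fi
    zfs create -o mountpoint=/data -o jailed=on "$DATA_DS"
}

# Checks to run once the jail is up: the parameters took effect, /dev/zfs is
# there, the host no longer mounts the dataset, and the jail can use it.
verify_delegation() {
    jls -j "$JAIL" enforce_statfs allow.mount allow.mount.zfs
    ls -l "$JAILROOT/dev/zfs"
    zfs get -H -o value jailed,mounted "$DATA_DS"
    jexec "$JAIL" zfs list -r "$DATA_DS"
    jexec "$JAIL" zfs snapshot "$DATA_DS@delegation-test"
}

# Run as "sh delegate.sh apply" on the FreeBSD host; without the argument the
# script only defines the functions above.
if [ "${1:-}" = apply ]; then
    create_delegated_dataset
    jail_conf_stanza >> /etc/jail.conf
    jail -c "$JAIL"
    verify_delegation
fi
```

The check refuses gT/JailS/testJail from the thread (it is the jail root) but accepts gT/JailS/testJail/data or a dataset in another subtree; whether a descendant holds files that /etc/rc needs is something the check cannot know, so keep delegated datasets to application data.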
Re: Failure to add new files when updating jails with ezjail-admin
Kirk Coombs wrote on 2016/12/07 01:20: The following files will be added as part of updating to 10.3-RELEASE-p13:

    /usr/share/zoneinfo/Asia/Barnaul
    /usr/share/zoneinfo/Asia/Famagusta
    /usr/share/zoneinfo/Asia/Tomsk
    /usr/share/zoneinfo/Asia/Yangon
    /usr/share/zoneinfo/Europe/Astrakhan
    /usr/share/zoneinfo/Europe/Kirov
    /usr/share/zoneinfo/Europe/Ulyanovsk

The files below are sources; these should not be in jails.

    /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure744.c
    /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure745.c
    /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure746.c
    /usr/src/contrib/ntp/README.pullrequests
    /usr/src/contrib/ntp/lib/isc/tsmemcmp.c
    /usr/src/contrib/ntp/scripts/build/genAuthors.in
    /usr/src/contrib/ntp/sntp/m4/sntp_problemtests.m4
    /usr/src/contrib/ntp/tests/libntp/run-tsafememcmp.c
    /usr/src/contrib/ntp/tests/libntp/tsafememcmp.c
    /usr/src/contrib/tzdata/CONTRIBUTING
    /usr/src/contrib/tzdata/LICENSE
    /usr/src/contrib/tzdata/Makefile
    /usr/src/contrib/tzdata/NEWS
    /usr/src/contrib/tzdata/README
    /usr/src/contrib/tzdata/Theory
    /usr/src/contrib/tzdata/backzone
    /usr/src/contrib/tzdata/checklinks.awk
    /usr/src/contrib/tzdata/checktab.awk
    /usr/src/contrib/tzdata/leapseconds.awk
    /usr/src/contrib/tzdata/version
    /usr/src/contrib/tzdata/zoneinfo2tdf.pl

The following files will be updated as part of updating to 10.3-RELEASE-p13:

    /var/db/mergemaster.mtree
    Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
    mtree: /usr/jails/newjail//boot/kernel: No such file or directory
    mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
    touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
    Could not create kernel backup directory

Jails are not using their own kernel, thus they don't need a /boot/kernel directory. The output is the same no matter how many times I invoke "ezjail-admin update -u," so the new files are clearly not being inserted into the basejail. Any suggestions?
I don't like ezjail; I am rolling jails by hand (a few simple shell scripts) so I can't talk about ezjail... but if freebsd-update failed because /boot/kernel was not found inside the jail, you can try to create this directory (an empty directory) and run the update again. Miroslav Lachman
some (random) jails are not started after reboot
Hi, we have a few machines running jails as "vps". All jails are maintained by me and have a normal setup with one IPv4. We are running the usual web things in jails like Apache, PHP, Python, MySQL. I noticed that some jails are not started after reboot on one machine. (after the security update to 10.3-RELEASE-p6 in the summer) I updated our machines last night to 10.3-RELEASE-p9 and one jail on the same machine did not start. The console log of this jail does not contain any startup messages. The last records are from the previous start. I can start the jail manually without any problem. No errors. Only one machine has this problem. The problem started a few months back. (The machine was started as some old 8.x install and is continually upgraded to the latest 10.3) The base system is on UFS, jails are on ZFS, if it matters. This is a production machine so I can't play with it too much. But has anybody else seen it too? How can I debug it on the next reboot? Miroslav Lachman
Re: Effective rule sets in a jail?
Grzegorz Junka wrote on 07/07/2016 11:42: OK, I am just a user, not very familiar with the terminology. For me (as a programmer) inheriting means overriding, so merging the more specific to the less specific declarations. Does it mean that the "inheriting" works in nested declarations but doesn't take into account the default value? In other words, the default is just default unless it is re-defined in a jail declaration. If that's the case then wouldn't it be more clear to name the "outside" default declaration as default, e.g. "default_devfs_ruleset"? Then it would be more difficult to confuse the default with the one that can be inherited. I think it is simple in its current form. (And I am not a sys developer, I was a web application programmer before I became a sysadmin) I started with jails a long time before jail2 with jail.conf. The current jail.conf is simpler in comparison with rc.conf-style variables. Naming each default variable with a different name will be harder to code, harder to write in jail.conf, harder to document in manpages. Almost all programming languages work the same in this context - the later variable definition wins. So you can easily define all variables needed to run jails and then set just those specific to one jail - IPs and hostname:

    ## Typical static defaults:
    ## Use the rc scripts to start and stop jails. Mount jail's /dev.
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";
    mount.devfs;
    devfs_ruleset = 4;
    enforce_statfs = 1;
    #allow.set_hostname = false;
    #allow.mount;
    allow.set_hostname = 0;
    allow.sysvipc = 0;
    allow.raw_sockets = 0;

    ## Dynamic wildcard parameter:
    path = "/vol1/jail/$name";
    exec.consolelog = "/var/log/jail/$name.console";
    mount.fstab = "/etc/fstab.$name";

    ## Jail myjail0
    myjail0 {
        host.hostname = "myjail0.example.conf";
        ip4.addr = 10.20.30.40;
    }

    ## Jail myjail1
    myjail1 {
        host.hostname = "myjail1.example.conf";
        ip4.addr = 10.20.30.41;
    }

devfs_ruleset is the same as the other variables - you can't (and I hope nobody expects) merge the global default value of e.g. exec.system_user or allow.sysvipc with variables defined in a specific jail context. Those variables can have only one value (bool, or string, or number; not an array). It is the same for devfs_rules. It can't have more than one numeric value, can't combine two together. I think you will be familiar with this very soon. Miroslav Lachman
Re: Effective rule sets in a jail?
Grzegorz Junka wrote on 07/07/2016 10:41: I was referring to this clause in the man document: Descendant jails inherit the parent jail's devfs ruleset enforcement. This is true for hierarchical "nested" jails = jail inside jail. And inheriting doesn't mean merging. You can't allow devices in a descendant jail which are not allowed in the parent. I thought that the outside rule is combined with the inside rule in the jail definition. But thanks for the hint about jls -s, it does show the (single) active rule set (however without referring to the specific rules defined in devfs.rules or a combination of it). You are mixing the nested jails context with the jail.conf context, where "outside" definitions are the defaults for all jails which are not overriding those values with their own values. Miroslav Lachman
Re: Effective rule sets in a jail?
Ultima wrote on 07/07/2016 06:04: Not so. The top variable, devfs_ruleset = 4 is being set as the default for all jails. The devfs_ruleset = 5 inside the brackets is changing the default value. How to check what ruleset is mounted? That is a great question. I'm not sure of an easy way to check other than verifying the /dev directory inside the jail. There is no way to set more than one devfs rule to jail AFAIK. You can see the rule number in output of jls -s or jls -n. Miroslav Lachman ___ freebsd-jail@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: netstat -rn in jail doesn't work
Grzegorz Junka wrote on 05/18/2016 18:37: What may be the reason that netstat -rn works in one jail and doesn't in another?

    root@app2:/ # netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    192.168.1.76       link#4             UHS         lo0

    root@pjp1:/ # netstat -rn
    netstat: kvm not available: /dev/mem: No such file or directory
    Routing tables
    rt_tables: symbol not in namelist

I don't know the reason but I can confirm this behavior. I have known about this for a long time. Netstat complains about /dev/mem for some other params too, even if it outputs correct values, for example for opened tcp connections:

    /# netstat -s -p tcp
    netstat: kvm not available: /dev/mem: No such file or directory
    tcp:
        1517892073 packets sent
            1453939900 data packets (2274781047202 bytes)
            759536 data packets (929141944 bytes) retransmitted
            59175 data packets unnecessarily retransmitted
            0 resends initiated by MTU discovery
            51907865 ack-only packets (26667901 delayed)
            0 URG only packets
            267 window probe packets
            795506 window update packets
            10493883 control packets
        1487401217 packets received
            1417951529 acks (for 2273802396874 bytes)
            7502860 duplicate acks
            38600 acks for unsent data
            1368386110 packets (2153255668968 bytes) received in-sequence
            222423 completely duplicate packets (39239815 bytes)
            11980 old duplicate packets
            221 packets with some dup. data (94160 bytes duped)
            35171 out-of-order packets (15770219 bytes)
            21 packets (11 bytes) of data after window
            11 window probes
            1863690 window update packets
            1642030 packets received after close
            281 discarded for bad checksums
            0 discarded for bad header offset fields
            0 discarded because packet too short
            87 discarded due to memory problems
        2448384 connection requests
        7800552 connection accepts
        0 bad connection attempts
        109 listen queue overflows
        339306 ignored RSTs in the windows
        10221160 connections established (including accepts)
        10554092 connections closed (including 1990441 drops)
            5674590 connections updated cached RTT on close
            5677848 connections updated cached RTT variance on close
            1583021 connections updated cached ssthresh on close
        10125 embryonic connections dropped
        1405786035 segments updated rtt (of 1374995187 attempts)
        404689 retransmit timeouts
            1681 connections dropped by rexmit timeout
        608 persist timeouts
            0 connections dropped by persist timeout
        0 Connections (fin_wait_2) dropped because of timeout
        12388 keepalive timeouts
            11896 keepalive probes sent
            492 connections dropped by keepalive
        38184853 correct ACK header predictions
        46419366 correct data packet header predictions
        7826351 syncache entries added
            45759 retransmitted
            55797 dupsyn
            84 dropped
            7800552 completed
            40 bucket overflow
            0 cache overflow
            19220 reset
            7941 stale
            109 aborted
            0 badack
            230 unreach
            0 zone failures
        7826435 cookies sent
        1784 cookies received
        212203 hostcache entries added
            28 bucket overflow
        104273 SACK recovery episodes
        242234 segment rexmits in SACK recovery episodes
        303575028 byte rexmits in SACK recovery episodes
        1538523 SACK options (SACK blocks) received
        12421 SACK options (SACK blocks) sent
        114 SACK scoreboard overflow
        0 packets with ECN CE bit set
        0 packets with ECN ECT(0) bit set
        0 packets with ECN ECT(1) bit set
        0 successful ECN handshakes
        0 times ECN reduced the congestion window
        0 packets with valid tcp-md5 signature received
        0 packets with invalid tcp-md5 signature received
        0 packets with tcp-md5 signature mismatch
        0 packets with unexpected tcp-md5 signature received
        0 packets without expected tcp-md5 signature received

I tried netstat -rn in all 8 jails on our test machine. 4 of them work, the other 4 don't. netstat -rn doesn't work in those jails which are older than the host environment. netstat -s -p tcp prints the error message even in the newest jails:

    netstat: kvm not available: /dev/mem: No such file or directory

Miroslav Lachman
Re: SYSV IPC on jails with separate key namespace
James Gritton wrote on 04/21/2016 19:18: I've updated patch 48471 (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471) which had a patch to make jails work the way they should regarding SYSV IPC objects. There's a new patch there, that does the same thing, but with some different infrastructure around it. This is really good news. Thank you James! I plan to commit these patches pretty soon, to get into the 11 release. I'd like some feedback first if anyone wants to try them out, but barring that I'll accept my feedback after I commit :-). They work at least for some simple test cases, but I don't have anything handy that actually makes significant use of SYSV IPC and I know that others do and have been waiting to see something like this. Will this be MFC'd to 10.x? I don't have any 11 (CURRENT) right now. I would like to test this with a few instances of PostgreSQL and Firebird in jails. I don't know when I will have time for it because I am busy with $WORK. I hope I will try it soon! Thank you for your ongoing work on jails. Miroslav Lachman
Re: SHM objects cannot be isolated in jails, any evolution in future FreeBSD versions?
James Gritton wrote on 03/23/2016 00:25: On 2016-03-17 05:54, Simon wrote: Le 2016-03-15 09:34, Miroslav Lachman a écrit : Mark Felder wrote on 03/14/2016 22:07: On Sat, Mar 12, 2016, at 11:42, James Gritton wrote: On 2016-03-12 04:05, Simon wrote: The shm_open()(2) function changed since FreeBSD 7.0: the SHM objects path are now uncorrelated from the physical file system to become just abstract objects. Probably due to this, the jail system do not provide any form of filtering regarding shared memory created using this function. Therefore: - Anyone can create unauthorized communication channels between jails, - Users with enough privileges in any jail can access and modify any SHM objects system-wide, ie. shared memory objects created in any other jail and in the host system. I've seen a few claims that SHM objects were being handled differently whether they were created inside or outside a jail. However, I tested on FreeBSD 10.1 and 9.3 but found no evidence of this: both version were affected by the same issue. A reference of such claim: https://lists.freebsd.org/pipermail/freebsd-ports-bugs/2015-July/312665.html My initial post on FreeBSD forum discussing the issue with more details: https://forums.freebsd.org/threads/55468/ Currently, there does not seem to be any way to prevent this. I'm therefore wondering if there are any concrete plans to change this situation in future FreeBSD versions? Be able to block the currently free inter-jail SHM-based communication seems a minimum, however such setting would also most likely prevent SHM-based application to work. Using file based SHM objects in jails seemed a good ideas but it does not seem implemented this way, I don't know why. Is this planned, or are there any greater plans ongoing also involving IPC's similar issue? There are no concrete plans I'm aware of, but it's definitely a thing that should be done. How about filing a bug report for it? You've already got a good write-up of the situation. 
Both this and SYSV IPC jail support[1] are badly needed. [1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471

Yes, it is very sad that the original patch was not committed, nor commented on or improved by core developers for 13 long years. I am not 100% sure but I think there was some patch from PJD for SysV IPC too. There was EclipseBSD with resource limits in the times of FreeBSD 3.4 and there is FreeVPS for 6.x with virtualized IPC... So I really hope SysV IPC aware jails will become reality soon. Miroslav Lachman

Hi everyone, Odd thing, I've seen that the very first exchanges which opened this mailing list back in 2007 precisely discussed IPC isolation in Jail and some work already done in the Jail2 project, part of the now abandoned FreeVPS project. At that time IPC virtualization was qualified as an easy job: "As say about SYSV IPC stuff you say about only virtualization? or also about limits? "virtualization" is easy, but for limits - need more work" (https://lists.freebsd.org/pipermail/freebsd-jail/2007-May/04.html) We have now come full circle :).

As for the SHM objects issue, I've now filed a new bug #208082: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208082 I explain in the bug description why it may be different from the already existing bug #48471 covering SysV IPC.

On 2016-03-17 01:10, Dewayne Geraghty wrote: PS We don't want/need the complexity (or performance hit) associated with v* additions when a well thought out (simple) jail does the task very nicely :)

I agree, the main advantage of jails and other lightweight containers is precisely their lightness. Regards, Simon.

I've put a diff on the bug report (Bug 208082), for the shm objects, and also for ksem and mqueue which have the same problems. Any review is welcome :-). SYSV IPC is a separate issue.
I'm following up with bz about my memory of hearing there's something vimage-related there, and if there isn't I can jump into that one as well (I actually have some work already done with it, so it just needs a little more).

I am more interested in SysV IPC (needed to run PostgreSQL in jails) but working SHM is a good starting point. I really appreciate all your work on improving jails! Thank you for this great news :) Miroslav Lachman ___ freebsd-jail@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Jail management
Martin "eto" Misuth wrote on 02/25/2016 16:14: [...]
- not sure about Miroslav's problems with freebsd-update, but it seems to work pretty well with the -basedir /jail/tree parameter nowadays (there might be corner cases)

Freebsd-update maintains patches for each file in each jail (if you use full jails and not a shared basejail) so this is IO / space / time consuming. freebsd-update has some unhandled exceptions which can leave the system in an inconsistent state (unbootable). It ended up with mixed files from 9.x and 10.x on the host when updating the host. It was about 2 years ago and it may be fixed. I don't know.

- you can have an older jail base run on the newest kernel (the other way around is not possible)
- you can kill many files in a given jail to get a bare minimal running setup (this seems completely driven by gut, from what I gathered, as some things might have un-obvious dependencies)
- you can mount many things into a jail read-only (this makes them more rigid and harder to "manage" "live")
- jails can have limits on the number of procs living in them and can be allowed to be nested(!) (jail-in-jail)
- with rctl you can cap resources per jail

Beware of RCTL. We are using it a lot but some of the limits don't work as one can expect from their name and manpage description. Namely memory or swapuse. Limiting of the processor seems good. Miroslav Lachman
Re: Jail management
Aristedes Maniatis wrote on 02/22/2016 12:26: On 22/02/2016 9:56pm, Miroslav Lachman wrote: I don't know your environment and your FreeBSD jails skills but it seems you think jails are something complex and "magic". It is not. ... Just don't be afraid of writing simple shell scripts :)

You are right, and perhaps I should just bite the bullet. I am afraid of only two things.

* upgrade the basejail with FreeBSD upgrades. I am sure this is a simple bit of chroot magic, but freebsd-update is a bit of a black box to me.

I tried it a few years ago and it had some problems that didn't fit well into my environment, then I moved all our servers to our own buildserver with make buildkernel + buildworld and then installworld through NFS into the destination. Faster, safer and more predictable solution. (I had problems with freebsd-update even on bare metal systems, not in jails)

* nullfs. I've never used it before and need to play with it more

Nullfs is easy. You can "mount" one directory to another. If you have /vol0/jail/_basejail and jails in /vol0/jail/alpha, /vol0/jail/beta then you can do

  mkdir /vol0/jail/alpha/basejail
  mkdir /vol0/jail/beta/basejail
  mount -t nullfs /vol0/jail/_basejail /vol0/jail/alpha/basejail
  mount -t nullfs /vol0/jail/_basejail /vol0/jail/beta/basejail

Your basejail contains

  # ls -1 /vol0/jail/_basejail
  UPDATED
  bin
  boot
  lib
  libexec
  rescue
  sbin
  usr

and the jails (alpha, beta and your new jail template) contain symlinks to these directories

  # ls -lg /vol0/jail/alpha/
  -rw-r--r--   1 root  wheel   798 Jan 13  2015 .cshrc
  -rw-r--r--   2 root  wheel   265 Jan 13  2015 .profile
  -r--r--r--   1 root  wheel  6197 May 12  2015 COPYRIGHT
  drwxr-xr-x   9 root  wheel    10 May 12  2015 basejail
  lrwxr-xr-x   1 root  wheel    13 Jan 13  2015 bin -> /basejail/bin
  lrwxr-xr-x   1 root  wheel    14 Jan 13  2015 boot -> /basejail/boot
  dr-xr-xr-x   7 root  wheel   512 Oct 18 17:52 dev
  lrwxr-xr-x   1 root  wheel    12 Jan 20  2015 develop -> /usr/develop
  drwxr-xr-x  20 root  wheel   105 Nov 12 19:37 etc
  lrwxr-xr-x   1 root  wheel     8 Jan 13  2015 home -> usr/home
  lrwxr-xr-x   1 root  wheel    13 Jan 13  2015 lib -> /basejail/lib
  lrwxr-xr-x   1 root  wheel    17 Jan 13  2015 libexec -> /basejail/libexec
  dr-xr-xr-x   2 root  wheel     2 Jan 13  2015 proc
  lrwxr-xr-x   1 root  wheel    16 Jan 13  2015 rescue -> /basejail/rescue
  drwxr-xr-x  10 root  wheel    29 May 12  2015 root
  lrwxr-xr-x   1 root  wheel    14 Jan 13  2015 sbin -> /basejail/sbin
  lrwxr-xr-x   1 root  wheel    11 Jan 13  2015 sys -> usr/src/sys
  drwxrwxrwt   9 root  wheel    10 Feb 22 03:43 tmp
  drwxr-xr-x   7 root  wheel    17 Jan 20  2015 usr
  drwxr-xr-x  22 root  wheel    22 Oct 18 17:52 var

Nullfs mounts can be specified in fstab files

  # cat /etc/fstab.alpha
  /vol0/jail/_basejail /vol0/jail/alpha/basejail nullfs ro 0 0
  # cat /etc/fstab.beta
  /vol0/jail/_basejail /vol0/jail/beta/basejail nullfs ro 0 0

So if the jails are running, you will see this

  tank/vol0/jail/alpha on /vol0/jail/alpha (zfs, local, noatime, nfsv4acls)
  tank/vol0/jail/beta on /vol0/jail/beta (zfs, local, noatime, nfsv4acls)
  /vol0/jail/_basejail on /vol0/jail/alpha/basejail (nullfs, local, read-only)
  /vol0/jail/_basejail on /vol0/jail/beta/basejail (nullfs, local, read-only)

And you can have gamma with another basejail called _basejail93 mounted as

  tank/vol0/jail/gamma on /vol0/jail/gamma (zfs, local, noatime, nfsv4acls)
  /vol0/jail/_basejail93 on /vol0/jail/gamma/basejail (nullfs, local, read-only)

Migrating this jail to _basejail is just a matter of changing one line in fstab.gamma.

All common settings are in /etc/jail.conf. It can be something like this

  ## Typical static defaults:
  ## Use the rc scripts to start and stop jails. Mount jail's /dev.
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  exec.system_user = "root";
  exec.jail_user = "root";
  mount.devfs;
  devfs_ruleset = 4;
  enforce_statfs = 1;
  #allow.set_hostname = false;
  #allow.mount;
  allow.set_hostname = 0;
  allow.sysvipc = 0;
  allow.raw_sockets = 0;

  ## Dynamic wildcard parameter:
  ## Base the path off the jail name.
  path = "/vol0/jail/$name";
  exec.consolelog = "/var/log/jail/$name.console";
  mount.fstab = "/etc/fstab.$name";

  ## Alpha
  alpha {
      host.hostname = "alpha.example.com";
      ip4.addr = 10.10.10.20;
      allow.sysvipc = 1;
  }
  ## Beta
  beta {
      host.hostname = "beta.example.com";
      ip4.addr = 10.10.10.30;
  }
  ## Gamma
  gamma {
      host.hostname = "gamma.example.com";
      ip4.addr = 10.10.10.40;
  }

As for shell scripts: my only goal in life is to write *fewer* shell scripts. My adoption of saltstack was spurred by shell everywhere, mostly not under version control. So less shell and more python centrally managed and versio
Re: Jail management
Aristedes Maniatis wrote on 02/22/2016 03:18: [...] Have I just now outgrown ezjail and should set off on my own? I'm afraid of how I'd go about upgrading the basejail for new FreeBSD host versions without your tool :-)

I don't know your environment and your FreeBSD jails skills but it seems you think jails are something complex and "magic". It is not. Managing jails by "hand" (own simple tools and scripts) is really simple and straightforward.

Creating a new base jail is just 'make installworld DESTDIR=/vol/jail/_basejail_XYZ' (or extracting the base.txz installation archive). Moving your old jail to a newer basejail is a matter of a change in the fstab file where you will change the path to the new basejail.

Once you have tried it you will find how simple it is to write some own script perfectly fitting your needs. It is just file manipulation - installing, unpacking, moving, deleting. Nothing more. As time and projects passed by, I had scripts to create+update jails from FTP, or from NFS mounted src and obj (by make installworld), or by unpacking a TGZ archive, or updated by rsyncing files from the host's base or another directory... There are so many ways you can do this and I don't think you will find any existing tool fitting all your needs. Just don't be afraid of writing simple shell scripts :)

For your problem with installing old versions of packages - I think you are still able to install whatever version you need if you have it locally on disk. Then you can use "pkg install my-package-1.2.3.txz" (you need all dependencies as well) Miroslav Lachman
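The two messages above (the nullfs basejail layout with fstab.NAME and jail.conf, and the "it is just file manipulation" advice on building your own scripts) describe one procedure. The script below is an added example written for this page, not code from the list posts or from any jail tool: it creates the skeleton of a thin jail with symlinks into /basejail, writes the read-only nullfs line into a per-jail fstab, and prints the jail.conf fragment. The directory names, the hostname and address in the demo, and the helper names are assumptions; populating etc/, var/ and usr/ from base.txz or a template and the actual mount are left to the caller.

```shell
#!/bin/sh
# Added example, not code from the list posts or from any jail tool:
# builds the skeleton of a "thin" jail that shares a read-only basejail
# over nullfs, the layout described in the thread.  JAILROOT, the jail
# name and the basejail name are arguments.  Nothing is mounted here;
# on FreeBSD jail(8) does that through mount.fstab (mount -F fstab.NAME -a).

# Directories served from the shared basejail; each becomes a symlink
# in the thin jail pointing at the in-jail mount point /basejail.
SHARED_DIRS="bin boot lib libexec rescue sbin"

# write_fstab <jailroot> <name> <basejail-name> <fstab-dir>
#   (re)writes <fstab-dir>/fstab.<name> with the read-only nullfs line.
#   Moving a jail to another basejail is just calling this again with a
#   different <basejail-name>: the one-line change mentioned above.
write_fstab() {
    printf '%s/%s\t%s/%s/basejail\tnullfs\tro\t0\t0\n' \
        "$1" "$3" "$1" "$2" > "$4/fstab.$2"
}

# make_thinjail <jailroot> <name> <basejail-name> <fstab-dir>
#   creates <jailroot>/<name> with the symlinks and the fstab entry;
#   refuses to touch an existing jail directory.
make_thinjail() {
    jailroot=$1; name=$2; base=$3; fstabdir=$4
    jaildir="$jailroot/$name"
    [ -e "$jaildir" ] && { echo "$jaildir already exists" >&2; return 1; }
    mkdir -p "$jaildir/basejail" "$jaildir/etc" "$jaildir/usr" \
             "$jaildir/var" "$jaildir/tmp" "$jaildir/root" "$fstabdir" || return 1
    chmod 1777 "$jaildir/tmp"
    for d in $SHARED_DIRS; do
        # absolute target on purpose: it is resolved inside the jail,
        # where the nullfs mount of the basejail appears as /basejail
        ln -s "/basejail/$d" "$jaildir/$d" || return 1
    done
    write_fstab "$jailroot" "$name" "$base" "$fstabdir"
}

# jailconf_fragment <name> <hostname> <ip4>
#   prints the per-jail block for /etc/jail.conf; path, consolelog and
#   mount.fstab come from the $name wildcards in the shared defaults.
jailconf_fragment() {
    printf '%s {\n    host.hostname = "%s";\n    ip4.addr = %s;\n}\n' "$1" "$2" "$3"
}

# Demo on a constructed temp tree (no root, no mounts):  sh thinjail.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(mktemp -d)
    make_thinjail "$root" alpha _basejail "$root/etc" &&
        ls -l "$root/alpha" && cat "$root/etc/fstab.alpha" &&
        jailconf_fragment alpha alpha.example.com 10.10.10.20
    rm -rf "$root"
fi
```

The symlink targets are absolute because they are only ever resolved from inside the running jail; from the host, /vol0/jail/alpha/bin dangles until the nullfs mount is in place, which is why managing the basejail contents from the host goes through /vol0/jail/_basejail directly.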
Re: ppp has NOJAIL keyword in its startup script
Rob J wrote on 12/11/2015 20:26: Hello, I was wondering why my ppp configuration wasn't starting in a jail, until I looked at the /etc/rc.d/ppp script, which contains the keyword NOJAIL. So, I cannot start ppp (for my dsl connection) in a jail, and the question is why? Are there security, or other reasons why you can't run ppp in a jail?

You cannot manage network interfaces, IP addresses and routing tables in a jail with default system settings (for security reasons). Miroslav Lachman
Re: /etc/jail.conf documentation?
Clint Armstrong wrote on 10/29/2015 12:53: A little while ago I wrote up an overview of how I build jails using jail.conf at http://clinta.github.io/freebsd-jails-the-hard-way/.

I noticed you are using unionfs. Is it working without any problems? Every time (in the past) I read that somebody tried it, it always had some problems with stability etc. And what are you using to update / upgrade modified system files in thinjail1? (if the nullfs ro shared base is updated / upgraded) Miroslav Lachman
Re: preferred jail management tool
Dirk Engling wrote on 01/27/2015 22:21: On 27.01.15 22:12, Miroslav Lachman wrote: Yes. Sometimes I have a feeling that jails or some other features are unwanted children. I had a PR open for years with patches to rc.d/jail or etc/rc.subr to incorporate nice, or cpuset. And it never found its way to the tree.

How's that possible? I felt similarly frustrated when I went to 2013's BSDCan trying to talk to the jaily people and no one was around. Jamie couldn't attend but said that he's busy with other stuff and couldn't commit time to jail development. Which, of course, is fine. It leaves a void, though. What good are features that are neither documented nor exposed to the users? How do we move on from here and get config and docs synchronized and where can I get a big picture of what's the big plan for the future?

I don't know if it is because FreeBSD has insufficient man power to fulfill all related tasks. I just think this is the root cause why we still have simple jails while Linux folks pushed their train hard and now are far away with many jail-like container solutions allowing projects like Docker to happen. And this is sad. Miroslav Lachman
Re: preferred jail management tool
Peter Toth wrote on 01/27/2015 21:37: [...] A lot of new technologies emerged/matured in FreeBSD in the recent years, we have resource containers (rctl), ZFS, VIMAGE/VNET, cpuset - just to name a few. These are a blessing when it comes to managing/using jails. These (awesome) technologies really set FreeBSD apart from other Unix like operating systems - yet no integration points existed for jails.

Yes. Sometimes I have a feeling that jails or some other features are unwanted children. I had a PR open for years with patches to rc.d/jail or etc/rc.subr to incorporate nice, or cpuset. And it never found its way to the tree. In the time I was maintaining the Jails wiki page I tried to convince developers to write about their work in progress publicly in this list. But it never happened. It was almost every time quite hidden work and then a commit. As a result we have many features in the base system, but no way to use them all together just with base startup scripts and tools. That's why we need 3rd party tools like iocage, cbsd, ezjail etc. to fix this gap. Miroslav Lachman
Re: preferred jail management tool
Michael W. Lucas wrote on 01/23/2015 22:00: Hi, For those who haven't heard, I'm writing a book on jails. Some details are at http://blather.michaelwlucas.com/archives/2286.

I am glad to read that somebody is working on this topic. (after all!) :) I was maintaining https://wiki.freebsd.org/Jails for some time in the past. It was not an easy task, because almost all development work (new features and changes) was made behind closed doors. I am no longer able to keep this page up to date.

I want to cover at least one jail management tool. I've done some research into jail tools. You can see my results at http://blather.michaelwlucas.com/archives/2291.

I don't know your concept of the book but from my point of view, it is more important to explain everything behind it rather than one tool (and I am almost sure you know it). Too many users have the feeling that jails are some kind of black magic. And the reality is as simple as a directory tree full of normal system files. If it should have real value to a wide range of users (not only for beginners), the book should cover all corner use cases. For example:
- cpuset, resource limits, quotas, setfib, VIMAGE (routing and firewalling inside jails), IPv6, ZFS (cloning, snapshotting), nullfs, unionfs, hierarchical jails, using jail.conf instead of rc.conf
- running 32bit jails on a 64bit system
- running Linux inside of a jail
- monitoring jail resource usage
- installing jails by extracting base.txz, by installworld, by rsync from the host system
- upgrading jails by installworld, by freebsd-update, by rsync from the host system
- converting a physical server into a jail and vice versa
- etc.

I have several choices of jail management tools to write about. It seems that ezjail gets all the press. I'm wondering if this is because it's the first tool, or if it's the best of its kind. I also hear a lot of whinging about ezjail. I suspect that's because it's the most widely deployed tool of its type, however. The one in front gets the most mud slung at it. Looking at the documentation, I'm highly intrigued by iocage. It seems to do everything that ezjail does and then some. CBSD also looks like a really good choice. Based on what I know now, I'm inclined to cover iocage and CBSD.

I created my first jail a long time before I discovered the existence of ezjail. Then I tried ezjail and ended up with some crashes after update / upgrade of jails by ezjail so I decided not to use it anymore (I still have one old server with ezjail installed). I wrote my own simple tool (shell script) focused on my tasks and my workflow. Installation or update never failed anymore. So I am one of those folks whinging about ezjail.

I want to ask the experts, though. Which is you guys. Any recommendations on what I should cover, or not cover? Any big screaming red flags in these tools that I should be aware of?

From my point of view, ezjail is the most widespread and outdated at the same time. New features are glued into it in a not so good way and some are missing. Newer tools, like iocage or CBSD, are designed with all new features from the beginning. As I wrote above, I am using my own tool and I don't have practical experience with iocage or CBSD, but I really would like to read about one of them in your book. After some documentation and mailing list reading I prefer CBSD for bigger projects and iocage for some smaller ones (single host server, for example). I am looking forward to reading your books about Jails and ZFS. Miroslav Lachman
Re: jail.conf cpuset.id
Jamie Gritton wrote: [...]

Hi Jamie, I tried your suggestion with exec_poststart for setting the cpuset. It doesn't work. I don't know if it worked for you with any older version of FreeBSD. I tried it on FreeBSD 9.1-RELEASE. I have this in rc.conf

  jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `cat /var/run/jail_fox.id`"

With rc_debug=YES, I get this error

  # service jail start fox
  cat: /var/run/jail_fox.id: No such file or directory
  cat: /var/run/jail_fox.id: No such file or directory
  [snip]
  /etc/rc.d/jail: DEBUG: fox exec post-start #1: cpuset -c -l 5-6 -j
  [snip]
  fox.example.comcpuset: option requires an argument -- j
  usage: cpuset [-l cpu-list] [-s setid] cmd ...
         cpuset [-l cpu-list] [-s setid] -p pid
         cpuset [-c] [-l cpu-list] -C -p pid
         cpuset [-cr] [-l cpu-list] [-j jailid | -p pid | -t tid | -s setid | -x irq]
         cpuset [-cgir] [-j jailid | -p pid | -t tid | -s setid | -x irq]

I think the problem is that the command is evaluated before the jail is started. Or am I doing something wrong? I also tried the following with no luck:

  jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `jls -j fox jid`"

I'm not seeing /var/run/jail_*.id either, despite it being mentioned in /etc/rc.d/jail. The jls one works for me, but then I'm running current so maybe that's the difference.

I made a diff between rc.d/jail from HEAD, 8.4-RELEASE and 9.1-RELEASE and there are no changes in the code for _exec_poststart. I don't know how it is possible that it works for you and doesn't for me. If I interpret it correctly, the following code in the beginning of init_variables() does the eval on the command and backticks are executed at this time - before the jail is started. Am I wrong?

  i=0
  while : ; do
      eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\"
      [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break
      i=$((i + 1))
  done

Then there is code for debug printing only

  i=0
  while : ; do
      eval out=\"\${_exec_poststart${i}:-''}\"
      if [ -z "$out" ]; then
          break
      fi
      debug "$_j exec post-start #${i}: ${out}"
      i=$((i + 1))
  done

And in jail_start() there is the jail command execution followed by execution of the poststart commands, but at this time the command is "cpuset -c -l 5-6 -j" and not "cpuset -c -l 5-6 -j `jls -j fox jid`"

  eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
      \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \
      </dev/null
  i=0
  while : ; do
      eval out=\"\${_exec_poststart${i}:-''}\"
      [ -z "$out" ] && break
      ${out}
      i=$((i + 1))
  done

So how can it work for you? Are there any changes in sh with eval and backtick evaluation in HEAD?

If all else fails, you can hardcode the jail number - that'll work as long as you only ever let the jails load on startup.

Unluckily I need to restart some jails manually, so I think I cannot use hardcoded JID numbers :( Thank you for your reply. Miroslav Lachman
Re: jail.conf cpuset.id
Jamie Gritton wrote: On 03/17/13 05:59, Nicolas de Bari Embriz Garcia Rojas wrote: Hi all, I have started using jail.conf for running my jails; in rc.local I have this line

  jail -c

to start my jails at boot time (any better ideas?). Now checking the man pages for jail I found an option that caught my attention, 'cpuset.id'. Any idea how to use it? I would like to find a way to prevent a root user within a jail from running a 'fork-bomb' and freezing the host server.

Take a look at cpuset(1). You use that utility (in the host environment) to change the CPUs available to a jail. Don't worry about the cpuset.id parameter itself - you don't need it. Just use cpuset's -j flag to specify the jail itself (by jid only). When you're starting jails in rc, add the appropriate cpuset commands as an exec_poststart option. Such as:

  jail_backtest_poststart0="cpuset -c -l1,3-7 -j`cat /var/run/jail_backtest.id`"

Hi Jamie, I tried your suggestion with exec_poststart for setting the cpuset. It doesn't work. I don't know if it worked for you with any older version of FreeBSD. I tried it on FreeBSD 9.1-RELEASE. I have this in rc.conf

  jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `cat /var/run/jail_fox.id`"

With rc_debug=YES, I get this error

  # service jail start fox
  cat: /var/run/jail_fox.id: No such file or directory
  cat: /var/run/jail_fox.id: No such file or directory
  [snip]
  /etc/rc.d/jail: DEBUG: fox exec post-start #1: cpuset -c -l 5-6 -j
  [snip]
  fox.example.comcpuset: option requires an argument -- j
  usage: cpuset [-l cpu-list] [-s setid] cmd ...
         cpuset [-l cpu-list] [-s setid] -p pid
         cpuset [-c] [-l cpu-list] -C -p pid
         cpuset [-cr] [-l cpu-list] [-j jailid | -p pid | -t tid | -s setid | -x irq]
         cpuset [-cgir] [-j jailid | -p pid | -t tid | -s setid | -x irq]

I think the problem is that the command is evaluated before the jail is started. Or am I doing something wrong?

I also tried the following with no luck:

  jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `jls -j fox jid`"

Miroslav Lachman
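The two messages above trace the empty "-j" argument through the eval loops in rc.d/jail. The script below is an added example written for this page, not code from the list or from rc.d/jail: it reproduces the effect with a constructed stand-in for /etc/rc.conf, using the fact that rc(8) sources rc.conf as shell before any jail exists, so a double-quoted backtick expression is expanded at that moment, not when the poststart hook runs. The temp file that plays the role of /var/run/jail_fox.id, the jid 42 and the `|| true` inside the backticks (only there so the demo survives `set -e`) are assumptions; jls(8) and cpuset(1) are not invoked, only the resulting command strings are compared.

```shell
#!/bin/sh
# Added example, not from the list posts or rc.d/jail: shows why a
# backtick command in an rc.conf variable yields an empty jid in the
# poststart hook.  /etc/rc.conf is sourced as shell by rc(8) long
# before any jail starts, so `cat /var/run/jail_fox.id` (or `jls -j
# fox jid`) runs at that moment, against a jail that does not exist yet.
# The id file is a constructed temp file; no jail, jls or cpuset needed.

# demo_rcconf_backticks: prints "<hook0>|<hook1>" where hook0 is the
# double-quoted rc.conf form (expanded when rc.conf is sourced) and
# hook1 a single-quoted form that is only expanded when the hook runs.
demo_rcconf_backticks() {
    tmp=$(mktemp -d) || return 1
    idfile="$tmp/jail_fox.id"

    # constructed stand-in for /etc/rc.conf; the backslashes keep the
    # backticks and the $(...) literal inside the here-document, and
    # "|| true" only keeps a missing id file from aborting under set -e
    cat > "$tmp/rc.conf" <<EOF
jail_fox_exec_poststart0="cpuset -c -l 5-6 -j \`cat $idfile 2>/dev/null || true\`"
jail_fox_exec_poststart1='cpuset -c -l 5-6 -j \$(cat $idfile 2>/dev/null || true)'
EOF

    # 1. rc(8) sources rc.conf: the double-quoted backticks run NOW;
    #    the id file does not exist yet, so poststart0 ends in "-j "
    . "$tmp/rc.conf"

    # 2. only now does "jail start" create the jail and its id file
    echo 42 > "$idfile"

    # 3. rc.d/jail runs the hook: poststart0 is already a fixed string;
    #    poststart1 still holds the literal $(...) and is expanded here
    hook0=$jail_fox_exec_poststart0
    eval "hook1=\"$jail_fox_exec_poststart1\""

    rm -rf "$tmp"
    printf '%s|%s\n' "$hook0" "$hook1"
}
```

The single-quoted form only helps if the hook is run through an eval, and the 9.1 rc.d/jail loop quoted above executes `${out}` directly, so in practice the lookup has to be deferred into a small script referenced from rc.conf (for example a hypothetical `jail_fox_exec_poststart0="/usr/local/sbin/jail-cpuset fox 5-6"` whose body runs `jls -j "$1" jid` and then cpuset at hook time); that path and script name are assumptions, not anything the thread proposes.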
Re: combining rc.conf and jail.conf
Marek Rudnicki wrote: Hello I have a jail configuration in /etc/jail.conf and can start it with:

  # jail -c myjail

However, I would like to start it automatically at system boot, e.g. by using /etc/rc.conf. What's the best way to do that? And generally, is it the recommended way to configure jails in /etc/jail.conf and just start them with /etc/rc.conf? Cheers Marek PS I'm running FreeBSD 9.1-RELEASE-p4

You can install sysutils/jail2 - it is a new rc script for starting jails configured in /etc/jail.conf. The original /etc/rc.d/jail cannot start jails from jail.conf. Beware of a bug in the handling of devfs rulesets in FreeBSD 9.1 - see the archive of this list. (I think it is fixed in stable and 9.2) Miroslav Lachman
Re: automatic garbage collection of stuff mounted (etc.) by jailed root
Jamie Gritton wrote: On 04/22/13 11:39, Miroslav Lachman wrote: Jamie Gritton wrote: On 04/22/13 03:17, Mateusz Guzik wrote: [...] Again, the goal is to have jails clean up automatically after anything jailed root was permitted to do. Thoughts?

This already happens when jails are created using a jail.conf file. Any mounts there are unmounted as part of the jail removal process. Just recently I fixed it to properly do this unmounting in reverse order.

Do you mean mounts defined in jail.conf or all mounts manually done by the root user in the jail? Miroslav Lachman

Ah, I see the difference. Yes, that's only for mounts in the jail.conf. For mounts done by the jail itself, I guess we would go off the mount record's credential. So is this something you expect to be happening entirely in the kernel?

I don't know what the right place for this is, but I am sure there should be something to clear these mounts made inside jails. Otherwise there will be unwanted leftovers after a jail restart / destroy. Miroslav Lachman
Re: rc.d/jail and jail.conf
Dirk Engling wrote: if I follow the development correctly, the jail(8) command was augmented to make the rc.d/jail script obsolete. However when I want to use the rc system to start my jails, I am stuck with convincing rc.d/jail to not fail for missing _hostname or _rootdir.

Jails in any RELEASE version of FreeBSD are not 100% ready to be started the new way. The old rc.d/jail + rc.conf style is still the only one officially supported. (see my posts one week ago)

How am I supposed to have my jails started at boot time? And while we're at it, is there a rcorder-style way to introduce dependencies into jail.conf to control the order my jails are started in?

You can use sysutils/jail2 but be aware of the devfs problem... In theory, with jail.conf you should use depend (see man jail) to define jail dependencies.

Which brings me to another point, there does not seem to be a way to convince rc.d/jail to set a jailname for old style jails, making it hard to integrate with tools that use libjail to translate what were _hostname parameters to jid before.

There is a way, you should use flags. I discussed this topic with bz@ a few years ago and this is the official recommendation how newly added features should be used without changes in rc.d/jail

  jail_myjail_flags="-l -U root -n myjail"

Miroslav Lachman
Re: new jail(8) ignoring devfs_ruleset?
  crw-------  1 root  wheel     0,  51 Mar  1 19:40 ttyv7
  crw-------  1 root  wheel     0,  52 Mar  1 19:39 ttyv8
  crw-------  1 root  wheel     0,  53 Mar  1 19:39 ttyv9
  crw-------  1 root  wheel     0,  54 Mar  1 19:39 ttyva
  crw-------  1 root  wheel     0,  55 Mar  1 19:39 ttyvb
  crw-------  1 root  wheel     0,  56 Mar  1 19:39 ttyvc
  crw-------  1 root  wheel     0,  57 Mar  1 19:39 ttyvd
  crw-------  1 root  wheel     0,  58 Mar  1 19:39 ttyve
  crw-------  1 root  wheel     0,  59 Mar  1 19:39 ttyvf
  dr-xr-xr-x  2 root  wheel         512 Mar 22 00:46 ufs
  dr-xr-xr-x  2 root  wheel         512 Mar 22 00:46 ufsid
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
  lrwxr-xr-x  1 root  wheel           9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
  crw-------  1 root  wheel     0, 163 Mar  1 19:39 ukbd0
  crw-r--r--  1 root  operator  0, 169 Mar  1 19:39 ums0
  crw-r--r--  1 root  operator  0, 172 Mar  1 19:39 ums1
  lrwxr-xr-x  1 root  wheel           6 Mar 22 00:46 urandom -> random
  dr-xr-xr-x  2 root  wheel         512 Mar 22 00:46 usb
  crw-r--r--  1 root  operator  0,  70 Mar  1 19:39 usbctl
  crw-------  1 root  wheel     0,  69 Mar  1 19:39 vboxdrv
  crw-------  1 root  wheel     0, 196 Mar  1 19:40 vboxnetctl
  crw-------  1 root  operator  0,  71 Mar  1 19:39 xpt0
  crw-rw-rw-  1 root  wheel     0,  23 Mar  1 19:39 zero

Is it a problem in my understanding of the manpage / configuration, or is it a bug in the jail command on 9.1-RELEASE? Miroslav Lachman
Re: new jail(8) ignoring devfs_ruleset?
Jamie Gritton wrote: On 03/21/13 17:59, Miroslav Lachman wrote: Jeremie Le Hen wrote: On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote: schrieb Jamie Gritton am 16.02.2013 00:40 (localtime): On 02/15/13 09:27, Harald Schmalzbauer wrote: Hello, like already posted, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension! Accidentally I saw that devfs_ruleset seems to be ignored. If I list /dev/ I see all the host's disk devices etc. I set devfs_ruleset = 4; and enforce_statfs = 1; in jail.conf. Inside the jail, sysctl security.jail.devfs_ruleset returns 1. But like mentioned, I can access all devices... [...]

I can confirm the mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC. I am now testing the new jail.conf possibilities and I am seeing all devices in /dev in the jail. Even if I set all this in my jail.conf

  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  mount.devfs;
  devfs_ruleset = 4;
  allow.set_hostname = false;
  path = "/vol0/jail/$name";
  exec.consolelog = "/var/log/jail/$name.console";
  mount.fstab = "/etc/fstab.$name";

  ## Jail bali
  bali {
      host.hostname = "bali.XXX.YY";
      ip4.addr = xx.xx.xx.xx;
      devfs_ruleset = 4;
  }

[...] Is it a problem in my understanding of the manpage / configuration, or is it a bug in the jail command on 9.1-RELEASE? Miroslav Lachman

It's a bug (deficiency) in the jail command.

Is there a workaround or is it impossible to use jails with devfs on FreeBSD 9.1? Shouldn't it be mentioned in the 9.1 errata? Is it fixed in stable/9? Thank you for your reply and your great work on the new jails! Miroslav Lachman
Re: Using jail name in rctl(8) doesn't work - jail id works
Thomas Steen Rasmussen wrote: On 08-03-2012 23:30, Thomas Steen Rasmussen wrote: Hello, When I specify an rctl(8) rule for a jail using the jail name it doesn't work. Displaying resource usage doesn't work either, when using the jail name, like rctl -hu jail:myjail On the other hand, if I run rctl -hu jail:3 where 3 is the jail id, it works as expected. The manpage examples use the jail name so it should work. Any idea why it doesn't? I am using 9.0-REL on this system. Should I submit a PR with relevant examples?

Hello, I submitted the PR which has more information. jexec(8) is also unable to convert the jail name to a jail id on this system. My jails are created and started using ezjail, if that matters. Link to the PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=165886

Can you post the output of `jls -v` and/or `jls -qn`? Miroslav Lachman
File system issue [was Re: jails]
Hi Greg, I am having an issue with one of my jailed systems. It has run out of space. I have identified many files to delete but I cannot delete the files as the system comes back with No Space available. I tried to delete them from the host system as well but I get the same system issue. How does one delete files or free up space?

What version are you running? (uname -a) Are you using ZFS or UFS? If ZFS, do you have some snapshots of the given filesystem? If yes, then you must first delete some snapshots to get some free space. With snapshots, the deleted file needs additional space to allocate in the last snapshot. Miroslav Lachman
Re: Memory Limits
Lars R. Noldan wrote:

Hello all, I'm sorry if this has been asked before. My search fu only showed something dating back to the FreeBSD 6.2 era, and I know a lot of work has gone into jails since then. Is there a way to limit the amount of total RAM available to a jail? Say for instance I have a jail server with 32GB of RAM, can I limit jail01 to 512MB? If this isn't currently possible is there any work being done towards this goal? Any suggestions you can provide, including links to the fine manual I should have found but didn't, are welcome. Thanks for all the hard work that's gone into jails! In the time I've been using them (since 7.1-RELEASE) the improvements are huge!

You are looking for Hierarchical Resource Limits:
http://wiki.freebsd.org/Hierarchical_Resource_Limits
It is implemented in 9-CURRENT:
http://svnweb.freebsd.org/base/head/usr.bin/rctl/

Miroslav Lachman
Re: jailing MySQL error
dsc fbsd.other wrote:
[...]

My steps:
1. ezjail-admin onestart j009_mysql2
2. ezjail-admin console j009_mysql2
3. cd /usr/ports/database/mysql55-server
   make install clean
4. cp /usr/local/share/mysql/my-innodb-heavy-4G.cnf /usr/local/etc/my.cnf (modified socket file path to /var/db/mysql/mysql.sock, in both client and server lines)
5. chown -R mysql:mysql ... for ... /tmp /var/tmp /var/db/mysql
6. mysql_enable=YES in jail rc.conf
7. /usr/local/etc/rc.d/mysql-server start
8. ...and NOTHING ... the mysql-server script starts /usr/local/bin/mysql_install_db (creates mysql and test folders in /var/db/mysql ... but nothing else ... it's just running)

I am running MySQL in a couple of jails without any additional tweaks. I don't know why you are using chown on /tmp, /var/tmp and /var/db/mysql. Did you create /var/db/mysql manually? Can you just try a clean install without any tweaks, without modifying my.cnf, and just start it by:

    mysql_enable=YES in jail rc.conf
    /usr/local/etc/rc.d/mysql-server start

The MySQL daemon should run in a jail with the standard configuration.

Miroslav Lachman
Re: Jail hot migration / new VPS for FreeBSD
Klaus P. Ohrhallinger wrote:
[...]

Hello; It will be BSD licensed. I am going to release it in October, but it still has to be considered highly experimental, and there are still many points where virtualization doesn't take effect yet.

You can send a Heads Up / Work In Progress announcement e-mail to freebsd-virtualizat...@freebsd.org where you may get a wider audience for your virtualization project! I am really glad that you are working on this type of VPS for FreeBSD.

Miroslav Lachman
Re: Creating jails to run Squid and multiple Bind services - Newbee
Kaya Saman wrote:

Hi, I am attempting to create a set of Jails for the first time!! I have read some documentation:
http://www.freebsd.org/doc/en/articles/portbuild/new-node.html
http://www.freebsd.org/doc/en/books/handbook/jails-build.html
http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail
and finally for configuring Squid in FreeBSD:
http://www.freebsddiary.org/squid.php (just as I currently run this on Solaris 9)
http://www.freebsd.org/doc/en/books/handbook/jails-application.html

Did you try sysutils/ezjail? I am not using it, but if you are not a very experienced jail user, you can find it useful. Note from the web page: "This setup requires advanced experience with FreeBSD and usage of its features. If the presented steps below look too complicated, it is advised to take a look at a simpler system such as sysutils/ezjail, which provides an easier method of administering FreeBSD jails and is not as sophisticated as this setup."

So far what I've done is this:

    cd /usr/src
    make buildworld

Do you have all the needed sources in /usr/src? Did you install them from CD-ROM or by csup?

I straight away then get an error saying:

    /usr/src/usr.bin/make *** error code 2
    Stop in /usr/src *** error code 1

Basically what I want to do is something very similar to how I use Solaris Zones: create a directory structure which will run 1 specific service only on a specific IP address. I am not certain if I can run 2 instances of Bind in two different Jails but it would be cool if I could.

Yes, you can run as many jails with any services as you can (if you have enough IP addresses)
[...]

Miroslav Lachman
Re: linux-only jail possible?
John Nielsen wrote:

Has anyone tried to run a jail containing only Linux binaries? I need a lightweight VM-ish solution to run an arbitrary number of test/dev/demo servers (apache + python mostly) but would like it to be reasonably close to the real servers (running Linux) in terms of software installation and maintenance, etc. (Moving the whole show over to FreeBSD is a battle for another day..) Aside from the logistics of actually making this work, are there any known or obvious show-stoppers/gotchas/pitfalls/etc? Ideally yum and rc+init.d would work normally, though I expect a bit of startup hackery may be necessary (as well as hand-extracting a bunch of RPM's to bootstrap the first jail). If you have attempted something like this I'd love to hear from you.

I don't think it is possible to emulate a full Linux environment and behavior in a FreeBSD jail. You can use Linux binaries with the Linux ABI in a jail, but it will be controlled by FreeBSD rc.d scripts, software will be installed by the ports system etc. Maybe you can have a FreeBSD host system and start a jail installed as a copy of Debian GNU/kFreeBSD instead of a classic FreeBSD jail + linux_base port. All in all, it will be a lot of work and experiments.

Miroslav Lachman
Re: Importing jails from 7.0, 7.2 to 8.0.
Jose Amengual wrote:

ok. the steps will be:
1. archive jail in old system: ezjail archive
2. install ezjail on new system
3. create basejail for ezjail jails: ezjail update -ip (here is where all the jail base gets updated)
4. import old jails: ezjail create -d ..
5. Install compat7x in host system and jails
6. upgrade all ports in jail or something like it.

You can skip step 5 if you will upgrade all ports. compat7x is for the case when you don't want to upgrade ports (compat7x installs old 7.x libraries). If all ports will be compiled against 8.x libraries, you don't need any 7.x libraries.

Miroslav Lachman
Re: Importing jails from 7.0, 7.2 to 8.0.
Jose Amengual wrote:

The problem that I had was that if I don't install compat7x I will not be able to use any software inside of my jail like bash, portupgrade, perl etc so you are forced to install it and then upgrade all ports. I was getting these errors:

    /libexec/ld-elf.so.1: Shared object "libcrypt.so.4" not found, required by "ruby18"

etc and none of the services are running when I was running almost all the third party utilities or port apps installed on the jail.

But you can use tools from the base system:

    cd /usr/ports/some_category/some_port
    make
    make deinstall
    make reinstall
    make clean

So this way you can upgrade ruby + portupgrade from the (t)csh shell without need of compat7x. Or even better, you can use portmaster instead of portupgrade. Portmaster is a plain sh shell script without dependencies on any other port so it will work in your broken jails. You just need:

    cd /usr/ports/ports-mgmt/portmaster/
    make install clean
    rehash

Miroslav Lachman
Re: starting jails in the background dependencies
Alexander Leidinger wrote:
Quoting Miroslav Lachman 000.f...@quip.cz (from Tue, 05 Jan 2010 11:45:34 +0100):
Alexander Leidinger wrote:
On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote:

Hi, now that jails are started in the background (which is good, too) I just realized yesterday that it also stops in parallel (in the background). This is bad. It may be the case that a jail is not fully stopped via the rc scripts when the OS decides to kill the remaining processes during a shutdown. My first reaction is to only allow to start in the background, but everything else needs to be serialized. Any objections or better ideas out there?

Maybe stopping can be done in parallel, but the rc script should wait (in a loop) until all jails are stopped or some configurable timeout (for example 60 seconds).

Feel free to come up with a proof of concept... but the timeout on stop should be forever IMO. If you have a busy software which needs to be shut down correctly for data safety or consistency reasons, I do not want that a reboot or shutdown prevents the correct shutdown.

I misunderstood the whole thing from the beginning. It's all about the wording "background" and "parallel". My first understanding was: if I have 4 jails, they are started in parallel (each other) something like:

    for J in jail1 jail2 jail3 jail4
    do
        jail_start $J &
    done

and similar for stopping them. But now I see that it is just starting jails in serial as usual but rc.d/jail runs in the background, so the next rc script will start right after rc.d/jail, not waiting for the jails to come up. Both approaches have their pros and cons.
In the first case (starting and stopping each jail in the background) stopping can be as easy as:

    for J in $jail_list
    do
        jail_stop $J &
    done
    while [ -n "`jls`" ]
    do
        sleep 1
    done
    echo all jails were stopped

For the second case, where jails are started / stopped as usual but the whole rc.d/jail is backgrounded, the only solution I got in my mind is a second rc script (for example bgjail_stop) with a similar loop as above, executed as one of the last rc scripts on system shutdown. (But I know it is an ugly solution.) I hope somebody will come with a better idea :)

Miroslav Lachman

PS: as my English is not so good, it is sometimes hard for me to understand and sometimes hard to explain things
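A proof of concept for the first case, added here and not code from the thread or from FreeBSD's rc.d/jail: stop every jail in the background, then wait until the jail list is empty or a configurable timeout passes (0 meaning wait forever, the behaviour Alexander prefers). The lister and the stop command are parameters so the loop can be exercised without a jail host; on FreeBSD 8.0 and later you would pass `jls jid` as the lister (plain `jls` prints a header line even when no jail runs, so testing its raw output for emptiness never terminates) and a small wrapper around `jail -r` as the stopper. The demo functions use a constructed temporary directory with one file per "running" jail.

```shell
#!/bin/sh
# Added example: parallel jail stop followed by a bounded wait for completion.

# wait_jails_stopped LIST_CMD [TIMEOUT]
#   Polls LIST_CMD once per second until it prints nothing (no jail left) or
#   TIMEOUT seconds have passed. TIMEOUT of 0 (the default) waits forever.
#   Returns 0 when all jails are gone, 1 on timeout (remaining jails on stderr).
wait_jails_stopped() {
    list_cmd=$1
    timeout=${2:-0}
    elapsed=0
    while [ -n "$($list_cmd)" ]; do
        if [ "$timeout" -gt 0 ] && [ "$elapsed" -ge "$timeout" ]; then
            echo "timeout after ${timeout}s, still running: $($list_cmd | tr '\n' ' ')" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# stop_jails_parallel LIST_CMD STOP_CMD [TIMEOUT]
#   Launches STOP_CMD for every jail in the background (the "first case" of the
#   thread), then waits with wait_jails_stopped.
stop_jails_parallel() {
    for j in $($1); do
        $2 "$j" &
    done
    wait_jails_stopped "$1" "${3:-0}"
}

# Constructed stand-in for a jail host: a directory with one file per running
# jail. fake_jls lists them (like `jls jid`), fake_jail_r removes one after a
# short delay (like `jail -r`).
fake_jls() { ls "$FAKE_JAIL_DIR"; }
fake_jail_r() { sleep 1; rm -f "$FAKE_JAIL_DIR/$1"; }

# demo_stop_all: three constructed jails, all stop within the timeout -> returns 0
demo_stop_all() {
    FAKE_JAIL_DIR=$(mktemp -d)
    touch "$FAKE_JAIL_DIR/alpha" "$FAKE_JAIL_DIR/bravo" "$FAKE_JAIL_DIR/charlie"
    if stop_jails_parallel fake_jls fake_jail_r 10; then rc=0; else rc=1; fi
    rm -rf "$FAKE_JAIL_DIR"
    return $rc
}

# demo_stop_stuck: the stop command does nothing, so one jail never goes away
# and the 2 second timeout fires -> returns 1
demo_stop_stuck() {
    FAKE_JAIL_DIR=$(mktemp -d)
    touch "$FAKE_JAIL_DIR/stuck"
    fake_noop_stop() { :; }
    if stop_jails_parallel fake_jls fake_noop_stop 2; then rc=0; else rc=1; fi
    rm -rf "$FAKE_JAIL_DIR"
    return $rc
}
```

In an rc script the timeout would come from an rc.conf knob, and the stuck-jail branch is where you decide whether to log and continue the shutdown or keep waiting.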
Re: Using 'Jails' like Solaris Zones??
Glen Barber wrote:
Hi, Miroslav Lachman wrote:
Kaya Saman wrote:
[...]

Since FreeBSD has all the software I require and is quite easy on system resources I was considering using 'Jails' where in Solaris I would be using Zones to dedicate an individual IP address to each instance of Bind. However, is it possible to dedicate a specific NIC to each instance of Bind as well since this is really what I would be doing in Solaris??? Apologies if I seem a bit vague on which OS I will choose, it's just that I am trying to consolidate as many services as possible without requiring any more hardware.

AFAIK a FreeBSD jail can't be bound to a specific NIC, but can be bound to IP address(es) and addresses can be assigned to different NICs. It means, if you have the following NICs: nic0, nic1 and IPs on the NICs: nic0 = 10.10.10.10, nic1 = 10.20.20.20

As of 7.2, jails can be bound directly to a specific interface. The example in /etc/defaults/rc.conf shows:

    #jail_example_interface=

It is a different thing and has existed for more than 3 years. As is stated in the manpage, this is just a rc.conf(5) variable used to choose the interface where the IP alias will be created, but it has nothing to do with the jail(8) command. The command takes a list of IP addresses, not NICs.

    jail_jname_interface
        (str) Unset by default. When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown.

Miroslav Lachman
Re: Using 'Jails' like Solaris Zones??
Kaya Saman wrote:
[...]

Since FreeBSD has all the software I require and is quite easy on system resources I was considering using 'Jails' where in Solaris I would be using Zones to dedicate an individual IP address to each instance of Bind. However, is it possible to dedicate a specific NIC to each instance of Bind as well since this is really what I would be doing in Solaris??? Apologies if I seem a bit vague on which OS I will choose, it's just that I am trying to consolidate as many services as possible without requiring any more hardware.

AFAIK a FreeBSD jail can't be bound to a specific NIC, but can be bound to IP address(es) and addresses can be assigned to different NICs. It means, if you have the following NICs: nic0, nic1 and IPs on the NICs:

    nic0 = 10.10.10.10
    nic1 = 10.20.20.20

Then if you start the first jail with IP 10.10.10.10 and the second jail with IP 10.20.20.20, then the first jail will use nic0 and the second jail will use nic1. You can also use more than one IP from more than one NIC in one jail thanks to BZ's work on multi-IP jails (since 7.2).

Miroslav Lachman
Re: ezjail with vimage
Alexander Petrovsky wrote:

Hello! I want to merge all my jails (ezjail framework) working under FreeBSD 7.2 to FreeBSD 8.0 with vimage support. Ezjail doesn't support jail_NAME_flags=. Can I simply change the line in /usr/local/etc/rc.d/ezjail:

    # Pass control to jail script which does the actual work
    [ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass}

and add some parameters like:

    jail -c vnet name=vnet1 host.hostname=vnet1.example.net path=/ persist

You can add whatever variables you want into /usr/local/etc/ezjail/vnet1_example_net. It will be exported to /etc/rc.d/jail, so you can use:

    export jail_vnet1_example_net_flags="my special flags here"

Or you can try to set it in /etc/rc.conf. Ezjail is not so special as it looks.

Miroslav Lachman
Re: ezjail with vimage
Alexander Leidinger wrote:
Quoting Alexander Petrovsky askju...@gmail.com (from Mon, 7 Dec 2009 17:04:04 +0800):

Hello! I want to merge all my jails (ezjail framework) working under FreeBSD 7.2 to FreeBSD 8.0 with vimage support. Ezjail doesn't support jail_NAME_flags=

http://www.leidinger.net/FreeBSD/current-patches/jail.diff Take only the part for the first two files. After that you have jail_NAME_jailname, jail_NAME_securelevel and jail_NAME_startparams. It also makes more sanity checks for the fstab entries.

Hi, is this patch just for your private use or is it something committable? The last time I wrote with Bjoern A. Zeeb about jailname, cpuset etc. support in rc.conf (back in March 2009) he stated that there is no need to add anything because it can be done by jail_NAME_flags. AFAIK the current system still doesn't allow me to set the cpuset of a jail from rc.conf.

Miroslav Lachman
Re: ezjail with vimage
Bjoern A. Zeeb wrote:
On Mon, 7 Dec 2009, Miroslav Lachman wrote:
Hi Miroslav,

The last time I wrote with Bjoern A. Zeeb about jailname, cpuset etc. support in rc.conf (back in March 2009) he stated that there is no need to add anything because it can be done by jail_NAME_flags. AFAIK the current system still doesn't allow me to set the cpuset of a jail from rc.conf.

Check /etc/defaults/rc.conf for jail_example_exec_afterstart.

You already said that in the past and it was the reason why I found a bug in cpuset. http://lists.freebsd.org/pipermail/freebsd-jail/2009-April/000830.html As I said, exec_afterstart is executed inside the jail and it means that I cannot use it to bind the jail to specific CPU cores. ...but maybe I am blind. Can you correct me if I am wrong? From my point of view, it can be done in rc.subr in a more general way, allowing the use of cpuset for any process started by rc.subr, similar to what is proposed in this patch for setfib: http://www.kes.net.ua/softdev/fib_patch.html

Miroslav Lachman
Re: Problem with Apache in Jail
Scheithauer, Lars (FH) wrote:

Hi everyone, I've started to install an apache22 in a freebsd-jail and have a problem. The jail has a public IP address, so from what I know, I wouldn't have to forward any packets to it. I can reach the apache22 server by IP address, but not by its DNS name - the connection gets disrupted. I can successfully nslookup the DNS name and if I watch the traffic of the browser via wireshark, I see that it sends packets to the server, but the server doesn't send any packets back. I also do not find any traces of the connection attempt in the apache logs. The config files of the apache are correct and read (tested by entering some false configs and the server refused to start afterwards - and as said I'm able to access it by its IP). Now, is there any way that this could be caused by the jail?

You did not post what version and architecture you are using... But I am running several jails with Apache or Lighttpd without any issues (on 6.3 i386 and 7.2 i386 + amd64). So I expect some misconfiguration on your side. Are you sure you have correct DNS entries pointing to the right IP and you have a working resolv.conf inside the jail? What about /etc/hosts?

Miroslav Lachman
Re: AW: AW: Networking from jail - errata
Scheithauer, Lars (FH) wrote:

Hi Bjoern, I did, but the error was somewhere else. I set the proxy through

    set http_proxy=http://proxy.example.com:8080

while the correct version would be

    setenv http_proxy http://proxy.example.com:8080

In both cases, echo $http_proxy returns the correct entry. Could you explain the difference between set and setenv?

The difference is that 'set' is for shell variables (in the scope of the current shell) and 'setenv' is for environment variables. If you use 'set' and then try to print the value from a forked shell script, it will be empty. If you use 'setenv', the shell script will print the value. See 'man tcsh' (if you are using tcsh as your login shell)

Miroslav Lachman
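The difference Miroslav describes, as an added demonstration (not from the thread) written for /bin/sh rather than tcsh: a plain assignment is the sh counterpart of tcsh `set` and stays in the current shell, while `export` is the counterpart of `setenv` and puts the value into the environment that a child process (here a child `sh -c`, standing in for the forked script) inherits. The variable name JAIL_DEMO_PROXY and its value are constructed for the example.

```shell
#!/bin/sh
# Added example: shell variable vs environment variable, seen from a child process.
DEMO_VALUE="http://proxy.example.com:8080"   # constructed sample value

# Child view after a plain assignment (the sh equivalent of tcsh `set`):
# the child inherits nothing, so this prints an empty string.
child_sees_shell_var() {
    (
        unset JAIL_DEMO_PROXY        # make sure nothing is inherited from our own environment
        JAIL_DEMO_PROXY=$DEMO_VALUE
        sh -c 'printf "%s" "$JAIL_DEMO_PROXY"'
    )
}

# Child view after export (the sh equivalent of tcsh `setenv`):
# the variable is now in the environment and the child prints the value.
child_sees_env_var() {
    (
        unset JAIL_DEMO_PROXY
        JAIL_DEMO_PROXY=$DEMO_VALUE
        export JAIL_DEMO_PROXY
        sh -c 'printf "%s" "$JAIL_DEMO_PROXY"'
    )
}

# The parent shell itself sees the value in both cases, which is why
# `echo $http_proxy` looked fine in the thread even with `set`.
parent_sees_shell_var() {
    (
        unset JAIL_DEMO_PROXY
        JAIL_DEMO_PROXY=$DEMO_VALUE
        printf "%s" "$JAIL_DEMO_PROXY"
    )
}
```

Tools such as fetch(1) or pkg run as separate processes, so only the exported form reaches them; the same holds for anything started from the jail's rc scripts.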
Re: Jails creation
Tonix (Antonio Nati) wrote:
Miroslav Lachman wrote:
[...]

You are not the first one with this idea. You can easily use a nullfs mount of directories from the base system, but people mostly prefer an independent directory with a jail install shared by many jails. And sometimes somebody needs jails with modified binaries, so it is not possible to share them with the base system in all cases. There are many ways to get jails running without sources, it is up to you to choose one.

[...]

I have nothing against shared dirs, but my question is this: why does the basic jail creation command require compilation? Given the fact the jail must have exactly the same version of the base system, why does the base create command not simply copy the existing binaries? It would avoid local source, remote packages, etc...

It is not true. The jail command does not require compilation, nor exactly the same version. I am running a 6.x version jail on a system with 7.2 and you can run a 32bit (i386) jail on a 64bit (amd64) system. The `jail` command is there just for starting the jail, not for building it. The jail even does not need to be a fully installed system! There are so many different scenarios with jails that there cannot be one command to satisfy them all. It is up to the administrator to prepare the best environment for his/her needs. If you need the full copy of the base system, you can do it really easily (by tar as was suggested by Vincet Hoffman, or dump/restore), and if you do it for each jail, you lose the benefits of a shared read-only base directory (you will need more disk space and more memory). If you do not want to spend some time on compilation, you can install the jail from the installation media you already have from the system install:

    cd /some/media/7.2-RELEASE/base
    mkdir /path/to/myjail
    setenv DESTDIR /path/to/myjail
    sh install.sh

That's all! It is too simple in contrast to a source build or manually copying something from base. If you are using ZFS, you can use snapshots and clones...
And many more scenarios exist. I am CCing freebsd-jail@, it is a more appropriate list to continue.

Miroslav Lachman
Re: kern/139454: [jail] traceroute does not work inside jail
The following reply was made to PR kern/139454; it has been noted by GNATS.
From: Miroslav Lachman 000.f...@quip.cz
To: bug-follo...@freebsd.org, stei...@nognu.de
Cc:
Subject: Re: kern/139454: [jail] traceroute does not work inside jail
Date: Sat, 10 Oct 2009 00:20:36 +0200

I can confirm that traceroute inside a jail on 6.3 works, on 7.2 it works only with traceroute -s jails_addr. Both machines have security.jail.allow_raw_sockets: 1
Re: Per Jail Memory Limits
Tom Judge wrote:

So I have worked up something usable for us based on the 7.0 code from the wiki. This patch is for 7.1 and implements both soft and hard memory limits. Details are here: http://www.tomjudge.com/index.php/FreeBSD/Jails/MemoryLimits Changes that add supporting infrastructure for cpu limiting are in the patch but changes to the schedulers have not been included. If you need the scheduling support you will need to patch sched_4bsd with the code from the original patch set here: http://lists.freebsd.org/pipermail/freebsd-jail/2008-June/000333.html Hope this is useful for some people.

I added links to this thread and to your patch into the wiki page http://wiki.freebsd.org/Jails. I hope it will help people to find your work. Do you plan to make it for 7.2 and other future releases?

Miroslav Lachman
Re: df output into jail
Andrey Groshev wrote:

Hi, All! I create garbage files. Mounted in the main system partition for data.

    # mount | grep /usr/jails/samba/
    /dev/amrd0s4d.journal on /usr/jails/samba/data (ufs, asynchronous, local, noatime, nosuid, gjournal)
    /usr/jails/basejail on /usr/jails/samba/basejail (nullfs, local, read-only)
    devfs on /usr/jails/samba/dev (devfs, local)
    fdescfs on /usr/jails/samba/dev/fd (fdescfs)
    procfs on /usr/jails/samba/proc (procfs, local)

And now... I see the output of df -h in the jail - it returns only the root mount.

    # df -h
    Filesystem       Size    Used   Avail  Capacity  Mounted on
    /dev/amrd0s4a     18G    3.6G     13G      21%   /

If you ask specifically df -h /data, then it displays the desired data.

    # df -h /data
    Filesystem              Size    Used   Avail  Capacity  Mounted on
    /dev/amrd0s4d.journal   178G    768M    163G       0%   [restricted]

Looking at the sources, I decided that this is due to the answer of mount. IMHO, it should be able to see the file systems mounted below the directory of the jail.

I think you are looking for security.jail.enforce_statfs=1. The default is security.jail.enforce_statfs=2! See man jail(8) for more details.

Miroslav Lachman
Re: Hierarchical jails
Jamie Gritton wrote:

Here's the first round of hierarchical jails under the new framework. Instead of creds having either a prison or a NULL pointer, they all have a prison pointer with the default being the global prison0 that contains information about the real environment. Jailed root may (if granted permission) create prisons that would be under its place in the hierarchy, but may not alter (or even see) prisons at its level or above. The JID space is flat, i.e. every prison in the system has a unique ID. The prison name space is hierarchical, with jails having dot-separated component names.
[...]

I am glad that you are working on this feature! I added info + links to these patches on the wiki http://wiki.freebsd.org/Jails I hope I will have some free time to test it soon.

Miroslav Lachman
Re: changing cpuset of jail from inside of jail - is it feature?
Bjoern A. Zeeb wrote:
[...]

Ok, I am not sure what is going wrong here; well I know but I don't know if it's intended in cpuset. Trying to talk to the right people but they seem to be AWOL atm. If you are brave, you could try: http://people.freebsd.org/~bz/20090423-01-cpuset-jails.diff I haven't even compiled it yet. It may work, it may not work, it may make your machine panic, ... just to warn you. It should still allow you to create further sets within a jail but you should not be able to change the root set of the jail from inside the jail anymore (in case it works ;)

I did just a quick test. (OK, not so quick, because compilation inside Qemu on my old PC takes 2 hours ;]) It compiles without problems and did what I expect:

    r...@72-rc1 ~/# jls
       JID  IP Address      Hostname                      Path
         1                  alpha.test                    /usr/jail/alpha
    r...@72-rc1 ~/# jexec 1 tcsh
    r...@alpha //# cpuset -l 0 -j 1
    cpuset: setaffinity: Operation not permitted
    r...@alpha //# cpuset -l 0 -r -j 1
    cpuset: setaffinity: Operation not permitted

I have no real multicore machine to test it more deeply. (can't test it on production servers and the spare machine is blocked by another task) Will this fix be included in 7.2-RELEASE or is it too late to commit this fix?

Miroslav Lachman
Re: changing cpuset of jail from inside of jail - is it feature?
Bjoern A. Zeeb wrote:
On Wed, 22 Apr 2009, Miroslav Lachman wrote:

Hi, I am running the system FreeBSD 7.1-STABLE amd64 GENERIC (Wed Feb 11 09:56:08 CET 2009) hosting a few jails. The machine has a dual core CPU and some jails are set to run only on one core (core 0 in this example):

    host# cpuset -l 0 -j 25

As I tested today, the root user inside the jail can change this by the same command as I am doing it from the host system:

    injail# cpuset -l 0,1 -j 25

And from now on, the jail with JID 25 is running on both cores. Is it expected behavior of cpuset to allow a user inside the jail to change the cpuset of the jail itself or is it a bug? It seems undesirable to me.

It is (undesirable) and it seems to be a bug as even if you do

    host# cpuset -l 0 -r -j 25

you can get back to 0,1 from within the jail. I'll check how/why this is possible. /bz PS: moving this to freebsd-jail@

I found this behavior as a result of your reply to my e-mail from March http://lists.freebsd.org/pipermail/freebsd-jail/2009-March/000751.html You are suggesting jail_jname_exec_afterstart to use it for the cpuset of starting jails, but as I look into /etc/rc.d/jail, it seems this command is executed inside of the jail:

    while [ true ]; do
        eval out=\"\${_exec_afterstart${i}:-''}\"
        if [ -z "$out" ]; then break; fi
        jexec ${_jail_id} ${out}
        i=$((i + 1))
    done

So I was confused whether the cpuset behavior is expected or not and if not, I don't know how to use the current rc.d/jail + rc.conf to start jails on chosen cores or in a particular set of cpus/cores.
That was the reason for my suggestion - write a patch for rc.d/jail to support something like:

    jail_jname_cpuset_list="0,3,5"   # start jail on cores 0, 3 and 5

It should be something like:

    _cpuset="cpuset -l ${_cpuset_list}"
    eval ${_cpuset} ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
        \"\${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1

(I didn't test the example above, so I don't know if it is valid) or something like:

    if [ -n "$_cpuset_list" ]; then
        cpuset -l ${_cpuset_list} -j ${_jail_id}
    fi

(^ this seems simpler) I don't know what is better, or if there is another way to set the cpuset of jails from rc.conf. But the first problem is as I previously posted - the cpuset of a jail should not be changeable from within the jail...

Miroslav Lachman
Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Stefan Lambrev wrote:

Hi, Does this allow multiple network interfaces to be used by a single jail instance?

Yes, I am using it.

    r...@cage ~/# jls -v
       JID  Hostname           Path              Name  State  CPUSetID  IP Address(es)
        25  costa.example.com  /vol0/jail/costa        ALIVE  2         xxx.yy.105.31
                                                                        192.168.222.57
    r...@costa //# ifconfig
    nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
            ether 00:1a:24:bd:e2:0f
            inet 192.168.222.57 netmask 0x broadcast 192.168.222.57
            media: Ethernet autoselect (100baseTX <full-duplex,flag0,flag1>)
            status: active
    [...]
    bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 00:1a:24:bd:e2:0e
            inet xxx.yy.105.31 netmask 0x broadcast xxx.yy.105.31
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active

The above command (ifconfig) is inside the jail, other interfaces manually stripped. (xxx.yy replaces the real IP address) bge1 is used for the internet connection and nfe0 for access to services in the LAN.

Miroslav Lachman
Re: CPU limit for Jails(patch for ULE scheduler)
Меньшиков Константин wrote:

Hello all! Many users want to have limits on resources for jails, for example cpu and memory limits. I rewrote the original cdjones patch for cpu limits for jails under the ULE scheduler. So, this works simply. We count cpu usage for all jails, and if a jail uses more cpu than its shared cpu, we move its threads to the IDLE queue and return them to TIMESHARE in the reverse case. A jailed thread can use all available cpu time, if the system has available cpu. If the system is under heavy load, a jailed thread can't use cpu longer than the ratio (shared cpu for jail / all shared cpu) (estimated usage cpu for jail / all usage cpu). Unjailed threads and interactive threads are not subject to this regime.

Adds 2 sysctls:
    kern.sched.total_sched_shares - total count of cpu shares in the system, increase if we have more cpu
    kern.sched.flush_estcpu_interval - flush estcpu interval in ticks, default is 2560 = 2 * 128 * 10, NCPU*stathz*sec, increase if we have more cpu

To use the cpu limit, you need to use the flag -S NSharedCPU in the /usr/sbin/jail program. My example:

    jail -S100 /usr/jails/root/ root.kostjn.pht 192.168.0.245 /bin/csh

I tested this under 10 simultaneous processes in the jail and in the main system. The test program is an infinite cycle on an 8 core Xeon, using RELENG_7. First run the process in the jail, and after in the main system. This one process tracking cpu usage [...] So we see that after running in the main system, the jailed process can't use cpu. Please communicate to me about all problems in this patch. This is the initial version, without tuning jail parameters at runtime. So, this works. But I'm not sure that it is the best way. Attempting to increase the priority for jailed threads does not work, because a non-interactive thread (that utilizes much cpu) already has a small priority (numerically high). Attempting to decrease the number of ticks in the cpu time slice is also not a good idea, because this increases the number of context switches on high load. Maybe you see another way to do this? Share your idea. Thanks.
Original cdjones cpu and memory limit patch http://wiki.freebsd.org/JailResourceLimits Hello, I can't judge your work / patch as I am not developer nor C programmer. But it is nice to see that someone is working on the resource limits. I am waiting for this feature for a years without success. The original SoC project was never done (not production ready). There were attempts by others to update cdjones patch to newer versions of FreeBSD, but still with some minor problems. The last I remember is Memory limits on 7.0 by Christopher Thunes (e-mail in archive of this list from 2008-06-24). Unfortunately I had not time to test his patch in times of 7.0 and I am not aware of any newer version of this patch (for 7.1 or upcoming 7.2). It would be nice if independent developers can work together on this subject and do this work production / commit ready. May be you should open PR with you patch, so anybody can find it, test it and help to make it better. Or if you have own web page with this patch + some documentation, I can put the link to http://wiki.freebsd.org/Jails Can you take a look to Memory limits patch and incorporate it in to your patch? Do you have a plan to add jtune? Thanks for your work, I hope I will have time to test it in few weeks. Miroslav Lachman ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
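A small Python model of the share-based decision rule described in the post above (an added example, not the patch's C code): usage is counted per jail in ticks and reset every flush_estcpu_interval ticks, and a jail whose fraction of total usage exceeds its fraction of total_sched_shares is moved to the IDLE queue only while no CPU is idle. Jail names, share values and tick counts are constructed; interactive-thread detection is not modelled.

```python
"""Model of the share-based jail CPU limiter described in the post above.

Added example, not the patch itself. It models the rule the post states:
CPU usage is counted per jail (estcpu) and reset every
kern.sched.flush_estcpu_interval ticks; while the system has no idle CPU,
a jail whose share of total usage exceeds its share of
kern.sched.total_sched_shares is moved to the IDLE queue, otherwise its
threads stay in (or return to) TIMESHARE. Unjailed usage is counted but
never limited. Jail names, share values and tick counts are constructed.
"""
from dataclasses import dataclass, field

IDLE = "IDLE"
TIMESHARE = "TIMESHARE"


@dataclass
class JailCpuLimiter:
    total_shares: int               # kern.sched.total_sched_shares
    ncpu: int = 8                   # the post's 8 core Xeon
    flush_interval: int = 2560      # kern.sched.flush_estcpu_interval (ticks)
    shares: dict = field(default_factory=dict)   # jail -> value given to jail -S
    estcpu: dict = field(default_factory=dict)   # jail -> CPU ticks since last flush
    host_estcpu: int = 0            # unjailed usage since last flush
    elapsed: int = 0                # wall-clock ticks since last flush
    queue: dict = field(default_factory=dict)    # jail -> IDLE / TIMESHARE

    def add_jail(self, name: str, shares: int) -> None:
        self.shares[name] = shares
        self.estcpu[name] = 0
        self.queue[name] = TIMESHARE

    def account(self, name, cpu_ticks: int) -> None:
        """Charge cpu_ticks of CPU time to jail `name` (None = unjailed thread)."""
        if name is None:
            self.host_estcpu += cpu_ticks
        else:
            self.estcpu[name] += cpu_ticks

    def tick(self, ticks: int = 1) -> None:
        """Advance the clock; flush the usage counters when the interval expires."""
        self.elapsed += ticks
        if self.elapsed >= self.flush_interval:
            self.flush()

    def flush(self) -> None:
        for name in self.estcpu:
            self.estcpu[name] = 0
        self.host_estcpu = 0
        self.elapsed = 0

    def rebalance(self) -> dict:
        """Decide the run queue for every jail and return a copy of the result."""
        total_usage = self.host_estcpu + sum(self.estcpu.values())
        capacity = self.elapsed * self.ncpu          # CPU ticks available so far
        busy = total_usage >= capacity               # no idle CPU left
        for name, used in self.estcpu.items():
            share_ratio = self.shares[name] / self.total_shares
            usage_ratio = used / total_usage if total_usage else 0.0
            over = busy and usage_ratio > share_ratio
            self.queue[name] = IDLE if over else TIMESHARE
        return dict(self.queue)


def demo() -> dict:
    """Two jails plus unjailed load filling all 8 CPUs for 100 ticks."""
    lim = JailCpuLimiter(total_shares=800)
    lim.add_jail("small", 100)   # jail -S100: entitled to 1/8 of the CPU
    lim.add_jail("big", 400)     # jail -S400: entitled to 1/2 of the CPU
    lim.tick(100)                # 100 ticks * 8 CPUs = 800 CPU ticks of capacity
    lim.account("small", 400)    # 50% of all usage, far above its 12.5% share
    lim.account("big", 240)      # 30% of all usage, below its 50% share
    lim.account(None, 160)       # unjailed load
    return lim.rebalance()       # returns {"small": "IDLE", "big": "TIMESHARE"}
```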
Re: maxproc per jail
Espartano wrote:
> On Tue, Mar 17, 2009 at 1:48 AM, Nicolas de Bari Embriz Garcia Rojas nb...@k9.cx wrote:
>> Hi all, is it possible to limit the maxproc per jail? Or how to put a protection on the main host in case the root user of a jail tries to make a fork bomb?
>
> Maybe you can protect your computer using CPU limits; you should visit this page: http://wiki.freebsd.org/JailResourceLimits
> Take a look: the patch is for FreeBSD RELENG_6. I don't know if the patch works fine with FreeBSD 7, I have never used this patch.

It is outdated and AFAIK no longer maintained. (FreeBSD 7.1 is shipped with a different scheduler than before.)

Miroslav Lachman
Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Bjoern A. Zeeb wrote:
> Hi,
>
> what has started a long time ago with patches from various people, was started, abandoned, resumed and finally found an end. I am happy to hereby announce that the multi-IPv4/v6/no-IP jails work has been merged to 7-STABLE and thus can be used in FreeBSD 7 without the need to maintain or apply patches from now on. This also means that the updated jails will be included in the 7.2 release.
>
> This update gives you (short selection):
> - zero, one or multi-IP jails.
> - IPv4 and IPv6 support.
> - cpuset support for jails.
> - jail names and states to ease administration.
> - 32bit compat on 64bit, jail v1 compat, ..
>
> You'll find a longer summary about all the new features and how to use them in a posting from December (you should really read it):
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html
>
> Since the above posting, multiple PRs had been addressed and fixes include
> - SIOCGIFADDR ioctl handling which fixes the samba inside jails problem
> - no more arp and ndp information disclosure
> - updated rc.conf framework (fully backward compatible in 7), see man 5 rc.conf and /etc/defaults/rc.conf.
> - various documentation/man page updates
> - ...

I have been using your new multi-IP Jail (7-STABLE) for a few weeks without any problems. Thanks for your good work!

I am interested in the new features - jail name and cpuset support. I can use them manually, but there is no support in /etc/rc.d/jail. Do you have any plan to add these features into rc.d/jail + rc.conf? Or better said - if I make a patch, are you willing to clean + commit it? :) (I know, you do not want more complexity in the rc.d/jail script...)

I also did one patch half a year ago http://www.freebsd.org/cgi/query-pr.cgi?pr=124248
Can you accept it, or reject it, so the PR can be closed?
(I can make a newer patch for 7-STABLE or 8-CURRENT if you want it)

Miroslav Lachman
Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
I have a question about INADDR_ANY in relation to the new multi-IP jails.

It was discussed some time ago as PR 84215 [wildcard ip (INADDR_ANY) should not bind inside a jail] http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 and it seemed fixed, but the manpage for jail is still saying:

"Similarly, it might be a good idea to add an address alias flag such that daemons listening on all IPs (INADDR_ANY) will not bind on that address, which would facilitate building a safe host environment such that host daemons do not impose on services offered from within jails."

Can you please clarify the current state?

Miroslav Lachman
Re: kern/122270: [jail] [patch] jail numbers keep incrementing
Bjoern A. Zeeb wrote:
> On Tue, 10 Feb 2009, Miroslav Lachman wrote:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=122270
>> Is it really committed to 7_RELENG? I am running 7.1-RELEASE and the JID is still incrementing after each stop + start. In my test case, I started with 3 jails (JID 1, 2, 3), then I stopped the jail with JID 2 and started it again (now it has JID 4), stop + start and JID is 5, stop + start again and JID is 6...
>
> It had been backed out because it gave various people various problems and led to races with startup/shutdown of jails and mgmt tools. But that's been looong ago.

Thank you for your quick reply. I think that it would be nice to add related information to (closed) PRs. This is not the first time when something was backed out or not MFCd but the PR stated that it is committed.

Miroslav Lachman
Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Bjoern A. Zeeb wrote:
> On Sun, 8 Feb 2009, Miroslav Lachman wrote:
>> Hi,
>> Can you explain in more detail "32bit compat on 64bit, jail v1 compat, .."? Is it possible to run a 32bit jail on a 64bit host and build / run 32bit ports (marked as i386 only) in it? What is needed to set up a 32bit jail on a 64bit host?
>
> Running a 32bit userland on a 64bit machine inside a jail had been possible for quite a while; you'll find the instructions for a perfect setup with a bit of search.

I know it was discussed a few times in this list (eg. "Compilation question 64bit, 32 bit" at 2008-10-16), but I think there were not any perfect setup instructions and I am unable to find it with google (maybe I ask google the wrong questions ;]), so can you point me to the right place?

> What the above means is that your i386 jail binary will work on amd64 and that your old jail binary from before the update will work on the kernel after the update. jls will not btw.

As Alexander Leidinger replied in the mentioned thread, it does not seem too simple (in the case of the ports infrastructure) to use a 32bit jail as a pure 32bit environment to compile i386 only ports. I will try it next week and post back any results / questions. And in case of success, I will write it on the Jails wiki page.

Miroslav Lachman
Re: bsnmp module for monitoring jails: bsnmp-jails
Stef wrote:
> I hope it's okay to announce this here. I thought folks might be interested...
>
> I've released a bsnmp module for monitoring jails via SNMP. Stuff like network traffic, disk space, CPU utilization etc...
>
> FreeBSD port attached, available here:
> http://memberwebs.com/stef/software/bsnmp-jails/

Thank you for your announcement and your work! I will test it as soon as possible.

Is there some limitation of FreeBSD version (6.x / 7.x / 8.x; i386 / amd64) or is it compatible with all?

Miroslav Lachman
Re: Local IP in jail
Uroš Gruber wrote:
> Hi,
>
> I'm setting up a new jail and I was thinking of enabling it on some local IP (10.1.1.1 for example). I added an alias in rc.conf and also created the jail. The only problem I have is routing is not working as it should. I don't know if it is because of the jail or do I need to add manual routing for this IP to be able to communicate with the outside world. Is it even possible to work this way and then use ipf to redirect traffic onto the jail itself?

It is possible. I am using Jails only this way (with private IPs and NAT+RDR in PF).

Maybe you need to set net.inet.ip.forwarding=1 (in sysctl.conf) or gateway_enable=YES in rc.conf

Miroslav Lachman
Re: Compilation question 64bit, 32 bit
Alexander Leidinger wrote:
> Quoting Jose Amengual (from Thu, 16 Oct 2008 08:43:15 -0300):
>> Hi Guys.
>>
>> The other day I installed a server with jails with FreeBSD 7 32 bit on a 64 bit capable processor. After I installed I started wondering some things that I point out here:
>>
>> Any benefit to install 64 bit vs 32 bit with the purpose of using jails?
>
> It depends. If you want to use more than 4G: yes.
>
>> Can I install a 32 bit FreeBSD and create 64 bit jails? (using ezjail or downloading the full 64 bit source to create the jail).
>
> No.
>
>> Can I install 32 bit FreeBSD and then make a make world and change it to 64 bit? (is it recommended?)
>
> IIRC this depends upon your FreeBSD version. I think in CURRENT there's code which supports that now. No guarantees.
>
>> Can I install a FreeBSD 64 bit and create 32 bit jails?
>
> Sort of. You can install a 32bit world into the jail and make sure 32bit support is activated in the kernel. The 32bit programs will then run just fine in the jail (but 64bit ones should run fine too). It's the same way as you can run linux programs in a jail.

Do you mean installing the whole 32bit world instead of 64bit, for example from ftp.freebsd.cz:/pub/FreeBSD/releases/i386/7.0-RELEASE/base/ or just the /lib32 /usr/lib32 libraries?

Will it be possible in this (32bit) jail to install ports marked as arch i386 only, or is some voodoo needed to trick the ports system?

What do you mean by 32bit support in the kernel? Is it just "options COMPAT_IA32" as is in the amd64 GENERIC or anything else?

I am interested in running 32bit ports on an amd64 machine.

Miroslav Lachman
Re: request for (security) comments on this setup
Greg Larkin wrote:
> Miroslav Lachman wrote:
>> Bjoern A. Zeeb wrote:
>>> On Mon, 22 Sep 2008, Randy Schultz wrote:
>>>> Hi,
>>>>
>>>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via fstab.jailname. When the jail is up and I'm logged into the jail I can cd to the mount point, r/w etc., everything seems to work. What's weird tho' is, while a df on the parent shows the partition mounted as expected, a df inside the jail shows the local disk but not the iSCSI mount.
>>>> ...
>>>> So, my first question is what am I missing, the second is does mounting things this way into a jail pose any sort of risk for escaping the jail?
>>>
>>> Does anything change if you do a sysctl security.jail.enforce_statfs=1
>>>
>>> If that's what you want you can add the following lines to /etc/sysctl.conf in the base system so it is automatically set upon boot:
>>> # jails
>>> security.jail.enforce_statfs=1
>>
>> Does this have any impact on security?
>>
>> # sysctl -d security.jail.enforce_statfs
>> security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems
>>
>> For what is this sysctl implemented?
>>
>> Thanks
>> Miroslav Lachman
>
> Hi Miroslav,
>
> From the jail(8) man page:
>
> security.jail.enforce_statfs
>     This MIB entry determines which information processes in a jail are able to get about mount-points. It affects the behaviour of the following syscalls: statfs(2), fstatfs(2), getfsstat(2) and fhstatfs(2) (as well as similar compatibility syscalls). When set to 0, all mount-points are available without any restrictions. When set to 1, only mount-points below the jail's chroot directory are visible. In addition to that, the path to the jail's chroot directory is removed from the front of their pathnames. When set to 2 (default), above syscalls can operate only on a mount-point where the jail's chroot directory is located.
>
> Hope that helps,
> Greg

Thank you, I forgot to open the jail(8) man page before posting :)

If I understand it correctly - it is just about what information (about mountpoints) is visible to processes inside the jail, without any security impact, and it is safe to use security.jail.enforce_statfs=1. Am I right?

(I am sorry for maybe dumb questions, but I am not a kernel/OS developer and statfs, fstatfs, getfsstat did not tell me much)

Miroslav Lachman
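To make the three enforce_statfs settings concrete, here is an added Python model of the visibility rules quoted from jail(8) above (not kernel code, and not part of the thread). The mount table and jail root are constructed, and reporting the file system that holds the jail's chroot as "/" in modes 1 and 2 is an assumption about how the stripped prefix is presented; the model shows why the default of 2 hides a mount below the jail root from df while 1 reveals it with the chroot prefix removed.

```python
"""Model of what security.jail.enforce_statfs lets a jailed process see.

Added example based on the jail(8) text quoted in the thread, not kernel
code. The mount table and jail root are constructed; reporting the file
system that holds the jail's chroot as "/" in modes 1 and 2 is an
assumption about how the stripped path is presented.
"""
from typing import List, Tuple

Mount = Tuple[str, str]   # (mount point as the host sees it, fstype)

# Constructed host mount table: the jail lives on /vol0 and has an iSCSI
# volume mounted below its root via fstab.jailname, as in the thread.
MOUNTS: List[Mount] = [
    ("/", "ufs"),
    ("/usr", "ufs"),
    ("/vol0", "zfs"),
    ("/vol0/jail/costa/iscsi", "ufs"),
    ("/vol0/jail/costa/proc", "procfs"),
]
JAIL_ROOT = "/vol0/jail/costa"


def _is_under(path: str, root: str) -> bool:
    """True if path equals root or lies below it, compared by path component."""
    root = root.rstrip("/") or "/"
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def _mount_holding(mounts: List[Mount], jail_root: str) -> str:
    """The mount point on which the jail's chroot directory is located
    (the longest mount point that is a prefix of the jail root)."""
    best = "/"
    for mnt, _ in mounts:
        if _is_under(jail_root, mnt) and len(mnt) > len(best):
            best = mnt
    return best


def visible_mounts(mounts: List[Mount], jail_root: str,
                   enforce_statfs: int) -> List[Mount]:
    """Return (path as seen inside the jail, fstype) for each mount the jail may see."""
    if enforce_statfs == 0:                 # 0: no restriction at all
        return list(mounts)
    holding = _mount_holding(mounts, jail_root)
    prefix = jail_root.rstrip("/")
    out: List[Mount] = []
    for mnt, fs in mounts:
        if mnt == holding:                  # visible in both mode 1 and mode 2
            out.append(("/", fs))
        elif enforce_statfs == 1 and _is_under(mnt, jail_root):
            # 1: mounts below the chroot, with the chroot prefix stripped
            out.append((mnt[len(prefix):] or "/", fs))
    return out
```

With the constructed table, mode 2 returns only the /vol0 file system (as "/"), while mode 1 adds /iscsi and /proc.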
Re: The best way to upgrade my FreeBSD and its jails
Mikhail Goriachev wrote:
> Redd Vinylene wrote:
>> My dedicated server is mother, its two jails are camel and box. Is this the best way to upgrade all of them?
>
> We probably should keep this to freebsd-jail@ only.
>
> Had a look at http://pastie.org/245821 and have a few notes for you:
>
> 1.- As Miroslav already mentioned - it is not a good idea to daisy chain everything. You should break the procedure into two steps. Firstly upgrade the host and make sure the upgrade went well. Once you're certain that everything is ok, then proceed upgrading jails. I personally disable jails (jail_enable=NO), then reboot (to avoid any zombie jails), perform the upgrade on all jails and then enable them back on.
>
> 2.- Your upgrading sequence is a bit off. Have a look at /usr/src/Makefile for further details and the correct sequence:
> # make buildworld
> # make buildkernel
> # make installkernel
> # reboot
> # mergemaster -p
> # make installworld
> # make delete-old
> # mergemaster
> # reboot
> # make delete-old-libs
>
> 3.- You don't need kernels inside your jails. Having them won't hurt you, but they consume space. In other words, you shouldn't execute the following (or similar):
> # make DESTDIR=$D installkernel
>
> 4.- The "make distribution DESTDIR=$D" should be executed only once - when a jail is created. Otherwise you're nuking your configurations in the jail's /etc and probably somewhere else.

One thing to note - if you do delete-old delete-old-libs you probably need to recompile all installed ports because of lib dependencies.

Have a go at this, you might find some use for it:

---
JAILSDIR=/usr/local/jails
cd /usr/src
for jail in `ls ${JAILSDIR}`; do
    mergemaster -pD ${JAILSDIR}/${jail}
    make installworld DESTDIR=${JAILSDIR}/${jail}
    mergemaster -iD ${JAILSDIR}/${jail}
done
---
Re: The best way to upgrade my FreeBSD and its jails
Redd Vinylene wrote:
> My dedicated server is mother, its two jails are camel and box. Is this the best way to upgrade all of them? Pretty cool huh?
>
> # FreeBSD/i386 mother.reddvinylene.no
> csup /etc/cvsupfile \
> cd /usr/src \
> make buildworld \
> make buildkernel \
> make installworld \
> make installkernel \
> make delete-old \
> make delete-old-libs \
> mergemaster -U \
> export D=/usr/jail/camel \
> make installworld DESTDIR=$D \
> make installworld installkernel DESTDIR=$D \
> make delete-old DESTDIR=$D \
> make delete-old-libs DESTDIR=$D \
> cd etc/ \
> make distribution DESTDIR=$D \
> cd .. \
> mergemaster -U -D $D \
> export D=/usr/jail/box \
> make installworld DESTDIR=$D \
> make installworld installkernel DESTDIR=$D \
> make delete-old DESTDIR=$D \
> make delete-old-libs DESTDIR=$D \
> cd etc/ \
> make distribution DESTDIR=$D \
> cd .. \
> mergemaster -U -D $D \
> chflags -R noschg /usr/obj/* \
> rm -rf /usr/obj/*

It would be better if you post what version you are running and to what version you want to update / upgrade. If you want to use some RELEASE, you can use the freebsd-update command for a binary update of the base and jails.

Also it is not good to do all the above steps as one chained command.

Miroslav Lachman
Re: getpwnam: root: No such file or directory
Евгений Шаповал wrote:
> hello =)
>
> When I try to start a jail (/etc/rc.d/jail start) I have:
>
> /etc/rc.conf: //: Permission denied
> Configuring jails:.
> Starting jails: cannot start jail test:
> jail: getpwnam: root: No such file or directory
>
> how is it corrected? =\

Can you post your rc.conf and how you populated the jail environment?

Miroslav Lachman
Re: Memory limits on 7.0
Christopher Thunes wrote:
> Hey everyone,
>
> I spent some time working on getting cdjones' memory limit patches updated for 7.0 and beyond and thought I'd post my progress. I've attached my current patch which implements memory limits on 7.0-RELEASE, but only for the older (and default in -RELEASE) bsd4 scheduler (won't work at all on ULE). I haven't yet started work for ULE or getting CPU sharing working. This patch also includes fixes for problems in the original cdjones patches. If you want to give it a whirl it should apply cleanly to a 7.0-RELEASE source tree and if you run into any issues let me know.

Thanks for your work, I put it on the Jails wiki!

I hope I'll give it a try next week after I set up a new testing machine with ZFS, 4GB of RAM and a lot of jails for testing :)

Do you plan to work on a ULE version? (AFAIK ULE will be the default for the next release)

Miroslav Lachman
Re: tun/gif interfaces inside jail.
Peter Ankerstål wrote:
> Is it possible to give root access to a certain tun-interface inside a jail? In order to use OpenVPN or something like that?

Jail can use only 1 IP address (currently). If you need to use only some ports on the VPN, you can use port redirect by firewall. I am using it to access an MSSQL server through VPN from a jail.

See my message in this list from 2008-04-22 with subject "Re: routing"

Miroslav Lachman
Re: Wildcard IP (INADDR_ANY) should not bind inside a jail [was: Re: Jail resource limits]
Bjoern A. Zeeb wrote:
> On Sun, 25 May 2008, Miroslav Lachman wrote:
>> Hi,
>>
>> Bjoern A. Zeeb wrote:
>>> On Fri, 23 May 2008, Miroslav Lachman wrote:
>>>> [...]
>>>
>>> The person to talk to about implementation/integrations/coordination might be me.
>>
>> As I am searching for and adding some more patches to http://wiki.freebsd.org/Jails, I found "Wildcard IP (INADDR_ANY) should not bind inside a jail". The PR http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 is from year 2005 with a patch for FreeBSD 6.x and as you already have hands on Multi-IPv4/v6/no-IP jails, can you take a look at this patch and try to incorporate it into your work for FreeBSD 7.x / 8.x?
>
> If you look more closely you'll find a bunch of jail patches in PRs. I intend to deal with all of them once I am done, but not before. There are several reasons for this.

I checked the list a few weeks ago. I am aware of all PRs from "problem reports assigned to freebsd-jail@FreeBSD.org" and a few others and I will add them to the wiki page later as time permits.

I am not trying to put any pressure on you or somebody else, but the PR database does not always include information on whether somebody is working on it etc. I just asked you if you have some plans / if you know about this PR. And your answer is positive. ;)

It would be nice if you (and other developers too) could publish more information about what is in progress to this list, so I can put it on the page and update the status of patches or items on the list of ideas.

And thank you for your work!

Miroslav Lachman
Re: Jail resource limits
Peter Ankerstål wrote:
> http://wiki.freebsd.org/JailResourceLimits
> Is this anything people are working on? Is it on its way to RELENG_7? Is there a 7-version of the patch or anything? This would be a _VERY_ useful feature.

Hi,

AFAIK nobody is working on it. A year ago there was a newer release of the patch against CURRENT at that time (FreeBSD 7) [1]
http://www.ualberta.ca/~cdjones/jail-cpumem-current.tgz

I never tested this patch on current, only the version for 6.x, and if the patch for current was made without improvements, it contains the same bugs as the patch for 6.x (eg.: not showing memory usage).

There are some other guys trying to do the same, but I never saw patches published.
Andrew Snow - Jails as a VPS [2]
Alex Lyashkov - Jail2 aka FreeVPS [3a][3b]

Or fixes for C.D. Jones' work:
Chris Thunes - jtune not showing resource usage - fixed [4] (note - attached patch is reversed) [5]

So as you can see, there were some talks about Jail improvements during the one year existence of this mailing list (freebsd-jail@freebsd.org); also it is two years from SoC [6] and we still don't have anything committed to 7.x or to CURRENT. It is sad. There is little attention to jails, only a few people are able to do some coding work etc.

If there is somebody with the skills and time to resurrect some of the mentioned projects, I am willing to help with testing. Also it would be good to have some up-to-date wiki page with all the patches (resource limits, SysV IPC, multiple IPs...) and the status of this work, so people can easily find and try it.

Miroslav Lachman

[1] http://lists.freebsd.org/pipermail/freebsd-jail/2007-June/30.html
[2] http://lists.freebsd.org/pipermail/freebsd-jail/2008-January/000152.html
[3a] http://docs.freevps.com/doku.php?id=freebsd:index
[3b] http://lists.freebsd.org/pipermail/freebsd-arch/2006-June/005293.html
[4] http://lists.freebsd.org/pipermail/freebsd-jail/2007-August/60.html
[5] http://lists.freebsd.org/pipermail/freebsd-jail/2007-September/000101.html
[6] http://wiki.freebsd.org/JailResourceLimits

Other links:
jail services: http://wiki.freebsd.org/AsiaBSDCon_2007_DevSummit?action=AttachFile&do=get&target=jail_services.pdf
kernel level virtualisation requirements: http://lists.freebsd.org/pipermail/freebsd-arch/2007-October/006872.html
Re: Jail resource limits
Alexander Leidinger wrote:
> Quoting Miroslav Lachman (from Thu, 22 May 2008 13:19:55 +0200):
>> Peter Ankerstål wrote:
>>> http://wiki.freebsd.org/JailResourceLimits
>>
>> If there is somebody with the skills and time to resurrect some of the mentioned projects, I am willing to help with testing. Also it would be good to have some up-to-date wiki page with all the patches (resource limits, SysV IPC, multiple IPs...) and the status of this work, so people can easily find and try it.
>
> Are you willing to update the existing wiki page? If yes register to the wiki (default style would be MiroslavLachman as the username) and I give you write access to the page.

OK, I am registered now.

Would you like me to edit the existing JailResourceLimits page or would it be better to create a new general page for Jail(s) similar to the ZFS [1] page with a table of patches and utilities extending the existing jail implementation with a status column, description, authors etc., links to other pages with some useful information and also with some "requests" area of user proposals that we can discuss here and try to find somebody willing to code / implement? ;)

The main goal could be to get more public attention for future Jail work and break the current stagnation of committing existing patches.

Miroslav Lachman

[1] http://wiki.freebsd.org/ZFS
Re: freebsd-update on jails
Jeremie Le Hen wrote:
> Hi Jeffrey,
>
> On Sun, Apr 20, 2008 at 03:49:39PM -0400, Jeffrey Smith wrote:
>> I previously posted a howto to use zfs to manage jails. The first
>
> Could you remind us the URL of this howto please?

It was in this mailing list in March with subject "ZFS Jails Management"

Miroslav Lachman
Re: Updating the kernel
Michel wrote:
> Hello,
>
> I have a box running a 6.2-RELEASE with 3 jails and 6.3 is coming soon. So can I update my kernel (and how) without any trouble for the users in the jails? I know that there is binary compatibility between 6.2 and 6.3 but can I do a source update, make world, make kernel, install kernel, install world, mergemaster and leave the jails unchanged?

You can use a source upgrade, or the brand new binary upgrade
http://www.daemonology.net/blog/2007-11-10-freebsd-minor-version-upgrade.html
http://www.daemonology.net/blog/2007-11-11-freebsd-major-version-upgrade.html

I have a test machine, where I upgraded the host system from 6.2 to 7.0-BETA4 and the Jails are still 6.2. Everything works without any problem. (but this machine is not heavily loaded)

Or if you want, you can upgrade the host kernel and world and then the jails' world.

Miroslav Lachman
Re: User Quota inside jail?
Anton - Valqk wrote:
> Hello Group,
>
> I'm wondering if I can set a quota inside a jail for a user in it.
> For example:
> jail root: /usr/jails/testjail - this is a separate partition mounted with quota support in the jail
> I have user: testuser
> I want to set a quota of 1G for him in his home - /usr/jails/testjail/home/testuser
> is this possible?
>
> I was thinking of making edquota from outside the jail and setting it from there... but I got an error that the uid doesn't exist

You can try a numerical UID instead of someusername from the host system (outside of the jail - I did not test it, so it may or may not work)

Miroslav Lachman