Re: Proposal: automatic jailing of services (rc.d/*) [patch]
On 24/02/2019 10:00, Alexander Leidinger via freebsd-jail wrote:
> Attached is a proof of concept (only lightly tested with
> start/stop/status/restart) so that you can play around with it a little bit.

I didn't see any attachment. Is this an oversight, or did I overlook something?

Thanks,
Roger
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Jails and IPv6 local loopback
On 28/08/16 00:26, Ernie Luzar wrote:
> Roger Leigh wrote:
>> In my case, I haven't set anything related to the loopback interface lo0
>> for the jail. The host has working v4 and v6 loopback addresses. The
>> guest has only working v4. Why not for v6?
>>
>>     interface = "bge0";
>>     ip4.addr = "192.168.1.12";
>>     ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
>>     allow.raw_sockets = "1";
>>
>> is the extent of the configuration. I specify both v4 and v6 addresses
>> on bge0. I don't specify anything loopback-related, so why is it mapping
>> v4 and not v6? The discrepancy seems a little odd.
>>
>> Is there a solution to the problem at present? What would the
>> recommended configuration in jail.conf be for obtaining working v4 and
>> v6 addresses on the loopback interface inside the jail?
>
> Previously you posted this as your jail.conf
>
> bfcpp {
>     host.hostname = "bfcpp.codelibre.net";
>     interface = "bge0";
>     ip4.addr = "192.168.1.12";
>     ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
>     allow.raw_sockets = "1";
>     path = "/jail/bfcpp";
>     mount.devfs;
>     mount.fdescfs;
>     mount.procfs;
>     mount.fstab="/etc/fstab.bfcpp";
>     exec.start = "/bin/sh /etc/rc";
>     exec.stop = "/bin/sh /etc/rc.shutdown";
>     exec.clean;
>     exec.jail_user = "root";
>     exec.system_jail_user;
> }
>
> I see no reason for these
>
>     mount.fdescfs;
>     mount.procfs;
>     exec.clean;
>     exec.jail_user = "root";
>     exec.system_jail_user;
>
> not the cause of your problem, just not needed.
>
> You're assuming that ping6 is broken just because it's having a problem
> with localhost. Try ping6 against some other box on the lan using its
> ipv6 ip address.

I'm not assuming that ping6 is broken. The jail has a working v6 global address. ping6 works fine to other hosts using global addresses, and I can SSH into the jail from any v6 system using its record.

% host bfcpp.codelibre.net
bfcpp.codelibre.net has IPv6 address 2001:8b0:860:ddbd:3aea:a7ff:feab:7002
% ssh bfcpp.codelibre.net
Last login: Sat Aug 27 20:23:24 2016 from 7.5.2.1.f.5.e.f.f.f.c.4.4.a.2.6.d.b.d.d.0.6.8.0.0.b.8.0.1.0.0.2.ip6.arpa
FreeBSD 11.0-RC2 (GENERIC) #0 r304729: Wed Aug 24 06:59:03 UTC 2016

The fact that global IPv6 networking is functional is not really relevant to the question I asked though. What I can't do is ping6 the *localhost*, which I mentioned purely to demonstrate the lack of a working v6 loopback, and hence I can't run v6 services on the localhost due to missing the v6 loopback. This is the missing functionality I need, and the question I'm asking here which has been unanswered is how to enable that.

> You need to define the host's ipv6 ip address to localhost in the host's
> /etc/hosts file. You may also have to define the jail's ipv6 ip address
> to localhost in the jail's /etc/hosts file.

This isn't what I want or need, I'm afraid. I do require the loopback working on v6 specifically, and not just a tweak to the localhost hostname. Some of the services to be deployed in the jails run on the public interfaces, some on the local loopback, and that type of hack wouldn't be acceptable for deployment.

Is it possible to enable v6 loopback on lo0 in the jail using jail.conf?

Regards,
Roger
Re: Jails and IPv6 local loopback
On 27/08/16 23:05, Ernie Luzar wrote:
> Roger Leigh wrote:
>> On 27/08/16 17:22, Roger Leigh wrote:
>>> Hi list,
>>>
>>> I saw
>>> https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html
>>> in the archives but didn't see anything more recent. This is with
>>> 10.3-RELEASE
>>> [...]
>>
>> And after upgrade to 11.0-RC2:
>>
>> bfcpp% ifconfig
>> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>     options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
>>     ether 38:ea:a7:ab:61:53
>>     inet 192.168.1.12 netmask 0x broadcast 192.168.1.12
>>     inet6 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 prefixlen 128 vhid 3
>>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>>     media: Ethernet autoselect (1000baseT )
>>     status: active
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>     options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>> bfcpp% ping -c1 localhost
>> PING localhost (127.0.0.1): 56 data bytes
>> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.061 ms
>>
>> --- localhost ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.061/0.061/0.061/0.000 ms
>> bfcpp% ping6 -c1 localhost
>> PING6(56=40+8+8 bytes) 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 --> ::1
>> ping6: sendmsg: Can't assign requested address
>> ping6: wrote localhost 16 chars, ret=-1
>>
>> --- localhost ping6 statistics ---
>> 1 packets transmitted, 0 packets received, 100.0% packet loss
>>
>>> As you can see, inside the jail I have a working IPv4 loopback, but not
>>> a working IPv6 loopback. Both work correctly on the host system. This
>>> is inconsistent, and it's breaking stuff which needs the v6 loopback to
>>> be functional. Is this a case of a bad default, a misconfiguration or a
>>> bug in the loopback support for jails?
>>
>> Note that 11.0-RC2 shows exactly the same behaviour.
>
> You are not seeing what you think you are seeing. jail(8) is mapping the
> loopback interface over the jail's assigned ipv4 ip address. It only seems
> reasonable that it's doing the same thing with the ipv6 ip address.
>
> Check out this PR for more details
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049

Sorry, I read that, but I'm not sure I understand. At least, I don't understand why a discrepancy between v4 and v6 would be expected or reasonable irrespective of any bugs.

In my case, I haven't set anything related to the loopback interface lo0 for the jail. The host has working v4 and v6 loopback addresses. The guest has only working v4. Why not for v6?

    interface = "bge0";
    ip4.addr = "192.168.1.12";
    ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
    allow.raw_sockets = "1";

is the extent of the configuration. I specify both v4 and v6 addresses on bge0. I don't specify anything loopback-related, so why is it mapping v4 and not v6? The discrepancy seems a little odd.

Is there a solution to the problem at present? What would the recommended configuration in jail.conf be for obtaining working v4 and v6 addresses on the loopback interface inside the jail?

Thanks,
Roger
Re: Jails and IPv6 local loopback
On 27/08/16 17:22, Roger Leigh wrote:
> Hi list,
>
> I saw
> https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html
> in the archives but didn't see anything more recent. This is with
> 10.3-RELEASE
> [...]

And after upgrade to 11.0-RC2:

bfcpp% ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether 38:ea:a7:ab:61:53
    inet 192.168.1.12 netmask 0x broadcast 192.168.1.12
    inet6 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 prefixlen 128 vhid 3
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT )
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bfcpp% ping -c1 localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.061 ms

--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.061/0.061/0.061/0.000 ms
bfcpp% ping6 -c1 localhost
PING6(56=40+8+8 bytes) 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 --> ::1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1

--- localhost ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

> As you can see, inside the jail I have a working IPv4 loopback, but not a
> working IPv6 loopback. Both work correctly on the host system. This is
> inconsistent, and it's breaking stuff which needs the v6 loopback to be
> functional. Is this a case of a bad default, a misconfiguration or a bug
> in the loopback support for jails?

Note that 11.0-RC2 shows exactly the same behaviour.

Regards,
Roger
Jails and IPv6 local loopback
Hi list,

I saw https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html in the archives but didn't see anything more recent. This is with 10.3-RELEASE

% freebsd-version
10.3-RELEASE-p6
% jls
   JID  IP Address      Hostname                      Path
[...]
     3  192.168.1.12    bfcpp.codelibre.net           /jail/bfcpp
[...]

From jail.conf:

bfcpp {
    host.hostname = "bfcpp.codelibre.net";
    interface = "bge0";
    ip4.addr = "192.168.1.12";
    ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
    allow.raw_sockets = "1";
    path = "/jail/bfcpp";
    mount.devfs;
    mount.fdescfs;
    mount.procfs;
    mount.fstab="/etc/fstab.bfcpp";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    exec.jail_user = "root";
    exec.system_jail_user;
}

amys% ping -c1 localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.046 ms

--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.046/0.046/0.046/0.000 ms
amys% ping6 -c1 localhost
PING6(56=40+8+8 bytes) ::1 --> ::1
16 bytes from ::1, icmp_seq=0 hlim=64 time=0.252 ms

--- localhost ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.252/0.252/0.252/0.000 ms

Inside this jail:

bfcpp% ifconfig
bge0: flags=8843metric 0 mtu 1500
    options=c019b
    ether 38:ea:a7:ab:61:53
    inet 192.168.1.12 netmask 0x broadcast 192.168.1.12
    inet6 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 prefixlen 128
    nd6 options=21
    media: Ethernet autoselect (100baseTX )
    status: active
lo0: flags=8049 metric 0 mtu 16384
    options=63
    nd6 options=21
bfcpp% ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.056 ms
^C
--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.056/0.056/0.056/0.000 ms
bfcpp% ping6 localhost
PING6(56=40+8+8 bytes) 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 --> ::1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1
^C
--- localhost ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

As you can see, inside the jail I have a working IPv4 loopback, but not a working IPv6 loopback. Both work correctly on the host system. This is inconsistent, and it's breaking stuff which needs the v6 loopback to be functional. Is this a case of a bad default, a misconfiguration or a bug in the loopback support for jails?

Thanks,
Roger