Re: Proposal: automatic jailing of services (rc.d/*) [patch]

2019-02-24 Thread Roger Leigh

On 24/02/2019 10:00, Alexander Leidinger via freebsd-jail wrote:
> Attached is a proof of concept (only lightly tested with
> start/stop/status/restart) so that you can play around with it a little
> bit.


I didn't see any attachment.  Is this an oversight, or did I overlook 
something?



Thanks,
Roger
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"


Re: Jails and IPv6 local loopback

2016-08-27 Thread Roger Leigh

On 28/08/16 00:26, Ernie Luzar wrote:

> Roger Leigh wrote:
>
>> In my case, I haven't set anything related to the loopback interface
>> lo0 for the jail.  The host has working v4 and v6 loopback addresses.
>> The guest has only working v4.  Why not for v6?
>>
>>   interface = "bge0";
>>   ip4.addr = "192.168.1.12";
>>   ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
>>   allow.raw_sockets = "1";
>>
>> is the extent of the configuration.  I specify both v4 and v6
>> addresses on bge0.  I don't specify anything loopback-related, so why
>> is it mapping v4 and not v6?  The discrepancy seems a little odd.
>>
>> Is there a solution to the problem at present?  What would the
>> recommended configuration in jail.conf be for obtaining working v4 and
>> v6 addresses on the loopback interface inside the jail?
>
> Previously you posted this as your jail.conf
>
> bfcpp {
>   host.hostname = "bfcpp.codelibre.net";
>   interface = "bge0";
>   ip4.addr = "192.168.1.12";
>   ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
>   allow.raw_sockets = "1";
>   path = "/jail/bfcpp";
>   mount.devfs;
>   mount.fdescfs;
>   mount.procfs;
>   mount.fstab="/etc/fstab.bfcpp";
>   exec.start = "/bin/sh /etc/rc";
>   exec.stop = "/bin/sh /etc/rc.shutdown";
>   exec.clean;
>   exec.jail_user = "root";
>   exec.system_jail_user;
> }
>
> I see no reason for these
>   mount.fdescfs;
>   mount.procfs;
>   exec.clean;
>   exec.jail_user = "root";
>   exec.system_jail_user;
> not the cause of your problem, just not needed.
>
> You're assuming that ping6 is broken just because it's having a problem
> with localhost.  Try ping6 against some other box on the LAN using its
> IPv6 address.


I'm not assuming that ping6 is broken.  The jail has a working v6 global 
address.  ping6 works fine to other hosts using global addresses, and I 
can SSH into the jail from any v6 system using its AAAA record.


% host bfcpp.codelibre.net
bfcpp.codelibre.net has IPv6 address 2001:8b0:860:ddbd:3aea:a7ff:feab:7002

% ssh bfcpp.codelibre.net
Last login: Sat Aug 27 20:23:24 2016 from 
7.5.2.1.f.5.e.f.f.f.c.4.4.a.2.6.d.b.d.d.0.6.8.0.0.b.8.0.1.0.0.2.ip6.arpa

FreeBSD 11.0-RC2 (GENERIC) #0 r304729: Wed Aug 24 06:59:03 UTC 2016

The fact that global IPv6 networking is functional is not really 
relevant to the question I asked though.


What I can't do is ping6 the *localhost*, which I mentioned purely to 
demonstrate the lack of a working v6 loopback, and hence I can't run v6 
services on the localhost due to missing the v6 loopback.  This is the 
missing functionality I need, and the question I'm asking here which has 
been unanswered is how to enable that.



> You need to define the host's IPv6 address to localhost in the host's
> /etc/hosts file.
>
> You may also have to define the jail's IPv6 address to localhost in
> the jail's /etc/hosts file.


This isn't what I want or need I'm afraid.  I do require the loopback 
working on v6 specifically, and not just a tweak to the localhost 
hostname.  Some of the services to be deployed in the jails run on the 
public interfaces, some on the local loopback, and that type of hack 
wouldn't be acceptable for deployment.


Is it possible to enable v6 loopback on lo0 in the jail using jail.conf?


Regards,
Roger
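The question left open above is what jail.conf should look like to give a non-VNET jail loopback-scoped addresses of both families. The following is an added example, not configuration from Roger's or Ernie's posts and not FreeBSD project documentation. It uses the conventional pattern of a cloned loopback interface on the host (lo1, an assumption; it has to exist before the jail starts, e.g. via cloned_interfaces="lo1" in the host's /etc/rc.conf) and two made-up loopback-only addresses, 127.0.1.12 and the ULA fd00:0:0:1::12. The "interface|address/prefix" list form and the rule that the first address of each family is the fallback source address for unbound sockets are documented in jail(8); the rewriting of 127.0.0.1 to the jail's first IPv4 address is the mapping Ernie describes, and the kernel applies the same rewrite to ::1 against the first IPv6 address, which is why the public addresses are listed first. The thread does not establish whether this changes the ping6 localhost failure; what it does provide is a jail-owned loopback-scoped address per family that a local-only service can bind explicitly instead of relying on localhost.

```conf
# /etc/jail.conf on the host (added example; lo1, 127.0.1.12 and
# fd00:0:0:1::12 are assumptions, not values taken from the thread)
bfcpp {
	host.hostname = "bfcpp.codelibre.net";
	path = "/jail/bfcpp";

	# Each entry is "interface|address/prefix": jail(8) adds the alias to
	# that interface before the jail starts and removes it afterwards, so
	# the per-address interface replaces the global "interface" parameter.
	# Public addresses stay first: the first address of each family is
	# what 127.0.0.1 / ::1 are rewritten to inside the jail and is the
	# fallback source address for unbound sockets.
	ip4.addr = "bge0|192.168.1.12/32, lo1|127.0.1.12/32";
	ip6.addr = "bge0|2001:8b0:860:ddbd:3aea:a7ff:feab:7002/128, lo1|fd00:0:0:1::12/128";

	# Required for ping/ping6 inside the jail, as in the original config.
	allow.raw_sockets = "1";

	mount.devfs;
	mount.fstab = "/etc/fstab.bfcpp";
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

After `service jail restart bfcpp` on the host, `jexec bfcpp ifconfig lo1` should show both aliases, and a service that must not be reachable from outside the jail binds to 127.0.1.12 and fd00:0:0:1::12 explicitly. A service that binds to "localhost" inside the jail will instead land on whichever address is first in each list, so keep the ordering deliberate.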


Re: Jails and IPv6 local loopback

2016-08-27 Thread Roger Leigh

On 27/08/16 23:05, Ernie Luzar wrote:

> Roger Leigh wrote:
>
>> On 27/08/16 17:22, Roger Leigh wrote:
>>
>>> Hi list,
>>>
>>> I saw
>>> https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html
>>> in the archives but didn't see anything more recent.
>>>
>>> This is with 10.3-RELEASE
>>>
>>> [...]

>> And after upgrade to 11.0-RC2:
>>
>> bfcpp% ifconfig
>> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>> options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
>> ether 38:ea:a7:ab:61:53
>> inet 192.168.1.12 netmask 0x broadcast 192.168.1.12
>> inet6 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 prefixlen 128 vhid 3
>> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>> media: Ethernet autoselect (1000baseT )
>> status: active
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>> options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>> bfcpp% ping -c1 localhost
>> PING localhost (127.0.0.1): 56 data bytes
>> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.061 ms
>>
>> --- localhost ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.061/0.061/0.061/0.000 ms
>> bfcpp% ping6 -c1 localhost
>> PING6(56=40+8+8 bytes) 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 --> ::1
>> ping6: sendmsg: Can't assign requested address
>> ping6: wrote localhost 16 chars, ret=-1
>>
>> --- localhost ping6 statistics ---
>> 1 packets transmitted, 0 packets received, 100.0% packet loss


>>> As you can see, inside the jail I have a working IPv4 loopback, but not
>>> a working IPv6 loopback.  Both work correctly on the host system.  This
>>> is inconsistent, and it's breaking stuff which needs the v6 loopback to
>>> be functional.
>>>
>>> Is this a case of a bad default, a misconfiguration or a bug in the
>>> loopback support for jails?
>>
>> Note that 11.0-RC2 shows exactly the same behaviour.



> You are not seeing what you think you are seeing.  jail(8) is mapping the
> loopback interface over the jail's assigned IPv4 address.  It only
> seems reasonable that it's doing the same thing with the IPv6 address.
>
> Check out this PR for more details
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210049


Sorry, I read that, but I'm not sure I understand.  At least, I don't 
understand why a discrepancy between v4 and v6 would be expected or 
reasonable irrespective of any bugs.


In my case, I haven't set anything related to the loopback interface lo0 
for the jail.  The host has working v4 and v6 loopback addresses.  The 
guest has only working v4.  Why not for v6?


  interface = "bge0";
  ip4.addr = "192.168.1.12";
  ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
  allow.raw_sockets = "1";

is the extent of the configuration.  I specify both v4 and v6 addresses 
on bge0.  I don't specify anything loopback-related, so why is it 
mapping v4 and not v6?  The discrepancy seems a little odd.


Is there a solution to the problem at present?  What would the 
recommended configuration in jail.conf be for obtaining working v4 and 
v6 addresses on the loopback interface inside the jail?



Thanks,
Roger


Re: Jails and IPv6 local loopback

2016-08-27 Thread Roger Leigh

On 27/08/16 17:22, Roger Leigh wrote:

> Hi list,
>
> I saw
> https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html
> in the archives but didn't see anything more recent.
>
> This is with 10.3-RELEASE
>
> [...]

And after upgrade to 11.0-RC2:

bfcpp% ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether 38:ea:a7:ab:61:53
inet 192.168.1.12 netmask 0x broadcast 192.168.1.12
inet6 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 prefixlen 128 vhid 3
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT )
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bfcpp% ping -c1 localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.061 ms

--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.061/0.061/0.061/0.000 ms
bfcpp% ping6 -c1 localhost
PING6(56=40+8+8 bytes) 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 --> ::1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1

--- localhost ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss


> As you can see, inside the jail I have a working IPv4 loopback, but not
> a working IPv6 loopback.  Both work correctly on the host system.  This
> is inconsistent, and it's breaking stuff which needs the v6 loopback to
> be functional.
>
> Is this a case of a bad default, a misconfiguration or a bug in the
> loopback support for jails?


Note that 11.0-RC2 shows exactly the same behaviour.


Regards,
Roger


Jails and IPv6 local loopback

2016-08-27 Thread Roger Leigh

Hi list,

I saw 
https://lists.freebsd.org/pipermail/freebsd-jail/2011-March/001500.html 
in the archives but didn't see anything more recent.


This is with 10.3-RELEASE

% freebsd-version
10.3-RELEASE-p6

% jls
   JID  IP Address       Hostname               Path
[...]
     3  192.168.1.12     bfcpp.codelibre.net    /jail/bfcpp
[...]

From jail.conf:

bfcpp {
  host.hostname = "bfcpp.codelibre.net";
  interface = "bge0";
  ip4.addr = "192.168.1.12";
  ip6.addr = "2001:8b0:860:ddbd:3aea:a7ff:feab:7002";
  allow.raw_sockets = "1";
  path = "/jail/bfcpp";
  mount.devfs;
  mount.fdescfs;
  mount.procfs;
  mount.fstab="/etc/fstab.bfcpp";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.clean;
  exec.jail_user = "root";
  exec.system_jail_user;
}

amys% ping -c1 localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.046 ms

--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.046/0.046/0.046/0.000 ms
amys% ping6 -c1 localhost
PING6(56=40+8+8 bytes) ::1 --> ::1
16 bytes from ::1, icmp_seq=0 hlim=64 time=0.252 ms

--- localhost ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.252/0.252/0.252/0.000 ms


Inside this jail:

bfcpp% ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
ether 38:ea:a7:ab:61:53
inet 192.168.1.12 netmask 0x broadcast 192.168.1.12
inet6 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 prefixlen 128
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX )
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bfcpp% ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.056 ms
^C
--- localhost ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.056/0.056/0.056/0.000 ms
bfcpp% ping6 localhost
PING6(56=40+8+8 bytes) 2001:8b0:860:ddbd:3aea:a7ff:feab:7002 --> ::1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1
ping6: sendmsg: Can't assign requested address
ping6: wrote localhost 16 chars, ret=-1
^C
--- localhost ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


As you can see, inside the jail I have a working IPv4 loopback, but not 
a working IPv6 loopback.  Both work correctly on the host system.  This 
is inconsistent, and it's breaking stuff which needs the v6 loopback to 
be functional.


Is this a case of a bad default, a misconfiguration or a bug in the 
loopback support for jails?



Thanks,
Roger