Re: Jailed X applications

Quoting mal content [EMAIL PROTECTED] (from Fri, 17 Aug 2007 17:00:00 +0100): On 17/08/07, Alexander Leidinger [EMAIL PROTECTED] wrote: Quoting mal content [EMAIL PROTECTED] (from Fri, 17 Aug Has anyone here ever successfully set up a jail for X apps, connecting to an external X server

Re: pam _start: system error

Quoting Kalnz [EMAIL PROTECTED] (from Mon, 27 Aug 2007 12:54:19 +0300): Hi! After installing (in the jail) mysql-server-5.0.45 from ports, I can`t get up and running my mysql server. I have to point out that this problem is only inside the jail. All I have is: 1) clean mysql-server install 2)

Re: freebsd-update on jails

Quoting Jeffrey Smith [EMAIL PROTECTED] (from Sun, 20 Apr 2008 15:49:39 -0400): I previously posted a howto to use zfs to manage jails. The first update through freebsd-update has been released. Testing this I get [snip] But I still get that same error. Does anyone have any idea what

Re: Signal 11 messages showing in all jails?

Quoting Scott Lambert [EMAIL PROTECTED] (from Mon, 19 May 2008 00:17:07 -0500): Is this supposed to happen? FreeBSD 6.2 order.cgi is only installed in one jail on this system, but I see this report in all the jail on that system. The below lines are from the daily security run output for

Re: Signal 11 messages showing in all jails?

Quoting Andrew Snow [EMAIL PROTECTED] (from Mon, 19 May 2008 21:08:38 +1000): Sorry for previous message, it wasn't devfs rules at all that solved this problem. The rules you posted are part of some kind of workaround. The rules didn't include the syslog pipe for kernel messages

Re: is nfs mount inside jail possible?

Quoting Robert Watson [EMAIL PROTECTED] (from Wed, 25 Jun 2008 16:57:17 +0100 (BST)): On Wed, 25 Jun 2008, Alexander Leidinger wrote: Oh: I haven't checked if this actually works. I don't know if all places DTRT then. Normally it should work, but you better test if it really puts the FS

Re: is nfs mount inside jail possible?

Quoting Robert Watson [EMAIL PROTECTED] (from Wed, 25 Jun 2008 17:53:36 +0100 (BST)): I don't know of any specific vulnerabilities that will open up, and I don't have time to read the source code to find them now, but I do promise you that if you allow arbitrary mounting of file systems in

Re: Migration of Jail from one host to another?

Quoting Scott Lambert [EMAIL PROTECTED] (from Wed, 2 Jul 2008 15:22:35 -0500): I'm probably doing this completely wrong. I setup a couple of jails using simple image files because I thought that would make migration to another server more straightforward. I am now trying to migrate my first

Re: samba inside jails [was: jail/broadcast IP [was: ...]]

Quoting Bjoern A. Zeeb [EMAIL PROTECTED] (from Fri, 3 Oct 2008 08:21:53 + (UTC)): 3) In samba it used to be the interfaces = config option that you would set to the (primary) IP of your jail. With the above you should be able to address the samba server inside the jail and

Re: Compilation question 64bit, 32 bit

Quoting Miroslav Lachman [EMAIL PROTECTED] (from Fri, 17 Oct 2008 11:48:03 +0200): Alexander Leidinger wrote: Quoting Jose Amengual [EMAIL PROTECTED] (from Thu, 16 Oct 2008 08:43:15 -0300): Hi Guys. The other day I install a server with jails with FreeBSD 7 32 bit in a 64 bit

Re: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD

Quoting Bjoern A. Zeeb [EMAIL PROTECTED] (from Mon, 1 Dec 2008 09:41:46 + (UTC)): Hi, as you may have already noticed multi-IPv4/v6/no-IP jails have hit HEAD. See commit message attached. Will this introduce changes how multicast is handled in jails, or is it the same behavior as

Re: Switching /etc/rc.d/jail to new syntax (+ new features)

On Sat, 27 Jun 2009 10:47:47 + (UTC) Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net wrote: On Sat, 27 Jun 2009, Alexander Leidinger wrote: at http://www.leidinger.net/FreeBSD/current-patches/jail.diff I have a patch to switch the jail rc script to the new jail (8-current) syntax

Re: Multicast in jail?

Quoting Bill Marquette bill.marque...@ucsecurity.com (from Mon, 6 Jul 2009 20:14:02 -0500 (CDT)): I'm trying to run Avahi in a jail, much the same as Alexander Leidinger in this email from late last year http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00587.html. I couldn't find

Re: Multicast in jail?

Quoting Bjoern A. Zeeb bzeeb-li...@lists.zabbadoz.net (from Tue, 7 Jul 2009 11:08:46 + (UTC)): Alternatively I wouldn't wonder if enabling raw sockets would give Didn't work for me. what you want or you'll wait for virtualization to be ready. As _I_ don't need it on -stable: it's

Re: Best practice to update jails

On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual jose.ameng...@gmail.com wrote: The server is now 7.0 and was wondering what is the best practice to maintain security patches and kernel updates and I came out with the following idea : 1.- freebsd-update fetch install ( host system) 2.-

Re: xorg in jail

Quoting hulibyaka hulibyaka huliby...@gmail.com (from Thu, 8 Oct 2009 22:01:23 +0400): What the difference for restriction on /dev/io between chroot and jail? How can i get all needed by xinit privileges on /dev/io within jail ? There are additional access restrictions in the kernel when

Re: xorg in jail

and when it abortet you can have a look with kdump|less what it tries to do. Bye, Alexander. Thank you, regards On Oct 9, 2009, at 10:45 AM, Alexander Leidinger wrote: Quoting hulibyaka hulibyaka huliby...@gmail.com (from Thu, 8 Oct 2009 22:01:23 +0400): What the difference

starting jails in the background dependencies

Hi, now that jails are started in the background (which is good, to prevent that a broken jail causes a good jail not to start), I have to problem how to express dependencies. Scenario: - several jails on the same machine (via ezjail) - one jail depends on the services of another jail,

Re: starting jails in the background dependencies

Quoting Remko Lodder re...@freebsd.org (from Tue, 5 Jan 2010 11:35:48 +0100): On Tue, January 5, 2010 11:24 am, Alexander Leidinger wrote: On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good

Re: starting jails in the background dependencies

Quoting Miroslav Lachman 000.f...@quip.cz (from Tue, 05 Jan 2010 11:45:34 +0100): Alexander Leidinger wrote: On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good, to I just realized

Re: Importing jails from 7.0, 7.2 to 8.0.

On Mon, 8 Feb 2010 11:29:41 -0800 Jose Amengual M jose.ameng...@gmail.com wrote: My question is : Do I need to reinstall portupgrade and reinstall all ports ? Did I do the proper export and import process ? The jail where running on 7.0 and the basejail dir was from 7.0, now is from

Re: linux-only jail possible?

On Wed, 3 Mar 2010 19:06:36 +0100 Roman Divacky rdiva...@freebsd.org wrote: On Wed, Mar 03, 2010 at 11:59:49AM -0500, John Nielsen wrote: On Wednesday 03 March 2010 03:00:50 Roman Divacky wrote: I succesfully ran chroot of linux environment on freebsd back in 2007/2008. I firmly believe

Re: starting jails in the background dependencies

On Tue, 5 Jan 2010 11:24:47 +0100 Alexander Leidinger alexan...@leidinger.net wrote: On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger alexan...@leidinger.net wrote: Hi, now that jails are started in the background (which is good, to I just realized yesterday that it also stops

RE: Strange things happening with jails?? Not starting up on boot or services not running inside!

Quoting Andrew Hotlab andrew.hot...@hotmail.com (from Thu, 3 Jun 2010 22:04:44 +): I've never had to make Squid listening on port 80, but referring its startup script in /usr/local/etc/rc.d/: # squid_user: The user id that should be used to run the Squid master #

Re: Thoughts on jail.config

Quoting James O'Gorman ja...@netinertia.co.uk (from Mon, 28 Jun 2010 23:40:21 +0100): On 28 Jun 2010, at 16:38, Jamie Gritton wrote: On 06/28/10 08:41, Rodrigo Mosconi wrote: An idea: if it works like a jaild? A daemon management the start-up, shutdown, console redirection? All the

Re: Fwd: X11 in a jail (was: Re: NFS mount inside jail fails)

Quoting Alexander Leidinger alexan...@leidinger.net (from Fri, 27 May 2011 09:43:08 +0200): Quoting Doug Ambrisko ambri...@ambrisko.com (from Thu, 26 May 2011 10:36:24 -0700 (PDT)): Alexander Leidinger writes: | Just to make sure we talk about the same things: | Did you configure the X

Re: Exposing a hierarchy of ZFS datasets inside multiple jails

On Fri, 17 Jun 2011 14:46:59 -0400 Lars Kellogg-Stedman l...@seas.harvard.edu wrote: Hello all, Hi there, I am trying to expose a hierarchy of home directories to a number of FreeBSD jails. The home directories are configured such that each is a unique ZFS dataset. The jails are used for

Re: ezjail and UPDATING20131010

On Fri, 11 Oct 2013 15:42:11 -0500 Mark Felder f...@freebsd.org wrote: On Fri, Oct 11, 2013, at 14:30, Dirk Engling wrote: On 11.10.13 21:27, wishmaster wrote: Yeah!? But do you think updating python in each jail this is the right solution? Freebsd-update in each jail?? What about

Re: timerfd in FreeBSD jail?

Quoting "Martin \"eto\" Misuth" (from Tue, 6 Sep 2016 16:07:31 +0200): On Tue, 6 Sep 2016 13:19:13 + Grzegorz Junka wrote: How would I know that this is not implemented in the linux emulation layer rather than disabled on the host? I would be

Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

Quoting SK <fbsta...@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +): On 16/12/2016 13:15, Alexander Leidinger wrote: For one of the filesystems I have set "zfs allow" permissions, but just that a specific user in the jail can do something on those FS without th

Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016 13:20:31 +0100): Alexander Leidinger wrote on 2016/12/17 19:59: Quoting SK <fbsta...@cps-intl.org> (from Fri, 16 Dec 2016 14:02:20 +): If I understand you correctly, what you are suggesting is, the

Re: ZFS and Jail :: nullfs mount :: nothing visible from host :: solved [partial]

Quoting Miroslav Lachman <000.f...@quip.cz> (from Mon, 19 Dec 2016 18:57:39 +0100): Alexander Leidinger wrote on 2016/12/19 17:56: Quoting Miroslav Lachman <000.f...@quip.cz> (from Sun, 18 Dec 2016 13:20:31 +0100): Alexander Leidinger wrote on 2016/12/17 19:59: Quoting SK &

Re: IP address assignments to jails using ezjail

Quoting "James B. Byrne via freebsd-jail" (from Fri, 23 Dec 2016 09:33:17 -0500): I am experimenting with jails on a bhyve vm guest running FBSD-11.0 using ezjail. I am having a problem with network connections to the outside from within the jail. I have sshd

Re: does anyone use these any more?

Quoting Oleg Ginzburg (from Thu, 13 Sep 2018 18:45:51 +0300): With persist mode, CBSD created jail in follow scenario: 1) jail -c (create jail) in persist mode ( with empty exec.start script ) 2) exec inside jail something (zfs attach, /sbin/ifconfig ... ), what you need to do before

Re: injecting vars into rc-service-scripts at jail-start?

Quoting Jens Schweikhardt (from Fri, 1 Apr 2022 14:26:27 +0200 (CEST)): Identifier confusion? You use _rc_svcs and _rc_svcj in your description. Typo s/svcs/svcj/ in the explanation. The diff/code has the vars correct (svcj) and the conditional and the setting are close to each

injecting vars into rc-service-scripts at jail-start?

Hi, I'm overlooking something fundamental it seems... Context: I'm working on my auto-jailing of services idea: if the auto-jail is enabled, a service like syslog is started inside a jail (which inherits the FS and depending on some settings also inherits network and other stuff or not).

Auto-jailing of services - 2nd implementation

Hi, attached is a new implementation of service jails (auto-jailing of services). This one now supports rc command prefixes (e.g. onestart) and I tested it in nested jails. The benefit of auto-jailing services is, that you can apply some restrictions to services (and what other processes

Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls

Hi, I'm trying to debug an issue with pinentry-tty. The reason is that I want to export a gpg secret key, but it fails when the gpg-agent tries to ask for the PW. An alternative way to export the key works, but the main way should work too. So I took the time now to dig deeper. This is

Re: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls

Am 2023-09-22 14:02, schrieb Konstantin Belousov: On Fri, Sep 22, 2023 at 01:44:33PM +0200, Alexander Leidinger wrote: Hi, I'm trying to debug an issue with pinentry-tty. The reason is that I want to export a gpg secret key, but it fails when the gpg-agent tries to ask for the PW

Re: Auto-jailing of services - 2nd implementation

Quoting FreeBSD User (from Sun, 15 May 2022 12:49:06 +0200): On Sun, 03 Apr 2022 21:48:42 +0200 Alexander Leidinger wrote: Hi, attached is a new implementation of service jails (auto-jailing of services). This one now supports rc command prefixes (e.g. onestart) and I tested it in nested

Re: What's going on with vnets and epairs w/ addresses?

Quoting "Bjoern A. Zeeb" (from Tue, 13 Dec 2022 23:03:42 + (UTC)): Hi, I have used scripts like the below for almost a decade and a half (obviously doing more than that in the middle). I haven't used them much lately but given other questions I just wanted to fire up a test. I have

Re: enforce_statfs showing leading path

Hi. You see the dataset name of zfs without stripping. The mount point is correctly stripped. I don't remember how this looks on ufs. With jailed datasets we would need more than just some code to remove parts of the name. So it's a doc bug (clarity about mount points and dataset names) and

Proposal: automatic jailing of services (rc.d/*) [patch]

Hi, Thanks to MWL for his upcoming jail book, it inspired me to come up with this. Note, I'm not subscribed to freebsd-rc, please keep at least jail@ in copy (I'm subscribed there). I propose to extend the rc system to automatically jail services in a light sense (off by default, can be

Re: Proposal: automatic jailing of services (rc.d/*) [patch]

http://www.leidinger.net/FreeBSD/current-patches/rc_svc_jails.diff -- Send from a mobile device, please forgive brevity and misspellings. Am 24. Februar 2019 9:48:19 nachm. schrieb Miroslav Lachman <000.f...@quip.cz>: Alexander Leidinger via freebsd-jail wrote on 2019/02/24

panic on epair destroy in current as of r349853, jail related

Hi, I updated from r347365 to r349853. Now I get a panic on epair destroy (one end needs to be in a jail, and inside the jail an IP address needs to be assigned to the epair. If no ifconfig is used inside the jail, there is no panic. Another user reported something similar (but for him

Re: FreeBSD 12.1, vnet jail, and internet access

Quoting Dan Langille (from Tue, 30 Jun 2020 21:02:24 -0400): On Tue, Jun 30, 2020, at 8:30 PM, Ernie Luzar wrote: I think I have determined what your talking about. All the vnet literature talks about a vnet jail having it's own separate ip stack. I interpreted this to mean that the vnet

Re: Running GUI applications in jails

Quoting squiggly foo (from Fri, 05 Jun 2020 15:10:05 -0500): Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again. Hi All, I'm using FreeBSD as a workstation trying to keep everything as lightweight and segregated as possible. So I am running GUI

Re: Running GUI applications in jails

Quoting squiggly foo (from Mon, 08 Jun 2020 21:35:23 -0500): Hi Alexander, You seem to have a lot of experience with X11 so I'm happy to hear your advice. To answer your first question about where the graphical output needs to happen: I am not sure I am understanding your question,

Re: vnet jail for local only or public access

Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400): Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host IE: local only vnet jails. As different to being able to access the public internet type of

Re: vnet jail for local only or public access

Quoting Ernie Luzar (from Fri, 17 Jul 2020 16:31:53 -0400): Alexander Leidinger wrote: Quoting Ernie Luzar (from Fri, 17 Jul 2020 08:46:07 -0400): Trying to figure out how to configure a vnet jail so it is restricted to only being able to talk to other vnet jails on the same host IE

Re: /etc/jail.d (or jail.conf.d)

Quoting Kyle Evans (from Thu, 10 Dec 2020 12:44:27 -0600): Currently it adds an /etc/jail.d, but the point was raised that we have a mixture of these with different naming conventions and that /etc/jail.conf.d may be better -- I'm inclined to agree since I would prefer jail.conf.d. Also,

FYI: OCI-compatible runtime for FreeBSD jails

Hi, it seems someone is working on a OCI-compatible runtime for jails: https://github.com/samuelkarp/runj I stumbled over this and thought maybe someone here is interested enough to help the author... Bye, Alexander. -- http://www.Leidinger.net alexan...@leidinger.net: PGP