Re: HOWTO monitor changes in installed packages within jails?
On 20.07.2013, at 18:34, Michael Grimm trash...@odo.in-berlin.de wrote:
On 20.07.2013, at 14:53, Matthew Seaman m.sea...@infracaninophile.co.uk
wrote:
On 20/07/2013 12:09, Michael Grimm wrote:
I did migrate to pkgng some month ago, and ever since I am curious
how to monitor changes in installed packages within jails. I am
looking for a functionality/port that works like 490.status-
pkg-changes for my host.
Question: is there any functionality within the periodic system or a
port that I might have missed to find?
You can't just run 490.status-pkg-changes directly in your jail?
Yes, I can ;-)
But! I do have a lot of service jails running at my host, thus I would like
to omit modifying every jail's /etc/periodic.conf adding:
| daily_status_pkg_changes_enable=YES# Show package changes
| pkg_info=pkg info # Use this program
Try this patch:
Thanks for that approach, namely adding pkg -j jailname info for every jail
running. Due to my amount of jails I might need to add some looping over jls
-N output instead of adding a lot of $daily_status_pkg_changes_flags.
I was hoping that I could omit programming that functionality myself, but I
might need to do so.
I ended up in adding:
--- snip
--- /usr/src/etc/periodic/daily/490.status-pkg-changes 2013-04-03
17:59:35.894705550 +0200
+++ /etc/periodic/daily/490.status-pkg-changes 2013-07-23 20:19:27.833641916
+0200
@@ -32,6 +32,24 @@
diff -U 0 $bak/pkg_info.bak2 $bak/pkg_info.bak \
| grep '^[-+][^-+]' | sort -k 1.2
fi
+
+# added jail(s) support
+#
+ for jname in `jls -N | grep -v JID | awk '{print $1}'`; do
+ if [ -f $bak/pkg_info_${jname}.bak ]; then
+ mv -f $bak/pkg_info_${jname}.bak
$bak/pkg_info_${jname}.bak2
+ fi
+ jexec ${jname} ${pkg_info:-/usr/sbin/pkg_info}
$bak/pkg_info_${jname}.bak
+
+ cmp -sz $bak/pkg_info_${jname}.bak
$bak/pkg_info_${jname}.bak2
+ if [ $? -eq 1 ]; then
+ echo
+ echo Changes in installed packages (jail
${jname}):
+ diff -U 0 $bak/pkg_info_${jname}.bak2
$bak/pkg_info_${jname}.bak \
+ | grep '^[-+][^-+]' | sort -k 1.2
+ fi
+ done
+
fi
;;
--- snip
Not perfect, really, but working at my side.
Michael
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
HOWTO monitor changes in installed packages within jails?
Hi -- I did migrate to pkgng some month ago, and ever since I am curious how to monitor changes in installed packages within jails. I am looking for a functionality/port that works like 490.status-pkg-changes for my host. Question: is there any functionality within the periodic system or a port that I might have missed to find? Thanks in advance and with kind regards, Michael ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: HOWTO monitor changes in installed packages within jails?
On 20/07/2013 12:09, Michael Grimm wrote:
I did migrate to pkgng some month ago, and ever since I am curious
how to monitor changes in installed packages within jails. I am
looking for a functionality/port that works like 490.status-
pkg-changes for my host.
Question: is there any functionality within the periodic system or a
port that I might have missed to find?
You can't just run 490.status-pkg-changes directly in your jail?
Try this patch:
lucid-nonsense:/tmp:% diff -u 490.status-pkg-changes{.orig,}
--- 490.status-pkg-changes.orig 2013-07-20 13:43:44.306303775 +0100
+++ 490.status-pkg-changes 2013-07-20 13:44:42.055327506 +0100
@@ -10,7 +10,7 @@
case $daily_status_pkg_changes_enable in
[Yy][Ee][Ss])
- pkgcmd=/usr/local/sbin/pkg
+ pkgcmd=/usr/local/sbin/pkg $daily_status_pkg_changes_flags
echo
echo 'Changes in installed packages:'
Then add something like the following to /etc/periodic.conf:
daily_status_pkg_changes_flags='-j jailname'
Of course, this only lets you monitor changes in one jail at a time.
You can cover more by copying the script and changing its name eg.
sed -e 's/daily_status_pkg_changes/daily_status_pkg_changes2/g' \
490.status-pkg-changes 490.status-pkg-changes2
Then add appropriate daily_status_pkg_changes2_flags='-j otherjail'
settings to periodic.conf
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
signature.asc
Description: OpenPGP digital signature
Re: HOWTO monitor changes in installed packages within jails?
On 20.07.2013, at 14:53, Matthew Seaman m.sea...@infracaninophile.co.uk wrote: On 20/07/2013 12:09, Michael Grimm wrote: I did migrate to pkgng some month ago, and ever since I am curious how to monitor changes in installed packages within jails. I am looking for a functionality/port that works like 490.status- pkg-changes for my host. Question: is there any functionality within the periodic system or a port that I might have missed to find? You can't just run 490.status-pkg-changes directly in your jail? Yes, I can ;-) But! I do have a lot of service jails running at my host, thus I would like to omit modifying every jail's /etc/periodic.conf adding: | daily_status_pkg_changes_enable=YES# Show package changes | pkg_info=pkg info # Use this program Try this patch: Thanks for that approach, namely adding pkg -j jailname info for every jail running. Due to my amount of jails I might need to add some looping over jls -N output instead of adding a lot of $daily_status_pkg_changes_flags. I was hoping that I could omit programming that functionality myself, but I might need to do so. Thanks for your input and with kind regards, Michael ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: netgraph network setup for jail(8) vnet jails.
Teske, Devin wrote: snip... I rendered your output by saving it in a file (joe.dot) and then running: dot -Tsvg -o joe.svg joe.dot I then uploaded joe.svg to my website: http://druidbsd.sf.net/download/joe.svg Compare your output to any of the following: http://druidbsd.sf.net/download/warden0.jbsd.svg http://druidbsd.sourceforge.net/download/folsom.svg It looks like everything is connected properly. A couple thoughts off the top of my head: a. Did you enable promiscuous mode on rl0 via ngctl? (in your script perhaps?) b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl too, but I imagine ifconfig from within the jail could achieve the same thing) -- Devin Yes I enabled promiscuous mode and setautosrc 0 on rl0 via ngctl. I can find no documentation on why this is done. Can you point me to some? Yes I gave the jail a unique MAC address. I tried to generate my own network map, but having problem. ngctl dot file.dot works. dot -Tsvg -o file.svg file.dot gives me command dot not found. Tried ngctl dot -Tsvg -o file.svg file.dot and -T is illegal option. What am I doing wrong? Thanks for your help Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: netgraph network setup for jail(8) vnet jails.
On Thu, 23 May 2013 09:42-0400, Joe wrote: Teske, Devin wrote: snip... I rendered your output by saving it in a file (joe.dot) and then running: dot -Tsvg -o joe.svg joe.dot I then uploaded joe.svg to my website: http://druidbsd.sf.net/download/joe.svg Compare your output to any of the following: http://druidbsd.sf.net/download/warden0.jbsd.svg http://druidbsd.sourceforge.net/download/folsom.svg It looks like everything is connected properly. A couple thoughts off the top of my head: a. Did you enable promiscuous mode on rl0 via ngctl? (in your script perhaps?) b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl too, but I imagine ifconfig from within the jail could achieve the same thing) -- Devin Yes I enabled promiscuous mode and setautosrc 0 on rl0 via ngctl. I can find no documentation on why this is done. Can you point me to some? Yes I gave the jail a unique MAC address. I tried to generate my own network map, but having problem. ngctl dot file.dot works. dot -Tsvg -o file.svg file.dot gives me command dot not found. Please install graphics/graphviz, either from ports or from packages. Tried ngctl dot -Tsvg -o file.svg file.dot and -T is illegal option. What am I doing wrong? Thanks for your help Joe -- +---++ | Vennlig hilsen, | Best regards, | | Trond Endrestøl, | Trond Endrestøl, | | IT-ansvarlig, | System administrator, | | Fagskolen Innlandet, | Gjøvik Technical College, Norway, | | tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, | | sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. | +---++___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
netgraph network setup for jail(8) vnet jails.
Hello list
I cant get to the internet using this netgraph setup script.
I sure would appreciate giving this console log a look over for
errors. My netgraph knowledge level is not sufficient to see what is
wrong. The goal is to run this script to setup and break down a netgraph
network for a single vnet jail at a time. rl0 is the real nic interface
device name of the nic facing the internet. This box is on my lan and
the gateway box does NAT for all lan boxes. The host running this script
can ping the internet ok.
Thank you very much for your help.
The host's kernel has modules with vimage ipfw compiled in.
From the host
# /root ifconfig
rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu
options=2008VLAN_MTU,WOL_MAGIC
ether 00:0c:6e:09:8b:74
inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
media: Ethernet autoselect (100baseTX full-duplex)
status: active
plip0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST metric 0 mtu 1500
nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
ipfw0: flags=8801UP,SIMPLEX,MULTICAST metric 0 mtu 65536
nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST metric 0 mtu 16384
options=63RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
inet 127.0.0.1 netmask 0xff00
nd6 options=21PERFORMNUD,AUTO_LINKLOCAL
The jails config file
# /root cat /usr/local/etc/vnet/vdir4
vdir4 {
host.hostname = vdir4;
path= /usr/jails/vdir4;
mount.fstab = /usr/local/etc/fstab/vdir4;
vnet;
persist;
}
The netgraph script
# /root cat /usr/local/bin/vnet.ng.test
#!/bin/sh
# snip comments for displaying here
# This script is based on this /usr/share/examples/netgraph/virtual.lan
# Give the name of ethernet interface.
ETHER_INTF=rl0
# List the names of virtual nodes and their IP addresses. Use ':'
# character to separate node name from node IP address and netmask.
#TARGET_TOPOLOGY=c1|10.0.2.20/24 c2|10.0.2.21/24 c3|10.0.2.22/24
TARGET_TOPOLOGY=vdir4|10.0.2.20/24
# MAC manufacturer prefix. This can be modified according to needs.
MAC_PREFIX=00:1d:92
# Temporary file is important for proper execution of script.
TEMP_FILE=/var/tmp/virtual.lan.tmp
virtual_lan_start() {
# Load netgraph KLD's as necessary.
for KLD in ng_ether ng_bridge ng_eiface; do
if ! kldstat -v | grep -qw ${KLD}; then
echo -n Loading ${KLD}.ko...
kldload ${KLD} || exit 1
echo done
fi
done
# Reset all interfaces and jails. If temporary file can not be found
# script assumes that there is no previous configuration.
if [ ! -e ${TEMP_FILE} ]; then
echo No previous configuration(${TEMP_FILE}) found to clean-up.
else
echo -n Cleaning previous configuration...
virtual_lan_stop
echo done
fi
# Create temporary file for usage. This file includes generated
# interface names and jail names. All bridges, interfaces and jails
# are written to file while created. In clean-up process written
# objects are cleaned (i.e. removed) from system.
if [ -e ${TEMP_FILE} ]; then
touch ${TEMP_FILE}
fi
echo -n Verifying ethernet interface existence...
# Verify ethernet interface exist.
if ! ngctl info ${ETHER_INTF}: /dev/null 21; then
echo Error: interface ${ETHER_INTF} does not exist
exit 1
fi
ifconfig ${ETHER_INTF} up || exit 1
echo done
# Get current number of bridge interfaces in the system. This number
# is used to create a name for new bridge.
BRIDGE_COUNT=`ngctl l | grep bridge | wc -l | sed -e s/ //g`
BRIDGE_NAME=bridge${BRIDGE_COUNT}
# Create new ng_bridge(4) node and attach it to the ethernet interface.
# Connect ng_ether:lower hook to bridge:link0 when creating bridge and
# connect ng_ether:upper hook to bridge:link1 after bridge name is set.
echo Creating bridge interface: ${BRIDGE_NAME}...
ngctl mkpeer ${ETHER_INTF}: bridge lower link0 || exit 1
ngctl name ${ETHER_INTF}:lower ${BRIDGE_NAME} || exit 1
ngctl connect ${ETHER_INTF}: ${BRIDGE_NAME}: upper link1 || exit 1
echo Bridge ${BRIDGE_NAME} is created and ${ETHER_INTF} is connected.
# In the above code block two hooks are connected to bridge interface,
# therefore LINKNUM is set to 2 indicating total number of connected
# hooks on the bridge interface.
LINKNUM=2
# Write name of the bridge to temp file. Clean-up procedure will use
# this name to shutdown bridge interface.
echo bridge ${BRIDGE_NAME} ${TEMP_FILE}
# Attach vnet jail.
for NODE in ${TARGET_TOPOLOGY}; do
# Virtual nodes are defined in TARGET_TOPOLOGY variable. They
# have the form of 'nodeName|IPaddr'. Below two lines split
# node definition to get node name and node IP.
NODE_NAME=`echo ${NODE} | awk -F| '{print $1}'`
NODE_IP=`echo ${NODE} | awk -F| '{print $2}'`
# Create virtual node (jail) with given
Re: netgraph network setup for jail(8) vnet jails.
Sorry for top-post, but just wanted to add a quick note:
The output of ngctl dot would be very helpful to others in debugging your
setup.
--
Devin
On May 18, 2013, at 8:38 AM, Joe wrote:
Hello list
I cant get to the internet using this netgraph setup script.
I sure would appreciate giving this console log a look over for
errors. My netgraph knowledge level is not sufficient to see what is
wrong. The goal is to run this script to setup and break down a netgraph
network for a single vnet jail at a time. rl0 is the real nic interface
device name of the nic facing the internet. This box is on my lan and
the gateway box does NAT for all lan boxes. The host running this script can
ping the internet ok.
Thank you very much for your help.
The host's kernel has modules with vimage ipfw compiled in.
From the host
# /root ifconfig
rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu
options=2008VLAN_MTU,WOL_MAGIC
ether 00:0c:6e:09:8b:74
inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
media: Ethernet autoselect (100baseTX full-duplex)
status: active
plip0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST metric 0 mtu 1500
nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
ipfw0: flags=8801UP,SIMPLEX,MULTICAST metric 0 mtu 65536
nd6 options=29PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST metric 0 mtu 16384
options=63RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
inet 127.0.0.1 netmask 0xff00
nd6 options=21PERFORMNUD,AUTO_LINKLOCAL
The jails config file
# /root cat /usr/local/etc/vnet/vdir4
vdir4 {
host.hostname = vdir4;
path= /usr/jails/vdir4;
mount.fstab = /usr/local/etc/fstab/vdir4;
vnet;
persist;
}
The netgraph script
# /root cat /usr/local/bin/vnet.ng.test
#!/bin/sh
# snip comments for displaying here
# This script is based on this /usr/share/examples/netgraph/virtual.lan
# Give the name of ethernet interface.
ETHER_INTF=rl0
# List the names of virtual nodes and their IP addresses. Use ':'
# character to separate node name from node IP address and netmask.
#TARGET_TOPOLOGY=c1|10.0.2.20/24 c2|10.0.2.21/24 c3|10.0.2.22/24
TARGET_TOPOLOGY=vdir4|10.0.2.20/24
# MAC manufacturer prefix. This can be modified according to needs.
MAC_PREFIX=00:1d:92
# Temporary file is important for proper execution of script.
TEMP_FILE=/var/tmp/virtual.lan.tmp
virtual_lan_start() {
# Load netgraph KLD's as necessary.
for KLD in ng_ether ng_bridge ng_eiface; do
if ! kldstat -v | grep -qw ${KLD}; then
echo -n Loading ${KLD}.ko...
kldload ${KLD} || exit 1
echo done
fi
done
# Reset all interfaces and jails. If temporary file can not be found
# script assumes that there is no previous configuration.
if [ ! -e ${TEMP_FILE} ]; then
echo No previous configuration(${TEMP_FILE}) found to clean-up.
else
echo -n Cleaning previous configuration...
virtual_lan_stop
echo done
fi
# Create temporary file for usage. This file includes generated
# interface names and jail names. All bridges, interfaces and jails
# are written to file while created. In clean-up process written
# objects are cleaned (i.e. removed) from system.
if [ -e ${TEMP_FILE} ]; then
touch ${TEMP_FILE}
fi
echo -n Verifying ethernet interface existence...
# Verify ethernet interface exist.
if ! ngctl info ${ETHER_INTF}: /dev/null 21; then
echo Error: interface ${ETHER_INTF} does not exist
exit 1
fi
ifconfig ${ETHER_INTF} up || exit 1
echo done
# Get current number of bridge interfaces in the system. This number
# is used to create a name for new bridge.
BRIDGE_COUNT=`ngctl l | grep bridge | wc -l | sed -e s/ //g`
BRIDGE_NAME=bridge${BRIDGE_COUNT}
# Create new ng_bridge(4) node and attach it to the ethernet interface.
# Connect ng_ether:lower hook to bridge:link0 when creating bridge and
# connect ng_ether:upper hook to bridge:link1 after bridge name is set.
echo Creating bridge interface: ${BRIDGE_NAME}...
ngctl mkpeer ${ETHER_INTF}: bridge lower link0 || exit 1
ngctl name ${ETHER_INTF}:lower ${BRIDGE_NAME} || exit 1
ngctl connect ${ETHER_INTF}: ${BRIDGE_NAME}: upper link1 || exit 1
echo Bridge ${BRIDGE_NAME} is created and ${ETHER_INTF} is connected.
# In the above code block two hooks are connected to bridge interface,
# therefore LINKNUM is set to 2 indicating total number of connected
# hooks on the bridge interface.
LINKNUM=2
# Write name of the bridge to temp file. Clean-up procedure will use
# this name to shutdown bridge interface.
echo bridge ${BRIDGE_NAME} ${TEMP_FILE}
# Attach vnet jail.
for NODE in ${TARGET_TOPOLOGY}; do
# Virtual nodes are defined
Re: netgraph network setup for jail(8) vnet jails.
Teske, Devin wrote:
Sorry for top-post, but just wanted to add a quick note:
The output of ngctl dot would be very helpful to others in debugging your
setup.
graph netgraph {
edge [ weight = 1.0 ];
node [ shape = record, fontsize = 12 ] {
1 [ label = {rl0:|{ether|[1]:}} ];
5 [ label = {bridge0:|{bridge|[5]:}} ];
9 [ label = {ngeth0:|{eiface|[9]:}} ];
e [ label = {ngctl2355:|{socket|[e]:}} ];
};
subgraph cluster_disconnected {
bgcolor = pink;
e;
};
node [ shape = octagon, fontsize = 10 ] {
1.upper [ label = upper ];
1.lower [ label = lower ];
};
{
edge [ weight = 2.0, style = bold ];
1 -- 1.upper;
1 -- 1.lower;
};
node [ shape = octagon, fontsize = 10 ] {
5.link2 [ label = link2 ];
5.link1 [ label = link1 ];
5.link0 [ label = link0 ];
};
{
edge [ weight = 2.0, style = bold ];
5 -- 5.link2;
5 -- 5.link1;
5 -- 5.link0;
};
5.link1 -- 1.upper;
5.link0 -- 1.lower;
node [ shape = octagon, fontsize = 10 ] {
9.ether [ label = ether ];
};
{
edge [ weight = 2.0, style = bold ];
9 -- 9.ether;
};
9.ether -- 5.link2;
};
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: netgraph network setup for jail(8) vnet jails.
On May 18, 2013, at 5:51 PM, Joe wrote:
Teske, Devin wrote:
Sorry for top-post, but just wanted to add a quick note:
The output of ngctl dot would be very helpful to others in debugging your
setup.
graph netgraph {
edge [ weight = 1.0 ];
node [ shape = record, fontsize = 12 ] {
1 [ label = {rl0:|{ether|[1]:}} ];
5 [ label = {bridge0:|{bridge|[5]:}} ];
9 [ label = {ngeth0:|{eiface|[9]:}} ];
e [ label = {ngctl2355:|{socket|[e]:}} ];
};
subgraph cluster_disconnected {
bgcolor = pink;
e;
};
node [ shape = octagon, fontsize = 10 ] {
1.upper [ label = upper ];
1.lower [ label = lower ];
};
{
edge [ weight = 2.0, style = bold ];
1 -- 1.upper;
1 -- 1.lower;
};
node [ shape = octagon, fontsize = 10 ] {
5.link2 [ label = link2 ];
5.link1 [ label = link1 ];
5.link0 [ label = link0 ];
};
{
edge [ weight = 2.0, style = bold ];
5 -- 5.link2;
5 -- 5.link1;
5 -- 5.link0;
};
5.link1 -- 1.upper;
5.link0 -- 1.lower;
node [ shape = octagon, fontsize = 10 ] {
9.ether [ label = ether ];
};
{
edge [ weight = 2.0, style = bold ];
9 -- 9.ether;
};
9.ether -- 5.link2;
};
I rendered your output by saving it in a file (joe.dot) and then running:
dot -Tsvg -o joe.svg joe.dot
I then uploaded joe.svg to my website:
http://druidbsd.sf.net/download/joe.svg
Compare your output to any of the following:
http://druidbsd.sf.net/download/warden0.jbsd.svg
http://druidbsd.sourceforge.net/download/folsom.svg
It looks like everything is connected properly.
A couple thoughts off the top of my head:
a. Did you enable promiscuous mode on rl0 via ngctl? (in your script perhaps?)
b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl
too, but I imagine ifconfig from within the jail could achieve the same thing)
--
Devin
_
The information contained in this message is proprietary and/or confidential.
If you are not the intended recipient, please: (i) delete the message and all
copies; (ii) do not disclose, distribute or use the message in any manner; and
(iii) notify the sender immediately. In addition, please be aware that any
message addressed to our domain is subject to archiving and review by persons
other than the intended recipient. Thank you.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
2013/5/14 Joe fb...@a1poweruser.com:
David Demelier wrote:
Le lundi 13 mai 2013 16:32:01 Joe a écrit :
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try
to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
My real problem is that I wanted to add allow.sysvipc only for *one* jail
and I can't find a real solution by jail_* flags in /etc/rc.conf
There is jail_allow_sysvipc but it enable it for all jails.
The jail(8) method does have a allow_sysvipc on a per jail basis. To use it
you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
in process to incorporate the jail(8) parameters into the rc.conf config
statements.
About the allow_sysvipc parameter, this breaks the security the jail is
designed to provide and should NOT be used on any jails having public
internet access.
What are you trying to do that you think you need to use the allow_sysvipc
parameter?
PostgreSQL, usually I install it on the host instead of jails, but I
needed a second instance on a different port for a public access..
Regards,
--
Demelier David
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
David Demelier wrote:
2013/5/14 Joe fb...@a1poweruser.com:
David Demelier wrote:
Le lundi 13 mai 2013 16:32:01 Joe a écrit :
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try
to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
My real problem is that I wanted to add allow.sysvipc only for *one* jail
and I can't find a real solution by jail_* flags in /etc/rc.conf
There is jail_allow_sysvipc but it enable it for all jails.
The jail(8) method does have a allow_sysvipc on a per jail basis. To use it
you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
in process to incorporate the jail(8) parameters into the rc.conf config
statements.
About the allow_sysvipc parameter, this breaks the security the jail is
designed to provide and should NOT be used on any jails having public
internet access.
What are you trying to do that you think you need to use the allow_sysvipc
parameter?
PostgreSQL, usually I install it on the host instead of jails, but I
needed a second instance on a different port for a public access..
Regards,
--
Demelier David
That all sounds logical and is what jails are designed to do.
Why would running PostgreSQL in a jail need sysvipc?
Have you tried it? Did you get some PostgreSQL error?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
On 05/14/2013 8:20 am, Joe wrote:
David Demelier wrote:
2013/5/14 Joe fb...@a1poweruser.com:
David Demelier wrote:
Le lundi 13 mai 2013 16:32:01 Joe a écrit :
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try
to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
My real problem is that I wanted to add allow.sysvipc only for *one*
jail
and I can't find a real solution by jail_* flags in /etc/rc.conf
There is jail_allow_sysvipc but it enable it for all jails.
The jail(8) method does have a allow_sysvipc on a per jail basis. To
use it
you have to use the jail(8) method. The 9.1-RELEASE legacy method is a
work
in process to incorporate the jail(8) parameters into the rc.conf
config
statements.
About the allow_sysvipc parameter, this breaks the security the jail is
designed to provide and should NOT be used on any jails having public
internet access.
What are you trying to do that you think you need to use the
allow_sysvipc
parameter?
PostgreSQL, usually I install it on the host instead of jails, but I
needed a second instance on a different port for a public access..
Regards,
--
Demelier David
That all sounds logical and is what jails are designed to do.
Why would running PostgreSQL in a jail need sysvipc?
Have you tried it? Did you get some PostgreSQL error?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
freebsd-questions-unsubscr...@freebsd.org
I can confirm that PostgreSQL will not run in a jail without sysvipc
enabled, I just setup a jail running PostgreSQL a few weeks ago and had
to do that as well. PostgreSQL will not start without it enabled,
though perhaps there is some setting change in PostgreSQL that will make
it not require this. In my case its the only jail, and I am the only
user with access to both the base system and the jail so I wasn't to
concerned about it allowing more access to the base system from the
jail.
--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
2013/5/14 Joe fb...@a1poweruser.com:
David Demelier wrote:
2013/5/14 Joe fb...@a1poweruser.com:
David Demelier wrote:
Le lundi 13 mai 2013 16:32:01 Joe a écrit :
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I
try
to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
My real problem is that I wanted to add allow.sysvipc only for *one*
jail
and I can't find a real solution by jail_* flags in /etc/rc.conf
There is jail_allow_sysvipc but it enable it for all jails.
The jail(8) method does have a allow_sysvipc on a per jail basis. To use
it
you have to use the jail(8) method. The 9.1-RELEASE legacy method is a
work
in process to incorporate the jail(8) parameters into the rc.conf config
statements.
About the allow_sysvipc parameter, this breaks the security the jail is
designed to provide and should NOT be used on any jails having public
internet access.
What are you trying to do that you think you need to use the
allow_sysvipc
parameter?
PostgreSQL, usually I install it on the host instead of jails, but I
needed a second instance on a different port for a public access..
Regards,
--
Demelier David
That all sounds logical and is what jails are designed to do.
Why would running PostgreSQL in a jail need sysvipc?
Have you tried it? Did you get some PostgreSQL error?
Yes, unfortunately this is a very very old issue that has been
reported so much often..
--
Demelier David
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
On 14/05/2013 14:31, dweimer wrote: I can confirm that PostgreSQL will not run in a jail without sysvipc enabled, I just setup a jail running PostgreSQL a few weeks ago and had to do that as well. PostgreSQL will not start without it enabled, though perhaps there is some setting change in PostgreSQL that will make it not require this. In my case its the only jail, and I am the only user with access to both the base system and the jail so I wasn't to concerned about it allowing more access to the base system from the jail. postgresql-9.3beta1 was announced a few days ago, and one of the key new features is switching largely away from sysvipc to mmap for shared memory. http://www.postgresql.org/docs/devel/static/release-9-3.html Unfortunately I don't think it's entirely sysV IPC free yet. But postgresql93 is available in ports. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey signature.asc Description: OpenPGP digital signature
SCTP: transport protocol and vimage jails
All the info on vimage jails say to nooption SCTP when compiling vimage into your kernel. Reason given is that sctp is not vimage aware. If that is ture, then why can't I find a PR on SCTP or vimage about this problem? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
/etc/jail.conf for automatically started jails listed in /etc/rc.conf
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
start the jail it still complain about missing hostname.
Regards,
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
Le lundi 13 mai 2013 16:32:01 Joe a écrit :
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
My real problem is that I wanted to add allow.sysvipc only for *one* jail and
I can't find a real solution by jail_* flags in /etc/rc.conf
There is jail_allow_sysvipc but it enable it for all jails.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
David Demelier wrote:
Le lundi 13 mai 2013 16:32:01 Joe a écrit :
David Demelier wrote:
Hello dear,
Does jail.conf(5) does not work for jails listed in the rc.conf ?
I've added in /etc/jail.conf:
foo {
hostname=Foo;
path=/jails/foo;
allow.sysvipc=1;
}
And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
start the jail it still complain about missing hostname.
Regards,
There are 2 methods for configuring jails.
The legacy method which you put the jail config statements in the hosts
/etc/rc.conf file and start and stop control is done by the hosts
/etc/rc.d/jail script at boot time.
The jail(8) method which has it's own jail config statements in the
hosts /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f /etc/jailname.jail.conf and stop by issuing
jail -f /etc/jailname.jail.conf -r jailname
You can not mix the 2 methods.
My real problem is that I wanted to add allow.sysvipc only for *one* jail and
I can't find a real solution by jail_* flags in /etc/rc.conf
There is jail_allow_sysvipc but it enable it for all jails.
The jail(8) method does have a allow_sysvipc on a per jail basis. To use
it you have to use the jail(8) method. The 9.1-RELEASE legacy method is
a work in process to incorporate the jail(8) parameters into the rc.conf
config statements.
About the allow_sysvipc parameter, this breaks the security the jail is
designed to provide and should NOT be used on any jails having public
internet access.
What are you trying to do that you think you need to use the
allow_sysvipc parameter?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
jails running xorg desktop, is it possible?
Has anyone been able to get a xorg desktop to run inside of a jail? All information and links to howto's welcome. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jails bind ip
Hi, First of all usage of 127.0.0.1 as second address is nothing but wrong, as this is the loopback address :) For the second part of the question - I suppose it has nothing to do with the BSD and the jail subsystem. I am not sure why you have eth1 tbh, you should only have eth0, maybe because of this binding to 127.0.0.1, which fails as you already have this address on lo0. But from your logs: INFO 2013-01-26 16:03:03.085 Created socket: /127.0.0.1:5001 [main] ERROR 2013-01-26 16:03:03.186 A serious error occurred during PMS init org.jboss.netty.channel.ChannelException: Failed to bind to: /127.0.0.1:5001 Obviously you have error in your config, as you are not binding to address, but on local socket at the root of the system. So my guess is you must eighter change your software configuration or you should giva access to root folder to the user running the application. Regards, Ivailo Tanusheff Zyumbilev, Peter pe...@aboutsupport.com Sent by: owner-freebsd-questi...@freebsd.org 26.01.2013 15:18 To freebsd-questions@freebsd.org freebsd-questions@freebsd.org cc Subject jails bind ip Hi, I have successfully run multiple jails on freebsd 9.1 Two of the jails are FreeBSD and I have no problems with them. However I havesome strange problem with Debian 6.0 Jail. This is my config jail_debian_rootdir=/jail/debian jail_debian_hostname=debian.bivol.net jail_debian_ip=192.168.30.12,127.0.0.1 jail_debian_interface=bge0 jail_debian_devfs_enable=YES jail_debian_devfs_ruleset=devfsrules_jail jail_debian_flags=-n debian #jail_debian_mount_enable=YES # mount YES|NO jail_debian_fstab=/jail/conf/fstab.debian # File with Filesystems to mount I tried with and without 127.0.0.1. This is how ifconfig looks from inside debian: root@debian:/# ifconfig eth0 Link encap:Ethernet HWaddr e8:39:35:25:d2:ef inet addr:192.168.30.12 Bcast:192.168.30.12 Mask:255.255.255.255 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0 TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:478459387769 (445.6 GiB) TX bytes:190485214007 (177.4 GiB) eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MULTICAST MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lo0 Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MULTICAST MTU:16384 Metric:1 RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0 TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:103125473 (98.3 MiB) TX bytes:103125585 (98.3 MiB) usbus0Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus1Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus2Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus3Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus4Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus5Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) However, applications have problem binding. Two applications that fail are plexmedia server and psmedia server. 1. PS3 media server throws crazy errors like that it canncot bind - no matter which IP I choose: [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf [main] DEBUG 2013-01-26 16:03:02.833 Base path set to file:///etc/ps3mediaserver
jails bind ip
Hi, I have successfully run multiple jails on freebsd 9.1 Two of the jails are FreeBSD and I have no problems with them. However I havesome strange problem with Debian 6.0 Jail. This is my config jail_debian_rootdir=/jail/debian jail_debian_hostname=debian.bivol.net jail_debian_ip=192.168.30.12,127.0.0.1 jail_debian_interface=bge0 jail_debian_devfs_enable=YES jail_debian_devfs_ruleset=devfsrules_jail jail_debian_flags=-n debian #jail_debian_mount_enable=YES # mount YES|NO jail_debian_fstab=/jail/conf/fstab.debian # File with Filesystems to mount I tried with and without 127.0.0.1. This is how ifconfig looks from inside debian: root@debian:/# ifconfig eth0 Link encap:Ethernet HWaddr e8:39:35:25:d2:ef inet addr:192.168.30.12 Bcast:192.168.30.12 Mask:255.255.255.255 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0 TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:478459387769 (445.6 GiB) TX bytes:190485214007 (177.4 GiB) eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MULTICAST MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lo0 Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MULTICAST MTU:16384 Metric:1 RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0 TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:103125473 (98.3 MiB) TX bytes:103125585 (98.3 MiB) usbus0Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus1Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus2Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus3Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus4Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus5Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) However, applications have problem binding. Two applications that fail are plexmedia server and psmedia server. 1. PS3 media server throws crazy errors like that it canncot bind - no matter which IP I choose: [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf [main] DEBUG 2013-01-26 16:03:02.833 Base path set to file:///etc/ps3mediaserver/renderers/Panasonic.conf [main] INFO 2013-01-26 16:03:02.855 Loading configuration file: PS3.conf [main] DEBUG 2013-01-26 16:03:02.855 Base path set to file:///etc/ps3mediaserver/renderers/PS3.conf [main] INFO 2013-01-26 16:03:02.861 Loading configuration file: AirPlayer.conf [main] DEBUG 2013-01-26 16:03:02.862 Base path set to file:///etc/ps3mediaserver/renderers/AirPlayer.conf [main] INFO 2013-01-26 16:03:02.864 Checking MPlayer font cache. It can take a minute or so. [main] DEBUG 2013-01-26 16:03:02.865 launching: /usr/lib/ps3mediaserver/linux/mplayer [main] INFO 2013-01-26 16:03:03.008 Done! [main] INFO 2013-01-26 16:03:03.016 Searching for plugins in /usr/lib/ps3mediaserver/plugins [main] INFO 2013-01-26 16:03:03.029 No plugins found [main] INFO 2013-01-26 16:03:03.060 Registering transcoding engine: FFmpeg Audio [main] INFO 2013-01-26 16:03:03.078 Registering transcoding engine: MEncoder [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MPlayer Audio [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MEncoder Web [main] INFO 2013-01-26 16:03:03.080 Registering
Re: jails bind ip
Zyumbilev, Peter wrote: Hi, I have successfully run multiple jails on freebsd 9.1 Two of the jails are FreeBSD and I have no problems with them. However I havesome strange problem with Debian 6.0 Jail. This is my config jail_debian_rootdir=/jail/debian jail_debian_hostname=debian.bivol.net jail_debian_ip=192.168.30.12,127.0.0.1 jail_debian_interface=bge0 jail_debian_devfs_enable=YES jail_debian_devfs_ruleset=devfsrules_jail jail_debian_flags=-n debian #jail_debian_mount_enable=YES # mount YES|NO jail_debian_fstab=/jail/conf/fstab.debian # File with Filesystems to mount I tried with and without 127.0.0.1. This is how ifconfig looks from inside debian: root@debian:/# ifconfig eth0 Link encap:Ethernet HWaddr e8:39:35:25:d2:ef inet addr:192.168.30.12 Bcast:192.168.30.12 Mask:255.255.255.255 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0 TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:478459387769 (445.6 GiB) TX bytes:190485214007 (177.4 GiB) eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MULTICAST MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lo0 Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MULTICAST MTU:16384 Metric:1 RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0 TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:103125473 (98.3 MiB) TX bytes:103125585 (98.3 MiB) usbus0Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus1Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus2Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus3Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus4Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus5Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) However, applications have problem binding. Two applications that fail are plexmedia server and psmedia server. 1. PS3 media server throws crazy errors like that it canncot bind - no matter which IP I choose: [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf [main] DEBUG 2013-01-26 16:03:02.833 Base path set to file:///etc/ps3mediaserver/renderers/Panasonic.conf [main] INFO 2013-01-26 16:03:02.855 Loading configuration file: PS3.conf [main] DEBUG 2013-01-26 16:03:02.855 Base path set to file:///etc/ps3mediaserver/renderers/PS3.conf [main] INFO 2013-01-26 16:03:02.861 Loading configuration file: AirPlayer.conf [main] DEBUG 2013-01-26 16:03:02.862 Base path set to file:///etc/ps3mediaserver/renderers/AirPlayer.conf [main] INFO 2013-01-26 16:03:02.864 Checking MPlayer font cache. It can take a minute or so. [main] DEBUG 2013-01-26 16:03:02.865 launching: /usr/lib/ps3mediaserver/linux/mplayer [main] INFO 2013-01-26 16:03:03.008 Done! [main] INFO 2013-01-26 16:03:03.016 Searching for plugins in /usr/lib/ps3mediaserver/plugins [main] INFO 2013-01-26 16:03:03.029 No plugins found [main] INFO 2013-01-26 16:03:03.060 Registering transcoding engine: FFmpeg Audio [main] INFO 2013-01-26 16:03:03.078 Registering transcoding engine: MEncoder [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MPlayer Audio [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MEncoder Web [main] INFO 2013-01-26 16
Re: jails bind ip
Are you saying you installed the Debian 6.0 operating system inside of a Freebsd jail and expect it to function? on top of all works ;-) Look at mailing list archives earlier ...See mails from me. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jails bind ip
Zyumbilev, Peter wrote: Are you saying you installed the Debian 6.0 operating system inside of a Freebsd jail and expect it to function? on top of all works ;-) Look at mailing list archives earlier ...See mails from me. Peter Ok I read the archive thread subject jails. You read a reply pointing you to a French howto. http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD I don't read French so have no idea what you did. In another post you said you did this procedure 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the French howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error kernel too old. Don't understand what you mean by shell in the the above #2 sentence. The info you provided is so lacking in details. People here on the list are not going to try to duplicate your steps just to get a understanding of your situation. When asking a question it's your job to describe in detail what your situation is. What your trying to achieve by using a jail. What applications you installed in your jail. The jail statements you used to create your jail. So on and so forth. No details results in no replies. If you want helpful replies start with more and better details. From a very general point of view. You can populate a jails directory tree with anything you want and the jail will still start. Having the jail start does not mean anything you put in side of the jail is working. Which is what I think is happening in your case. With out details I can not help you any further. Good luck. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jails bind ip
On 26/01/2013 23:06, Fbsd8 wrote: Zyumbilev, Peter wrote: Are you saying you installed the Debian 6.0 operating system inside of a Freebsd jail and expect it to function? on top of all works ;-) Look at mailing list archives earlier ...See mails from me. Peter Ok I read the archive thread subject jails. You read a reply pointing you to a French howto. http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD I don't read French so have no idea what you did. In another post you said you did this procedure 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the French howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error kernel too old. Don't understand what you mean by shell in the the above #2 sentence. The info you provided is so lacking in details. People here on the list are not going to try to duplicate your steps just to get a understanding of your situation. When asking a question it's your job to describe in detail what your situation is. What your trying to achieve by using a jail. What applications you installed in your jail. The jail statements you used to create your jail. So on and so forth. No details results in no replies. If you want helpful replies start with more and better details. From a very general point of view. You can populate a jails directory tree with anything you want and the jail will still start. Having the jail start does not mean anything you put in side of the jail is working. Which is what I think is happening in your case. With out details I can not help you any further. Good luck. Hi, I know chances are slim someone to help. I believe my question is asked right. Even if noone can help it was worth asking - at least you learned that debian can run inside Freebsd :-) You know the idea is everyone to learn from this. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: jails ip addresses
Le Thu, 24 Jan 2013 11:51:46 -0500, Fbsd8 fb...@a1poweruser.com a écrit : Is there any situation where assigning the same IP address to a new jail that has already been assigned to a previous jail valid? I think not, but want verification. What are your thoughts? I'm sure they are case of this. One example is poudriere (a package builder), it starts several jails to build the packages and all the jails are bound to 127.0.0.1. The jail IP enforces that the jailed processus cannot use another one IP but that's all. Regards. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Best approach to jails + zfs
Hi, I wanted to have the point of view of the community on the best approach in order to handle a quite large system with couple of jails (shouldn't have more than 5 to 10). Whole system is based on zfs. I'll use this as a backup server. I have been using the handbook approach so far. It is quite stable but the linked directories inside each jail is quite error prone and may be confusing. With this approach you can update all your jails at once… this is quite tempting, but if you have an error… all your jails are gone at once ! == you can't afford to have a kernel compile problem while updating your system or you're dead !! http://www.freebsd.org/doc//handbook/jails-build.html The other approach that I have found is to use create a base jail system using sysinstall and then zfs snapshot to clone It. You then use this to create a jail. You end up with couple of independent jails which are not linked to each other in any way. You can / need to update each jail one by one. http://vocalbit.com/article/402/freebsd-jails-using-zfs-and-bsdinstall • I wanted to know if the handbook approach is still the most recent one considering the latest progress in FBSD jail management ? • I wanted to know if you had some mixed approach that can leverage the risk of the handbook approach ? • Last but not least - do you have any good pointer to recent guide / howto / studies on the subject ? Thanks –– - Grégory Bernard Director - --- www.osnet.eu --- -- Your provider of OpenSource appliances -- –– OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best approach to jails + zfs
On Fri, 25 Jan 2013 18:25:06 +0100 bsd b...@todoo.biz wrote: Hi, I wanted to have the point of view of the community on the best approach in order to handle a quite large system with couple of jails (shouldn't have more than 5 to 10). Whole system is based on zfs. I'll use this as a backup server. You might like the sysutils/ezjail port - I use it for a very similar purpose and find it works well. -- Steve O'Hara-Smith st...@sohara.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best approach to jails + zfs
Le 25 janv. 2013 à 18:41, Steve O'Hara-Smith a écrit : On Fri, 25 Jan 2013 18:25:06 +0100 bsd b...@todoo.biz wrote: Hi, I wanted to have the point of view of the community on the best approach in order to handle a quite large system with couple of jails (shouldn't have more than 5 to 10). Whole system is based on zfs. I'll use this as a backup server. You might like the sysutils/ezjail port - I use it for a very similar purpose and find it works well. -- Steve O'Hara-Smith st...@sohara.org I am a bit skeptical on the third party script approach. How stable has It been ? I have been using warden with PC-BSD TrueOS for testing and I have encountered all sorts of problems (not stable when you have two pools of disks - can't delete jail…)… Quite interesting approach, but not mature enough to be launched in production. I have finally gotten back to the FreeBSD root file system which I am using since couple of years now. It is not fancy, It does not provide script to ease your pain… But you understand what you are doing and It does what you tell him to do !! ZFS has introduced a new challenge, but now that I have understood (more or less) how It is working, I found It really great! Just trying to figure out the best way to use both Jail + ZFS. But I might re-consider my position… Does ezjail comply with the latest FreeBSD 9 / 9.1 advances in jail / ZFS management improvement ? Thanks for your feedback. –– - Grégory Bernard Director - --- www.osnet.eu --- -- Your provider of OpenSource appliances -- –– OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best approach to jails + zfs
On Fri, 25 Jan 2013 19:14:45 +0100 bsd b...@todoo.biz wrote: Le 25 janv. 2013 à 18:41, Steve O'Hara-Smith a écrit : On Fri, 25 Jan 2013 18:25:06 +0100 bsd b...@todoo.biz wrote: Hi, I wanted to have the point of view of the community on the best approach in order to handle a quite large system with couple of jails (shouldn't have more than 5 to 10). Whole system is based on zfs. I'll use this as a backup server. You might like the sysutils/ezjail port - I use it for a very similar purpose and find it works well. -- Steve O'Hara-Smith st...@sohara.org I am a bit skeptical on the third party script approach. How stable has It been ? Rock solid - for me YMMV of course. The underpinnings are quite straightforward so it should be easy to fix anything that does go astray. ZFS has introduced a new challenge, but now that I have understood (more or less) how It is working, I found It really great! Just trying to figure out the best way to use both Jail + ZFS. But I might re-consider my position… Does ezjail comply with the latest FreeBSD 9 / 9.1 advances in jail / ZFS management improvement ? I'm using it on a 9,1 box to admin a bunch of 9.1 jails. It doesn't require ZFS but it can use it (along with a variety of other storage options). It uses standard ZFS commands to do it's work with ZFS. It's just a shell script program (albeit a 1500 line one), I might have written a simpler, cruder one myself had it not existed and worked. -- Steve O'Hara-Smith st...@sohara.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
jails ip addresses
Is there any situation where assigning the same IP address to a new jail that has already been assigned to a previous jail valid? I think not, but want verification. What are your thoughts? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
- Original Message - From: Zyumbilev, Peter pe...@aboutsupport.com To: freebsd-questions@FreeBSD.org freebsd-questions@FreeBSD.org Cc: Sent: Tuesday, January 15, 2013 3:12 AM Subject: Re: Jails On 15/01/2013 02:10, Leonardo M. Ramé wrote: Yes, and also defined /etc/resolv.conf. Any hint? Leonardo M. Ramé http://leonardorame.blogspot.com This is my jail conf. jail_debian_rootdir=/jail/debian jail_debian_hostname=debian.bivol.net jail_debian_ip=192.168.30.12 jail_debian_interface=bge0 jail_debian_devfs_enable=YES jail_debian_devfs_ruleset=devfsrules_jail jail_debian_flags=-n debian #jail_debian_mount_enable=YES # mount YES|NO jail_debian_fstab=/jail/conf/fstab.debian you have ip interface settings correct ? Mine card is bge0, but your one might be different. Peter Peter, last night I finally used apt-get to install g++, so, it's working!. The only thing that doesn't work is ping, but I won't care about it. Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
From: Zyumbilev, Peter pe...@aboutsupport.com To: freebsd-questions@FreeBSD.org freebsd-questions@FreeBSD.org Sent: Monday, January 14, 2013 3:53 AM Subject: Re: Jails On 13/01/2013 23:58, Leonardo M. Ramé wrote: root@debian:/# ping www.google.com WARNING: setsockopt(ICMP_FILTER): Protocol not available WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.16) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument --- www.google.com ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms root@debian:/# Hvae you run in FreeBSD: sysctl compat.linux.osrelease=2.6.32 ? Yes, and also defined /etc/resolv.conf. Any hint? Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On 15/01/2013 02:10, Leonardo M. Ramé wrote: Yes, and also defined /etc/resolv.conf. Any hint? Leonardo M. Ramé http://leonardorame.blogspot.com This is my jail conf. jail_debian_rootdir=/jail/debian jail_debian_hostname=debian.bivol.net jail_debian_ip=192.168.30.12 jail_debian_interface=bge0 jail_debian_devfs_enable=YES jail_debian_devfs_ruleset=devfsrules_jail jail_debian_flags=-n debian #jail_debian_mount_enable=YES # mount YES|NO jail_debian_fstab=/jail/conf/fstab.debian you have ip interface settings correct ? Mine card is bge0, but your one might be different. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On Jan 14, 2013, at 10:12 PM, Zyumbilev, Peter wrote: On 15/01/2013 02:10, Leonardo M. Ramé wrote: Yes, and also defined /etc/resolv.conf. Any hint? Leonardo M. Ramé http://leonardorame.blogspot.com This is my jail conf. jail_debian_rootdir=/jail/debian jail_debian_hostname=debian.bivol.net jail_debian_ip=192.168.30.12 jail_debian_interface=bge0 NOTE: You can optionally combine/collapse those last 2 lines into one: jail_debian_ip=bge0|192.168.30.12 (with the pipe character [|] separating the interface and IP) -- Devin jail_debian_devfs_enable=YES jail_debian_devfs_ruleset=devfsrules_jail jail_debian_flags=-n debian #jail_debian_mount_enable=YES # mount YES|NO jail_debian_fstab=/jail/conf/fstab.debian you have ip interface settings correct ? Mine card is bge0, but your one might be different. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On 12/01/2013 18:41, Devin Teske wrote: On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: Hi, I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail. NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions. My host os is Nas4Free and is stripped version of freebsd - e.g I cannot even compile ports - that is why I use jails - so no new kernel for me there :) So far I am quite happy with it - I use it mainly as DLNA server(Serviio), ZFS,UPS support Transmission made it quite good platform - would take plenty of time to get all this in plain FreeBSD install. The only thing that I might be missing is Plex, but due to lack browser per folder feature, I will stick to open standard - DLNA. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
From: Zyumbilev, Peter pe...@aboutsupport.com To: freebsd-questions@FreeBSD.org Cc: Mark Felder f...@feld.me; Devin Teske dte...@freebsd.org; Devin Teske devin.te...@fisglobal.com Sent: Sunday, January 13, 2013 7:09 AM Subject: Re: Jails On 12/01/2013 18:41, Devin Teske wrote: On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: Hi, I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail. NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions. My host os is Nas4Free and is stripped version of freebsd - e.g I cannot even compile ports - that is why I use jails - so no new kernel for me there :) So far I am quite happy with it - I use it mainly as DLNA server(Serviio), ZFS,UPS support Transmission made it quite good platform - would take plenty of time to get all this in plain FreeBSD install. The only thing that I might be missing is Plex, but due to lack browser per folder feature, I will stick to open standard - DLNA. Peter Hi, I've installed debian 6 in a jail, from FreeBsd 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping: server# /etc/rc.d/jail start debian Configuring jails:. Starting jails: debian. server# jls JID IP Address Hostname Path 13 192.168.0.250 debian /usr/home/jails/debian server# jexec 13 bash root@debian:/# uname -a Linux debian 2.6.32 FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 i686 GNU/Linux root@debian:/# ping www.google.com WARNING: WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.17) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument Apart from getting those ping errors, I cannot apt-get update: root@debian:/# apt-get update Get:1 http://security.debian.org squeeze/updates Release.gpg [836 B] Ign http://security.debian.org/ squeeze/updates/contrib Translation-en Get:2 http://ftp.debian.org squeeze Release.gpg [1672 B] Ign http://ftp.debian.org/debian/ squeeze/contrib Translation-en 99% [Working]FATAL - Could not set non-blocking flag Bad file descriptor E: Method http has died unexpectedly! E: Sub-process http returned an error code (100) I need apt-get to install g++, to be able to compile a linux c++ app from FreeBsd. -- Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On Jan 13, 2013, at 7:45 AM, Leonardo M. Ramé wrote: From: Zyumbilev, Peter pe...@aboutsupport.com To: freebsd-questions@FreeBSD.org Cc: Mark Felder f...@feld.me; Devin Teske dte...@freebsd.org; Devin Teske devin.te...@fisglobal.com Sent: Sunday, January 13, 2013 7:09 AM Subject: Re: Jails On 12/01/2013 18:41, Devin Teske wrote: On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: Hi, I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail. NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions. My host os is Nas4Free and is stripped version of freebsd - e.g I cannot even compile ports - that is why I use jails - so no new kernel for me there :) So far I am quite happy with it - I use it mainly as DLNA server(Serviio), ZFS,UPS support Transmission made it quite good platform - would take plenty of time to get all this in plain FreeBSD install. The only thing that I might be missing is Plex, but due to lack browser per folder feature, I will stick to open standard - DLNA. Peter Hi, I've installed debian 6 in a jail, from FreeBsd 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping: ping is usually denied from within a jail (for security purposes). Add the following to /etc/rc.conf: jail_sysvipc_allow=YES And then reboot. -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
- Original Message - From: Devin Teske devin.te...@fisglobal.com To: Leonardo M. Ramé martinr...@yahoo.com Cc: freebsd-questions@FreeBSD.org freebsd-questions@FreeBSD.org Sent: Sunday, January 13, 2013 2:23 PM Subject: Re: Jails On Jan 13, 2013, at 7:45 AM, Leonardo M. Ramé wrote: From: Zyumbilev, Peter pe...@aboutsupport.com To: freebsd-questions@FreeBSD.org Cc: Mark Felder f...@feld.me; Devin Teske dte...@freebsd.org; Devin Teske devin.te...@fisglobal.com Sent: Sunday, January 13, 2013 7:09 AM Subject: Re: Jails On 12/01/2013 18:41, Devin Teske wrote: On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: Hi, I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail. NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions. My host os is Nas4Free and is stripped version of freebsd - e.g I cannot even compile ports - that is why I use jails - so no new kernel for me there :) So far I am quite happy with it - I use it mainly as DLNA server(Serviio), ZFS,UPS support Transmission made it quite good platform - would take plenty of time to get all this in plain FreeBSD install. The only thing that I might be missing is Plex, but due to lack browser per folder feature, I will stick to open standard - DLNA. Peter Hi, I've installed debian 6 in a jail, from FreeBsd 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping: ping is usually denied from within a jail (for security purposes). Add the following to /etc/rc.conf: jail_sysvipc_allow=YES And then reboot. I've tried that, but I got the same results: root@debian:/# ping www.google.com WARNING: setsockopt(ICMP_FILTER): Protocol not available WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.16) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument --- www.google.com ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms root@debian:/# Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On 13/01/2013 23:58, Leonardo M. Ramé wrote: root@debian:/# ping www.google.com WARNING: setsockopt(ICMP_FILTER): Protocol not available WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.16) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument --- www.google.com ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms root@debian:/# Hvae you run in FreeBSD: sysctl compat.linux.osrelease=2.6.32 ? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On 13/01/2013 23:58, Leonardo M. Ramé wrote: root@debian:/# ping www.google.com WARNING: setsockopt(ICMP_FILTER): Protocol not available WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.16) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument --- www.google.com ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms root@debian:/# Also make sure you /etc/resolv.conf looks like this: nameserver 8.8.8.8 Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: Hi, I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. netstat isn't allowed in traditional jails (but is allowed in vimage jails which have their own network stack). If you're able/willing to compile a new kernel to enable the VIMAGE feature, then this can be improved so that you can indeed use netstat within the jail. NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions. -- Devin On 11/01/2013 21:19, Mark Felder wrote: On Fri, 11 Jan 2013 18:28:41 +0200 Zyumbilev, Peter pe...@aboutsupport.com wrote: 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead the file listed in the howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error kernel too old. Does PLEX work? I'm highly interested in this I even posted asking for FreeBSD support on the relevant forum post... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On 11/01/2013 17:31, Patrick Lamaiziere wrote: Le Fri, 11 Jan 2013 17:02:19 +0200, Zyumbilev, Peter pe...@aboutsupport.com a écrit : Hi, I run FreeBSD 9.1 64 bit(Nas4free). I have no problem setting up FreeBSD jails inside. However, I wonder, is there any tutorial on how to make Debian Squeeze run inside a jail ? I know it is possible with PC-BSD, should be possible with FreeBSD, but I have not documentation on how to utilize this feature. Baptiste (bapt@) made a small doc for this in the past, but in french. http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD Regards For future reference: I've got it work, just 2 things: 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead the file listed in the howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error kernel too old. Otherwise, so far so good :-) Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
On Fri, 11 Jan 2013 18:28:41 +0200 Zyumbilev, Peter pe...@aboutsupport.com wrote: 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead the file listed in the howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error kernel too old. Does PLEX work? I'm highly interested in this I even posted asking for FreeBSD support on the relevant forum post... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails
Hi, I have not tested it, but so far things do not look promising... I cannot even run netstat -nvatp properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. Peter On 11/01/2013 21:19, Mark Felder wrote: On Fri, 11 Jan 2013 18:28:41 +0200 Zyumbilev, Peter pe...@aboutsupport.com wrote: 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead the file listed in the howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error kernel too old. Does PLEX work? I'm highly interested in this I even posted asking for FreeBSD support on the relevant forum post... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
How do you manage jails?
Hi All, I want to inquire how the majority of users manage jails within their own environments. Do you use the utilities described in the handbook in chapter 16 or some other management facility like qjail or ezjail? -- Take care Rick Miller ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: How do you manage jails?
On Nov 29, 2012, at 6:05 AM, Rick Miller wrote: Hi All, I want to inquire how the majority of users manage jails within their own environments. Do you use the utilities described in the handbook in chapter 16 or some other management facility like qjail or ezjail? I use my own home grown solution (freely available as a package): http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml#vimage -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: How do you manage jails?
On Thu, 29 Nov 2012 09:05:30 -0500 Rick Miller vmil...@hostileadmin.com wrote: Hi All, I want to inquire how the majority of users manage jails within their own environments. Do you use the utilities described in the handbook in chapter 16 or some other management facility like qjail or ezjail? ezjail here - my fileserver runs a bunch of jails for various services as well as a build jail. I find it convenient and it hasn't annoyed me yet. -- Steve O'Hara-Smith st...@sohara.org ---BeginMessage--- On Thu, 29 Nov 2012 09:05:30 -0500 Rick Miller vmil...@hostileadmin.com wrote: Hi All, I want to inquire how the majority of users manage jails within their own environments. Do you use the utilities described in the handbook in chapter 16 or some other management facility like qjail or ezjail? ezjail here - my fileserver runs a bunch of jails for various services as well as a build jail. I find it convenient and it hasn't annoyed me yet. -- Steve O'Hara-Smith st...@sohara.org ---End Message--- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: ZFS / Boot Environments / Jails / Upgrading form Source Code
On 19/10/2012 07:44, dweimer wrote: First step replace the usr/src within the jail with new source using svn, easy enough. Then start make buildworld... oops, I have a problem now, the usr/obj/usr stuff is now under /usr/obj/usr/jails/release91rc2..., However I want it to be under /usr/jails/release91rc2/usr/obj/usr. If the jails base dir is /usr/obj/usr/jails/release91rc2 then it can only access files below that base dir. That is part of the jails security. If your jail is based at /usr/obj/usr/jails/release91rc2 then the jail by default will buildworld into /usr/obj of the jail system which translates to /usr/obj/usr/jails/release91rc2/usr/obj on the base system. You can adjust the settings within the jail but it will always be within the release91rc2 dir so you can't use the jail to install into /usr/jails of the base system. From looking at the usr/src/Makefile It looks like I need to set the MAKEOBJDIRPREFIX=/usr/jails/relase91rc2/usr/obj/usr/src/tmp environment variable, but is that the best solution here? There's also a /usr/obj/lib32 directory (system is running amd64, I assume this is for 32 bit libraries), so I would likely need to do something here as well, that I haven't gotten to yet. lib32 is part of the final system - you don't need to handle it separately. See man src.conf if you want to turn off the creation of 32bit libs. You can set MAKEOBJDIRPREFIX (default /usr/obj ) to define where the binary files are made. You can also set DESTDIR (default is / ) for the installworld step to define where they get installed. When you start a buildworld or buildkernel the compiled binaries are stored within MAKEOBJDIRPREFIX. When that is complete the installworld or installkernel steps install the files from MAKEOBJDIRPREFIX into DESTDIR to create a workable system. That prevents a failed build from destroying part of your running system. If you want to experiment with different versions then you can also try- mkdir /usr/jails cd /usr/jails svn co http://svn0.us-west.FreeBSD.org/base/releng/9.0 9.0-src cd 9.0-src set MAKEOBJDIRPREFIX = /usr/jails/9.0-obj set DESTDIR = /usr/jails/9.0-base make buildworld make installworld cd /usr/jails svn co http://svn0.us-east.FreeBSD.org/base/releng/9.1 9.1-src cd 9.1-src set MAKEOBJDIRPREFIX = /usr/jails/9.1-obj set DESTDIR = /usr/jails/9.1-base make buildworld make installworld I know the /usr/obj/usr directory can be deleted after the installation of the source, does the same go for the /usr/obj/lib32 directory? if so Anything in MAKEOBJDIRPREFIX (/usr/obj) can be deleted after you have installed it, including lib32 which are libs to allow running 32bit programs on a 64bit system. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: ZFS / Boot Environments / Jails / Upgrading form Source Code
On 2012-10-19 02:48, Shane Ambler wrote: On 19/10/2012 07:44, dweimer wrote: First step replace the usr/src within the jail with new source using svn, easy enough. Then start make buildworld... oops, I have a problem now, the usr/obj/usr stuff is now under /usr/obj/usr/jails/release91rc2..., However I want it to be under /usr/jails/release91rc2/usr/obj/usr. If the jails base dir is /usr/obj/usr/jails/release91rc2 then it can only access files below that base dir. That is part of the jails security. If your jail is based at /usr/obj/usr/jails/release91rc2 then the jail by default will buildworld into /usr/obj of the jail system which translates to /usr/obj/usr/jails/release91rc2/usr/obj on the base system. You can adjust the settings within the jail but it will always be within the release91rc2 dir so you can't use the jail to install into /usr/jails of the base system. The base of the Jail, is /usr/jails/release91rc2, however, I did forget to mention that I was running the buildworld and buildkernel from the base system, with the intent to install using the DESTDIR=/usr/jails/release91rc2 command line option From looking at the usr/src/Makefile It looks like I need to set the MAKEOBJDIRPREFIX=/usr/jails/relase91rc2/usr/obj/usr/src/tmp environment variable, but is that the best solution here? There's also a /usr/obj/lib32 directory (system is running amd64, I assume this is for 32 bit libraries), so I would likely need to do something here as well, that I haven't gotten to yet. lib32 is part of the final system - you don't need to handle it separately. See man src.conf if you want to turn off the creation of 32bit libs. Got it, Fine with leaving it there, just wanted to know if there was a separate option to define where it ended up. You can set MAKEOBJDIRPREFIX (default /usr/obj ) to define where the binary files are made. You can also set DESTDIR (default is / ) for the installworld step to define where they get installed. It appears I went to deep on my definition of the MAKOBJDIRPREFIX, made the above path after seeing some output at the start of one of my buildworld attempts, which is what led me to believe there would be a second choice. When you start a buildworld or buildkernel the compiled binaries are stored within MAKEOBJDIRPREFIX. When that is complete the installworld or installkernel steps install the files from MAKEOBJDIRPREFIX into DESTDIR to create a workable system. That prevents a failed build from destroying part of your running system. If you want to experiment with different versions then you can also try- mkdir /usr/jails cd /usr/jails svn co http://svn0.us-west.FreeBSD.org/base/releng/9.0 9.0-src cd 9.0-src set MAKEOBJDIRPREFIX = /usr/jails/9.0-obj set DESTDIR = /usr/jails/9.0-base make buildworld make installworld cd /usr/jails svn co http://svn0.us-east.FreeBSD.org/base/releng/9.1 9.1-src cd 9.1-src set MAKEOBJDIRPREFIX = /usr/jails/9.1-obj set DESTDIR = /usr/jails/9.1-base make buildworld make installworld Here was the key information I needed, found several examples searching but none stated the MAKEOBJDIRPREFIX=, as you state below they are not needed for the running system, guessing most people clean them up afterwards so they aren't concerned they don't exist in the same boot environment in the end. I prefer to keep them in the same boot environment if possible, just so that if I delete a boot environment I know I got rid of everything that belonged to it and don't end up uselessly eating up extra disk space. I do delete the /usr/obj/usr directory prior to any rebuild, from old documentation I read when I first started doing source upgrades as a method of improving the speed of the buildworld. I am sure those were written for a 32bit system, which is why the lib32 directory wasn't included in those instructions. I know the /usr/obj/usr directory can be deleted after the installation of the source, does the same go for the /usr/obj/lib32 directory? if so Anything in MAKEOBJDIRPREFIX (/usr/obj) can be deleted after you have installed it, including lib32 which are libs to allow running 32bit programs on a 64bit system. Looks like I am on the right path, now time to give it a try with the new environment variables, thanks for your help Shane. If all goes well on this step, only things I have left to figured out and test is creating zfs snapshots by hand of volumes outside my boot environment, and mounting those read write within the jailed systems base so that I can fully test my applications against the latest live data without changing the actual data. Don't expect to have any trouble with this one. And then last of all need to test removing a HD from my Virtual Machine, adding a replacement, and rebuilding the mirror, again don't expect this to be a problem, just need to work my way through them and get the steps down before I am comfortable doing these procedures on a system
ZFS / Boot Environments / Jails / Upgrading form Source Code
I have been playing around with different build layouts etc trying to come up with a plan to make updates smoother and more easily recoverable if it goes horribly wrong. I think I have almost figured things out, just have a couple things left to figure out, one of which I am hoping someone on this list can help em out with, to save me some trial an error. Steps already figured out, mount new boot environment (using 9.1rc2 to test with) in /usr/jails/release91rc2, added the necessary settings to rc.conf, started jail, so far so good. I now know I can run the boot environment from within the jail, stop the jail and begin the upgrade from source. First step replace the usr/src within the jail with new source using svn, easy enough. Then start make buildworld... oops, I have a problem now, the usr/obj/usr stuff is now under /usr/obj/usr/jails/release91rc2..., However I want it to be under /usr/jails/release91rc2/usr/obj/usr. From looking at the usr/src/Makefile It looks like I need to set the MAKEOBJDIRPREFIX=/usr/jails/relase91rc2/usr/obj/usr/src/tmp environment variable, but is that the best solution here? There's also a /usr/obj/lib32 directory (system is running amd64, I assume this is for 32 bit libraries), so I would likely need to do something here as well, that I haven't gotten to yet. I know the /usr/obj/usr directory can be deleted after the installation of the source, does the same go for the /usr/obj/lib32 directory? if so perhaps it is a better option to make a new zfs data set outside the boot environments to mount under /usr/obj directory, let the default prefixes handle which sub directory to use, and just delete the directories when I am done working with the boot environment. -- Thanks, Dean E. Weimer http://www.dweimer.net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Resolvconf with FreeBSD jails
FreeBSD 9 uses resolvconf tool to manage the resolv.conf file. How can I make it working with FreeBSD jails? In my case I am moving my laptop between networks and every time I boot FreeBSD it gets assigned a different DNS server. The file /etc/resolv.conf gets updated but the same file in each of the jails is not. I need resolv.conf in each jail in order for that jail to connect to the external network. I tried to make a link from resolv.conf in a jail to the same file in the host system, but inside jail the link doesn't work. I could copy the resolv.conf every time I boot FreeBSD after the DHCP obtained new DNS and updated resolv.conf but before ezjail starts any of the jails, but where I would need to put such copying? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Resolvconf with FreeBSD jails
On 07/30/2012 18:03, Grzegorz Junka wrote: FreeBSD 9 uses resolvconf tool to manage the resolv.conf file. How can I make it working with FreeBSD jails? In my case I am moving my laptop between networks and every time I boot FreeBSD it gets assigned a different DNS server. The file /etc/resolv.conf gets updated but the same file in each of the jails is not. I need resolv.conf in each jail in order for that jail to connect to the external network. If you really need your resolv.conf for connecting to an external network (and not to resolve local machine names), why not just add public DNS servers there and let them stay the same all he time? I tried to make a link from resolv.conf in a jail to the same file in the host system, but inside jail the link doesn't work. I could copy the resolv.conf every time I boot FreeBSD after the DHCP obtained new DNS and updated resolv.conf but before ezjail starts any of the jails, but where I would need to put such copying? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
On 22 July 2012 21:55, Herbert J. Skuhra h.sku...@gmail.com wrote: On Sat, 21 Jul 2012 16:10:56 +0200 Herbert J. Skuhra h.sku...@gmail.com wrote: On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote: Hi, ok, this is obviously a pf problem and the reason why the network in the jail doesn't work. ifconfig lo1 create ifconfig lo1 10.0.0.10 netmask 0xff00 nc -s 10.0.0.10 xx.xx.xx.xx 25 With pf: connections fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up With ipfw: connection OK On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem. Thanks to yongari@ the issue could be resolved on both machines by disabling receive checksum offloading (ifconfig fxp0 -rxsum). If this is a fxp bug, can you please file a PR explaining the issue and how to reproduce it? -- Eitan Adler ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
On Mon, Jul 23, 2012 at 8:31 AM, Eitan Adler li...@eitanadler.com wrote: If this is a fxp bug, can you please file a PR explaining the issue and how to reproduce it? kern/170081 -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
On Sat, 21 Jul 2012 16:10:56 +0200 Herbert J. Skuhra h.sku...@gmail.com wrote: On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote: Hi, ok, this is obviously a pf problem and the reason why the network in the jail doesn't work. ifconfig lo1 create ifconfig lo1 10.0.0.10 netmask 0xff00 nc -s 10.0.0.10 xx.xx.xx.xx 25 With pf: connections fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up With ipfw: connection OK On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem. Thanks to yongari@ the issue could be resolved on both machines by disabling receive checksum offloading (ifconfig fxp0 -rxsum). -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
Hi, ok, this is obviously a pf problem and the reason why the network in the jail doesn't work. ifconfig lo1 create ifconfig lo1 10.0.0.10 netmask 0xff00 nc -s 10.0.0.10 xx.xx.xx.xx 25 With pf: connections fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up With ipfw: connection OK On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. Thanks. -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote: Hi, ok, this is obviously a pf problem and the reason why the network in the jail doesn't work. ifconfig lo1 create ifconfig lo1 10.0.0.10 netmask 0xff00 nc -s 10.0.0.10 xx.xx.xx.xx 25 With pf: connections fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up With ipfw: connection OK On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem. -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra h.sku...@gmail.com wrote: On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu joris.ded...@gmail.com wrote: 2012/7/12 Herbert J. Skuhra h.sku...@gmail.com: On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra h.sku...@gmail.com wrote: Hi, although I've followed the instructions in jail(8) and jail.conf(5) I cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334). The symptons: * ssh'ing to jail works, but it takes about 20 seconds until password prompt appears Does it still the same with UseDNS=no in /etc/ssh/sshd_config ? No, I can login instantly. * netstat -r in the jail takes about 150 seconds to finish Does netstat -rn does the same ? No, the output appears immediately. * connections to the internet time out; with tcpdump I see that packets leave and enter the public interface on the host, but never reach the jail I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public interface is fxp0 with both an IPv4 and an IPv6 address assigned. Of course, nat is enable via pf on the public interface. Can you post your PF configuration ? After switching to ipfw/natd networking in the jail works. Could this be a bug? I think you had an issue with firewall that block name resolution and makes everything goes slow. At least you need one single line on your pf.conf : nat on $public_interface form $jail_ip to any - ($public_interface) Even when loading only the nat rule it doesn't work: nat on fxp0 from 192.168.1.0/24 to any - $ext_addr Thanks. Herbert ___ freebsd-j...@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org As Mark Felder wrote You don't have anything in /etc/resolv.conf, in the jail do you? :-) -- Med Venlig Hilsen Kalle R. Møller ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails on FreeBSD 9.0
On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller freebsd-questi...@k-moeller.dk wrote: On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra h.sku...@gmail.com wrote: On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu joris.ded...@gmail.com wrote: 2012/7/12 Herbert J. Skuhra h.sku...@gmail.com: On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra h.sku...@gmail.com wrote: Hi, although I've followed the instructions in jail(8) and jail.conf(5) I cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334). The symptons: * ssh'ing to jail works, but it takes about 20 seconds until password prompt appears Does it still the same with UseDNS=no in /etc/ssh/sshd_config ? No, I can login instantly. * netstat -r in the jail takes about 150 seconds to finish Does netstat -rn does the same ? No, the output appears immediately. * connections to the internet time out; with tcpdump I see that packets leave and enter the public interface on the host, but never reach the jail I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public interface is fxp0 with both an IPv4 and an IPv6 address assigned. Of course, nat is enable via pf on the public interface. Can you post your PF configuration ? After switching to ipfw/natd networking in the jail works. Could this be a bug? I think you had an issue with firewall that block name resolution and makes everything goes slow. At least you need one single line on your pf.conf : nat on $public_interface form $jail_ip to any - ($public_interface) Even when loading only the nat rule it doesn't work: nat on fxp0 from 192.168.1.0/24 to any - $ext_addr Thanks. Herbert As Mark Felder wrote You don't have anything in /etc/resolv.conf, in the jail do you? :-) I have two nameservers listed! If I boot a kernel with ipfirewall/ipdivert and run natd the network in the jail works! With pf: I see the packets going out/coming in on fxp0 but somehow the jail does not see them. A 'dig www.google.com' in the jail fails with connection timed out; no servers could be reached, but 11:39:45.30 IP xxx.yyy.zzz.64452 google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32) 11:39:45.694045 IP google-public-dns-a.google.com.domain xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180, A 173.194.35.178 (132) 11:39:50.667799 IP xxx.yyy.zzz.64452 google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32) 11:39:50.687083 IP google-public-dns-a.google.com.domain xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180, A 173.194.35.176 (132) 11:39:55.668783 IP xxx.yyy.zzz.64452 google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32) 11:39:55.675917 IP google-public-dns-a.google.com.domain xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176, A 173.194.35.178 (132) And 'nc 173.194.35.177 80': 11:41:52.176904 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0 11:41:53.382320 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0 11:41:54.088585 IP xxx.yyy.zzz.56936 muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0 11:41:54.098838 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0 11:41:55.796638 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0 11:41:57.288596 IP xxx.yyy.zzz.56936 muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0 11:41:57.299125 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0 11:42:00.488595 IP xxx.yyy.zzz.56936 muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0 11:42:00.498606 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666834 ecr 8593173,nop,wscale 6], length 0 11:42:00.621724 IP muc03s02-in-f17.1e100.net.http xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666957 ecr 8593173,nop,wscale 6
Re: IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
I know that ssh does a reverse dns lookup of the ip you connect from - no matter if its local or not. On Tue, Jun 26, 2012 at 4:58 PM, Christopher J. Ruwe c...@cruwe.de wrote: On Mon, 25 Jun 2012 18:23:56 -0400 Robert Huff roberth...@rcn.com wrote: Christopher J. Ruwe writes: On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some qjails, 8.3-RELEASE. The jails are connected all via lo0 on 10.0.0.0. While by the large working as expected, I have noticed one pecularity I have failed to pinpoint: When launching processes with some network interaction, like sshing into one of the jails from the platform or launching emacs, the command spends ages ( ~(1-2) minutes) idling? (nothing happens) before becoming interactive. If the number is very close to 90 seconds, my first guess would be you have a DNS problem. Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org Thanks for the hint. It was DNS ... I have copied a resolv.conf into the jails for future use, but did not enable NAT from the start. The issue disappeared when I commented out the nameserver entries and switched NAT off again, i.e., I could login using ssh in a matter of seconds, not minutes. Now to the followup: Why does ssh and emacs! require DNS for entirely local connections or just to be started? Anyway, thanks for that hint, cheers, -- Christopher TZ: GMT + 2h -- Med Venlig Hilsen Kalle R. Møller ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
On Mon, 25 Jun 2012 18:23:56 -0400 Robert Huff roberth...@rcn.com wrote: Christopher J. Ruwe writes: On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some qjails, 8.3-RELEASE. The jails are connected all via lo0 on 10.0.0.0. While by the large working as expected, I have noticed one pecularity I have failed to pinpoint: When launching processes with some network interaction, like sshing into one of the jails from the platform or launching emacs, the command spends ages ( ~(1-2) minutes) idling? (nothing happens) before becoming interactive. If the number is very close to 90 seconds, my first guess would be you have a DNS problem. Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org Thanks for the hint. It was DNS ... I have copied a resolv.conf into the jails for future use, but did not enable NAT from the start. The issue disappeared when I commented out the nameserver entries and switched NAT off again, i.e., I could login using ssh in a matter of seconds, not minutes. Now to the followup: Why does ssh and emacs! require DNS for entirely local connections or just to be started? Anyway, thanks for that hint, cheers, -- Christopher TZ: GMT + 2h signature.asc Description: PGP signature
IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some qjails, 8.3-RELEASE. The jails are connected all via lo0 on 10.0.0.0. While by the large working as expected, I have noticed one pecularity I have failed to pinpoint: When launching processes with some network interaction, like sshing into one of the jails from the platform or launching emacs, the command spends ages ( ~(1-2) minutes) idling? (nothing happens) before becoming interactive. For reasons unreleated, I have enabled NAT with ipf for the jails on 10.0.0.0/24 (to the external re0 IF and some IP) and, out of the blue, logging into the jails or starting emacs became snappy again. Why? Why does ipnatting jails which should be connected via the same lo0 on 10.0.0.0 have any impact? Don't get me wrong, I am not complaining and it solved an issue which gave me kind of headaches, but I would like to understand. Thanks and cheers, -- Christopher TZ: GMT + 2h signature.asc Description: PGP signature
IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
Christopher J. Ruwe writes: On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some qjails, 8.3-RELEASE. The jails are connected all via lo0 on 10.0.0.0. While by the large working as expected, I have noticed one pecularity I have failed to pinpoint: When launching processes with some network interaction, like sshing into one of the jails from the platform or launching emacs, the command spends ages ( ~(1-2) minutes) idling? (nothing happens) before becoming interactive. If the number is very close to 90 seconds, my first guess would be you have a DNS problem. Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Synchronising jails
/usr/ports/net/rsync On Fri, 27 Apr 2012, Frank Staals wrote: Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, -- - Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Synchronising jails
Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, -- - Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Synchronising jails
On 04/27/2012 09:35, Frank Staals wrote: Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, rsync is dissimilar in that it is capable of preserving links. It may likely do the job? I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, signature.asc Description: OpenPGP digital signature
Re: Synchronising jails
Frank Staals fr...@fstaals.net writes: Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? I didn't don't know of any problem with using rsync (over ssh) for this, and after reading the thread to which you refer, I still don't. Set up a testbed using rsync and see if it works for you. If it doesn't, *then* you'll have something we can try to solve. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Synchronising jails
Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, -- - Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org Maybe you can store your jails on a per jail zfs filesystem. Then use zfs send/receive to send the incremental changes to the remote machine. Regards, Johan Hendriks___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Synchronising jails
Frank Staals wrote: Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, I have 3 different ideas that would work. Method 1. move changes to basejail. Use qjail to create your hosta-jaila and hostb-jaila. Qjail has a bkup function that you can backup the hosta-jaila basejail in compressed dump format and move that file to hostb any way you want and then use qjail restore function to restore that dump file to hostb-jaila basejail. bkuping up basejail takes less than one minute. method 2. move user data changes to jaila. create hosta-jaila and hosta-jailb both being the same. After changes to hosta-jaila run diff on hosta-jaila, hosta-jailb and them move the diff file to hostb and apply the diff to hostb-jaila. method 3. move user data changes to jaila. Use qjail to backup hosta-jaila and restore it to hostb-jaila. Backing up a jail takes less than 15 seconds. Note, Both hosta and hostb must be at same operating system version level. Ezjail also has function to bkup a jail but no way to bkup basejail. You can issue a dump command on the command line to create one after all jails are stopped. In my book rsync is the automated way to keep two live system in sync real time. Maybe overkill in something that is pretty much stable. If say hosta/jaila is running a mail server or a website that remote users enter info into, then rsync is the only solution. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best practices about Jails
On 04/04/12 16:06, Fbsd8 wrote: This is overkill. I single ports tree on the host is fine. Matter of fact I use packages for everything accept for php which I have to compile in apache module. I even pre-install all of php's dependents as packages before doing make install on the php port. As far as portsclean goes its only for the paranoid. Ok, I've gone this way. If you dont have full ports tree in the jail then no need for portaudit in the jail. Portaudit doesn't check the port tree; it checks installed ports. Best practices is not to create a jail environment by hand as documented in the Freebsd handbook. The port utility qjail simplifies and automates the process to the point where you dont even have to know about the jail command. http://qjail.sourceforge.net/ use the port version for 8.x 9.0 I've had a look at qjail; it seems very simliar to ezjails, which I used (I didn't do jails by hand). bye Thanks av. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
On Apr 13, 2012, at 4:58 PM, Mark Felder wrote: On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC c...@shire.net wrote: No NAT needed since they share the network stack under Jails v1 they share the routing tables. It works. Try it. You're clearly exploiting a bug in FreeBSD 6's jails. It was a documented behavior when I first started using jails ca. 2004 in FreeBSD 5. Which is why I did it that way. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
Hi All OK, so I have a server that has been running FreeBSD 6.1 and a bunch of jails, providing a few limited services. I am migrating these from real hardware and FreeBSD 6.1 with jail running, to a Xen based VPS running FreeBSD 9.0-R with a kernel rebuild from a GENERIC kernel to GENERIC plus the Xen pci device. There is one network device on the new server and it shares all addresses and the default route goes out it. Because jails in FBSD 6 shared a network stack, I could have a public network x.x.x.0/24 and public address on the host machine, and a default route in that network as well, and use a 192.168.1.0/24 address aliased on the same network interface as the IP for my jail. When doing that, from inside the jail, I could still reach the internet since it shared the route with the underlying machine. That seems to have changed on FBSD 9. Now, if I add in the 192.168.1.0/24 address and run a jail on it, with the host machine in a public network/address/route as described above, from inside the jail I CANNOT reach the internet (it is not a resolver issue as services going to numeric addresses also fail). However, the jail with the private 192.168.1.0/24 address CAN reach the host machines services even if it cannot get out onto the internet. And the HOST machine can access services on the jail running on the private IP address. (The purpose of the jail is to provide services to other jails and hosts on the same public network [all VPS on the same public vlan] and NOT to provide services to the internet. Things like local ldap or a local dns etc. But the private jail still needs to reach the internet for things like name servers it needs to access that are outside of the public network the host lives in. So I don't care if the internet itself can reach the private jail, just the local jails and hosts it co-exists with. The answer shouldn't be natd etc (was not needed in 6.0 and I am not sharing one public address with a range of private jails behind it). If I launch the jail with an address from the same public range as the host, it works fine. The jail can access the internet fine and vice versa. The host can access the jail services as well. If I launch the jail with a private address, the jail cannot reach the internet. It can reach the host in the public network, but not other machines in the same public network (ie, the other VPS I have running which are all in the same public network). If I launch the jail with both a private address and a public address, it can reach the internet and other VPS on the same public network. I may have to end up doing that and just not having any services run on the public IP but I'd rather avoid using up an address like that. What changes happened in the jails between FBSD 6 and FBSD 9 that would give the symptoms I have been experiencing? Thanks Chad ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
Do I understand this right? Working in FreeBSD 6.x: interface em0: 1.2.3.4/24 -- public IP, host only 192.168.1.1/24 -- private IP, host only 192.168.1.2/24 -- Jail #1 192.168.1.3/24 -- Jail #2 With this configuration you had no problems accessing the internet from the jails. Is this correct? This seems bizarre; this should only be possible if you're doing NAT somewhere in there and that is not possible with Jails v1 (which share a network stack) and is only possible in Jails v2 (vnet). ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
On Apr 13, 2012, at 1:50 PM, Mark Felder wrote: Do I understand this right? Working in FreeBSD 6.x: interface em0: 1.2.3.4/24 -- public IP, host only 192.168.1.1/24 -- private IP, host only 192.168.1.2/24 -- Jail #1 192.168.1.3/24 -- Jail #2 With this configuration you had no problems accessing the internet from the jails. correct. (not that it did not matter I don't think is the private IP, host only exists and ALL IP exist on the host in addition to whatever Jail they are assigned to) Is this correct? This seems bizarre; this should only be possible if you're doing NAT somewhere in there and that is not possible with Jails v1 (which share a network stack) and is only possible in Jails v2 (vnet). No NAT needed since they share the network stack under Jails v1 they share the routing tables. It works. Try it. The question is, is it possible to do something similar with FreeBSD 9 jails (v2 I guess) without the overhead of running NAT? The jail with the private IP *can* access the HOST's public services but not anyone else's Chad ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC c...@shire.net wrote: No NAT needed since they share the network stack under Jails v1 they share the routing tables. It works. Try it. You're clearly exploiting a bug in FreeBSD 6's jails. It must get confused and send your public IP on those packets. I have no idea how it processes the return traffic successfully, but that's a neat trick!. There is no possible way for this to work without NAT or whatever bug this is. If a Jail has a 192.168 IP all packets would leave with a source of 192.168. When Google or whoever on the internet gets your packets it would see 192.168 and probably drop it because that's not a publicly routable network. Without NAT it's impossible for any device anywhere on the planet to access the internet with an RFC 1918 IP address. I urge you to share your experience on the freebsd-jail@ mailing list. Those guys might be able to lend some further insight. I bet the change came with the update to jails that allows multiple IPs. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Best practices about Jails
Hello. Plase forgive the long post and the amount of questions, but I'm new to jails and I'd like to be sure of what I'm doing before deploying more than a test one. Right now I need to run a commercial Java app, which, ideally, I would forbid to access files outside its directory. This might be done by simple chrooting it, but I read a jail is a better solution, so I started with ezjails. First of all, I'm wondering whether it would be possible/useful to use chroot even inside that jail. Any opinions? Second question: from inside the jail I can access all services on localhost (eg. telnet localhost pop3, where a pop3 server is running on the host). Can this be avoided, e.g. with ipfw? Ideally, since this jail will run only one deamon and it will be accessed through Apache mod_proxy from the host, I'll just need inbound access to its port and outbound access to smtp and web proxy on the host system. No direct access from/to other hosts. Is this possible? Next... ezjail's author suggests I have a copy of the port tree just for the jails and, furthermore, a repository for distfiles for every jail. Since this would waste a lot of space, I already used a single distfile repository, but I'm also wondering whether it would be a bad idea to use the host's port tree. I know lot of people do this and, keeping it tidy with portsclean -CD, I wonder if it really would be a security risk in my case. Finally (for now :): I usually install portaudit and receive every day a report about vulnerabilities in the host system's installed ports. What about jails? Should I install portaudit there too and let them flood me with reports? Is there a way to let the host's portaudit check jails too? I'm sure I'll have other questions in some days... Thanks in advance for now to anyone who will answer. bye av. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best practices about Jails
Andrea Venturoli wrote: Hello. Plase forgive the long post and the amount of questions, but I'm new to jails and I'd like to be sure of what I'm doing before deploying more than a test one. Right now I need to run a commercial Java app, which, ideally, I would forbid to access files outside its directory. This might be done by simple chrooting it, but I read a jail is a better solution, so I started with ezjails. First of all, I'm wondering whether it would be possible/useful to use chroot even inside that jail. Any opinions? Possible yes, useful not at all. Second question: from inside the jail I can access all services on localhost (eg. telnet localhost pop3, where a pop3 server is running on the host). Can this be avoided, e.g. with ipfw? Ideally, since this jail will run only one deamon and it will be accessed through Apache mod_proxy from the host, I'll just need inbound access to its port and outbound access to smtp and web proxy on the host system. No direct access from/to other hosts. Is this possible? Firewall in a jail will not work. Only the host firewall has access to the network. Next... ezjail's author suggests I have a copy of the port tree just for the jails and, furthermore, a repository for distfiles for every jail. Since this would waste a lot of space, I already used a single distfile repository, but I'm also wondering whether it would be a bad idea to use the host's port tree. I know lot of people do this and, keeping it tidy with portsclean -CD, I wonder if it really would be a security risk in my case. This is overkill. I single ports tree on the host is fine. Matter of fact I use packages for everything accept for php which I have to compile in apache module. I even pre-install all of php's dependents as packages before doing make install on the php port. As far as portsclean goes its only for the paranoid. Finally (for now :): I usually install portaudit and receive every day a report about vulnerabilities in the host system's installed ports. What about jails? Should I install portaudit there too and let them flood me with reports? Is there a way to let the host's portaudit check jails too? If you dont have full ports tree in the jail then no need for portaudit in the jail. I'm sure I'll have other questions in some days... Thanks in advance for now to anyone who will answer. Best practices is not to create a jail environment by hand as documented in the Freebsd handbook. The port utility qjail simplifies and automates the process to the point where you dont even have to know about the jail command. http://qjail.sourceforge.net/ use the port version for 8.x 9.0 bye av. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best practices about Jails
On Wed, 04 Apr 2012 09:06:25 -0500, fb...@a1poweruser.com wrote: Firewall in a jail will not work. Only the host firewall has access to the network. Jailsv2 allows your own firewall in the jail. You get a full network stack. This is not supported by ezjails, and should still be marked rather EXPERIMENTAL but isn't. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Best practices about Jails
On Wed, Apr 04, 2012 at 10:16:37AM +0200, Andrea Venturoli wrote: Hello. Plase forgive the long post and the amount of questions, but I'm new to jails and I'd like to be sure of what I'm doing before deploying more than a test one. Right now I need to run a commercial Java app, which, ideally, I would forbid to access files outside its directory. This might be done by simple chrooting it, but I read a jail is a better solution, so I started with ezjails. First of all, I'm wondering whether it would be possible/useful to use chroot even inside that jail. Any opinions? Not very usefull. If one chroot is safe, a double is overkill. If chroot can be broken out of, an extra chroot is at most an inconvenience. Second question: from inside the jail I can access all services on localhost (eg. telnet localhost pop3, where a pop3 server is running on the host). Can this be avoided, e.g. with ipfw? The pf firewall allows you to explicitly exlude aliases from interface names. I'm assuming ipfw has similar capabilities. If you make a _pass_ rule for just the real interface without the aliases, you should be able to block stuff. Maybe you can create a loopback device, and associate the jail with that. Than you can filter the traffic to/from that to your hearts' content. Ideally, since this jail will run only one deamon and it will be accessed through Apache mod_proxy from the host, I'll just need inbound access to its port and outbound access to smtp and web proxy on the host system. No direct access from/to other hosts. Is this possible? I think so if you make alias the jail to a new loopback interface, you can filter on that. Next... ezjail's author suggests I have a copy of the port tree just for the jails and, furthermore, a repository for distfiles for every jail. Since this would waste a lot of space, I already used a single distfile repository, but I'm also wondering whether it would be a bad idea to use the host's port tree. I know lot of people do this and, keeping it tidy with portsclean -CD, I wonder if it really would be a security risk in my case. Does your daemon even use ports? If not, there is no use for the ports tree. But if you want it, you can use a combination of nullfs and unionfs to get a read-only view of the hosts' ports tree in the jail, while the writes are done in the unionfs. This means that you only have to update the hosts' ports tree, and the jail will automagically see it. Suppose the root of your jail is in /var/jails/192.168.0.100/. You do the following (in the host) to set it up: # cd /var/jails/192.168.0.100/usr # mkdir tmp/foo # mount_nullfs /usr/ports/ ports/ # mount_unionfs -o noatime tmp/foo ports/ To tear this down when you don't need it anymore, do this; # umount /var/jails/192.168.0.100/usr/ports # umount /var/jails/192.168.0.100/usr/ports # cd /var/jails/192.168.0.100/usr # rm -rf tmp/foo/* And yes, the umount command _does_ need to be run twice: once for the unionfs, and once for the nullfs! The contents of `/var/jails/192.168.0.100/usr/tmp/foo/*` are deleted to save space. What about jails? Should I install portaudit there too and let them flood me with reports? Is there a way to let the host's portaudit check jails too? With the nullfs/unionfs combo, you only need to update the ports tree once. You do need to update the ports in your jail with e.g. portmaster. Roland -- R.F.Smith http://rsmith.home.xs4all.nl/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) pgpzGRyvo31AX.pgp Description: PGP signature
Re: Best practices about Jails
On Wed, Apr 4, 2012 at 3:16 AM, Andrea Venturoli m...@netfence.it wrote: Second question: from inside the jail I can access all services on localhost (eg. telnet localhost pop3, where a pop3 server is running on the host). Can this be avoided, e.g. with ipfw? Ideally, since this jail will run only one deamon and it will be accessed through Apache mod_proxy from the host, I'll just need inbound access to its port and outbound access to smtp and web proxy on the host system. No direct access from/to other hosts. Is this possible? I use http://druidbsd.sourceforge.net/vimage.shtml to manage VIMAGE jails. It works well. I don't use any of the jail frameworks in ports because I don't run a large amount of jails which is where one sees the greatest benefit from them. Of course they make certain optimization and procedures easier, but there is something to be said for learning the canonical way jails operate before implementing them in a more abstract framework. My statements are not considering the rc.d/jail* and vimage package as frameworks(although they are in a way at least). -- Adam Vande More ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: Email issues, relay failure, perhaps Jails is causing it.
Hello Can anybody assist me with pfctl on freebsd? I have pfctl running as adaptive. It is blocking some smtp mail. I am uncertain about flushing the states or machining some of the TIMEWAITING constraints go away. Which is really blocking my email. Can anyone assist? Thanks -Original Message- From: Bernt Hansson [mailto:b...@bananmonarki.se] Sent: Sunday, February 26, 2012 2:20 AM To: Bender, Chris Cc: freebsd-questions@freebsd.org Subject: Re: Email issues, relay failure, perhaps Jails is causing it. 2012-02-26 00:54, Bender, Chris skrev: Hi Brent Yes the system we are calling X, is jailed by another system. Here is the jailer system: zs1# netstat -aptcp | grep smtp tcp4 0 0 tools2.smtp10.156.31.20.45081 SYN_RCVD tcp4 0 0 tools2.smtp*.* LISTEN tcp4 0 0 rt3.smtp *.* LISTEN tcp4 0 0 npims.smtp *.* LISTEN tcp4 0 0 wiki.smtp *.* LISTEN tcp4 0 0 localhost.smtp *.* LISTEN Here is about jails; http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: Email issues, relay failure, perhaps Jails is causing it.
Does anybody have an idea on how to clear the bruteforCE TABLE ON PFCTL ? An adaptive fw or pftcl device is blocking some of my email? Thanks -Original Message- From: Bernt Hansson [mailto:b...@bananmonarki.se] Sent: Sunday, February 26, 2012 2:20 AM To: Bender, Chris Cc: freebsd-questions@freebsd.org Subject: Re: Email issues, relay failure, perhaps Jails is causing it. 2012-02-26 00:54, Bender, Chris skrev: Hi Brent Yes the system we are calling X, is jailed by another system. Here is the jailer system: zs1# netstat -aptcp | grep smtp tcp4 0 0 tools2.smtp10.156.31.20.45081 SYN_RCVD tcp4 0 0 tools2.smtp*.* LISTEN tcp4 0 0 rt3.smtp *.* LISTEN tcp4 0 0 npims.smtp *.* LISTEN tcp4 0 0 wiki.smtp *.* LISTEN tcp4 0 0 localhost.smtp *.* LISTEN Here is about jails; http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Email issues, relay failure, perhaps Jails is causing it.
--As of February 26, 2012 8:20:14 AM +0100, Bernt Hansson is alleged to have said: http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r --As for the rest, it is mine. This is my strong suspicion as well. To separate out what the problem is: 'su' to root in the jailed system. Shut down postfix. (`postfix stop`, or `/etc/rc.d/postfix stop`) Then run `nc -l 25`. This will echo anything that comes in on port 25 direct to your terminal. Then try telneting to it. If it works, the problem is postfix. If it doesn't, restart postfix and ignore it: It's not the problem. Daniel T. Staal --- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. --- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: Email issues, relay failure, perhaps Jails is causing it.
Hi Brent Yes the system we are calling X, is jailed by another system. Here is the jailer system: zs1# netstat -aptcp | grep smtp tcp4 0 0 tools2.smtp10.156.31.20.45081 SYN_RCVD tcp4 0 0 tools2.smtp*.*LISTEN tcp4 0 0 rt3.smtp *.*LISTEN tcp4 0 0 npims.smtp *.*LISTEN tcp4 0 0 wiki.smtp *.*LISTEN tcp4 0 0 localhost.smtp *.*LISTEN I see smtp running on several systems it has jailed including system X. I see above a smtp conversation between system X and 10.156.31.20. But that is never delivered from what I have seen. I am not sure about the queues Or how to see in postfix what exactly is happening? I think a lot of this stopped working after we rebooted the jailer system. Jails really should have no affect on This it is a virtual machine essentially, at least that is my thoughts. What happen to your thought that snmp needs to run as a non mailer system? Thanks regards -Original Message- From: Bernt Hansson [mailto:b...@bananmonarki.se] Sent: Saturday, February 25, 2012 6:11 PM To: Bender, Chris Cc: freebsd-questions@freebsd.org; Jon Radel Subject: Re: Email issues, relay failure 2012-02-25 23:29, Bender, Chris skrev: Hi Brent, Thanks for that, I am still digesting it. tools2# uname -a FreeBSD tools2 8.2-RELEASE-p2 FreeBSD 8.2-RELEASE-p2 # So I put a 0 in the first two octets of the ip address below, but that IP address is A. I am not sure what that means. I was horsing around and tried to start sendmail On X then I tried to send an email from A. I have no idea what all that means. Here is netstat results: netstat: kvm not available: /dev/mem: No such file or directory tcp4 0 0 tools2.smtp0.0.81.10.33679 SYN_RCVD tcp4 0 0 tools2.smtp*.* LISTEN Ok. I'm stabbing in the dark here, but didn't you say that X was a jail system? Is every postfix process in a jail? I have never used a jailed system. So my WILD guess it's a something with jail, or jail setup. What is non $mail_owner privileges or how to determine that? tools2# postconf -d | grep mail_version mail_version = 2.7.0 milter_macro_v = $mail_name $mail_version I am still not sure about the non mail owner issue yet, but I would think because this has run in the past that it wouldn't have changed. And how do I run smtp as a non mail user when I am root? Hopfully we are getting somewhere. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Email issues, relay failure, perhaps Jails is causing it.
2012-02-26 00:54, Bender, Chris skrev: Hi Brent Yes the system we are calling X, is jailed by another system. Here is the jailer system: zs1# netstat -aptcp | grep smtp tcp4 0 0 tools2.smtp10.156.31.20.45081 SYN_RCVD tcp4 0 0 tools2.smtp*.*LISTEN tcp4 0 0 rt3.smtp *.*LISTEN tcp4 0 0 npims.smtp *.*LISTEN tcp4 0 0 wiki.smtp *.*LISTEN tcp4 0 0 localhost.smtp *.*LISTEN Here is about jails; http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails V2, VIMAGE, and integration in the base system
On 02/03/12 17:02, Devin Teske wrote: Please give this a try: http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml Hi, Interesting. Is it safe to run in production (VIMAGE/vnets) ? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails V2, VIMAGE, and integration in the base system
On Feb 4, 2012, at 10:45 AM, Hugo Silva wrote: On 02/03/12 17:02, Devin Teske wrote: Please give this a try: http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml Hi, Interesting. Is it safe to run in production (VIMAGE/vnets) ? I can't speak to every application, release, or even purpose, but we've been using between 2 and 3 dozen vimages for various purposes without problem on 8.1-RELEASE-p6 (just haven't got around to updating to -p7 which is lated RELENG_8_1 security patch). We've been running amd64 hosts with both amd64 and i386 jails. Doing compiler builds, using them as web servers, shell servers, bastion's, gateways, proxies (both shell and web), and even for running legacy releases of FreeBSD (running 4.11 i386 on an amd64 8.1 host). So the VIMAGE/vnets support seems pretty stable in 8.1-RELEASE. Oh, we did have to MFC SVN r207194 to fix a bug in sys/net/rtsock.c when running i386 route(8) in VIMAGE under amd64 host. Though you don't have to apply the patch, as the workaround was simple -- copy the host's amd64 route(8) over vimage's i386 one. That's really the only bug we ever hit, but your mileage may vary. We've been generally very happy with VIMAGE/vnets so far. Now, with respect to the script being production ready, I'd say yes with one minor nit... Unnecessarily starting/stopping vimages after boot is bad for two reasons: 1. In 8.1-RELEASE there's an necessary loss in VM pages everytime you remove a vimage jail with jail -r (this has been fixed in later releases). 2. The Ethernet HW address auto-calculations performed in my script are based on the order in which vimages are started and stopped. This is easily overcome by setting the HW address in the ifconfig_* line within rc.conf(5) (within the vimage rootdir). -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Jails V2, VIMAGE, and integration in the base system
Hello, I didn't find much about jails v2 + epair + vimage on google; The FreeBSD wiki pages concerning this subject seem fairly outdated (that or not much has happened in 3 years), and the manpages don't mention much about vimage/vnet. According to http://ivoras.net/freebsd/freebsd8.html it should be in FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not integrated in the base system and information/documentarion is scarse, few will use it. Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 years old. My question is, how wise would it be to attempt to use these features in production? IMO this is very interesting stuff, having these things integrated would be a worthy addition to FreeBSD. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: Jails V2, VIMAGE, and integration in the base system
-Original Message- From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd- questi...@freebsd.org] On Behalf Of Hugo Silva Sent: Friday, February 03, 2012 8:17 AM To: freebsd-questions@freebsd.org Subject: Jails V2, VIMAGE, and integration in the base system Hello, I didn't find much about jails v2 + epair + vimage on google; The FreeBSD wiki pages concerning this subject seem fairly outdated (that or not much has happened in 3 years), and the manpages don't mention much about vimage/vnet. According to http://ivoras.net/freebsd/freebsd8.html it should be in FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not integrated in the base system and information/documentarion is scarse, few will use it. Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 years old. My question is, how wise would it be to attempt to use these features in production? IMO this is very interesting stuff, having these things integrated would be a worthy addition to FreeBSD. Please give this a try: http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails V2, VIMAGE, and integration in the base system
Hugo Silva wrote: Hello, I didn't find much about jails v2 + epair + vimage on google; The FreeBSD wiki pages concerning this subject seem fairly outdated (that or not much has happened in 3 years), and the manpages don't mention much about vimage/vnet. According to http://ivoras.net/freebsd/freebsd8.html it should be in FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not integrated in the base system and information/documentarion is scarse, few will use it. Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 years old. My question is, how wise would it be to attempt to use these features in production? IMO this is very interesting stuff, having these things integrated would be a worthy addition to FreeBSD. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org Yes VIMAGE Jails are part of the 8.x releases. Jail is in the base release in its manual form and you have to recompile the kernel to enable VIMAGE which is labeled experimental. Jails are used in many production environments managed by the sysutil/qjail port but use VIMAGE at your own risk. Have no info on epair. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Securely sharing directories between jails
On Wed, Feb 01, 2012 at 08:30:31AM +0100, Stas Verberkt wrote: L.S., I want to set up my system in a way where applications are clustered over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I need to share data over the jails, which is stored on the host. Often, nullfs and mounting ro is suitable, but I need write access in some cases. As nullfs rw over multiple jails can be considered insecure, I was wondering what would be a secure way. You could use a combination of nullfs and unionfs. Below is is what I do to share /usr/ports on the host with a jail, but keep the jail from writing in the host's tree. host# cd /usr/local/var/jails/192.168.0.100/usr host# mkdir tmp/foo host# mount_nullfs /usr/ports/ ports/ host# mount_unionfs -o noatime tmp/foo ports/ With this, the jail sees the hosts' /usr/ports tree, but when it wants to write there, the written files end up under tmp/foo in the jails' tree. Roland -- R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) pgphIuUox4Drv.pgp Description: PGP signature
Securely sharing directories between jails
L.S., I want to set up my system in a way where applications are clustered over jails, e.g. a httpd, smbd and dbmsd jail. However, in most cases I need to share data over the jails, which is stored on the host. Often, nullfs and mounting ro is suitable, but I need write access in some cases. As nullfs rw over multiple jails can be considered insecure, I was wondering what would be a secure way. The only thing I could come up with was having both a NFS server and client running on the host and mounting such that all access is mapped to an account with less privileges. However, it seems like a waste to NFS with yourself. Thus, are there any better ways to achieve this? (I also thought of using nosuid flags, but I'm not sure if this is enough.) Kind regards, Stas Verberkt pgpweVZFL6b60.pgp Description: PGP signature
Re: Jails within different networks ... ?
I've actually done that but the result was jails coming up incredibly slowly and once up basically not wired. I'm gonna check my configuration again and I'll update the mailing list soon. Thanks for you time to you all. On Sat, 2011-12-03 at 21:54 +, Matthew Seaman wrote: On 03/12/2011 17:54, Snoop wrote: I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to that my next available public ip address xxx.xxx.26.228/24 but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or it's a delirium? Sure you can do that. Remember the rule though, that the first IP from each different network configured on an interface must use the natural netmask for that network. Second and subsequent addresses from each different network can either use the all-ones (/32) netmask, or the natural netmask. This only changed a few years ago, so there's still a lot of advice going around saying you should use the older all-ones style, but in actuality you can do it which ever of those ways you want and it won't make any functional difference. Cheers, Matthew -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: ING DIRECT Conto Arancio. 4,20% per 12 mesi, zero spese, aprilo in due minuti! Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=11924d=4-12 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails within different networks ... ?
Just an update. It seems to be working well. The jail startup slowness I believe is due to the fact that the DNS is still down. Thanks for your time. ### host rc.conf related section ifconfig_lagg0=laggproto failover laggport bge0 laggport bge1 xxx.xxx.26.224/24 ifconfig_lagg0_alias_0=inet xxx.xxx.26.225/32 ifconfig_lagg0_alias_1=inet xxx.xxx.26.226/32 ifconfig_lagg0_alias_2=inet xxx.xxx.26.227/32 ifconfig_lagg0_alias_3=inet 172.16.3.2/27 ifconfig_lagg0_alias_4=inet 172.16.3.3/27 ifconfig_lagg0_alias_5=inet 172.16.3.4/27 ifconfig_lagg0_alias_6=inet 172.16.3.5/27 ifconfig_lagg0_alias_7=inet 172.16.3.6/27 ### ifconfig related output lagg0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500 options=8009bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE ether 00:14:5e:ee:2b:c0 inet xxx.xxx.26.224 netmask 0xff00 broadcast xxx.xxx.26.255 inet xxx.xxx.26.225 netmask 0x broadcast xxx.xxx.26.225 inet xxx.xxx.26.226 netmask 0x broadcast xxx.xxx.26.226 inet xxx.xxx.26.227 netmask 0x broadcast xxx.xxx.26.227 inet 172.16.3.2 netmask 0x broadcast 172.16.3.2 inet 172.16.3.3 netmask 0x broadcast 172.16.3.3 inet 172.16.3.4 netmask 0x broadcast 172.16.3.4 inet 172.16.3.5 netmask 0x broadcast 172.16.3.5 inet 172.16.3.6 netmask 0x broadcast 172.16.3.6 media: Ethernet autoselect status: active laggproto failover laggport: bge1 flags=0 laggport: bge0 flags=5MASTER,ACTIVE -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Conto Arancio al 4,20%. Soldi sempre disponibili, zero spese, aprilo in due minuti! Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=11920d=4-12 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Jails within different networks ... ?
Hi there, I've a doubt! I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to that my next available public ip address xxx.xxx.26.228/24 but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or it's a delirium? I don't want to waste my public ip address for a jail which I want to have a network configured but not to be publicly visible. Many thanks in advance. lagg0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500 options=8009bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE ether 00:14:5e:ee:2b:c0 inet xxx.xxx.26.224 netmask 0xff00 broadcast xxx.xxx.26.255 inet xxx.xxx.26.225 netmask 0x broadcast xxx.xxx.26.225 inet xxx.xxx.26.226 netmask 0x broadcast xxx.xxx.26.226 inet xxx.xxx.26.227 netmask 0x broadcast xxx.xxx.26.227 media: Ethernet autoselect status: active laggproto failover laggport: bge1 flags=0 laggport: bge0 flags=5MASTER,ACTIVE -- Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f Sponsor: Conto Arancio al 4,20%. Zero spese e massima liberta', aprilo in due minuti! Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=11922d=3-12 ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails within different networks ... ?
2011/12/3 Snoop sn...@email.it: Hi there, I've a doubt! I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to that my next available public ip address xxx.xxx.26.228/24 but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or it's a delirium? I don't want to waste my public ip address for a jail which I want to have a network configured but not to be publicly visible. Many thanks in advance. lagg0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500 options=8009bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE ether 00:14:5e:ee:2b:c0 inet xxx.xxx.26.224 netmask 0xff00 broadcast xxx.xxx.26.255 inet xxx.xxx.26.225 netmask 0x broadcast xxx.xxx.26.225 inet xxx.xxx.26.226 netmask 0x broadcast xxx.xxx.26.226 inet xxx.xxx.26.227 netmask 0x broadcast xxx.xxx.26.227 media: Ethernet autoselect status: active laggproto failover laggport: bge1 flags=0 laggport: bge0 flags=5MASTER,ACTIVE Create an Alias Example: ifconfig_em0_alias0=inet 192.0.2.9 netmask 255.255.255.255 http://blather.michaelwlucas.com/archives/1021 Regards. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Jails within different networks ... ?
On 03/12/2011 17:54, Snoop wrote: I have 3 jails within the host xxx.xxx.26.224 configured in this way (below) and everything works well. What if I want to enable another jail but I don't want to assign to that my next available public ip address xxx.xxx.26.228/24 but I want this jail to have a private ip address like 172.16.1.2/27? Is that possible or it's a delirium? Sure you can do that. Remember the rule though, that the first IP from each different network configured on an interface must use the natural netmask for that network. Second and subsequent addresses from each different network can either use the all-ones (/32) netmask, or the natural netmask. This only changed a few years ago, so there's still a lot of advice going around saying you should use the older all-ones style, but in actuality you can do it which ever of those ways you want and it won't make any functional difference. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW signature.asc Description: OpenPGP digital signature
