RE: Jail question
On Fri, 01 Mar 2013, Bernt Hansson wrote:
> On 2013-02-27 11:19, Bernt Hansson wrote:
>> 2013-02-26 15:18, Teske, Devin wrote:
>>> Yes, this is possible. When I get into work, I'll share with you the recipe
>>
>> Please do share with us.
>
> Ok, I'll rephrase my question. How do I install FreeBSD 4.9 in a jail on 8.3 amd64?

Step 1. Download the following files/directories...

    bin/ catpages/ cdrom.inf compat1x/ compat22/ compat3x/ compat4x/
    crypto/ dict/ doc/ games/ info/ manpages/ proflibs/

from: ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/4.9-RELEASE/

NOTE: For example, download those files/directories to
/usr/repos/FreeBSD-4.9/4.9-RELEASE

Step 2. Download my jail_build script from:
http://druidbsd.sourceforge.net/download.shtml#jail_build

Step 3: Run jail_build

NOTE: If you put your downloaded files in /usr/repos/FreeBSD-4.9/4.9-RELEASE
then jail_build will automatically find them and present 4.9 as an option.
After selecting FreeBSD-4.9, it will then prompt you to enter the root
directory to unpack the jail to. When jail_build completes, you'll have a
freshly unpacked FreeBSD-4.9 in the desired root directory.

Step 4: Grab and install my vimage package:
http://druidbsd.sourceforge.net/download.shtml#vimage
About: http://druidbsd.sourceforge.net/vimage.shtml

Step 5: Configure your vimage in /etc/rc.conf (see /etc/rc.conf.d/vimage for a
sample). Example:

    vimage_enable="YES"
    vimage_list="fbsd4_9"
    vimage_fbsd4_9_rootdir="/usr/jails/fbsd4_9"
    vimage_fbsd4_9_hostname="fbsd4_9"
    vimage_fbsd4_9_bridges="bge0"
    vimage_fbsd4_9_devfs_enable="YES"
    vimage_fbsd4_9_procfs_enable="YES"

Step 6: [Pre-]configure the network interface for the vimage. Example:

    chroot /usr/jails/fbsd4_9 vi /etc/rc.conf

NOTE: Since the vimage (aka vnet jail) isn't running yet, we use chroot instead
of jexec. (Also note that the chroot is only for pedantic safety: it prevents
things such as, what if /etc/rc.conf is a symlink to /etc/rc.conf.other?
Without the chroot you'd accidentally edit the host machine's
/etc/rc.conf.other.)

Add the following:

    ifconfig_ng0_fbsd4_9="inet 192.168.1.123 netmask 255.255.255.0"
    defaultrouter="192.168.1.1"   # or whatever fits your network
    # Don't forget /etc/resolv.conf
    # Don't forget to set sshd_enable="YES" in rc.conf(5) if you want to be
    # able to ssh into the vimage

Step 7: Fix some binaries in the 4.9 distribution to work under the 8.3
kernel... Download my update411binaries.sh script (should work fine for 4.9
jails too) from...
http://druidbsd.sf.net/download/update411binares.sh

Step 8: Run update411binares.sh with a first argument of (for example)
/usr/jails/fbsd4_9

Step 9: Fire up the vimage

    service vimage start fbsd4_9

Step 10: Check things out...

    jls
    ssh 192.168.1.123
    jexec fbsd4_9 csh

etc. etc.
--
HTH
Devin
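The symlink hazard in the Step 6 NOTE above (editing a file under a jail root from the host follows symlinks with the host's view of the filesystem, so a link to /etc/rc.conf.other makes you edit the host's copy) can be caught by a host-side script without entering the jail. The following is an added example, not part of Devin's message or of the druidbsd scripts; the function names jail_path_is_safe, jail_edit and demo_symlink_check, and every path in it, are assumptions of this example, and it relies on readlink -f, which both GNU coreutils and FreeBSD's readlink(1) provide.

```shell
#!/bin/sh
# Added example: refuse to edit JAILROOT/RELPATH from the host when the path
# is a symlink or resolves outside the jail root (both would redirect the
# edit to the host's own files). Function names and paths are assumptions.

# jail_path_is_safe JAILROOT RELPATH
#   Succeeds (0) only if JAILROOT/RELPATH is not itself a symlink and its
#   fully resolved path still lies under the resolved JAILROOT; fails (1)
#   otherwise.
jail_path_is_safe() {
    root=${1%/}
    target="$root/$2"

    # The file itself must not be a symbolic link, dangling or not.
    [ ! -L "$target" ] || return 1

    # A symlinked parent directory redirects the write just as well, so
    # resolve every component of both paths and compare prefixes.
    resolved=$(readlink -f -- "$target") || return 1
    rootres=$(readlink -f -- "$root") || return 1
    case "$resolved" in
        "$rootres"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# jail_edit JAILROOT RELPATH
#   Open the file in $EDITOR (default vi) only after the check passes.
jail_edit() {
    if jail_path_is_safe "$1" "$2"; then
        "${EDITOR:-vi}" "${1%/}/$2"
    else
        echo "refusing to edit ${1%/}/$2: symlink or escapes the jail root" >&2
        return 1
    fi
}

# demo_symlink_check
#   Builds a throwaway jail root (constructed sample tree) with a plain
#   rc.conf, a symlinked rc.conf.other and a symlinked directory, and reports
#   the verdict for each.
demo_symlink_check() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/jail/etc" "$t/host-etc"
    : > "$t/jail/etc/rc.conf"
    : > "$t/host-etc/rc.conf.other"
    ln -s "$t/host-etc/rc.conf.other" "$t/jail/etc/rc.conf.other"
    ln -s "$t/host-etc" "$t/jail/etc/linkdir"
    for p in etc/rc.conf etc/rc.conf.other etc/linkdir/rc.conf.other; do
        if jail_path_is_safe "$t/jail" "$p"; then
            echo "safe:    $p"
        else
            echo "REFUSED: $p"
        fi
    done
    rm -rf "$t"
}

demo_symlink_check
```

The chroot in Step 6 remains the simpler tool when the jail has a usable vi; this check is for automation that writes into many jail roots from the host (rsync'd trees, jail_build output) where you cannot chroot into each one first.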
Re: Jail question
2013-02-26 15:18, Teske, Devin wrote:
> Yes, this is possible. When I get into work, I'll share with you the recipe

Please do share with us.
RE: Jail question
Got it... (script inline below)

The first (and only) argument is to be a path to a 4.11 jail's root directory.
For example, if you take a FreeBSD-4 box and rsync it to /usr/jails/myold4box
on a FreeBSD-8 machine, you should then execute:

    update411binaries.sh /usr/jails/myold4box

Then just configure the jail and fire it up. Of course, these are vnet jails.
Further instructions on http://druidbsd.sf.net/vimage.shtml with my vimage
package here: http://druidbsd.sf.net/download.shtml#vimage

===
#!/bin/sh
# Copy the host's (8.x) binaries and the shared libraries they need into an
# old 4.x jail so that ps, ifconfig, route, top and netstat work under the
# newer kernel. Run as root; the only argument is the jail's root directory.

if [ "$(id -u)" != 0 ]; then
	echo "Must run as root!" >&2
	exit 1
fi
if [ $# -lt 1 ]; then
	echo "Usage: $0 directory" >&2
	exit 1
fi
dir=$1
if [ ! -d "$dir" ]; then
	echo "$dir: No such file or directory" >&2
	exit 1
fi

# Make sure the library directories exist in the jail before copying.
mkdir -p "$dir/libexec" "$dir/lib" "$dir/usr/lib"

# Each path is copied from the host to the same path under $dir, preserving
# modes and timestamps (-p), overwriting (-f) and listing each copy (-v).
for file in \
	/bin/ps \
	/libexec/ld-elf.so.1 \
	/lib/libm.so.5 \
	/lib/libkvm.so.5 \
	/lib/libc.so.7 \
	/sbin/ifconfig \
	/lib/libbsdxml.so.4 \
	/lib/libjail.so.1 \
	/lib/libsbuf.so.5 \
	/lib/libipx.so.5 \
	/sbin/route \
	/usr/bin/top \
	/lib/libncurses.so.8 \
	/usr/bin/netstat \
	/usr/lib/libmemstat.so.3 \
	/lib/libutil.so.8 \
	/usr/lib/libnetgraph.so.4 \
; do
	cp -pfv "$file" "$dir$file"
done
===

-----Original Message-----
From: Bernt Hansson [mailto:b...@bananmonarki.se]
Sent: Wednesday, February 27, 2013 2:19 AM
To: Teske, Devin
Cc: questions FreeBSD
Subject: Re: Jail question

2013-02-26 15:18, Teske, Devin wrote:
> Yes, this is possible. When I get into work, I'll share with you the recipe

Please do share with us.
RE: Jail question
Yes, this is possible. When I get into work, I'll share with you the recipe (I
have a script called update4.sh which I run after building [or rsync'ing] a
4.x box to an 8.x box to become a vimage; note that I didn't say jail -- 4.x
runs better as a VNET jail than a regular jail).

We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas
vnet-jail works wonders (with a couple of binaries replaced, like netstat,
ifconfig, ps, and top for example).
--
Devin

________________________________________
From: owner-freebsd-questi...@freebsd.org [owner-freebsd-questi...@freebsd.org] on behalf of Bernt Hansson [b...@bananmonarki.se]
Sent: Tuesday, February 26, 2013 5:23 AM
To: questions FreeBSD
Subject: Jail question

Hello list!

I would like to install an old version of FreeBSD, let's say 4.6, in a jail.
Is that possible? Host is 8.3-stable amd64.
Re: Jail question
Bernt Hansson wrote:
> I would like to install an old version of FreeBSD, let's say 4.6, in a jail.
> Is that possible? Host is 8.3-stable amd64

Things like ps won't run, but you can copy static binaries from host:/rescue
to jail:/{bin,sbin} as appropriate and that helps a lot.

I just installed a 5.4-RELEASE/i386 jail on a 9.1-STABLE/amd64 system. Mysqld
would not run (dumped core), so I relocated that to a separate jail running
9.1-STABLE/amd64.

One gotcha I found is that while you can run an old i386 system in a jail on
an amd64 host, you can't build an amd64 kernel with COMPAT_AOUT, so if you
have an a.out binary from days of old, you need an i386 kernel.

Devin Teske wrote:
> Yes, this is possible. When I get into work, I'll share with you the recipe
> (I have a script called update4.sh which I run after building [or
> rsync'ing] a 4.x box to an 8.x box to become a vimage; note that I didn't
> say jail -- 4.x runs better as a VNET jail than a regular jail).
>
> We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas
> vnet-jail works wonders (with a couple of binaries replaced, like netstat,
> ifconfig, ps, and top for example).

Devin,

Please share your script with us all (especially me :-) )

Thanks,
Danny
Re: Noob Jail question.
Hi..

I've actually got a messing-about PC with 8.1 on, that I often play with
during lunch times at work. Trouble is, I've been working through lunchtimes
for the last week or three.

Self teaching is good, you certainly learn things, but though I'm not in need
of instant self gratification, it's a bit frustrating the time it takes to
learn, and then get it sorted, when I ideally want it to just work.

Still, for the price (free of course) I can't complain, and it's not as if I'm
doing it for a job, or charging anyone for it. If I was, I'd take paid-for
advice, and pass the cost on!

Thanks for the encouragement..

Dave B.

On 17 Dec 2010 at 12:14, Indexer wrote:
>> Indexer and Da Rock, many thanks, more reading, and some fiddling needed I
>> think.
>
> It is the best way to learn. Setup a VM of fbsd 8.1 on your computer, and
> just play with it on that with jails, and learn what you can and can't do.
> Remember that if you ever need help of course, these email lists are great.
> Also, read the FBSD handbook, it has some great instructions.
>
> Isn't self directed learning great ;)
Re: Noob Jail question.
On 12/18/10 02:58, Dave wrote:
> Hi..
>
> I've actually got a messing-about PC with 8.1 on, that I often play with
> during lunch times at work. Trouble is, I've been working through
> lunchtimes for the last week or three.
>
> Self teaching is good, you certainly learn things, but though I'm not in
> need of instant self gratification, it's a bit frustrating the time it
> takes to learn, and then get it sorted, when I ideally want it to just
> work.

If you take the time now, it'll get quicker in the future. Happens to me all
the time, so I understand the frustration, but hang in there and eventually
you'll be flipping them out wherever you like. Being able to ask sometimes
stupid questions here to get things clear is always handy too; sometimes
something that should be obvious evades our comprehension :)

> Still, for the price (free of course) I can't complain, and it's not as if
> I'm doing it for a job, or charging anyone for it. If I was, I'd take
> paid-for advice, and pass the cost on!

It'll pay off in the end. If you were getting paid for it, you'd have the
knowledge for future clients, so I'm not sure how that fits in the economics
;) That said, I've found that paid advice is not always as helpful or
knowledgeable as free... That may not be the case where you are though. Here
things are ruled by how much can be gained now and in the near future, such as
off the shelf.

> Thanks for the encouragement..
>
> Dave B.
>
> On 17 Dec 2010 at 12:14, Indexer wrote:
>>> Indexer and Da Rock, many thanks, more reading, and some fiddling needed
>>> I think.
>>
>> It is the best way to learn. Setup a VM of fbsd 8.1 on your computer, and
>> just play with it on that with jails, and learn what you can and can't do.
>> Remember that if you ever need help of course, these email lists are
>> great. Also, read the FBSD handbook, it has some great instructions.
>>
>> Isn't self directed learning great ;)
Re: Noob Jail question.
Dave d...@g8kbv.demon.co.uk writes:
> I've been reading the FreeBSD Manual (a dangerous thing to do during
> lunchtimes!) relating to Jails. Other than making my head spin, I'm finding
> it a tad difficult finding out just what you can/can't do with a Jail.
> Mainly because I'm not familiar with a lot of the terms used, and though
> the man pages are no doubt correct as a reference, they don't explain it
> well, in as much as how to use it, well, in my addled mind at the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems the right thing to
> do with something that will be exposed to the www. (Comments/advice?)
>
> But how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update that
> data? FTPD will only be reachable from the LAN side of the main gateway
> router; Hiawatha will have an outside world port forwarded to it by the
> router.
>
> What I'm asking I guess, is.. Can a jail'd app reach outside the jail in
> read only mode? (I suspect, maybe?) Or can an app outside the jail drop
> stuff off inside the jail? (For whatever reason, I suspect not?)
>
> If anyone understands what the heck I'm blathering on about, please explain
> it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?

You may try to use sysutils/ezjail to install/manage/etc jails. Using
ezjail-admin is quite easy. Ezjails are really light (they use a read-only
mount_nullfs of a basejail rather than real filesystems).

Then you may consider using one jail for FTPD with write access and another
jail for the HTTPD server with read-only access (say, a read-only
mount_nullfs) to the files/filesystems written by FTPD.
--
WBR, bsam
Re: Noob Jail question.
On 16 Dec 2010 at 14:50, Da Rock wrote:
> On 12/16/10 09:32, Dave wrote:
>> Hi.
>>
>> As some of you may remember, I've managed to build a F'BSD V8.0 based
>> system that provides me with:-
>> . . . .

Hi..

Indexer and Da Rock, many thanks, more reading, and some fiddling needed I
think.

Cheers.

Dave B.
Re: Noob Jail question.
> Indexer and Da Rock, many thanks, more reading, and some fiddling needed I
> think.

It is the best way to learn. Setup a VM of fbsd 8.1 on your computer, and just
play with it on that with jails, and learn what you can and can't do. Remember
that if you ever need help of course, these email lists are great. Also, read
the FBSD handbook, it has some great instructions.

Isn't self directed learning great ;)

> Cheers.
>
> Dave B.

William Brown
pgp.mit.edu
Noob Jail question.
Hi.

As some of you may remember, I've managed to build a F'BSD V8.0 based system
that provides me with:-

Local GPS disciplined NTP server (working very well), the reason I built the
thing in the first place, but it seems FreeBSD can do so much more, so I also
have:

Hiawatha webserver (also working well)

FTPD for updating the web pages Hiawatha serves up (working well). Other
systems here generate data that is FTP'd over the LAN to the web page folders.

SSH remote login for admin needs (but not for root login). Also working well.

All this will start happily, boot and sort itself out as a headless machine,
and if needed collapse gracefully and shut down cleanly, with one press of the
power button. I am impressed!

I've been reading the FreeBSD Manual (a dangerous thing to do during
lunchtimes!) relating to Jails. Other than making my head spin, I'm finding it
a tad difficult finding out just what you can/can't do with a Jail. Mainly
because I'm not familiar with a lot of the terms used, and though the man
pages are no doubt correct as a reference, they don't explain it well, in as
much as how to use it, well, in my addled mind at the moment.

I think I'd like to run Hiawatha in a Jail, as it seems the right thing to do
with something that will be exposed to the www. (Comments/advice?)

But how do I arrange it to safely get (read only) access to the website data,
without preventing the FTPD service from having access to update that data?
FTPD will only be reachable from the LAN side of the main gateway router;
Hiawatha will have an outside world port forwarded to it by the router.

What I'm asking I guess, is.. Can a jail'd app reach outside the jail in read
only mode? (I suspect, maybe?) Or can an app outside the jail drop stuff off
inside the jail? (For whatever reason, I suspect not?)

If anyone understands what the heck I'm blathering on about, please explain it
to me, as I think I've lost the plot.

Comments, advice, brickbats etc?

Best Regards.

Dave B.
Re: Noob Jail question.
> SSH remote login for admin needs (but not for root login). Also working
> well.

Good!

> I think I'd like to run Hiawatha in a Jail, as it seems the right thing to
> do with something that will be exposed to the www. (Comments/advice?)

From a security standpoint it makes sense, as it confines a malicious user
*if* they get in.

> But how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update that
> data? FTPD will only be reachable from the LAN side of the main gateway
> router; Hiawatha will have an outside world port forwarded to it by the
> router.

You notice the way jails work? They are essentially a fenced off part of your
filesystem. So your jail may live in /usr/jails on the host system. You can
access all the contents of the jail from the host of course.

An easy answer to this would be something like: have a directory called
/var/www and have the FTPD write to that. Then mount /var/www as a nullfs in
read only mode to /usr/jails/var/www, and point your webserver (which inside
the jail is unaware of some of this) to /var/www (or, from the host's point of
view, /usr/jails/var/www).

> What I'm asking I guess, is.. Can a jail'd app reach outside the jail in
> read only mode? (I suspect, maybe?) Or can an app outside the jail drop
> stuff off inside the jail? (For whatever reason, I suspect not?)

A jailed app cannot reach outside; this defeats the purpose. On the other hand
the host can reach in.

The best way to learn is to try, so setting it up on a dev machine is probably
the best way to go. Again, if you need more help, email this list.

Sincerely
William Brown
pgp.mit.edu
Re: Noob Jail question.
On 12/16/10 09:32, Dave wrote:
> Hi.
>
> As some of you may remember, I've managed to build a F'BSD V8.0 based
> system that provides me with:-
>
> Local GPS disciplined NTP server (working very well), the reason I built
> the thing in the first place, but it seems FreeBSD can do so much more, so
> I also have:
>
> Hiawatha webserver (also working well)
>
> FTPD for updating the web pages Hiawatha serves up (working well). Other
> systems here generate data that is FTP'd over the LAN to the web page
> folders.
>
> SSH remote login for admin needs (but not for root login). Also working
> well.
>
> All this will start happily, boot and sort itself out as a headless
> machine, and if needed collapse gracefully and shut down cleanly, with one
> press of the power button. I am impressed!
>
> I've been reading the FreeBSD Manual (a dangerous thing to do during
> lunchtimes!) relating to Jails. Other than making my head spin, I'm finding
> it a tad difficult finding out just what you can/can't do with a Jail.
> Mainly because I'm not familiar with a lot of the terms used, and though
> the man pages are no doubt correct as a reference, they don't explain it
> well, in as much as how to use it, well, in my addled mind at the moment.
>
> I think I'd like to run Hiawatha in a Jail, as it seems the right thing to
> do with something that will be exposed to the www. (Comments/advice?)
>
> But how do I arrange it to safely get (read only) access to the website
> data, without preventing the FTPD service from having access to update that
> data? FTPD will only be reachable from the LAN side of the main gateway
> router; Hiawatha will have an outside world port forwarded to it by the
> router.
>
> What I'm asking I guess, is.. Can a jail'd app reach outside the jail in
> read only mode? (I suspect, maybe?) Or can an app outside the jail drop
> stuff off inside the jail? (For whatever reason, I suspect not?)
>
> If anyone understands what the heck I'm blathering on about, please explain
> it to me, as I think I've lost the plot.
>
> Comments, advice, brickbats etc?
>
> Best Regards.
>
> Dave B.

Sounds good.

A jail is essentially paravirtualisation, in other words it partitions your OS
into distinct segments. Linux has just started making inroads on this with
vserver and such. The kernel stays the same, but you actually have separately
distinct kernel code, security, etc for each jail. So it makes sense then to
run just one service within it, but it's possible to run an entire system,
with multiple systems on one host. This method is extremely fast, barely any
trade off compared to running say VirtualBox, VMWare, or Qemu.

As you read, you hand off a branch in your file system to hold the data for
the jail (kernel, world, and apps and associated data etc), and the jail
system inside the jail can only see that branch. That's its equivalent of / on
the host. It can't see outside of that unless you place something inside that
branch from the host. You even have to actually mount a separate devfs inside
the jail if required.

So you want FTPD to drop files into the webserver, and the webserver is in a
jail; then (consider the security of what you're attempting) either FTPD has
to access the branch containing the jail and webroot, or mount using nullfs
the branch containing the FTPD directory inside the jail.

HTH and good luck.

For bonus points you can even try a service-only jail, where you don't need
the whole system in the jail, just the libraries needed by the service app :)
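The arrangement William Brown and Da Rock describe (FTPD writes to a host directory, the web-server jail sees it through a nullfs mount that should be read-only) is only as strong as the mount options actually applied: a nullfs entry that lost its ro flag, or one whose mount point landed outside the jail root, silently gives the jailed service write access or exposes the wrong tree. The following is an added example, not code from either reply: a POSIX sh audit that reads a jail's fstab in fstab(5) format (on 8.x the file that rc.conf(5)'s jail_<name>_fstab points at) and flags nullfs entries that are writable or mounted outside the jail root. The sample fstab lines, the /usr/jails/www root and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit the nullfs mounts declared for a jail and flag any that
# are read-write or whose mount point is not under the jail root. The fstab
# lines below are a constructed sample, not a real system's configuration.

# sample_fstab
#   Constructed sample: three nullfs entries in fstab(5) format, one correct,
#   one mistakenly read-write, one pointing into a different jail's tree.
sample_fstab() {
    cat <<'EOF'
# src            dest                          type   opts      dump pass
/var/www         /usr/jails/www/var/www        nullfs ro        0    0
/var/log/upload  /usr/jails/www/var/upload     nullfs rw        0    0
/srv/shared      /usr/jails/other/srv/shared   nullfs ro,noexec 0    0
EOF
}

# audit_jail_nullfs JAILROOT < fstab
#   Prints one line per nullfs entry: "VERDICT SRC DEST OPTS", where VERDICT
#   is OK, WRITABLE (no ro in the options) or OUTSIDE (mount point not under
#   JAILROOT). Comments, blank lines and non-nullfs entries are skipped.
audit_jail_nullfs() {
    jailroot=${1%/}
    while read -r src dest fstype opts _rest; do
        case "$src" in ''|'#'*) continue ;; esac
        [ "$fstype" = nullfs ] || continue
        verdict=OK
        case "$dest" in
            "$jailroot"/*) ;;
            *) verdict=OUTSIDE ;;
        esac
        if [ "$verdict" = OK ]; then
            # Options are comma-separated; wrap in commas so "ro" matches as a
            # whole token and not as part of e.g. "errors".
            case ",$opts," in
                *,ro,*) ;;
                *) verdict=WRITABLE ;;
            esac
        fi
        printf '%s %s %s %s\n' "$verdict" "$src" "$dest" "$opts"
    done
}

# audit_problem_count JAILROOT
#   Number of sample entries that are not OK; non-zero is the alert condition.
audit_problem_count() {
    sample_fstab | audit_jail_nullfs "$1" | grep -v -c '^OK ' || true
}

# Stand-alone run: print the verdicts for the sample and the problem count.
sample_fstab | audit_jail_nullfs /usr/jails/www
echo "problems: $(audit_problem_count /usr/jails/www)"
```

On a live system, feed the real file instead of the sample (`audit_jail_nullfs /usr/jails/www < /etc/fstab.www`); the function only parses fstab(5) columns, so the output of mount(8), which uses a different layout, needs converting first. Treat any WRITABLE verdict on the web root as the FTPD-and-webserver boundary being gone, since the jailed web server can then modify what it serves.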
Re: Jail question
On 10/14/10 18:20, Matthew Law wrote:
> I have a single box on which I would like to run openvpn, smtp (postfix,
> dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also
> acts as a network gateway so it would give an attacker carte blanche to the
> internal nets if it was compromised, which makes me nervous.
>
> The plan is to run openvpn as the only unjailed service and the rest of the
> services in a single jail or their own jails. I have never touched jails
> before and I'm a bit unsure of the best way to go. I realise that I can
> jail a service or a copy of the whole system (service would be preferable
> for space efficiency) but I am unclear on how to deal with IP addresses in
> jailed environments and if I should create individual jails or a single
> jail for all services.
>
> At the moment I am leaning toward a single system jail for everything so I
> can keep the space in which openvpn runs as uncluttered as possible and
> also have a single postgres instance shared by the other services.
> Basically, if any of the public services in the jail are compromised I
> would like to make it very hard for the attacker to see the internal
> network.

Since jails can do many things there are many helper utilities that can do
much to simplify the process. If you can hack python, you can, for example,
modify my script at http://ivoras.sharanet.org/stuff/mkjails.py which I've
used to create a thousand very light-weight jails which are started and
managed using only standard FreeBSD tools. In any case, read the rc.conf(5)
man page for the jail_* settings.

> If I use this scheme must I use separate public IPs for openvpn and the
> services jail or is it possible to use a single IP or some NAT/PAT scheme?
> -this box currently has 4 x NICs split into 2x lagg interfaces in failover
> mode (one public, one private), if that makes any difference

This is the more complex question; I think that everything which needs direct
access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be run on the host
system. TCP services will work inside jails without problems, but with jails
it's almost the same as if they were on another system. If you do use NAT you
will have to configure it on the host. Instead, you can also use TCP proxies
(like bsdproxy).

It's up to you how much complexity you want in your system, but for
simplicity I would set up a single outward-facing IP address and then proxy
TCP services where I need them.
Re: Jail question
On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net wrote:
> On Fri, 15 Oct 2010 08:35:39 -0400
> Fbsd8 fb...@a1poweruser.com articulated:
>
>> Check out qjail. It has been submitted for addition to the ports
>> collection, but the ports dept is very slow in performing their task of
>> adding new ports to the system. So in the mean time you can get qjail
>> from here. http://sourceforge.net/projects/qjail/files/
>
> I have submitted new ports in the past and they were usually accepted and
> posted within a short period of time; usually 2 weeks or so. Perhaps there
> is a specific reason why this port has not been accepted/released into the
> ports system. Have you, or whoever submitted the port, requested
> clarification as to why it has not been accepted/released? Before issuing
> a blanket condemnation of the ports department it would seem like the
> logical course of action. If you don't receive a satisfactory reply within
> two weeks, then it might be worth escalating the matter. Just my 2¢.

I'm pretty sure I've seen this conversation between the same people before.
Ah, yes:
http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html

Noting that Aiza = FBSD8...
Re: Jail question
On Fri, 15 Oct 2010 13:38:17 -0400
bdsf...@att.net bdsf...@att.net articulated:

> On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net wrote:
>> On Fri, 15 Oct 2010 08:35:39 -0400
>> Fbsd8 fb...@a1poweruser.com articulated:
>>
>>> Check out qjail. It has been submitted for addition to the ports
>>> collection, but the ports dept is very slow in performing their task of
>>> adding new ports to the system. So in the mean time you can get qjail
>>> from here. http://sourceforge.net/projects/qjail/files/
>>
>> I have submitted new ports in the past and they were usually accepted and
>> posted within a short period of time; usually 2 weeks or so. Perhaps
>> there is a specific reason why this port has not been accepted/released
>> into the ports system. Have you, or whoever submitted the port, requested
>> clarification as to why it has not been accepted/released? Before issuing
>> a blanket condemnation of the ports department it would seem like the
>> logical course of action. If you don't receive a satisfactory reply
>> within two weeks, then it might be worth escalating the matter. Just my
>> 2¢.
>
> I'm pretty sure I've seen this conversation between the same people
> before. Ah, yes:
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html
>
> Noting that Aiza = FBSD8...

That PR would be: http://www.freebsd.org/cgi/query-pr.cgi?pr=148777,
originally submitted on Tue, 20 Jul 2010 02:47:18 GMT by Joe Barbish
j...@a1poweruser.com

There was a posting to it on October 15, 2010 sans reply. One would be led to
believe that there is a specific reason that it is stuck in the queue.
Perhaps m...@freebsd.org would care to respond.
--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: Jail question
On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:
> Since jails can do many things there are many helper utilities that can do
> much to simplify the process. If you can hack python, you can, for
> example, modify my script at http://ivoras.sharanet.org/stuff/mkjails.py
> which I've used to create a thousand very light-weight jails which are
> started and managed using only standard FreeBSD tools. In any case, read
> the rc.conf(5) man page for the jail_* settings.

[snip]

> This is the more complex question; I think that everything which needs
> direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be run
> on the host system. TCP services will work inside jails without problems,
> but with jails it's almost the same as if they were on another system. If
> you do use NAT you will have to configure it on the host. Instead, you can
> also use TCP proxies (like bsdproxy).
>
> It's up to you how much complexity you want in your system, but for
> simplicity I would set up a single outward-facing IP address and then
> proxy TCP services where I need them.

Thanks for the helpful replies. I am experimenting with some ideas on a VM
now. It certainly does seem more logical to have the firewall, VPN and NAT
rules in the base system and everything else jailed.

I can just about get by with Python and your script looks like it could be of
use - thanks for sharing it.

Matt.
Re: Jail question
In freebsd-questions Digest, Vol 333, Issue 2, Message: 1

On Fri, 15 Oct 2010 13:38:17 -0400 bdsf...@att.net wrote:

> On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net wrote:
>
> > On Fri, 15 Oct 2010 08:35:39 -0400 Fbsd8 fb...@a1poweruser.com articulated:
> >
> > > Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the meantime you can get qjail from here.
> > > http://sourceforge.net/projects/qjail/files/
> >
> > [...]
>
> I'm pretty sure I've seen this conversation between the same people before. Ah, yes:
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html
>
> Noting that Aiza = FBSD8...

Also posting at various times as {fbsd1,fbsd_user,jo...@a1poweruser.com = Joe Barbish, reputed author of qjail. Never admits to using aliases, especially when appearing as 'someone else' in support of his position.

The thing that amazes me most about qjail is that there has never been one single mention of it in freebsd-j...@freebsd.org, where jail kernel work, utilities and usage are developed, debugged and discussed.

cheers, Ian
Re: Jail question
Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
>
> The plan is to run openvpn as the only unjailed service and the rest of the services in a single jail or their own jails. I have never touched jails before and I'm a bit unsure of the best way to go. I realise that I can jail a service or a copy of the whole system (service would be preferable for space efficiency) but I am unclear on how to deal with IP addresses in jailed environments and if I should create individual jails or a single jail for all services.
>
> At the moment I am leaning toward a single system jail for everything so I can keep the space in which openvpn runs as uncluttered as possible and also have a single postgres instance shared by the other services. Basically, if any of the public services in the jail are compromised I would like to make it very hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme?
>
> - this box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.

Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the meantime you can get qjail from here.

http://sourceforge.net/projects/qjail/files/
Re: Jail question
On Fri, 15 Oct 2010 08:35:39 -0400 Fbsd8 fb...@a1poweruser.com articulated:

> Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the meantime you can get qjail from here.
> http://sourceforge.net/projects/qjail/files/

I have submitted new ports in the past and they were usually accepted and posted within a short period of time; usually 2 weeks or so. Perhaps there is a specific reason why this port has not been accepted/released into the ports system. Have you, or whoever submitted the port, requested clarification as to why it has not been accepted/released? Before issuing a blanket condemnation of the ports department it would seem like the logical course of action. If you don't receive a satisfactory reply within two weeks, then it might be worth escalating the matter. Just my 2¢.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Jail question
I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.

The plan is to run openvpn as the only unjailed service and the rest of the services in a single jail or their own jails. I have never touched jails before and I'm a bit unsure of the best way to go. I realise that I can jail a service or a copy of the whole system (service would be preferable for space efficiency) but I am unclear on how to deal with IP addresses in jailed environments and if I should create individual jails or a single jail for all services.

At the moment I am leaning toward a single system jail for everything so I can keep the space in which openvpn runs as uncluttered as possible and also have a single postgres instance shared by the other services. Basically, if any of the public services in the jail are compromised I would like to make it very hard for the attacker to see the internal network.

If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme?

- this box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference

Sorry for the rambling question and I hope this makes sense!

Matt.
Re: Jail question
On Thu, 14 Oct 2010, Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
>
> [...]
>
> If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme?
>
> - this box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.

Starting with FreeBSD 8 jails may have multiple IPs and can use sockets. AFAIK this makes a jail pretty much like a separate physical system in a functional sense. Between man jail and the handbook there is a clear explanation of the management and setup procedures. Hopefully those with a better understanding of the internals will weigh in with the liabilities for what you want to do.
Re: Jail question
On 14 October 2010 19:19, doug d...@fledge.watson.org wrote:

> On Thu, 14 Oct 2010, Matthew Law wrote:
>
> > I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot) apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
> >
> > [...]
> >
> > Matt.
>
> Starting with FreeBSD 8 jails may have multiple IPs and can use sockets. AFAIK this makes a jail pretty much like a separate physical system in a functional sense. Between man jail and the handbook there is a clear explanation of the management and setup procedures. Hopefully those with a better understanding of the internals will weigh in with the liabilities for what you want to do.

So however you decide to do it, have a look at qjail, as it's a good management tool, especially if you have multiple jails.
Re: dovecot/jail question
I have:

(Samba+LDAP = PDC + Dovecot+Postfix) ---JailA
(amavisd-new+spamassassin+clamd --spam gateway) ---JailB

FreeBSD 8.0 Release.

My src.conf for my jails:

WITHOUT_AMD=yes
WITHOUT_APM=yes
WITHOUT_ASSERT_DEBUG=yes
WITHOUT_ATM=yes
WITHOUT_AUTHPF=yes
WITHOUT_BIND=yes
WITHOUT_BLUETOOTH=yes
WITHOUT_BOOT=yes
WITHOUT_CALENDAR=yes
WITHOUT_CDDL=yes
WITHOUT_CTM=yes
WITHOUT_CVS=yes
WITHOUT_DICT=yes
WITHOUT_EXAMPLES=yes
WITHOUT_FLOPPY=yes
WITHOUT_FREEBSD_UPDATE=yes
WITHOUT_GAMES=yes
WITHOUT_GPIB=yes
WITHOUT_HTML=yes
WITHOUT_INET6=yes
WITHOUT_IPFILTER=yes
WITHOUT_IPFW=yes
WITHOUT_IPX=yes
WITHOUT_JAIL=yes
WITHOUT_KVM=yes
WITHOUT_LPR=yes
WITHOUT_MAIL=yes
WITHOUT_MAN=yes
WITHOUT_NCP=yes
WITHOUT_NDIS=yes
WITHOUT_NTP=yes
WITHOUT_PF=yes
WITHOUT_PMC=yes
WITHOUT_PPP=yes
WITHOUT_PROFILE=yes
WITHOUT_QUOTAS=yes
WITHOUT_RCMDS=yes
WITHOUT_RCS=yes
WITHOUT_SHAREDOCS=yes
WITHOUT_TELNET=yes
WITHOUT_USB=yes
WITHOUT_WIRELESS=yes
WITHOUT_WPA_SUPPLICANT_EAPOL=yes

Running without an issue.

Greetings!!!

On Wed, Jan 20, 2010 at 1:34 PM, Michael Grimm trash...@odo.in-berlin.de wrote:

> Sam Fourman Jr. sfour...@gmail.com wrote:
>
> > On Tue, Jan 19, 2010 at 4:18 PM, Jim stapleton...@gmail.com wrote:
> >
> > > First, Thanks all for the help with my previous sendmail question. I rebuilt the jail without postfix and that at least seems happy.
> >
> > So does this mean that you can NOT run postfix in a FreeBSD 8 Jail? I didn't know this, I just assumed postfix in a Jail would work. If possible could someone confirm this?
>
> I can confirm that Postfix, Dovecot, and Squirrelmail do run in jails, and I do assume that almost every mailing system will do as well.
>
> Regards,
> Michael
>
> -- to let
Re: dovecot/jail question
Sam Fourman Jr. sfour...@gmail.com wrote:

> On Tue, Jan 19, 2010 at 4:18 PM, Jim stapleton...@gmail.com wrote:
>
> > First, Thanks all for the help with my previous sendmail question. I rebuilt the jail without postfix and that at least seems happy.
>
> So does this mean that you can NOT run postfix in a FreeBSD 8 Jail? I didn't know this, I just assumed postfix in a Jail would work. If possible could someone confirm this?

I can confirm that Postfix, Dovecot, and Squirrelmail do run in jails, and I do assume that almost every mailing system will do as well.

Regards,
Michael

-- to let
pf + jail question.
Hi all,

Maybe this question is better to post on -pf or -jail but I really don't know where the problem is, so I post here first.

I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway using pf (with ftp-proxy enabled) in my home network configured as follows:

LAN: 10.7.13.0/24 (+ tap0 10.7.14.0/24 for VPN)
WAN: IP obtained from ISP.
gateway: 10.7.13.254

When I played with jail, I found that pf didn't block the traffic that it should. For example, I have the following line in pf.conf:

block quick proto tcp from any to any port 21

Then in the host (gateway):

[host] ~ ftp ftp.mozilla.org
ftp: connect: Operation not permitted

In the jail:

[jail1] ~ ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
...(welcome message)

Other client on the LAN (Windows):

C:\Users\test-user>ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
Connection closed by remote host.

The ftp-proxy log when the Windows client is connecting:

#5 accepted connection from 10.7.13.1
#5 proxy cannot connect to server 63.245.208.138: Operation not permitted
#5 ending session

My jail's IP is 10.7.13.99, which is within the subnet of the LAN. Does anyone know where the problem is? It seems that the traffic from the jail bypasses the pf filtering rules?

The following is part of my pf.conf:
===
ext_if="wan0"
int_if={ lan0 }
self="10.7.13.254"
internal_net={ 10.7.13.0/24, 10.7.14.0/24 }

scrub in

nat pass on $ext_if from $internal_net to any -> ($ext_if) static-port

# handling FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> \
    127.0.0.1 port 8021
anchor "ftp-proxy/*"

block quick proto tcp from any to any port 21

Thanks,
C.C.
dovecot/jail question
First, Thanks all for the help with my previous sendmail question. I rebuilt the jail without postfix and that at least seems happy.

The main question; has anyone built/run dovecot in a jail? It runs fine on the host system, but if I put it in a jail, I get issues with the !import_try command. I'm going to try some things to fix it, and it could have been something I've done in my setup. I want to see if this is a jail-specific issue.

Thanks,
Re: dovecot/jail question
On Tue, Jan 19, 2010 at 4:18 PM, Jim stapleton...@gmail.com wrote:

> First, Thanks all for the help with my previous sendmail question. I rebuilt the jail without postfix and that at least seems happy.

So does this mean that you can NOT run postfix in a FreeBSD 8 Jail? I didn't know this, I just assumed postfix in a Jail would work. If possible could someone confirm this?

Sam Fourman Jr.
Re: dovecot/jail question
On Tue, Jan 19, 2010 at 10:41 PM, Sam Fourman Jr. sfour...@gmail.com wrote:

> On Tue, Jan 19, 2010 at 4:18 PM, Jim stapleton...@gmail.com wrote:
>
> > First, Thanks all for the help with my previous sendmail question. I rebuilt the jail without postfix and that at least seems happy.
>
> So does this mean that you can NOT run postfix in a FreeBSD 8 Jail? I didn't know this, I just assumed postfix in a Jail would work. If possible could someone confirm this?
>
> Sam Fourman Jr.

No, it means I don't know how to configure postfix, and didn't realize installing the postfix port also set it up to replace sendmail without any further intervention. Since I was already familiar with sendmail, I didn't want to bother figuring out postfix.
Jail question
Ladies and Gentlemen,

I want to check the understanding of jails. My understanding is a jail uses the existing kernel configuration and cannot use its own kernel configuration. Is this correct?

Thanks,
Jay
Re: Jail question
> I want to check the understanding of jails. My understanding is a jail uses the existing kernel configuration and cannot use its own kernel configuration. Is this correct?

Yes. The jail is being executed by the same kernel as the host system. The jail just has restricted access to certain system calls, which creates the sandbox.

-- 
/ Peter Schuller

PGP userID: 0xE9758B7D or 'Peter Schuller [EMAIL PROTECTED]'
Key retrieval: Send an E-Mail to [EMAIL PROTECTED]
E-Mail: [EMAIL PROTECTED] Web: http://www.scode.org
jail question
hi

I'm running fbsd 6.2 and I would like to do my first jail setup, but I have this error when I start the jail (jail0):

srv1# /etc/rc.d/jail start
Configuring jails:.
Starting jails:ifconfig: interface alias does not exist
 jail0.
srv1#

What am I doing wrong?

Thanks in advance.

roberto

This is my /etc/rc.conf

# -- sysinstall generated deltas -- # Mon Apr 23 09:32:04 2007
# Created: Mon Apr 23 09:32:04 2007
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.0.2"
hostname="srv1.gualeguaychu.gov.ar"
ifconfig_sk0="inet 192.168.0.1 netmask 255.255.0.0"
keymap="spanish.iso.acc"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
# -- sysinstall generated deltas -- # Mon Apr 23 12:52:02 2007
moused_port="/dev/cuad0"
moused_type="auto"
moused_enable="YES"

## jails
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.0.1"
rpcbind_enable="NO"
jail_enable="YES"                           # Set to NO to disable starting of any jails
jail_list="jail0"                           # Space separated list of names of jails
jail_jail0_rootdir="/usr/home/jails/jail0"  # jail's root directory
jail_jail0_hostname="jail0"                 # jail's hostname
jail_jail0_ip="192.168.0.3"                 # jail's IP address
#jail_jail0_devfs_enable="YES"              # mount devfs in the jail
#jail_jail0_devfs_ruleset="www_ruleset"     # devfs ruleset to apply to jail

-- 
Ing. Roberto Pereyra
ContenidosOnline
http://www.contenidosonline.com.ar
Re: jail question
On Thu, 26 Apr 2007, Roberto Pereyra wrote:

> hi
>
> I'm running fbsd 6.2 and I would like to do my first jail setup, but I have this error when I start the jail (jail0):
>
> srv1# /etc/rc.d/jail start
> Configuring jails:.
> Starting jails:ifconfig: interface alias does not exist
>  jail0.
> srv1#
>
> What am I doing wrong?
>
> Thanks in advance.
>
> roberto
>
> This is my /etc/rc.conf
>
> [...]
> ifconfig_sk0="inet 192.168.0.1 netmask 255.255.0.0"
> [...]
> jail_enable="YES"                           # Set to NO to disable starting of any jails
> jail_list="jail0"                           # Space separated list of names of jails
> jail_jail0_rootdir="/usr/home/jails/jail0"  # jail's root directory
> jail_jail0_hostname="jail0"                 # jail's hostname
> jail_jail0_ip="192.168.0.3"                 # jail's IP address
> #jail_jail0_devfs_enable="YES"              # mount devfs in the jail
> #jail_jail0_devfs_ruleset="www_ruleset"     # devfs ruleset to apply to jail

You do not have your jail IP set up as an alias on your network interface. You need to add

ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.0.0"

after your primary interface

ifconfig_sk0="inet 192.168.0.1 netmask 255.255.0.0"

in the /etc/rc.conf. Then do an

ifconfig sk0 inet 192.168.0.3 netmask 255.255.0.0 alias

to make it live without having to reboot.
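The failure Roberto hit is easy to catch before the jail rc script runs: every jail_<name>_ip in rc.conf has to already be an address on some host interface. The following POSIX sh check is an added example, not from this thread and not a FreeBSD tool; it parses rc.conf text and ifconfig(8) output as plain text, so it works on saved copies as well as on a live host. The rc.conf fragment and the ifconfig output embedded in it are constructed (the hypothetical jail1 uses the FreeBSD 8 rc.conf(5) list form "iface|addr/prefix,addr", which the parser also handles).

```shell
#!/bin/sh
# Added example, not from the thread and not a FreeBSD tool: before running
# "/etc/rc.d/jail start", cross-check every jail_<name>_ip entry in rc.conf
# against the addresses actually configured on the host, so the
# "ifconfig: interface alias does not exist" failure is caught up front.
# Both inputs are text, so it also works on saved copies. On a live host:
#   check_jail_ips "$(cat /etc/rc.conf)" "$(ifconfig)"

# Constructed rc.conf fragment modelled on the one in the thread: jail0's IP
# has no alias (the reported problem); the hypothetical jail1 uses the
# FreeBSD 8 list form "iface|addr/prefix,addr" and both of its addresses exist.
SAMPLE_RC_CONF='ifconfig_sk0="inet 192.168.0.1 netmask 255.255.0.0"
ifconfig_sk0_alias0="inet 192.168.0.4 netmask 255.255.255.255"
jail_enable="YES"
jail_list="jail0 jail1"
jail_jail0_rootdir="/usr/home/jails/jail0"
jail_jail0_ip="192.168.0.3"          # jail IP address
jail_jail1_ip="lo0|127.0.0.2/32,192.168.0.4"'

# Constructed ifconfig(8) output for the same host.
SAMPLE_IFCONFIG='sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffff0000 broadcast 192.168.255.255
        inet 192.168.0.4 netmask 0xffffffff broadcast 192.168.0.4
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff'

# Print "<jail> <ip>" for every address in every jail_<name>_ip line of $1.
# Handles trailing comments, quotes, comma lists, "iface|" prefixes and
# "/prefixlen" suffixes (rc.conf(5) syntax as of FreeBSD 8).
jail_ips() {
    printf '%s\n' "$1" | awk '
        /^jail_[A-Za-z0-9_]+_ip=/ {
            name = $0; sub(/=.*$/, "", name)
            sub(/^jail_/, "", name); sub(/_ip$/, "", name)
            val = $0; sub(/^[^=]*=/, "", val)
            sub(/[ \t]*#.*$/, "", val); gsub(/"/, "", val)
            n = split(val, addrs, ",")
            for (i = 1; i <= n; i++) {
                a = addrs[i]
                sub(/^[^|]*\|/, "", a)
                sub(/\/.*$/, "", a)
                gsub(/[ \t]/, "", a)
                if (a != "") print name, a
            }
        }'
}

# Print every IPv4 address present in ifconfig output $1, one per line.
configured_ips() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# One line per jail address: "ok <jail> <ip>" or "MISSING <jail> <ip>".
report_jail_ips() {
    have="$(configured_ips "$2")"
    jail_ips "$1" | while read -r name ip; do
        if printf '%s\n' "$have" | grep -qxF "$ip"; then
            printf 'ok      %s %s\n' "$name" "$ip"
        else
            printf 'MISSING %s %s\n' "$name" "$ip"
        fi
    done
}

# Print the report; succeed only if every jail address is configured.
check_jail_ips() {
    report="$(report_jail_ips "$1" "$2")"
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISSING'
}

# Stand-alone demo on the constructed data (jail0 is reported as MISSING).
check_jail_ips "$SAMPLE_RC_CONF" "$SAMPLE_IFCONFIG" ||
    echo "fix the MISSING entries (ifconfig_<if>_alias<n> in rc.conf) before starting jails"
```

Run against the constructed data it reports jail0's 192.168.0.3 as MISSING and both of jail1's addresses as ok; after the alias line from the reply above (or Karol's /32 variant further down) is added and applied, the same check passes and the jail rc script no longer fails on ifconfig.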
Re: jail question
Roberto Pereyra wrote:

> hi
>
> I'm running fbsd 6.2 and I would like to do my first jail setup, but I have this error when I start the jail (jail0):
>
> srv1# /etc/rc.d/jail start
> Configuring jails:.
> Starting jails:ifconfig: interface alias does not exist
>  jail0.
> srv1#
>
> What am I doing wrong?

[snip]

> This is my /etc/rc.conf
> [...]
> ifconfig_sk0="inet 192.168.0.1 netmask 255.255.0.0"
> [...]
> jail_jail0_ip="192.168.0.3"                 # jail's IP address

Is 192.168.0.3 assigned to any interface? Have a look at ifconfig(8) output. You can add an alias with ifconfig and/or put something similar to /etc/rc.conf (assuming sk0 interface):

% ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.255.255"

HTH,

Karol

-- 
Karol Kwiatkowski   karol.kwiat at gmail dot com
OpenPGP 0x06E09309
Re: jail question
Thanks to all!!!

roberto

2007/4/26, Karol Kwiatkowski [EMAIL PROTECTED]:

> Roberto Pereyra wrote:
>
> > [...]
> >
> > What am I doing wrong?
>
> [snip]
>
> Is 192.168.0.3 assigned to any interface? Have a look at ifconfig(8) output. You can add an alias with ifconfig and/or put something similar to /etc/rc.conf (assuming sk0 interface):
>
> % ifconfig_sk0_alias0="inet 192.168.0.3 netmask 255.255.255.255"
>
> HTH,
>
> Karol

-- 
Ing. Roberto Pereyra
ContenidosOnline
http://www.contenidosonline.com.ar
another jail question
is there a way to configure a jail to use more than one ip address? in the same sense of configuring an alias ip for any other freebsd host?

thanks,
jonathan
Re: another jail question
Jonathan Horne wrote:

> is there a way to configure a jail to use more than one ip address? in the same sense of configuring an alias ip for any other freebsd host?

jail(8) only allows you one IP -- there are some patches around which will let you create jails with more IPs, and even better there's a clonable network stack under development -- meaning each jail can have its own firewall instance etc. etc. However none of that is really ready for prime time usage just yet. In fact, that's all rather experimental at the moment and suitable only for gurus to play with.

There is an alternative. You can achieve something like what you want with a bit of firewall trickery. Add an alias IP to the loopback interface -- say 127.0.0.2:

# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff

Now create a jail using that IP. Something like this in /etc/rc.conf is what you'll need, plus following the instructions in jail(8) to create the filesystems in the jail:

jail_enable="YES"
jail_list="j1"
jail_j1_hostname="j1.example.com"
jail_j1_interface="lo0"
jail_j1_mount_enable="YES"
jail_j1_fstab="/etc/fstab.jail.j1"
jail_j1_ip="127.0.0.2"
jail_j1_rootdir="/jail/j1.example.com"

Fire up whatever services you want inside your jail -- within it, you'll have to configure everything to bind to the jail IP 127.0.0.2 specifically, but that's just the way things are in jails even without this redirection trick.

Now, configure the IPs on interfaces you want the outside world to see as belonging to your jail -- for illustrative purposes I'll choose 12.34.56.78 and 12.34.56.79 as example addresses to use for the jail. Then use firewall NAT functionality to redirect traffic into the jail.

If you use pf (definitely recommended) then a snippet like the following should be useful in /etc/pf.conf:

jail_int="127.0.0.2"
jail_ext0="12.34.56.78"
jail_ext1="12.34.56.79"

# Outward connections from within the jail
nat on $ext_if proto { tcp udp } \
    from $jail_int \
    to !$jail_int -> $jail_ext0 static-port

# Incoming connections to the jail
rdr on $ext_if proto tcp \
    from any \
    to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int

If you want to run multiple HTTPS v-hosts from within the jail you'll have to configure them to all run on distinct port numbers within apache, and use something like this to generate the mapping:

rdr on $ext_if proto tcp \
    from any \
    to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp \
    from any \
    to $jail_ext1 port 443 -> $jail_int port 9443

This approach works pretty well for many protocols, but it does have the basic limitation that you can tell a priori from within the jail which external address the traffic went to. Either you've got to determine the answer by looking at the traffic payload (eg. HTTP has a header saying which v-host the request is for) or apply the sort of port remapping shown above.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
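Matthew's snippet shows only the translation rules: it leaves $ext_if undefined and carries no pass rules, and pf's nat/rdr only rewrite addresses, so without a pass rule the redirected packets are still dropped by a default-deny policy. The ruleset below is an added example, not Matthew Seaman's own configuration, that assembles his loopback-alias trick into a complete /etc/pf.conf. It assumes (none of this is in the thread) that the external interface is em0, that the host's own address is 12.34.56.77, that the host accepts only SSH itself, and that the jail needs outbound SMTP, DNS and HTTP(S); the two example jail addresses and the 8443/9443 remapping are taken from the post.

```pf
# Added example, not Matthew Seaman's own ruleset: his loopback-alias + NAT
# trick assembled into a complete /etc/pf.conf. Assumed (not in the thread):
# the external interface is em0 and the host's own address is 12.34.56.77.
ext_if    = "em0"
host_ip   = "12.34.56.77"
jail_int  = "127.0.0.2"
jail_ext0 = "12.34.56.78"
jail_ext1 = "12.34.56.79"
jail_tcp  = "{ 25 80 }"

scrub in all

# Outward connections from the jail leave as $jail_ext0 (from the post)
nat on $ext_if proto { tcp udp } from $jail_int to !$jail_int -> $jail_ext0 static-port

# Published services on both external addresses land on the jail (from the post)
rdr on $ext_if proto tcp from any to { $jail_ext0 $jail_ext1 } port $jail_tcp -> $jail_int

# One HTTPS v-host per external address, remapped to distinct jail ports (from the post)
rdr on $ext_if proto tcp from any to $jail_ext0 port 443 -> $jail_int port 8443
rdr on $ext_if proto tcp from any to $jail_ext1 port 443 -> $jail_int port 9443

# Default deny. rdr only rewrites the destination; a pass rule must still
# admit the packet, and the filter sees the translated address.
block log all

# Admin access to the host itself (assumption: SSH only)
pass in on $ext_if proto tcp from any to $host_ip port 22 flags S/SA keep state
pass out on $ext_if from $host_ip to any keep state

# Redirected connections to the jail, i.e. only the published ports
pass in on $ext_if proto tcp from any to $jail_int port { 25 80 8443 9443 } flags S/SA keep state

# What the jail may initiate (assumption: mail delivery, DNS and web fetches);
# after nat the source seen here is $jail_ext0, not 127.0.0.2
pass out on $ext_if proto tcp from $jail_ext0 to any port { 25 53 80 443 } flags S/SA keep state
pass out on $ext_if proto udp from $jail_ext0 to any port 53 keep state
```

The point of the explicit pass rules is that the jail's reachable surface is exactly the rdr'd port list and nothing else on 127.0.0.2, and the jail's outbound traffic is constrained to the listed destinations; a service inside the jail binding an extra port is not reachable from outside unless a rule is added here. Load with `pfctl -nf /etc/pf.conf` first to syntax-check before `pfctl -f`.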
RE: another jail question
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED]] On Behalf Of Matthew Seaman
Sent: Saturday, March 24, 2007 1:38 PM
To: Jonathan Horne
Cc: freebsd-questions@freebsd.org
Subject: Re: another jail question

> Jonathan Horne wrote:
> > is there a way to configure a jail to use more than one ip address? in the same sense of configuring an alias ip for any other freebsd host?
>
> jail(8) only allows you one IP -- there are some patches around which will let you create jails with more IPs, and even better there's a clonable network stack under development -- meaning each jail can have its own firewall instance etc. etc. However none of that is really ready for prime time usage just yet. In fact, that's all rather experimental at the moment and suitable only for gurus to play with.
>
> There is an alternative. You can achieve something like what you want with a bit of firewall trickery. Add an alias IP to the loopback interface -- say 127.0.0.2:
>
>     # ifconfig lo0
>     lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>             inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>             inet6 ::1 prefixlen 128
>             inet 127.0.0.1 netmask 0xff00
>             inet 127.0.0.2 netmask 0x
>
> Now create a jail using that IP. Something like this in /etc/rc.conf is what you'll need, plus following the instructions in jail(8) to create the filesystems in the jail:
>
>     jail_enable=YES
>     jail_list=j1
>     jail_j1_hostname=j1.example.com
>     jail_j1_interface=lo0
>     jail_j1_mount_enable=YES
>     jail_j1_fstab=/etc/fstab.jail.j1
>     jail_j1_ip=127.0.0.2
>     jail_j1_rootdir=/jail/j1.example.com
>
> Fire up whatever services you want inside your jail -- within it, you'll have to configure everything to bind to the jail IP 127.0.0.2 specifically, but that's just the way things are in jails even without this redirection trick.
>
> Now, configure the IPs on interfaces you want the outside world to see as belonging to your jail -- for illustrative purposes I'll choose 12.34.56.78 and 12.34.56.79 as example addresses to use for the jail.
>
> Then use firewall NAT functionality to redirect traffic into the jail. If you use pf (definitely recommended) then a snippet like the following should be useful in /etc/pf.conf:
>
>     jail_int=127.0.0.2
>     jail_ext0=12.34.56.78
>     jail_ext1=12.34.56.79
>
>     # Outward connections from within the jail
>     nat on $ext_if proto { tcp udp } \
>         from $jail_int \
>         to !$jail_int -> $jail_ext0 static-port
>
>     # Incoming connections to the jail
>     rdr on $ext_if proto tcp \
>         from any \
>         to { $jail_ext0 $jail_ext1 } port { 25 80 } -> $jail_int
>
> If you want to run multiple HTTPS v-hosts from within the jail you'll have to configure them to all run on distinct port numbers within apache, and use something like this to generate the mapping:
>
>     rdr on $ext_if proto tcp \
>         from any \
>         to $jail_ext0 port 443 -> $jail_int port 8443
>     rdr on $ext_if proto tcp \
>         from any \
>         to $jail_ext1 port 443 -> $jail_int port 9443
>
> This approach works pretty well for many protocols, but it does have the basic limitation that you can tell a priori from within the jail which external address the traffic went to. Either you've got to determine the answer by looking at the traffic payload (e.g. HTTP has a header saying which v-host the request is for) or apply the sort of port remapping shown above.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard, Flat 3
> Ramsgate, Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey

You have a very interesting workaround to the problem. I am using jails as virtual servers and was wondering about the same thing myself. I will have to try this. Thanks for the idea.

Rick Apichairuk

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
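As an added example (not from Matthew's post, and not FreeBSD project code), the following POSIX sh script generates the pf rules for the port remapping described above from a list of external addresses, so that the rdr rules and the distinct ports the jailed web server has to listen on cannot drift apart. It keeps the $ext_if and $jail_int names from the pf.conf snippet; the starting internal port 8443 and the 1000-port step between addresses are assumptions, as is the list of shared ports.

```shell
#!/bin/sh
# Generate pf rules that funnel several external addresses into one jail IP.
# Added example, not from the original thread. $ext_if and $jail_int follow
# the pf.conf snippet in the post; first port 8443 and step 1000 are assumed.

# gen_shared_rdr JAIL_INT "PORTS" EXT_ADDR...
# One rdr rule for ports that every external address forwards unchanged
# (the post's "port { 25 80 }" case). Uses pf list syntax.
gen_shared_rdr() {
    jail_int=$1; ports=$2
    shift 2
    printf 'rdr on $ext_if proto tcp from any to { %s } port { %s } -> %s\n' \
        "$*" "$ports" "$jail_int"
}

# gen_https_rdr JAIL_INT FIRST_PORT STEP EXT_ADDR...
# One rdr rule per external address: port 443 on the n-th address is mapped
# to FIRST_PORT + (n-1)*STEP on the jail IP, so each v-host keeps its own
# listener inside the jail.
gen_https_rdr() {
    jail_int=$1; port=$2; step=$3
    shift 3
    for ext in "$@"; do
        printf 'rdr on $ext_if proto tcp from any to %s port 443 -> %s port %s\n' \
            "$ext" "$jail_int" "$port"
        port=$((port + step))
    done
}

# list_jail_ports FIRST_PORT STEP COUNT
# The internal ports apache inside the jail must be configured to listen on,
# one per line, in the same order as the addresses given to gen_https_rdr.
list_jail_ports() {
    port=$1; step=$2; n=$3
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "$port"
        port=$((port + step)); i=$((i + 1))
    done
}

# Example run with the addresses used in the post:
gen_shared_rdr 127.0.0.2 "25 80" 12.34.56.78 12.34.56.79
gen_https_rdr 127.0.0.2 8443 1000 12.34.56.78 12.34.56.79
```

Redirect the output into the rdr section of /etc/pf.conf and feed `list_jail_ports` to whatever produces the Listen directives inside the jail; the outbound nat rule from the post is unchanged by this.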
Re: another jail question
> is there a way to configure a jail to use more than one ip address? in the same sense of configuring an alias ip for any other freebsd host?

IMHO not.
Re: another jail question
Wojciech Puchar wrote:
> > is there a way to configure a jail to use more than one ip address? in the same sense of configuring an alias ip for any other freebsd host?
>
> IMHO not.

Not entirely true apparently. See http://blog.cg.nu/?p=9 for details of someone who adapted PJD's patch for current to 6.1 (so presumably it's adaptable for 6.2). Not something I've tried though.

Vince
Re: another jail question
On 3/24/07, Jonathan Horne [EMAIL PROTECTED] wrote:
> is there a way to configure a jail to use more than one ip address? in the same sense of configuring an alias ip for any other freebsd host?

As others have posted, not without either doing IP address manipulation or using the patches available out there.

In terms of working around the issue, I guess it depends on what you're trying to accomplish. In a situation where I wanted a jail host to have an internal private address and an external public address, the problem was solved by assigning the private address to the jail and then using a firewall to redirect connections destined to the public address into the private address.

I'll also add my voice to the recommendations to use ezjail -- it does all the heavy lifting for you.

M
Re: jail question
On 11.02.2007 12:54, * Dino Vliet wrote:
> Hi folks,
>
> I'm installing a nice system to use as my multimedia box and already succeeded with geom-mirror. I want to use a jail to isolate the p2p applications like amule/emule and want to make sure that they only write to an encrypted disk (currently RTFM on geli and gbde).
>
> However, I was wondering what happens with a jail if I update the host system due to a security issue or something else (recompile kernel and install world). Do I need to define the jail again? If not, won't the files in the jail stay at their previous versions although the host system has been updated to a new version? Or should I just RTFM on jails and come back a few weeks from now :-)

Unfortunately there is not much to read for end-users, like us.

> Thanks in advance.

Hi,

It's never been a problem for my systems. Two machines running 19 jails. Done around a dozen system updates, and also changing release from 6.0 to 6.2 using the same method was no problem at all.

First proceed as the handbook describes for the host system. After everything completes and your system and jails are up again, rebuild your jails as follows:

    # make -j4 buildworld
    # mergemaster -p -D /jails/example
    # make installworld DESTDIR=/jails/example
    # mergemaster -D /jails/example

After that restart the jail. Done.

In my case I work with different make.conf files for jails and host system; that's the reason why I rebuild world for the jails. If not, you can just make installworld without rebuilding. If you have multiple jails, you can skip buildworld after the first one.

Hope this helps.

Greetings
Alain
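As an added example (not Alain's script, and not from the FreeBSD handbook), here is the per-jail update sequence above turned into a POSIX sh script that builds world once and then runs the mergemaster/installworld/mergemaster steps for every jail root, which is the "skip buildworld after the first one" case. The JAILS list, the DRY_RUN switch and the cd into /usr/src are assumptions; the make and mergemaster invocations are the ones from the post.

```shell
#!/bin/sh
# Update several jail roots from one buildworld, following the sequence in
# Alain's post. Added example, not from the original thread. JAILS, DRY_RUN
# and the cd into /usr/src are assumptions.
set -e

JAILS="${JAILS:-/jails/example /jails/example2}"   # assumed jail roots
DRY_RUN="${DRY_RUN:-yes}"                           # print commands instead of running them

# run CMD...: execute the command, or only echo it when DRY_RUN=yes, so the
# full sequence can be reviewed before touching a live host.
run() {
    if [ "$DRY_RUN" = yes ]; then
        echo "$*"
    else
        "$@"
    fi
}

# update_jails ROOT...: buildworld exactly once, then for each jail root
# run mergemaster -p, installworld into that root, and mergemaster.
update_jails() {
    built=no
    run cd /usr/src
    for root in "$@"; do
        if [ "$built" = no ]; then
            run make -j4 buildworld
            built=yes
        fi
        run mergemaster -p -D "$root"
        run make installworld DESTDIR="$root"
        run mergemaster -D "$root"
    done
}

update_jails $JAILS
```

Run it once with the default DRY_RUN=yes to see the exact command list, then with DRY_RUN=no on the host after the host itself has been updated as the handbook describes; restarting the jails afterwards is still a separate step.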
jail question
Hi folks,

I'm installing a nice system to use as my multimedia box and already succeeded with geom-mirror. I want to use a jail to isolate the p2p applications like amule/emule and want to make sure that they only write to an encrypted disk (currently RTFM on geli and gbde).

However, I was wondering what happens with a jail if I update the host system due to a security issue or something else (recompile kernel and install world). Do I need to define the jail again? If not, won't the files in the jail stay at their previous versions although the host system has been updated to a new version? Or should I just RTFM on jails and come back a few weeks from now :-)

Thanks in advance.
Re: jail question
Dino Vliet [EMAIL PROTECTED] wrote:
> Hi folks,
>
> I'm installing a nice system to use as my multimedia box and already succeeded with geom-mirror. I want to use a jail to isolate the p2p applications like amule/emule and want to make sure that they only write to an encrypted disk (currently RTFM on geli and gbde).
>
> However, I was wondering what happens with a jail if I update the host system due to a security issue or something else (recompile kernel and install world). Do I need to define the jail again? If not, won't the files in the jail stay at their previous versions although the host system has been updated to a new version?

Yes, that is a problem you have to deal with. Have a look at the ezjail port, which makes this a lot easier to deal with.

-Bill
jail question -- why can a user programmatically see more than one IP address inside a jail?
I have some jails. On 5.3R i386.

Some software (some C based, some java), for various reasons like licensing, looks at all the IP addresses/interfaces available in the running system. Inside the jail they return more than just the jail's IP address.

For example, FrontBase database (www.frontbase.com) sees the following inside the jail:

    Host name and IP and ethernet address information
    Name of this host       : db.shire.net
    IP address of this host : XXX.70.252.100
    IP address              : XXX.70.252.132
    IP address              : 192.168.2.2
    IP address              : 127.0.0.1
    No ethernet interfaces configured
    WARNING: The IP address, XXX.70.252.100 for this host db.shire.net is not configured on any network device.

The main address shown, XXX.70.252.100, is the jail's IP.
XXX.70.252.132 is the main address assigned to bge0 on the jail's host.
192.168.2.2 is the main address assigned to bge1 on the jail's host.
127.0.0.1 is the main address assigned to lo0 on the jail's host.

The other bunch of alias IPs assigned to bge0 do not show through.

I was wondering why the jailed processes can see these addresses though they do not show in ifconfig, for example, and you cannot do anything with them...

On a related note we have some java software that is trying to do multicast inside a jail to do the mDNS stuff for ZeroConf and it is getting confused for similar reasons, it appears (still gathering details on this).

thanks
Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
[EMAIL PROTECTED]
sendmail and jail question
Hey,

I would like to use sendmail only to send daily reports of its own host and its running jails, to an outside mail system!

    host  (192.168.0.2) with sendmail - should send mail/reports etc to [EMAIL PROTECTED]
    jail1 (192.168.0.3) with sendmail - should send mail/reports etc to [EMAIL PROTECTED]
    jail2 (192.168.0.4) with sendmail - should send mail/reports etc to [EMAIL PROTECTED]

I've modified the alias files of the host and the jails and run newaliases!

1) What lines/options do you have to add to the host's and jail's rc.conf to use it for my purpose?
2) What is the most secure way to achieve my goal? I don't want others to use it as a relay.

I've tried this setting on the host:

    sendmail_enable=NO

So, sendmail is only listening on the localhost! This is great! BUT! Setting the same setting in the jail makes sendmail listen on:

    192.168.0.3 jail1

3) This makes sendmail accessible from the outside. How do you prevent this?
4) Can a jail have its personal loopback interface?
5) How do you make sendmail listen only to a specific ip address (when using ip alias)? What flags do you have to use?
6) I'm sure other persons use this kind of configuration. How do you run sendmail (which flags) on these systems?

Thanks a lot!
Didier

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: sendmail and jail question
On Mon, Dec 30, 2002 at 12:01:38PM +0100, Didier Wiroth wrote:
> I would like to use sendmail only to send daily reports of its own host and its running jails, to an outside mail system!
>
>     host  (192.168.0.2) with sendmail - should send mail/reports etc to [EMAIL PROTECTED]
>     jail1 (192.168.0.3) with sendmail - should send mail/reports etc to [EMAIL PROTECTED]
>     jail2 (192.168.0.4) with sendmail - should send mail/reports etc to [EMAIL PROTECTED]
>
> I've modified the alias files of the host and the jails and run newaliases!
>
> 1) What lines/options do you have to add to the host's and jail's rc.conf to use it for my purpose?
> 2) What is the most secure way to achieve my goal? I don't want others to use it as a relay.
>
> I've tried this setting on the host:
>
>     sendmail_enable=NO
>
> So, sendmail is only listening on the localhost! This is great! BUT! Setting the same setting in the jail makes sendmail listen on:
>
>     192.168.0.3 jail1
>
> 3) This makes sendmail accessible from the outside. How do you prevent this?
> 4) Can a jail have its personal loopback interface?
> 5) How do you make sendmail listen only to a specific ip address (when using ip alias)? What flags do you have to use?
> 6) I'm sure other persons use this kind of configuration. How do you run sendmail (which flags) on these systems?

You don't need to have a persistent sendmail process running on a machine in order to send e-mail from there. In principle, all that is required is to feed the properly formatted new e-mail into the stdin of /usr/sbin/sendmail, which will then forward that one message as required and immediately quit.

However, in practice things are a bit more complicated. If the machine to which the message would have been delivered is off-line then the local sendmail will copy the message into the mail queue (/var/spool/mqueue) to be dealt with at a later time. Unless you run a sendmail process to check the queue occasionally, nothing further would ever happen to get that message delivered.

It is perfectly possible to run a sendmail process that does nothing except wake up occasionally and deal with any messages that are sitting in the queue. In particular, it won't listen on port 25 for incoming messages.

Before the split of sendmail into separate sm-msp and sm-mta processes, you could achieve these states of affairs quite simply. In the first case (no persistent sendmail process running at all, and no second try at resending messages that didn't succeed first time) all you needed was:

    sendmail_enable=NO

in /etc/rc.conf.

For the second case (running a sendmail process that would do nothing but check the outgoing mail queue occasionally), you just needed to change the sendmail flags to drop '-bd', meaning don't listen for new connections on port 25:

    sendmail_enable=YES
    sendmail_flags=-q30m

Now with the advent of the sm-msp / sm-mta split, things are a bit more complicated, and the number of sendmail_* variables in /etc/defaults/rc.conf has quadrupled as a consequence. The thing to realise is that the sm-msp (Mail Submission Protocol) process *never* needs to listen to a network socket, whereas the sm-mta (Mail Transport Agent) process *always* needs to listen to one or more network sockets. Sending e-mail by piping it into /usr/sbin/sendmail is implicitly talking to a sm-msp instance. However, the sm-msp process can't do final delivery of mail: it can only operate by feeding the message into a sm-mta process listening on a network interface. That is usually done to a sm-mta process on the same host listening on the loopback interface.

This combination of flags in /etc/rc.conf will achieve the same effect as the second case above --- a send-only sendmail setup which will check for and flush queued messages at regular intervals:

    sendmail_enable=NO
    sendmail_outbound_enable=NO
    sendmail_submit_enable=YES      # This is the default setting
    sendmail_msp_queue_enable=YES   # This is the default setting

However, it doesn't matter what the 'sendmail_outbound_enable' variable is set to, as it's ignored if 'sendmail_submit_enable' is set to YES. This gives you:

  - a sm-msp process that doesn't listen to any network sockets and does nothing except flush the /var/spool/clientmqueue mail queue every so often (passing any messages to the sm-mta process).
  - a sm-mta process that flushes the /var/spool/mqueue mail queue at regular intervals and only listens to the loopback interface (hence can't be used as a relay by arbitrary hosts on the 'net).

Now, I hear you say, that's all very well and good, but I've got a rack of servers here that never send any e-mail except for the two or three messages generated every day by the periodic scripts. Surely I don't need to run two sendmail processes all the time just for that?

No, you don't. If you have a central e-mail smart host that does all of the real sendmail-fu you can drop the sm-mta process on your other machines
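An added check, not from Matthew's reply and not part of sendmail or FreeBSD, that makes the "only listens to the loopback interface" property above verifiable from a script: it parses the output of `sockstat -4l` and reports every listening TCP socket of a given daemon that is not bound to 127.0.0.0/8, which is exactly the condition Didier saw in his jail (sendmail bound to the jail's 192.168.0.3 instead of loopback). The sockstat output below is constructed; on a real host pipe `sockstat -4l` into `check_loopback_only`.

```shell
#!/bin/sh
# Report daemon sockets that listen outside the loopback range, from
# sockstat -4l output. Added example, not from the original thread.

# sample_sockstat: constructed sockstat -4l output for a jail whose sendmail
# has been bound to the jail IP as well as to loopback.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   812   4  tcp4   127.0.0.1:25          *:*
root     sendmail   812   5  tcp4   192.168.0.3:25        *:*
root     sshd       601   3  tcp4   *:22                  *:*
smmsp    sendmail   815   3  tcp4   127.0.0.1:587         *:*
EOF
}

# exposed_listeners CMD: reads sockstat -4l output on stdin and prints the
# local address:port of every TCP socket owned by command CMD whose address
# is not in 127.0.0.0/8. A wildcard bind (*:port) counts as exposed, since it
# answers on every address the process can see.
exposed_listeners() {
    awk -v cmd="$1" '
        NR > 1 && $2 == cmd && $5 ~ /^tcp/ {
            split($6, addr, ":")
            if (addr[1] !~ /^127\./) print $6
        }'
}

# check_loopback_only CMD: exit 0 when CMD listens only on loopback,
# 1 otherwise (listing the exposed sockets on stdout).
check_loopback_only() {
    found=$(exposed_listeners "$1")
    if [ -n "$found" ]; then
        printf '%s listens outside loopback on:\n%s\n' "$1" "$found"
        return 1
    fi
    return 0
}

# On the constructed sample, sendmail is exposed on the jail IP:
sample_sockstat | check_loopback_only sendmail || true
```

Inside a jail that has no loopback address of its own, the same check shows why `sendmail_enable=NO` alone is not enough there: the sm-mta instance still has to bind to the one address the jail owns, which is the address the outside can reach.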
Jail question
Hey,

I'm a freebsd newbie. I was experimenting with jails. I've built an entire jail under /usr/local/jail/test which I'm accessing through the network using ssh. I thought that you can't grep any path or any information outside the jail, but when I use the command df, I can clearly see the disk slice, partition and path to the jail. Is this normal?

Thanks
Didier
Re: Jail question
On Wed, 4 Dec 2002, Didier Wiroth wrote:
> Hey,
>
> I'm a freebsd newbie. I was experimenting with jails. I've built an entire jail under /usr/local/jail/test which I'm accessing through the network using ssh. I thought that you can't grep any path or any information outside the jail, but when I use the command df, I can clearly see the disk slice, partition and path to the jail. Is this normal?
>
> Thanks
> Didier

This has been discussed earlier, and I even think someone filed a PR with a patch to correct it. Try to search the mail archives.

Best regards,
Paul
Re: Jail question
On Wed, Dec 04, 2002 at 02:35:11PM +0100, Paul Everlund typed:
> On Wed, 4 Dec 2002, Didier Wiroth wrote:
> > Hey,
> >
> > I'm a freebsd newbie. I was experimenting with jails. I've built an entire jail under /usr/local/jail/test which I'm accessing through the network using ssh. I thought that you can't grep any path or any information outside the jail, but when I use the command df, I can clearly see the disk slice, partition and path to the jail. Is this normal?
> >
> > Thanks
> > Didier
>
> This has been discussed earlier, and I even think someone filed a PR with a patch to correct it. Try to search the mail archives.

Not a patch, a kernel module. I just tried it today and it looks good. It's downloadable from http://garage.freebsd.pl

cheers,
Ruben

> Best regards,
> Paul
Another Jail Question
Hi,

I have been thinking about running 2 jails on my home server, one for work sensitive data, the other for personal fun stuff. However I only have 1 ip at my house [static]. Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?

Also, if I have a host machine with 2 jails in it, I know I can't run PostgreSQL in the jails; can I run it on the host environment and make the jails access it via TCP?

Server is a dual PII 300 with 512 megs of ram; this should be fine to handle 2 jails, right?

thanks.
jeff.
Re: Another Jail Question
On Wed, Dec 04, 2002 at 09:27:33AM -0500, Jeff MacDonald typed:
> Hi,
>
> I have been thinking about running 2 jails on my home server, one for work sensitive data, the other for personal fun stuff. However I only have 1 ip at my house [static]. Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?

Alternatively, you can run both jails on the same IP address. As long as each jail uses different port numbers there will be no conflicts.

> Also, if I have a host machine with 2 jails in it, I know I can't run PostgreSQL in the jails; can I run it on the host environment and make the jails access it via TCP?
>
> Server is a dual PII 300 with 512 megs of ram; this should be fine to handle 2 jails, right?
>
> thanks.
> jeff.
Re: Another Jail Question
At 2002-12-04T14:27:33Z, Jeff MacDonald [EMAIL PROTECTED] writes:
> Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?

Yep.

> Also, if I have a host machine with 2 jails in it, I know I can't run PostgreSQL in the jails; can I run it on the host environment and make the jails access it via TCP?

Yep.

> Server is a dual PII 300 with 512 megs of ram; this should be fine to handle 2 jails, right?

Yep. You should be able to do what you're asking without any trouble.

--
Kirk Strauser
In Googlis non est, ergo non est.
Re: Another Jail Question
On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> Hi,
>
> I have been thinking about running 2 jails on my home server, one for work sensitive data, the other for personal fun stuff. However I only have 1 ip at my house [static]. Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?

Yes. Or you could just run both jails on the same IP address.

> Also, if I have a host machine with 2 jails in it, I know I can't run PostgreSQL in the jails; can I run it on the host environment and make the jails access it via TCP?

You can run PostgreSQL in a jail - though you do need to turn the jail.sysvipc_allowed sysctl on first. You can also run it in the host environment and talk via TCP if you wish.

> Server is a dual PII 300 with 512 megs of ram; this should be fine to handle 2 jails, right?

That depends what you run in them :-) I don't think there's any remotely significant overhead in having a process run in a jail compared to having one run outside a jail.
Re: Another Jail Question
On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> Hi,
>
> I have been thinking about running 2 jails on my home server, one for work sensitive data, the other for personal fun stuff. However I only have 1 ip at my house [static]. Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?

Jeff, check with Chris on this, as I believe he's actually running a game server inside of one of his jails, with his machine running off of the one IP ... in fact, and I may be wrong about this, but you *should* be able to avoid the other machine altogether and use IPFW for this, as I *believe* (haven't played with it yet) IPFW has a redirect facility that might do it for you ... so you'd have to use dummynet to create a 'fake ethernet' for the 192.168.0.* address(es) for the jails to bind on ...

> Also, if I have a host machine with 2 jails in it, I know I can't run PostgreSQL in the jails; can I run it on the host environment and make the jails access it via TCP?

Actually, you *can* run PgSQL inside of the jail ... the issue is that there are security implications of doing that ... the shared memory isn't per jail, so someone in another jail could attach to the shared memory in another jail ... by default, shared memory access is disabled inside a jail, but there is a sysctl value you can set to enable it ... but, yes, you can access the server via tcp at the host level as well ...

> Server is a dual PII 300 with 512 megs of ram; this should be fine to handle 2 jails, right?

unless you start getting into high memory circumstances (ie. jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...
Re: Another Jail Question
Jeff MacDonald [EMAIL PROTECTED] writes:
> Hi,
>
> I have been thinking about running 2 jails on my home server, one for work sensitive data, the other for personal fun stuff. However I only have 1 ip at my house [static]. Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?

Yes, and you don't even need a separate box to do NAT - the jail host can do it by itself. Here's a how-to for a jailed FTP process configured like this: http://ezine.daemonnews.org/200212/ftpjail.html

--
Dan Pelleg
RE: Another Jail Question
Hi,

I run proftpd which already allows jailed processes, in a manner of speaking, that is, it chroots particular users. But I have a spare sparc laying here that is gonna do nat just fine, so I might as well use it as a dedicated firewall as well.

jeff.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Pelleg
Sent: Wednesday, December 04, 2002 11:08 AM
To: Jeff MacDonald
Cc: [EMAIL PROTECTED]
Subject: Re: Another Jail Question

> Jeff MacDonald [EMAIL PROTECTED] writes:
> > Hi,
> >
> > I have been thinking about running 2 jails on my home server, one for work sensitive data, the other for personal fun stuff. However I only have 1 ip at my house [static]. Could I take the server that will have jails on it, put it behind a natd box so it has 2 ip's [192.168.0.1 and .2] and just make the nat box forward packets to the appropriate jail based upon what port they come in on?
>
> Yes, and you don't even need a separate box to do NAT - the jail host can do it by itself. Here's a how-to for a jailed FTP process configured like this: http://ezine.daemonnews.org/200212/ftpjail.html
>
> --
> Dan Pelleg
RE: Another Jail Question
On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> > You can run PostgreSQL in a jail - though you do need to turn the jail.sysvipc_allowed sysctl on first. You can also run it in the host environment and talk via TCP if you wish.
>
> some folks have said this is a security risk, as the shared mem is not per jail

Note that the 'security risk' is more based on the trust level you have for your users ... if it's just you, or you and a few friends, you shouldn't have an issue with it ... the one issue you will have with shared memory and jails is that I *believe* that Apache2 requires shared memory to work, so if you decide to start working with that, you have to open it up anyway ...

> The machine hardly has any load on it now, but I'd effectively be going from running 1 instance of fbsd to 3.

figure on ~20 or so processes extra per instance ... about the only major difference between running a process in a jail vs outside ... if you look at /proc/*/status, you will see that the processes are 'tag'd so that ps knows which processes to list ... beyond that, from what I've been able to determine, the changes are in how a socket is bound ... for instance, normally when you run inetd, it binds to ADDR_IANY(?), whereas when you set up a server for a jail'd env, you bind inetd to a specific IP so that the other ones are more or less 'dangling' until you bind something to them ... processes inside of the jail only *see* the one IP, so binding to ADDR_IANY will only see the one IP to bind to ...

One thing to note when you are setting things up ... if you are using sendmail, make sure you set DontProbeInterfaces to True (Default is false), else you get some weird results when not all jails are up and running ...
RE: Another Jail Question
ha ! ;) it's a sparc classic, 50mhz proc, 64 ram, 2 gig scsi drive. it's got 2 nics, so it's perfect for a house natd box, and that's about it.

-----Original Message-----
From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 04, 2002 12:15 PM
To: Jeff MacDonald
Cc: [EMAIL PROTECTED]
Subject: RE: Another Jail Question

> On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> > Yeah, I think I'll go the safe route and keep away from shared memory as such; will likely run it on the host.
>
> not sure what your sparc is, but you might look at putting postgresql over there, which might allow you to create a larger cache buffer ... at the University, our firewall logs to PostgreSQL, and has a 1gig cache buffer to handle it, but it all depends on what you are doing with the database ...
RE: Another Jail Question
On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> I run qmail, cause combined with vpopmail, it kicks ass for virtual domains.

Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is just in a class all its own :) Note that CyrusIMAPd was extended several months back to do full virtual domain under a single IP hosting ... each domain has its own admin, own sieve filtering, own name space, etc ... and configuration is as simple as create new directory structure for new domain, so no config files to modify ...
RE: Another Jail Question
wow, the sieve filtering really turns me on [yuck I know]. currently with qmail/vpopmail I've not found a really great way to do filtering of things like mailing lists. TMDA does anti spam, but I want more.

does the cyrus admin have a series of commands for making new virtual domains, or is it a matter of knowing what directories to make.. etc?

jeff.

-----Original Message-----
From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 04, 2002 1:33 PM
To: Jeff MacDonald
Cc: Alex Hayward; [EMAIL PROTECTED]
Subject: RE: Another Jail Question

> On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> > I run qmail, cause combined with vpopmail, it kicks ass for virtual domains.
>
> Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is just in a class all its own :) Note that CyrusIMAPd was extended several months back to do full virtual domain under a single IP hosting ... each domain has its own admin, own sieve filtering, own name space, etc ... and configuration is as simple as create new directory structure for new domain, so no config files to modify ...
RE: Another Jail Question
> > server is a dual PII 300 with 512 megs of ram, this should be fine to handle 2 jails, right?
>
> unless you start getting into high memory circumstances (ie. jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...

Just for comparison... I'm running four jails - apache/php on all, mysql on one, and postgres on the host on a 700Mhz, 512mb ram, 2x9gb scsi drives. Top says:

    last pid: 86606;  load averages:  0.00,  0.02,  0.00    up 53+20:08:57  10:48:36
    93 processes:  1 running, 92 sleeping
    CPU states:  1.9% user,  0.0% nice,  2.6% system,  0.0% interrupt, 95.5% idle
    Mem: 203M Active, 173M Inact, 90M Wired, 27M Cache, 61M Buf, 7856K Free
    Swap: 512M Total, 756K Used, 511M Free

Hardly any traffic... it's an internal dev machine hit by about 10 people...

-philip
RE: Another Jail Question
On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> wow, the sieve filtering really turns me on [yuck I know]. currently with qmail/vpopmail I've not found a really great way to do filtering of things like mailing lists. TMDA does anti spam, but I want more.
>
> does the cyrus admin have a series of commands for making new virtual domains, or is it a matter of knowing what directories to make.. etc?

mkimap domainname

you have to get a special branch of cyrus, since the code hasn't been merged into the main tree yet:

    sun# cvs status README
    ===
    File: README            Status: Up-to-date

       Working revision:    1.10
       Repository revision: 1.10    /cvs/src/cyrus/README,v
       Sticky Tag:          cyrus-imapd-2_2 (branch: 1.10.4)
       Sticky Date:         (none)
       Sticky Options:      (none)

> jeff.
>
> -----Original Message-----
> From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, December 04, 2002 1:33 PM
> To: Jeff MacDonald
> Cc: Alex Hayward; [EMAIL PROTECTED]
> Subject: RE: Another Jail Question
>
> > On Wed, 4 Dec 2002, Jeff MacDonald wrote:
> > > I run qmail, cause combined with vpopmail, it kicks ass for virtual domains.
> >
> > Postfix with CyrusIMAPd v2.2, cause, well, Cyrus IMAPd is just in a class all its own :) Note that CyrusIMAPd was extended several months back to do full virtual domain under a single IP hosting ... each domain has its own admin, own sieve filtering, own name space, etc ... and configuration is as simple as create new directory structure for new domain, so no config files to modify ...
RE: Another Jail Question
On Wed, 4 Dec 2002, Philip Hallstrom wrote:

> > > server is a dual PII 300 with 512 megs of ram, this should be fine to handle 2 jails, right ?
> >
> > unless you start getting into high memory circumstances (ie. jakarta-tomcat is a major dog for memory), 2 wouldn't be a problem ...
>
> Just for comparison... I'm running four jails - apache/php on all, mysql on one, and postgres on the host on a 700Mhz, 512mb ram, 2x9gb scsi drives.
>
> Top says:
>
> last pid: 86606;  load averages:  0.00,  0.02,  0.00    up 53+20:08:57  10:48:36
> 93 processes:  1 running, 92 sleeping
> CPU states:  1.9% user,  0.0% nice,  2.6% system,  0.0% interrupt, 95.5% idle
> Mem: 203M Active, 173M Inact, 90M Wired, 27M Cache, 61M Buf, 7856K Free
> Swap: 512M Total, 756K Used, 511M Free
>
> Hardly any traffic... it's an internal dev machine hit by about 10 people...

101 Jails:

last pid: 13467;  load averages: 21.09, 13.50, 19.54    up 17+12:23:50  13:43:55
1576 processes: 4 running, 1572 sleeping
CPU states: 59.0% user,  0.0% nice,  9.0% system,  0.0% interrupt, 32.1% idle
Mem: 2553M Active, 649M Inact, 474M Wired, 157M Cache, 199M Buf, 9120K Free
Swap: 3072M Total, 184M Used, 2888M Free, 5% Inuse

I think I peaked that machine around 196 jails at one point, before we picked up a second server as well as before we were able to do multiple domains per VM cleaner than one jail each ... the load average is misleading, as I've seen it hit as high as 1000 and still allow me to type on the machine, in order to rectify the problem process(es) ...

God, I love FreeBSD :)
RE: Another Jail Question
Any idea when it will be merged into the main code base ? i tend to stay away from development branches..

that being said, why the hell am i running apache2.. who knows.

Jeff.

-----Original Message-----
From: Marc G. Fournier [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 04, 2002 2:43 PM
To: Jeff MacDonald
Cc: Alex Hayward; [EMAIL PROTECTED]
Subject: RE: Another Jail Question
RE: Another Jail Question
On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> Any idea when it will be merged into the main code base ? i tend to stay away from development branches..

not sure, I believe not until 2.2 is fully released ... since I'm one of the ones that pushed for it to happen, I kinda had to be one of those willing to pound it too :)

> that being said, why the hell am i running apache2.. who knows.

Actually, Apache2 has some nice features, but the PHP4 guys are having too much of a time keeping themselves in sync, we haven't fully deployed it ... she's stable, but don't expect to upgrade when they release new versions, since chances are your PHP4 will be broken for awhile :(
Re: Another Jail Question
On Wed, Dec 04, 2002 at 03:47:10PM -0400, Marc G. Fournier [EMAIL PROTECTED] wrote:

> > Hardly any traffic... it's an internal dev machine hit by about 10 people...
>
> 101 Jails:
>
> last pid: 13467;  load averages: 21.09, 13.50, 19.54    up 17+12:23:50  13:43:55
> 1576 processes: 4 running, 1572 sleeping
> CPU states: 59.0% user,  0.0% nice,  9.0% system,  0.0% interrupt, 32.1% idle
> Mem: 2553M Active, 649M Inact, 474M Wired, 157M Cache, 199M Buf, 9120K Free
> Swap: 3072M Total, 184M Used, 2888M Free, 5% Inuse
>
> I think I peaked that machine around 196 jails at one point, before we picked up a second server as well as before we were able to do multiple domains per VM cleaner than one jail each ... the load average is misleading, as I've seen it hit as high as 1000 and still allow me to type on the machine, in order to rectify the problem process(es) ...
>
> God, I love FreeBSD :)

Sounds like really good -advocacy material :-) The guys over there will happily morph it into big marketing buzz, I'm sure :)

--
Vallo Kallaste
[EMAIL PROTECTED]