Re: HOWTO monitor changes in installed packages within jails?
On 20.07.2013, at 18:34, Michael Grimm wrote: > On 20.07.2013, at 14:53, Matthew Seaman > wrote: >> On 20/07/2013 12:09, Michael Grimm wrote: > >>> I did migrate to pkgng some month ago, and ever since I am curious >>> how to monitor changes in installed packages within jails. I am >>> looking for a functionality/port that works like 490.status- >>> pkg-changes for my host. >>> >>> Question: is there any functionality within the periodic system or a >>> port that I might have missed to find? >> >> You can't just run 490.status-pkg-changes directly in your jail? > > Yes, I can ;-) > > But! I do have a lot of service jails running at my host, thus I would like > to omit modifying every jail's /etc/periodic.conf adding: > > | daily_status_pkg_changes_enable="YES"# Show package changes > | pkg_info="pkg info" # Use this program > > >> Try this patch: > > Thanks for that approach, namely adding "pkg -j jailname info" for every jail > running. Due to my amount of jails I might need to add some looping over "jls > -N" output instead of adding a lot of $daily_status_pkg_changes_flags. > > I was hoping that I could omit programming that functionality myself, but I > might need to do so. I ended up in adding: --- snip --- /usr/src/etc/periodic/daily/490.status-pkg-changes 2013-04-03 17:59:35.894705550 +0200 +++ /etc/periodic/daily/490.status-pkg-changes 2013-07-23 20:19:27.833641916 +0200 @@ -32,6 +32,24 @@ diff -U 0 $bak/pkg_info.bak2 $bak/pkg_info.bak \ | grep '^[-+][^-+]' | sort -k 1.2 fi + +# added jail(s) support +# + for jname in `jls -N | grep -v JID | awk '{print $1}'`; do + if [ -f $bak/pkg_info_${jname}.bak ]; then + mv -f $bak/pkg_info_${jname}.bak $bak/pkg_info_${jname}.bak2 + fi + jexec ${jname} ${pkg_info:-/usr/sbin/pkg_info} > $bak/pkg_info_${jname}.bak + + cmp -sz $bak/pkg_info_${jname}.bak $bak/pkg_info_${jname}.bak2 + if [ $? -eq 1 ]; then + echo "" + echo "Changes in installed packages (jail ${jname}):" + diff -U 0 $bak/pkg_info_${jname}.bak2 $bak/pkg_info_${jname}.bak \ + | grep '^[-+][^-+]' | sort -k 1.2 + fi + done + fi ;; --- snip Not perfect, really, but working at my side. Michael ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: HOWTO monitor changes in installed packages within jails?
On 20.07.2013, at 14:53, Matthew Seaman wrote: > On 20/07/2013 12:09, Michael Grimm wrote: >> I did migrate to pkgng some month ago, and ever since I am curious >> how to monitor changes in installed packages within jails. I am >> looking for a functionality/port that works like 490.status- >> pkg-changes for my host. >> >> Question: is there any functionality within the periodic system or a >> port that I might have missed to find? > > You can't just run 490.status-pkg-changes directly in your jail? Yes, I can ;-) But! I do have a lot of service jails running at my host, thus I would like to omit modifying every jail's /etc/periodic.conf adding: | daily_status_pkg_changes_enable="YES"# Show package changes | pkg_info="pkg info" # Use this program > Try this patch: Thanks for that approach, namely adding "pkg -j jailname info" for every jail running. Due to my amount of jails I might need to add some looping over "jls -N" output instead of adding a lot of $daily_status_pkg_changes_flags. I was hoping that I could omit programming that functionality myself, but I might need to do so. Thanks for your input and with kind regards, Michael ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: HOWTO monitor changes in installed packages within jails?
On 20/07/2013 12:09, Michael Grimm wrote: > I did migrate to pkgng some month ago, and ever since I am curious > how to monitor changes in installed packages within jails. I am > looking for a functionality/port that works like 490.status- > pkg-changes for my host. > > Question: is there any functionality within the periodic system or a > port that I might have missed to find? You can't just run 490.status-pkg-changes directly in your jail? Try this patch: lucid-nonsense:/tmp:% diff -u 490.status-pkg-changes{.orig,} --- 490.status-pkg-changes.orig 2013-07-20 13:43:44.306303775 +0100 +++ 490.status-pkg-changes 2013-07-20 13:44:42.055327506 +0100 @@ -10,7 +10,7 @@ case "$daily_status_pkg_changes_enable" in [Yy][Ee][Ss]) - pkgcmd=/usr/local/sbin/pkg + pkgcmd=/usr/local/sbin/pkg $daily_status_pkg_changes_flags echo echo 'Changes in installed packages:' Then add something like the following to /etc/periodic.conf: daily_status_pkg_changes_flags='-j jailname' Of course, this only lets you monitor changes in one jail at a time. You can cover more by copying the script and changing its name eg. sed -e 's/daily_status_pkg_changes/daily_status_pkg_changes2/g' \ < 490.status-pkg-changes > 490.status-pkg-changes2 Then add appropriate "daily_status_pkg_changes2_flags='-j otherjail'" settings to periodic.conf Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey JID: matt...@infracaninophile.co.uk signature.asc Description: OpenPGP digital signature
HOWTO monitor changes in installed packages within jails?
Hi -- I did migrate to pkgng some month ago, and ever since I am curious how to monitor changes in installed packages within jails. I am looking for a functionality/port that works like 490.status-pkg-changes for my host. Question: is there any functionality within the periodic system or a port that I might have missed to find? Thanks in advance and with kind regards, Michael ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: netgraph network setup for jail(8) vnet jails.
On Thu, 23 May 2013 09:42-0400, Joe wrote: > Teske, Devin wrote: > > snip... > > I rendered your output by saving it in a file ("joe.dot") and then running: > > > > dot -Tsvg -o joe.svg < joe.dot > > > > I then uploaded "joe.svg" to my website: > > > > http://druidbsd.sf.net/download/joe.svg > > > > Compare your output to any of the following: > > > > http://druidbsd.sf.net/download/warden0.jbsd.svg > > http://druidbsd.sourceforge.net/download/folsom.svg > > > > It looks like everything is connected properly. > > > > A couple thoughts off the top of my head: > > > > a. Did you enable promiscuous mode on rl0 via ngctl? (in your script > > perhaps?) > > > > b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl > > too, but I imagine ifconfig from within the jail could achieve the same > > thing) > > -- > > Devin > > Yes I enabled promiscuous mode and setautosrc 0 on rl0 via ngctl. > I can find no documentation on why this is done. Can you point me to some? > > Yes I gave the jail a unique MAC address. > > I tried to generate my own network map, but having problem. > > ngctl dot > file.dot works. > dot -Tsvg -o file.svg < file.dot > gives me "command dot not found". Please install graphics/graphviz, either from ports or from packages. > Tried ngctl dot -Tsvg -o file.svg < file.dot > and -T is illegal option. > What am I doing wrong? > > Thanks for your help > Joe -- +---++ | Vennlig hilsen, | Best regards, | | Trond Endrestøl, | Trond Endrestøl, | | IT-ansvarlig, | System administrator, | | Fagskolen Innlandet, | Gjøvik Technical College, Norway, | | tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, | | sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. | +---++___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: netgraph network setup for jail(8) vnet jails.
Teske, Devin wrote: snip... I rendered your output by saving it in a file ("joe.dot") and then running: dot -Tsvg -o joe.svg < joe.dot I then uploaded "joe.svg" to my website: http://druidbsd.sf.net/download/joe.svg Compare your output to any of the following: http://druidbsd.sf.net/download/warden0.jbsd.svg http://druidbsd.sourceforge.net/download/folsom.svg It looks like everything is connected properly. A couple thoughts off the top of my head: a. Did you enable promiscuous mode on rl0 via ngctl? (in your script perhaps?) b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl too, but I imagine ifconfig from within the jail could achieve the same thing) -- Devin Yes I enabled promiscuous mode and setautosrc 0 on rl0 via ngctl. I can find no documentation on why this is done. Can you point me to some? Yes I gave the jail a unique MAC address. I tried to generate my own network map, but having problem. ngctl dot > file.dot works. dot -Tsvg -o file.svg < file.dot gives me "command dot not found". Tried ngctl dot -Tsvg -o file.svg < file.dot and -T is illegal option. What am I doing wrong? Thanks for your help Joe ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: netgraph network setup for jail(8) vnet jails.
On May 18, 2013, at 5:51 PM, Joe wrote: Teske, Devin wrote: Sorry for top-post, but just wanted to add a quick note: The output of "ngctl dot" would be very helpful to others in debugging your setup. graph netgraph { edge [ weight = 1.0 ]; node [ shape = record, fontsize = 12 ] { "1" [ label = "{rl0:|{ether|[1]:}}" ]; "5" [ label = "{bridge0:|{bridge|[5]:}}" ]; "9" [ label = "{ngeth0:|{eiface|[9]:}}" ]; "e" [ label = "{ngctl2355:|{socket|[e]:}}" ]; }; subgraph cluster_disconnected { bgcolor = pink; "e"; }; node [ shape = octagon, fontsize = 10 ] { "1.upper" [ label = "upper" ]; "1.lower" [ label = "lower" ]; }; { edge [ weight = 2.0, style = bold ]; "1" -- "1.upper"; "1" -- "1.lower"; }; node [ shape = octagon, fontsize = 10 ] { "5.link2" [ label = "link2" ]; "5.link1" [ label = "link1" ]; "5.link0" [ label = "link0" ]; }; { edge [ weight = 2.0, style = bold ]; "5" -- "5.link2"; "5" -- "5.link1"; "5" -- "5.link0"; }; "5.link1" -- "1.upper"; "5.link0" -- "1.lower"; node [ shape = octagon, fontsize = 10 ] { "9.ether" [ label = "ether" ]; }; { edge [ weight = 2.0, style = bold ]; "9" -- "9.ether"; }; "9.ether" -- "5.link2"; }; I rendered your output by saving it in a file ("joe.dot") and then running: dot -Tsvg -o joe.svg < joe.dot I then uploaded "joe.svg" to my website: http://druidbsd.sf.net/download/joe.svg Compare your output to any of the following: http://druidbsd.sf.net/download/warden0.jbsd.svg http://druidbsd.sourceforge.net/download/folsom.svg It looks like everything is connected properly. A couple thoughts off the top of my head: a. Did you enable promiscuous mode on rl0 via ngctl? (in your script perhaps?) b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl too, but I imagine ifconfig from within the jail could achieve the same thing) -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: netgraph network setup for jail(8) vnet jails.
Teske, Devin wrote: Sorry for top-post, but just wanted to add a quick note: The output of "ngctl dot" would be very helpful to others in debugging your setup. graph netgraph { edge [ weight = 1.0 ]; node [ shape = record, fontsize = 12 ] { "1" [ label = "{rl0:|{ether|[1]:}}" ]; "5" [ label = "{bridge0:|{bridge|[5]:}}" ]; "9" [ label = "{ngeth0:|{eiface|[9]:}}" ]; "e" [ label = "{ngctl2355:|{socket|[e]:}}" ]; }; subgraph cluster_disconnected { bgcolor = pink; "e"; }; node [ shape = octagon, fontsize = 10 ] { "1.upper" [ label = "upper" ]; "1.lower" [ label = "lower" ]; }; { edge [ weight = 2.0, style = bold ]; "1" -- "1.upper"; "1" -- "1.lower"; }; node [ shape = octagon, fontsize = 10 ] { "5.link2" [ label = "link2" ]; "5.link1" [ label = "link1" ]; "5.link0" [ label = "link0" ]; }; { edge [ weight = 2.0, style = bold ]; "5" -- "5.link2"; "5" -- "5.link1"; "5" -- "5.link0"; }; "5.link1" -- "1.upper"; "5.link0" -- "1.lower"; node [ shape = octagon, fontsize = 10 ] { "9.ether" [ label = "ether" ]; }; { edge [ weight = 2.0, style = bold ]; "9" -- "9.ether"; }; "9.ether" -- "5.link2"; }; ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: netgraph network setup for jail(8) vnet jails.
Sorry for top-post, but just wanted to add a quick note: The output of "ngctl dot" would be very helpful to others in debugging your setup. -- Devin On May 18, 2013, at 8:38 AM, Joe wrote: > Hello list > > I cant get to the internet using this netgraph setup script. > I sure would appreciate giving this console log a look over for > errors. My netgraph knowledge level is not sufficient to see what is > wrong. The goal is to run this script to setup and break down a netgraph > network for a single vnet jail at a time. rl0 is the real nic interface > device name of the nic facing the internet. This box is on my lan and > the gateway box does NAT for all lan boxes. The host running this script can > ping the internet ok. > > Thank you very much for your help. > > > > > > The host's kernel has modules with vimage & ipfw compiled in. > > From the host > # /root >ifconfig > rl0: flags=8843 metric 0 mtu > options=2008 > ether 00:0c:6e:09:8b:74 > inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7 > nd6 options=29 > media: Ethernet autoselect (100baseTX ) > status: active > plip0: flags=8810 metric 0 mtu 1500 > nd6 options=29 > ipfw0: flags=8801 metric 0 mtu 65536 > nd6 options=29 > lo0: flags=8049 metric 0 mtu 16384 > options=63 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 > inet 127.0.0.1 netmask 0xff00 > nd6 options=21 > > The jails config file > # /root >cat /usr/local/etc/vnet/vdir4 > vdir4 { > host.hostname = "vdir4"; > path= "/usr/jails/vdir4"; > mount.fstab = "/usr/local/etc/fstab/vdir4"; > vnet; > persist; > } > > The netgraph script > # /root >cat /usr/local/bin/vnet.ng.test > #!/bin/sh > # snip comments for displaying here > # This script is based on this /usr/share/examples/netgraph/virtual.lan > > # Give the name of ethernet interface. > ETHER_INTF="rl0" > > # List the names of virtual nodes and their IP addresses. Use ':' > # character to separate node name from node IP address and netmask. > > #TARGET_TOPOLOGY="c1|10.0.2.20/24 c2|10.0.2.21/24 c3|10.0.2.22/24" > TARGET_TOPOLOGY="vdir4|10.0.2.20/24" > > # MAC manufacturer prefix. This can be modified according to needs. > MAC_PREFIX="00:1d:92" > > # Temporary file is important for proper execution of script. > TEMP_FILE="/var/tmp/virtual.lan.tmp" > > virtual_lan_start() { > > # Load netgraph KLD's as necessary. > > for KLD in ng_ether ng_bridge ng_eiface; do > if ! kldstat -v | grep -qw ${KLD}; then > echo -n "Loading ${KLD}.ko... " > kldload ${KLD} || exit 1 > echo "done" > fi > done > > # Reset all interfaces and jails. If temporary file can not be found > # script assumes that there is no previous configuration. > > if [ ! -e ${TEMP_FILE} ]; then > echo "No previous configuration(${TEMP_FILE}) found to clean-up." > else > echo -n "Cleaning previous configuration..." > virtual_lan_stop > echo "done" > fi > > # Create temporary file for usage. This file includes generated > # interface names and jail names. All bridges, interfaces and jails > # are written to file while created. In clean-up process written > # objects are cleaned (i.e. removed) from system. > > if [ -e ${TEMP_FILE} ]; then > touch ${TEMP_FILE} > fi > > echo -n "Verifying ethernet interface existence..." > # Verify ethernet interface exist. > if ! ngctl info ${ETHER_INTF}: >/dev/null 2>&1; then > echo "Error: interface ${ETHER_INTF} does not exist" > exit 1 > fi > > ifconfig ${ETHER_INTF} up || exit 1 > echo "done" > > # Get current number of bridge interfaces in the system. This number > # is used to create a name for new bridge. > BRIDGE_COUNT=`ngctl l | grep bridge | wc -l | sed -e "s/ //g"` > BRIDGE_NAME="bridge${BRIDGE_COUNT}" > > # Create new ng_bridge(4) node and attach it to the ethernet interface. > # Connect ng_ether:lower hook to bridge:link0 when creating bridge and > # connect ng_ether:upper hook to bridge:link1 after bridge name is set. > > echo "Creating bridge interface: ${BRIDGE_NAME}..." > ngctl mkpeer ${ETHER_INTF}: bridge lower link0 || exit 1 > ngctl name ${ETHER_INTF}:lower ${BRIDGE_NAME} || exit 1 > ngctl connect ${ETHER_INTF}: ${BRIDGE_NAME}: upper link1 || exit 1 > echo "Bridge ${BRIDGE_NAME}
netgraph network setup for jail(8) vnet jails.
Hello list I cant get to the internet using this netgraph setup script. I sure would appreciate giving this console log a look over for errors. My netgraph knowledge level is not sufficient to see what is wrong. The goal is to run this script to setup and break down a netgraph network for a single vnet jail at a time. rl0 is the real nic interface device name of the nic facing the internet. This box is on my lan and the gateway box does NAT for all lan boxes. The host running this script can ping the internet ok. Thank you very much for your help. The host's kernel has modules with vimage & ipfw compiled in. From the host # /root >ifconfig rl0: flags=8843 metric 0 mtu options=2008 ether 00:0c:6e:09:8b:74 inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7 nd6 options=29 media: Ethernet autoselect (100baseTX ) status: active plip0: flags=8810 metric 0 mtu 1500 nd6 options=29 ipfw0: flags=8801 metric 0 mtu 65536 nd6 options=29 lo0: flags=8049 metric 0 mtu 16384 options=63 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 inet 127.0.0.1 netmask 0xff00 nd6 options=21 The jails config file # /root >cat /usr/local/etc/vnet/vdir4 vdir4 { host.hostname = "vdir4"; path = "/usr/jails/vdir4"; mount.fstab = "/usr/local/etc/fstab/vdir4"; vnet; persist; } The netgraph script # /root >cat /usr/local/bin/vnet.ng.test #!/bin/sh # snip comments for displaying here # This script is based on this /usr/share/examples/netgraph/virtual.lan # Give the name of ethernet interface. ETHER_INTF="rl0" # List the names of virtual nodes and their IP addresses. Use ':' # character to separate node name from node IP address and netmask. #TARGET_TOPOLOGY="c1|10.0.2.20/24 c2|10.0.2.21/24 c3|10.0.2.22/24" TARGET_TOPOLOGY="vdir4|10.0.2.20/24" # MAC manufacturer prefix. This can be modified according to needs. MAC_PREFIX="00:1d:92" # Temporary file is important for proper execution of script. TEMP_FILE="/var/tmp/virtual.lan.tmp" virtual_lan_start() { # Load netgraph KLD's as necessary. for KLD in ng_ether ng_bridge ng_eiface; do if ! kldstat -v | grep -qw ${KLD}; then echo -n "Loading ${KLD}.ko... " kldload ${KLD} || exit 1 echo "done" fi done # Reset all interfaces and jails. If temporary file can not be found # script assumes that there is no previous configuration. if [ ! -e ${TEMP_FILE} ]; then echo "No previous configuration(${TEMP_FILE}) found to clean-up." else echo -n "Cleaning previous configuration..." virtual_lan_stop echo "done" fi # Create temporary file for usage. This file includes generated # interface names and jail names. All bridges, interfaces and jails # are written to file while created. In clean-up process written # objects are cleaned (i.e. removed) from system. if [ -e ${TEMP_FILE} ]; then touch ${TEMP_FILE} fi echo -n "Verifying ethernet interface existence..." # Verify ethernet interface exist. if ! ngctl info ${ETHER_INTF}: >/dev/null 2>&1; then echo "Error: interface ${ETHER_INTF} does not exist" exit 1 fi ifconfig ${ETHER_INTF} up || exit 1 echo "done" # Get current number of bridge interfaces in the system. This number # is used to create a name for new bridge. BRIDGE_COUNT=`ngctl l | grep bridge | wc -l | sed -e "s/ //g"` BRIDGE_NAME="bridge${BRIDGE_COUNT}" # Create new ng_bridge(4) node and attach it to the ethernet interface. # Connect ng_ether:lower hook to bridge:link0 when creating bridge and # connect ng_ether:upper hook to bridge:link1 after bridge name is set. echo "Creating bridge interface: ${BRIDGE_NAME}..." ngctl mkpeer ${ETHER_INTF}: bridge lower link0 || exit 1 ngctl name ${ETHER_INTF}:lower ${BRIDGE_NAME} || exit 1 ngctl connect ${ETHER_INTF}: ${BRIDGE_NAME}: upper link1 || exit 1 echo "Bridge ${BRIDGE_NAME} is created and ${ETHER_INTF} is connected." # In the above code block two hooks are connected to bridge interface, # therefore LINKNUM is set to 2 indicating total number of connected # hooks on the bridge interface. LINKNUM=2 # Write name of the bridge to temp file. Clean-up procedure will use # this name to shutdown bridge interface. echo "bridge ${BRIDGE_NAME}" > ${TEMP_FILE} # Attach vnet jail. for NODE in ${TARGET_TOPOLOGY}; do # Virtual nodes are defined in TARGET_TOPOLOGY variable. They # have the form of 'nodeName|IPaddr'. Below two lines split # node definition to get node name and node IP. NODE_NAME=`echo ${NODE} | awk -F"|" '{print $1}'` NODE_IP=`echo ${NODE} | awk -F"|" '{print $2}
SCTP: transport protocol and vimage jails
All the info on vimage jails say to nooption SCTP when compiling vimage into your kernel. Reason given is that sctp is not vimage aware. If that is ture, then why can't I find a PR on SCTP or vimage about this problem? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
On 14/05/2013 14:31, dweimer wrote: > I can confirm that PostgreSQL will not run in a jail without sysvipc > enabled, I just setup a jail running PostgreSQL a few weeks ago and had > to do that as well. PostgreSQL will not start without it enabled, > though perhaps there is some setting change in PostgreSQL that will make > it not require this. In my case its the only jail, and I am the only > user with access to both the base system and the jail so I wasn't to > concerned about it allowing more access to the base system from the jail. postgresql-9.3beta1 was announced a few days ago, and one of the key new features is switching largely away from sysvipc to mmap for shared memory. http://www.postgresql.org/docs/devel/static/release-9-3.html Unfortunately I don't think it's entirely sysV IPC free yet. But postgresql93 is available in ports. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. PGP: http://www.infracaninophile.co.uk/pgpkey signature.asc Description: OpenPGP digital signature
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
2013/5/14 Joe : > David Demelier wrote: >> >> 2013/5/14 Joe : >>> >>> David Demelier wrote: >>>> >>>> Le lundi 13 mai 2013 16:32:01 Joe a écrit : >>>>> >>>>> David Demelier wrote: >>>>>> >>>>>> Hello dear, >>>>>> >>>>>> Does jail.conf(5) does not work for jails listed in the rc.conf ? >>>>>> >>>>>> I've added in /etc/jail.conf: >>>>>> >>>>>> foo { >>>>>> >>>>>> hostname=Foo; >>>>>> path=/jails/foo; >>>>>> allow.sysvipc=1; >>>>>> >>>>>> } >>>>>> >>>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I >>>>>> try >>>>>> to >>>>>> start the jail it still complain about missing hostname. >>>>>> >>>>>> Regards, >>>>> >>>>> There are 2 methods for configuring jails. >>>>> >>>>> The legacy method which you put the jail config statements in the hosts >>>>> /etc/rc.conf file and start and stop control is done by the hosts >>>>> /etc/rc.d/jail script at boot time. >>>>> >>>>> The jail(8) method which has it's own jail config statements in the >>>>> hosts /etc/jail.conf file and uses the jail(8) program for starting and >>>>> stopping. You can create a jail.conf file for each jail(8) and start it >>>>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing >>>>> jail -f "/etc/jailname.jail.conf" -r jailname >>>>> >>>>> You can not mix the 2 methods. >>>> >>>> >>>> My real problem is that I wanted to add allow.sysvipc only for *one* >>>> jail >>>> and I can't find a real solution by jail_* flags in /etc/rc.conf >>>> >>>> There is jail_allow_sysvipc but it enable it for all jails. >>>> >>>> >>> >>> The jail(8) method does have a allow_sysvipc on a per jail basis. To use >>> it >>> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a >>> work >>> in process to incorporate the jail(8) parameters into the rc.conf config >>> statements. >>> >>> About the allow_sysvipc parameter, this breaks the security the jail is >>> designed to provide and should NOT be used on any jails having public >>> internet access. >>> >>> What are you trying to do that you think you need to use the >>> allow_sysvipc >>> parameter? >>> >> >> PostgreSQL, usually I install it on the host instead of jails, but I >> needed a second instance on a different port for a public access.. >> >> Regards, >> >> -- >> Demelier David >> >> > That all sounds logical and is what jails are designed to do. > Why would running PostgreSQL in a jail need sysvipc? > Have you tried it? Did you get some PostgreSQL error? > Yes, unfortunately this is a very very old issue that has been reported so much often.. -- Demelier David ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
On 05/14/2013 8:20 am, Joe wrote: David Demelier wrote: 2013/5/14 Joe : David Demelier wrote: Le lundi 13 mai 2013 16:32:01 Joe a écrit : David Demelier wrote: Hello dear, Does jail.conf(5) does not work for jails listed in the rc.conf ? I've added in /etc/jail.conf: foo { hostname=Foo; path=/jails/foo; allow.sysvipc=1; } And in /etc/rc.conf only foo in the jail_list parameter, but when I try to start the jail it still complain about missing hostname. Regards, There are 2 methods for configuring jails. The legacy method which you put the jail config statements in the hosts /etc/rc.conf file and start and stop control is done by the hosts /etc/rc.d/jail script at boot time. The jail(8) method which has it's own jail config statements in the hosts /etc/jail.conf file and uses the jail(8) program for starting and stopping. You can create a jail.conf file for each jail(8) and start it using jail -c -f "/etc/jailname.jail.conf" and stop by issuing jail -f "/etc/jailname.jail.conf" -r jailname You can not mix the 2 methods. My real problem is that I wanted to add allow.sysvipc only for *one* jail and I can't find a real solution by jail_* flags in /etc/rc.conf There is jail_allow_sysvipc but it enable it for all jails. The jail(8) method does have a allow_sysvipc on a per jail basis. To use it you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work in process to incorporate the jail(8) parameters into the rc.conf config statements. About the allow_sysvipc parameter, this breaks the security the jail is designed to provide and should NOT be used on any jails having public internet access. What are you trying to do that you think you need to use the allow_sysvipc parameter? PostgreSQL, usually I install it on the host instead of jails, but I needed a second instance on a different port for a public access.. Regards, -- Demelier David That all sounds logical and is what jails are designed to do. Why would running PostgreSQL in a jail need sysvipc? Have you tried it? Did you get some PostgreSQL error? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" I can confirm that PostgreSQL will not run in a jail without sysvipc enabled, I just setup a jail running PostgreSQL a few weeks ago and had to do that as well. PostgreSQL will not start without it enabled, though perhaps there is some setting change in PostgreSQL that will make it not require this. In my case its the only jail, and I am the only user with access to both the base system and the jail so I wasn't to concerned about it allowing more access to the base system from the jail. -- Thanks, Dean E. Weimer http://www.dweimer.net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
David Demelier wrote: 2013/5/14 Joe : David Demelier wrote: Le lundi 13 mai 2013 16:32:01 Joe a écrit : David Demelier wrote: Hello dear, Does jail.conf(5) does not work for jails listed in the rc.conf ? I've added in /etc/jail.conf: foo { hostname=Foo; path=/jails/foo; allow.sysvipc=1; } And in /etc/rc.conf only foo in the jail_list parameter, but when I try to start the jail it still complain about missing hostname. Regards, There are 2 methods for configuring jails. The legacy method which you put the jail config statements in the hosts /etc/rc.conf file and start and stop control is done by the hosts /etc/rc.d/jail script at boot time. The jail(8) method which has it's own jail config statements in the hosts /etc/jail.conf file and uses the jail(8) program for starting and stopping. You can create a jail.conf file for each jail(8) and start it using jail -c -f "/etc/jailname.jail.conf" and stop by issuing jail -f "/etc/jailname.jail.conf" -r jailname You can not mix the 2 methods. My real problem is that I wanted to add allow.sysvipc only for *one* jail and I can't find a real solution by jail_* flags in /etc/rc.conf There is jail_allow_sysvipc but it enable it for all jails. The jail(8) method does have a allow_sysvipc on a per jail basis. To use it you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work in process to incorporate the jail(8) parameters into the rc.conf config statements. About the allow_sysvipc parameter, this breaks the security the jail is designed to provide and should NOT be used on any jails having public internet access. What are you trying to do that you think you need to use the allow_sysvipc parameter? PostgreSQL, usually I install it on the host instead of jails, but I needed a second instance on a different port for a public access.. Regards, -- Demelier David That all sounds logical and is what jails are designed to do. Why would running PostgreSQL in a jail need sysvipc? Have you tried it? Did you get some PostgreSQL error? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
2013/5/14 Joe : > David Demelier wrote: >> >> Le lundi 13 mai 2013 16:32:01 Joe a écrit : >>> >>> David Demelier wrote: >>>> >>>> Hello dear, >>>> >>>> Does jail.conf(5) does not work for jails listed in the rc.conf ? >>>> >>>> I've added in /etc/jail.conf: >>>> >>>> foo { >>>> >>>> hostname=Foo; >>>> path=/jails/foo; >>>> allow.sysvipc=1; >>>> >>>> } >>>> >>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try >>>> to >>>> start the jail it still complain about missing hostname. >>>> >>>> Regards, >>> >>> There are 2 methods for configuring jails. >>> >>> The legacy method which you put the jail config statements in the hosts >>> /etc/rc.conf file and start and stop control is done by the hosts >>> /etc/rc.d/jail script at boot time. >>> >>> The jail(8) method which has it's own jail config statements in the >>> hosts /etc/jail.conf file and uses the jail(8) program for starting and >>> stopping. You can create a jail.conf file for each jail(8) and start it >>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing >>> jail -f "/etc/jailname.jail.conf" -r jailname >>> >>> You can not mix the 2 methods. >> >> >> My real problem is that I wanted to add allow.sysvipc only for *one* jail >> and I can't find a real solution by jail_* flags in /etc/rc.conf >> >> There is jail_allow_sysvipc but it enable it for all jails. >> >> > > > The jail(8) method does have a allow_sysvipc on a per jail basis. To use it > you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work > in process to incorporate the jail(8) parameters into the rc.conf config > statements. > > About the allow_sysvipc parameter, this breaks the security the jail is > designed to provide and should NOT be used on any jails having public > internet access. > > What are you trying to do that you think you need to use the allow_sysvipc > parameter? > PostgreSQL, usually I install it on the host instead of jails, but I needed a second instance on a different port for a public access.. Regards, -- Demelier David ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
David Demelier wrote: Le lundi 13 mai 2013 16:32:01 Joe a écrit : David Demelier wrote: Hello dear, Does jail.conf(5) does not work for jails listed in the rc.conf ? I've added in /etc/jail.conf: foo { hostname=Foo; path=/jails/foo; allow.sysvipc=1; } And in /etc/rc.conf only foo in the jail_list parameter, but when I try to start the jail it still complain about missing hostname. Regards, There are 2 methods for configuring jails. The legacy method which you put the jail config statements in the hosts /etc/rc.conf file and start and stop control is done by the hosts /etc/rc.d/jail script at boot time. The jail(8) method which has it's own jail config statements in the hosts /etc/jail.conf file and uses the jail(8) program for starting and stopping. You can create a jail.conf file for each jail(8) and start it using jail -c -f "/etc/jailname.jail.conf" and stop by issuing jail -f "/etc/jailname.jail.conf" -r jailname You can not mix the 2 methods. My real problem is that I wanted to add allow.sysvipc only for *one* jail and I can't find a real solution by jail_* flags in /etc/rc.conf There is jail_allow_sysvipc but it enable it for all jails. The jail(8) method does have a allow_sysvipc on a per jail basis. To use it you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work in process to incorporate the jail(8) parameters into the rc.conf config statements. About the allow_sysvipc parameter, this breaks the security the jail is designed to provide and should NOT be used on any jails having public internet access. What are you trying to do that you think you need to use the allow_sysvipc parameter? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
Le lundi 13 mai 2013 16:32:01 Joe a écrit : > David Demelier wrote: > > Hello dear, > > > > Does jail.conf(5) does not work for jails listed in the rc.conf ? > > > > I've added in /etc/jail.conf: > > > > foo { > > > > hostname=Foo; > > path=/jails/foo; > > allow.sysvipc=1; > > > > } > > > > And in /etc/rc.conf only foo in the jail_list parameter, but when I try to > > start the jail it still complain about missing hostname. > > > > Regards, > > There are 2 methods for configuring jails. > > The legacy method which you put the jail config statements in the hosts > /etc/rc.conf file and start and stop control is done by the hosts > /etc/rc.d/jail script at boot time. > > The jail(8) method which has it's own jail config statements in the > hosts /etc/jail.conf file and uses the jail(8) program for starting and > stopping. You can create a jail.conf file for each jail(8) and start it > using jail -c -f "/etc/jailname.jail.conf" and stop by issuing > jail -f "/etc/jailname.jail.conf" -r jailname > > You can not mix the 2 methods. My real problem is that I wanted to add allow.sysvipc only for *one* jail and I can't find a real solution by jail_* flags in /etc/rc.conf There is jail_allow_sysvipc but it enable it for all jails. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
David Demelier wrote: Hello dear, Does jail.conf(5) does not work for jails listed in the rc.conf ? I've added in /etc/jail.conf: foo { hostname=Foo; path=/jails/foo; allow.sysvipc=1; } And in /etc/rc.conf only foo in the jail_list parameter, but when I try to start the jail it still complain about missing hostname. Regards, There are 2 methods for configuring jails. The legacy method which you put the jail config statements in the hosts /etc/rc.conf file and start and stop control is done by the hosts /etc/rc.d/jail script at boot time. The jail(8) method which has it's own jail config statements in the hosts /etc/jail.conf file and uses the jail(8) program for starting and stopping. You can create a jail.conf file for each jail(8) and start it using jail -c -f "/etc/jailname.jail.conf" and stop by issuing jail -f "/etc/jailname.jail.conf" -r jailname You can not mix the 2 methods. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
/etc/jail.conf for automatically started jails listed in /etc/rc.conf
Hello dear, Does jail.conf(5) does not work for jails listed in the rc.conf ? I've added in /etc/jail.conf: foo { hostname=Foo; path=/jails/foo; allow.sysvipc=1; } And in /etc/rc.conf only foo in the jail_list parameter, but when I try to start the jail it still complain about missing hostname. Regards, ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
jails running xorg desktop, is it possible?
Has anyone been able to get a xorg desktop to run inside of a jail? All information and links to howto's welcome. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: jails bind ip
Hi, First of all usage of 127.0.0.1 as second address is nothing but wrong, as this is the loopback address :) For the second part of the question - I suppose it has nothing to do with the BSD and the jail subsystem. I am not sure why you have eth1 tbh, you should only have eth0, maybe because of this binding to 127.0.0.1, which fails as you already have this address on lo0. But from your logs: INFO 2013-01-26 16:03:03.085 Created socket: /127.0.0.1:5001 [main] ERROR 2013-01-26 16:03:03.186 A serious error occurred during PMS init org.jboss.netty.channel.ChannelException: Failed to bind to: /127.0.0.1:5001 Obviously you have error in your config, as you are not binding to address, but on local socket at the root of the system. So my guess is you must eighter change your software configuration or you should giva access to root folder to the user running the application. Regards, Ivailo Tanusheff "Zyumbilev, Peter" Sent by: owner-freebsd-questi...@freebsd.org 26.01.2013 15:18 To "freebsd-questions@freebsd.org" cc Subject jails bind ip Hi, I have successfully run multiple jails on freebsd 9.1 Two of the jails are FreeBSD and I have no problems with them. However I havesome strange problem with Debian 6.0 Jail. This is my config jail_debian_rootdir="/jail/debian" jail_debian_hostname="debian.bivol.net" jail_debian_ip="192.168.30.12,127.0.0.1" jail_debian_interface="bge0" jail_debian_devfs_enable="YES" jail_debian_devfs_ruleset="devfsrules_jail" jail_debian_flags="-n debian" #jail_debian_mount_enable="YES" # mount YES|NO jail_debian_fstab="/jail/conf/fstab.debian" # File with Filesystems to mount I tried with and without 127.0.0.1. This is how ifconfig looks from inside debian: root@debian:/# ifconfig eth0 Link encap:Ethernet HWaddr e8:39:35:25:d2:ef inet addr:192.168.30.12 Bcast:192.168.30.12 Mask:255.255.255.255 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0 TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:478459387769 (445.6 GiB) TX bytes:190485214007 (177.4 GiB) eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MULTICAST MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lo0 Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MULTICAST MTU:16384 Metric:1 RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0 TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:103125473 (98.3 MiB) TX bytes:103125585 (98.3 MiB) usbus0Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus1Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus2Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus3Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus4Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus5Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) However, applications have problem binding. Two applications that fail are plexmedia server and psmedia server. 1. PS3 media server throws crazy errors like that it canncot bind - no matter which IP I choose: [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf [
Re: jails bind ip
On 26/01/2013 23:06, Fbsd8 wrote: > Zyumbilev, Peter wrote: >>> Are you saying you installed the Debian 6.0 operating system >>> inside of a Freebsd jail and expect it to function? >>> >>> >> >> >> on top of all works ;-) Look at mailing list archives earlier ...See >> mails from me. >> >> >> Peter > > > Ok I read the archive thread subject "jails". > You read a reply pointing you to a French howto. > > http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD > > I don't read French so have no idea what you did. > In another post you said you did this procedure > 1. Use > http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz > instead of the file listed in the French howto. > 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before > starting the jail, otherwise you will get error "kernel too old". > > Don't understand what you mean by "shell" in the the above #2 sentence. > > The info you provided is so lacking in details. People here on the list > are not going to try to duplicate your steps just to get a understanding > of your situation. > > When asking a question it's your job to describe in detail what your > situation is. What your trying to achieve by using a jail. What > applications you installed in your jail. The jail statements you used to > create your jail. So on and so forth. > > No details results in no replies. > If you want helpful replies start with more and better details. > > From a very general point of view. You can populate a jails directory > tree with anything you want and the jail will still start. Having the > jail start does not mean anything you put in side of the jail is > working. Which is what I think is happening in your case. > > With out details I can not help you any further. > > Good luck. > > Hi, I know chances are slim someone to help. I believe my question is asked right. Even if noone can help it was worth asking - at least you learned that debian can run inside Freebsd :-) You know the idea is everyone to learn from this. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: jails bind ip
Zyumbilev, Peter wrote: Are you saying you installed the Debian 6.0 operating system inside of a Freebsd jail and expect it to function? on top of all works ;-) Look at mailing list archives earlier ...See mails from me. Peter Ok I read the archive thread subject "jails". You read a reply pointing you to a French howto. http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD I don't read French so have no idea what you did. In another post you said you did this procedure 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead of the file listed in the French howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error "kernel too old". Don't understand what you mean by "shell" in the the above #2 sentence. The info you provided is so lacking in details. People here on the list are not going to try to duplicate your steps just to get a understanding of your situation. When asking a question it's your job to describe in detail what your situation is. What your trying to achieve by using a jail. What applications you installed in your jail. The jail statements you used to create your jail. So on and so forth. No details results in no replies. If you want helpful replies start with more and better details. From a very general point of view. You can populate a jails directory tree with anything you want and the jail will still start. Having the jail start does not mean anything you put in side of the jail is working. Which is what I think is happening in your case. With out details I can not help you any further. Good luck. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: jails bind ip
> Are you saying you installed the Debian 6.0 operating system > inside of a Freebsd jail and expect it to function? > > on top of all works ;-) Look at mailing list archives earlier ...See mails from me. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: jails bind ip
Zyumbilev, Peter wrote: Hi, I have successfully run multiple jails on freebsd 9.1 Two of the jails are FreeBSD and I have no problems with them. However I havesome strange problem with Debian 6.0 Jail. This is my config jail_debian_rootdir="/jail/debian" jail_debian_hostname="debian.bivol.net" jail_debian_ip="192.168.30.12,127.0.0.1" jail_debian_interface="bge0" jail_debian_devfs_enable="YES" jail_debian_devfs_ruleset="devfsrules_jail" jail_debian_flags="-n debian" #jail_debian_mount_enable="YES" # mount YES|NO jail_debian_fstab="/jail/conf/fstab.debian" # File with Filesystems to mount I tried with and without 127.0.0.1. This is how ifconfig looks from inside debian: root@debian:/# ifconfig eth0 Link encap:Ethernet HWaddr e8:39:35:25:d2:ef inet addr:192.168.30.12 Bcast:192.168.30.12 Mask:255.255.255.255 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0 TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:478459387769 (445.6 GiB) TX bytes:190485214007 (177.4 GiB) eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MULTICAST MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lo0 Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MULTICAST MTU:16384 Metric:1 RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0 TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:103125473 (98.3 MiB) TX bytes:103125585 (98.3 MiB) usbus0Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus1Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus2Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus3Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus4Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus5Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) However, applications have problem binding. Two applications that fail are plexmedia server and psmedia server. 1. PS3 media server throws crazy errors like that it canncot bind - no matter which IP I choose: [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf [main] DEBUG 2013-01-26 16:03:02.833 Base path set to file:///etc/ps3mediaserver/renderers/Panasonic.conf [main] INFO 2013-01-26 16:03:02.855 Loading configuration file: PS3.conf [main] DEBUG 2013-01-26 16:03:02.855 Base path set to file:///etc/ps3mediaserver/renderers/PS3.conf [main] INFO 2013-01-26 16:03:02.861 Loading configuration file: AirPlayer.conf [main] DEBUG 2013-01-26 16:03:02.862 Base path set to file:///etc/ps3mediaserver/renderers/AirPlayer.conf [main] INFO 2013-01-26 16:03:02.864 Checking MPlayer font cache. It can take a minute or so. [main] DEBUG 2013-01-26 16:03:02.865 launching: /usr/lib/ps3mediaserver/linux/mplayer [main] INFO 2013-01-26 16:03:03.008 Done! [main] INFO 2013-01-26 16:03:03.016 Searching for plugins in /usr/lib/ps3mediaserver/plugins [main] INFO 2013-01-26 16:03:03.029 No plugins found [main] INFO 2013-01-26 16:03:03.060 Registering transcoding engine: FFmpeg Audio [main] INFO 2013-01-26 16:03:03.078 Registering transcoding engine: MEncoder [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MPlayer Aud
jails bind ip
Hi, I have successfully run multiple jails on freebsd 9.1 Two of the jails are FreeBSD and I have no problems with them. However I havesome strange problem with Debian 6.0 Jail. This is my config jail_debian_rootdir="/jail/debian" jail_debian_hostname="debian.bivol.net" jail_debian_ip="192.168.30.12,127.0.0.1" jail_debian_interface="bge0" jail_debian_devfs_enable="YES" jail_debian_devfs_ruleset="devfsrules_jail" jail_debian_flags="-n debian" #jail_debian_mount_enable="YES" # mount YES|NO jail_debian_fstab="/jail/conf/fstab.debian" # File with Filesystems to mount I tried with and without 127.0.0.1. This is how ifconfig looks from inside debian: root@debian:/# ifconfig eth0 Link encap:Ethernet HWaddr e8:39:35:25:d2:ef inet addr:192.168.30.12 Bcast:192.168.30.12 Mask:255.255.255.255 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0 TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:478459387769 (445.6 GiB) TX bytes:190485214007 (177.4 GiB) eth1 Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MULTICAST MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lo0 Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MULTICAST MTU:16384 Metric:1 RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0 TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:103125473 (98.3 MiB) TX bytes:103125585 (98.3 MiB) usbus0Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus1Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus2Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus3Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus4Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) usbus5Link encap:Ethernet HWaddr 00:00:00:00:00:00 UP MTU:0 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) However, applications have problem binding. Two applications that fail are plexmedia server and psmedia server. 1. PS3 media server throws crazy errors like that it canncot bind - no matter which IP I choose: [main] INFO 2013-01-26 16:03:02.833 Loading configuration file: Panasonic.conf [main] DEBUG 2013-01-26 16:03:02.833 Base path set to file:///etc/ps3mediaserver/renderers/Panasonic.conf [main] INFO 2013-01-26 16:03:02.855 Loading configuration file: PS3.conf [main] DEBUG 2013-01-26 16:03:02.855 Base path set to file:///etc/ps3mediaserver/renderers/PS3.conf [main] INFO 2013-01-26 16:03:02.861 Loading configuration file: AirPlayer.conf [main] DEBUG 2013-01-26 16:03:02.862 Base path set to file:///etc/ps3mediaserver/renderers/AirPlayer.conf [main] INFO 2013-01-26 16:03:02.864 Checking MPlayer font cache. It can take a minute or so. [main] DEBUG 2013-01-26 16:03:02.865 launching: /usr/lib/ps3mediaserver/linux/mplayer [main] INFO 2013-01-26 16:03:03.008 Done! [main] INFO 2013-01-26 16:03:03.016 Searching for plugins in /usr/lib/ps3mediaserver/plugins [main] INFO 2013-01-26 16:03:03.029 No plugins found [main] INFO 2013-01-26 16:03:03.060 Registering transcoding engine: FFmpeg Audio [main] INFO 2013-01-26 16:03:03.078 Registering transcoding engine: MEncoder [main] INFO 2013-01-26 16:03:03.079 Registering transcoding engine: MPlayer Audio [main] INFO 2013-01-
Re: Best approach to jails + zfs
On Fri, 25 Jan 2013 19:14:45 +0100 bsd wrote: > Le 25 janv. 2013 à 18:41, Steve O'Hara-Smith a écrit : > > > On Fri, 25 Jan 2013 18:25:06 +0100 > > bsd wrote: > > > >> Hi, > >> > >> I wanted to have the point of view of the community on the best > >> approach in order to handle a quite large system with couple of jails > >> (shouldn't have more than 5 to 10). Whole system is based on zfs. I'll > >> use this as a backup server. > > > > You might like the sysutils/ezjail port - I use it for a very > > similar purpose and find it works well. > > > > -- > > Steve O'Hara-Smith > > > > I am a bit skeptical on the third party script approach. > > How stable has It been ? Rock solid - for me YMMV of course. The underpinnings are quite straightforward so it should be easy to fix anything that does go astray. > ZFS has introduced a new challenge, but now that I have understood (more > or less) how It is working, I found It really great! Just trying to > figure out the best way to use both Jail + ZFS. > > But I might re-consider my position… Does ezjail comply with the latest > FreeBSD 9 / 9.1 advances in jail / ZFS management improvement ? I'm using it on a 9,1 box to admin a bunch of 9.1 jails. It doesn't require ZFS but it can use it (along with a variety of other storage options). It uses standard ZFS commands to do it's work with ZFS. It's just a shell script program (albeit a 1500 line one), I might have written a simpler, cruder one myself had it not existed and worked. -- Steve O'Hara-Smith ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Best approach to jails + zfs
Le 25 janv. 2013 à 18:41, Steve O'Hara-Smith a écrit : > On Fri, 25 Jan 2013 18:25:06 +0100 > bsd wrote: > >> Hi, >> >> I wanted to have the point of view of the community on the best approach >> in order to handle a quite large system with couple of jails (shouldn't >> have more than 5 to 10). Whole system is based on zfs. I'll use this as a >> backup server. > > You might like the sysutils/ezjail port - I use it for a very > similar purpose and find it works well. > > -- > Steve O'Hara-Smith I am a bit skeptical on the third party script approach. How stable has It been ? I have been using warden with PC-BSD "TrueOS" for testing and I have encountered all sorts of problems (not stable when you have two pools of disks - can't delete jail…)… Quite interesting approach, but not mature enough to be launched in production. I have finally gotten back to the FreeBSD root file system which I am using since couple of years now. It is not fancy, It does not provide script to ease your pain… But you understand what you are doing and It does what you tell him to do !! ZFS has introduced a new challenge, but now that I have understood (more or less) how It is working, I found It really great! Just trying to figure out the best way to use both Jail + ZFS. But I might re-consider my position… Does ezjail comply with the latest FreeBSD 9 / 9.1 advances in jail / ZFS management improvement ? Thanks for your feedback. –– -> Grégory Bernard Director <- ---> www.osnet.eu <--- --> Your provider of OpenSource appliances <-- –– OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Best approach to jails + zfs
On Fri, 25 Jan 2013 18:25:06 +0100 bsd wrote: > Hi, > > I wanted to have the point of view of the community on the best approach > in order to handle a quite large system with couple of jails (shouldn't > have more than 5 to 10). Whole system is based on zfs. I'll use this as a > backup server. You might like the sysutils/ezjail port - I use it for a very similar purpose and find it works well. -- Steve O'Hara-Smith ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Best approach to jails + zfs
Hi, I wanted to have the point of view of the community on the best approach in order to handle a quite large system with couple of jails (shouldn't have more than 5 to 10). Whole system is based on zfs. I'll use this as a backup server. I have been using the "handbook" approach so far. It is quite stable but the linked directories inside each jail is quite error prone and may be confusing. With this approach you can update all your jails at once… this is quite tempting, but if you have an error… all your jails are gone at once ! == you can't afford to have a kernel compile problem while updating your system or you're dead !! http://www.freebsd.org/doc//handbook/jails-build.html The other approach that I have found is to use create a base jail system using sysinstall and then zfs snapshot to clone It. You then use this to create a jail. You end up with couple of independent jails which are not linked to each other in any way. You can / need to update each jail one by one. http://vocalbit.com/article/402/freebsd-jails-using-zfs-and-bsdinstall • I wanted to know if the handbook approach is still the most recent one considering the latest progress in FBSD jail management ? • I wanted to know if you had some "mixed" approach that can leverage the risk of the handbook approach ? • Last but not least - do you have any good pointer to recent guide / howto / studies on the subject ? Thanks –– -> Grégory Bernard Director <- ---> www.osnet.eu <--- --> Your provider of OpenSource appliances <-- –– OSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetOSnetO ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: jails & ip addresses
Le Thu, 24 Jan 2013 11:51:46 -0500, Fbsd8 a écrit : > Is there any situation where assigning the same IP address to a new > jail that has already been assigned to a previous jail valid? > > I think not, but want verification. > > What are your thoughts? I'm sure they are case of this. One example is poudriere (a package builder), it starts several jails to build the packages and all the jails are bound to 127.0.0.1. The jail IP enforces that the jailed processus cannot use another one IP but that's all. Regards. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
jails & ip addresses
Is there any situation where assigning the same IP address to a new jail that has already been assigned to a previous jail valid? I think not, but want verification. What are your thoughts? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
- Original Message - > From: "Zyumbilev, Peter" > To: "freebsd-questions@FreeBSD.org" > Cc: > Sent: Tuesday, January 15, 2013 3:12 AM > Subject: Re: Jails > > On 15/01/2013 02:10, Leonardo M. Ramé wrote: > >> >> Yes, and also defined /etc/resolv.conf. Any hint? >> >> >> Leonardo M. Ramé >> http://leonardorame.blogspot.com > > > This is my jail conf. > > jail_debian_rootdir="/jail/debian" > jail_debian_hostname="debian.bivol.net" > jail_debian_ip="192.168.30.12" > jail_debian_interface="bge0" > jail_debian_devfs_enable="YES" > jail_debian_devfs_ruleset="devfsrules_jail" > jail_debian_flags="-n debian" > #jail_debian_mount_enable="YES" # mount YES|NO > jail_debian_fstab="/jail/conf/fstab.debian" > > > you have ip & interface settings correct ? Mine card is bge0, but your > one might be different. > > Peter Peter, last night I finally used apt-get to install g++, so, it's working!. The only thing that doesn't work is ping, but I won't care about it. Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On Jan 14, 2013, at 10:12 PM, Zyumbilev, Peter wrote: > On 15/01/2013 02:10, Leonardo M. Ramé wrote: > >> >> Yes, and also defined /etc/resolv.conf. Any hint? >> >> >> Leonardo M. Ramé >> http://leonardorame.blogspot.com > > > This is my jail conf. > > jail_debian_rootdir="/jail/debian" > jail_debian_hostname="debian.bivol.net" > jail_debian_ip="192.168.30.12" > jail_debian_interface="bge0" NOTE: You can optionally combine/collapse those last 2 lines into one: jail_debian_ip="bge0|192.168.30.12" (with the "pipe" character [|] separating the interface and IP) -- Devin > jail_debian_devfs_enable="YES" > jail_debian_devfs_ruleset="devfsrules_jail" > jail_debian_flags="-n debian" > #jail_debian_mount_enable="YES" # mount YES|NO > jail_debian_fstab="/jail/conf/fstab.debian" > > > you have ip & interface settings correct ? Mine card is bge0, but your > one might be different. > > Peter > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On 15/01/2013 02:10, Leonardo M. Ramé wrote: > > Yes, and also defined /etc/resolv.conf. Any hint? > > > Leonardo M. Ramé > http://leonardorame.blogspot.com This is my jail conf. jail_debian_rootdir="/jail/debian" jail_debian_hostname="debian.bivol.net" jail_debian_ip="192.168.30.12" jail_debian_interface="bge0" jail_debian_devfs_enable="YES" jail_debian_devfs_ruleset="devfsrules_jail" jail_debian_flags="-n debian" #jail_debian_mount_enable="YES" # mount YES|NO jail_debian_fstab="/jail/conf/fstab.debian" you have ip & interface settings correct ? Mine card is bge0, but your one might be different. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
> > From: "Zyumbilev, Peter" >To: "freebsd-questions@FreeBSD.org" >Sent: Monday, January 14, 2013 3:53 AM >Subject: Re: Jails > > > >On 13/01/2013 23:58, Leonardo M. Ramé wrote: >> >> > >> root@debian:/# ping www.google.com >> WARNING: setsockopt(ICMP_FILTER): Protocol not available >> WARNING: your kernel is veeery old. No problems. >> PING www.google.com (173.194.42.16) 56(84) bytes of data. >> ping: recvmsg: Invalid argument >> ping: recvmsg: Invalid argument >> ping: recvmsg: Invalid argument >> ping: recvmsg: Invalid argument >> >> --- www.google.com ping statistics --- >> 4 packets transmitted, 0 received, 100% packet loss, time 3078ms >> >> root@debian:/# > > >Hvae you run in FreeBSD: > >sysctl compat.linux.osrelease=2.6.32 > >? > Yes, and also defined /etc/resolv.conf. Any hint? Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On 13/01/2013 23:58, Leonardo M. Ramé wrote: > root@debian:/# ping www.google.com > WARNING: setsockopt(ICMP_FILTER): Protocol not available > WARNING: your kernel is veeery old. No problems. > PING www.google.com (173.194.42.16) 56(84) bytes of data. > ping: recvmsg: Invalid argument > ping: recvmsg: Invalid argument > ping: recvmsg: Invalid argument > ping: recvmsg: Invalid argument > > --- www.google.com ping statistics --- > 4 packets transmitted, 0 received, 100% packet loss, time 3078ms > > root@debian:/# > > > Also make sure you /etc/resolv.conf looks like this: nameserver 8.8.8.8 Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On 13/01/2013 23:58, Leonardo M. Ramé wrote: > > > root@debian:/# ping www.google.com > WARNING: setsockopt(ICMP_FILTER): Protocol not available > WARNING: your kernel is veeery old. No problems. > PING www.google.com (173.194.42.16) 56(84) bytes of data. > ping: recvmsg: Invalid argument > ping: recvmsg: Invalid argument > ping: recvmsg: Invalid argument > ping: recvmsg: Invalid argument > > --- www.google.com ping statistics --- > 4 packets transmitted, 0 received, 100% packet loss, time 3078ms > > root@debian:/# Hvae you run in FreeBSD: sysctl compat.linux.osrelease=2.6.32 ? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
- Original Message - > From: Devin Teske > To: Leonardo M. Ramé > Cc: "freebsd-questions@FreeBSD.org" > Sent: Sunday, January 13, 2013 2:23 PM > Subject: Re: Jails > > > On Jan 13, 2013, at 7:45 AM, Leonardo M. Ramé wrote: > >>> >> >>> From: "Zyumbilev, Peter" >>> To: freebsd-questions@FreeBSD.org >>> Cc: Mark Felder ; Devin Teske > ; Devin Teske >>> Sent: Sunday, January 13, 2013 7:09 AM >>> Subject: Re: Jails >>> >>> >>> On 12/01/2013 18:41, Devin Teske wrote: >>>> >>>> On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: >>>> >>>>> Hi, >>>>> >>>>> I have not tested it, but so far things do not look > promising... >>>>> >>>>> I cannot even run "netstat -nvatp" properly, however > sopcast seemed to >>>>> run, but have not tested it, for plex - have not tried yet. >>>>> >>>> >>>> netstat isn't allowed in traditional jails (but is allowed in > "vimage" jails which have their own network stack). >>>> >>>> If you're able/willing to compile a new kernel to enable the > "VIMAGE" feature, then this can be improved so that you can indeed use > netstat within the jail. >>>> >>>> NOTE: netstat is not allowed within traditional (non-VIMAGE) jails > due to security restrictions. >>>> >>> >>> My host os is Nas4Free and is stripped version of freebsd - e.g I >>> cannot even compile ports - that is why I use jails - so no new kernel >>> for me there :) >>> >>> So far I am quite happy with it - I use it mainly as DLNA >>> server(Serviio), ZFS,UPS support & Transmission made it quite good >>> platform - would take plenty of time to get all this in plain FreeBSD >>> install. >>> >>> The only thing that I might be missing is Plex, but due to lack > "browser >>> per folder feature", I will stick to open standard - DLNA. >>> >>> Peter >> >> >> Hi, I've installed debian 6 in a jail, from FreeBsd 9.1 x86-64 by > following the instructions from this thread. However, I also updated my > /etc/resolv.conf inside the jail, but I get this error when I do ping: > > ping is usually denied from within a jail (for security purposes). > > Add the following to /etc/rc.conf: > > jail_sysvipc_allow="YES" > > And then reboot. I've tried that, but I got the same results: root@debian:/# ping www.google.com WARNING: setsockopt(ICMP_FILTER): Protocol not available WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.16) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument --- www.google.com ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3078ms root@debian:/# Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On Jan 13, 2013, at 7:45 AM, Leonardo M. Ramé wrote: >> > >> From: "Zyumbilev, Peter" >> To: freebsd-questions@FreeBSD.org >> Cc: Mark Felder ; Devin Teske ; Devin >> Teske >> Sent: Sunday, January 13, 2013 7:09 AM >> Subject: Re: Jails >> >> >> On 12/01/2013 18:41, Devin Teske wrote: >>> >>> On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: >>> >>>> Hi, >>>> >>>> I have not tested it, but so far things do not look promising... >>>> >>>> I cannot even run "netstat -nvatp" properly, however sopcast seemed to >>>> run, but have not tested it, for plex - have not tried yet. >>>> >>> >>> netstat isn't allowed in traditional jails (but is allowed in "vimage" >>> jails which have their own network stack). >>> >>> If you're able/willing to compile a new kernel to enable the "VIMAGE" >>> feature, then this can be improved so that you can indeed use netstat >>> within the jail. >>> >>> NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to >>> security restrictions. >>> >> >> My host os is Nas4Free and is stripped version of freebsd - e.g I >> cannot even compile ports - that is why I use jails - so no new kernel >> for me there :) >> >> So far I am quite happy with it - I use it mainly as DLNA >> server(Serviio), ZFS,UPS support & Transmission made it quite good >> platform - would take plenty of time to get all this in plain FreeBSD >> install. >> >> The only thing that I might be missing is Plex, but due to lack "browser >> per folder feature", I will stick to open standard - DLNA. >> >> Peter > > > Hi, I've installed debian 6 in a jail, from FreeBsd 9.1 x86-64 by following > the instructions from this thread. However, I also updated my > /etc/resolv.conf inside the jail, but I get this error when I do ping: ping is usually denied from within a jail (for security purposes). Add the following to /etc/rc.conf: jail_sysvipc_allow="YES" And then reboot. -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
> > From: "Zyumbilev, Peter" >To: freebsd-questions@FreeBSD.org >Cc: Mark Felder ; Devin Teske ; Devin Teske > >Sent: Sunday, January 13, 2013 7:09 AM >Subject: Re: Jails > > >On 12/01/2013 18:41, Devin Teske wrote: >> >> On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: >> >>> Hi, >>> >>> I have not tested it, but so far things do not look promising... >>> >>> I cannot even run "netstat -nvatp" properly, however sopcast seemed to >>> run, but have not tested it, for plex - have not tried yet. >>> >> >> netstat isn't allowed in traditional jails (but is allowed in "vimage" jails >> which have their own network stack). >> >> If you're able/willing to compile a new kernel to enable the "VIMAGE" >> feature, then this can be improved so that you can indeed use netstat within >> the jail. >> >> NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to >> security restrictions. >> > >My host os is Nas4Free and is stripped version of freebsd - e.g I >cannot even compile ports - that is why I use jails - so no new kernel >for me there :) > >So far I am quite happy with it - I use it mainly as DLNA >server(Serviio), ZFS,UPS support & Transmission made it quite good >platform - would take plenty of time to get all this in plain FreeBSD >install. > >The only thing that I might be missing is Plex, but due to lack "browser >per folder feature", I will stick to open standard - DLNA. > >Peter Hi, I've installed debian 6 in a jail, from FreeBsd 9.1 x86-64 by following the instructions from this thread. However, I also updated my /etc/resolv.conf inside the jail, but I get this error when I do ping: server# /etc/rc.d/jail start debian Configuring jails:. Starting jails: debian. server# jls JID IP Address Hostname Path 13 192.168.0.250 debian /usr/home/jails/debian server# jexec 13 bash root@debian:/# uname -a Linux debian 2.6.32 FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 i686 GNU/Linux root@debian:/# ping www.google.com WARNING: WARNING: your kernel is veeery old. No problems. PING www.google.com (173.194.42.17) 56(84) bytes of data. ping: recvmsg: Invalid argument ping: recvmsg: Invalid argument Apart from getting those ping errors, I cannot "apt-get update": root@debian:/# apt-get update Get:1 http://security.debian.org squeeze/updates Release.gpg [836 B] Ign http://security.debian.org/ squeeze/updates/contrib Translation-en Get:2 http://ftp.debian.org squeeze Release.gpg [1672 B] Ign http://ftp.debian.org/debian/ squeeze/contrib Translation-en 99% [Working]FATAL -> Could not set non-blocking flag Bad file descriptor E: Method http has died unexpectedly! E: Sub-process http returned an error code (100) I need apt-get to install g++, to be able to compile a linux c++ app from FreeBsd. -- Leonardo M. Ramé http://leonardorame.blogspot.com ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On 12/01/2013 18:41, Devin Teske wrote: > > On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: > >> Hi, >> >> I have not tested it, but so far things do not look promising... >> >> I cannot even run "netstat -nvatp" properly, however sopcast seemed to >> run, but have not tested it, for plex - have not tried yet. >> > > netstat isn't allowed in traditional jails (but is allowed in "vimage" jails > which have their own network stack). > > If you're able/willing to compile a new kernel to enable the "VIMAGE" > feature, then this can be improved so that you can indeed use netstat within > the jail. > > NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to > security restrictions. > My host os is Nas4Free and is stripped version of freebsd - e.g I cannot even compile ports - that is why I use jails - so no new kernel for me there :) So far I am quite happy with it - I use it mainly as DLNA server(Serviio), ZFS,UPS support & Transmission made it quite good platform - would take plenty of time to get all this in plain FreeBSD install. The only thing that I might be missing is Plex, but due to lack "browser per folder feature", I will stick to open standard - DLNA. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On Jan 11, 2013, at 11:31 PM, Zyumbilev, Peter wrote: > Hi, > > I have not tested it, but so far things do not look promising... > > I cannot even run "netstat -nvatp" properly, however sopcast seemed to > run, but have not tested it, for plex - have not tried yet. > netstat isn't allowed in traditional jails (but is allowed in "vimage" jails which have their own network stack). If you're able/willing to compile a new kernel to enable the "VIMAGE" feature, then this can be improved so that you can indeed use netstat within the jail. NOTE: netstat is not allowed within traditional (non-VIMAGE) jails due to security restrictions. -- Devin > On 11/01/2013 21:19, Mark Felder wrote: >> On Fri, 11 Jan 2013 18:28:41 +0200 >> "Zyumbilev, Peter" wrote: >> >>> 1. Use >>> http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz >>> instead the file listed in the howto. >>> >>> 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before >>> starting the jail, otherwise you will get error "kernel too old". >> >> Does PLEX work? I'm highly interested in this I even posted asking for >> FreeBSD support on the relevant forum post... >> > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
Hi, I have not tested it, but so far things do not look promising... I cannot even run "netstat -nvatp" properly, however sopcast seemed to run, but have not tested it, for plex - have not tried yet. Peter On 11/01/2013 21:19, Mark Felder wrote: > On Fri, 11 Jan 2013 18:28:41 +0200 > "Zyumbilev, Peter" wrote: > >> 1. Use >> http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz >> instead the file listed in the howto. >> >> 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before >> starting the jail, otherwise you will get error "kernel too old". > > Does PLEX work? I'm highly interested in this I even posted asking for > FreeBSD support on the relevant forum post... > ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On Fri, 11 Jan 2013 18:28:41 +0200 "Zyumbilev, Peter" wrote: > 1. Use > http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz > instead the file listed in the howto. > > 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before > starting the jail, otherwise you will get error "kernel too old". Does PLEX work? I'm highly interested in this I even posted asking for FreeBSD support on the relevant forum post... ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On 11/01/2013 17:31, Patrick Lamaiziere wrote: > Le Fri, 11 Jan 2013 17:02:19 +0200, > "Zyumbilev, Peter" a écrit : > >> Hi, >> >> I run FreeBSD 9.1 64 bit(Nas4free). I have no problem setting up >> FreeBSD jails inside. However, I wonder, is there any tutorial on how >> to make Debian Squeeze run inside a jail ? I know it is possible with >> PC-BSD, should be possible with FreeBSD, but I have not documentation >> on how to utilize this feature. > > Baptiste (bapt@) made a small doc for this in the past, but in french. > > http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD > > > Regards > For future reference: I've got it work, just 2 things: 1. Use http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz instead the file listed in the howto. 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before starting the jail, otherwise you will get error "kernel too old". Otherwise, so far so good :-) Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
On 11/01/2013 17:31, Patrick Lamaiziere wrote: > Baptiste (bapt@) made a small doc for this in the past, but in french. > > http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD > > > Regards > Will do the job :-) Thanks ! How stable it is ? Anyone have some experience ? I want to try to run things like plex media player(http://www.plexapp.com/) and sopcast(http://www.sopcast.com/). It is not mission critical: for my home media server but I still hope it will work good enough. Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails
Le Fri, 11 Jan 2013 17:02:19 +0200, "Zyumbilev, Peter" a écrit : > Hi, > > I run FreeBSD 9.1 64 bit(Nas4free). I have no problem setting up > FreeBSD jails inside. However, I wonder, is there any tutorial on how > to make Debian Squeeze run inside a jail ? I know it is possible with > PC-BSD, should be possible with FreeBSD, but I have not documentation > on how to utilize this feature. Baptiste (bapt@) made a small doc for this in the past, but in french. http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD Regards ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Jails
Hi, I run FreeBSD 9.1 64 bit(Nas4free). I have no problem setting up FreeBSD jails inside. However, I wonder, is there any tutorial on how to make Debian Squeeze run inside a jail ? I know it is possible with PC-BSD, should be possible with FreeBSD, but I have not documentation on how to utilize this feature. Any ideas ?:-) Peter ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How do you manage jails?
> On 11/29/2012 13:34, Fbsd8 wrote: > >> Stay away from using vimage with production jails (vimage provides a >> network stack for each jail). Vimage is marked as experimental and use >> at your own risk. You have to compile it into your kernel to deploy it. >> > > FWIW we are using vimages for several critical systems and have had > great results for many months. > I've been doing tests with 9.[01]/vimage jails and it works fine unless I throw PF into the mix. After that I get a panic about one minute after the first network activity. I need to try it with IPFW, just never used it before so I need to read up to convert over what I'm trying to do. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How do you manage jails?
On 11/29/2012 13:34, Fbsd8 wrote: > Stay away from using vimage with production jails (vimage provides a > network stack for each jail). Vimage is marked as experimental and use > at your own risk. You have to compile it into your kernel to deploy it. > FWIW we are using vimages for several critical systems and have had great results for many months. -- Dave Robison Sales Solution Architect II FIS Banking Solutions 510/621-2089 (w) 530/518-5194 (c) 510/621-2020 (f) da...@vicor.com david.robi...@fisglobal.com _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How do you manage jails?
Rick Miller wrote: Hi All, I want to inquire how the majority of users manage jails within their own environments. Do you use the utilities described in the handbook in chapter 16 or some other management facility like qjail or ezjail? Found qjail to be much more function rich than ezjail. Would never use the manual method described in chapter 16 of the handbook. It becomes very cumbersome and hard to manage more than 3 jail. Stay away from using vimage with production jails (vimage provides a network stack for each jail). Vimage is marked as experimental and use at your own risk. You have to compile it into your kernel to deploy it. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How do you manage jails?
On Nov 29, 2012, at 6:12 AM, Devin Teske wrote: > > On Nov 29, 2012, at 6:05 AM, Rick Miller wrote: > >> Hi All, >> >> I want to inquire how the majority of users manage jails within their >> own environments. Do you use the utilities described in the handbook >> in chapter 16 or some other management facility like qjail or ezjail? >> > > I use my own home grown solution (freely available as a package): > http://druidbsd.sf.net/vimage.shtml > http://druidbsd.sf.net/download.shtml#vimage > Oh, and for what it's worth… because they are vimages (jails with network stack), we're able to run FreeBSD-4.11 jails under 8.x. Our other attempts at running FreeBSD-4.11 in a jail failed miserably when we didn't have the VIMAGE option enabled and using vnets as is documented/packaged above. -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How do you manage jails?
On Thu, 29 Nov 2012 09:05:30 -0500 Rick Miller wrote: > Hi All, > > I want to inquire how the majority of users manage jails within their > own environments. Do you use the utilities described in the handbook > in chapter 16 or some other management facility like qjail or ezjail? ezjail here - my fileserver runs a bunch of jails for various services as well as a build jail. I find it convenient and it hasn't annoyed me yet. -- Steve O'Hara-Smith --- Begin Message --- On Thu, 29 Nov 2012 09:05:30 -0500 Rick Miller wrote: > Hi All, > > I want to inquire how the majority of users manage jails within their > own environments. Do you use the utilities described in the handbook > in chapter 16 or some other management facility like qjail or ezjail? ezjail here - my fileserver runs a bunch of jails for various services as well as a build jail. I find it convenient and it hasn't annoyed me yet. -- Steve O'Hara-Smith --- End Message --- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: How do you manage jails?
On Nov 29, 2012, at 6:05 AM, Rick Miller wrote: > Hi All, > > I want to inquire how the majority of users manage jails within their > own environments. Do you use the utilities described in the handbook > in chapter 16 or some other management facility like qjail or ezjail? > I use my own home grown solution (freely available as a package): http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml#vimage -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
How do you manage jails?
Hi All, I want to inquire how the majority of users manage jails within their own environments. Do you use the utilities described in the handbook in chapter 16 or some other management facility like qjail or ezjail? -- Take care Rick Miller ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: ZFS / Boot Environments / Jails / Upgrading form Source Code
On 2012-10-19 02:48, Shane Ambler wrote: On 19/10/2012 07:44, dweimer wrote: First step replace the usr/src within the jail with new source using svn, easy enough. Then start make buildworld... oops, I have a problem now, the usr/obj/usr stuff is now under /usr/obj/usr/jails/release91rc2..., However I want it to be under /usr/jails/release91rc2/usr/obj/usr. If the jails base dir is /usr/obj/usr/jails/release91rc2 then it can only access files below that base dir. That is part of the jails security. If your jail is based at /usr/obj/usr/jails/release91rc2 then the jail by default will buildworld into /usr/obj of the jail system which translates to /usr/obj/usr/jails/release91rc2/usr/obj on the base system. You can adjust the settings within the jail but it will always be within the release91rc2 dir so you can't use the jail to install into /usr/jails of the base system. The base of the Jail, is /usr/jails/release91rc2, however, I did forget to mention that I was running the buildworld and buildkernel from the base system, with the intent to install using the DESTDIR=/usr/jails/release91rc2 command line option From looking at the usr/src/Makefile It looks like I need to set the MAKEOBJDIRPREFIX=/usr/jails/relase91rc2/usr/obj/usr/src/tmp environment variable, but is that the best solution here? There's also a /usr/obj/lib32 directory (system is running amd64, I assume this is for 32 bit libraries), so I would likely need to do something here as well, that I haven't gotten to yet. lib32 is part of the final system - you don't need to handle it separately. See man src.conf if you want to turn off the creation of 32bit libs. Got it, Fine with leaving it there, just wanted to know if there was a separate option to define where it ended up. You can set MAKEOBJDIRPREFIX (default /usr/obj ) to define where the binary files are made. You can also set DESTDIR (default is / ) for the installworld step to define where they get installed. It appears I went to deep on my definition of the MAKOBJDIRPREFIX, made the above path after seeing some output at the start of one of my buildworld attempts, which is what led me to believe there would be a second choice. When you start a buildworld or buildkernel the compiled binaries are stored within MAKEOBJDIRPREFIX. When that is complete the installworld or installkernel steps install the files from MAKEOBJDIRPREFIX into DESTDIR to create a workable system. That prevents a failed build from destroying part of your running system. If you want to experiment with different versions then you can also try- mkdir /usr/jails cd /usr/jails svn co http://svn0.us-west.FreeBSD.org/base/releng/9.0 9.0-src cd 9.0-src set MAKEOBJDIRPREFIX = /usr/jails/9.0-obj set DESTDIR = /usr/jails/9.0-base make buildworld && make installworld cd /usr/jails svn co http://svn0.us-east.FreeBSD.org/base/releng/9.1 9.1-src cd 9.1-src set MAKEOBJDIRPREFIX = /usr/jails/9.1-obj set DESTDIR = /usr/jails/9.1-base make buildworld && make installworld Here was the key information I needed, found several examples searching but none stated the MAKEOBJDIRPREFIX=, as you state below they are not needed for the running system, guessing most people clean them up afterwards so they aren't concerned they don't exist in the same boot environment in the end. I prefer to keep them in the same boot environment if possible, just so that if I delete a boot environment I know I got rid of everything that belonged to it and don't end up uselessly eating up extra disk space. I do delete the /usr/obj/usr directory prior to any rebuild, from old documentation I read when I first started doing source upgrades as a method of improving the speed of the buildworld. I am sure those were written for a 32bit system, which is why the lib32 directory wasn't included in those instructions. I know the /usr/obj/usr directory can be deleted after the installation of the source, does the same go for the /usr/obj/lib32 directory? if so Anything in MAKEOBJDIRPREFIX (/usr/obj) can be deleted after you have installed it, including lib32 which are libs to allow running 32bit programs on a 64bit system. Looks like I am on the right path, now time to give it a try with the new environment variables, thanks for your help Shane. If all goes well on this step, only things I have left to figured out and test is creating zfs snapshots by hand of volumes outside my boot environment, and mounting those read write within the jailed systems base so that I can fully test my applications against the latest live data without changing the actual data. Don't expect to have any trouble with this one. And then last of all need to test removing a HD from my Virtual Machine, adding a replacement, and rebuilding the mirror, again don't expect this to be a problem, just need to work my way through them and get the step
Re: ZFS / Boot Environments / Jails / Upgrading form Source Code
On 19/10/2012 07:44, dweimer wrote: First step replace the usr/src within the jail with new source using svn, easy enough. Then start make buildworld... oops, I have a problem now, the usr/obj/usr stuff is now under /usr/obj/usr/jails/release91rc2..., However I want it to be under /usr/jails/release91rc2/usr/obj/usr. If the jails base dir is /usr/obj/usr/jails/release91rc2 then it can only access files below that base dir. That is part of the jails security. If your jail is based at /usr/obj/usr/jails/release91rc2 then the jail by default will buildworld into /usr/obj of the jail system which translates to /usr/obj/usr/jails/release91rc2/usr/obj on the base system. You can adjust the settings within the jail but it will always be within the release91rc2 dir so you can't use the jail to install into /usr/jails of the base system. From looking at the usr/src/Makefile It looks like I need to set the MAKEOBJDIRPREFIX=/usr/jails/relase91rc2/usr/obj/usr/src/tmp environment variable, but is that the best solution here? There's also a /usr/obj/lib32 directory (system is running amd64, I assume this is for 32 bit libraries), so I would likely need to do something here as well, that I haven't gotten to yet. lib32 is part of the final system - you don't need to handle it separately. See man src.conf if you want to turn off the creation of 32bit libs. You can set MAKEOBJDIRPREFIX (default /usr/obj ) to define where the binary files are made. You can also set DESTDIR (default is / ) for the installworld step to define where they get installed. When you start a buildworld or buildkernel the compiled binaries are stored within MAKEOBJDIRPREFIX. When that is complete the installworld or installkernel steps install the files from MAKEOBJDIRPREFIX into DESTDIR to create a workable system. That prevents a failed build from destroying part of your running system. If you want to experiment with different versions then you can also try- mkdir /usr/jails cd /usr/jails svn co http://svn0.us-west.FreeBSD.org/base/releng/9.0 9.0-src cd 9.0-src set MAKEOBJDIRPREFIX = /usr/jails/9.0-obj set DESTDIR = /usr/jails/9.0-base make buildworld && make installworld cd /usr/jails svn co http://svn0.us-east.FreeBSD.org/base/releng/9.1 9.1-src cd 9.1-src set MAKEOBJDIRPREFIX = /usr/jails/9.1-obj set DESTDIR = /usr/jails/9.1-base make buildworld && make installworld I know the /usr/obj/usr directory can be deleted after the installation of the source, does the same go for the /usr/obj/lib32 directory? if so Anything in MAKEOBJDIRPREFIX (/usr/obj) can be deleted after you have installed it, including lib32 which are libs to allow running 32bit programs on a 64bit system. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
ZFS / Boot Environments / Jails / Upgrading form Source Code
I have been playing around with different build layouts etc trying to come up with a plan to make updates smoother and more easily recoverable if it goes horribly wrong. I think I have almost figured things out, just have a couple things left to figure out, one of which I am hoping someone on this list can help em out with, to save me some trial an error. Steps already figured out, mount new boot environment (using 9.1rc2 to test with) in /usr/jails/release91rc2, added the necessary settings to rc.conf, started jail, so far so good. I now know I can run the boot environment from within the jail, stop the jail and begin the upgrade from source. First step replace the usr/src within the jail with new source using svn, easy enough. Then start make buildworld... oops, I have a problem now, the usr/obj/usr stuff is now under /usr/obj/usr/jails/release91rc2..., However I want it to be under /usr/jails/release91rc2/usr/obj/usr. From looking at the usr/src/Makefile It looks like I need to set the MAKEOBJDIRPREFIX=/usr/jails/relase91rc2/usr/obj/usr/src/tmp environment variable, but is that the best solution here? There's also a /usr/obj/lib32 directory (system is running amd64, I assume this is for 32 bit libraries), so I would likely need to do something here as well, that I haven't gotten to yet. I know the /usr/obj/usr directory can be deleted after the installation of the source, does the same go for the /usr/obj/lib32 directory? if so perhaps it is a better option to make a new zfs data set outside the boot environments to mount under /usr/obj directory, let the default prefixes handle which sub directory to use, and just delete the directories when I am done working with the boot environment. -- Thanks, Dean E. Weimer http://www.dweimer.net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Resolvconf with FreeBSD jails
On 07/30/2012 18:03, Grzegorz Junka wrote: FreeBSD 9 uses resolvconf tool to manage the resolv.conf file. How can I make it working with FreeBSD jails? In my case I am moving my laptop between networks and every time I boot FreeBSD it gets assigned a different DNS server. The file /etc/resolv.conf gets updated but the same file in each of the jails is not. I need resolv.conf in each jail in order for that jail to connect to the external network. If you really need your resolv.conf for connecting to an external network (and not to resolve local machine names), why not just add public DNS servers there and let them stay the same all he time? I tried to make a link from resolv.conf in a jail to the same file in the host system, but inside jail the link doesn't work. I could copy the resolv.conf every time I boot FreeBSD after the DHCP obtained new DNS and updated resolv.conf but before ezjail starts any of the jails, but where I would need to put such copying? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Resolvconf with FreeBSD jails
FreeBSD 9 uses resolvconf tool to manage the resolv.conf file. How can I make it working with FreeBSD jails? In my case I am moving my laptop between networks and every time I boot FreeBSD it gets assigned a different DNS server. The file /etc/resolv.conf gets updated but the same file in each of the jails is not. I need resolv.conf in each jail in order for that jail to connect to the external network. I tried to make a link from resolv.conf in a jail to the same file in the host system, but inside jail the link doesn't work. I could copy the resolv.conf every time I boot FreeBSD after the DHCP obtained new DNS and updated resolv.conf but before ezjail starts any of the jails, but where I would need to put such copying? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
On Mon, Jul 23, 2012 at 8:31 AM, Eitan Adler wrote: > If this is a fxp bug, can you please file a PR explaining the issue > and how to reproduce it? kern/170081 -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
On 22 July 2012 21:55, Herbert J. Skuhra wrote: > On Sat, 21 Jul 2012 16:10:56 +0200 > "Herbert J. Skuhra" wrote: > >> On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra >> wrote: >> > Hi, >> > >> > ok, this is obviously a pf problem and the reason why the network in >> > the jail doesn't work. >> > >> > ifconfig lo1 create >> > ifconfig lo1 10.0.0.10 netmask 0xff00 >> > nc -s 10.0.0.10 xx.xx.xx.xx 25 >> > >> > With pf: connections fails; server receives SYN-ACK, but nc continues >> > sending SYNs until nc gives up >> > >> > With ipfw: connection OK >> > >> > On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. >> >> Could this be a bug in the fxp driver? >> I have a 2nd machine with a fxp nic. Same problem. > > Thanks to yongari@ the issue could be resolved on both machines by > disabling receive checksum offloading (ifconfig fxp0 -rxsum). If this is a fxp bug, can you please file a PR explaining the issue and how to reproduce it? -- Eitan Adler ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
On Sat, 21 Jul 2012 16:10:56 +0200 "Herbert J. Skuhra" wrote: > On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra > wrote: > > Hi, > > > > ok, this is obviously a pf problem and the reason why the network in > > the jail doesn't work. > > > > ifconfig lo1 create > > ifconfig lo1 10.0.0.10 netmask 0xff00 > > nc -s 10.0.0.10 xx.xx.xx.xx 25 > > > > With pf: connections fails; server receives SYN-ACK, but nc continues > > sending SYNs until nc gives up > > > > With ipfw: connection OK > > > > On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. > > Could this be a bug in the fxp driver? > I have a 2nd machine with a fxp nic. Same problem. Thanks to yongari@ the issue could be resolved on both machines by disabling receive checksum offloading (ifconfig fxp0 -rxsum). -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra wrote: > Hi, > > ok, this is obviously a pf problem and the reason why the network in > the jail doesn't work. > > ifconfig lo1 create > ifconfig lo1 10.0.0.10 netmask 0xff00 > nc -s 10.0.0.10 xx.xx.xx.xx 25 > > With pf: connections fails; server receives SYN-ACK, but nc continues > sending SYNs until nc gives up > > With ipfw: connection OK > > On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. Could this be a bug in the fxp driver? I have a 2nd machine with a fxp nic. Same problem. -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
Hi, ok, this is obviously a pf problem and the reason why the network in the jail doesn't work. ifconfig lo1 create ifconfig lo1 10.0.0.10 netmask 0xff00 nc -s 10.0.0.10 xx.xx.xx.xx 25 With pf: connections fails; server receives SYN-ACK, but nc continues sending SYNs until nc gives up With ipfw: connection OK On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf works. Thanks. -- Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
On Tue, Jul 17, 2012 at 11:46 AM, Herbert J. Skuhra wrote: > With pf: > > I see the packets going out/coming in on fxp0 but somehow the jail > does not "see" them. Running 'nc 173.194.35.177 80" 'pfctl -ss' shows: all tcp xx.xxx.xx.xxx:54724 (192.168.1.1:30177) -> 173.194.35.177:80 ESTABLISHED:SYN_SENT tcpdump on pflog0 shows : 16:32:28.489495 rule 11..16777216/0(match): pass out on fxp0: xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13114581 ecr 0], length 0 16:32:28.499804 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073042 ecr 13114581,nop,wscale 6], length 0 16:32:28.893420 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073436 ecr 13114581,nop,wscale 6], length 0 16:32:29.494073 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463074036 ecr 13114581,nop,wscale 6], length 0 16:32:30.695744 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463075237 ecr 13114581,nop,wscale 6], length 0 16:32:31.489462 rule 0..16777216/0(match): nat out on fxp0: xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13117581 ecr 0], length 0 16:32:31.500226 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463076040 ecr 13114581,nop,wscale 6], length 0 16:32:33.098531 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463077639 ecr 13114581,nop,wscale 6], length 0 16:32:34.689460 rule 0..16777216/0(match): nat out on fxp0: xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13120781 ecr 0], length 0 16:32:34.699834 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463079239 ecr 13114581,nop,wscale 6], length 0 16:32:37.889462 rule 0..16777216/0(match): nat out on fxp0: xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, options [mss 1460,sackOK,eol], length 0 16:32:37.899648 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463082437 ecr 13114581,nop,wscale 6], length 0 16:32:37.906102 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463082444 ecr 13114581,nop,wscale 6], length 0 16:32:41.089474 rule 0..16777216/0(match): nat out on fxp0: xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, options [mss 1460,sackOK,eol], length 0 16:32:41.100282 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463085636 ecr 13114581,nop,wscale 6], length 0 16:32:44.289462 rule 0..16777216/0(match): nat out on fxp0: xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, options [mss 1460,sackOK,eol], length 0 16:32:44.300060 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, options [mss 1430,sackOK,TS val 1463088834 ecr 13114581,nop,wscale 6], length 0 What's wrong? In the meantime I've found kern/164271. Regards, Herbert ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails on FreeBSD 9.0
On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller wrote: > On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra wrote: >> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu >> wrote: >>> 2012/7/12 Herbert J. Skuhra : >>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra >>>> wrote: >>>>> Hi, >>>>> >>>>> although I've followed the instructions in jail(8) and jail.conf(5) I >>>>> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334). >>>>> >>>>> The symptons: >>>>> >>>>> * ssh'ing to jail works, but it takes about 20 seconds until password >>>>> prompt appears >>> >>> Does it still the same with UseDNS=no in /etc/ssh/sshd_config ? >> >> No, I can login instantly. >> >>>>> * netstat -r in the jail takes about 150 seconds to finish >>> >>> Does netstat -rn does the same ? >> >> No, the output appears immediately. >> >>>>> * connections to the internet time out; with tcpdump I see that >>>>> packets leave and enter the public interface on the host, but never >>>>> reach the jail >>>>> >>>>> I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public >>>>> interface is fxp0 with both an IPv4 and an IPv6 address assigned. >>>>> Of course, nat is enable via pf on the public interface. >>> >>> Can you post your PF configuration ? >>>> >>>> After switching to ipfw/natd networking in the jail works. >>>> Could this be a bug? >>> >>> I think you had an issue with firewall that block name resolution and >>> makes everything goes slow. At least you need one single line on your >>> pf.conf : >>> >>> nat on $public_interface form $jail_ip to any -> ($public_interface) >> >> Even when loading only the nat rule it doesn't work: >> >> nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr >> >> Thanks. >> Herbert > > > As Mark Felder wrote > > You don't have anything in /etc/resolv.conf, in the jail do you? :-) I have two nameservers listed! If I boot a kernel with ipfirewall/ipdivert and run natd the network in the jail works! With pf: I see the packets going out/coming in on fxp0 but somehow the jail does not "see" them. A 'dig www.google.com' in the jail fails with "connection timed out; no servers could be reached", but 11:39:45.30 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32) 11:39:45.694045 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180, A 173.194.35.178 (132) 11:39:50.667799 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32) 11:39:50.687083 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180, A 173.194.35.176 (132) 11:39:55.668783 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32) 11:39:55.675917 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176, A 173.194.35.178 (132) And 'nc 173.194.35.177 80': 11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0 11:41:53.382320 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0 11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0 11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0 11:41:55.796638 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0 11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0 11:41:57.299125 IP
Re: Jails on FreeBSD 9.0
On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra wrote: > On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu wrote: >> 2012/7/12 Herbert J. Skuhra : >>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra >>> wrote: >>>> Hi, >>>> >>>> although I've followed the instructions in jail(8) and jail.conf(5) I >>>> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334). >>>> >>>> The symptons: >>>> >>>> * ssh'ing to jail works, but it takes about 20 seconds until password >>>> prompt appears >> >> Does it still the same with UseDNS=no in /etc/ssh/sshd_config ? > > No, I can login instantly. > >>>> * netstat -r in the jail takes about 150 seconds to finish >> >> Does netstat -rn does the same ? > > No, the output appears immediately. > >>>> * connections to the internet time out; with tcpdump I see that >>>> packets leave and enter the public interface on the host, but never >>>> reach the jail >>>> >>>> I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public >>>> interface is fxp0 with both an IPv4 and an IPv6 address assigned. >>>> Of course, nat is enable via pf on the public interface. >> >> Can you post your PF configuration ? >>> >>> After switching to ipfw/natd networking in the jail works. >>> Could this be a bug? >> >> I think you had an issue with firewall that block name resolution and >> makes everything goes slow. At least you need one single line on your >> pf.conf : >> >> nat on $public_interface form $jail_ip to any -> ($public_interface) > > Even when loading only the nat rule it doesn't work: > > nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr > > Thanks. > Herbert > ___ > freebsd-j...@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org" As Mark Felder wrote You don't have anything in /etc/resolv.conf, in the jail do you? :-) -- Med Venlig Hilsen Kalle R. Møller ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
I know that ssh does a reverse dns lookup of the ip you connect from - no matter if its local or not. On Tue, Jun 26, 2012 at 4:58 PM, Christopher J. Ruwe wrote: > On Mon, 25 Jun 2012 18:23:56 -0400 > Robert Huff wrote: > >> >> Christopher J. Ruwe writes: >> >> > On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some >> > qjails, 8.3-RELEASE. The jails are connected all via lo0 on >> > 10.0.0.0. >> > >> > While by the large working as expected, I have noticed one >> > pecularity I have failed to pinpoint: When launching processes >> > with some network interaction, like sshing into one of the jails >> > from the platform or launching emacs, the command spends ages ( >> > ~(1-2) minutes) idling? (nothing happens) before becoming >> > interactive. >> >> If the number is very close to 90 seconds, my first guess >> would be you have a DNS problem. >> >> >> Robert Huff >> >> ___ >> freebsd-questions@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to >> "freebsd-questions-unsubscr...@freebsd.org" > > Thanks for the hint. It was DNS ... I have copied a resolv.conf into the > jails for future use, but did not enable NAT from the start. > > The issue disappeared when I commented out the nameserver entries and > switched NAT off again, i.e., I could login using ssh in a matter of > seconds, not minutes. > > Now to the followup: Why does ssh and emacs! require DNS for entirely local > connections or just to be started? > > Anyway, thanks for that hint, cheers, > -- > Christopher > TZ: GMT + 2h -- Med Venlig Hilsen Kalle R. Møller ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
On Mon, 25 Jun 2012 18:23:56 -0400 Robert Huff wrote: > > Christopher J. Ruwe writes: > > > On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some > > qjails, 8.3-RELEASE. The jails are connected all via lo0 on > > 10.0.0.0. > > > > While by the large working as expected, I have noticed one > > pecularity I have failed to pinpoint: When launching processes > > with some network interaction, like sshing into one of the jails > > from the platform or launching emacs, the command spends ages ( > > ~(1-2) minutes) idling? (nothing happens) before becoming > > interactive. > > If the number is very close to 90 seconds, my first guess > would be you have a DNS problem. > > > Robert Huff > > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscr...@freebsd.org" Thanks for the hint. It was DNS ... I have copied a resolv.conf into the jails for future use, but did not enable NAT from the start. The issue disappeared when I commented out the nameserver entries and switched NAT off again, i.e., I could login using ssh in a matter of seconds, not minutes. Now to the followup: Why does ssh and emacs! require DNS for entirely local connections or just to be started? Anyway, thanks for that hint, cheers, -- Christopher TZ: GMT + 2h signature.asc Description: PGP signature
IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
Christopher J. Ruwe writes: > On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some > qjails, 8.3-RELEASE. The jails are connected all via lo0 on > 10.0.0.0. > > While by the large working as expected, I have noticed one > pecularity I have failed to pinpoint: When launching processes > with some network interaction, like sshing into one of the jails > from the platform or launching emacs, the command spends ages ( > ~(1-2) minutes) idling? (nothing happens) before becoming > interactive. If the number is very close to 90 seconds, my first guess would be you have a DNS problem. Robert Huff ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
IPNAT seems to affect network performance? of jails on lo0 (10.0.0.0/24) - why?
On a KVM virtualized host, I run FreeBSD 8.3-RELEASE-p3 and some qjails, 8.3-RELEASE. The jails are connected all via lo0 on 10.0.0.0. While by the large working as expected, I have noticed one pecularity I have failed to pinpoint: When launching processes with some network interaction, like sshing into one of the jails from the platform or launching emacs, the command spends ages ( ~(1-2) minutes) idling? (nothing happens) before becoming interactive. For reasons unreleated, I have enabled NAT with ipf for the jails on 10.0.0.0/24 (to the external re0 IF and some IP) and, out of the blue, logging into the jails or starting emacs became snappy again. Why? Why does ipnatting jails which should be connected via the same lo0 on 10.0.0.0 have any impact? Don't get me wrong, I am not complaining and it solved an issue which gave me kind of headaches, but I would like to understand. Thanks and cheers, -- Christopher TZ: GMT + 2h signature.asc Description: PGP signature
Re: Synchronising jails
/usr/ports/net/rsync On Fri, 27 Apr 2012, Frank Staals wrote: Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, -- - Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Synchronising jails
Frank Staals wrote: Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, I have 3 different ideas that would work. Method 1. move changes to basejail. Use qjail to create your hosta-jaila and hostb-jaila. Qjail has a bkup function that you can backup the hosta-jaila basejail in compressed dump format and move that file to hostb any way you want and then use qjail restore function to restore that dump file to hostb-jaila basejail. bkuping up basejail takes less than one minute. method 2. move user data changes to jaila. create hosta-jaila and hosta-jailb both being the same. After changes to hosta-jaila run diff on hosta-jaila, hosta-jailb and them move the diff file to hostb and apply the diff to hostb-jaila. method 3. move user data changes to jaila. Use qjail to backup hosta-jaila and restore it to hostb-jaila. Backing up a jail takes less than 15 seconds. Note, Both hosta and hostb must be at same operating system version level. Ezjail also has function to bkup a jail but no way to bkup basejail. You can issue a "dump" command on the command line to create one after all jails are stopped. In my book rsync is the automated way to keep two live system in sync real time. Maybe overkill in something that is pretty much stable. If say hosta/jaila is running a mail server or a website that remote users enter info into, then rsync is the only solution. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Synchronising jails
> > Hey Everyone, > > I'm looking for a way to synchronise two jails. More specifically, I > would like to keep/maintain an exact copy of a given jail. As an > example: Suppose I build a jail A on some system (in my particular case > build with ezjail) , and I copy the jail > into jail B on some other system (using tar, as is mentioned > here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff > happens in Jail A, e.g. files change, new stuff is installed etc. I > would like to propagate these changes to jail B, but since the transfer > is over WAN I would like not to have to copy the entire jail again, just > the stuff that has changed since the last backup. It is safe to assume > nothing in Jail B changes: I basically want to maintain the exact copy > so if something would happen to the system running Jail A I can > immediately switch to jail B without much hassle. > > Normally I would say this a perfect use case for rsync. But as the > aforementioned thread mentions ``scp or similar wont work to copy a > jail'', and I consider rsync similar to scp, I am under the impression > that rsync would not be usable in this situation. Can anyone shed some > light on this, or suggest an alternative to synchronise the jails? > > > Regards, > > -- > > - Frank > ___ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" Maybe you can store your jails on a per jail zfs filesystem. Then use zfs send/receive to send the incremental changes to the remote machine. Regards, Johan Hendriks___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Synchronising jails
Frank Staals writes: > Hey Everyone, > > I'm looking for a way to synchronise two jails. More specifically, I > would like to keep/maintain an exact copy of a given jail. As an > example: Suppose I build a jail A on some system (in my particular case > build with ezjail) , and I copy the jail > into jail B on some other system (using tar, as is mentioned > here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff > happens in Jail A, e.g. files change, new stuff is installed etc. I > would like to propagate these changes to jail B, but since the transfer > is over WAN I would like not to have to copy the entire jail again, just > the stuff that has changed since the last backup. It is safe to assume > nothing in Jail B changes: I basically want to maintain the exact copy > so if something would happen to the system running Jail A I can > immediately switch to jail B without much hassle. > > Normally I would say this a perfect use case for rsync. But as the > aforementioned thread mentions ``scp or similar wont work to copy a > jail'', and I consider rsync similar to scp, I am under the impression > that rsync would not be usable in this situation. Can anyone shed some > light on this, or suggest an alternative to synchronise the jails? I didn't don't know of any problem with using rsync (over ssh) for this, and after reading the thread to which you refer, I still don't. Set up a testbed using rsync and see if it works for you. If it doesn't, *then* you'll have something we can try to solve. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Synchronising jails
On 04/27/2012 09:35, Frank Staals wrote: > > Hey Everyone, > > I'm looking for a way to synchronise two jails. More specifically, I > would like to keep/maintain an exact copy of a given jail. As an > example: Suppose I build a jail A on some system (in my particular case > build with ezjail) , and I copy the jail > into jail B on some other system (using tar, as is mentioned > here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff > happens in Jail A, e.g. files change, new stuff is installed etc. I > would like to propagate these changes to jail B, but since the transfer > is over WAN I would like not to have to copy the entire jail again, just > the stuff that has changed since the last backup. It is safe to assume > nothing in Jail B changes: I basically want to maintain the exact copy > so if something would happen to the system running Jail A I can > immediately switch to jail B without much hassle. > > Normally I would say this a perfect use case for rsync. But as the > aforementioned thread mentions ``scp or similar wont work to copy a > jail'', and I consider rsync similar to scp, rsync is dissimilar in that it is capable of preserving links. It may likely do the job? > I am under the impression > that rsync would not be usable in this situation. Can anyone shed some > light on this, or suggest an alternative to synchronise the jails? > > > Regards, > signature.asc Description: OpenPGP digital signature
Synchronising jails
Hey Everyone, I'm looking for a way to synchronise two jails. More specifically, I would like to keep/maintain an exact copy of a given jail. As an example: Suppose I build a jail A on some system (in my particular case build with ezjail) , and I copy the jail into jail B on some other system (using tar, as is mentioned here: http://forums.freebsd.org/showthread.php?t=17813). Now stuff happens in Jail A, e.g. files change, new stuff is installed etc. I would like to propagate these changes to jail B, but since the transfer is over WAN I would like not to have to copy the entire jail again, just the stuff that has changed since the last backup. It is safe to assume nothing in Jail B changes: I basically want to maintain the exact copy so if something would happen to the system running Jail A I can immediately switch to jail B without much hassle. Normally I would say this a perfect use case for rsync. But as the aforementioned thread mentions ``scp or similar wont work to copy a jail'', and I consider rsync similar to scp, I am under the impression that rsync would not be usable in this situation. Can anyone shed some light on this, or suggest an alternative to synchronise the jails? Regards, -- - Frank ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Best practices about Jails
On 04/04/12 16:06, Fbsd8 wrote: This is overkill. I single ports tree on the host is fine. Matter of fact I use packages for everything accept for php which I have to compile in apache module. I even pre-install all of php's dependents as packages before doing "make install" on the php port. As far as portsclean goes its only for the paranoid. Ok, I've gone this way. If you dont have full ports tree in the jail then no need for portaudit in the jail. Portaudit doesn't check the port tree; it checks installed ports. Best practices is not to create a jail environment by hand as documented in the Freebsd handbook. The port utility qjail simplifies and automates the process to the point where you dont even have to know about the jail command. http://qjail.sourceforge.net/ use the port version for 8.x & 9.0 I've had a look at qjail; it seems very simliar to ezjails, which I used (I didn't do jails by hand). bye & Thanks av. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
On Apr 13, 2012, at 4:58 PM, Mark Felder wrote: > On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC > wrote: > >> No NAT needed since they share the network stack under Jails v1 they share >> the routing tables. It works. Try it. > > You're clearly exploiting a bug in FreeBSD 6's jails. It was a documented behavior when I first started using jails ca. 2004 in FreeBSD 5. Which is why I did it that way. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
On Fri, 13 Apr 2012 15:53:49 -0500, Chad Leigh Shire.Net LLC wrote: No NAT needed since they share the network stack under Jails v1 they share the routing tables. It works. Try it. You're clearly exploiting a bug in FreeBSD 6's jails. It must get confused and send your public IP on those packets. I have no idea how it processes the return traffic successfully, but "that's a neat trick!". There is no possible way for this to work without NAT or whatever bug this is. If a Jail has a 192.168 IP all packets would leave with a source of 192.168. When Google or whoever on the internet gets your packets it would see 192.168 and probably drop it because that's not a publicly routable network. Without NAT it's impossible for any device anywhere on the planet to access the internet with an RFC 1918 IP address. I urge you to share your experience on the freebsd-jail@ mailing list. Those guys might be able to lend some further insight. I bet the change came with the update to jails that allows multiple IPs. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
On Apr 13, 2012, at 1:50 PM, Mark Felder wrote: > Do I understand this right? > > > Working in FreeBSD 6.x: > > interface em0: 1.2.3.4/24 <-- public IP, host only > 192.168.1.1/24 <-- private IP, host only > 192.168.1.2/24 <-- Jail #1 > 192.168.1.3/24 <-- Jail #2 > > > With this configuration you had no problems accessing the internet from the > jails. correct. (not that it did not matter I don't think is the private IP, host only exists and ALL IP exist on the host in addition to whatever Jail they are assigned to) > > Is this correct? This seems bizarre; this should only be possible if you're > doing NAT somewhere in there and that is not possible with Jails v1 (which > share a network stack) and is only possible in Jails v2 (vnet). No NAT needed since they share the network stack under Jails v1 they share the routing tables. It works. Try it. The question is, is it possible to do something similar with FreeBSD 9 jails (v2 I guess) without the overhead of running NAT? The jail with the private IP *can* access the HOST's public services but not anyone else's Chad ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
Do I understand this right? Working in FreeBSD 6.x: interface em0: 1.2.3.4/24 <-- public IP, host only 192.168.1.1/24 <-- private IP, host only 192.168.1.2/24 <-- Jail #1 192.168.1.3/24 <-- Jail #2 With this configuration you had no problems accessing the internet from the jails. Is this correct? This seems bizarre; this should only be possible if you're doing NAT somewhere in there and that is not possible with Jails v1 (which share a network stack) and is only possible in Jails v2 (vnet). ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Changes in Jails from FreeBSD 6 to FreeBSD 9 -- particularly, networking and routing
Hi All OK, so I have a server that has been running FreeBSD 6.1 and a bunch of jails, providing a few limited services. I am migrating these from real hardware and FreeBSD 6.1 with jail running, to a Xen based VPS running FreeBSD 9.0-R with a kernel rebuild from a GENERIC kernel to GENERIC plus the Xen pci device. There is one network device on the new server and it shares all addresses and the default route goes out it. Because jails in FBSD 6 shared a network stack, I could have a public network x.x.x.0/24 and public address on the host machine, and a default route in that network as well, and use a 192.168.1.0/24 address aliased on the same network interface as the IP for my jail. When doing that, from inside the jail, I could still reach the internet since it shared the route with the underlying machine. That seems to have changed on FBSD 9. Now, if I add in the 192.168.1.0/24 address and run a jail on it, with the host machine in a public network/address/route as described above, from inside the jail I CANNOT reach the internet (it is not a resolver issue as services going to numeric addresses also fail). However, the jail with the private 192.168.1.0/24 address CAN reach the host machines services even if it cannot get out onto the internet. And the HOST machine can access services on the jail running on the private IP address. (The purpose of the jail is to provide services to other jails and hosts on the same public network [all VPS on the same public vlan] and NOT to provide services to the internet. Things like local ldap or a local dns etc. But the private jail still needs to reach the internet for things like name servers it needs to access that are outside of the public network the host lives in. So I don't care if the internet itself can reach the private jail, just the local jails and hosts it co-exists with. The answer shouldn't be natd etc (was not needed in 6.0 and I am not sharing one public address with a range of private jails behind it). If I launch the jail with an address from the same public range as the host, it works fine. The jail can access the internet fine and vice versa. The host can access the jail services as well. If I launch the jail with a private address, the jail cannot reach the internet. It can reach the host in the public network, but not other machines in the same public network (ie, the other VPS I have running which are all in the same public network). If I launch the jail with both a private address and a public address, it can reach the internet and other VPS on the same public network. I may have to end up doing that and just not having any services run on the public IP but I'd rather avoid using up an address like that. What changes happened in the jails between FBSD 6 and FBSD 9 that would give the symptoms I have been experiencing? Thanks Chad ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Best practices about Jails
On Wed, Apr 4, 2012 at 3:16 AM, Andrea Venturoli wrote: > Second question: from inside the jail I can access all services on > localhost (eg. telnet localhost pop3, where a pop3 server is running on the > host). Can this be avoided, e.g. with ipfw? > Ideally, since this jail will run only one deamon and it will be accessed > through Apache mod_proxy from the host, I'll just need inbound access to > its port and outbound access to smtp and web proxy on the host system. No > direct access from/to other hosts. > Is this possible? > I use http://druidbsd.sourceforge.net/vimage.shtml to manage VIMAGE jails. It works well. I don't use any of the jail frameworks in ports because I don't run a large amount of jails which is where one sees the greatest benefit from them. Of course they make certain optimization and procedures easier, but there is something to be said for learning the canonical way jails operate before implementing them in a more abstract framework. My statements are not considering the rc.d/jail* and vimage package as frameworks(although they are in a way at least). -- Adam Vande More ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Best practices about Jails
On Wed, Apr 04, 2012 at 10:16:37AM +0200, Andrea Venturoli wrote: > Hello. > > Plase forgive the long post and the amount of questions, but I'm new to > jails and I'd like to be sure of what I'm doing before deploying more > than a test one. > Right now I need to run a commercial Java app, which, ideally, I would > forbid to access files outside its directory. > This might be done by simple chrooting it, but I read a jail is a better > solution, so I started with ezjails. > First of all, I'm wondering whether it would be possible/useful to use > chroot even inside that jail. Any opinions? Not very usefull. If one chroot is safe, a double is overkill. If chroot can be broken out of, an extra chroot is at most an inconvenience. > Second question: from inside the jail I can access all services on > localhost (eg. telnet localhost pop3, where a pop3 server is running on > the host). Can this be avoided, e.g. with ipfw? The pf firewall allows you to explicitly exlude aliases from interface names. I'm assuming ipfw has similar capabilities. If you make a _pass_ rule for just the real interface without the aliases, you should be able to block stuff. Maybe you can create a loopback device, and associate the jail with that. Than you can filter the traffic to/from that to your hearts' content. > Ideally, since this jail will run only one deamon and it will be > accessed through Apache mod_proxy from the host, I'll just need inbound > access to its port and outbound access to smtp and web proxy on the host > system. No direct access from/to other hosts. > Is this possible? I think so if you make alias the jail to a new loopback interface, you can filter on that. > Next... ezjail's author suggests I have a copy of the port tree just for > the jails and, furthermore, a repository for distfiles for every jail. > Since this would waste a lot of space, I already used a single distfile > repository, but I'm also wondering whether it would be a bad idea to use > the host's port tree. I know lot of people do this and, keeping it tidy > with portsclean -CD, I wonder if it really would be a security risk in > my case. Does your daemon even use ports? If not, there is no use for the ports tree. But if you want it, you can use a combination of nullfs and unionfs to get a read-only "view" of the hosts' ports tree in the jail, while the "writes" are done in the unionfs. This means that you only have to update the hosts' ports tree, and the jail will automagically see it. Suppose the root of your jail is in /var/jails/192.168.0.100/. You do the following (in the host) to set it up: # cd /var/jails/192.168.0.100/usr # mkdir tmp/foo # mount_nullfs /usr/ports/ ports/ # mount_unionfs -o noatime tmp/foo ports/ To tear this down when you don't need it anymore, do this; # umount /var/jails/192.168.0.100/usr/ports # umount /var/jails/192.168.0.100/usr/ports # cd /var/jails/192.168.0.100/usr # rm -rf tmp/foo/* And yes, the umount command _does_ need to be run twice: once for the unionfs, and once for the nullfs! The contents of `/var/jails/192.168.0.100/usr/tmp/foo/*` are deleted to save space. > What about jails? Should I install portaudit there too and let them flood me > with reports? Is there a way to let the host's portaudit check jails too? With the nullfs/unionfs combo, you only need to update the ports tree once. You do need to update the ports in your jail with e.g. portmaster. Roland -- R.F.Smith http://rsmith.home.xs4all.nl/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) pgpzGRyvo31AX.pgp Description: PGP signature
Re: Best practices about Jails
On Wed, 04 Apr 2012 09:06:25 -0500, wrote: Firewall in a jail will not work. Only the host firewall has access to the network. Jailsv2 allows your own firewall in the jail. You get a full network stack. This is not supported by ezjails, and should still be marked rather EXPERIMENTAL but isn't. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Best practices about Jails
Andrea Venturoli wrote: Hello. Plase forgive the long post and the amount of questions, but I'm new to jails and I'd like to be sure of what I'm doing before deploying more than a test one. Right now I need to run a commercial Java app, which, ideally, I would forbid to access files outside its directory. This might be done by simple chrooting it, but I read a jail is a better solution, so I started with ezjails. First of all, I'm wondering whether it would be possible/useful to use chroot even inside that jail. Any opinions? Possible yes, useful not at all. Second question: from inside the jail I can access all services on localhost (eg. telnet localhost pop3, where a pop3 server is running on the host). Can this be avoided, e.g. with ipfw? Ideally, since this jail will run only one deamon and it will be accessed through Apache mod_proxy from the host, I'll just need inbound access to its port and outbound access to smtp and web proxy on the host system. No direct access from/to other hosts. Is this possible? Firewall in a jail will not work. Only the host firewall has access to the network. Next... ezjail's author suggests I have a copy of the port tree just for the jails and, furthermore, a repository for distfiles for every jail. Since this would waste a lot of space, I already used a single distfile repository, but I'm also wondering whether it would be a bad idea to use the host's port tree. I know lot of people do this and, keeping it tidy with portsclean -CD, I wonder if it really would be a security risk in my case. This is overkill. I single ports tree on the host is fine. Matter of fact I use packages for everything accept for php which I have to compile in apache module. I even pre-install all of php's dependents as packages before doing "make install" on the php port. As far as portsclean goes its only for the paranoid. Finally (for now :): I usually install portaudit and receive every day a report about vulnerabilities in the host system's installed ports. What about jails? Should I install portaudit there too and let them flood me with reports? Is there a way to let the host's portaudit check jails too? If you dont have full ports tree in the jail then no need for portaudit in the jail. I'm sure I'll have other questions in some days... Thanks in advance for now to anyone who will answer. Best practices is not to create a jail environment by hand as documented in the Freebsd handbook. The port utility qjail simplifies and automates the process to the point where you dont even have to know about the jail command. http://qjail.sourceforge.net/ use the port version for 8.x & 9.0 bye av. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Best practices about Jails
Hello. Plase forgive the long post and the amount of questions, but I'm new to jails and I'd like to be sure of what I'm doing before deploying more than a test one. Right now I need to run a commercial Java app, which, ideally, I would forbid to access files outside its directory. This might be done by simple chrooting it, but I read a jail is a better solution, so I started with ezjails. First of all, I'm wondering whether it would be possible/useful to use chroot even inside that jail. Any opinions? Second question: from inside the jail I can access all services on localhost (eg. telnet localhost pop3, where a pop3 server is running on the host). Can this be avoided, e.g. with ipfw? Ideally, since this jail will run only one deamon and it will be accessed through Apache mod_proxy from the host, I'll just need inbound access to its port and outbound access to smtp and web proxy on the host system. No direct access from/to other hosts. Is this possible? Next... ezjail's author suggests I have a copy of the port tree just for the jails and, furthermore, a repository for distfiles for every jail. Since this would waste a lot of space, I already used a single distfile repository, but I'm also wondering whether it would be a bad idea to use the host's port tree. I know lot of people do this and, keeping it tidy with portsclean -CD, I wonder if it really would be a security risk in my case. Finally (for now :): I usually install portaudit and receive every day a report about vulnerabilities in the host system's installed ports. What about jails? Should I install portaudit there too and let them flood me with reports? Is there a way to let the host's portaudit check jails too? I'm sure I'll have other questions in some days... Thanks in advance for now to anyone who will answer. bye av. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Email issues, relay failure, perhaps Jails is causing it.
Does anybody have an idea on how to clear the bruteforCE TABLE ON PFCTL ? An adaptive fw or pftcl device is blocking some of my email? Thanks -Original Message- From: Bernt Hansson [mailto:b...@bananmonarki.se] Sent: Sunday, February 26, 2012 2:20 AM To: Bender, Chris Cc: freebsd-questions@freebsd.org Subject: Re: Email issues, relay failure, perhaps Jails is causing it. 2012-02-26 00:54, Bender, Chris skrev: > Hi Brent > > Yes the system we are calling X, is jailed by another system. > > Here is the jailer system: > > zs1# netstat -aptcp | grep smtp > tcp4 0 0 tools2.smtp10.156.31.20.45081 > SYN_RCVD > tcp4 0 0 tools2.smtp*.* LISTEN > tcp4 0 0 rt3.smtp *.* LISTEN > tcp4 0 0 npims.smtp *.* LISTEN > tcp4 0 0 wiki.smtp *.* LISTEN > tcp4 0 0 localhost.smtp *.* LISTEN Here is about jails; http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Email issues, relay failure, perhaps Jails is causing it.
Hello Can anybody assist me with pfctl on freebsd? I have pfctl running as adaptive. It is blocking some smtp mail. I am uncertain about flushing the states or machining some of the TIMEWAITING constraints go away. Which is really blocking my email. Can anyone assist? Thanks -Original Message- From: Bernt Hansson [mailto:b...@bananmonarki.se] Sent: Sunday, February 26, 2012 2:20 AM To: Bender, Chris Cc: freebsd-questions@freebsd.org Subject: Re: Email issues, relay failure, perhaps Jails is causing it. 2012-02-26 00:54, Bender, Chris skrev: > Hi Brent > > Yes the system we are calling X, is jailed by another system. > > Here is the jailer system: > > zs1# netstat -aptcp | grep smtp > tcp4 0 0 tools2.smtp10.156.31.20.45081 > SYN_RCVD > tcp4 0 0 tools2.smtp*.* LISTEN > tcp4 0 0 rt3.smtp *.* LISTEN > tcp4 0 0 npims.smtp *.* LISTEN > tcp4 0 0 wiki.smtp *.* LISTEN > tcp4 0 0 localhost.smtp *.* LISTEN Here is about jails; http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Email issues, relay failure, perhaps Jails is causing it.
--As of February 26, 2012 8:20:14 AM +0100, Bernt Hansson is alleged to have said: http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r --As for the rest, it is mine. This is my strong suspicion as well. To separate out what the problem is: 'su' to root in the jailed system. Shut down postfix. (`postfix stop`, or `/etc/rc.d/postfix stop`) Then run `nc -l 25`. This will echo anything that comes in on port 25 direct to your terminal. Then try telneting to it. If it works, the problem is postfix. If it doesn't, restart postfix and ignore it: It's not the problem. Daniel T. Staal --- This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law. --- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Email issues, relay failure, perhaps Jails is causing it.
2012-02-26 00:54, Bender, Chris skrev: Hi Brent Yes the system we are calling X, is jailed by another system. Here is the jailer system: zs1# netstat -aptcp | grep smtp tcp4 0 0 tools2.smtp10.156.31.20.45081 SYN_RCVD tcp4 0 0 tools2.smtp*.*LISTEN tcp4 0 0 rt3.smtp *.*LISTEN tcp4 0 0 npims.smtp *.*LISTEN tcp4 0 0 wiki.smtp *.*LISTEN tcp4 0 0 localhost.smtp *.*LISTEN Here is about jails; http://www.uk.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html Have you tried to telnet into the other jailed hostnames and ip-addresses, like telnet rt3.* 25 What does it say? Can you connect? There seems to be either a jail problem or a routing problem You can look at your routing table with netstat -r ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Email issues, relay failure, perhaps Jails is causing it.
Hi Brent Yes the system we are calling X, is jailed by another system. Here is the jailer system: zs1# netstat -aptcp | grep smtp tcp4 0 0 tools2.smtp10.156.31.20.45081 SYN_RCVD tcp4 0 0 tools2.smtp*.*LISTEN tcp4 0 0 rt3.smtp *.*LISTEN tcp4 0 0 npims.smtp *.*LISTEN tcp4 0 0 wiki.smtp *.*LISTEN tcp4 0 0 localhost.smtp *.*LISTEN I see smtp running on several systems it has jailed including system X. I see above a smtp conversation between system X and 10.156.31.20. But that is never delivered from what I have seen. I am not sure about the queues Or how to see in postfix what exactly is happening? I think a lot of this stopped working after we rebooted the jailer system. Jails really should have no affect on This it is a virtual machine essentially, at least that is my thoughts. What happen to your thought that snmp needs to run as a non mailer system? Thanks regards -Original Message- From: Bernt Hansson [mailto:b...@bananmonarki.se] Sent: Saturday, February 25, 2012 6:11 PM To: Bender, Chris Cc: freebsd-questions@freebsd.org; Jon Radel Subject: Re: Email issues, relay failure 2012-02-25 23:29, Bender, Chris skrev: > Hi Brent, > Thanks for that, I am still digesting it. > > tools2# uname -a > FreeBSD tools2 8.2-RELEASE-p2 FreeBSD 8.2-RELEASE-p2 # > > So I put a 0 in the first two octets of the ip address below, but > that IP address is A. > I am not sure what that means. I was horsing around and tried to start > sendmail On X then I tried to send an email from A. I have no idea > what all that means. > > Here is netstat results: > netstat: kvm not available: /dev/mem: No such file or directory > tcp4 0 0 tools2.smtp0.0.81.10.33679 SYN_RCVD > tcp4 0 0 tools2.smtp*.* LISTEN Ok. I'm stabbing in the dark here, but didn't you say that X was a jail system? Is every postfix process in a jail? I have never used a jailed system. So my WILD guess it's a something with jail, or jail setup. > What is non $mail_owner privileges or how to determine that? > > tools2# postconf -d | grep mail_version mail_version = 2.7.0 > milter_macro_v = $mail_name $mail_version > > I am still not sure about the non mail owner issue yet, but I would > think because this has run in the past that it wouldn't have changed. > And how do I run smtp as a non mail user when I am root? > > Hopfully we are getting somewhere. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails V2, VIMAGE, and integration in the base system
On Feb 4, 2012, at 10:45 AM, Hugo Silva wrote: > On 02/03/12 17:02, Devin Teske wrote: >> Please give this a try: >> >> http://druidbsd.sf.net/vimage.shtml >> http://druidbsd.sf.net/download.shtml >> > > Hi, > > Interesting. > > Is it safe to run in production (VIMAGE/vnets) ? I can't speak to every application, release, or even purpose, but we've been using between 2 and 3 dozen vimages for various purposes without problem on 8.1-RELEASE-p6 (just haven't got around to updating to -p7 which is lated RELENG_8_1 security patch). We've been running amd64 hosts with both amd64 and i386 jails. Doing compiler builds, using them as web servers, shell servers, bastion's, gateways, proxies (both shell and web), and even for running legacy releases of FreeBSD (running 4.11 i386 on an amd64 8.1 host). So the VIMAGE/vnets support seems pretty stable in 8.1-RELEASE. Oh, we did have to MFC SVN r207194 to fix a bug in sys/net/rtsock.c when running i386 route(8) in VIMAGE under amd64 host. Though you don't have to apply the patch, as the workaround was simple -- copy the host's amd64 route(8) over vimage's i386 one. That's really the only bug we ever hit, but your mileage may vary. We've been generally very happy with VIMAGE/vnets so far. Now, with respect to the script being production ready, I'd say yes with one minor nit... Unnecessarily starting/stopping vimages after boot is bad for two reasons: 1. In 8.1-RELEASE there's an necessary loss in VM pages everytime you remove a vimage jail with "jail -r" (this has been fixed in later releases). 2. The Ethernet HW address auto-calculations performed in my script are based on the order in which vimages are started and stopped. This is easily overcome by setting the HW address in the ifconfig_* line within rc.conf(5) (within the vimage rootdir). -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails V2, VIMAGE, and integration in the base system
On 02/03/12 17:02, Devin Teske wrote: Please give this a try: http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml Hi, Interesting. Is it safe to run in production (VIMAGE/vnets) ? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jails V2, VIMAGE, and integration in the base system
Hugo Silva wrote: Hello, I didn't find much about jails v2 + epair + vimage on google; The FreeBSD wiki pages concerning this subject seem fairly outdated (that or not much has happened in 3 years), and the manpages don't mention much about vimage/vnet. According to http://ivoras.net/freebsd/freebsd8.html it should be in FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not integrated in the base system and information/documentarion is scarse, few will use it. Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 years old. My question is, how wise would it be to attempt to use these features in production? IMO this is very interesting stuff, having these things integrated would be a worthy addition to FreeBSD. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org" Yes VIMAGE & Jails are part of the 8.x releases. Jail is in the base release in its manual form and you have to recompile the kernel to enable VIMAGE which is labeled experimental. Jails are used in many production environments managed by the sysutil/qjail port but use VIMAGE at your own risk. Have no info on epair. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
RE: Jails V2, VIMAGE, and integration in the base system
> -Original Message- > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd- > questi...@freebsd.org] On Behalf Of Hugo Silva > Sent: Friday, February 03, 2012 8:17 AM > To: freebsd-questions@freebsd.org > Subject: Jails V2, VIMAGE, and integration in the base system > > Hello, > > I didn't find much about jails v2 + epair + vimage on google; The > FreeBSD wiki pages concerning this subject seem fairly outdated (that or > not much has happened in 3 years), and the manpages don't mention much > about vimage/vnet. > > According to http://ivoras.net/freebsd/freebsd8.html it should be in > FreeBSD 8.0 (VIMAGE, Jails v2), and maybe it is, but if it's not > integrated in the base system and information/documentarion is scarse, > few will use it. > > > Found this: http://www.freebsd.org/cgi/query-pr.cgi?pr=142972 - nearly 2 > years old. > > > My question is, how wise would it be to attempt to use these features in > production? IMO this is very interesting stuff, having these things > integrated would be a worthy addition to FreeBSD. Please give this a try: http://druidbsd.sf.net/vimage.shtml http://druidbsd.sf.net/download.shtml -- Devin _ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"