Re: Jail with public IP alias
On 29/08/2013 02:08, Alejandro Imass wrote:
> On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>> On 28/08/2013 19:42, Patrick wrote:
>>> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aim...@yabarana.com> wrote:
>>>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>>>> [...]
>>
>> Sorry guys - I had no intention of upsetting the EzJail fan club!
>
> No worries there, I just think it's an awesome tool. We used plain old jails before, and we even went through the service jail path once, but EzJail is a lot more than just lightweight easy-to-use jailing.
>
>> The fact remains that I've tried to recreate this problem on what comes to a similar set-up, but without EzJail, and I can't. I've only tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely understood what you were saying about it doing weird stuff outside a jail, but my point is that this may or may not be related.
>
> Actually you can replicate it easily. Assign a number of IPs to any interface but that the interface has a default route. It will always use the primary or default IP on the other end. You can probably see this effect even on a private network provided all the aliases route through the same gateway. You will not be able to see this effect using aliases on the loopback AFAIK.
>
>> You don't say what version you're running. I can try and recreate it on another version.
>
> It doesn't matter, it's a very basic network issue with aliases in FreeBSD, Linux and other OSs. Look here:
>
> http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour
>
> I would like to know how people deal with this on FBSD

Okay, I'm trying here.

I tried to recreate it thus:

b1# ifconfig
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:21:9b:fd:30:8b
        inet xx.yy.41.196 netmask 0xffffffc0 broadcast xx.yy.41.255
        inet xx.yy.41.197 netmask 0xffffffff broadcast xx.yy.41.197
        inet xx.yy.41.198 netmask 0xffffffff broadcast xx.yy.41.198
        inet xx.yy.41.199 netmask 0xffffffff broadcast xx.yy.41.199
        inet xx.yy.41.200 netmask 0xffffffff broadcast xx.yy.41.200
        inet xx.yy.41.201 netmask 0xffffffff broadcast xx.yy.41.201
        inet xx.yy.41.202 netmask 0xffffffff broadcast xx.yy.41.202
        inet xx.yy.41.203 netmask 0xffffffff broadcast xx.yy.41.203
        inet xx2.yy2.76.62 netmask 0xffffffc0 broadcast xx2.yy2.76.63
        inet xx.yy.41.207 netmask 0xffffffff broadcast xx.yy.41.207
        inet xx.yy.41.206 netmask 0xffffffff broadcast xx.yy.41.206
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
etc...

Then:

b1# ssh -b xx.yy.41.197 b2 -l myname

Open new session and...

b1# ssh -b xx.yy.41.198 b2 -l myname

Open new session and...

b1# ssh -b xx.yy.41.199 b2 -l myname

And so on.

Then on b2:

b2# w -n
 9:43AM  up 803 days, 22:47, 5 users, load averages: 0.07, 0.06, 0.02
USER     TTY      FROM                    LOGIN@  IDLE WHAT
myname   p0       ns0.domainname.org.uk   9:28AM    14 -csh (csh)
myname   p1       ns1.domainname.net      9:29AM    14 -csh (csh)
myname   p5       xx.yy.41.199            9:29AM    13 -csh (csh)
myname   p6       xx.yy.41.201            9:30AM     - w -n
myname   p7       xx.yy.41.207            9:30AM    11 -csh (csh)

The only problem I can see there is that the -n option isn't working on w! I'll look into that. The reverse lookups match the IP addresses dialled in on. b2 has the same sshd bound to all IP addresses, incidentally. b1 has more than one interface, but all the IP addresses I used are on the same one.

My guess, if you're not getting this, is that you're configuring the aliases in a different way, so the output of ifconfig might help, even if it just convinces me the netmask is correct and stops me worrying. I've obviously obfuscated the first part of mine.

Or have I misunderstood the problem?

Regards, Frank.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Jail with public IP alias
On 29/08/2013 09:52, Frank Leonhardt wrote:
> On 29/08/2013 02:08, Alejandro Imass wrote:
>> [...]
>
> [...]
>
> Or have I misunderstood the problem?
>
> Regards, Frank.

P.S. Just for completeness:

b1# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            xx.yy.41.193       UGS    112374 7203472736   bge0
etc...

The default route does go through that interface.
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
> On 29/08/2013 09:52, Frank Leonhardt wrote:
>> [...]

Hi Frank, thanks for taking the time to try to replicate this. Here is all the detailed info:

8.1-RELEASE

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:31:88:bd:b9:3a
        inet xxx.yyy.52.74 netmask 0xffffff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.70 netmask 0xffffff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.71 netmask 0xffffff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.73 netmask 0xffffff80 broadcast xxx.yyy.52.127
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

I use rc.conf standard practice for aliases:

ifconfig_em0="inet xxx.yyy.52.74 netmask 255.255.255.128 -tso"
ifconfig_em0_alias0="inet xxx.yyy.52.70 netmask 255.255.255.128 -tso"
ifconfig_em0_alias1="inet xxx.yyy.52.71 netmask 255.255.255.128 -tso"
ifconfig_em0_alias2="inet xxx.yyy.52.73 netmask 255.255.255.128 -tso"

nune# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            xxx.yyy.52.1       UGS       168  182183463    em0
127.0.0.1          link#4             UH          0          0    lo0
[... internal aliases to lo0 here...]
xxx.yyy.52.0/25    link#1             U           0      68581    em0
xxx.yyy.52.70      link#1             UHS         0      14363    lo0
xxx.yyy.52.71      link#1             UHS         0      64765    lo0
xxx.yyy.52.73      link#1             UHS         0          0    lo0
xxx.yyy.52.74      link#1             UHS         0      29170    lo0

Note the Netif/Expire columns on 71, 73, 74 are showing lo0; could this be the problem?

nune# ssh -b xxx.yyy.52.71 foo@bar
Password:
w -n
 3:15PM  up 130 days, 22:30, 3 users, load averages: 0.00, 0.02, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
[...]
foo      pts/24   xxx.yyy.52.74     3:14PM     - w -n

I don't know why mine is showing 74; from your example it should be showing 71.

Did you see the article below?

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

This seems to be a pretty common issue, or is it just a misconfiguration problem?

Thanks!

Alejandro Imass
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass <aim...@yabarana.com> wrote:
> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>> On 29/08/2013 09:52, Frank Leonhardt wrote:
>>> [...]
>
> Hi Frank, thanks for taking the time to try to replicate this. Here is all the detailed info:
>
> [...]
>
> I use rc.conf standard practice for aliases:
>
> ifconfig_em0="inet xxx.yyy.52.74 netmask 255.255.255.128 -tso"
> ifconfig_em0_alias0="inet xxx.yyy.52.70 netmask 255.255.255.128 -tso"
> ifconfig_em0_alias1="inet xxx.yyy.52.71 netmask 255.255.255.128 -tso"
> ifconfig_em0_alias2="inet xxx.yyy.52.73 netmask 255.255.255.128 -tso"
>
> [...]
>
> This seems to be a pretty common issue, or is it just a misconfiguration problem?

Aliases should have a netmask of 255.255.255.255. What you're seeing is not typical behaviour on FreeBSD.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html

Patrick
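Patrick's pointer to the Handbook is easy to check mechanically before rebooting a box. The script below is an added example, not code from this thread or from FreeBSD: it parses ifconfig(8) output, flags every alias that sits inside the primary address's subnet without the 0xffffffff (255.255.255.255) netmask, and emits the rc.conf lines that would configure the aliases the way the Handbook describes. The ifconfig text, MAC address and interface names it runs on are constructed (RFC 5737 documentation addresses) and modelled on the em0 configuration quoted above; it goes slightly beyond that case by also carrying an alias on a different subnet, which the thread says is unaffected and which the lint therefore leaves alone.

```python
"""Lint ifconfig(8) output for IPv4 aliases on the primary address's subnet
that lack the 255.255.255.255 netmask the FreeBSD Handbook prescribes, and
emit corrected rc.conf lines. Added example, not code from the thread."""
import ipaddress
import re

# Constructed ifconfig output (RFC 5737 addresses, documentation MAC) modelled
# on the em0 configuration posted in the thread: .70 is an alias carrying the
# subnet's /25 mask (the problem), .71 is a correct /32 alias, and
# 198.51.100.9 is an alias on a different subnet (fine as it is).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:00:5e:00:53:01
        inet 192.0.2.74 netmask 0xffffff80 broadcast 192.0.2.127
        inet 192.0.2.70 netmask 0xffffff80 broadcast 192.0.2.127
        inet 192.0.2.71 netmask 0xffffffff broadcast 192.0.2.71
        inet 198.51.100.9 netmask 0xffffffc0 broadcast 198.51.100.63
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

IFACE_RE = re.compile(r"^(?P<name>[a-z]+\d+):\s+flags=")
INET_RE = re.compile(
    r"^\s*inet\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+netmask\s+(?P<mask>0x[0-9a-fA-F]{8})\b"
)


def parse_ifconfig(text):
    """Return {iface: [(address, netmask_int), ...]} in ifconfig's order; the
    first inet entry on an interface is its primary address."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            ifaces[current] = []
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            ifaces[current].append((m.group("addr"), int(m.group("mask"), 16)))
    return ifaces


def dotted(mask_int):
    """0xffffff80 -> '255.255.255.128'."""
    return str(ipaddress.ip_address(mask_int))


def lint_aliases(entries):
    """Return [(alias, netmask_hex)] for aliases inside the primary address's
    subnet that are not configured as /32."""
    if not entries:
        return []
    primary_addr, primary_mask = entries[0]
    primary_net = ipaddress.ip_network(
        f"{primary_addr}/{dotted(primary_mask)}", strict=False)
    findings = []
    for addr, mask in entries[1:]:
        if mask != 0xFFFFFFFF and ipaddress.ip_address(addr) in primary_net:
            findings.append((addr, f"{mask:#010x}"))
    return findings


def rc_conf_lines(iface, entries, extra=""):
    """rc.conf(5) lines for the interface with every alias on a /32; `extra`
    is appended to each line (e.g. ' -tso' as in the thread)."""
    primary_addr, primary_mask = entries[0]
    lines = [f'ifconfig_{iface}="inet {primary_addr} netmask {dotted(primary_mask)}{extra}"']
    for n, (addr, _) in enumerate(entries[1:]):
        lines.append(f'ifconfig_{iface}_alias{n}="inet {addr} netmask 255.255.255.255{extra}"')
    return lines


if __name__ == "__main__":
    for iface, entries in parse_ifconfig(SAMPLE_IFCONFIG).items():
        for addr, mask in lint_aliases(entries):
            print(f"{iface}: alias {addr} has netmask {mask}; expected 0xffffffff")
        if len(entries) > 1:
            print("\n".join(rc_conf_lines(iface, entries, " -tso")))
```

On a live host, feed it `ifconfig -a` output instead of the constructed sample; the lint only considers IPv4 `inet` lines and takes the first address on each interface as the primary, which matches the order ifconfig prints them in.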
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 5:07 PM, Patrick <gibblert...@gmail.com> wrote:
> On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass <aim...@yabarana.com> wrote:
>> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>> On 29/08/2013 09:52, Frank Leonhardt wrote:
> [...]
>
> Aliases should have a netmask of 255.255.255.255. What you're seeing is not typical behaviour on FreeBSD.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html
>
> Patrick

Thanks for pointing this out, the manual is effectively very clear on this. So, I changed the masks for ALL the aliases on that server to /32. It alone has more than 30 aliases on lo0 and 4 public IPs. I tested and it still has the same problem. So I rebooted just in case and the problem still persists:

$ ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:30:48:bd:b9:1a
        inet xxx.yyy.52.74 netmask 0xffffff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.70 netmask 0xffffffff broadcast xxx.yyy.52.70
        inet xxx.yyy.52.71 netmask 0xffffffff broadcast xxx.yyy.52.71
        inet xxx.yyy.52.73 netmask 0xffffffff broadcast xxx.yyy.52.73
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

$ ssh -b xxx.yyy.52.70 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
foo      pts/14   xxx.yyy.52.74     7:58PM     - w -n

$ ssh -b xxx.yyy.52.71 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
foo      pts/14   xxx.yyy.52.74     7:58PM     - w -n

$ ssh -b xxx.yyy.52.73 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
foo      pts/14   xxx.yyy.52.74     7:58PM     - w -n

I don't understand why I get different results than yours and Frank's. We run a pretty standard set-up, so why is this not working for us? Could it be because we turned off TSO on the NIC?

One of you asked about NAT. We are using natd to NAT some public ports to other ports on the private IPs that are aliases of lo0. This is for the jails that don't have public IPs; we just forward some ports to the jail's ports like this, for example:

redirect_port tcp 192.168.101.123:22 12322
redirect_port tcp 192.168.101.123:80 12380

Could this have an effect on OUTBOUND connections?? Seems unlikely to me, but I think one of you asked about NAT, I suspect for a good reason. I'll turn off the NATting temporarily and test.

Best,

--
Alejandro Imass
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 7:53 PM, Alejandro Imass <aim...@yabarana.com> wrote:
> On Thu, Aug 29, 2013 at 5:07 PM, Patrick <gibblert...@gmail.com> wrote:
>> On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass <aim...@yabarana.com> wrote:
>>> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>>> On 29/08/2013 09:52, Frank Leonhardt wrote:
>> [...]
>>
>> Aliases should have a netmask of 255.255.255.255. What you're seeing is not typical behaviour on FreeBSD.
>
> [...]
>
> One of you asked about NAT. We are using natd to NAT some public ports to other ports on the private IPs that are aliases of lo0. This is for the jails that don't have public IPs; we just forward some ports to the jail's ports like this, for example:
>
> redirect_port tcp 192.168.101.123:22 12322
> redirect_port tcp 192.168.101.123:80 12380
>
> Could this have an effect on OUTBOUND connections?? Seems unlikely to me, but I think one of you asked about NAT, I suspect for a good reason. I'll turn off the NATting temporarily and test.

I can confirm that the culprit was natd. Now the question becomes: why does natd affect the source IP for an outbound connection?? Is there a way to fix it and keep natd?

Seems that Patrick's NAT hunch in his first reply was right on the money.

Thanks,

--
Alejandro Imass
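The thread leaves the "why" open, so it is worth spelling out. When natd(8) is pointed at an interface (`-n em0` on the command line, or `interface em0` in natd.conf), it takes that interface's primary address as its aliasing address and rewrites the source of every outbound packet the ipfw divert rule hands it, whatever local address the socket was bound to with `-b`; the `-u` / `-unregistered_only` option restricts the rewrite to RFC 1918 sources, which is all the lo0-aliased jails behind `redirect_port` need. The following is an added example, not code from the thread or from natd itself: a small model of that decision, run over a constructed natd.conf that keeps the two `redirect_port` lines posted above and uses documentation addresses (192.0.2.74 and .71 standing in for the obfuscated xxx.yyy.52.74 and .71). The `interface em0`, `use_sockets` and `same_ports` lines are assumptions, as is the host's primary address table; the model omits ipfw divert rules and libalias connection state.

```python
"""Model of natd(8)'s source rewriting, added here to illustrate the thread's
finding; not code from the thread or from natd. The real daemon only sees
packets an ipfw divert rule sends it and keeps per-connection state in
libalias, both of which this model omits."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges: what natd(8) calls "unregistered" source addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the host's primary address per interface
# (192.0.2.74 plays the role of the thread's obfuscated xxx.yyy.52.74).
PRIMARY_ADDRESS = {"em0": "192.0.2.74"}

# Constructed natd.conf: 'interface em0', use_sockets and same_ports are
# assumed; the two redirect_port lines are the ones posted in the thread.
CONF_AS_POSTED = """\
interface em0
use_sockets yes
same_ports yes
redirect_port tcp 192.168.101.123:22 12322
redirect_port tcp 192.168.101.123:80 12380
"""

# The same file with natd told to leave registered (public) sources alone.
CONF_UNREGISTERED_ONLY = CONF_AS_POSTED + "unregistered_only yes\n"


@dataclass
class NatdConfig:
    alias_address: str = ""
    unregistered_only: bool = False
    # (proto, public port) -> (inside address, inside port)
    redirects: dict = field(default_factory=dict)


def parse_natd_conf(text, primary_by_iface=PRIMARY_ADDRESS):
    """Parse the subset of natd.conf options used here: one 'option value'
    per line, '#' starts a comment."""
    cfg = NatdConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "interface":
            # natd derives its aliasing address from the interface's primary address
            cfg.alias_address = primary_by_iface[args[0]]
        elif key == "alias_address":
            cfg.alias_address = args[0]
        elif key == "unregistered_only":
            cfg.unregistered_only = args[0].lower() == "yes"
        elif key == "redirect_port":
            proto, target, public_port = args
            inside_addr, inside_port = target.rsplit(":", 1)
            cfg.redirects[(proto, int(public_port))] = (inside_addr, int(inside_port))
        # use_sockets, same_ports etc. do not affect address selection; ignored
    return cfg


def is_unregistered(addr):
    """True for RFC 1918 (private) addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def outbound_source(cfg, src):
    """Source address the remote end sees for an outbound packet natd handles.
    Without unregistered_only every source is rewritten to the alias address,
    which is why 'ssh -b <alias>' still arrived from the primary."""
    if cfg.unregistered_only and not is_unregistered(src):
        return src
    return cfg.alias_address


def inbound_destination(cfg, proto, dst_port):
    """Where an inbound packet to alias_address:dst_port is delivered: the
    redirect_port target if one matches, otherwise the host itself."""
    return cfg.redirects.get((proto, dst_port), (cfg.alias_address, dst_port))


if __name__ == "__main__":
    for label, text in (("as posted", CONF_AS_POSTED),
                        ("unregistered_only", CONF_UNREGISTERED_ONLY)):
        cfg = parse_natd_conf(text)
        print(f"[{label}] ssh -b 192.0.2.71 leaves as {outbound_source(cfg, '192.0.2.71')}")
        print(f"[{label}] jail 192.168.101.123 leaves as {outbound_source(cfg, '192.168.101.123')}")
        print(f"[{label}] inbound tcp/12322 goes to {inbound_destination(cfg, 'tcp', 12322)}")
```

The other lever, not modelled here, is the ipfw divert rule itself: natd only rewrites what that rule diverts, so a rule limited to the private source range has the same effect as `unregistered_only` for these jails. Either way, check the result the way the thread did, with `ssh -b <alias>` and `w -n` on the far end.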
Re: Jail with public IP alias
On 28/08/2013 00:19, Patrick wrote:
> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass <aim...@yabarana.com> wrote:
>> On Tue, Aug 27, 2013 at 6:28 PM, Patrick <gibblert...@gmail.com> wrote:
>>> That's not the behaviour I see. My jail has a private and public IP.
>>
>> Hi Patrick, thanks for your reply. The issue is actually more basic and it's because the same network card has multiple IPs on the same subnet, so the routing table always chooses the primary IP assigned to that interface. I'm trying to figure out if I can fix it in the routing table or will need IPFW to re-write the source address.
>>
>> Thanks,
>>
>> --
>> Alejandro Imass
>
> Hi Alejandro,
>
> That's how I've got things set up, too, but I'm not seeing the same behaviour. So I was wondering if there was something different about your setup such as using NAT to allow a jail with a private IP to access the internet at large.
>
> Patrick

(Tidied up so all now bottom posted)

I can confirm that you shouldn't be seeing this behaviour because I don't.

I don't use EzJail - I prefer vi. Seriously, setting up a jail is very straightforward anyway, and when I tried ezjail I found it was doing stuff I didn't like, so dropped it early on. It was a long time ago and I've forgotten the specifics. I guess if you're using it you're new to this particular game, so please excuse me pointing out a few basics here.

Although I can't exactly see how this would cause a problem, remember that many services will bind to ALL IP addresses when they start up, and if they pinch a port any subsequent jail trying to take the same one will fail. For SSH, edit /etc/ssh/sshd_config on the host OS and set the ListenAddress to the one you want to use instead of the default, which means all of them.

I can't see a mechanism that would get the results you're seeing, but I don't know what ezjail might be doing. I suspect your problem is with ezjail or something bizarre on your network config; can you try it manually?

Regards, Frank.
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
> On 28/08/2013 00:19, Patrick wrote:
>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass <aim...@yabarana.com> wrote:
>>> [...]
>
> (Tidied up so all now bottom posted)
>
> I can confirm that you shouldn't be seeing this behaviour because I don't.
>
> I don't use EzJail - I prefer vi. Seriously, setting up a jail is very straightforward anyway, and when I tried ezjail I found it was doing stuff I didn't like, so dropped it early on. It was a long time ago and I've forgotten the specifics. I guess if you're using it you're new to this particular game, so please excuse me pointing out a few basics here.

We use EzJail not because it's easy or because we're new to jails; I think you might be confused on what EzJail actually is and why people use it. We use it because we manage a private cloud exclusively based on FBSD with about a dozen servers with a couple dozen jails each. I use EzJail because it allows us to manage just shy of 300 separate environments with only a couple of sysadmins, and with optimized system resources. We use it because IT ROCKS.

> Although I can't exactly see how this would cause a problem, remember that many services will bind to ALL IP addresses when they start up, and if they
> [...]
>
> I can't see a mechanism that would get the results you're seeing, but I don't know what ezjail might be doing. I suspect your problem is with ezjail or something bizarre on your network config; can you try it manually?

After my OP I immediately sent out a second mail stating that the problem is not with Jails or EzJail and it's related to the way that aliases behave on a network interface card. When you have aliases that are on the same subnet, the source IP is the primary IP, that is, the first IP set on that network device. You can test this without jails with a simple ssh connection to another server and then typing who. Even if you force ssh to bind to a particular IP using -b it will still show the primary IP.

If you have aliases on different subnets this will not happen.

Best,

--
Alejandro Imass
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aim...@yabarana.com> wrote:
> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>> On 28/08/2013 00:19, Patrick wrote:
>>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass <aim...@yabarana.com> wrote:
>>>> [...]
>
> [...]
>
> After my OP I immediately sent out a second mail stating that the problem is not with Jails or EzJail and it's related to the way that aliases behave on a network interface card. When you have aliases that are on the same subnet, the source IP is the primary IP, that is, the first IP set on that network device. You can test this without jails with a simple ssh connection to another server and then typing who. Even if you force ssh to bind to a particular IP using -b it will still show the primary IP.
>
> If you have aliases on different subnets this will not happen.

I don't think that's true though in the case of jails. On the host system, yes, but when a jail is bound to a particular IP, outbound connections originate from that bound IP. At least they do for me in all of my experience. Still wondering if you're using NAT with your jails, as that could change things.

(FWIW, we use ezjail as well. It doesn't do anything special except make having lots of jails easy and lightweight.)

Patrick
Re: Jail with public IP alias
On 28/08/2013 19:42, Patrick wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aim...@yabarana.com> wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>> On 28/08/2013 00:19, Patrick wrote:
>>>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass <aim...@yabarana.com> wrote:
>>>>> [...]
>>
>> [...]
>>
>> When you have aliases that are on the same subnet, the source IP is the primary IP, that is, the first IP set on that network device. You can test this without jails with a simple ssh connection to another server and then typing who. Even if you force ssh to bind to a particular IP using -b it will still show the primary IP.
>>
>> If you have aliases on different subnets this will not happen.
>
> I don't think that's true though in the case of jails. On the host system, yes, but when a jail is bound to a particular IP, outbound connections originate from that bound IP. At least they do for me in all of my experience. Still wondering if you're using NAT with your jails, as that could change things.
>
> (FWIW, we use ezjail as well. It doesn't do anything special except make having lots of jails easy and lightweight.)

Sorry guys - I had no intention of upsetting the EzJail fan club!

The fact remains that I've tried to recreate this problem on what comes to a similar set-up, but without EzJail, and I can't. I've only tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely understood what you were saying about it doing weird stuff outside a jail, but my point is that this may or may not be related.

You don't say what version you're running. I can try and recreate it on another version.

Again basic, but when you set up an alias, what subnet do you use? Same subnet is ringing alarm bells here. The output of ifconfig might help.

Regards, Frank.
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 2:42 PM, Patrick <gibblert...@gmail.com> wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aim...@yabarana.com> wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>> On 28/08/2013 00:19, Patrick wrote:
>>>> [...]
>
> I don't think that's true though in the case of jails. On the host system, yes, but when a jail is bound to a particular IP, outbound connections originate from that bound IP. At least they do for me in all of my experience. Still wondering if you're using NAT with your jails, as that could change things.

Nope, no NAT. I verified what you said using the aliases in lo0 and it does in fact use the correct private IP, and that is, well, no surprise, because we rarely have jails with actual public IPs, so I didn't notice this strange behaviour before.

Actually, not so strange once you understand what's going on: it doesn't work the same using the public IP because the public IP goes through a gateway, so it's a different case. In that case it will use the primary IP assigned to the device in that subnet that goes through that routing rule.

You can test this if you want, but you will need to re-create a scenario where you have multiple IPs assigned to a physical network card that routes through a common gateway. In this case, it will use only the primary IP assigned to the network card. If you actually test it you will see it's not a jail issue, it simply works that way, and it will be consistent on a jail or the base system.

The only ways to fix this are either through the routing table or source address re-writing with IPFW or similar.

> (FWIW, we use ezjail as well. It doesn't do anything special except make having lots of jails easy and lightweight.)

It does a lot more than that! We use flavours and have pre-loaded environments for easy deployment, much like people use VMWare. For example we do a lot of development in Catalyst and it takes forever to install a working Catalyst env, which we only have to do once and then create Cat-flavoured jails in minutes. We also archive and re-instantiate jails in other servers or add more capacity in an existing env just by archiving and creating a clone jail on another server. So basically with EzJail we have our own cloud-type environment but running on the real hardware and with much more granular control. We also use Amazon AWS but not for anything that's core to the company. We do a ton of other stuff that relies on EzJail's tools, for example update one jail to test and then simply re-create that one to replace all the others.

Plain old jails will do the same thing for sure, but if you manage hundreds you'll probably wind up re-inventing EzJail in the first place.

Best,

--
Alejandro Imass
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
> On 28/08/2013 19:42, Patrick wrote:
>> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aim...@yabarana.com> wrote:
>>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>>> [...]
>
> Sorry guys - I had no intention of upsetting the EzJail fan club!

No worries there, I just think it's an awesome tool. We used plain old jails before, and we even went through the service jail path once, but EzJail is a lot more than just lightweight easy-to-use jailing.

> The fact remains that I've tried to recreate this problem on what comes to a similar set-up, but without EzJail, and I can't. I've only tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely understood what you were saying about it doing weird stuff outside a jail, but my point is that this may or may not be related.

Actually you can replicate it easily. Assign a number of IPs to any interface but that the interface has a default route. It will always use the primary or default IP on the other end. You can probably see this effect even on a private network provided all the aliases route through the same gateway. You will not be able to see this effect using aliases on the loopback AFAIK.

> You don't say what version you're running. I can try and recreate it on another version.

It doesn't matter, it's a very basic network issue with aliases in FreeBSD, Linux and other OSs. Look here:

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

I would like to know how people deal with this on FBSD.

Thanks,

--
Alejandro Imass
Re: Jail with public IP alias
On Tue, Aug 27, 2013 at 4:59 PM, Alejandro Imass aim...@yabarana.com wrote:
Hi, I have a machine with several public IPs on the same NIC and I bound one of those IPs to a jail created with EzJail. Suppose the scenario is something like this:

em0
190.100.100.1
190.100.100.2
190.100.100.3
190.100.100.4

In the jail we are bound only to 190.100.100.4. The default router is correctly set on the jail, etc. But when we ssh out of that jail, or send an email, the receiving end always sees 190.100.100.1, not 190.100.100.4, which is the IP the jail is bound to.

I think my problem is actually more basic than this. The problem actually occurs on the base system as well and I think it's because all the IPs are on the same subnet, then the kernel assumes to use the primary IP as the source address. For the sake and usefulness of the mail archives I will end this thread here and start another one with a more appropriate title, not before researching to see if this can be done with the routing table or if I need to use ipfw to re-write the source address.

Thanks,
--
Alejandro Imass
Re: Jail with public IP alias
That's not the behaviour I see. My jail has a private and public IP.

$ ifconfig bce1
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
	ether a4:ba:db:29:7a:1b
	inet 192.168.42.23 netmask 0xffffffff broadcast 192.168.42.23
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active

If I ssh into another host on the 192.168.42.0 network, I see:

$ who
patrick  ttyp1  Aug 27 15:21 (192.168.42.23)

The host of the jail has multiple IPs on that private subnet:

$ ifconfig bce1
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
	ether a4:ba:db:29:7a:1b
	inet 192.168.42.17 netmask 0xffffff00 broadcast 192.168.42.255
	inet 192.168.42.18 netmask 0xffffffff broadcast 192.168.42.18
	inet 192.168.42.19 netmask 0xffffffff broadcast 192.168.42.19
	inet 192.168.42.20 netmask 0xffffffff broadcast 192.168.42.20
	inet 192.168.42.21 netmask 0xffffffff broadcast 192.168.42.21
	inet 192.168.42.23 netmask 0xffffffff broadcast 192.168.42.23
	inet 192.168.42.24 netmask 0xffffffff broadcast 192.168.42.24
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active

Are you using NAT from your jail to the outside world?

Patrick

On Tue, Aug 27, 2013 at 2:21 PM, Alejandro Imass aim...@yabarana.com wrote:
On Tue, Aug 27, 2013 at 4:59 PM, Alejandro Imass aim...@yabarana.com wrote:
Hi, I have a machine with several public IPs on the same NIC and I bound one of those IPs to a jail created with EzJail. Suppose the scenario is something like this:

em0
190.100.100.1
190.100.100.2
190.100.100.3
190.100.100.4

In the jail we are bound only to 190.100.100.4. The default router is correctly set on the jail, etc. But when we ssh out of that jail, or send an email, the receiving end always sees 190.100.100.1, not 190.100.100.4, which is the IP the jail is bound to.

I think my problem is actually more basic than this. The problem actually occurs on the base system as well and I think it's because all the IPs are on the same subnet, then the kernel assumes to use the primary IP as the source address. For the sake and usefulness of the mail archives I will end this thread here and start another one with a more appropriate title, not before researching to see if this can be done with the routing table or if I need to use ipfw to re-write the source address.

Thanks,
--
Alejandro Imass
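Alejandro's diagnosis (all the IPs on the same subnet, so the primary gets used as source) and Patrick's ifconfig output above both turn on one question: which of an interface's addresses fall inside the primary address's subnet. The script below is an added example, not code from the thread: a POSIX sh function that reads ifconfig(8)-style "inet ADDR netmask 0xMASK" lines and classifies every address against the first (primary) one, using the primary's own mask rather than the /32 that aliases carry. The interface, addresses and masks in SAMPLE_IFCONFIG are constructed (modelled on Patrick's layout), and the function name same_subnet_aliases is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify an interface's addresses by
# whether they fall inside the primary address's subnet, from ifconfig(8)-style
# "inet ADDR netmask 0xMASK" lines. POSIX sh + awk only; no gawk extensions.

# Constructed sample, modelled on Patrick's layout: one /24 primary, two /32
# aliases inside it, and one address on a different subnet. All values are made up.
SAMPLE_IFCONFIG='bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether a4:ba:db:29:7a:1b
        inet 192.168.42.17 netmask 0xffffff00 broadcast 192.168.42.255
        inet 192.168.42.18 netmask 0xffffffff broadcast 192.168.42.18
        inet 192.168.42.23 netmask 0xffffffff broadcast 192.168.42.23
        inet 10.9.8.7 netmask 0xffffff00 broadcast 10.9.8.255
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active'

# same_subnet_aliases IFCONFIG_TEXT
# Prints one line per inet address: "ADDR primary", "ADDR same-subnet" (inside
# the primary's network, judged by the primary's mask, not the alias's /32) or
# "ADDR other-subnet".
same_subnet_aliases() {
    printf '%s\n' "$1" | awk '
    # dotted quad -> integer
    function ip2int(s,    p) {
        split(s, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    # "0xffffff00" -> integer; POSIX awk has no strtonum()
    function hex2int(h,    i, v) {
        v = 0
        h = tolower(h)
        sub(/^0x/, "", h)
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return v
    }
    # network number for a contiguous mask, without bitwise ops:
    # block = 2^(32 - prefixlen), so net = floor(ip / block) * block
    function network(ip, mask,    block) {
        block = 4294967296 - mask
        return int(ip / block) * block
    }
    $1 == "inet" && $3 == "netmask" {
        if (primary == "") {            # first inet line is the primary address
            primary = $2
            pmask = hex2int($4)
            pnet = network(ip2int($2), pmask)
            print $2, "primary"
            next
        }
        if (network(ip2int($2), pmask) == pnet)
            print $2, "same-subnet"
        else
            print $2, "other-subnet"
    }'
}

same_subnet_aliases "$SAMPLE_IFCONFIG"
```

On a live box, `same_subnet_aliases "$(ifconfig bce1)"` gives the same report for the real interface. The "same-subnet" lines are exactly the aliases this thread is about: addresses that share the primary's network and so are reachable through the same interface route and gateway as the primary.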
Re: Jail with public IP alias
On Tue, Aug 27, 2013 at 6:28 PM, Patrick gibblert...@gmail.com wrote:
That's not the behaviour I see. My jail has a private and public IP.

Hi Patrick, thanks for your reply. The issue is actually more basic and it's because the same network card has multiple IPs on the same subnet so the routing table always chooses the primary IP assigned to that interface. I'm trying to figure out if I can fix it in the routing table or will need IPFW to re-write the source address.

Thanks,
--
Alejandro Imass
Re: Jail with public IP alias
Hi Alejandro,

That's how I've got things set up, too, but I'm not seeing the same behaviour. So I was wondering if there was something different about your setup such as using NAT to allow a jail with a private IP to access the internet at large.

Patrick

On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass aim...@yabarana.com wrote:
On Tue, Aug 27, 2013 at 6:28 PM, Patrick gibblert...@gmail.com wrote:
That's not the behaviour I see. My jail has a private and public IP.

Hi Patrick, thanks for your reply. The issue is actually more basic and it's because the same network card has multiple IPs on the same subnet so the routing table always chooses the primary IP assigned to that interface. I'm trying to figure out if I can fix it in the routing table or will need IPFW to re-write the source address.

Thanks,
--
Alejandro Imass
RE: Jail question
On Fri, 01 Mar 2013, Bernt Hansson wrote:
On 2013-02-27 11:19, Bernt Hansson wrote:
2013-02-26 15:18, Teske, Devin skrev:
Yes, this is possible. When I get into work, I'll share with you the recipe

Please do share with us.

Ok, I rephrase my question. How do I install freebsd 4.9 in a jail on 8.3 amd64?

Step 1. Download the following files/directories...
bin/ catpages/ cdrom.inf compat1x/ compat22/ compat3x/ compat4x/ crypto/ dict/ doc/ games/ info/ manpages/ proflibs/
from: ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/4.9-RELEASE/
NOTE: For example, download those files/directories to /usr/repos/FreeBSD-4.9/4.9-RELEASE

Step 2. Download my jail_build script from: http://druidbsd.sourceforge.net/download.shtml#jail_build

Step 3: Run jail_build
NOTE: If you put your downloaded files in /usr/repos/FreeBSD-4.9/4.9-RELEASE then jail_build will automatically find them and present 4.9 as an option. After selecting FreeBSD-4.9, it will then prompt you to enter the root directory where to unpack the jail to. When jail_build completes, you'll have a freshly unpacked FreeBSD-4.9 in the desired root directory.

Step 4: Grab and install my vimage package: http://druidbsd.sourceforge.net/download.shtml#vimage
About: http://druidbsd.sourceforge.net/vimage.shtml

Step 5: Configure your vimage in /etc/rc.conf (see /etc/rc.conf.d/vimage for a sample). Example:
vimage_enable=YES
vimage_list=fbsd4_9
vimage_fbsd4_9_rootdir=/usr/jails/fbsd4_9
vimage_fbsd4_9_hostname=fbsd4_9
vimage_fbsd4_9_bridges=bge0
vimage_fbsd4_9_devfs_enable=YES
vimage_fbsd4_9_procfs_enable=YES

Step 6: [Pre-]configure the network interface for the vimage. Example:
chroot /usr/jails/fbsd4_9 vi /etc/rc.conf
NOTE: Since the vimage (aka vnet jail) isn't running yet, we use chroot instead of jexec. (Also note that the chroot is only for pedantic safety ... it prevents things such as "what if /etc/rc.conf is a symlink to /etc/rc.conf.other" -- without the chroot you'd accidentally edit the host machine's /etc/rc.conf.other).
Add the following:
ifconfig_ng0_fbsd4_9="inet 192.168.1.123 netmask 255.255.255.0"
defaultrouter=192.168.1.1 # or whatever fits your network
# Don't forget /etc/resolv.conf
# Don't forget to set sshd_enable=YES in rc.conf(5) if you want to be able to ssh into the vimage

Step 7: Fix some binaries in the 4.9 distribution to work under the 8.3 kernel... Download my update411binaries.sh script (should work fine for 4.9 jails too) from... http://druidbsd.sf.net/download/update411binares.sh

Step 8: Run update411binares.sh with a first argument of (for example) /usr/jails/fbsd4_9

Step 9: Fire up the vimage
service vimage start fbsd4_9

Step 10: Check things out...
jls
ssh 192.168.1.123
jexec fbsd4_9 csh
etc. etc.
--
HTH
Devin

_
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
Re: Jail question
2013-02-26 15:18, Teske, Devin skrev:
Yes, this is possible. When I get into work, I'll share with you the recipe

Please do share with us.
RE: Jail question
Got it... (script inline below)

The first (and only) argument is to be a path to a 4.11 jail's root directory. For example, if you take a FreeBSD-4 box and rsync it to /usr/jails/myold4box on a FreeBSD-8 machine, you should then execute:

update411binaries.sh /usr/jails/myold4box

Then just configure the jail and fire it up. Of course, these are vnet jails. Further instructions on http://druidbsd.sf.net/vimage.shtml with my vimage package here: http://druidbsd.sf.net/download.shtml#vimage

===
#!/bin/sh
# Copy the host's (8.x) versions of the binaries and shared libraries a 4.x
# jail needs to run under the 8.x kernel into the jail's root directory.
if [ "$( id -u )" != 0 ]; then
	echo "Must run as root!" >&2
	exit 1
fi
if [ $# -lt 1 ]; then
	echo "Usage: $0 directory" >&2
	exit 1
fi
dir="$1"
if [ ! -d "$dir" ]; then
	echo "$dir: No such file or directory" >&2
	exit 1
fi
# /bin, /sbin and /usr/bin already exist in the 4.x root; make sure the
# library directories do too before copying.
mkdir -p "$dir/libexec" "$dir/lib" "$dir/usr/lib"
for file in \
	/bin/ps \
	/libexec/ld-elf.so.1 \
	/lib/libm.so.5 \
	/lib/libkvm.so.5 \
	/lib/libc.so.7 \
	/sbin/ifconfig \
	/lib/libbsdxml.so.4 \
	/lib/libjail.so.1 \
	/lib/libsbuf.so.5 \
	/lib/libipx.so.5 \
	/sbin/route \
	/usr/bin/top \
	/lib/libncurses.so.8 \
	/usr/bin/netstat \
	/usr/lib/libmemstat.so.3 \
	/lib/libutil.so.8 \
	/usr/lib/libnetgraph.so.4 \
; do
	# -p keeps modes/ownership, -f overwrites the 4.x copy, -v shows each file
	cp -pfv "$file" "$dir$file"
done

-Original Message-
From: Bernt Hansson [mailto:b...@bananmonarki.se]
Sent: Wednesday, February 27, 2013 2:19 AM
To: Teske, Devin
Cc: questions FreeBSD
Subject: Re: Jail question

2013-02-26 15:18, Teske, Devin skrev:
Yes, this is possible. When I get into work, I'll share with you the recipe

Please do share with us.
RE: Jail question
Yes, this is possible. When I get into work, I'll share with you the recipe (I have a script called update4.sh which I run after building [or rsync'ing] a 4.x box to an 8.x box to become a vimage; note that I didn't say jail -- 4.x runs better as a VNET jail than a regular jail). We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas vnet-jail works wonders (with a couple binaries replaced, like netstat, ifconfig, ps, and top for example).
--
Devin

From: owner-freebsd-questi...@freebsd.org [owner-freebsd-questi...@freebsd.org] on behalf of Bernt Hansson [b...@bananmonarki.se]
Sent: Tuesday, February 26, 2013 5:23 AM
To: questions FreeBSD
Subject: Jail question

Hello list! I would like to install an old version of freebsd, let's say 4.6, in a jail. Is that possible? Host is 8.3-stable amd64
Re: Jail question
Bernt Hansson wrote:
I would like to install an old version of freebsd, let's say 4.6, in a jail. Is that possible? Host is 8.3-stable amd64

Things like ps won't run, but you can copy static binaries from host:/rescue to jail:/{bin,sbin} as appropriate and that helps a lot. I just installed a 5.4-RELEASE/i386 jail on a 9.1-STABLE/amd64 system. Mysqld would not run (dumped core), so I relocated that to a separate jail running 9.1-STABLE/amd64.

One gotcha I found is that while you can run an old i386 system in a jail on an amd64 host, you can't build an amd64 kernel with COMPAT_AOUT, so if you have an a.out binary from days of old, you need an i386 kernel.

Devin Teske wrote:
Yes, this is possible. When I get into work, I'll share with you the recipe (I have a script called update4.sh which I run after building [or rsync'ing] a 4.x box to an 8.x box to become a vimage; note that I didn't say jail -- 4.x runs better as a VNET jail than a regular jail). We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas vnet-jail works wonders (with a couple binaries replaced, like netstat, ifconfig, ps, and top for example).

Devin, please share your script with us all (especially me :-) )

Thanks,
Danny
Re: jail and networking
On Thu, 21 Feb 2013, Shane Ambler wrote:
It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config.

When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.

In /etc/ssh/sshd_config comment out the
ListenAddress 0.0.0.0
and
ListenAddress ::
then add
ListenAddress 10.0.0.3
service sshd restart
start your jail and try again

The jail config is fine as the jail only sees the one ip address assigned to it.

This is what fixed the problem. From the jail man page, ... The following frequently deployed services must have their individual configuration files modified to limit the application to listening to a specific IP address. It then specifically mentions ssh and sendmail.

The system I looked at runs seven jails fine without my having made that change. I am not sure why I am getting away with this, but I also thank you.
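Shane's fix above is an sshd_config change on the base system, and the evidence for the clash is the *:22 line in sockstat. The following is an added example, not code from the thread: two POSIX sh checks a jail host admin would run before and after that change. wildcard_listeners lists every TCP daemon bound to the wildcard address from sockstat(1)-style output (those already hold their port on every alias, jail addresses included), and sshd_listen_addresses reports which ListenAddress values an sshd_config actually sets, with the weak and corrected config side by side. The sockstat lines, both config fragments and the 10.0.0.254 host address are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for the sshd/jail port clash
# Shane describes. POSIX sh + awk only.

# Constructed "sockstat -4 -l" style output (column layout as sockstat(1) prints
# it): the base sshd on the wildcard address, a jail's sshd on its own IP, others.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sendmail   905   3  tcp4   127.0.0.1:25          *:*
root     sshd       1033  4  tcp4   10.0.0.3:22           *:*
www      httpd      1101  5  tcp4   *:80                  *:*'

# wildcard_listeners SOCKSTAT_TEXT
# Prints "COMMAND PORT" for every TCP socket listening on *:PORT. Each of these
# already owns that port on every address of the base system, jail aliases
# included, so a jail daemon on the same port cannot bind.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '$5 ~ /^tcp/ && $6 ~ /^\*:/ { split($6, a, ":"); print $2, a[2] }'
}

# Weak base-system sshd_config: ListenAddress left commented out, so sshd uses
# its defaults 0.0.0.0 and ::, i.e. every alias, including the jails' addresses.
WEAK_SSHD_CONFIG='Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::'

# Corrected base-system sshd_config: listen only on the host's own address.
# 10.0.0.254 is a constructed value; put the base system's real address here.
FIXED_SSHD_CONFIG='Port 22
ListenAddress 10.0.0.254'

# sshd_listen_addresses SSHD_CONFIG_TEXT
# Prints the active (uncommented) ListenAddress values, or "wildcard" if none
# is set. sshd_config keywords are case-insensitive, hence tolower().
sshd_listen_addresses() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "listenaddress" { print $2; found = 1 }
        END { if (!found) print "wildcard" }'
}

wildcard_listeners "$SAMPLE_SOCKSTAT"
sshd_listen_addresses "$WEAK_SSHD_CONFIG"
sshd_listen_addresses "$FIXED_SSHD_CONFIG"
```

On a real host, feed the functions `"$(sockstat -4 -l)"` and `"$(cat /etc/ssh/sshd_config)"`. Any daemon that wildcard_listeners reports on a port a jail also needs is a candidate for the same treatment the jail man page quoted above prescribes for sshd and sendmail: bind it to the base system's address explicitly.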
RE: jail and networking
-Original Message-
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of d...@safeport.com
Sent: Thursday, February 21, 2013 11:00 AM
To: Shane Ambler
Cc: freebsd-questions@freebsd.org; Bernt Hansson
Subject: Re: jail and networking

On Thu, 21 Feb 2013, Shane Ambler wrote:
It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config.

When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.

In /etc/ssh/sshd_config comment out the
ListenAddress 0.0.0.0
and
ListenAddress ::
then add
ListenAddress 10.0.0.3
service sshd restart
start your jail and try again

The jail config is fine as the jail only sees the one ip address assigned to it.

This is what fixed the problem. From the jail man page, ... The following frequently deployed services must have their individual configuration files modified to limit the application to listening to a specific IP address. It then specifically mentions ssh and sendmail.

The system I looked at runs seven jails fine without my having made that change. I am not sure why I am getting away with this, but I also thank you.

What I find strange is that:
1. I knew about ListenAddress w/respect to jails, but...
2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
3. Base machine and jails both work fine

Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails. The only thing I've ever noticed is that we tend to use jail_NAME_ip=iface|addr while most everybody else seems to be using jail_NAME_ip=addr.
--
Devin
Re: jail and networking
On 22/02/2013 05:52, Devin Teske wrote:
What I find strange is that:
1. I knew about ListenAddress w/respect to jails, but...
2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
3. Base machine and jails both work fine

Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails. The only thing I've ever noticed is that we tend to use jail_NAME_ip=iface|addr while most everybody else seems to be using jail_NAME_ip=addr.

We may need to expand out from that. I use jail_NAME_ip=addr but also
ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
static_routes="jaillan0"
Don't recall where I got that from but think it was an easy way to alias a number of ip's whereas ifconfig_iface_alias0 sets one ip at a time and is also deprecated.

If you use jail_NAME_ip=iface|addr does this mean you don't have ip addresses aliased to the iface on startup and they get aliased as the jail starts? That would be why sshd isn't bound to the address before.

man rc.conf for jail_jname_ip says ... Additionally each address can be prefixed by the name of an interface followed by a pipe to overwrite ... Does that mean it clears the ip from the base system and re-creates it for the jail?

I also see jail_jname_interface ... When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown. Which is what sounds like the solution to not have ip's available when sshd starts so it isn't bound to them.

Also, what sys version were these options added?
RE: jail and networking
On Thu, 21 Feb 2013, Shane Ambler wrote:
On 22/02/2013 05:52, Devin Teske wrote:
What I find strange is that:
1. I knew about ListenAddress w/respect to jails, but...
2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
3. Base machine and jails both work fine

Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails. The only thing I've ever noticed is that we tend to use jail_NAME_ip=iface|addr while most everybody else seems to be using jail_NAME_ip=addr.

We may need to expand out from that. I use jail_NAME_ip=addr but also
ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
static_routes="jaillan0"
Don't recall where I got that from but think it was an easy way to alias a number of ip's whereas ifconfig_iface_alias0 sets one ip at a time and is also deprecated.

If you use jail_NAME_ip=iface|addr does this mean you don't have ip addresses aliased to the iface on startup and they get aliased as the jail starts? That would be why sshd isn't bound to the address before.

Correct, and this was my leading theory.

man rc.conf for jail_jname_ip says ... Additionally each address can be prefixed by the name of an interface followed by a pipe to overwrite ... Does that mean it clears the ip from the base system and re-creates it for the jail?

Dunno -- I first learned about iface|addr from reading the code. It did what I wanted _and_ improved the clarity/readability of rc.conf(5) in the case of multiple jails utilizing separate interfaces on similar subnets. Thus, it was embraced.

I also see jail_jname_interface ... When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown.

Never used that setting before.

Which is what sounds like the solution to not have ip's available when sshd starts so it isn't bound to them.

Right-o.

Also, what sys version were these options added?

I would guess 8.x as we're using iface|addr in 8.1 (as previously mentioned, not using jail_jname_interface -- dunno about that one). The following URLs might be of assistance in tracking down the origins of various options:
http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail
http://svnweb.freebsd.org/base/head/etc/rc.d/jail
--
Devin
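The two rc.conf layouts Shane and Devin compare above, written out side by side as an added example (constructed for this page, not a fragment from either of them). The interface re0, the addresses, the jail names and the root directories are this example's assumptions; the variables are the ones the thread itself names (ipv4_addrs_re0, jail_NAME_ip with the iface|addr prefix, jail_jname_interface) plus the standard jail_enable, jail_list, jail_NAME_rootdir and jail_NAME_hostname settings.

```shell
# Added rc.conf example (constructed; not from the thread). re0, the addresses,
# jail names and paths are assumptions.

# Weak layout (what Shane describes): every jail address is aliased onto re0 at
# boot. A base-system sshd with no ListenAddress then binds *:22 on all of them
# before any jail starts, and the jail's own sshd cannot bind its address.
# Shown commented out, so only one layout is active in this file.
#ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"

# Corrected layout (Devin's): the base interface carries only the host address,
# and rc.d/jail adds each jail's alias when that jail starts and removes it at
# shutdown. A wildcard sshd started at boot never sees a jail address, so the
# jail's sshd binds cleanly. The interface is named either with
# jail_NAME_interface or with the "iface|addr" prefix on jail_NAME_ip.
ifconfig_re0="inet 10.0.0.254 netmask 255.255.255.0"
jail_enable="YES"
jail_list="web mail"

jail_web_rootdir="/usr/jails/web"
jail_web_hostname="web.example.net"
jail_web_interface="re0"          # alias 10.0.0.3 onto re0 at jail start
jail_web_ip="10.0.0.3"

jail_mail_rootdir="/usr/jails/mail"
jail_mail_hostname="mail.example.net"
jail_mail_ip="re0|10.0.0.4"       # same effect via the iface|addr prefix
```

Whichever layout is used, the base system's sshd should still carry an explicit ListenAddress, as the jail man page quoted earlier in this thread advises; the per-jail aliasing only removes the window in which a wildcard listener can claim the jail's address first.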
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:
Hello list! I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
32bit# ssh 10.0.0.3
ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
Host key verification failed.
jail is 8.3-STABLE i386 GENERIC
host is FreeBSD 8.3-STABLE amd64 GENERIC
I'm sure you want more info so just tell me what info.

Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?
--
Devin
Re: jail and networking
On 02/20/2013 19:42, Bernt Hansson wrote:
On 2013-02-20 17:23, Teske, Devin wrote:
On Wed, 20 Feb 2013, Bernt Hansson wrote:
Hello list! I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
32bit# ssh 10.0.0.3
ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
Host key verification failed.
jail is 8.3-STABLE i386 GENERIC
host is FreeBSD 8.3-STABLE amd64 GENERIC
I'm sure you want more info so just tell me what info.

Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?

If you mean this sshd
IsJ 0:00,00 /usr/sbin/sshd
Then no.
%ssh 10.0.0.10
ssh: connect to host 10.0.0.10 port 22: Operation timed out

I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
testbox# jexec 1 tcsh
jexec: jail_attach(1): Invalid argument
Sooo... I'm kind of out of ideas.

What does the jls command say? If you have restarted your jail, its ID most likely has changed.
Re: jail and networking
On 20/02/2013 18:23, Bernt Hansson wrote:
The ID did change, didn't know about that, thank you. But still, sshd isn't running in the jail
32bit# ps ax
 PID  TT  STAT     TIME COMMAND
2385  ??  IsJ   0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
2391  ??  SsJ   0:00,00 /usr/sbin/cron -s
2464   0  SJ    0:00,01 tcsh
2482   0  R+J   0:00,00 ps ax
testbox# ps ax | grep J
2385  ??  IsJ   0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
2391  ??  SsJ   0:00,00 /usr/sbin/cron -s
2488   0  S+    0:00,00 grep J
testbox is the host.

I assume you set up the /etc/resolv.conf? I have found that my network does not start until I have this set up.
--
Regards,
Gary J. Hayers
g...@hayers.org
PGP Signature http://www.hayers.org/pgp
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:
On 2013-02-20 17:23, Teske, Devin wrote:
On Wed, 20 Feb 2013, Bernt Hansson wrote:
Hello list! I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
32bit# ssh 10.0.0.3
ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
Host key verification failed.
jail is 8.3-STABLE i386 GENERIC
host is FreeBSD 8.3-STABLE amd64 GENERIC
I'm sure you want more info so just tell me what info.

Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?

If you mean this sshd
IsJ 0:00,00 /usr/sbin/sshd
Then no.
%ssh 10.0.0.10
ssh: connect to host 10.0.0.10 port 22: Operation timed out

I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
testbox# jexec 1 tcsh
jexec: jail_attach(1): Invalid argument
Sooo... I'm kind of out of ideas.

When you restart a jail its jid (the first argument to jexec) changes. Instead of using the jid you can use the jail name (example below):
jexec NAME tcsh
Otherwise, you're going to have to do jls to get the new jid after restarting the jail.
--
Devin
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:
On 2013-02-20 19:07, Jeff Tipton wrote:
On 02/20/2013 19:42, Bernt Hansson wrote:
On 2013-02-20 17:23, Teske, Devin wrote:
On Wed, 20 Feb 2013, Bernt Hansson wrote:
Hello list! I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
32bit# ssh 10.0.0.3
ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
Host key verification failed.
jail is 8.3-STABLE i386 GENERIC
host is FreeBSD 8.3-STABLE amd64 GENERIC
I'm sure you want more info so just tell me what info.

Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?

If you mean this sshd
IsJ 0:00,00 /usr/sbin/sshd
Then no.
%ssh 10.0.0.10
ssh: connect to host 10.0.0.10 port 22: Operation timed out

I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
testbox# jexec 1 tcsh
jexec: jail_attach(1): Invalid argument
Sooo... I'm kind of out of ideas.

What does the jls command say? If you have restarted your jail, its ID most likely has changed.

The ID did change, didn't know about that, thank you. But still, sshd isn't running in the jail
32bit# ps ax
 PID  TT  STAT     TIME COMMAND
2385  ??  IsJ   0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
2391  ??  SsJ   0:00,00 /usr/sbin/cron -s
2464   0  SJ    0:00,01 tcsh
2482   0  R+J   0:00,00 ps ax
testbox# ps ax | grep J
2385  ??  IsJ   0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
2391  ??  SsJ   0:00,00 /usr/sbin/cron -s
2488   0  S+    0:00,00 grep J
testbox is the host.

A stab in the dark, but... Did you add sshd_enable=YES to the jail's rc.conf(5)?
--
Devin
Re: jail and networking
On 02/20/2013 20:59, Teske, Devin wrote:

> [...]
>
> A stab in the dark, but...
>
> Did you add sshd_enable=YES to the jail's rc.conf(5)?

Or, from within the jail, what does service sshd status say?
Re: jail and networking
On Wed, 20 Feb 2013, Jeff Tipton wrote:

> On 02/20/2013 20:59, Teske, Devin wrote:
>
>> [...]
>>
>> A stab in the dark, but...
>>
>> Did you add sshd_enable=YES to the jail's rc.conf(5)?
>
> Or, from within the jail, what does service sshd status say?

Or from the host: sockstat | grep :22. You should see something like

  root  sshd  2016  3  tcp4  192.168.17.15:22  *:*

for each jail.
Re: jail and networking
2013-02-20 19:59, Teske, Devin wrote:

> [...]
>
> A stab in the dark, but...
>
> Did you add sshd_enable=YES to the jail's rc.conf(5)?

Yes, yes I did.

rc.conf from the jail

  #ifconfig_xl0=DHCP
  #defaultrouter=10.0.0.3
  sendmail_enable=NO
  #inetd_enable=NO
  sshd_enable=YES
  #ntpdate_enable=YES
  #ntpdate_flags=time1.stupi.se
  # -- sysinstall generated deltas -- # Mon Jan 21 01:22:37 2013
  keymap=swedish.iso
Re: jail and networking
2013-02-20 20:10, Jeff Tipton wrote:

> On 02/20/2013 20:59, Teske, Devin wrote:
>
>> [...]
>>
>> Did you add sshd_enable=YES to the jail's rc.conf(5)?
>
> Or, from within the jail, what does service sshd status say?

32bit# service sshd status
sshd is not running.
Re: jail and networking
2013-02-20 22:17, doug wrote:

> [...]
>
> Or from the host: sockstat | grep :22. You should see something like
>
>   root  sshd  2016  3  tcp4  192.168.17.15:22  *:*
>
> for each jail

testbox# sockstat | grep :22
bernt  sshd  3541  3  tcp4  10.0.0.3:22  80.x.x.x:25605
root   sshd  3539  3  tcp4  10.0.0.3:22  80.x.x.x:25605
root   sshd  1296  3  tcp6  *:22         *:*
root   sshd  1296  4  tcp4  *:22         *:*

The jail has ip 10.0.0.10. There is only one jail.
Re: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> [...]
>
> testbox# sockstat | grep :22
> bernt  sshd  3541  3  tcp4  10.0.0.3:22  80.x.x.x:25605
> root   sshd  3539  3  tcp4  10.0.0.3:22  80.x.x.x:25605
> root   sshd  1296  3  tcp6  *:22         *:*
> root   sshd  1296  4  tcp4  *:22         *:*
>
> The jail has ip 10.0.0.10. There is only one jail.

I could not see anything you are doing wrong, so here are the relevant parts of a host/jail we use for testing. I got all this by following the jail man page and/or hacking things that are working. I hope this helps. This is all on an 8.2 system.

Host config rc.conf -

  hostname=bcr.boltsys.com
  ifconfig_em0=DHCP
  sshd_enable=YES
  :
  #jail base settings
  inetd_flags=-wW -a 10.1.10.110
  rpcbind_enable=NO
  # Jail general settings
  ifconfig_em0_alias0=inet 10.1.10.111 netmask 255.255.255.255
  jail_set_hostname_allow=NO
  jail_enable=YES
  jail_interface=em0
  jail_devfs_enable=YES
  jail_procfs_enable=YES
  jail_list=webmail
  jail_webmail_rootdir=/usr/home/webmail
  jail_webmail_hostname=webmail.boltsys.com
  jail_webmail_ip=10.1.10.111

ifconfig (host)

  inet 10.1.10.111 netmask 0xffffffff broadcast 10.1.10.111
  inet 10.1.10.110 netmask 0xffffff00 broadcast 10.1.10.255

Jail config rc.conf -

  network_interfaces=
  hostname=webmail.boltsys.com
  sshd_enable=YES
  sendmail_enable=NO
  sendmail_outbound_enable=YES
  inetd_flags=-wW -a 10.1.10.111
  inetd_enable=NO
  rpcbind_enable=NO

_
Douglas Denault
http://www.safeport.com
d...@safeport.com
Voice: 301-217-9220
Fax: 301-217-9277
Re: jail and networking
It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config.

When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.

In /etc/ssh/sshd_config comment out the

  ListenAddress 0.0.0.0
  ListenAddress ::

then add

  ListenAddress 10.0.0.3

service sshd restart, start your jail and try again.

The jail config is fine as the jail only sees the one ip address assigned to it.
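The reply above attributes the jail's sshd failure to the host sshd holding port 22 on the wildcard address, which covers every alias including the jail's IP. The script below is an added example, not code from the thread or from FreeBSD, that turns that diagnosis into two repeatable checks: one parses sockstat(1)-style output for wildcard listeners on a port and reports whether a jail IP would collide with them, the other inspects an sshd_config fragment and reports whether it still binds every address (OpenSSH binds all addresses when no active ListenAddress line is present, so commented-out lines do not narrow it). The sockstat listing, the config fragments and the function names are constructed for this example; the real command on the host is `sockstat -4 -6 -l`.

```shell
#!/bin/sh
# Added example, not code from the thread: two checks for the port-22
# clash described above. Wildcard listeners on the host occupy a port on
# every address, aliases included, so a jail service wanting the same
# port on its own IP collides with them. The sockstat(1) output and the
# sshd_config fragments below are constructed to mirror the thread.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bernt    sshd       3541  3  tcp4   10.0.0.3:22           80.0.0.1:25605
root     sshd       3539  3  tcp4   10.0.0.3:22           80.0.0.1:25605
root     sshd       1296  3  tcp6   *:22                  *:*
root     sshd       1296  4  tcp4   *:22                  *:*'

# Host sshd_config before and after the change recommended above
# (constructed fragments; the "before" is OpenSSH's shipped default).
SSHD_CONFIG_BEFORE='#ListenAddress 0.0.0.0
#ListenAddress ::
Port 22'
SSHD_CONFIG_AFTER='ListenAddress 10.0.0.3
Port 22'

# wildcard_listeners PORT: read sockstat-style text on stdin and print
# "PROTO PID COMMAND" for each listening socket (foreign address *:*)
# bound to the wildcard local address on PORT.
wildcard_listeners() {
    awk -v port="$1" '
        NR > 1 && $7 == "*:*" {
            n = split($6, a, ":")                     # last piece is the port
            lport = a[n]
            addr = substr($6, 1, length($6) - length(lport) - 1)
            if (addr == "*" && lport == port) print $5, $3, $2
        }'
}

# jail_port_conflict PORT JAIL_IP: exit 0 when the sockstat text on stdin
# shows a wildcard listener on PORT in the address family of JAIL_IP,
# i.e. a jail at JAIL_IP cannot take that port until the host service is
# restricted with ListenAddress.
jail_port_conflict() {
    case "$2" in
        *:*) proto=tcp6 ;;
        *)   proto=tcp4 ;;
    esac
    wildcard_listeners "$1" | grep -q "^$proto "
}

# sshd_config_binds_all: exit 0 when the sshd_config text on stdin would
# bind every address: either no active ListenAddress line (the default)
# or one naming 0.0.0.0 or ::. Commented-out lines do not count.
sshd_config_binds_all() {
    awk '
        /^[ \t]*ListenAddress[ \t]/ {
            seen = 1
            if ($2 ~ /^0\.0\.0\.0(:[0-9]+)?$/ || $2 == "::" || $2 ~ /^\[::\]/) wild = 1
        }
        END { status = (!seen || wild) ? 0 : 1; exit status }'
}

# Stand-alone run: report on the constructed data.
main() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners 22
    if printf '%s\n' "$SAMPLE_SOCKSTAT" | jail_port_conflict 22 10.0.0.10; then
        echo "port 22 on 10.0.0.10 is shadowed by a wildcard listener on the host"
    fi
    printf '%s\n' "$SSHD_CONFIG_BEFORE" | sshd_config_binds_all && echo "before: host sshd binds all addresses"
    printf '%s\n' "$SSHD_CONFIG_AFTER" | sshd_config_binds_all || echo "after: host sshd bound to 10.0.0.3 only"
}

main "$@"
```

On a live host, feed `sockstat -4 -6 -l | wildcard_listeners 22` and `sshd_config_binds_all < /etc/ssh/sshd_config`; the same two functions apply to any other host daemon that must coexist with a jailed copy (the thread's inetd_flags -a example is the same idea for inetd).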
Re: jail v2 documentation?
On Apr 14, 2012, at 2:19 PM, Mark Felder wrote:

> On Sat, 14 Apr 2012 14:59:47 -0500, fb...@a1poweruser.com wrote:
>
>> I don't see any v2 in the jail environment. Vimage is a separate software module that is not part of the system base release. It has to be compiled into a custom kernel to be enabled and it's labeled as experimental, use at your own risk. Not something I would want in my jail environment. So the bottom line is there is no version 2 of the jail environment (IE changes to the jail command and its associate commands).
>
> Actual changes to the jail command can be found here:
> http://lists.freebsd.org/pipermail/freebsd-jail/2011-July/001568.html
>
> How to use the jails v2 is covered many places. It does indeed exist, and you can probably use the package here to get yourself started because the rc.d script for jails is not updated to handle v2 jails.
> http://druidbsd.sourceforge.net/vimage.html

The .shtml that I added in the website re-design looks nicer ^_^

http://druidbsd.sourceforge.net/vimage.shtml

I'm also planning on updating it with nice and pretty netgraph drawings. When you're using my vimage package, you can use the following command to produce a nice diagram of your network:

  sudo ngctl dot | dot -Tsvg -o $HOSTNAME-vimages.svg

Requires graphics/graphviz from ports/packages.

NOTE: I personally like SVG as it scales very nicely. Five command-line driven X11 applications that can display SVG are graphics/gimmage, graphics/gthumb, graphics/gqview, graphics/gx, and graphics/eog. Also, the latest version of every browser (including Firefox10/11, Chrome13, Safari5, and IE9) can display SVG. Latent versions of Operating Systems have built-in support as well (including Mac OS X Lion and Windows 7).

Alternatively, you can generate PNG or JPG using one of:

  sudo ngctl dot | dot -Tpng -o $HOSTNAME-vimages.png
  sudo ngctl dot | dot -Tjpg -o $HOSTNAME-vimages.jpg

I've uploaded a PNG for viewing pleasure:

http://druidbsd.sourceforge.net/download/warden0.jbsd.svg

NOTE: If you really need JPG or PNG, graphics/ImageMagick has the convert utility which is, well, almost magical in a sense (if not already hinted-at by the name). ^_^

How to read the diagram:

The pink cluster at the top-right are unused interfaces. Unused in the sense that netgraph doesn't have anything to do with them. In my graph for our FreeBSD-8.1 server named warden0.jbsd.vicor.com (it runs jails, get it? haha; and it's on the jbsd network, for jailed-bsd hosts). In the diagram, igb1 is shown as unused (it's displayed in the pink disconnected cluster -- which, if you're viewing in the browser, mousing over the cluster will display cluster_disconnected as a reminder of its purpose). This is not entirely true, it's in-use by the base-host (warden0.jbsd). The other unused item is the socket we used to dump the dot(1) graph (see ng_socket(4) and ngctl(8)).

In the SVG diagram, there are a total of 5 vimage jails running on the host, sharing one physical Ethernet port and one physical wire (flowing through the igb0 interface). The five hosts are named (in rc.conf(5)):

  kps0a_dev
  kps64a_dev
  kws82a_dev
  kws411a_dev
  kws411b_dev

All these hosts are using the same On-board Intel Gigabit (igb(4)) network interface as illustrated in the above linked-to SVG image. An ether-link is created for each vimage and hooked into a bridge that is created for the specific hardware interface. An upper-link is then created between the bridge and the hardware interface. Finally (for convenience) a lower-link is created between the bridge and the hardware interface (allowing the base host -- warden0.jbsd -- to interact with the vimages).

The links and their types are rendered in octagons and the netgraph objects are rendered as records (multi-field boxes). At the bottom-left of each record (the lower-left field) is the netgraph type. For example, at the top-left of the graph you'll see a record where the top-field is ng0_kps64a_dev: (explained below), the lower-left field is eiface, and the lower-right field is [15]:; the eiface is the netgraph type. For each of the netgraph types, such as eiface, ether, bridge, and socket, you can say man ng_{type} (for example, man ng_bridge or man ng_ether).

The aforementioned top-field of each record is the interface name visible by ifconfig(8) inside the vimage. The format is ngNN_NAME where NN is the number starting at zero for each bridged interface (regardless of which underlying hardware interface is backing the netgraph(4)-created interface) and NAME is the rc.conf(5) name of the vimage.

Here's another SVG showing a machine running 7 high-security vimages:

http://druidbsd.sourceforge.net/download/bastion.svg

We see something very different from this system. In this system, we're not utilizing bridging versus simply shoving multiple network interfaces into various vimages. In this case, each vimage is
Re: jail v2 documentation?
Mark Felder wrote:

> On Fri, 13 Apr 2012 15:18:05 -0500, fb...@a1poweruser.com wrote:
>
>> Where can I find documentation on version 2 of jail?
>
> It's quite scarce because it's still experimental. I'd look up VNET and VIMAGE. You can probably get more questions answered on the freebsd-jails@ mailing list.

I don't see any v2 in the jail environment. Vimage is a separate software module that is not part of the system base release. It has to be compiled into a custom kernel to be enabled and it's labeled as experimental, use at your own risk. Not something I would want in my jail environment. So the bottom line is there is no version 2 of the jail environment (IE changes to the jail command and its associate commands).
Re: jail v2 documentation?
On Sat, 14 Apr 2012 14:59:47 -0500, fb...@a1poweruser.com wrote:

> I don't see any v2 in the jail environment. [...] So the bottom line is there is no version 2 of the jail environment (IE changes to the jail command and its associate commands).

Actual changes to the jail command can be found here:
http://lists.freebsd.org/pipermail/freebsd-jail/2011-July/001568.html

How to use the jails v2 is covered many places. It does indeed exist, and you can probably use the package here to get yourself started because the rc.d script for jails is not updated to handle v2 jails.
http://druidbsd.sourceforge.net/vimage.html
Re: jail v2 documentation?
On Fri, 13 Apr 2012 15:18:05 -0500, fb...@a1poweruser.com wrote:

> Where can I find documentation on version 2 of jail?

It's quite scarce because it's still experimental. I'd look up VNET and VIMAGE. You can probably get more questions answered on the freebsd-jails@ mailing list.
Re: jail v2 documentation?
On Fri, 13 Apr 2012 18:01:08 -0500, Mark Felder f...@feld.me wrote:

> freebsd-jails@

My apologies; this should be singular and not plural: freebsd-jail@
Re: Jail and questions
On 03/13/12 09:15, Bernt Hansson wrote:

> Hello list
>
> I've setup a 32-bit jail on amd64 freebsd 8.2-stable. It works, sort of, but when I run portsnap extract in the jail it says
>
> Building new INDEX files...
> make_index: fopen(/dev/stdin): No such file or directory
>
> #ls /dev
> lrwxr-xr-x  1 root  wheel    12  6 Mar 02:56 log -> /var/run/log
> -rw-r--r--  1 root  wheel    76 12 Mar 23:09 null
> -rw-r--r--  1 root  wheel     0 10 Mar 03:01 stderr
> -rw-r--r--  1 root  wheel  1360  7 Mar 04:44 stdout
>
> Where is stdin?
>
> or running
>
> #ps
> ps: /boot/kernel/kernel: No such file or directory

You may have to unhide it and enable the specific rules for the jail system. I thought stdin was enabled by default, but I could be wrong.
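The listing quoted above is itself the diagnostic: in a jail whose /dev is a mounted devfs(5) with the jail ruleset applied, null, zero and random are character devices and stdin, stdout and stderr are symlinks into fd/, so a /dev containing regular files named null or stdout (76 and 1360 bytes, written to by something in the jail) is a plain directory on the jail's filesystem, not devfs. The script below is an added example, not from the thread or from FreeBSD, that reads an `ls -l` style listing of a jail's /dev and reports required nodes that are missing or present as regular files. The listing is constructed to mirror the one quoted above; the set of nodes it insists on is this example's own choice (all of them are unhidden by the devfsrules_jail ruleset shipped in /etc/defaults/devfs.rules).

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a jail's /dev from an
# ls -l listing. Regular files or missing entries where device nodes and
# fd/ symlinks should be mean devfs is not mounted in the jail
# (jail_devfs_enable / the devfs ruleset in rc.conf(5)).
# The listing below is constructed to mirror the thread's output.

SAMPLE_DEV_LISTING='lrwxr-xr-x  1 root  wheel    12  6 Mar 02:56 log -> /var/run/log
-rw-r--r--  1 root  wheel    76 12 Mar 23:09 null
-rw-r--r--  1 root  wheel     0 10 Mar 03:01 stderr
-rw-r--r--  1 root  wheel  1360  7 Mar 04:44 stdout'

# Nodes this example insists on; the devfsrules_jail ruleset exposes
# these (and a few more) when devfs is mounted in a jail.
REQUIRED_DEV_NODES='null zero random urandom stdin stdout stderr'

# dev_listing_problems: read an ls -l style listing of /dev on stdin and
# print one line per problem: "missing NAME" for a required node that is
# absent and "notdevice NAME" for a required node present as a regular
# file. Prints nothing when the listing looks healthy.
dev_listing_problems() {
    awk -v required="$REQUIRED_DEV_NODES" '
        BEGIN { n = split(required, want, " ") }
        NF >= 9 {
            name = $9
            type = substr($1, 1, 1)     # c, l, d or - (regular file)
            seen[name] = type
        }
        END {
            for (i = 1; i <= n; i++) {
                node = want[i]
                if (!(node in seen))        print "missing " node
                else if (seen[node] == "-") print "notdevice " node
            }
        }'
}

# dev_looks_healthy: exit 0 when the listing on stdin has no problems.
dev_looks_healthy() {
    [ "$(dev_listing_problems | grep -c .)" -eq 0 ]
}

# Stand-alone run against the constructed listing.
main() {
    printf '%s\n' "$SAMPLE_DEV_LISTING" | dev_listing_problems
    if printf '%s\n' "$SAMPLE_DEV_LISTING" | dev_looks_healthy; then
        echo "/dev looks like a devfs mount"
    else
        echo "/dev is not a devfs mount: mount devfs in the jail and apply the jail ruleset"
    fi
}

main "$@"
```

Inside a running jail the same check is `ls -l /dev | dev_listing_problems`; from the host, `mount | grep devfs` shows whether a devfs instance is mounted under the jail's root at all, which is the first thing to confirm before adjusting rulesets.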
Re: Jail source address selection in 8.1-RELEASE
On Wed, 24 Nov 2010, Steve Polyack wrote:

> Hi,
>
> There appears to be a loosely documented sysctl 'security.jail.param.ip4.saddrsel' which should limit source IP selection of jails to their primary jail interface/IP. The sysctl does not appear to do anything, however:
>
> # sysctl security.jail.param.ip4.saddrsel=0
> -
> # echo $?
> 0
> # sysctl security.jail.param.ip4.saddrsel
> #
> # sysctl -d security.jail.param.ip4.saddrsel
> security.jail.param.ip4.saddrsel: Do (not) use IPv4 source address selection rather than the primary jail IPv4 address.
>
> Is this tunable only available when VIMAGE jails are built? The 8.1-RELEASE Release Notes suggest it is for VIMAGE jail(8) containers, while 7.3-RELEASE Release Notes suggest that it is available for the entire jail(8) subsystem as 'security.jail.ip4_saddrsel', a different OID.

Don't use the sysctl; the param tree only tells you which options are available; ip4.saddrsel is an option to the jail -c|-m command.

/bz

-- 
Bjoern A. Zeeb                 Welcome a new stage of life.
  ks        Going to jail sucks                      -- bz
                 All my daemons like it!
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
Re: Jail question
On 10/14/10 18:20, Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
>
> The plan is to run openvpn as the only unjailed service and the rest of the services in a single jail or their own jails. I have never touched jails before and I'm a bit unsure of the best way to go.
>
> I realise that I can jail a service or a copy of the whole system (service would be preferable for space efficiency) but I am unclear on how to deal with IP addresses in jailed environments and if I should create individual jails or a single jail for all services. At the moment I am leaning toward a single system jail for everything so I can keep the space in which openvpn runs as uncluttered as possible and also have a single postgres instance shared by the other services.
>
> Basically, if any of the public services in the jail are compromised I would like to make it very hard for the attacker to see the internal network.

Since jails can do many things there are many helper utilities that can do much to simplify the process. If you can hack python, you can, for example, modify my script at http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a thousand very light-weight jails which are started and managed using only standard FreeBSD tools. In any case, read the rc.conf(5) man page for the jail_* settings.

> If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme? This box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference.

This is the more complex question; I think that everything which needs direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be run on the host system. TCP services will work inside jails without problems, but with jails it's almost the same as if they were on another system. If you do use NAT you will have to configure it on the host. Instead, you can also use TCP proxies (like bsdproxy). It's up to you how much complexity you want in your system, but for simplicity I would set up a single outward-facing IP address and then proxy TCP services where I need them.
Re: Jail question
On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net wrote:

> On Fri, 15 Oct 2010 08:35:39 -0400 Fbsd8 fb...@a1poweruser.com articulated:
>
>> Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the meantime you can get qjail from here.
>> http://sourceforge.net/projects/qjail/files/
>
> I have submitted new ports in the past and they were usually accepted and posted within a short period of time; usually 2 weeks or so. Perhaps there is a specific reason why this port has not been accepted/released into the ports system. Have you, or whoever submitted the port, requested clarification as to why it has not been accepted/released? Before issuing a blank condemnation of the ports department it would seem like the logical course of action. If you don't receive a satisfactory reply within two weeks, then it might be worth escalating the matter. Just my 2¢.

I'm pretty sure I've seen this conversation between the same people before. Ah, yes:

http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html

Noting that Aiza = FBSD8...
Re: Jail question
On Fri, 15 Oct 2010 13:38:17 -0400 bdsf...@att.net bdsf...@att.net articulated:

> [...]
>
> I'm pretty sure I've seen this conversation between the same people before. Ah, yes:
>
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html
>
> Noting that Aiza = FBSD8...

That PR would be: http://www.freebsd.org/cgi/query-pr.cgi?pr=148777, originally submitted on Tue, 20 Jul 2010 02:47:18 GMT by Joe Barbish j...@a1poweruser.com. There was a posting to it on October 15, 2010 sans reply. One would be led to believe that there is a specific reason that it is stuck in the queue. Perhaps m...@freebsd.org would care to respond.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
Re: Jail question
On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:

> Since jails can do many things there are many helper utilities that can do much to simplify the process. If you can hack python, you can, for example, modify my script at http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a thousand very light-weight jails which are started and managed using only standard FreeBSD tools. In any case, read the rc.conf(5) man page for the jail_* settings.

<snip>

> This is the more complex question; I think that everything which needs direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be run on the host system. TCP services will work inside jails without problems, but with jails it's almost the same as if they were on another system. If you do use NAT you will have to configure it on the host. Instead, you can also use TCP proxies (like bsdproxy). It's up to you how much complexity you want in your system, but for simplicity I would set up a single outward-facing IP address and then proxy TCP services where I need them.

Thanks for the helpful replies. I am experimenting with some ideas on a VM now. It certainly does seem more logical to have the firewall, VPN and NAT rules in the base system and everything else jailed.

I can just about get by with Python and your script looks like it could be of use - thanks for sharing it.

Matt.
Re: Jail question
In freebsd-questions Digest, Vol 333, Issue 2, Message: 1
On Fri, 15 Oct 2010 13:38:17 -0400 bdsf...@att.net wrote:

> On Fri, 15 Oct 2010 09:32:44 -0400, Jerry freebsd.u...@seibercom.net wrote:
>
>> On Fri, 15 Oct 2010 08:35:39 -0400 Fbsd8 fb...@a1poweruser.com articulated:
>>
>>> Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the mean time you can get qjail from here.
>>>
>>> http://sourceforge.net/projects/qjail/files/
>>
>> I have submitted new ports in the past and they were usually accepted and posted within a short period of time; usually 2 weeks or so. Perhaps there is a specific reason why this port has not been accepted/released into the ports system. Have you, or whoever submitted the port, requested clarification as to why it has not been accepted/released? Before issuing a blanket condemnation of the ports department it would seem like the logical course of action. If you don't receive a satisfactory reply within two weeks, then it might be worth escalating the matter. Just my 2¢.
>
> I'm pretty sure I've seen this conversation between the same people before. Ah, yes:
>
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg235282.html
>
> Noting that Aiza = FBSD8...

Also posting at various times as {fbsd1,fbsd_user,jo...}@a1poweruser.com = Joe Barbish, reputed author of qjail. Never admits to using aliases, especially when appearing as 'someone else' in support of his position.

The thing that amazes me most about qjail is that there has never been one single mention of it in freebsd-j...@freebsd.org, where jail kernel work, utilities and usage are developed, debugged and discussed.

cheers, Ian
Re: Jail question
Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
>
> The plan is to run openvpn as the only unjailed service and the rest of the services in a single jail or their own jails. I have never touched jails before and I'm a bit unsure of the best way to go. I realise that I can jail a service or a copy of the whole system (service would be preferable for space efficiency) but I am unclear on how to deal with IP addresses in jailed environments and if I should create individual jails or a single jail for all services.
>
> At the moment I am leaning toward a single system jail for everything so I can keep the space in which openvpn runs as uncluttered as possible and also have a single postgres instance shared by the other services. Basically, if any of the public services in the jail are compromised I would like to make it very hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme?
>
> - this box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.

Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the mean time you can get qjail from here.

http://sourceforge.net/projects/qjail/files/
Re: Jail question
On Fri, 15 Oct 2010 08:35:39 -0400 Fbsd8 fb...@a1poweruser.com articulated:

> Check out qjail. It has been submitted for addition to the ports collection, but the ports dept is very slow in performing their task of adding new ports to the system. So in the mean time you can get qjail from here.
>
> http://sourceforge.net/projects/qjail/files/

I have submitted new ports in the past and they were usually accepted and posted within a short period of time; usually 2 weeks or so. Perhaps there is a specific reason why this port has not been accepted/released into the ports system. Have you, or whoever submitted the port, requested clarification as to why it has not been accepted/released? Before issuing a blanket condemnation of the ports department it would seem like the logical course of action. If you don't receive a satisfactory reply within two weeks, then it might be worth escalating the matter.

Just my 2¢.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
Re: Jail question
On Thu, 14 Oct 2010, Matthew Law wrote:

> I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
>
> The plan is to run openvpn as the only unjailed service and the rest of the services in a single jail or their own jails. I have never touched jails before and I'm a bit unsure of the best way to go. I realise that I can jail a service or a copy of the whole system (service would be preferable for space efficiency) but I am unclear on how to deal with IP addresses in jailed environments and if I should create individual jails or a single jail for all services.
>
> At the moment I am leaning toward a single system jail for everything so I can keep the space in which openvpn runs as uncluttered as possible and also have a single postgres instance shared by the other services. Basically, if any of the public services in the jail are compromised I would like to make it very hard for the attacker to see the internal network.
>
> If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme?
>
> - this box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference
>
> Sorry for the rambling question and I hope this makes sense!
>
> Matt.

Starting with FreeBSD 8 jails may have multiple IPs and can use sockets. AFAIK this makes a jail pretty much like a separate physical system in a functional sense. Between man jail and the handbook there is a clear explanation of the management and setup procedures. Hopefully those with a better understanding of the internals will weigh in with the liabilities for what you want to do.
Re: Jail question
On 14 October 2010 19:19, doug d...@fledge.watson.org wrote:

> On Thu, 14 Oct 2010, Matthew Law wrote:
>
>> I have a single box on which I would like to run openvpn, smtp (postfix, dspam, greylist, clamav), imap (dovecot), apache22 and bind. This box also acts as a network gateway so it would give an attacker carte blanche to the internal nets if it was compromised, which makes me nervous.
>>
>> The plan is to run openvpn as the only unjailed service and the rest of the services in a single jail or their own jails. I have never touched jails before and I'm a bit unsure of the best way to go. I realise that I can jail a service or a copy of the whole system (service would be preferable for space efficiency) but I am unclear on how to deal with IP addresses in jailed environments and if I should create individual jails or a single jail for all services.
>>
>> At the moment I am leaning toward a single system jail for everything so I can keep the space in which openvpn runs as uncluttered as possible and also have a single postgres instance shared by the other services. Basically, if any of the public services in the jail are compromised I would like to make it very hard for the attacker to see the internal network.
>>
>> If I use this scheme must I use separate public IPs for openvpn and the services jail or is it possible to use a single IP or some NAT/PAT scheme?
>>
>> - this box currently has 4 x NICs split into 2x lagg interfaces in failover mode (one public, one private), if that makes any difference
>>
>> Sorry for the rambling question and I hope this makes sense!
>>
>> Matt.
>
> Starting with FreeBSD 8 jails may have multiple IPs and can use sockets. AFAIK this makes a jail pretty much like a separate physical system in a functional sense. Between man jail and the handbook there is a clear explanation of the management and setup procedures. Hopefully those with a better understanding of the internals will weigh in with the liabilities for what you want to do.

So however you decide to do it, have a look at qjail, as it's a good management tool, especially if you have multiple jails.
Re: Jail from dump/restore?
On Wed, Aug 11, 2010 at 10:57 PM, Chris Maness ch...@chrismaness.com wrote:

> Is it possible to create a jail from a dump/restore of a real system. If so, would I just restore the dump to the jail tld?

That should be possible, yes. But it's probably a better idea to just create a new jail and transfer the data; then you'll get rid of old cruft.

-- 
chs,
Re: jail date and time
In the last episode (Jul 13), Derek Funk said:

> how do i change the date and time within a jail? Host date and time are correct why isn't the jail's?
>
>     date yymmddhhmm
>
> returns
>
>     date: settimeofday (timeval): Operation not permitted

Jails share the same clock as the host. Are you sure you don't just need to set the timezone in your jail (run tzsetup, or copy the host's /etc/localtime into the jail)?

-- 
Dan Nelson
dnel...@allantgroup.com
Re: jail and uname
On 03/07/2010 07:13:13, Aiza wrote:

> From the console of a jail I issue uname -r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE.

The uname information is compiled into the kernel -- so all jails will show the information relevant to the host system. The problem arises when a security patch applies to userland, and not the kernel, as updating the host system does not necessarily mean the update has been applied to the jails.

> I would think issuing uname from within a jail environment should respond with the info of the jail environment. Is this not a security violation?

It can result in security problems, yes. The real problem there is an incorrect approach to applying security updates to jailed systems. Even so, not having a reliable means of telling per-jail that patches have or have not been applied is a flaw.

Whether you can do this within the POSIX specification for uname without adversely affecting backwards compatibility is a good question (http://www.opengroup.org/onlinepubs/009695399/utilities/uname.html). Perhaps a simple solution would be to compile a constant string value showing system version and patch level into libc.so and have a small utility to print that data out. Since this is independent of the kernel, it should fulfill the requirements, but it does mean that *every* system update requires a new libc.so and hence a restart of all running processes to apply fully.

While I'm here -- why doesn't FreeBSD use a simple version number like 7.3.4 rather than saying 7.3-RELEASE-p4? I realize that historically there have been point releases like 5.2.1-RELEASE but the whole Security/Errata branch concept was developed partly in response to such things, and the whole release engineering process is done differently now.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: jail and uname
On Sat, 03 Jul 2010 14:13:13 +0800, Aiza aiz...@comclark.com wrote:

> From the console of a jail I issue uname -r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE. I would think issuing uname from within a jail environment should respond with the info of the jail environment.

Uname uses some sysctls to retrieve OS information, so they are stored in the kernel. For example:

    kern.ostype: FreeBSD
    kern.osrelease: 8.1-PRERELEASE

> Is this not a security violation?

No, I don't think so.
Re: jail and uname
On Sat, Jul 03, 2010 at 02:13:13PM +0800, Aiza wrote:

> From the console of a jail I issue uname -r and get 8.0-RELEASE-p3, which is the release level of the host. I know the jail is running a pristine minimum install of 8.0-RELEASE. I would think issuing uname from within a jail environment should respond with the info of the jail environment. Is this not a security violation?

I'm guessing your understanding of jails is a bit off. A FreeBSD jail isn't a fully virtualised system. As implemented, jails share the host system's kernel. The Handbook makes clear that a jail is essentially defined by a directory subtree, a hostname, an IP address, and a command. Well, that, and things like user accounts.

So when you run uname, what's reported is kernel information as stored in various sysctl(8) MIBs (kern.ostype, kern.osrelease, kern.osrevision, kern.version, etc.). And because there's only one kernel, you'll get the same output from running uname on the host as you would get from running it inside a jail.

-- 
George
Re: jail - beginner questions
> The address 192.168.0.11 must be assigned to an interface in the host FreeBSD. You can do it before starting the jail, or when the jail is being started. To assign the address before starting the jail do something like this:
>
>     # ifconfig lnc0 alias 192.168.0.11/24
>
> where lnc0 is the name of the nic in the host FreeBSD

Great. Here is what I did:

    sorb# mkdir -p /usr/jails/vm1
    sorb# cd /usr/src
    sorb# setenv D /usr/jails/vm1
    sorb# make installworld DESTDIR=$D
    sorb# make distribution DESTDIR=$D
    sorb# cat /etc/rc.conf
    jail_enable=YES
    jail_list=vm1
    jail_vm1_rootdir=/usr/jails/vm1
    jail_vm1_hostname=vm1.localdomain
    jail_vm1_ip=192.168.0.11
    jail_vm1_interface=lnc0
    jail_vm1_devfs_enable=YES
    jail_vm1_devfs_ruleset=vm1_ruleset
    ^D
    sorb# mount -t devfs devfs $D/dev
    sorb# /etc/rc.d/jail start vm1
    Configuring jails:.
    Starting jails:ifconfig: interface lnc0 does not exist
     vm1.localdomain.

See, I do not understand how this works. If I use a real physical interface then it works:

    sorb# ifconfig
    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
            ether 00:1a:4d:7b:cf:d6
            inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
            inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active

where X.X.X.X is my public internet IP address. But I do not like this. I do not want to expose my jail's private IP address to the internet. Am I too paranoid? Should I just add rules like

    ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
    ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
    ipfw add 1002 deny all from any to 192.168.0.11
    ipfw add 1003 deny all from 192.168.0.11 to any

and be happy? Or would it be better to create a virtual ethernet interface for my jails? Somehow?

> d.) It requires using a firewall, either ipfw or pf. For example you can add to your /etc/pf.conf:
>
>     nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133
>
> But the firewall requires more lines than this one to work correctly with all network traffic. And you have to know exactly what you want to get for using it.

I'm using ipfw. I think I'll use natd+divert on the host.

Thank you very much! I feel I'm over the hard part. :-)

Laszlo
Re: jail - beginner questions
Laszlo Nagy gand...@shopzeus.com writes:

> I do not want to expose my jail's private IP address to the internet.

Use the loopback interface and a 127.x.x.x address.

-- 
WBR, bsam
Re: jail - beginner questions
> I really think that it should be corrected to:
>
>     cd /usr/src
>     make distribution DESTDIR=$D

That's almost certainly correct, but it notes:

    Notes
    [1] This step is not required on FreeBSD 6.0 and later.

> But then I get this error in syslog:
>
>     bind: Can't assign requested address

That's a general networking error. We'd need to see your ifconfig(8)/netstat(8) -rn and rc.conf(5) network settings to figure that out.

~BAS
Re: jail - beginner questions
On Wed, Nov 18, 2009 at 09:09:32AM +0100, Laszlo Nagy wrote:

> Great. Here is what I did:
>
>     sorb# mkdir -p /usr/jails/vm1
>     sorb# cd /usr/src
>     sorb# setenv D /usr/jails/vm1
>     sorb# make installworld DESTDIR=$D
>     sorb# make distribution DESTDIR=$D
>     sorb# cat /etc/rc.conf
>     jail_enable=YES
>     jail_list=vm1
>     jail_vm1_rootdir=/usr/jails/vm1
>     jail_vm1_hostname=vm1.localdomain
>     jail_vm1_ip=192.168.0.11
>     jail_vm1_interface=lnc0
>     jail_vm1_devfs_enable=YES
>     jail_vm1_devfs_ruleset=vm1_ruleset
>     ^D
>     sorb# mount -t devfs devfs $D/dev
>     sorb# /etc/rc.d/jail start vm1
>     Configuring jails:.
>     Starting jails:ifconfig: interface lnc0 does not exist
>      vm1.localdomain.
>
> See, I do not understand how this works. If I use a real physical interface then it works:
>
>     sorb# ifconfig
>     re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>             options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>             ether 00:1a:4d:7b:cf:d6
>             inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.255
>             inet 192.168.0.11 netmask 0xffffffff broadcast 192.168.0.11
>             media: Ethernet autoselect (100baseTX <full-duplex>)
>             status: active

I thought that your physical interface is the lnc0 on the host FreeBSD. The jail startup script doesn't create any interfaces itself. It uses any interface that exists in the host OS, and sets the ip address on it. So, you can use either re0 or lo0.

> where X.X.X.X is my public internet IP address. But I do not like this. I do not want to expose my jail's private IP address to the internet. Am I too paranoid? Should I just add rules like
>
>     ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
>     ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
>     ipfw add 1002 deny all from any to 192.168.0.11
>     ipfw add 1003 deny all from 192.168.0.11 to any
>
> and be happy? Or would it be better to create a virtual ethernet interface for my jails? Somehow?

If you want to hide your jail then you can use the interface lo0.

    jail_vm1_interface=lo0

Suppose that your public ip address is 192.168.201.50. Then start the natd:

    # natd -a 192.168.201.50

and add to ipfw these divert rules:

    # ipfw add 10 divert natd all from any to 192.168.201.50 in
    # ipfw add 20 divert natd all from 192.168.0.11 to any out

after that add to ipfw rules to allow the traffic diverted above, or you can allow all for testing:

    # ipfw add 30 allow all from any to any

Now your jail is hidden from the outer network. But inside the jail the network is working.
Re: jail - beginner questions
Laszlo Nagy gand...@shopzeus.com writes:

> I'm experimenting with jails. I have installed a 7.2 stable FreeBSD inside vmware. Then I have created two jails, using the method written in the handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-build.html
>
> The only thing that didn't work is this:
>
>     cd /etc
>     make distribution DESTDIR=$D
>
> I really think that it should be corrected to:
>
>     cd /usr/src
>     make distribution DESTDIR=$D

No, I think you added the '/' before 'etc', which isn't in the web page.

> After mounting devfs (mount -t devfs devfs /vm1/dev) I try to start it:
>
>     /etc/rc.d/vm1 start vm1
>
> But then I get this error in syslog:
>
>     bind: Can't assign requested address
>
> Here is the config from /etc/rc.conf (in the host):
>
>     jail_enable="YES"                       # Set to NO to disable starting of any jails
>     jail_list="vm1 vm2"                     # Space separated list of names of jails
>     jail_vm1_rootdir="/vm1"                 # jail's root directory
>     jail_vm1_hostname="vm1.localdomain"     # jail's hostname
>     jail_vm1_ip="192.168.0.11"              # jail's IP address
>     jail_vm1_devfs_enable="YES"             # mount devfs in the jail
>     jail_vm1_devfs_ruleset="vm1_ruleset"    # devfs ruleset to apply to jail
>     jail_vm2_rootdir="/vm2"                 # jail's root directory
>     jail_vm2_hostname="vm2.localdomain"     # jail's hostname
>     jail_vm2_ip="192.168.0.12"              # jail's IP address
>     jail_vm2_devfs_enable="YES"             # mount devfs in the jail
>     jail_vm2_devfs_ruleset="vm2_ruleset"    # devfs ruleset to apply to jail

Is the problem perhaps in your /etc/rc.d/vm1 script? Normally you would use /etc/rc.d/jail.

Are those addresses already assigned on the host? Was the jail perhaps already running?

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: jail - beginner questions
> No, I think you added the '/' before 'etc', which isn't in the web page.

Gotcha.

> Is the problem perhaps in your /etc/rc.d/vm1 script? Normally you would use /etc/rc.d/jail.

Yes, I am. Sorry - it was a typo. I used this:

    /etc/rc.d/jail start vm1

> Are those addresses already assigned on the host? Was the jail perhaps already running?

My computer is a windows machine, with address 192.168.0.X. Then the FreeBSD host is actually a guest os running in vmware. It has address 192.168.37.133. And finally, the vm1 jail should have 192.168.0.11.

I don't know why 192.168.0.11 is not working for the jail. Anyway, if I change the jail's address to 192.168.10.11 then

    /etc/rc.d/jail start vm1
    Starting jails: vm1.localdomain.

Now the next question: how can I access the hosted (jailed) OS? I know it is a dumb question, but I have no idea. I would like to:

a.) run sshd in the jail
b.) login from the host to the jailed (hosted) OS
c.) install programs on the jail, configure them and finally
d.) use NATD to divert some packages from the host to the jail and back

Probably this is what everybody does, so if you could point me to a tutorial or something, I would appreciate it.

Thanks,

Laszlo
Re: jail - beginner questions
On Tue, Nov 17, 2009 at 10:41:14PM +0430, Laszlo Nagy wrote:

> My computer is a windows machine, with address 192.168.0.X. Then the FreeBSD host is actually a guest os running in vmware. It has address 192.168.37.133. And finally, the vm1 jail should have 192.168.0.11.
>
> I don't know why 192.168.0.11 is not working for the jail. Anyway, if I change the jail's address to 192.168.10.11 then
>
>     /etc/rc.d/jail start vm1
>     Starting jails: vm1.localdomain.

The address 192.168.0.11 must be assigned to an interface in the host FreeBSD. You can do it before starting the jail, or when the jail is being started.

To assign the address before starting the jail do something like this:

    # ifconfig lnc0 alias 192.168.0.11/24

where lnc0 is the name of the nic in the host FreeBSD. And you can add to /etc/rc.conf:

    ifconfig_lnc0_alias0="inet 192.168.0.11/24"

to assign the address when the host FreeBSD is booting.

To assign the address when the jail is being started just add to /etc/rc.conf this:

    jail_vm1_interface=lnc0

This way is preferred.

> Now the next question: how can I access the hosted (jailed) OS? I know it is a dumb question, but I have no idea. I would like to:
>
> a.) run sshd in the jail
> b.) login from the host to the jailed (hosted) OS
> c.) install programs on the jail, configure them and finally
> d.) use NATD to divert some packages from the host to the jail and back

b.) 1. get the jails list:

    # jls
       JID  IP Address      Hostname      Path
         9  192.168.64.14   mx1.loc       /store/jail/mx1
         8  192.168.64.25   nslst.loc     /store/jail/nslst

2. select the required jail by JID, for example 9 for mx1.loc, and do:

    # jexec 9 tcsh

3. you're in

a.) Login inside the jail. Now add to /etc/rc.conf

    sshd_enable=YES

and execute:

    # /etc/rc.d/sshd start

c.) When you're inside the jail you can install software like in the host system. You can use pkg_add or the ports system.

d.) It requires using a firewall, either ipfw or pf. For example you can add to your /etc/pf.conf:

    nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133

But the firewall requires more lines than this one to work correctly with all network traffic. And you have to know exactly what you want to get for using it.

> Probably this is what everybody does, so if you could point me to a tutorial or something, I would appreciate it.
>
> Thanks,
>
> Laszlo
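The two start-up failures this thread walks through (`ifconfig: interface lnc0 does not exist` when `jail_X_interface` names a nic the host lacks, and `bind: Can't assign requested address` when the jail IP is on no host interface) can be caught before `/etc/rc.d/jail start` by checking rc.conf against the host's interfaces. The following is an added example, not code from anyone in the thread; the rc.conf fragment and the ifconfig output it checks are constructed samples modelled on the addresses and interface names quoted above.

```python
"""Preflight check for jail_* network settings in /etc/rc.conf (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample rc.conf: vm1 names a nic the host does not have, vm2 gives
# no interface and its address is on no host interface, vm3 is a hidden jail on lo0.
RC_CONF = """\
jail_enable="YES"
jail_list="vm1 vm2 vm3"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm2_rootdir="/usr/jails/vm2"
jail_vm2_ip="192.168.0.12"
jail_vm3_rootdir="/usr/jails/vm3"
jail_vm3_ip="127.0.0.3"
jail_vm3_interface="lo0"
"""

# Constructed sample ifconfig output (FreeBSD layout, two interfaces).
IFCONFIG = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.37.133 netmask 0xffffff00 broadcast 192.168.37.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""


def parse_rc_conf(text: str) -> Dict[str, str]:
    """Read simple KEY=VALUE lines, dropping comments and surrounding quotes."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip("\"'")
    return conf


def parse_ifconfig(text: str) -> Dict[str, Set[str]]:
    """Map each interface name to the IPv4 addresses currently configured on it."""
    ifaces: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^([a-z][a-z0-9.]*):\s+flags=", line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, set())
            continue
        m = re.match(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m and current is not None:
            ifaces[current].add(m.group(1))
    return ifaces


def check_jails(conf: Dict[str, str], ifaces: Dict[str, Set[str]]) -> List[str]:
    """Return ERROR/NOTE findings; an empty list means the jails should start."""
    findings: List[str] = []
    host_ips = set().union(*ifaces.values()) if ifaces else set()
    if conf.get("jail_enable", "NO").upper() != "YES":
        findings.append("ERROR: jail_enable is not YES; /etc/rc.d/jail starts nothing")
    seen: Dict[str, str] = {}
    for name in conf.get("jail_list", "").split():
        ip = conf.get(f"jail_{name}_ip")
        iface = conf.get(f"jail_{name}_interface")
        if not ip:
            findings.append(f"ERROR: {name}: jail_{name}_ip is not set")
            continue
        if ip in seen:
            findings.append(f"ERROR: {name}: {ip} is also used by jail {seen[ip]}")
        seen.setdefault(ip, name)
        if iface:
            # rc.d/jail will run 'ifconfig <iface> alias <ip>' at start time.
            if iface not in ifaces:
                findings.append(f"ERROR: {name}: jail_{name}_interface={iface} does not exist "
                                f"on the host (ifconfig: interface {iface} does not exist)")
            elif not iface.startswith("lo"):
                findings.append(f"NOTE: {name}: {ip} will be aliased onto {iface}, so it is "
                                f"visible on that network; use lo0 plus natd to hide it")
        elif ip not in host_ips:
            # Nothing will add the address, so the jail's daemons cannot bind it.
            findings.append(f"ERROR: {name}: {ip} is not assigned on any host interface and "
                            f"no jail_{name}_interface is set (bind: Can't assign requested address)")
    return findings


def preflight(rc_conf: str = RC_CONF, ifconfig: str = IFCONFIG) -> List[str]:
    """Run the checks over rc.conf text and ifconfig output."""
    return check_jails(parse_rc_conf(rc_conf), parse_ifconfig(ifconfig))


if __name__ == "__main__":
    for finding in preflight():
        print(finding)
```

On a live host the same function can be fed the real files: `preflight(open("/etc/rc.conf").read(), subprocess.check_output(["ifconfig"], text=True))`.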
Re: jail - unable to print from inside jail
Raymond Gibson said the following on 2009-10-02 22:31:

>> Something doesn't seem right with your devfs.rules file. Mine looks like this:
>>
>>     [system=10]
>>     add path 'unlpt*' mode 0660 group cups
>>     add path 'ulpt*' mode 0660 group cups
>>     add path 'lpt*' mode 0660 group cups
>
> i change permissions on /dev/ulpt0 (in the jail) and now i can print a test page from Cups administration page.
>
>     PrintServer# ls -l /dev | grep ulpt0
>     crw-r--r--  1 root  operator    0,  79 Oct  2 10:51 ulpt0
>     PrintServer# chmod 666 /dev/ulpt0
>     PrintServer# ls -l /dev | grep ulpt0
>     crw-rw-rw-  1 root  operator    0,  79 Oct  2 10:51 ulpt0
>
> i tried to set 666 for devfs.rules devfs.conf in both host and jail, but that didn't work. any more ideas?

I don't have a usb printer attached.

    ls -l /dev/lp*
    crw-rw----  1 root  cups    0,  38 Sep 23 18:27 /dev/lpt0
    crw-rw----  1 root  cups    0,  39 Sep 19 22:30 /dev/lpt0.ctl

That's on the print server, no jail, and I think you do not need to change the devfs.conf file. Mine isn't changed and looks like this:

    # Historically X depended on this, but version 4.3.0 doesn't seem to anymore
    #link   ttyv0   vga

    # Commonly used by many ports
    #link   acd0    cdrom

    # Allow a user in the wheel group to query the smb0 device
    #perm   smb0    0660

    # Allow members of group operator to cat things to the speaker
    #own    speaker root:operator
    #perm   speaker 0660
Re: jail - unable to print from inside jail
Raymond Gibson said the following on 2009-10-01 22:33:

> I'm trying to setup CUPS (in a jail) using a USB printer on my host machine. My host was built as a minimal FreeBSD 7.2-Release install. I added ezjail and created two jails. Both jails are working and I can login to both using ssh.
>
> On the host i did the following:
>
> I added this to /etc/devfs.conf
>
>     own   ultp0 root:cups
>     perm  ultp0 0660
>
> I added this to /etc/devfs.rules
>
>     # Printers
>     add path ltp[0-9]* mode 0660 group cups
>     add path ultp[0-9]* mode 0660 group cups
>     add path unltp[0-9]* mode 0660 group cups
>     [devfsrules_jail_PrintServer=10]
>     add path ltp[0-9]* mode 0660 group cups
>     add path ultp[0-9]* mode 0660 group cups
>     add path unltp[0-9]* mode 0660 group cups

Something doesn't seem right with your devfs.rules file. Mine looks like this:

    [system=10]
    add path 'unlpt*' mode 0660 group cups
    add path 'ulpt*' mode 0660 group cups
    add path 'lpt*' mode 0660 group cups

> After a reboot, I can access the administration website. I added a printer and allowed remote access. From administration page - printer status:
>
>     Description: HP Photosmart 7350
>     Location: Home Printer
>     Driver: HP PhotoSmart 7350 Foomatic/hpijs (recommended)
>     Printer State: idle, accepting jobs, published.
>     Device URI: usb:/dev/ulpt0
>
> When printing a test page from administration page i get permission denied.
>
>     HPPhotosmart7350 (Default Printer) Unable to open device file /dev/ulpt0: Permission denied
>
> How do i solve this? Please let me know if more information is needed. I thank you for your time and help in advance.
Re: jail - unable to print from inside jail
On Friday 02 October 2009 02:31:06 am Bernt Hansson wrote:
> Raymond Gibson said the following on 2009-10-01 22:33:
>> I'm trying to set up CUPS (in a jail) using a USB printer on my host machine. My host was built as a minimal FreeBSD 7.2-RELEASE install. I added ezjail and created two jails. Both jails are working and I can log in to both using ssh.
>>
>> On the host I did the following:
>>
>> I added this to /etc/devfs.conf
>>
>> own ultp0 root:cups
>> perm ultp0 0660
>>
>> I added this to /etc/devfs.rules
>>
>> # Printers
>> add path ltp[0-9]* mode 0660 group cups
>> add path ultp[0-9]* mode 0660 group cups
>> add path unltp[0-9]* mode 0660 group cups
>>
>> [devfsrules_jail_PrintServer=10]
>> add path ltp[0-9]* mode 0660 group cups
>> add path ultp[0-9]* mode 0660 group cups
>> add path unltp[0-9]* mode 0660 group cups
>
> Something doesn't seem right with your devfs.rules file. Mine looks like this:
>
> [system=10]
> add path 'unlpt*' mode 0660 group cups
> add path 'ulpt*' mode 0660 group cups
> add path 'lpt*' mode 0660 group cups
>
>> After a reboot, I can access the administration website. I added a printer and allowed remote access.
>>
>> From the administration page - printer status:
>>
>> Description: HP Photosmart 7350
>> Location: Home Printer
>> Driver: HP PhotoSmart 7350 Foomatic/hpijs (recommended)
>> Printer State: idle, accepting jobs, published.
>> Device URI: usb:/dev/ulpt0
>>
>> When printing a test page from the administration page I get permission denied.
>>
>> HPPhotosmart7350 (Default Printer)
>> Unable to open device file /dev/ulpt0: Permission denied
>>
>> How do I solve this? Please let me know if more information is needed. I thank you for your time and help in advance.

I changed /etc/devfs.rules, but no luck. I changed permissions on /dev/ulpt0 (in the jail) and now I can print a test page from the CUPS administration page.

PrintServer# ls -l /dev | grep ulpt0
crw-r--r--  1 root  operator    0,  79 Oct  2 10:51 ulpt0
PrintServer# chmod 666 /dev/ulpt0
PrintServer# ls -l /dev | grep ulpt0
crw-rw-rw-  1 root  operator    0,  79 Oct  2 10:51 ulpt0

I tried to set 666 in devfs.rules and devfs.conf in both host and jail, but that didn't work. Any more ideas?
Re: jail - unable to print from inside jail
On Fri, 02 Oct 2009 15:31:55 -0500, Raymond Gibson raymond.gib...@verizon.net wrote:

> On Friday 02 October 2009 02:31:06 am Bernt Hansson wrote:
>> Raymond Gibson said the following on 2009-10-01 22:33:
>>> I'm trying to set up CUPS (in a jail) using a USB printer on my host machine. My host was built as a minimal FreeBSD 7.2-RELEASE install. I added ezjail and created two jails. Both jails are working and I can log in to both using ssh.
>
> I tried to set 666 in devfs.rules and devfs.conf in both host and jail, but that didn't work. Any more ideas?

How do you start your jail?

For a jail, the devfs rule applied is the one specified for the jail in /etc/rc.conf, something like

jail_jailname_devfs_ruleset=devfsrules_jail    # devfs ruleset to apply to jail

Regards.
Re: jail - unable to print from inside jail
On Friday 02 October 2009 04:32:23 pm Patrick Lamaiziere wrote:
> On Fri, 02 Oct 2009 15:31:55 -0500, Raymond Gibson raymond.gib...@verizon.net wrote:
>> On Friday 02 October 2009 02:31:06 am Bernt Hansson wrote:
>>> Raymond Gibson said the following on 2009-10-01 22:33:
>>>> I'm trying to set up CUPS (in a jail) using a USB printer on my host machine. My host was built as a minimal FreeBSD 7.2-RELEASE install. I added ezjail and created two jails. Both jails are working and I can log in to both using ssh.
>>
>> I tried to set 666 in devfs.rules and devfs.conf in both host and jail, but that didn't work. Any more ideas?
>
> How do you start your jail?
>
> For a jail, the devfs rule applied is the one specified for the jail in /etc/rc.conf, something like
>
> jail_jailname_devfs_ruleset=devfsrules_jail    # devfs ruleset to apply to jail
>
> Regards.

I'm using ezjail. ezjail is started from /etc/rc.conf with ezjail_enable=YES. I thought the following would be read into the jail's configuration.

/usr/local/etc/ezjail/PrintServer

export jail_PrintServer_hostname=PrintServer
export jail_PrintServer_ip=192.168.1.52
export jail_PrintServer_rootdir=/usr/jails/PrintServer
export jail_PrintServer_exec=/bin/sh /etc/rc
export jail_PrintServer_mount_enable=YES
export jail_PrintServer_devfs_enable=YES
export jail_PrintServer_devfs_ruleset=devfsrules_jail_PrintServer
export jail_PrintServer_procfs_enable=YES
export jail_PrintServer_fdescfs_enable=YES
export jail_PrintServer_image=
export jail_PrintServer_imagetype=
export jail_PrintServer_attachparams=
export jail_PrintServer_attachblocking=
export jail_PrintServer_forceblocking=

I put PrintServer_devfs_ruleset=devfsrules_jail_PrintServer into my rc.conf and rebooted. No luck, I still get permission denied.
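The two things this thread turns on are whether the ruleset name given in rc.conf (`jail_<name>_devfs_ruleset`, as Patrick describes) resolves to a `[name=number]` header at all, and whether the `add path` globs in that ruleset actually match the device names (`ltp` versus `lpt`, as Bernt spotted). The following checker is an added example, not code from the thread or from ezjail; the device list and both rules files are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread: check a devfs.rules file the way
# a jail start would use it.  Two checks are made:
#   1. the ruleset name from rc.conf (jail_<name>_devfs_ruleset) must resolve
#      to a "[name=number]" header in the file, by exact name;
#   2. every 'add path' glob of that ruleset should match at least one device,
#      otherwise the rule silently changes nothing and the device keeps its
#      default permissions (the "Permission denied" CUPS reported above).
set -u

# Constructed device list, roughly what 'ls /dev' shows on a host with a
# parallel and a USB printer.  Names are from the thread; the list is made up.
DEVICES="lpt0 lpt0.ctl ulpt0 unlpt0 ttyp0 null zero random"

WORK=$(mktemp -d)

# Constructed copy of the ruleset from the original question: 'ltp', 'ultp'
# and 'unltp' are transposed, so these globs match no real device name.
cat > "$WORK/devfs.rules.broken" <<'EOF'
[devfsrules_jail_PrintServer=10]
add path ltp[0-9]* mode 0660 group cups
add path ultp[0-9]* mode 0660 group cups
add path unltp[0-9]* mode 0660 group cups
EOF

# Constructed corrected version: the spelling from Bernt's reply under the
# header that jail_PrintServer_devfs_ruleset refers to.
cat > "$WORK/devfs.rules.fixed" <<'EOF'
[devfsrules_jail_PrintServer=10]
add path 'unlpt*' mode 0660 group cups
add path 'ulpt*' mode 0660 group cups
add path 'lpt*' mode 0660 group cups
EOF

# devfs_ruleset_number FILE NAME: print the number from "[NAME=number]" and
# return 0, or print nothing and return 1 when no header has exactly that
# name (so "jail_PrintServer" does not find "[devfsrules_jail_PrintServer=10]").
devfs_ruleset_number() {
    awk -v want="$2" '
        /^\[[^=]*=[0-9]+\]$/ {
            name = $0; sub(/^\[/, "", name); sub(/=.*/, "", name)
            if (name == want) {
                num = $0; sub(/^.*=/, "", num); sub(/\]$/, "", num)
                print num; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# devfs_ruleset_globs FILE NAME: print the 'add path' globs of ruleset NAME,
# one per line, with surrounding single quotes removed.
devfs_ruleset_globs() {
    awk -v want="$2" -v q="'" '
        /^\[[^=]*=[0-9]+\]$/ {
            name = $0; sub(/^\[/, "", name); sub(/=.*/, "", name)
            in_set = (name == want); next
        }
        in_set && $1 == "add" && $2 == "path" { g = $3; gsub(q, "", g); print g }
    ' "$1"
}

# devfs_dead_globs FILE NAME: print each glob of ruleset NAME that matches
# none of $DEVICES.  A case pattern is a shell-style glob, the same form
# devfs(8) documents for 'path', so the check behaves like the real rule.
devfs_dead_globs() {
    # A here-document keeps the loop in this shell and never expands the
    # patterns against the current directory.
    while IFS= read -r glob; do
        [ -n "$glob" ] || continue
        hit=0
        for dev in $DEVICES; do
            case "$dev" in
                $glob) hit=1; break ;;
            esac
        done
        [ "$hit" -eq 1 ] || echo "$glob"
    done <<EOF
$(devfs_ruleset_globs "$1" "$2")
EOF
}

# devfs_dead_glob_count FILE NAME: the number of dead globs as a bare integer.
devfs_dead_glob_count() {
    devfs_dead_globs "$1" "$2" | wc -l | tr -d ' \t'
}

# Stand-alone run: report on both constructed files.
for f in "$WORK/devfs.rules.broken" "$WORK/devfs.rules.fixed"; do
    n=$(devfs_ruleset_number "$f" devfsrules_jail_PrintServer) || n='(not found)'
    echo "$f: devfsrules_jail_PrintServer -> ruleset $n"
    devfs_dead_globs "$f" devfsrules_jail_PrintServer |
        sed "s|^|$f: no device matches path |"
done
```

Run it against the real /etc/devfs.rules and the output of `ls /dev` on the host before starting the jail; a ruleset whose globs all come back dead is the symptom in this thread.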
Re: jail/system crash with mount_unionfs
On Thu, Jul 09, 2009 at 10:37:40AM -0400, Jim typed:

> As you can see, there is a work around, so I'm not that /bothered/ by this, but it'd be nice to know what's up. Am I doing something wrong? If not, can anyone replicate this? Should I file a bug report?

According to the manpage, unionfs is still buggy in 7.2:

BUGS
     THIS FILE SYSTEM TYPE IS NOT YET FULLY SUPPORTED (READ: IT DOESN'T WORK)
     AND USING IT MAY, IN FACT, DESTROY DATA ON YOUR SYSTEM.  USE AT YOUR OWN
     RISK.  BEWARE OF DOG.  SLIPPERY WHEN WET.

I'm using nullfs to do what you're trying and it just works.

regards,
Ruben
Re: jail stop
On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
> cannot stop jail mx. No jail id in /var/run
>
> $ uname -a

There were problems with TTY code in older versions that would cause processes to get stuck, ghosting jails.
Re: jail stop
Brian A. Seklecki wrote:
> On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
>> cannot stop jail mx. No jail id in /var/run
>>
>> $ uname -a
>
> There were problems with TTY code in older versions that would cause processes to get stuck, ghosting jails.

I believe I have seen other causes of this issue since it happens on 7.1. jkill takes care of it. Probably happens due to user error, here at least.

--
Adam Vandemore
Systems Administrator
IMED Mobility
(605) 498-1610
Re: jail stop
On Mon, Apr 6, 2009 at 3:49 PM, Adam Vandemore amvandem...@gmail.com wrote:
> Brian A. Seklecki wrote:
>> On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
>>> cannot stop jail mx. No jail id in /var/run
>>>
>>> $ uname -a
>>
>> There were problems with TTY code in older versions that would cause processes to get stuck, ghosting jails.
>
> I believe I have seen other causes of this issue since it happens on 7.1. jkill takes care of it. Probably happens due to user error, here at least.

dd# jkill
jkill: Command not found.
dd#

I assume jkill isn't part of the standard OS, right?

--
http://alexus.org/
Re: jail stop
alexus wrote:
> On Mon, Apr 6, 2009 at 3:49 PM, Adam Vandemore amvandem...@gmail.com wrote:
>> Brian A. Seklecki wrote:
>>> On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
>>>> cannot stop jail mx. No jail id in /var/run
>>>>
>>>> $ uname -a
>>>
>>> There were problems with TTY code in older versions that would cause processes to get stuck, ghosting jails.
>>
>> I believe I have seen other causes of this issue since it happens on 7.1. jkill takes care of it. Probably happens due to user error, here at least.
>
> dd# jkill
> jkill: Command not found.
> dd#
>
> I assume jkill isn't part of the standard OS, right?

right, it's here:

/usr/ports/sysutils/jailutils

--
Adam Vandemore
Systems Administrator
IMED Mobility
(605) 498-1610
Re: jail stop
On Mon, 6 Apr 2009, alexus wrote:
> On Mon, Apr 6, 2009 at 3:49 PM, Adam Vandemore amvandem...@gmail.com wrote:
>> Brian A. Seklecki wrote:
>>> On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
>>>> cannot stop jail mx. No jail id in /var/run
>>>>
>>>> $ uname -a
>>>
>>> There were problems with TTY code in older versions that would cause processes to get stuck, ghosting jails.
>>
>> I believe I have seen other causes of this issue since it happens on 7.1. jkill takes care of it. Probably happens due to user error, here at least.
>
> dd# jkill
> jkill: Command not found.
> dd#
>
> I assume jkill isn't part of the standard OS, right?

Correct. It can be found here:

/usr/ports/sysutils/jkill
Re: jail stop
On Mon, Apr 6, 2009 at 5:08 PM, Duane Hill d.h...@yournetplus.com wrote:
> On Mon, 6 Apr 2009, alexus wrote:
>> On Mon, Apr 6, 2009 at 3:49 PM, Adam Vandemore amvandem...@gmail.com wrote:
>>> Brian A. Seklecki wrote:
>>>> On Mon, 2009-04-06 at 15:27 -0400, alexus wrote:
>>>>> cannot stop jail mx. No jail id in /var/run
>>>>>
>>>>> $ uname -a
>>>>
>>>> There were problems with TTY code in older versions that would cause processes to get stuck, ghosting jails.
>>>
>>> I believe I have seen other causes of this issue since it happens on 7.1. jkill takes care of it. Probably happens due to user error, here at least.
>>
>> dd# jkill
>> jkill: Command not found.
>> dd#
>>
>> I assume jkill isn't part of the standard OS, right?
>
> Correct. It can be found here:
>
> /usr/ports/sysutils/jkill

okay, but is FreeBSD thinking about fixing it? or did someone submit a bug report (or are they already aware of that)?

--
http://alexus.org/
Re: Jail limits
Espartano wrote:
> Hi folks, sorry for my bad English, I have a question: is there any initiative to implement limits (like CPU limits, memory limits) inside a jail? Or does anything already exist to do it? Thanks a lot.

You can check the sysctl MIB entries for security.jail.*

Using login.conf you can control resource limits and account limits. Take a look at man login.conf; maybe it can help you in your situation.
Re: Jail limits
On Wed, Mar 18, 2009 at 11:23 AM, Ricardo Jesus ricardo.meb.je...@gmail.com wrote:
> Espartano wrote:
>> Hi folks, sorry for my bad English, I have a question: is there any initiative to implement limits (like CPU limits, memory limits) inside a jail? Or does anything already exist to do it? Thanks a lot.
>
> You can check the sysctl MIB entries for security.jail.*
>
> Using login.conf you can control resource limits and account limits. Take a look at man login.conf; maybe it can help you in your situation.

I will do it, thanks a lot my friend :)

--
Linux is for people who hate Windows, BSD is for people who love UNIX.
Social Engineer - Because there is no patch for human stupidity
The Unix Guru's View of Sex: unzip ; strip ; touch ; grep ; finger ; mount ; fsck ; more ; yes ; umount ; sleep.
Documentation is like sex: when it is good, it is very, very good; and when it is bad, it is better than nothing.
Re: jail devfs openpty
It appeared to work after rule apply unhide. Will find out more. Just how to delete or view the ruleset? Thanks.

Seems I got on to it. Looks like it's not very obvious. The cure was:

===
devfs -m /jailpath/dev rule -s 5 add type tty unhide
===

The unobvious part for me was to put -s in the right place. And I'm still wondering how I should delete the ruleset once it is added to devfs.

Thanks all.

2009/01/25 17:08:14 -0900 Mel fbsd.questi...@rachie.is-a-geek.net => To freebsd-questions@freebsd.org :

73! Peter
--
http://vereshagin.org
Re: jail devfs openpty
You'll never silence the voice of the voiceless, Mel!

Probably that was caused by the overall instability of my 7.1 system:

===
# devfs -m /jailpath/dev rule apply path ttyp* unhide
# chroot /jailpath/
# ls /dev
dsp0.1   lpt0      mixer0  random  ttyp1  ttyp3  ttyp5  zero
log      lpt0.ctl  null    ttyp0   ttyp2  ttyp4  urandom
# script
script: openpty: Resource temporarily unavailable
# exit
exit
# devfs -m /jailpath/dev rule apply path pty* unhide
# chroot /jailpath/
# script
script: openpty: Permission denied
# exit
exit
# devfs -m /jailpath/dev rule apply path * unhide
devfs rule: unknown argument: Desktop
# devfs -m /jailpath/dev rule apply type tty unhide
# chroot /jailpath/
# script
Script started, output file is typescript
# exit
Script done, output file is typescript
# exit
exit
#
===

Now this seems to work, after the reboot. Although I'd like to ask: if I used the major/minor numbers for temporary rules when I portupgraded the 5/6 systems, what kind of rule should I specify to avoid the 'openpty' reason for the script(1) failure? Which tty devices does it use? You can see I tried path pty* and path ttyp* without luck, though. Major/minor numbers are gone since some 6.X.

2009/01/25 17:08:14 -0900 Mel fbsd.questi...@rachie.is-a-geek.net => To freebsd-questions@freebsd.org :
M On Sunday 25 January 2009 02:25:17 Peter Vereshagin wrote:
M > Hello,
M >
M > I am doing the portupgrade inside my jail. I see that script(1) has no permission on openpty. I deleted all the devfs rules on the jail's /dev both by hand and by deleting the ruleset string in the master's rc.conf. So I stopped the jail and mounted devfs by hand. Started the jail. It appears to work, the portupgrade. I suppose that if mounted with /etc/rc.d/jail the devfs has some tweak that makes it different from mounted by hand.
M
M Are you sure that's the problem?
M When going inside a jail with jexec(8) there is no /dev/tty. You have to login using ssh to get fully functional tty's.
M
M --
M Mel
M
M Problem with today's modular software: they start with the modules and never get to the software part.

73! Peter
--
http://vereshagin.org
Re: jail devfs openpty
You'll never silence the voice of the voiceless, Mel!

Sorry, the script(1) did work, but stopped once the portupgrade tried it:

===
# portupgrade -varRp
---> Session started at: Mon, 26 Jan 2009 15:58:54 +0400
[Updating the pkgdb <format:bdb1_btree> in /var/db/pkg ... - 190 packages found (-0 +1) . done]
** Port marked as IGNORE: mail/cclient:
	is forbidden: multiple vulnerabilities
	http://www.vuxml.org/freebsd/a6713190-dfea-11dd-a765-0030843d3802.html
	http://www.vuxml.org/freebsd/69a20ce4-dfee-11dd-a765-0030843d3802.html
---> Upgrade of mail/courier-imap started at: Mon, 26 Jan 2009 15:59:40 +0400
---> Upgrading 'courier-imap-4.3.1,2' to 'courier-imap-4.4.1,2' (mail/courier-imap)
---> Build of mail/courier-imap started at: Mon, 26 Jan 2009 15:59:40 +0400
---> Building '/usr/ports/mail/courier-imap'
script: openpty: Permission denied
===

Same as with script(1) by hand now. I do all this in chroot. No difference whether under GNU screen or in ttyv4.

2009/01/25 17:08:14 -0900 Mel fbsd.questi...@rachie.is-a-geek.net => To freebsd-questions@freebsd.org :
M On Sunday 25 January 2009 02:25:17 Peter Vereshagin wrote:
M > Hello,
M >
M > I am doing the portupgrade inside my jail. I see that script(1) has no permission on openpty. I deleted all the devfs rules on the jail's /dev both by hand and by deleting the ruleset string in the master's rc.conf. So I stopped the jail and mounted devfs by hand. Started the jail. It appears to work, the portupgrade. I suppose that if mounted with /etc/rc.d/jail the devfs has some tweak that makes it different from mounted by hand.
M
M Are you sure that's the problem?
M When going inside a jail with jexec(8) there is no /dev/tty. You have to login using ssh to get fully functional tty's.
M
M --
M Mel
M
M Problem with today's modular software: they start with the modules and never get to the software part.

73! Peter
--
http://vereshagin.org
Re: jail init, but another question
You'll never silence the voice of the voiceless, Mel!

Yes. The ruleset name did not resolve into the number. So rc.subr asked for a digit and I provided a number that way. It was too obvious for me to specify the 'devfsrules_' prefix, for the case that it cannot be anything other than devfs rules. And so it did not resolve by the meaningful part (e.g., 'example') of the ruleset name only.

Thanks!

2009/01/25 17:06:15 -0900 Mel fbsd.questi...@rachie.is-a-geek.net => To freebsd-questions@freebsd.org :
M Something else is wrong. Set rc_debug=YES in /etc/rc.conf then
M /etc/rc.d/jail start example
M to trace how the rulesets are evaluated.

73! Peter
--
http://vereshagin.org
Re: jail devfs openpty
It appeared to work after rule apply unhide. Will find out more. Just how to delete or view the ruleset? Thanks.

2009/01/25 17:08:14 -0900 Mel fbsd.questi...@rachie.is-a-geek.net => To freebsd-questions@freebsd.org :
M On Sunday 25 January 2009 02:25:17 Peter Vereshagin wrote:
M > Hello,
M >
M > I am doing the portupgrade inside my jail. I see that script(1) has no permission on openpty. I deleted all the devfs rules on the jail's /dev both by hand and by deleting the ruleset string in the master's rc.conf. So I stopped the jail and mounted devfs by hand. Started the jail. It appears to work, the portupgrade. I suppose that if mounted with /etc/rc.d/jail the devfs has some tweak that makes it different from mounted by hand.
M
M Are you sure that's the problem?
M When going inside a jail with jexec(8) there is no /dev/tty. You have to login using ssh to get fully functional tty's.
M
M --
M Mel
M
M Problem with today's modular software: they start with the modules and never get to the software part.

73! Peter
--
http://vereshagin.org
Re: jail init, but another question
On Sunday 25 January 2009 02:35:16 Peter Vereshagin wrote:
> Hello,
>
> I always try to set up the devfs ruleset in rc.conf. So my question is about this in /etc/defaults/rc.conf:
>
> ===
> #jail_example_devfs_ruleset=ruleset_name	# devfs ruleset to apply to jail
> ===
>
> It appears not to work in /etc/rc.conf without this rc.subr patch:
>
> ===
> $ diff -u /etc/rc.subr /usr/src/etc/rc.subr
> --- /etc/rc.subr2008-07-20 19:26:20.0 +0500
> +++ /usr/src/etc/rc.subr2008-05-12 12:29:03.0 +0500
> @@ -1242,7 +1242,7 @@
>  devfs_set_ruleset()
>  {
>  local devdir rs _me
> - [ -n $1 ] eval rs=\$1 || rs=
> + [ -n $1 ] eval rs=\$$1 || rs=
>  [ -n $2 ] devdir=-m $2 || devdir=
>  _me=devfs_set_ruleset
> ===
>
> And, by far the ruleset_name does not work, in favour of the ruleset number.

Your patch broke it. eval rs=\$1 means rs will be set to the literal $1, while it should expand to the ruleset number, using the ruleset name, because devfs_rulesets_from_file sets:

eval $rulename=\$rulenum

Something else is wrong. Set rc_debug=YES in /etc/rc.conf then

/etc/rc.d/jail start example

to trace how the rulesets are evaluated.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
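Review bot: the hunk as quoted is not valid sh: the `&&` between the test and the `eval` is missing on both the `-` and the `+` line (`[ -n $1 ] eval rs=\$1 || rs=`), so anyone copying it from the archive gets a syntax error instead of the intended `[ -n "$1" ] && eval rs=\$$1 || rs=`; the mail archive has most likely dropped the operators and the quotes. Note the header direction, too: `---` is /etc/rc.subr (dated 2008-07-20, the locally edited copy) and `+++` is /usr/src/etc/rc.subr (2008-05-12), so the `+` line `eval rs=\$$1` is what the source tree has, and it is the form that dereferences the variable named by `$1` to obtain the ruleset number. `eval rs=\$1` only expands to the function's own first argument, the name, which is why `devfs ... ruleset` then sees a name where it needs a number. Separately, `[ -n $1 ]` with `$1` unquoted is true even for an empty argument, so the `rs=` fallback on that line can never run; quote it as `"$1"`.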
Re: jail devfs openpty
On Sunday 25 January 2009 02:25:17 Peter Vereshagin wrote:
> Hello,
>
> I am doing the portupgrade inside my jail. I see that script(1) has no permission on openpty. I deleted all the devfs rules on the jail's /dev both by hand and by deleting the ruleset string in the master's rc.conf. So I stopped the jail and mounted devfs by hand. Started the jail. It appears to work, the portupgrade. I suppose that if mounted with /etc/rc.d/jail the devfs has some tweak that makes it different from mounted by hand.

Are you sure that's the problem?
When going inside a jail with jexec(8) there is no /dev/tty. You have to login using ssh to get fully functional tty's.

--
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
Re: Jail, pf and ftpd: Connection refused
On Fri, Oct 3, 2008 at 11:56 AM, Max Laier [EMAIL PROTECTED] wrote:
> See ftp-proxy(8). Note that active works with the ruleset you provided (due to the "pass out keep state"-rule), but there is obviously a firewall problem on the client preventing that.

Are you sure I need ftp-proxy? I opened the data range 49152:65535 and now I no longer get a connection refused. I seem to be able to list, download, you know, the usual stuff. I still get the "getpeername(control_sock): Transport endpoint is not connected" though.

If I do need ftp-proxy, I take it it's the "FTP Server Protected by an External PF Firewall Running NAT" at http://www.openbsd.org/faq/pf/ftp.html that applies to my setup? I can't quite comprehend the nat/rdr rules in that example, as I ain't really got an int_if. As I stated earlier, I have a FreeBSD server running pf and two jails, and I'm trying to get ftpd running smoothly inside one of those jails.

Thank you so much.

--
http://www.home.no/reddvinylene
Re: Jail, pf and ftpd: Connection refused
On Fri, Oct 3, 2008 at 11:56 AM, Max Laier [EMAIL PROTECTED] wrote:
> See ftp-proxy(8). Note that active works with the ruleset you provided (due to the "pass out keep state"-rule), but there is obviously a firewall problem on the client preventing that.

Never mind, I think the "Transport endpoint is not connected" is most likely due to lftp. Nonetheless, much obliged for the assistance!

--
http://www.home.no/reddvinylene
Re: Jail, pf and ftpd: Connection refused
On Friday 03 October 2008 11:11:57 Redd Vinylene wrote:
> Greetings ladies and gentlemen!
>
> Why does the below pf.conf (run from box1) give me "getpeername(control_sock): Transport endpoint is not connected, Socket error (Connection refused) - reconnecting" when trying to log onto box3 via passive FTP? Active FTP gives me "425 Can't build data connection: Connection refused". (box2 and box3 are jails running off box1)

See ftp-proxy(8). Note that active works with the ruleset you provided (due to the "pass out keep state"-rule), but there is obviously a firewall problem on the client preventing that.

> -
> [EMAIL PROTECTED] cat /etc/pf.conf
> box1 = 80.203.2.2
> box2 = 80.203.2.3
> box3 = { 80.203.2.4 [...] 80.203.2.127 }
> ext_if = rl0
> set block-policy return
> set skip on { lo0 }
> scrub in
> pass out keep state
> block in
> pass in on $ext_if inet proto tcp from any to any port { 22 } keep state
> pass in on $ext_if inet proto tcp from any to $box2 port { 25, 53, 80, 110 } keep state
> pass in on $ext_if inet proto udp from any to $box2 port 53 keep state
> pass in on $ext_if inet proto tcp from any to $box3 port { 20, 21, 113 } keep state
> pass in on $ext_if inet proto icmp from any to any keep state
> -
> [EMAIL PROTECTED] cat /etc/inetd.conf
> ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
> -
>
> I hope I've been verbose enough. Thank you!

--
/\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Re: jail stop extracting iso file
The problem is already here at the host system (not in the jail). I wasn't able to get rid of the jail and can't access the device in the jail. Somehow I must access mdconfig and mount, but I shouldn't stop the jail.

On Sun, Aug 31, 2008 at 11:19 PM, Olli Hauer [EMAIL PROTECTED] wrote:
>>> In the server a jail and squid are running, as are lots of other packages. I want to extract an ISO image on this server, but I haven't been able to do it.
>>>
>>> #mdconfig -a -t vnode -f big_bcbcv.iso
>>> #mdconfig: open(/dev/mdctl): No such file or directory
>>
>> you can't, jail doesn't allow it.
>
> Yes, but why not mount the ISO at the host system and do a nullfs mount into the jail?
>
> at the host system (not in the jail)
> # mdconfig -a -t vnode -u 10 -f ${path_to_iso_image}
> # mount_cd9660 -o ro /dev/md10 /mnt/
> # mount_nullfs /mnt ${path_to_jail}/mnt
>
> ssh into the jail
> # pkg_add /mnt/filename

--
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.
Re: jail stop extracting iso file
> In the server a jail and squid are running, as are lots of other packages. I want to extract an ISO image on this server, but I haven't been able to do it.
>
> #mdconfig -a -t vnode -f big_bcbcv.iso
> #mdconfig: open(/dev/mdctl): No such file or directory

you can't, jail doesn't allow it.
Re: jail stop extracting iso file
I see, I should extract this ISO image (not using tar). May I close this jail? And can I restart it correctly? I am hesitant since squid is running in the jail. The process list is like:

[EMAIL PROTECTED] /etc]# ps ax -o pid,jid,args
  PID JID COMMAND
 8415   0 /usr/local/sbin/httpd -k start
10414   0 sshd: mary [priv] (sshd)
10417   0 sshd: [EMAIL PROTECTED] (sshd)
17168   0 /usr/local/sbin/squid -D
17170   0 (squid) -D (squid)
17171   0 (unlinkd) (unlinkd)
20754   0 /usr/sbin/syslogd -ss
20871   0 /usr/sbin/sshd
35688   0 sshd: andy [priv] (sshd)
35691   0 sshd: [EMAIL PROTECTED] (sshd)
42074   0 /usr/local/sbin/munin-node (perl)
48630   0 /usr/local/sbin/httpd -k start
64266   0 screen
67740   0 /usr/local/sbin/httpd -k start
71171   0 /usr/local/sbin/httpd -k start
76426   0 /usr/local/sbin/httpd -k start
92862   0 /usr/local/sbin/httpd -k start
93912   0 sshd: alex [priv] (sshd)
93929   0 sshd: [EMAIL PROTECTED] (sshd)
93955   0 screen
10418   0 -bash (bash)
35692   0 -bash (bash)
35693   0 su -
35694   0 -su (csh)
64268   0 /usr/local/bin/bash
93930   0 -bash (bash)
93932   0 su -
93933   0 -su (bash)
93954   0 screen
93956   0 /usr/local/bin/bash
94654   0 ps ax -o pid,jid,args
[EMAIL PROTECTED] /etc]#

I think I can stop the jail by this command? (but it runs)

/etc/rc.d/jail start
/etc/rc.d/jail stop

OR I can kill the jail process and then /etc/rc.d/jail stop, and I can disable the jail lines in sysctl

#security.jail.set_hostname_allowed=1
#security.jail.socket_unixiproute_only=1
#security.jail.sysvipc_allowed=0
#security.jail.enforce_statfs=2
#security.jail.allow_raw_sockets=0
#security.jail.chflags_allowed=0
#security.jail.jailed=0

then extract the ISO file and restart the jail? Possible? And does it contain any risk? Since squid is so, so important. I've read this paper http://www.freebsd.org/doc/en/books/handbook/jails-application.html but I wasn't able to find the jail details/settings on this server; nevertheless the jail is running.

regards

2008/8/31 Robert Watson [EMAIL PROTECTED]
> On Sun, 31 Aug 2008, tethys ocean wrote:
>> In the server a jail and squid are running, as are lots of other packages. I want to extract an ISO image on this server, but I haven't been able to do it.
>
> You are correct that direct manipulation of md(4) devices is not allowed in jail. However, you may be running on a version of FreeBSD in which tar(1) can be used to extract iso files, which is quite a bit more convenient for many uses.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
>> #mdconfig -a -t vnode -f big_bcbcv.iso
>> #mdconfig: open(/dev/mdctl): No such file or directory
>> #ls -l /dev/md*
>> #ls -ls /dev/mdctl
>> ls: /dev/mdctl: No such file or directory
>>
>> I am not familiar with jail. I only want to extract my ISO file. I suppose that the jail stops me, the jail is blocking me from accessing some resource, is it true?
>>
>> 1-how can I extract this ISO file
>> 2-is the jail stopping me? or is there any other trouble with my mdctl?
>>
>> regards

--
Share now a pigeon's flight
Bluebound along the ancient skies,
Its women forever hair and mammal,
A Mediterranean town may arise
If you rip apart a pigeon's heart.
Re: jail stop extracting iso file
>> In the server a jail and squid are running, as are lots of other packages. I want to extract an ISO image on this server, but I haven't been able to do it.
>>
>> #mdconfig -a -t vnode -f big_bcbcv.iso
>> #mdconfig: open(/dev/mdctl): No such file or directory
>
> you can't, jail doesn't allow it.

Yes, but why not mount the ISO at the host system and do a nullfs mount into the jail?

at the host system (not in the jail)
# mdconfig -a -t vnode -u 10 -f ${path_to_iso_image}
# mount_cd9660 -o ro /dev/md10 /mnt/
# mount_nullfs /mnt ${path_to_jail}/mnt

ssh into the jail
# pkg_add /mnt/filename
Re: jail stop extracting iso file
On Sun, Aug 31, 2008 at 12:08:31AM +0300, tethys ocean wrote:
> Hi all
>
> In the server a jail and squid are running, as are lots of other packages. I want to extract an iso image on this server. But I haven't done it.
>
> #mdconfig -a -t vnode -f big_bcbcv.iso
> #mdconfig: open(/dev/mdctl): No such file or directory
> #ls -l /dev/md*
> #ls -ls /dev/mdctl
> ls: /dev/mdctl: No such file or directory
>
> I am not familiar with jail. Only I can extract my iso file. I suppose that jail stops me, jail blocking me from accessing some resource, is it true?
> 1- how can I extract this iso file
> 2- does jail stop me? or any other trouble about my mdctl?

You can use tar to extract iso images, i.e.:

  # tar xvf image.iso

You can also use mdconfig, but you must add a devfs rule to add md devices, i.e.:

  add path 'md*' mode 0660

See devfs(8) and devfs.rules(5)

--
Martin Tournoij
[EMAIL PROTECTED]
http://www.daemonforums.org
Re: jail stop extracting iso file
On Sun, 31 Aug 2008, tethys ocean wrote:

> In the server a jail and squid are running, as are lots of other packages. I want to extract an iso image on this server. But I haven't done it.

You are correct that direct manipulation of md(4) devices is not allowed in jail. However, you may be running on a version of FreeBSD in which tar(1) can be used to extract iso files, which is quite a bit more convenient for many uses.

Robert N M Watson
Computer Laboratory
University of Cambridge

> #mdconfig -a -t vnode -f big_bcbcv.iso
> #mdconfig: open(/dev/mdctl): No such file or directory
> #ls -l /dev/md*
> #ls -ls /dev/mdctl
> ls: /dev/mdctl: No such file or directory
>
> I am not familiar with jail. Only I can extract my iso file. I suppose that jail stops me, jail blocking me from accessing some resource, is it true?
> 1- how can I extract this iso file
> 2- does jail stop me? or any other trouble about my mdctl?
>
> regard
Re: Jail problem while starting
On Fri, 2008-06-20 at 01:02 +0500, Jo Pesko wrote:
> Hi,
>
> I'm using FreeBSD 7.0 and experiencing some problems with jail. The /etc/rc.d/jail script hangs when it tries to map the jail's interface to the alias address of my nic. The script starts successfully if I remove the alias

Hard to say. Paste your config and rc.d/* output?

~BAS

> address from rc.conf (or manually via ifconfig). Any info will be helpful. Thanks.
>
> Best Regards,
> Jo Pesko
Re: jail on ZFS - Unable to mount devfs
On Tue, January 8, 2008 02:43, snowcrash+freebsd wrote:
> i've moved from a fbsd 62r + jails system, to fbsd 70rc1.
>
> i've set up ZFS,
>
>   zfs list
>   NAME     USED  AVAIL  REFER  MOUNTPOINT
>   z       6.49G   212G   247M  /z
>   z/home  28.5K   212G  28.5K  /home
>   z/j      988M   212G   988M  /j
>   z/tmp    408K   212G   408K  /tmp
>   z/usr   5.17G   212G  5.17G  /usr
>   z/var    103M   212G   102M  /var
>
> now trying to setup jails. following threads,
>
>   http://groups.google.com/group/lucky.freebsd.current/browse_thread/thread/d6499483a264f3b9
>   http://lists.freebsd.org/pipermail/freebsd-current/2007-December/080920.html
>
> i have,
>
>   grep jail /etc/rc.conf
>   ifconfig_nfe0_alias0=inet 10.0.0.200 netmask 255.255.255.255 # jTEST
>   jail_enable=YES
>   jail_set_hostname_allow=NO
>   jail_list=TEST
>   jail_TEST_hostname=jTEST.internal.net
>   jail_TEST_ip=10.0.0.200
>   jail_TEST_rootdir=/j/jTEST
>   jail_TEST_devfs_enable=YES
>   jail_TEST_devfs_ruleset=zfsenable
>
> and,
>
>   cat /etc/devfs.rules
>   [zfsenable=10]
>   add path 'zfs' unhide
>
> i've populated my jail ROOT from previously created ServiceTemplates, exactly as i'd done on 62R, per instructions at,
>
>   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
>
> when i 1st try,
>
>   /etc/rc.d/jail start
>   Configuring jails: set_hostname_allow=NO.
>   Starting jails:df: /j/jTEST/dev: No such file or directory
>   mount: /j/jTEST/dev: No such file or directory
>   /etc/rc.d/jail: WARNING: devfs_domount(): Unable to mount devfs on /j/jTEST/dev
>   /etc/rc.d/jail: WARNING: devfs_mount_jail: devfs was not mounted on /j/jTEST/dev
>   cd: can't cd to /j/jTEST/dev
>   cannot start jail TEST: jail: getpwnam: root: No such file or directory
>
> there's a missing dir. not surprising, as step (4) @ .../handbook/jails-application.html had me
>
>   rm -R bin boot lib libexec mnt proc rescue sbin sys usr dev
>
> forcing it here (i don't think this is really what needs to be done) with,
>
>   mkdir -p /j/jTEST/dev
>
> just to test, then,
>
>   /etc/rc.d/jail start
>   Configuring jails:.
>   Starting jails: cannot start jail TEST: jail: getpwnam: root: No such file or directory

If I remember correctly there was no password file in the jail. I think you have to rerun a certain command. Of course I do not remember the command :( The command should create the master password database.

Also you have to run newaliases within the jail to create the aliases file, and do a touch /etc/fstab to stop complaints about being unable to read mountpoints.

No more information in /var/log/messages when starting the jails?

Furthermore I am not sure that you can run a jail on a zfs file system. The setup I have is that I run my jails on ufs and have a zfs filesystem available within the jail.

Rgds,
Patrick

> clearly gets farther, but still no luck starting the jails.
>
> apparently, something's changed in the process of devfs creation/mount now that i'm using ZFS? or, have i missed an obvious step? do i perhaps need to set /j/jTEST as a separate ZFS mountpoint? e.g.,
>
>   zfs create z/j/jTEST
>   zfs set mountpoint=/j/jTEST z/j/jTEST
>
> ? any suggestions ? thanks!
Re: jail on ZFS - Unable to mount devfs
hi patrick,

> If I remember correctly there was no password file in the jail. I think you have to rerun a certain command. Of course I do not remember the command :( The command should create the master password database.

using the ServiceJail model, after populating the jail skeleton and running mergemaster, the two commands i run are,

  /usr/bin/cap_mkdb /j/jSKEL/etc/login.conf
  /usr/sbin/pwd_mkdb -d /j/jSKEL/etc -p /j/j/etc/master.passwd

which should take care of that.

> Also you have to run newaliases within the jail to create the aliases file, and do a touch /etc/fstab to stop complaints about being unable to read mountpoints.

hm. i did not do that this time around. i'd built my jail-world with *both* NO_MAILWRAPPER=true NO_SENDMAIL=true, so i may have caused myself a problem. rather than cp'ing bins, to be safe, i'll just rebuild world ... and see in a bit if that helps. thanks.

> Furthermore I am not sure that you can run a jail on a zfs file system. The setup I have is that I run my jails on ufs and have a zfs filesystem available within the jail.

?? if that's true, then that renders the rest moot -- and i have a problem.

atm, i have

  cat /etc/fstab
  /dev/mirror/gm0s1a  /bootdir    ufs     rw         1 1
  /dev/mirror/gm0s1b  none        swap    sw         0 0
  /dev/acd0           /cdrom      cd9660  ro,noauto  0 0
  /j/jMROOT           /j/jTEST    nullfs  ro         0 0
  /j/s/jTEST          /j/jTEST/s  nullfs  rw         0 0

  zfs list
  NAME     USED  AVAIL  REFER  MOUNTPOINT
  z       5.23G   213G   250M  /z
  z/data    20K   213G    20K  /data
  z/home  28.5K   213G  28.5K  /home
  z/j       23K   213G    23K  /j
  z/tmp    406K   213G   406K  /tmp
  z/usr   4.88G   213G  4.88G  /usr
  z/var    105M   213G   105M  /var

where z/j is a zfs mount. i *can* access the jail, and do just about 'all' i need to in the jail (builds, exec, etc). but do *not* yet know whether, by running the jail on zfs space, i've compromised anything.

do you have a reference for your comment? or, perhaps, someone else can comment, as well?

thanks!
Re: jail on ZFS - Unable to mount devfs
On Tue, Jan 08, 2008 at 07:08:04AM -0800, snowcrash+freebsd wrote:
> hi patrick,
>
> > If I remember correctly there was no password file in the jail. I think you have to rerun a certain command. Of course I do not remember the command :( The command should create the master password database.
>
> using the ServiceJail model, after populating the jail skeleton and running mergemaster, the two commands i run are,
>
>   /usr/bin/cap_mkdb /j/jSKEL/etc/login.conf
>   /usr/sbin/pwd_mkdb -d /j/jSKEL/etc -p /j/j/etc/master.passwd
>
> which should take care of that.
>
> > Also you have to run newaliases within the jail to create the aliases file, and do a touch /etc/fstab to stop complaints about being unable to read mountpoints.
>
> hm. i did not do that this time around. i'd built my jail-world with *both* NO_MAILWRAPPER=true NO_SENDMAIL=true, so i may have caused myself a problem. rather than cp'ing bins, to be safe, i'll just rebuild world ... and see in a bit if that helps. thanks.
>
> > Furthermore I am not sure that you can run a jail on a zfs file system. The setup I have is that I run my jails on ufs and have a zfs filesystem available within the jail.
>
> ?? if that's true, then that renders the rest moot -- and i have a problem.
>
> atm, i have
>
>   cat /etc/fstab
>   /dev/mirror/gm0s1a  /bootdir    ufs     rw         1 1
>   /dev/mirror/gm0s1b  none        swap    sw         0 0
>   /dev/acd0           /cdrom      cd9660  ro,noauto  0 0
>   /j/jMROOT           /j/jTEST    nullfs  ro         0 0
>   /j/s/jTEST          /j/jTEST/s  nullfs  rw         0 0
>
>   zfs list
>   NAME     USED  AVAIL  REFER  MOUNTPOINT
>   z       5.23G   213G   250M  /z
>   z/data    20K   213G    20K  /data
>   z/home  28.5K   213G  28.5K  /home
>   z/j       23K   213G    23K  /j
>   z/tmp    406K   213G   406K  /tmp
>   z/usr   4.88G   213G  4.88G  /usr
>   z/var    105M   213G   105M  /var
>
> where z/j is a zfs mount. i *can* access the jail, and do just about 'all' i need to in the jail (builds, exec, etc). but do *not* yet know whether, by running the jail on zfs space, i've compromised anything.
>
> do you have a reference for your comment? or, perhaps, someone else can comment, as well?

I have a jail running in a ZFS environment.

  [EMAIL PROTECTED] ~ % jls
     JID  IP Address      Hostname                      Path
       3  192.168.1.100   asterisk                      /u/jails/asterisk
  [EMAIL PROTECTED] ~ % mount | grep data
  data on /u (zfs, NFS exported, local, noatime)
  [EMAIL PROTECTED] ~ % mount | grep devfs
  devfs on /dev (devfs, local)
  devfs on /u/jails/asterisk/dev (devfs, local)
  [EMAIL PROTECTED] ~ %

--
WXS
Re: jail on ZFS - Unable to mount devfs
hi wesley,

> I have a jail running in a ZFS environment.
>
>   [EMAIL PROTECTED] ~ % jls
>      JID  IP Address      Hostname                      Path
>        3  192.168.1.100   asterisk                      /u/jails/asterisk
>   [EMAIL PROTECTED] ~ % mount | grep data
>   data on /u (zfs, NFS exported, local, noatime)
>   [EMAIL PROTECTED] ~ % mount | grep devfs
>   devfs on /dev (devfs, local)
>   devfs on /u/jails/asterisk/dev (devfs, local)
>   [EMAIL PROTECTED] ~ %

here's what i have

  jls
     JID  IP Address      Hostname             Path
       1  10.0.0.200      jTEST.internal.net   /j/jTEST

  mount
  z on / (zfs, local)
  devfs on /dev (devfs, local)
  /dev/mirror/gm0s1a on /bootdir (ufs, local, soft-updates)
  z/data on /data (zfs, local)
  z/home on /home (zfs, local)
  z/j on /j (zfs, local)
  z/tmp on /tmp (zfs, local)
  z/usr on /usr (zfs, local)
  z/var on /var (zfs, local)
  /j/jMROOT on /j/jTEST (nullfs, local, read-only)
  /j/s/jTEST on /j/jTEST/s (nullfs, local)
  devfs on /j/jTEST/dev (devfs, local)

which, i think?, says the same. argh. confused. following too many threads with partial solutions ...

can you share your setup-a-jail-on-a-zfs'd-host steps?

thanks!