RE: Ezjail freebsd-update
> I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since it had
> to be restarted anyway. I upgraded it with freebsd-update and compiled a
> custom kernel with no problem. However I haven't been able to find a procedure
> for updating jails when they've been set up with ezjail. I did 'ezjail-admin
> update -u' however it doesn't seem like that upgraded things like the /etc/
> dir inside jails. I'm not too worried since everything is working however if
> anyone can point me in the right direction I would appreciate it. I figure
> this will be especially important when moving to 9.0 when it's released.

I always use

ezjail-admin update -i

Then do the normal mergemaster steps for the jails:

mergemaster -iU -D /your/path/to/jail

You need to do that for every jail you have. So if you have three jails named
jail_1, jail_2 and jail_3, you do this three times:

mergemaster -iU -D /your/path/to/jail_1
mergemaster -iU -D /your/path/to/jail_2
mergemaster -iU -D /your/path/to/jail_3

regards,
Johan Hendriks

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
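The per-jail mergemaster loop Johan describes is easy to get wrong by hand once there are more than a couple of jails, so here is an added example script (not from the thread or the ezjail project) that refreshes the basejail with ezjail-admin update -i and then runs mergemaster -iU -D against every jail root. It assumes the default ezjail layout under /usr/jails and skips ezjail's own basejail, newjail and flavours directories, which are not running jails; DRYRUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: update the ezjail basejail, then merge /etc in every jail.
# Assumes the default ezjail layout (/usr/jails/<jailname>); change JAILROOT
# if your jails live elsewhere.

JAILROOT="${JAILROOT:-/usr/jails}"
DRYRUN="${DRYRUN:-0}"   # DRYRUN=1 prints each command instead of running it

# Run a command, or only print it in dry-run mode.
run() {
    if [ "$DRYRUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Print the root directory of every real jail under $1.  The basejail,
# newjail and flavours directories belong to ezjail itself and must not be
# handed to mergemaster.
list_jails() {
    for d in "$1"/*/; do
        d="${d%/}"
        [ -d "$d" ] || continue
        case "${d##*/}" in
            basejail|newjail|flavours) continue ;;
        esac
        printf '%s\n' "$d"
    done
}

# Step 1: rebuild the shared basejail from the binaries already installed on
# the host (ezjail-admin update -i).
# Step 2: for each jail, merge the jail's /etc against the host's /usr/src/etc
# (mergemaster -iU -D <jailroot>).  -i installs files that do not exist yet
# and -U updates files you never modified; everything else is still shown
# for review, so run this interactively.
update_jails() {
    root="$1"
    run ezjail-admin update -i || return 1
    list_jails "$root" | while IFS= read -r jail; do
        run mergemaster -iU -D "$jail" || exit 1
    done
}

# Run directly as:  sh update-jails.sh [/usr/jails]
case "$0" in
    *update-jails.sh) update_jails "${1:-$JAILROOT}" ;;
esac
```

Run it with DRYRUN=1 first to confirm the list of jails it will touch; a jail that was created with a non-default root (ezjail-admin create -r) will not be found by the directory scan and must be merged by hand.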
Re: Ezjail freebsd-update
On Sun, 21 Aug 2011, Rocky Borg spaketh thusly:

-}I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since it had
-}to be restarted any way. I upgraded it with freebsd-update and compiled a
-}custom kernel with no problem. However I haven't been able to find a procedure
-}for updating jails when they've been setup with ezjail. I did 'ezjail-admin
-}update -u' however it doesn't seem like that upgraded things like the /etc/
-}dir inside jails. I'm not too worried since everything is working however if
-}anyone can point me in the right direction I would appreciate it. I figure
-}this will be especially important when moving to 9.0 when it's released.

My understanding of ezjail is you just say ezjail-admin update. Ezjail then
grabs the sources and rebuilds everything. If you already have everything
built locally, e.g. you csup'd the sources, did the make buildworld, etc., you
can then just issue an ezjail-admin update -i. I'm not familiar with the -u
option to ezjail and my man pages do not show it as an option.

--
Randy (schu...@earlham.edu) 765.983.1283 * nosce te ipsum
Re: Ezjail freebsd-update
Actually you don't have to rebuild the basejail. You may simply rerun
ezjail-admin install, which will fetch the binary files for your release
(uname -r) and will apply them if needed.

On Sun, Aug 21, 2011 at 06:27:56PM -0700, Rocky Borg wrote:
> I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since it had
> to be restarted any way. I upgraded it with freebsd-update and compiled a
> custom kernel with no problem. However I haven't been able to find a procedure
> for updating jails when they've been setup with ezjail. I did 'ezjail-admin
> update -u' however it doesn't seem like that upgraded things like the /etc/
> dir inside jails. I'm not too worried since everything is working however if
> anyone can point me in the right direction I would appreciate it. I figure
> this will be especially important when moving to 9.0 when it's released.
Re: Ezjail and Flavours
On Fri, Apr 29, 2011 at 3:46 PM, Alejandro Imass <a...@p2ee.org> wrote:
> Hi,
>
> Answering myself here...
>
> [snip]
>
> My idea is to soft-link the complete /usr/local directory of the compiling
> jail in the specific flavour so after the packages get installed I can just
> copy everything else over /usr/local. It should be pretty safe either way I
> guess but probably there are people with a lot more experience with EzJail
> here ;-)

It DID NOT work :-(

First, Ezjail copies first and installs the packages on first start of the
jail. I knew this but had forgotten so it is logical that first copy the pkg
install, duh! Second, EzJail just copies the soft link and this of course will
not work just like that for obvious security reasons.

I erased the jail and tried a second time... So here is what I did and seems
to work:

1) Create your jail flavour standard with packages and all
2) Start the jail. This will install packages
3) Stop the jail
4) Copy the entire /usr/local of your compile jail to your new jail
5) Start the working jail

This seems easy enough and seems to be working perfectly!

What I have is different flavors of compiling jails: php52, php53, catalyst
5.8, apache22, etc. Those are never used for production. Only to compile and
generate the packages for the EzJail flavours.

The other option would be to physically copy the contents of /usr/local to the
flavour but I think it's a better idea to let the packages install and _then_
copy /usr/local over that.

Anyway, it's working so cool! Man, FBSD really rocks! Regardless of the
thousands of technical benefits, the clean cut separation of system and
applications, _and_ Jails is to me, one of the greatest things about FBSD.

--
Alejandro Imass

> Thanks!
>
> --
> Alejandro Imass
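The five steps above are a repeatable procedure, so here is an added example script (not Alejandro's own, and not part of ezjail) that performs them: create the jail from a flavour, start it once so the flavour's packages install, stop it, copy /usr/local from the compile jail, and start it again. The jail names, the address and the flavour name are constructed for illustration; it assumes both jails live under /usr/jails and that cpdup is installed on the host, and DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: build a production jail from a flavour, then overlay the
# compile jail's /usr/local on it.  Assumes the default /usr/jails layout.

JAILROOT="${JAILROOT:-/usr/jails}"
DRYRUN="${DRYRUN:-0}"   # DRYRUN=1 prints each command instead of running it

run() {
    if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# clone_from_flavour <newjail> <ip> <flavour> <compilejail>
#   1) create the jail from the flavour (its package list is applied at first
#      start, which is why a plain copy before starting does not work)
#   2) start it, so the flavour's packages get installed
#   3) stop it
#   4) copy /usr/local from the compile jail over the new jail's /usr/local
#   5) start the finished jail
clone_from_flavour() {
    new="$1"; ip="$2"; flavour="$3"; src="$4"
    if [ "$new" = "$src" ]; then
        echo "refusing to copy a jail onto itself" >&2
        return 1
    fi
    run ezjail-admin create -f "$flavour" "$new" "$ip" || return 1
    run ezjail-admin start "$new" || return 1
    run ezjail-admin stop "$new" || return 1
    # cpdup keeps ownership and modes; -o only adds/overwrites files and
    # never deletes, so whatever the flavour's packages installed survives
    # the copy.  The copy happens while the jail is stopped, so nothing in
    # the jail is running on half-replaced binaries.
    run cpdup -o "$JAILROOT/$src/usr/local" "$JAILROOT/$new/usr/local" || return 1
    run ezjail-admin start "$new"
}

# Run directly as:  sh clone-jail.sh <newjail> <ip> <flavour> <compilejail>
case "$0" in
    *clone-jail.sh) clone_from_flavour "$@" ;;
esac
```

Because the compile jail's /usr/local is copied wholesale, its package database (/var/db/pkg in the compile jail) is not; if you want pkg_info in the production jail to stay accurate, copy that directory as well or, as Alejandro does, build packages in the compile jail and list them in the flavour.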
Re: ezjail -vs- Do it yourself jail?
On Fri, Jul 9, 2010 at 9:50 AM, Ed Flecko <edfle...@gmail.com> wrote:
> I'm trying to set up a FreeBSD 8.0 server to run Apache that will be facing
> the nasty and unforgiving WWW. I have several good books on Apache that
> describe how to set up the jail, when I came across several websites that
> reference the ezjail package.
>
> Are there some caveats or downsides to using the ezjail route for setting up
> my server with Apache? It sure sounds like an easier way to go and less
> goof-proof, but as we all know, easier is not always better!

It depends on how you're using it. If all you intend on having is a single
jail with apache running in it, then it may be easier to use the standard
method. Remember that ezjail is just a wrapper around FreeBSD jails, a
management utility if you will. You can have both ezjail jails and traditional
jails running concurrently. You can experiment with both to find out which
method you like. I find ezjail more convenient in situations where there are
multiple jails running on a system. I imagine if you have found a use for one
jail, it won't be long until you find need for another.

--
Adam Vande More
Re: ezjail -vs- Do it yourself jail?
On 9-7-2010 17:13, Adam Vande More wrote:
> On Fri, Jul 9, 2010 at 9:50 AM, Ed Flecko <edfle...@gmail.com> wrote:
>> I'm trying to set up a FreeBSD 8.0 server to run Apache that will be facing
>> the nasty and unforgiving WWW. I have several good books on Apache that
>> describe how to set up the jail, when I came across several websites that
>> reference the ezjail package.
>>
>> Are there some caveats or downsides to using the ezjail route for setting
>> up my server with Apache? It sure sounds like an easier way to go and less
>> goof-proof, but as we all know, easier is not always better!
>
> It depends on how you're using it. If all you intend on having is a single
> jail with apache running in it, then it may be easier to use the standard
> method. Remember that ezjail is just a wrapper around FreeBSD jails, a
> management utility if you will. You can have both ezjail jails and
> traditional jails running concurrently. You can experiment with both to find
> out which method you like. I find ezjail more convenient in situations where
> there are multiple jails running on a system. I imagine if you have found a
> use for one jail, it won't be long until you find need for another.

One of the main advantages of ezjail is that it out of the box saves disk
space for more than one jail, because of the shared nullfs mounts. That can be
done by hand as well (the handbook shows how), but ezjail already invented the
wheel.

Peter

--
http://www.boosten.org
Re: ezjail -vs- Do it yourself jail?
On Fri, Jul 09, 2010 at 07:50:26AM -0700, Ed Flecko wrote:
> I'm trying to set up a FreeBSD 8.0 server to run Apache that will be facing
> the nasty and unforgiving WWW. I have several good books on Apache that
> describe how to set up the jail, when I came across several websites that
> reference the ezjail package.
>
> Are there some caveats or downsides to using the ezjail route for setting up
> my server with Apache? It sure sounds like an easier way to go and less
> goof-proof, but as we all know, easier is not always better!

It depends on how many jails you want to create. If you want to set up
multiple jails, ezjail can save you disk space and management effort. If you
are only setting up a single jail, I don't think ezjail will save much.

I've documented the process I used for setting up a virtual server manually on
one of my webpages:
http://www.xs4all.nl/~rsmith/unix/misc.xhtml#creatingavirtualserveronfreebsdwithajail8

Roland

--
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: ezjail
Aiza wrote:
> Ruben de Groot wrote:
>> On Mon, Mar 22, 2010 at 11:23:54AM +0100, Dhénin Jean-Jacques typed:
>>>> on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to 10.0.20.30
>>>> the ftp jail gives me no connection error.
>>>
>>> add sysctl security.jail.allow_raw_sockets=1 or in /etc/sysctl.conf on the
>>> host (not in the jail)
>>
>> This will enable him to ping another host from within the jail. It won't do
>> anything for ftp.
>>
>> OP: what exact error do you get? And does ftp work *within* the jail (ftp
>> localhost)?
>
> with sysctl security.jail.allow_raw_sockets=1 done on the host. From within
> the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives me "socket:
> Operation not permitted" mesg. And ftp from 10.0.10.6 to 10.0.20.30 the ftp
> jail gives me no connection error.
>
> Just how am I to determine if ftp works *within* the jail, ftp localhost?

For the archives. These are the results from the original poster.

My original goal was to test jails on the gateway for access only from the lan
users. I wanted a jailed ftp service for LAN users to upload and download
stuff between themselves. I already have a working lan users ftp setup on the
gateway server so this jail setup is not really needed. So it's not a problem
of knowing how to set up ftp.

My main vehicle of jail management was ezjail. Did not play with the native
jail command. The final outcome is I could not get jails to communicate over
the private LAN. Seeing as jails design uses public ip address, it's little
wonder it won't work with private LAN ip address. In time jails and ezjail
will mature and maybe evolve into working with jails with private ip address.
But for now jails don't serve my purposes.
Re: ezjail
Mark Shroyer wrote:
> On 3/21/2010 8:21 PM, Aiza wrote:
>> Does the ip address notation for the jail include the port number? Like
>> 10.0.20.2:80 Nat port forwarding is the long way around just to get the
>> correct port number to the jail ip address.
>
> Nope, jails are assigned one (or more) specific IP addresses, but not
> specific port numbers. So if you don't have a separate public IP for your
> jail, you'll be relying on some sort of packet filter to redirect traffic to
> its private IP address. This isn't as big a deal as it may sound, especially
> if you're already using PF, which has built-in packet redirection
> capabilities that do not require you to run a separate NAT daemon.

My host 8.0 system is the gateway to the public internet. I have ipfilter
running blocking all inbound requests for service. I only allow outbound
requests from the LAN behind the gateway and use keep state to allow the
packet conversation to continue. All this has worked fine for years across
many releases of FreeBSD.

Now comes playing with jails. I created 3 jails, www, ftp, telnet and used ip
addresses of 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to target those
jails from other PCs on the private LAN who are using ip addresses in the
10.0.10.2 through 10.0.10.8 range.

I used ezjail-admin onestart and all the jails start. Then did ezjail-admin
console ftp.local.com and got logged into that jail. Edited /etc/inetd.conf
and uncommented the ftp line. Edited /etc/rc.conf adding inetd_enable=YES and
exited the ftp jail. Did ezjail-admin onestop followed by ezjail-admin
onestart to cycle the ftp jail to activate the ftp function. ezjail-admin
console ftp.local.com to get logged into that jail again.

From within the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives me
no sockets mesg. And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives me no
connection error.

What is the problem here?
Re: ezjail
On Mon, Mar 22, 2010 at 05:47:09PM +0800, Aiza typed:
> Mark Shroyer wrote:
>> On 3/21/2010 8:21 PM, Aiza wrote:
>>> Does the ip address notation for the jail include the port number? Like
>>> 10.0.20.2:80 Nat port forwarding is the long way around just to get the
>>> correct port number to the jail ip address.
>>
>> Nope, jails are assigned one (or more) specific IP addresses, but not
>> specific port numbers. So if you don't have a separate public IP for your
>> jail, you'll be relying on some sort of packet filter to redirect traffic
>> to its private IP address. This isn't as big a deal as it may sound,
>> especially if you're already using PF, which has built-in packet
>> redirection capabilities that do not require you to run a separate NAT
>> daemon.
>
> My host 8.0 system is the gateway to the public internet. I have ipfilter
> running blocking all inbound requests for service. I only allow outbound
> requests from the LAN behind the gateway and use keep state to allow the
> packet conversation to continue. All this has worked fine for years across
> many releases of FreeBSD.
>
> Now comes playing with jails. I created 3 jails, www, ftp, telnet and used
> ip addresses of 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to target
> those jails from other PCs on the private LAN who are using ip addresses in
> the 10.0.10.2 through 10.0.10.8 range.
>
> I used ezjail-admin onestart and all the jails start. Then did ezjail-admin
> console ftp.local.com and got logged into that jail. Edited /etc/inetd.conf
> and uncommented the ftp line. Edited /etc/rc.conf adding inetd_enable=YES
> and exited the ftp jail. Did ezjail-admin onestop followed by ezjail-admin
> onestart to cycle the ftp jail to activate the ftp function. ezjail-admin
> console ftp.local.com to get logged into that jail again.
>
> From within the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives
> me no sockets mesg. And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives
> me no connection error.
>
> What is the problem here?

How are we supposed to know?

Ruben
Re: ezjail
2010/3/22 Ruben de Groot <mai...@bzerk.org>

>> My host 8.0 system is the gateway to the public internet. I have ipfilter
>> running blocking all inbound requests for service. I only allow outbound
>> requests from the LAN behind the gateway and use keep state to allow the
>> packet conversation to continue. All this has worked fine for years across
>> many releases of FreeBSD.
>>
>> Now comes playing with jails. I created 3 jails, www, ftp, telnet and used
>> ip addresses of 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to target
>> those jails from other PCs on the private LAN who are using ip addresses in
>> the 10.0.10.2 through 10.0.10.8 range.
>>
>> I used ezjail-admin onestart and all the jails start. Then did ezjail-admin
>> console ftp.local.com and got logged into that jail. Edited /etc/inetd.conf
>> and uncommented the ftp line. Edited /etc/rc.conf adding inetd_enable=YES
>> and exited the ftp jail. Did ezjail-admin onestop followed by ezjail-admin
>> onestart to cycle the ftp jail to activate the ftp function. ezjail-admin
>> console ftp.local.com to get logged into that jail again.
>>
>> From within the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives
>> me no sockets mesg. And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives
>> me no connection error.
>>
>> What is the problem here?
>
> How are we supposed to know?
>
> Ruben

add sysctl security.jail.allow_raw_sockets=1 or in /etc/sysctl.conf on the
host (not in the jail)

Cordialement
Dhénin Jean-Jacques
48, rue de la Justice 78300 Poissy
jean-jacq...@dhenin.fr
Re: ezjail
On Mon, Mar 22, 2010 at 11:23:54AM +0100, Dhénin Jean-Jacques typed:
>> on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to 10.0.20.30
>> the ftp jail gives me no connection error.
>
> add sysctl security.jail.allow_raw_sockets=1 or in /etc/sysctl.conf on the
> host (not in the jail)

This will enable him to ping another host from within the jail. It won't do
anything for ftp.

OP: what exact error do you get? And does ftp work *within* the jail (ftp
localhost)?
Re: ezjail
Ruben de Groot wrote:
> On Mon, Mar 22, 2010 at 11:23:54AM +0100, Dhénin Jean-Jacques typed:
>>> on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to
>>> 10.0.20.30 the ftp jail gives me no connection error.
>>
>> add sysctl security.jail.allow_raw_sockets=1 or in /etc/sysctl.conf on
>> the host (not in the jail)
>
> This will enable him to ping another host from within the jail. It won't do
> anything for ftp.
>
> OP: what exact error do you get? And does ftp work *within* the jail (ftp
> localhost)?

with sysctl security.jail.allow_raw_sockets=1 done on the host. From within
the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives me "socket:
Operation not permitted" mesg. And ftp from 10.0.10.6 to 10.0.20.30 the ftp
jail gives me no connection error.

Just how am I to determine if ftp works *within* the jail, ftp localhost?
Re: ezjail
Aiza <aiz...@comclark.com> writes:
> Now I would like to play with jails. One for postfix, apache, and ftp. My
> reading of EZJAIL and the jails section of the handbook lead me to believe I
> need a unique IP address for each jail. Is that correct?

No. As long as you use different ports for different jails/services you may
use one ip-address for those jails:

-----
% jls
   JID  IP Address      Hostname       Path
     1  192.168.100.10  ftp.xxx.ru     /jails/ftp.xxx.ru
     2  192.168.100.10  mx.xxx.ru      /jails/mx.xxx.ru
     3  192.168.100.10  http.xxx.ru    /jails/http.xxx.ru
-----

--
WBR, bsam
Re: ezjail
On Mon, Mar 22, 2010 at 08:40:58PM +0800, Aiza typed:
>> This will enable him to ping another host from within the jail. It won't do
>> anything for ftp.
>>
>> OP: what exact error do you get? And does ftp work *within* the jail (ftp
>> localhost)?
>
> with sysctl security.jail.allow_raw_sockets=1 done on the host. From within
> the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives me "socket:
> Operation not permitted" mesg.

weird. did you actually execute the sysctl statement or just put it in
/etc/sysctl.conf?

> And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives me no connection
> error.

This is not helpful. Copy/paste the exact error message (and what you did. We
are not psychics).

> Just how am I to determine if ftp works *within* the jail, ftp localhost?

As I said: from within the jail, execute the command ftp localhost. No rocket
science involved.
Re: ezjail
On 3/21/2010 1:10 AM, Aiza wrote:
> I don't have sources installed on my system. Just use the binary
> Freebsd-update function. At new releases I do a clean install. I only have a
> single public IP address.
>
> Now I would like to play with jails. One for postfix, apache, and ftp. My
> reading of EZJAIL and the jails section of the handbook lead me to believe I
> need a unique IP address for each jail. Is that correct?

Yes. But if you have only one public IP address, you can give the jail a
loopback interface with an address in 127.0.0/24 or one of the RFC 1918
private blocks (there's some debate as to which is the more correct type of
address to use, but either will work), then use NAT if you need your jail to
be able to access the Internet.

If it helps you to reason about this, keep in mind that your jail does *not*
have its own virtualized network stack, like with Solaris Zones for instance.
The best way to think about your jails is as a group of processes running on
the same operating system as the host, just with the restriction that (among
other things) they can only communicate with the outside world using a limited
subset of the IP addresses available to non-jailed processes.

> I have no need to build world or install world because it does this from
> /usr/src which i don't install. Is there some EZJAIL option to just copy
> over the running system binaries instead of the sources?

Until recently, the method for creating ezjail's basejail was to issue the
ezjail-admin update command, which compiles the basejail from /usr/src. Just
recently an ezjail-admin install command was added, which downloads binaries
from a FreeBSD FTP server instead. So you shouldn't need sources to get
started, however I'm not sure what the update mechanism is if you use the
install command.

> The handbook 15.4 Creating and Controlling Jails talks about “complete”
> jails, which resemble a real FreeBSD system, and “service” jails, dedicated
> to one application or service. Section 15.4 is the procedure for building a
> complete jail using the jail command. The 15.6 Application of Jails (service
> jails) talks about creating a root skeleton containing the host running
> files which are shared with all the guest jails in read only mode. This
> eliminates the massive duplication of running system files in each jail as
> in the complete jail system talked about in handbook section 15.4 Creating
> and Controlling Jails.
>
> Now reading the ezjail man pages I see that ezjail also creates a base
> template that is shared between all jails. Is this the same method talked
> about in the handbook section 15.6 Application of Jails (service jail)?

It's essentially the same approach. (With ezjail you'll still be duplicating
binaries between the host system and the basejail, but I wouldn't lose sleep
over it.)

--
Mark Shroyer
http://markshroyer.com/contact/
Re: ezjail
Mark Shroyer wrote:
> On 3/21/2010 1:10 AM, Aiza wrote:
>> I don't have sources installed on my system. Just use the binary
>> Freebsd-update function. At new releases I do a clean install. I only have
>> a single public IP address.
>>
>> Now I would like to play with jails. One for postfix, apache, and ftp. My
>> reading of EZJAIL and the jails section of the handbook lead me to believe
>> I need a unique IP address for each jail. Is that correct?
>
> Yes. But if you have only one public IP address, you can give the jail a
> loopback interface with an address in 127.0.0/24 or one of the RFC 1918
> private blocks (there's some debate as to which is the more correct type of
> address to use, but either will work), then use NAT if you need your jail
> to be able to access the Internet.
>
> If it helps you to reason about this, keep in mind that your jail does
> *not* have its own virtualized network stack, like with Solaris Zones for
> instance. The best way to think about your jails is as a group of processes
> running on the same operating system as the host, just with the restriction
> that (among other things) they can only communicate with the outside world
> using a limited subset of the IP addresses available to non-jailed
> processes.

You might find the below interesting. Only just begun reading/studying it
myself.

http://www.freebsd.org/releases/8.0R/relnotes-detailed.html#KERNEL

[snip]

-Mike
Re: ezjail
On 21/03/2010 21:53, Mark Shroyer wrote:
> Until recently, the method for creating ezjail's basejail was to issue the
> ezjail-admin update command, which compiles the basejail from /usr/src. Just
> recently an ezjail-admin install command was added, which downloads binaries
> from a FreeBSD FTP server instead. So you shouldn't need sources to get
> started, however I'm not sure what the update mechanism is if you use the
> install command.

you can use ezjail-admin update -u which uses freebsd-update, for some reason
this isn't in the manpage.

Vince
Re: ezjail
Mark Shroyer wrote:
> On 3/21/2010 1:10 AM, Aiza wrote:
>> I don't have sources installed on my system. Just use the binary
>> Freebsd-update function. At new releases I do a clean install. I only have
>> a single public IP address.
>>
>> Now I would like to play with jails. One for postfix, apache, and ftp. My
>> reading of EZJAIL and the jails section of the handbook lead me to believe
>> I need a unique IP address for each jail. Is that correct?
>
> Yes. But if you have only one public IP address, you can give the jail a
> loopback interface with an address in 127.0.0/24 or one of the RFC 1918
> private blocks (there's some debate as to which is the more correct type of
> address to use, but either will work), then use NAT if you need your jail
> to be able to access the Internet.
>
> If it helps you to reason about this, keep in mind that your jail does
> *not* have its own virtualized network stack, like with Solaris Zones for
> instance. The best way to think about your jails is as a group of processes
> running on the same operating system as the host, just with the restriction
> that (among other things) they can only communicate with the outside world
> using a limited subset of the IP addresses available to non-jailed
> processes.

Does the ip address notation for the jail include the port number? Like
10.0.20.2:80 Nat port forwarding is the long way around just to get the
correct port number to the jail ip address.

>> I have no need to build world or install world because it does this from
>> /usr/src which i don't install. Is there some EZJAIL option to just copy
>> over the running system binaries instead of the sources?
>
> Until recently, the method for creating ezjail's basejail was to issue the
> ezjail-admin update command, which compiles the basejail from /usr/src. Just
> recently an ezjail-admin install command was added, which downloads binaries
> from a FreeBSD FTP server instead. So you shouldn't need sources to get
> started, however I'm not sure what the update mechanism is if you use the
> install command.

I found the man ezjail-admin has this format

ezjail-admin install -h file://

Where -h file:// means get the binaries from the host system the jails are
running on. Am I correct?

>> The handbook 15.4 Creating and Controlling Jails talks about “complete”
>> jails, which resemble a real FreeBSD system, and “service” jails, dedicated
>> to one application or service. Section 15.4 is the procedure for building
>> a complete jail using the jail command. The 15.6 Application of Jails
>> (service jails) talks about creating a root skeleton containing the host
>> running files which are shared with all the guest jails in read only mode.
>> This eliminates the massive duplication of running system files in each
>> jail as in the complete jail system talked about in handbook section 15.4
>> Creating and Controlling Jails.
>>
>> Now reading the ezjail man pages I see that ezjail also creates a base
>> template that is shared between all jails. Is this the same method talked
>> about in the handbook section 15.6 Application of Jails (service jail)?
>
> It's essentially the same approach. (With ezjail you'll still be duplicating
> binaries between the host system and the basejail, but I wouldn't lose sleep
> over it.)

My understanding of handbook section 15.6 Application of Jails (service
jails) is a copy of the host binaries is populated into the basejail and all
the other jails have read only access to it. Each guest jail also has a
read/write space for installing ports/packages unique to that jail including
/var /usr /etc. Am I correct? Is this how ezjail is configured now?
Re: ezjail
On 3/21/2010 8:21 PM, Aiza wrote:
> Does the ip address notation for the jail include the port number? Like
> 10.0.20.2:80 Nat port forwarding is the long way around just to get the
> correct port number to the jail ip address.

Nope, jails are assigned one (or more) specific IP addresses, but not specific
port numbers. So if you don't have a separate public IP for your jail, you'll
be relying on some sort of packet filter to redirect traffic to its private IP
address. This isn't as big a deal as it may sound, especially if you're
already using PF, which has built-in packet redirection capabilities that do
not require you to run a separate NAT daemon.

> I found the man ezjail-admin has this format
>
> ezjail-admin install -h file://
>
> Where -h file:// means get the binaries from the host system the jails are
> running on. Am I correct?

Yes, according to the man page. I haven't tried it yet myself, since I set up
my basejail before this option was available.

> My understanding of handbook section 15.6 Application of Jails (service
> jails) is a copy of the host binaries is populated into the basejail and all
> the other jails have read only access to it. Each guest jail also has a
> read/write space for installing ports/packages unique to that jail including
> /var /usr /etc. Am I correct? Is this how ezjail is configured now?

Yes, that's correct.

--
Mark Shroyer
http://markshroyer.com/contact/
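Mark's point that a jail owns addresses, not ports, means the packet filter decides which jail service is reachable from outside. The following added example (not from the thread, and not ezjail or PF project code) is a small shell generator for the PF translation rules that do this on a host with one public interface: an rdr rule per exposed jail port plus one outbound nat rule. The interface name em0, the jail names, the 10.0.20.0/24 addresses and the ports are constructed for illustration, as is the decision to expose only one port per jail.

```shell
#!/bin/sh
# Added example: emit pf.conf translation rules for jails on private
# addresses behind a single public IP.  Values below are constructed.

EXT_IF="${EXT_IF:-em0}"        # assumed name of the host's public interface
JAILNET="${JAILNET:-10.0.20.0/24}"

# One jail per line: name, private address, the single TCP port to expose.
# Anything not listed here is never redirected, so a jail's other listeners
# stay reachable only from the host and the jail network.
JAILS='www 10.0.20.20 80
ftp 10.0.20.30 21'

# rdr rules: traffic arriving on the public interface for the listed port is
# rewritten to the jail's private address before filtering.  "rdr pass"
# also passes the redirected packets, so no separate pass rule is needed.
rdr_rules() {
    printf '%s\n' "$JAILS" | while read -r name ip port; do
        [ -n "$name" ] || continue
        printf 'rdr pass on %s proto tcp from any to (%s) port %s -> %s port %s # %s\n' \
            "$EXT_IF" "$EXT_IF" "$port" "$ip" "$port" "$name"
    done
}

# nat rule: outbound connections from the jail network leave with the host's
# public address, which is what lets a jail on a private IP reach the
# Internet (Mark's "then use NAT" above).
nat_rule() {
    printf 'nat on %s from %s to any -> (%s)\n' "$EXT_IF" "$JAILNET" "$EXT_IF"
}

# Full fragment.  In pf.conf translation (nat/rdr) rules must come before
# the filter rules, so paste this block above your pass/block rules.
pf_conf() {
    printf '# jail translation rules (generated)\n'
    nat_rule
    rdr_rules
}

pf_conf
```

Check the result with pfctl -nf before loading it. Two caveats: FTP data connections do not survive a plain port redirect, so an ftp jail behind NAT needs PF's ftp-proxy as well; and clients on a LAN the gateway already routes (the 10.0.10.x hosts in the thread) can reach a jail's private address directly, so no rdr is needed for them, only a pass rule.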
Re: ezjail
>> I found the man ezjail-admin has this format
>>
>> ezjail-admin install -h file://
>>
>> Where -h file:// means get the binaries from the host system the jails are
>> running on. Am I correct?
>
> Yes, according to the man page. I haven't tried it yet myself, since I set
> up my basejail before this option was available.

Well I tried it. The man page does not explain it clearly. What the -h really
means is the -h file:// is the location for the release-8.0/base/ files. These
files are not part of the base release directory tree that are part of the
running system. They are only on the .iso install image such as the disc1.iso.
I mounted the Release 8.0 disc1 install cd and changed into directory cd
/cdrom/8.0-RELEASE and issued ezjail-admin install -h file:// and it ran
creating 3 jails, /usr/jails/basejail, /usr/jails/newjail,
/usr/jails/flavours. This is not the same as copying the binaries from the
host system.

Next step is to ID directory names in the basejail and recreate basejail using
the cpdup command to copy the host binaries. I see 2 questionable directories
in the basejail, boot and rescue. Can I remove them from the basejail?
Re: ezjail bsd 8.0
On Fri, 18 Dec 2009 12:44:51 - Graeme Dargie a...@tangerine-army.co.uk wrote:

> I am trying to get ezjail running on bsd 8.0 and I keep hitting the same wall
>
>   FreeBSD amalthea.galaxy.lan.lcl 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 /usr/obj/usr/src/sys/GENERIC amd64
>
> I have updated /usr/src using csup. When I issue a ezjail-admin update -ip it runs for a while then dies with
>
>   Installing everything
>   -- cd /usr/src; make -f Makefile.inc1 install
>   === share/info (install)
>   install -o root -g wheel -m 444 dir-tmpl /usr/jails/fulljail/usr/share/info/dir
>   install: No such file or directory
>   *** Error code 1
>   Stop in /usr/src/share/info.
>   *** Error code 1
>   Stop in /usr/src.
>   *** Error code 1
>   Stop in /usr/src.
>   *** Error code 1
>   Stop in /usr/src.
>   *** Error code 1
>
> Now I suspect it is something stupid I have done or not done but I can't seem to see what it is.
>
> Regards
> Graeme

Did you do make buildworld in /usr/src after csup?
Re: Ezjail, Perl, upgrading best practices advise please
On 10/2/09, Troy Kocher t...@kocherfamily.org wrote:

> All,
>
> Couple issues:
> 1) I need some understanding on how to deploy and upgrade perl properly in this jailed environment.
> 2) I need some help on my current tangle of Perl library complaints
>
> Issue #1: In a jailed environment how many installations of perl are recommended (ie 1 host system 2 basejail 3 each jail)? My sense would be that one on the host and one in the basejail, would be the most efficient. If that is the case how do I upgrade the perl in the basejail? How do I handle different versions of perl installed in each of the jails?

Your questions indicate you setup a base jail and nullfs mount the points to the other jails. Although it is written it can be done, I have to ask why you decided to do it this way? base distribution only takes about 128MB of disk space, and nearly nothing for RAM (by today's disk and RAM sizes).

I recommend each jail have their own world installed, preferably the same world because since the jails share the world with the hosts' kernel, and world+kernel must be kept in sync, setup a host on release, and all jails on a release too. I'm currently experimenting (for fun) a -stable host, and -release jails, which is unsupported.

It gets a tad annoying when you manage multiple jails that it has no concept of already built ports and to use them, so I find myself cancelling out of a lot of builds to install the package created from another jail.

> Issue #2: My lack of understanding has me in a mess currently. My host environment is using (perl-threaded-5.8.9_3), in jail #1 I have (perl-5.8.9_3) when I try to use cpan here is what happens:
>
>   jail1# perl -MCPAN -e 'shell'
>   Terminal does not support AddHistory.
>
>   cpan shell -- CPAN exploration and modules installation (v1.9301)
>   ReadLine support available (maybe install Bundle::CPAN or Bundle::CPANxxl?)
>
>   print() on closed filehandle FOUT at /usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 193.
>   readline() on closed filehandle FIN at /usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 301.
>   print() on closed filehandle FOUT at /usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 203.
>   Terminal does not support GetHistory.
>   Lockfile removed.

Can't comment on this, seems a missing dependency and other problems.

> In Jail #2 another issue:
>
>   jail2# pkg_info | grep perl
>   mod_perl2-2.0.3_3,3          Embeds a Perl interpreter in the Apache2 server
>   p5-DBI-1.60.1                The perl5 Database Interface. Required for DBD::* modules
>   p5-Devel-Symdump-2.0800      A perl5 module that dumps symbol names or the symbol table
>   p5-Error-0.17012             Perl module to provide Error/exception support for perl: Er
>   p5-GD-2.35_1                 A perl5 interface to Gd Graphics Library version2
>   p5-GD-Graph-1.44.01_1        Graph plotting module for perl5
>   p5-MIME-Tools-5.426,2        A set of perl5 modules for MIME
>   p5-Scalar-List-Utils-1.19,1  Perl subroutines that would be nice to have in the perl cor
>   p5-Storable-2.18             Persistency for perl data structures
>   p5-Term-ReadKey-2.30         A perl5 module for simple terminal control
>   p5-Test-Harness-3.10         Run perl standard test scripts with statistics
>   p5-Test-Simple-0.80          Basic utilities for writing tests in perl
>   p5-Time-HiRes-1.9712,1       A perl5 module implementing High resolution time, sleep, an
>   perl-5.8.8_1
>
> then I try cpan
>
>   jail2# perl -MCPAN -e 'shell'
>   /libexec/ld-elf.so.1: Shared object "libm.so.4" not found, required by "perl"

A jail that has been updated from (for example) a 6.x release to a 7.x release with ports from 6.x will look for the shared libraries from 6.x, when 7.x has them updated and possibly renamed. Has jail2 been updated?

> Troubleshooting this complaint on jail2 I discovered the time stamp on the host was different than the time stamp on the basejail.

what time stamp? of what? where?

> Anyway I'm puzzled, and I'm not really sure where to go from here. I'd appreciate any help.
>
> Thanks
> Troy

It won't be a "do these and you'll be fixed" - given the initial post. I'm trying to gain more information before I can help.
Re: ezjail / 6.2-RELEASE-p3
On Tue, Apr 17, 2007 at 06:19:44PM +0200, Oliver Peter wrote:

> Dear,
>
> Is there a possibility to use a self-built release (from source) with ezjail instead of the ftp-RELEASEs? I didn't find prebuilt binary packages for 6.2-RELEASE-p3 on the ftp sites so I'm thinking about building my own.

'make release', look for documentation on the website.

Kris
Re: ezjail on FreeBSD 6.2
Hello Dave... responses below

On 4/4/07, Dave [EMAIL PROTECTED] wrote:

> Hello,
>
> Is anyone running ezjail on 6.2?

Yes, 6.2-stable GENERIC. At install time I created a separate partition for /usr/jails which makes it default to the ezjail-admin create jail default location.

> I've got to set up three similar jails and I'd like to run them off of one base. I'd like to create a jail flavor, where one jail has file x while the others do not.

My limited understanding of Flavours... These are like templates to quickly rebuild or create 'like' jail containers. While yours may be similar, what x is (and how big) may make them different.

> Two problems I'm having with flavors is one adding packages such as shells

Got me here. Something I need to learn as well.

> , and two adding users and giving them the shells just added?

I would think the adding users could either be done from an ssh session into a running jail, or using # jexec JID adduser. I'm not sure how to do the shells, except to say that I know I read somewhere... where you can setup/change the default shell, then for each new user added, they would get this profile.

> I'd also like it if I could mount my host system's ports tree in the jail itself, so I wouldn't have to get multiple copies of the ports tree. The only way I've found thus far of doing this is via nullfs on the base system and was wondering if there was an easier method of doing this?

Now this one I know can be done a couple of different ways. First is in the FAQ. The other is in a post I just made last week for the same reason. I read man ezjail-admin. Just issue the following:

  # ezjail-admin update -p

This will update existing ezjails to have access to the host ports tree. From within a running jail, when you type # cd /usr/ports, you will really be going to /basejail/usr/ports. pkg_add -r and make/make install clean all work fine.

Ezjail also has a list you can join, if interested... although it is not very active. Responses are reasonably quick, given the support is free :)

Regards
Don
Re: ezjail ip conflicts
Robin Becker wrote:

> I'm getting these ip conflicts whilst trying to create a jail
>
>   ezjail-admin create xxx.xxx.xxx.27
>   Warning: IP xxx.xxx.xxx.27 not configured on a local interface.
>   Warning: Some services already seem to be listening on all IP, (including xxx.xxx.xxx.27)
>     This may cause some confusion, here they are:
>   mysql    mysqld     505   10 tcp4   *:3306     *:*
>   root     syslogd    291   6  udp4   *:514      *:*
>
> my rc.conf has
>
>   ifconfig_fxp0="inet xxx.xxx.xxx.26 netmask 255.255.255.248"
>   defaultrouter="xxx.xxx.xxx.25"
>   inetd_flags="-wW -a xxx.xxx.xxx.26"
>
> so I believe the xxx.xxx.xxx.27 address is OK, but I guess I need to make mysqld and syslogd listen only on xxx.xxx.xxx.26. I don't actually understand what's preventing sshd from listening on all the addresses in range unless it's the inetd flags, but I thought sshd is started by init nowadays.
>
> Anyhow I think I can fix the mysqld problem by having mysql_args=--bind-address=xxx.xxx.xxx.26 in the rc.conf, but I don't see any easy way to configure syslogd to start with a -b xxx.xxx.xxx.26
>
> how do I fix this or perhaps I don't need to?

syslogd_flags=-ss in rc.conf
sshd is configured in /etc/ssh/sshd_config.

Ta,
Joe
Re: ezjail ip conflicts
Robin Becker wrote:

> I'm getting these ip conflicts whilst trying to create a jail
>
>   ezjail-admin create xxx.xxx.xxx.27
>   Warning: IP xxx.xxx.xxx.27 not configured on a local interface.
>   Warning: Some services already seem to be listening on all IP, (including xxx.xxx.xxx.27)
>     This may cause some confusion, here they are:
>   mysql    mysqld     505   10 tcp4   *:3306     *:*
>   root     syslogd    291   6  udp4   *:514      *:*
>
> my rc.conf has
>
>   ifconfig_fxp0="inet xxx.xxx.xxx.26 netmask 255.255.255.248"
>   defaultrouter="xxx.xxx.xxx.25"
>   inetd_flags="-wW -a xxx.xxx.xxx.26"
>
> so I believe the xxx.xxx.xxx.27 address is OK, but I guess I need to make mysqld and syslogd listen only on xxx.xxx.xxx.26. I don't actually understand what's preventing sshd from listening on all the addresses in range unless it's the inetd flags, but I thought sshd is started by init nowadays.

If you're using sshd as a daemon have a look at ListenAddress directive in /etc/ssh/sshd_config. You can have multiple of those.

> Anyhow I think I can fix the mysqld problem by having mysql_args=--bind-address=xxx.xxx.xxx.26 in the rc.conf, but I don't see any easy way to configure syslogd to start with a -b xxx.xxx.xxx.26

How about adding 'syslogd_flags' in /etc/rc.conf? Those are the defaults:

  # grep syslogd /etc/defaults/rc.conf
  syslogd_enable="YES"                # Run syslog daemon (or NO).
  syslogd_program="/usr/sbin/syslogd" # path to syslogd
  syslogd_flags="-s"                  # Flags to syslogd (if enabled).

Also, if you don't need it to bind at all it's better to use '-ss'.

> how do I fix this or perhaps I don't need to?

You could filter traffic at firewall but it's always better to have a simpler setup.

HTH,
Karol

-- 
Karol Kwiatkowski   karol.kwiat at gmail dot com
OpenPGP 0x06E09309
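The warning quoted in this thread comes from ezjail noticing host daemons bound to the wildcard address (`*:port`): such a daemon also answers on every alias, including the address a new jail is about to get, so the same service inside the jail cannot bind that port. The script below is an added example, not ezjail's own code: it runs the same kind of check over `sockstat -4 -l` style output and tells you whether a given port is free for the jail. The sample socket table is constructed for the example and mirrors the two lines from the question.

```shell
#!/bin/sh
# Added example (not from the thread or from ezjail): find host daemons
# listening on the wildcard address, which would shadow the same port on
# any jail IP, and test whether a port is clear for a jail service.

# Constructed sample modelled on 'sockstat -4 -l' output (not a real capture).
# The last two rows show daemons already pinned to the host address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     505   10 tcp4   *:3306                *:*
root     syslogd    291   6  udp4   *:514                 *:*
root     sshd       412   4  tcp4   192.0.2.26:22         *:*
www      httpd      601   3  tcp4   192.0.2.26:80         *:*'

# Read sockstat-style text on stdin and print one line per wildcard listener:
#   USER COMMAND PID PROTO PORT
# Column 6 is the local address; "*:PORT" means bound to every address.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $1, $2, $3, $5, a[2] }'
}

# Return 0 if no wildcard listener on the host would shadow PORT, 1 if one would.
# Usage: port_clear_for_jail PORT < sockstat-output
port_clear_for_jail() {
    _port="$1"
    ! wildcard_listeners | awk -v p="$_port" '$5 == p { found = 1 } END { exit !found }'
}

# Print the rc.conf-style hint the replies above give for pinning a daemon
# to one address, so the report is actionable. Only the two daemons named
# in the thread are covered; anything else gets a generic hint.
bind_hint() {
    case "$1" in
        syslogd) echo 'syslogd_flags="-ss"  (or -b HOST_IP to keep network logging)' ;;
        mysqld)  echo 'mysql_args="--bind-address=HOST_IP"' ;;
        *)       echo 'check the daemon for a listen/bind-address option' ;;
    esac
}

# Report every wildcard listener with its hint. Usage: report < sockstat-output
report() {
    wildcard_listeners | while read -r _user _cmd _pid _proto _port; do
        printf '%s (pid %s) listens on *:%s/%s -> %s\n' \
            "$_cmd" "$_pid" "$_port" "$_proto" "$(bind_hint "$_cmd")"
    done
}
```

On a live host you would pipe real output in with `sockstat -4 -l | report`, and run `sockstat -4 -l | port_clear_for_jail 80 || echo "port 80 is taken on all IPs"` before starting a jail that needs that port.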
Re: ezjail ip conflicts
Joe Holden wrote:

> > how do I fix this or perhaps I don't need to?
>
> syslogd_flags=-ss in rc.conf
> sshd is configured in /etc/ssh/sshd_config.

I looked in vain in /etc/rc.d/syslogd for references to syslogd_ and didn't find any, but now I see $rc_flags which I guess must be what is used. Thanks Joe and Karol.

I now get a message saying

  Warning: IP 209.67.217.27 not configured on a local interface.

but I think that just means I don't have an alias set up yet.

-- 
Robin Becker
Re: ezjail ip conflicts
In response to Robin Becker [EMAIL PROTECTED]:

> I now get a message saying
>
>   Warning: IP 209.67.217.27 not configured on a local interface.
>
> but I think that just means I don't have an alias set up yet.

Yes. That's what that means. It's rather deceiving, because you don't actually need to create an alias, ezjail will do it for you when you start up the jail.

Actually, now that I think of it, I'd call it a bug.

-- 
Bill Moran
http://www.potentialtech.com
Re: ezjail ip conflicts
Robin Becker wrote:

> Joe Holden wrote:
>
> > > how do I fix this or perhaps I don't need to?
> >
> > syslogd_flags=-ss in rc.conf
> > sshd is configured in /etc/ssh/sshd_config.
>
> I looked in vain in /etc/rc.d/syslogd for references to syslogd_ and didn't find any, but now I see $rc_flags which I guess must be what is used. Thanks Joe and Karol.
>
> I now get a message saying
>
>   Warning: IP 209.67.217.27 not configured on a local interface.
>
> but I think that just means I don't have an alias set up yet.

BTW, all the potential flags for rc.conf are in /etc/defaults/rc.conf ;)

Not sure about the ezjail error, only ever done them manually.

Ta,
Joe