Re: 7.x and multiple IPs in jails
> Hi, there's a patch by Bjoern A. Zeeb, available at http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff which succeeds and works well with 7.1-PRERELEASE currently. I had similar issues to solve and patched several hosts with it, so far with success.

Sadly, SVN rev 184481 (of today) breaks these patches :-(

Is there an updated patch-set available or planned?

Michael

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: 7.x and multiple IPs in jails
On Thu, 30 Oct 2008, Michael Butler wrote:

Hi,

> > Hi, there's a patch by Bjoern A. Zeeb, available at http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff which succeeds and works well with 7.1-PRERELEASE currently. I had similar issues to solve and patched several hosts with it, so far with success.
>
> Sadly, SVN rev 184481 (of today) breaks these patches :-(
>
> Is there an updated patch-set available or planned?

I wonder if that was one of my MFCs - I guess so. One of the reasons I am doing those MFCs is to keep the diff between HEAD and 7 down to a minimum so that I have to ship fewer patches integrated into the jail patch for 7.

So yes the plan is to finish the MFCs and generate a new patch for 7 the next days (most likely beginning of next week).

Regards,
Bjoern

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
On Tue, 28 Oct 2008, Chris St Denis wrote:

Hi,

[ jail patches ]

> Serious question here (not trolling). These patches have been around for years, why have they never been committed to trunk/stable?

Well, the multi-ipv4 patch has been for a while - what we are talking about at the moment is more. If you look at older status reports they said something like there is the need for this at the moment but it's not considered to be the right thing.

There are multiple reasons for that, that I can think of:

1) some larger parts (of the network stack|kernel) get plastered with all kinds of if (this) if (that) checks complicating code, making it unreadable, having to be maintained, not ignored for security, ... It's important to really catch all the places, .. which it seems we had been doing well though not 100% well as I just found out currently preparing more if (this) if (that) checks for something not really important but still being a problem - since the first day it turns out.

2) there is questionable logic in them and while we had been living with it up to now, it came up during review process for the commit to HEAD (so it could be merged to stable) and it turns out that properly solving it isn't an easy or simple task and multiple people have been pondering over this for days now. Even after removing some optional code paths for simplicity things are still not always definite in what would happen.

3) just insert more other stuff here

Nonetheless they are very helpful and very usable (else I wouldn't have worked on it).

The plan as the status report will say is to get this in, merge it to stable/7 before 7.2 and keep it in 8. 8 will also have vimages and ideally I'd like to see this entire jail IP hacks be gone for 9, when vimage will provide the infrastructure, etc. This means that 8 would be the transition period. But that's just me and my ideas - we'll see how it'll go.

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
On Tue, 28 Oct 2008, Chris St Denis wrote:

> Serious question here (not trolling). These patches have been around for years, why have they never been committed to trunk/stable?

Network stacks are incredibly complicated pieces of software, and some of the short-cuts jail took to accomplish its goals without implementing true virtualization break down when generalized. The patches to date have made the code more complicated and added more edge cases, and we'd like to avoid adding more edge cases to the stack if we can avoid it, as every edge case offers the opportunity for bugs and maintenance issues.

The current patches Bjoern is preparing address most of these concerns, and they've been undergoing review and testing for a few months now. I'd like to think they will be in 8.x relatively shortly (next week or two), and in 7.x before 7.2.

Robert N M Watson
Computer Laboratory
University of Cambridge
Re: 7.x and multiple IPs in jails
On Wed, 29 Oct 2008, Robert Watson wrote:

> On Tue, 28 Oct 2008, Chris St Denis wrote:
>
> > Serious question here (not trolling). These patches have been around for years, why have they never been committed to trunk/stable?
>
> ...
>
> The current patches Bjoern is preparing address most of these concerns, and they've been undergoing review and testing for a few months now. I'd like to think they will be in 8.x relatively shortly (next week or two), and in 7.x before 7.2.

That is great news! I have always avoided running patches like this on anything that I expect to be maintaining over a long period of time, since you can't know for sure whether new patches will be developed going forward. Having this very useful feature become part of the base really helps me and anyone else doing VPS-type stuff.

I did find the vimage work eventually, but it's more than I need and I was not too certain about how stable it is at this point.

Thanks,

Charles

> Robert N M Watson
> Computer Laboratory
> University of Cambridge
Re: 7.x and multiple IPs in jails
Bjoern A. Zeeb wrote:

> On Tue, 28 Oct 2008, Chris St Denis wrote:
>
> Hi,
>
> [ jail patches ]
>
> > Serious question here (not trolling). These patches have been around for years, why have they never been committed to trunk/stable?
>
> Well, the multi-ipv4 patch has been for a while - what we are talking about at the moment is more. If you look at older status reports they said something like there is the need for this at the moment but it's not considered to be the right thing.
>
> There are multiple reasons for that, that I can think of:
>
> 1) some larger parts (of the network stack|kernel) get plastered with all kinds of if (this) if (that) checks complicating code, making it unreadable, having to be maintained, not ignored for security, ... It's important to really catch all the places, .. which it seems we had been doing well though not 100% well as I just found out currently preparing more if (this) if (that) checks for something not really important but still being a problem - since the first day it turns out.
>
> 2) there is questionable logic in them and while we had been living with it up to now, it came up during review process for the commit to HEAD (so it could be merged to stable) and it turns out that properly solving it isn't an easy or simple task and multiple people have been pondering over this for days now. Even after removing some optional code paths for simplicity things are still not always definite in what would happen.
>
> 3) just insert more other stuff here
>
> Nonetheless they are very helpful and very usable (else I wouldn't have worked on it).
>
> The plan as the status report will say is to get this in, merge it to stable/7 before 7.2 and keep it in 8. 8 will also have vimages and ideally I'd like to see this entire jail IP hacks be gone for 9, when vimage will provide the infrastructure, etc. This means that 8 would be the transition period. But that's just me and my ideas - we'll see how it'll go.
>
> /bz

Thanks for the info from all who responded.

I hadn't heard of vimage before, but after doing some searching on it it sounds like it will be a very good improvement to jails. If we can get resource limits on jails too in a near future release, Jails will become a competitive solution for VPS systems.
Re: 7.x and multiple IPs in jails
Bjoern A. Zeeb wrote:

> The plan as the status report will say is to get this in, merge it to stable/7 before 7.2 and keep it in 8. 8 will also have vimages and ideally I'd like to see this entire jail IP hacks be gone for 9, when vimage will provide the infrastructure, etc. This means that 8 would be the transition period. But that's just me and my ideas - we'll see how it'll go.

I'm not convinced vimage is the only kind of network virtualization we want to give the option of. The IP addresses assigned to jails seems a lighter weight alternative, and allows some things that vimage doesn't do easily, such as system processes that listen on the virtual addresses for some services, leaving the jail to handle others.

- Jamie
7.x and multiple IPs in jails
Hello all,

I've been searching around and have come up with no current discussions on this issue. I'll keep it brief:

In 7.0 or 7.1 is there any provision to have multiple IP addresses in a jail?

I'm stumped on this, as I just started a new hosting project that needs a few jails. At least one of those requires multiple IPs, which is something I never really even realized was not supported.

What puzzles me more is that before I decided to host this stuff myself, I was shopping for FreeBSD VPS providers, and I noticed that Verio is actually offering what looks like jails as VPSs, and they are offering multiple IPs. Is this something they hacked up and did not contribute back?

Is there any firewall hackery to be had that can at least let me do IP based virtual hosts for web hosting?

Thanks,

Charles
Re: 7.x and multiple IPs in jails
On Tue, 28 Oct 2008, Charles Sprickman wrote:

> Hello all,
>
> I've been searching around and have come up with no current discussions on this issue. I'll keep it brief:
>
> In 7.0 or 7.1 is there any provision to have multiple IP addresses in a jail?

Subscribe to the freebsd-jail mailing list and check the archives. You'll find patches there.

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
Charles Sprickman wrote:

> [...]
> Is there any firewall hackery to be had that can at least let me do IP based virtual hosts for web hosting?

A common solution is to put the jail on a localhost IP (e.g. 127.0.0.2, whatever). The apache inside is bound to several arbitrary port numbers. For example, the first virtual host listens on port 800, the next one on port 801, then 802, and so on. Everything on the same jail IP.

Then use packet filter and NAT rules to forward incoming connections from the real IP addresses to the respective port on your jail IP:

    11.22.33.44 : 80  -->  127.0.0.2 : 800
    11.22.33.45 : 80  -->  127.0.0.2 : 801
    11.22.33.46 : 80  -->  127.0.0.2 : 802
    11.22.33.47 : 80  -->  127.0.0.2 : 803
    ...

You should be able to do that with any of the included firewall packages (IPFW, IPF, PF). Personally I prefer IPFW, which is used like this:

    ipfw nat 1 config redirect_port tcp 127.0.0.2:800 11.22.33.44:80
    ipfw add nat 1 tcp from any to 11.22.33.44 80
    ipfw add nat 1 tcp from 127.0.0.2 800 to any

    ipfw nat 2 config redirect_port tcp 127.0.0.2:801 11.22.33.45:80
    ipfw add nat 2 tcp from any to 11.22.33.45 80
    ipfw add nat 2 tcp from 127.0.0.2 801 to any

.. and so on. Of course you can add additional NAT rules for port 443 (https). Works perfectly fine for me.

(You need to enable IPFIREWALL_NAT and LIBALIAS in your kernel, or load libalias.ko and ipfw_nat.ko with kldload.)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

[...] one observation we can make here is that Python makes an excellent pseudocoding language, with the wonderful attribute that it can actually be executed.
-- Bruce Eckel
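The forwarding layout from the post above, generalized to any list of public addresses, as an added example that is not part of the original thread: a small sh function that validates its arguments and prints the three ipfw commands per address in the post's pattern (rule lines use `ipfw add`, the form ipfw(8) takes for adding rules). The function names is_ipv4 and gen_jail_nat are made up for this example; it covers port 80 only and prints the commands without running them.

```sh
#!/bin/sh
# Added example: print the ipfw NAT commands for the loopback-jail layout
# from the post above. It only prints; nothing is applied to the firewall.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (digits and dots only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_jail_nat JAIL_IP FIRST_PORT PUBLIC_IP...
# One NAT instance per public IP: PUBLIC_IP:80 -> JAIL_IP:PORT, with PORT
# counting up from FIRST_PORT. All input is validated before any output, so
# a bad argument never leaves a half-written rule set.
gen_jail_nat() {
    [ "$#" -ge 3 ] || { echo "usage: gen_jail_nat JAIL_IP FIRST_PORT PUBLIC_IP..." >&2; return 2; }
    jail_ip=$1; port=$2
    shift 2
    is_ipv4 "$jail_ip" || { echo "bad jail IP: $jail_ip" >&2; return 1; }
    case "$port" in
        ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # The last port used is FIRST_PORT + count - 1 and must fit in 16 bits.
    [ $((port + $# - 1)) -le 65535 ] || { echo "port range exhausted" >&2; return 1; }
    seen=' '
    for pub in "$@"; do
        is_ipv4 "$pub" || { echo "bad public IP: $pub" >&2; return 1; }
        case "$seen" in
            *" $pub "*) echo "duplicate public IP: $pub" >&2; return 1 ;;
        esac
        seen="$seen$pub "
    done
    nat=1
    for pub in "$@"; do
        echo "ipfw nat $nat config redirect_port tcp $jail_ip:$port $pub:80"
        echo "ipfw add nat $nat tcp from any to $pub 80"
        echo "ipfw add nat $nat tcp from $jail_ip $port to any"
        nat=$((nat + 1)); port=$((port + 1))
    done
}

# The four addresses used in the post.
gen_jail_nat 127.0.0.2 800 11.22.33.44 11.22.33.45 11.22.33.46 11.22.33.47
```

Review the printed commands before feeding them to a shell on the jail host; a duplicate public address or a malformed argument makes the function exit non-zero with no rules printed.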
Re: 7.x and multiple IPs in jails
Hi,

there's a patch by Bjoern A. Zeeb, available at http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff which succeeds and works well with 7.1-PRERELEASE currently. I had similar issues to solve and patched several hosts with it, so far with success.

Bjoern has made an excellent work in patching all relevant parts, so you'll be able to use the stock rc.d/jail script as well as having an updated manpage and a jls -v which shows all the IPs while preserving compatibility with scripts making assumptions on the usual jls output.

Please see the freebsd-jail mailing list archives of the last weeks and months for more info. I hope very much that these patches will be included officially in RELENG_7 soon.

Regards,

Lorenzo

On 28.10.2008, at 07:32, Charles Sprickman wrote:

> Hello all,
>
> I've been searching around and have come up with no current discussions on this issue. I'll keep it brief:
>
> In 7.0 or 7.1 is there any provision to have multiple IP addresses in a jail?
>
> I'm stumped on this, as I just started a new hosting project that needs a few jails. At least one of those requires multiple IPs, which is something I never really even realized was not supported.
>
> What puzzles me more is that before I decided to host this stuff myself, I was shopping for FreeBSD VPS providers, and I noticed that Verio is actually offering what looks like jails as VPSs, and they are offering multiple IPs. Is this something they hacked up and did not contribute back?
>
> Is there any firewall hackery to be had that can at least let me do IP based virtual hosts for web hosting?
>
> Thanks,
>
> Charles
Re: 7.x and multiple IPs in jails
Lorenzo Perone wrote:

> Hi,
>
> there's a patch by Bjoern A. Zeeb, available at http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff which succeeds and works well with 7.1-PRERELEASE currently. I had similar issues to solve and patched several hosts with it, so far with success.
>
> Bjoern has made an excellent work in patching all relevant parts, so you'll be able to use the stock rc.d/jail script as well as having an updated manpage and a jls -v which shows all the IPs while preserving compatibility with scripts making assumptions on the usual jls output.
>
> Please see the freebsd-jail mailing list archives of the last weeks and months for more info. I hope very much that these patches will be included officially in RELENG_7 soon.

This seems to imply that, at last, IPv6 addresses can be used in jails - is that true?

Michael
Re: 7.x and multiple IPs in jails
On Tue, 28 Oct 2008, Michael Butler wrote:

> Lorenzo Perone wrote:
>
> > Hi,
> >
> > there's a patch by Bjoern A. Zeeb, available at http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff which succeeds and works well with 7.1-PRERELEASE currently. I had similar issues to solve and patched several hosts with it, so far with success.
> >
> > Bjoern has made an excellent work in patching all relevant parts, so you'll be able to use the stock rc.d/jail script as well as having an updated manpage and a jls -v which shows all the IPs while preserving compatibility with scripts making assumptions on the usual jls output.
> >
> > Please see the freebsd-jail mailing list archives of the last weeks and months for more info. I hope very much that these patches will be included officially in RELENG_7 soon.
>
> This seems to imply that, at last, IPv6 addresses can be used in jails - is that true?

yes

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
Bjoern A. Zeeb wrote:

> > This seems to imply that, at last, IPv6 addresses can be used in jails - is that true?
>
> yes

Woohoo! THANKS! :-)

Michael
Re: 7.x and multiple IPs in jails
Lorenzo Perone wrote:

> Hi,
>
> there's a patch by Bjoern A. Zeeb, available at http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff which succeeds and works well with 7.1-PRERELEASE currently. I had similar issues to solve and patched several hosts with it, so far with success.
>
> Bjoern has made an excellent work in patching all relevant parts, so you'll be able to use the stock rc.d/jail script as well as having an updated manpage and a jls -v which shows all the IPs while preserving compatibility with scripts making assumptions on the usual jls output.
>
> Please see the freebsd-jail mailing list archives of the last weeks and months for more info. I hope very much that these patches will be included officially in RELENG_7 soon.
>
> Regards,
>
> Lorenzo
>
> On 28.10.2008, at 07:32, Charles Sprickman wrote:
>
> > Hello all,
> >
> > I've been searching around and have come up with no current discussions on this issue. I'll keep it brief:
> >
> > In 7.0 or 7.1 is there any provision to have multiple IP addresses in a jail?
> >
> > I'm stumped on this, as I just started a new hosting project that needs a few jails. At least one of those requires multiple IPs, which is something I never really even realized was not supported.
> >
> > What puzzles me more is that before I decided to host this stuff myself, I was shopping for FreeBSD VPS providers, and I noticed that Verio is actually offering what looks like jails as VPSs, and they are offering multiple IPs. Is this something they hacked up and did not contribute back?
> >
> > Is there any firewall hackery to be had that can at least let me do IP based virtual hosts for web hosting?
> >
> > Thanks,
> >
> > Charles

Serious question here (not trolling).

These patches have been around for years, why have they never been committed to trunk/stable?