Re: jail.conf ignoring exec.fib?
--On 20 August 2013 18:02 +0100 Arthur Chance free...@qeng-ho.org wrote:

> And that's just made me think of something else - I have a horrible
> feeling that jexec will attach to the jail using whatever fib it's
> running under, i.e. the fib from the host environment. Do you have (or
> can you enable) ssh running in the jail? If so, log into the jail that
> way, and see what sysctl net.my_fibnum shows then, because you'll be
> running under the environment created by /etc/rc.

Ok, one word: Bingo. That was it.

I'll spare you the gory details of how I cut myself off from the machine, managed to create a jail with no access etc. etc. But yes, that was it - in summary:

  jail -c -v
    Does not actually *show* the fib being set, but will show an error
    if the setfib call fails.

  jexec
    Runs a process in the jail, using the prevailing fib - not the
    jail's fib. You can rectify this by using 'setfib X jexec jail tcsh'

I don't know if that last point should be considered a 'bug' or not...

Many thanks for your help!

-Karl

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
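A host-side check for the behaviour Karl summarises above (rc-started processes get the exec.fib FIB, while a plain jexec inherits the caller's FIB), added here as an example and not code from the thread. It assumes a FreeBSD host with jail(8), jls(8), jexec(8), setfib(1) and a ps(1) that accepts the 'fib' keyword; JAIL_CONF, jail_conf_fib and check_jail_fib are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.

# Print the exec.fib value of jail $1 from jail.conf text on stdin
# (nothing if the jail has no exec.fib). Handles the quoted form
# exec.fib = "1"; and '#' comments; does not handle one-line jail blocks.
jail_conf_fib() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                                   # drop comments
        /^[^ \t{}][^{]*[{]/ { name = $1; sub(/[ \t]*[{].*/, "", name); next }
        /^[ \t]*[}]/        { name = ""; next }
        name == want && /^[ \t]*exec\.fib[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); gsub(/[";\t ]/, "", v)
            print v; exit
        }'
}

# Compare the FIB jail.conf asks for with what is actually in effect.
# Run as root on the host; $1 is the jail name. JAIL_CONF (assumed name)
# overrides the config path. Returns 0 only if 'setfib N jexec' lands
# in the configured FIB.
check_jail_fib() {
    conf=${JAIL_CONF:-/etc/jail.conf}
    want=$(jail_conf_fib "$1" < "$conf")
    if [ -z "$want" ]; then
        echo "no exec.fib for jail $1 in $conf" >&2
        return 2
    fi
    jid=$(jls -j "$1" jid)
    echo "--- processes inside jail $1 (jid $jid) and the FIB each runs under:"
    ps -J "$jid" -o pid,fib,command       # assumes ps(1) knows the 'fib' keyword
    # A bare jexec keeps the caller's FIB (normally 0 on the host);
    # prefixing it with setfib(1) is the workaround from the thread.
    plain=$(jexec "$1" sysctl -n net.my_fibnum)
    fixed=$(setfib "$want" jexec "$1" sysctl -n net.my_fibnum)
    echo "exec.fib=$want  plain jexec sees fib $plain  'setfib $want jexec' sees fib $fixed"
    [ "$fixed" = "$want" ]
}

if [ $# -eq 1 ]; then
    check_jail_fib "$1"
fi
```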
Re: jail.conf ignoring exec.fib?
On 21/08/2013 11:35, Karl Pielorz wrote:
> --On 20 August 2013 18:02 +0100 Arthur Chance free...@qeng-ho.org wrote:
>
>> And that's just made me think of something else - I have a horrible
>> feeling that jexec will attach to the jail using whatever fib it's
>> running under, i.e. the fib from the host environment. Do you have (or
>> can you enable) ssh running in the jail? If so, log into the jail that
>> way, and see what sysctl net.my_fibnum shows then, because you'll be
>> running under the environment created by /etc/rc.
>
> Ok, one word: Bingo. That was it.
>
> I'll spare you the gory details of how I cut myself off from the
> machine, managed to create a jail with no access etc. etc. But yes, that
> was it - in summary:
>
>   jail -c -v
>     Does not actually *show* the fib being set, but will show an error
>     if the setfib call fails.
>
>   jexec
>     Runs a process in the jail, using the prevailing fib - not the
>     jail's fib. You can rectify this by using 'setfib X jexec jail tcsh'
>
> I don't know if that last point should be considered a 'bug' or not...

Certainly the jexec problem is going to bite people again and again, so you should probably file a PR for it.

As for the -v option, the man page says "Print a message on every operation", so it's down to what is or isn't regarded as an operation worth reporting.

> Many thanks for your help!

No problem, it helps me understand jails better as well.

-- 
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a new race of servants. Called Uruk-Oh-Hai in the Black Speech, they were cruel and delighted in torturing spelling and grammar.
_Lord of the Rings 2.0, the Web Edition_
Re: jail.conf ignoring exec.fib?
On 19/08/2013 21:02, Karl Pielorz wrote:
> --On 17 August 2013 17:32:18 +0100 Arthur Chance free...@qeng-ho.org wrote:
>
>> What do you get in the jail from
>>
>>   sysctl net.fibs
>>   sysctl net.my_fibnum
>>
>> ?
>
> I didn't know those sysctls existed :)

I only stumbled on them by doing

  sysctl -a | grep fib

It's often surprising what you find that way.

> If I fire up the jail, and jexec to it, and run the above - I get:
>
>   root@jail:/ # sysctl net.fibs
>   net.fibs: 4
>   root@jail:/ # sysctl net.my_fibnum
>   net.my_fibnum: 0
>
> (I have 'ROUTETABLES=4' in the Kernel, so the 4 above is correct).
>
> That's for a jail which has:
>
>   jail {
>       jid = 100;
>       exec.fib = 1;
>       ...
>
> In /etc/jail.conf
>
> So, on the surface it looks like 'exec.fib' is being ignored :(
>
> I tried it without quotes as well, to no avail.

In the source the exec.fib parameter is given as an integer, so the quotes probably shouldn't be there, but I'm not sure whether it matters.

There's definitely a setfib call in the source that's done if exec.fib exists. All I can think of right now is that you try firing up the jail using the -v verbose flag. This should show everything the jail command does as the jail is created.
Re: jail.conf ignoring exec.fib?
--On 20 August 2013 08:27 +0100 Arthur Chance free...@qeng-ho.org wrote:

> In the source the exec.fib parameter is given as an integer, so the
> quotes probably shouldn't be there, but I'm not sure whether it matters.

I tried it just as 'exec.fib = 1;' originally, and it makes no difference :(

> There's definitely a setfib call in the source that's done if exec.fib
> exists. All I can think of right now is that you try firing up the jail
> using the -v verbose flag. This should show everything the jail command
> does as the jail is created.

Ok, I tried that and got:

  root# jail -v -c jail
  jail: run command: /sbin/mount -t devfs -oruleset=4 . /usr2/jails/jail/dev
  jail: jail_set(JAIL_CREATE) persist name=jail devfs_ruleset=4 jid=100 path=/usr2/jails/jail host.hostname=jail.somedomain.com ip4.addr=192.186.0.20 allow.raw_sockets
  jail: created
  jail: run command in jail: /bin/sh /etc/rc
  Setting hostname: jail.somedomain.com
  ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
  32-bit compatibility ldconfig path: /usr/lib32
  Creating and/or trimming log files.
  ln: /dev/log: Operation not permitted
  Starting syslogd.
  Clearing /tmp (X related).
  Updating motd:.
  Starting cron.
  Tue Aug 20 11:39:20 UTC 2013
  jail: jail_set(JAIL_UPDATE) jid=100 nopersist

Certainly more detail, but no mention of FIBs :( - I tried it both with, and without quotes around the FIB value.

You can also see I have raw sockets available for debugging.

-Karl
Re: jail.conf ignoring exec.fib?
On 20/08/2013 12:50, Karl Pielorz wrote:
> --On 20 August 2013 08:27 +0100 Arthur Chance free...@qeng-ho.org wrote:
>
>> In the source the exec.fib parameter is given as an integer, so the
>> quotes probably shouldn't be there, but I'm not sure whether it matters.
>
> I tried it just as 'exec.fib = 1;' originally, and it makes no
> difference :(
>
>> There's definitely a setfib call in the source that's done if exec.fib
>> exists. All I can think of right now is that you try firing up the jail
>> using the -v verbose flag. This should show everything the jail command
>> does as the jail is created.
>
> Ok, I tried that and got:
>
>   root# jail -v -c jail
>   jail: run command: /sbin/mount -t devfs -oruleset=4 . /usr2/jails/jail/dev
>   jail: jail_set(JAIL_CREATE) persist name=jail devfs_ruleset=4 jid=100 path=/usr2/jails/jail host.hostname=jail.somedomain.com ip4.addr=192.186.0.20 allow.raw_sockets
>   jail: created
>   jail: run command in jail: /bin/sh /etc/rc
>   Setting hostname: jail.somedomain.com
>   ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
>   32-bit compatibility ldconfig path: /usr/lib32
>   Creating and/or trimming log files.
>   ln: /dev/log: Operation not permitted
>   Starting syslogd.
>   Clearing /tmp (X related).
>   Updating motd:.
>   Starting cron.
>   Tue Aug 20 11:39:20 UTC 2013
>   jail: jail_set(JAIL_UPDATE) jid=100 nopersist
>
> Certainly more detail, but no mention of FIBs :( - I tried it both
> with, and without quotes around the FIB value.
>
> You can also see I have raw sockets available for debugging.

I can't test this directly, as I'm running a generic kernel so only have one fib. However, if I add the invalid (under GENERIC)

  exec.fib = 1;

to my jail.conf and try launching the jail with -v I get (slightly cut)

  testjail: run command: /sbin/mount -t devfs -oruleset=4 . /jails/jail/testjail/root/dev
  testjail: jail_set(JAIL_CREATE) persist name=testjail enforce_statfs=2 ip6=disable path=/jails/jail/testjail/root host.hostname=testjail.home.qeng-ho.org allow.set_hostname=false ip4.addr=172.16.4.2 securelevel=1
  testjail: created
  testjail: run command in jail: /bin/sh /etc/rc
  jail: testjail: setfib: Invalid argument
  jail: testjail: /bin/sh /etc/rc: failed
  testjail: removed

so it certainly has tried the setfib and knows it has failed.

And that's just made me think of something else - I have a horrible feeling that jexec will attach to the jail using whatever fib it's running under, i.e. the fib from the host environment. Do you have (or can you enable) ssh running in the jail? If so, log into the jail that way, and see what sysctl net.my_fibnum shows then, because you'll be running under the environment created by /etc/rc.
Re: jail.conf ignoring exec.fib?
--On 17 August 2013 17:32:18 +0100 Arthur Chance free...@qeng-ho.org wrote:

> What do you get in the jail from
>
>   sysctl net.fibs
>   sysctl net.my_fibnum
>
> ?

I didn't know those sysctls existed :)

If I fire up the jail, and jexec to it, and run the above - I get:

  root@jail:/ # sysctl net.fibs
  net.fibs: 4
  root@jail:/ # sysctl net.my_fibnum
  net.my_fibnum: 0

(I have 'ROUTETABLES=4' in the Kernel, so the 4 above is correct).

That's for a jail which has:

  jail {
      jid = 100;
      exec.fib = 1;
      ...

In /etc/jail.conf

So, on the surface it looks like 'exec.fib' is being ignored :(

I tried it without quotes as well, to no avail.

-Karl
Re: jail.conf ignoring exec.fib?
Karl Pielorz wrote:
> --On 14 August 2013 08:58 -0400 Fbsd8 fb...@a1poweruser.com wrote:
>
>> The jail(8) man page lacks details about how to use exec.fib. It
>> requires either a new kernel (with options ROUTETABLES=2 or however
>> many you want), or a boot-time setting with net.fibs=2 in
>> /boot/loader.conf (requiring a reboot).
>
> Yup, done that :)
>
>> setfib 1 route add default 198.192.64.21 creates routing table number
>> 1 with that IP address. In this example exec.fib=1 would be coded. See
>> setfib(8) and setfib(2) for details.
>
> Yeah, I do that as well - but 'netstat -r -n' from within the jail
> shows the system's default routing table. As opposed to 'setfib 1
> netstat -r -n' (outside the jail) which shows fib either has no default
> gateway, or the one I set (which is right). Just within the jail, it
> only ever shows it's using the system's default routing table :(
>
> FIBs work fine outside the jail (i.e. I can show them, set differing
> default gateways) - but no matter what I do, the 'exec.fib=' line in
> jail.conf seems to be ignored, when the jail is run up - it only ever
> sees the default routing table :(
>
> -Karl

What you're describing seems that the netstat command issued from within the jail is not JAIL aware. Develop another way from the host to verify that jail's 'exec.fib=' parameter is working or not.
Re: jail.conf ignoring exec.fib?
On 14/08/2013 16:49, Karl Pielorz wrote:
> --On 14 August 2013 08:58 -0400 Fbsd8 fb...@a1poweruser.com wrote:
>
>> The jail(8) man page lacks details about how to use exec.fib. It
>> requires either a new kernel (with options ROUTETABLES=2 or however
>> many you want), or a boot-time setting with net.fibs=2 in
>> /boot/loader.conf (requiring a reboot).
>
> Yup, done that :)
>
>> setfib 1 route add default 198.192.64.21 creates routing table number
>> 1 with that IP address. In this example exec.fib=1 would be coded. See
>> setfib(8) and setfib(2) for details.
>
> Yeah, I do that as well - but 'netstat -r -n' from within the jail
> shows the system's default routing table. As opposed to 'setfib 1
> netstat -r -n' (outside the jail) which shows fib either has no default
> gateway, or the one I set (which is right). Just within the jail, it
> only ever shows it's using the system's default routing table :(
>
> FIBs work fine outside the jail (i.e. I can show them, set differing
> default gateways) - but no matter what I do, the 'exec.fib=' line in
> jail.conf seems to be ignored, when the jail is run up - it only ever
> sees the default routing table :(

What do you get in the jail from

  sysctl net.fibs
  sysctl net.my_fibnum

? You should be getting 2 and 1 respectively. If you are, what happens in the jail when you ping an address that's covered by the fib 0 default route but that should be unroutable in the jail? You will need to enable allow.raw_sockets for the jail temporarily to try that.
Re: jail.conf ignoring exec.fib?
Karl Pielorz wrote:
> I'm running 9.2-RC2 amd64 on a system, with a number of jails. The
> jails are set up using '/etc/jail.conf' - but the exec.fib in jail.conf
> seems to be being ignored?
>
> e.g. in /etc/jail.conf I have:
>
>   testjail {
>       jid = 100;
>       exec.fib = 1;   # Set FIB 1
>       path = /usr2/jails/testjail;
>       host.hostname = testjail.somedomain.com;
>       ip4.addr = 192.168.0.40;
>       mount.devfs;
>   }
>
> But if I run up that jail and connect to it, 'netstat -r -n' shows it's
> still using fib 0 (i.e. the default gateway is set).
>
> If before running the jail, I do 'setfib 1 route add default
> 192.186.0.90' - when the jail is run up, again - netstat within it still
> shows the system's default gateway, not the gateway from fib 1?
>
> -Karl

The jail(8) man page lacks details about how to use exec.fib. It requires either a new kernel (with options ROUTETABLES=2 or however many you want), or a boot-time setting with net.fibs=2 in /boot/loader.conf (requiring a reboot).

setfib 1 route add default 198.192.64.21 creates routing table number 1 with that IP address. In this example exec.fib=1 would be coded. See setfib(8) and setfib(2) for details.
Re: jail.conf ignoring exec.fib?
--On 14 August 2013 08:58 -0400 Fbsd8 fb...@a1poweruser.com wrote:

> The jail(8) man page lacks details about how to use exec.fib. It
> requires either a new kernel (with options ROUTETABLES=2 or however
> many you want), or a boot-time setting with net.fibs=2 in
> /boot/loader.conf (requiring a reboot).

Yup, done that :)

> setfib 1 route add default 198.192.64.21 creates routing table number
> 1 with that IP address. In this example exec.fib=1 would be coded. See
> setfib(8) and setfib(2) for details.

Yeah, I do that as well - but 'netstat -r -n' from within the jail shows the system's default routing table. As opposed to 'setfib 1 netstat -r -n' (outside the jail) which shows fib either has no default gateway, or the one I set (which is right). Just within the jail, it only ever shows it's using the system's default routing table :(

FIBs work fine outside the jail (i.e. I can show them, set differing default gateways) - but no matter what I do, the 'exec.fib=' line in jail.conf seems to be ignored, when the jail is run up - it only ever sees the default routing table :(

-Karl