On Thu, 29 May 2008, Oliver Fromme wrote:
Pawel Jakub Dawidek wrote:
> On Mon, May 26, 2008 at 11:57:49AM +0000, Michael Reifenberger wrote:
> > mr 2008-05-26 11:57:49 UTC
> >
> > FreeBSD src repository
> >
> > Modified files:
> > usr.sbin/jexec jexec.8 jexec.c
> > Log:
> > Extend jexec to accept hostname or ip-number besides jail-id.
>
> As many already suggested using IP numbers and hostnames can be tricky
> (and risky).

I think that an admin who decides to use jexec with IP numbers or hostnames should be expected to be aware that there can be ambiguities, and that he should make sure that his IP numbers and/or hostnames are unique.
I think that's a bad policy but ... As it already fetched the entire data from the kernel, it would be easy to walk the list to the end and barf on duplicates.
Now with the above new jexec feature, those scripts can be simplified greatly. Of course I _do_ make sure that all of my jails have unique hostnames.
lucky you your jail goes away immediately when you stop it and the TCP socket has to be torn down, still and you restarted it and end up in the 'dead' one.
However, I do share the concern that there's an ambiguity in the syntax: "127" can be a jail ID as well as an IP number (same as 0.0.0.127) or a hostname. Either the
actually 127.0.0.0
syntax should be changed so the meaning of the argument is clear, or the manpage should be updated to include a warning and a clear description of the order in which the argument is tried to match. A simple way to resolve it would be to require at least one dot for IP numbers, otherwise it is matched as a jail ID. In practice I've never seen people using single numbers (without dots) for IP numbers. In fact I've been stared at with disbelief by coworkers many times when using 127.1 as a shortcut for 127.0.0.1.
Yes. because that is 127.1.0.0 and not 127.0.0.1.
> What do you think about using jail name from /etc/rc.conf?

Personally I don't set up my jails via the rc.d stuff (and I suspect I'm not the only one), so that would only be of limited usefulness, I'm afraid.
sorry we don't support private stuff.
> PS. I'm not against this functionality, but we should be much more
> careful, especially with hostnames when
> security.jail.set_hostname_allowed=1.

I agree. If that sysctl is set to 1 (default!), matching against the jails' hostnames should not be attempted.
Anyway people have been discussing this more than it is worth. The bugs in the code are still not fixed. As Christian has pointed out we will have a 'jail name' soon. Either this all will be fixed very soon or I'll miss it with my next integrate...

-- 
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.
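One way to implement the matching rules discussed in this thread, as an added example that is not the jexec code from the commit: a purely numeric argument is only ever a jail ID, hostnames are not tried when security.jail.set_hostname_allowed is 1, and the list is walked to the end so duplicates are rejected. The `jail_ent` struct, `resolve_jail()` and the sample data are hypothetical, and `inet_pton()` is used so that only a full dotted quad counts as an IP number, which is stricter than the at-least-one-dot rule proposed above.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical stand-in for one entry of the jail list fetched from the kernel. */
struct jail_ent { int jid; struct in_addr ip; const char *host; };
enum { J_NOMATCH = -1, J_AMBIGUOUS = -2 };

/* Digits only: jail ID. Full dotted quad: IP number. Anything else: hostname,
 * tried only when jails cannot change their own hostname. The whole list is
 * walked so that a second match is reported instead of silently ignored. */
int resolve_jail(const struct jail_ent *list, size_t n, const char *arg,
                 int set_hostname_allowed)
{
    struct in_addr ip = { 0 };
    int found = J_NOMATCH;
    int by_jid = arg[0] != '\0' && strspn(arg, "0123456789") == strlen(arg);
    int by_ip = !by_jid && inet_pton(AF_INET, arg, &ip) == 1;
    long want = by_jid ? strtol(arg, NULL, 10) : 0;

    if (!by_jid && !by_ip && set_hostname_allowed)
        return J_NOMATCH;            /* hostname is under the jail's control */
    for (size_t i = 0; i < n; i++) {
        int hit = by_jid ? list[i].jid == want
                : by_ip  ? list[i].ip.s_addr == ip.s_addr
                         : strcmp(list[i].host, arg) == 0;
        if (!hit)
            continue;
        if (found != J_NOMATCH)
            return J_AMBIGUOUS;      /* duplicate IP number or hostname */
        found = list[i].jid;
    }
    return found;
}

/* Constructed sample list: jails 3 and 7 share a hostname. */
size_t sample_jails(struct jail_ent *j)
{
    static const char *ip[] = { "10.0.0.5", "10.0.0.6", "10.0.0.7" };
    static const char *host[] = { "www.example.org", "db.example.org", "www.example.org" };
    static const int jid[] = { 3, 5, 7 };
    for (size_t i = 0; i < 3; i++) {
        j[i].jid = jid[i];
        j[i].host = host[i];
        inet_pton(AF_INET, ip[i], &j[i].ip);
    }
    return 3;
}
```

A caller fills a `struct jail_ent j[3]` with `sample_jails(j)` and passes it to `resolve_jail()`; a negative return means no match or an ambiguous one.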