Unable to get jail parameter values
Sorry for the stupid question, but I just realised that I'm unable to know the real value of a specific parameter. For example, I know that allow.raw_sockets is set to "1" for the jail "jtest01", because I set it so in the /etc/jail.conf file, but when I type the sysctl command inside the jail, it tells me that the value is "0" (which I guess is the default value).

    root@jtest01:~ # sysctl security.jail.jailed
    security.jail.jailed: 1
    root@jtest01:~ # sysctl security.jail.param.allow.raw_sockets
    security.jail.param.allow.raw_sockets: 0
    root@jtest01:~ # ping -c2 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=11.310 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=9.525 ms

    --- 8.8.8.8 ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 9.525/10.418/11.310/0.892 ms

I noticed the same behaviour on both FreeBSD 10.3 and 11.1. How can I get the real jail.param values for a specific running jail?

Thanks.

Andrew

___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: setfib (ez)jails and weird routing
From: Marko Cupać <marko.cu...@mimar.rs>
Sent: Monday, October 23, 2017 1:58 PM
To: Andrew Hotlab
Cc: freebsd-jail@freebsd.org
Subject: Re: setfib (ez)jails and weird routing

> On Tue, 17 Oct 2017 15:17:16 +
> Andrew Hotlab <andrew.hot...@hotmail.com> wrote:
>
> > root@BSD11:~ # cat /etc/jail.conf
> > exec.start = "/bin/sh /etc/rc";
> > exec.stop = "/bin/sh /etc/rc.shutdown";
> > exec.clean;
> > mount.devfs;
> > jtest01 {
> >     host.hostname = "jtest01.test.lab";
> >     path = /usr/jails/jtest01;
> >     ip4.addr = "em0|172.21.10.101/32";
> >     persist;
> >     allow.raw_sockets;
> >     exec.fib = "1";
> > }
>
> Andrew,
>
> do you have the ability to remove allow.raw_sockets line from jtest01
> jail and try to ping it while tcpdumping icmp on em1? You should see
> reply packets leaving em1.

So sorry: I didn't notice that my own transcript showed exactly the behaviour you are describing... in fact you can see "echo request" packets, but no "echo reply" on the em0 interface!! And I can confirm that the problem does not happen in the same topology with a FreeBSD 10.3 host.

At this point I guess that all responses to ICMP requests received on IP addresses assigned to jails linked to a specific FIB on FreeBSD 11.x are not influenced by the FIB, while in FreeBSD 10.x they are. (No problem with ICMP traffic generated from the jail itself: I saw packets leaving and coming back through the right interface.)

Unfortunately I don't have the competence to point you in the right direction to solve it, but I think it is a jail-related issue, thus this should be the right mailing list to discuss it. I'll come back if I'm able to understand something more.

Andrew
Re: setfib (ez)jails and weird routing
From: Marko Cupać <marko.cu...@mimar.rs>
Sent: Monday, October 16, 2017 4:18 PM
To: Andrew Hotlab
Cc: freebsd-jail@freebsd.org
Subject: Re: setfib (ez)jails and weird routing

> On Sat, 30 Sep 2017 10:38:58 +
> Andrew Hotlab <andrew.hot...@hotmail.com> wrote:
>
> > I'm running releng/10.3. Which release are you working on?
>
> sorry for late reply. I'm running 11.1-RELEASE-p1. I am definitely
> seeing packets with source addresses of my DMZ jails (fib2) exiting
> through interface on local LAN. Those are mostly icmp echo replies that
> should be coming from jails but are not due to the fact that jails
> don't have raw sockets enables. So, echo replies are returned from
> host (and not jails), whose default gateway is on internal network.

I just set up a similar scenario on a FreeBSD 11.1 host. It seems that all is working fine (172.21.10.0/24 is the DMZ, while 192.168.1.0/24 is the LAN). Please see the following transcript:

    root@BSD11:~ # uname -msr
    FreeBSD 11.1-RELEASE amd64
    root@BSD11:~ # ifconfig | egrep '^[a-z]|inet '
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            inet 172.21.10.100 netmask 0xff00 broadcast 172.21.10.255
            inet 172.21.10.101 netmask 0x broadcast 172.21.10.101
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            inet 192.168.1.100 netmask 0xff00 broadcast 192.168.1.255
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            inet 127.0.0.1 netmask 0xff00
    root@BSD11:~ # netstat -rnfinet
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            192.168.1.254      UGS         em1
    127.0.0.1          link#3             UH          lo0
    172.21.10.0/24     link#1             U           em0
    172.21.10.100      link#1             UHS         lo0
    172.21.10.101      link#1             UHS         lo0
    172.21.10.101/32   link#1             U           em0
    192.168.1.0/24     link#2             U           em1
    192.168.1.100      link#2             UHS         lo0
    root@BSD11:~ # setfib 1 netstat -rfinet
    Routing tables (fib: 1)

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            172.21.10.254      UGS         em0
    localhost          link#3             UH          lo0
    172.21.10.0/24     link#1             U           em0
    172.21.10.101/32   link#1             U           em0
    192.168.1.0/24     link#2             U           em1
    root@BSD11:~ # cat /etc/jail.conf
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    jtest01 {
        host.hostname = "jtest01.test.lab";
        path = /usr/jails/jtest01;
        ip4.addr = "em0|172.21.10.101/32";
        persist;
        allow.raw_sockets;
        exec.fib = "1";
    }
    root@BSD11:~ # jls
       JID  IP Address      Hostname                      Path
         8  172.21.10.101   jtest01.test.lab              /usr/jails/jtest01
    root@BSD11:~ # ssh 172.21.10.101 'sysctl net.my_fibnum'
    Password for r...@jtest01.test.lab:
    net.my_fibnum: 1
    root@BSD11:~ # tcpdump -i em0 -n -p icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
    17:07:19.524839 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 0, length 64
    17:07:20.539686 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 1, length 64
    17:07:21.551653 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 2, length 64
    17:07:22.562764 IP 172.21.1.81 > 172.21.10.101: ICMP echo request, id 65315, seq 3, length 64
    ^C
    4 packets captured
    12 packets received by filter
    0 packets dropped by kernel

> Would freebsd-net be more appropriate list for this problem?

Maybe, but I would double check your jail configuration before asking on that list. My guess is that your jail might not be associated to the right fib.
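An added example (my code, not anything posted in these threads) that serves both the question at the top of this page about reading a jail's real parameter values and the exec.fib check in the transcript above: it reads the per-jail values from `jls -n` on the host, compares them with the jail.conf block, and checks the FIB of the processes running inside the jail. The `jls` and `ps` output it parses is constructed sample text in the assumed formats.

```python
"""Added example, not code from the thread: audit a running jail against its
jail.conf block. Inside the jail, sysctl security.jail.param.* only describes
the parameter namespace (type and default), so it cannot answer "what is
allow.raw_sockets for jtest01?"; the per-jail values are held by the host kernel
and printed by `jls -n -q -j <name>` as name=value pairs. exec.fib is not a
kernel parameter at all (jail(8) applies it to the exec.* commands it spawns),
so the FIB is only visible on processes inside the jail (`ps -axo jid,fib,comm`).
JLS_SAMPLE and PS_SAMPLE are CONSTRUCTED text in the assumed output formats; on
a real host replace them with subprocess.check_output(...).decode().
"""
import re
import shlex

JAIL_CONF = """\
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
jtest01 {
    host.hostname = "jtest01.test.lab";
    path = /usr/jails/jtest01;
    ip4.addr = "em0|172.21.10.101/32";
    persist;
    allow.raw_sockets;
    exec.fib = "1";
}
"""  # the jail.conf posted in the thread
# CONSTRUCTED `jls -n -q -j jtest01` output: the kernel does hold raw_sockets=1.
JLS_SAMPLE = ("jid=8 name=jtest01 path=/usr/jails/jtest01 "
              "host.hostname=jtest01.test.lab ip4.addr=172.21.10.101 "
              "persist=1 allow.raw_sockets=1 securelevel=-1")
# CONSTRUCTED `ps -axo jid,fib,comm` output: sshd and cron came from exec.start
# and carry exec.fib; sh was started with a plain `jexec` from a host shell,
# which attaches to the jail but keeps the caller's FIB 0.
PS_SAMPLE = """\
 JID FIB COMMAND
   0   0 init
   8   1 sshd
   8   1 cron
   8   0 sh
"""

def parse_jail_conf(text):
    """{jailname: {param: value}}; jail blocks inherit the globals.
    Handles `p = v;`, `p += v;` and bare `p;` (boolean true); # comments dropped."""
    defaults, jails, stmt = {}, {}, ""
    target = defaults
    for chunk in re.split(r"([;{}])", re.sub(r"#[^\n]*", "", text)):
        if chunk == "{":                      # `name {` opens a jail block
            jails[stmt.strip()] = target = dict(defaults)
        elif chunk == "}":
            target = defaults
        elif chunk == ";":
            m = re.match(r"\s*([\w.]+)\s*(\+?=)?\s*(.*)$", stmt, re.S)
            if m:
                key, op, val = m.groups()
                val = val.strip().strip("\"'") if op else "1"
                target[key] = (target.get(key, "") + "," + val).strip(",") if op == "+=" else val
        else:
            stmt = chunk
            continue
        stmt = ""
    return jails

def parse_jls_n(output):
    """`jls -n` name=value pairs -> dict (shlex copes with -q quoted values)."""
    return dict(tok.split("=", 1) for tok in shlex.split(output) if "=" in tok)

def param_drift(conf, jls):
    """{param: (expected, actual)} for kernel-side parameters that differ or are absent.
    jail(8)-only settings (exec.*, mount.*) are skipped; ip4.addr is normalised
    from "em0|a.b.c.d/32" to the "a.b.c.d" form the kernel reports."""
    drift = {}
    for key, val in conf.items():
        if key.startswith(("exec.", "mount.")):
            continue
        if key in ("ip4.addr", "ip6.addr"):
            val = ",".join(a.split("|")[-1].split("/")[0] for a in val.split(","))
        if jls.get(key) != val:
            drift[key] = (val, jls.get(key))
    return drift

def fib_drift(jid, expected_fib, ps_output):
    """[(fib, command)] for processes inside `jid` not running on `expected_fib`."""
    bad = []
    for line in ps_output.splitlines()[1:]:
        f = line.split(None, 2)
        if len(f) == 3 and f[0] == str(jid) and f[1] != str(expected_fib):
            bad.append((int(f[1]), f[2]))
    return bad

def audit(name, conf_text, jls_output, ps_output):
    """Both checks for one jail, keyed 'params' and 'fib'."""
    conf, jls = parse_jail_conf(conf_text)[name], parse_jls_n(jls_output)
    return {"params": param_drift(conf, jls),
            "fib": fib_drift(int(jls["jid"]), int(conf.get("exec.fib", 0)), ps_output)}

if __name__ == "__main__":
    print(audit("jtest01", JAIL_CONF, JLS_SAMPLE, PS_SAMPLE))
```

With the samples above the kernel parameters match and the only finding is the jexec'ed shell running on FIB 0, which is the case the sysctl inside the jail could never have shown.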
RE: setfib (ez)jails and weird routing
Hi Marko.

I'm running an almost identical setup, but I do not have this issue: ICMP echo reply packets are sent from the right interface. The only difference is that I didn't define additional lo1 and lo2 interfaces, but I guess it shouldn't be the cause.

I'm running releng/10.3. Which release are you working on?

Andrew

From: owner-freebsd-j...@freebsd.org [owner-freebsd-j...@freebsd.org] on behalf of Marko Cupać [marko.cu...@mimar.rs]
Sent: Friday, September 29, 2017 10:32 AM
To: freebsd-jail@freebsd.org
Subject: setfib (ez)jails and weird routing

> Hi,
>
> I notice weird routing in my setfib (ez)jails setup. I have a server with multiple NICs. setfib should ensure that LAN jails (setfib 1) can not talk to DMZ jails (setfib 2) over loopbacks, but need to go through firewalls as though they were physical boxes.
>
>     pacija@warden3:~ % sudo setfib 1 netstat -rn
>     Routing tables (fib: 1)
>
>     Internet:
>     Destination        Gateway            Flags     Netif Expire
>     default            10.30.19.190       UGS        bce0
>     10.30.19.160/27    00:1c:c4:de:0a:86  US         bce0
>     127.0.0.1          lo0                UHS         lo0
>     127.0.1.0/24       lo1                US          lo1
>
>     pacija@warden3:~ % sudo setfib 2 netstat -rn
>     Routing tables (fib: 2)
>
>     Internet:
>     Destination        Gateway            Flags     Netif Expire
>     default            193.53.106.254     UGS        bce1
>     127.0.0.1          lo0                UHS         lo0
>     127.0.2.0/24       lo2                US          lo2
>     193.53.106.0/24    00:1c:c4:de:0a:84  US         bce1
>
> Host has the same default route as fib 1:
>
>     pacija@warden3:~ % sudo netstat -rn
>     Routing tables
>
>     Internet:
>     Destination        Gateway            Flags     Netif Expire
>     default            10.30.19.190       UGS        bce0
>     ...
>
> If I ssh from the Internet into DMZ jail, everything works as expected. But if I ping DMZ jail from the Internet, I see reply packets leaving not the interface they came from (bce1, public address space, DMZ), but another one (bce0, private address space, LAN). This is kinda understandable, because jail on fib2 does not have ICMP enabled, so it is not DMZ jail, but the host (which is in fib 0) who replies to packets via its default gateway (router on a private LAN).
>
> Is there an easy and elegant way to solve this? Like binding IP address to fib? I wouldn't like to have to fire up pf on host and meddle with reply-to rules in order to achieve this, I'd rather revert to old setup of separate physical servers for each network.
>
> Thank you in advance,
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
Re: jailed process listening on host addresses
-----Original Message-----
From: Nikos Vassiliadis
Sent: Wednesday, January 04, 2012 9:54 AM
To: Andrew Hotlab
Cc: FreeBSD-Jail
Subject: Re: jailed process listening on host addresses

> On 1/4/2012 3:10 AM, Andrew Hotlab wrote:
> > I noticed a strange behavior some days ago, but I can't say how long it has been happening for. Some processes which are running in different jails on the same host seem to be listening on all host IPs.
> > It's happening on several hosts right now (all are running FreeBSD/amd64 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a single unicast IP address.
> > I really hope I'm missing something important... or should I guess that these processes are escaping from the jails?! :S
>
> Could you share more about your setup? ifconfig, jls, ps in the jail, commands given to create the jail...
> I tried to reproduce the problem on a amd64 8.2-RELEASE, without success.

Thank you Nikos, the following commands are executed on the host:

    # ifconfig xl0
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
            ether 00:01:02:aa:9f:c2
            inet 172.19.2.48 netmask 0xff00 broadcast 172.19.2.255
            inet 172.19.2.49 netmask 0x broadcast 172.19.2.49
            inet 172.19.2.50 netmask 0x broadcast 172.19.2.50
            inet 172.19.2.51 netmask 0x broadcast 172.19.2.51
            inet 172.19.2.52 netmask 0x broadcast 172.19.2.52
            inet 172.19.2.53 netmask 0x broadcast 172.19.2.53
            inet 172.19.2.54 netmask 0x broadcast 172.19.2.54
            inet 172.19.2.55 netmask 0x broadcast 172.19.2.55
            inet 172.19.2.56 netmask 0x broadcast 172.19.2.56
            inet 172.19.2.57 netmask 0x broadcast 172.19.2.57
            inet 172.19.2.58 netmask 0x broadcast 172.19.2.58
            inet 172.19.2.59 netmask 0x broadcast 172.19.2.59
            inet 172.19.2.60 netmask 0x broadcast 172.19.2.60
            inet 172.19.2.61 netmask 0x broadcast 172.19.2.61
            inet 172.19.2.62 netmask 0x broadcast 172.19.2.62
            inet 172.19.2.63 netmask 0x broadcast 172.19.2.63
            media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
            status: active
    # jls | grep 172.19.2.50
         5  172.19.2.50     rjpbx01                       /usr/jails/rjpbx01
    # jexec 5 /usr/local/etc/rc.d/asterisk start
    Starting asterisk.
    # sockstat -4l | grep asterisk
    931      asterisk   91780 11 udp4   172.19.2.50:5060      *:*
    931      asterisk   91780 12 tcp4   172.19.2.50:2000      *:*
    931      asterisk   91780 18 tcp4   172.19.2.50:1720      *:*
    931      asterisk   91780 19 udp4   172.19.2.50:2727      *:*
    931      asterisk   91780 22 udp4   172.19.2.50:4569      *:*
    931      asterisk   91780 23 udp4   *:*                   *:*
    931      asterisk   91780 24 udp4   172.19.2.50:4520      *:*

I think there might be a problem with specific processes (in this case, asterisk), because if I run several other commands (for example the nc(1) you showed me), all is working as expected.

Until now, I noticed this behavior with these processes: unfsd, rpcbind, asterisk, transmission-daemon, mDNSResponderPosix.

I'll try to test the same daemons in a jail with another version of FreeBSD as soon as possible. I will also verify whether these daemons are really listening on all IP addresses, by analyzing some traffic with tcpdump(1).

Andrew
Re: jailed process listening on host addresses
-----Original Message-----
From: Eirik Øverby
Sent: Wednesday, January 04, 2012 11:35 AM
To: Andrew Hotlab
Cc: FreeBSD-Jail
Subject: Re: jailed process listening on host addresses

> On 4. jan. 2012, at 02:10, Andrew Hotlab <andrew.hot...@hotmail.com> wrote:
> > I noticed a strange behavior some days ago, but I can't say how long it has been happening for. Some processes which are running in different jails on the same host seem to be listening on all host IPs.
> > It's happening on several hosts right now (all are running FreeBSD/amd64 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a single unicast IP address.
> > I really hope I'm missing something important... or should I guess that these processes are escaping from the jails?! :S
>
> Did you try to actually connect to any of those listeners? I see the same here, but I cannot actually connect to the ports on anything but the jail IP..

I've just tried to connect to TCP port 2049 (the unfsd daemon is running in a jail), and actually I can only telnet to the address assigned to the jail where the daemon is running, even if sockstat(1) tells me that the process is listening on all IP addresses.

Thus the sockstat(1) command might not be able to correctly display the actual sockets used by some jailed processes?! It sounds pretty strange to me... maybe these processes are sharing something with the host because they are using SysV IPC or something else I'm not aware of?

Andrew
jailed process listening on host addresses
I noticed a strange behavior some days ago, but I can't say how long it has been happening for. Some processes which are running in different jails on the same host seem to be listening on all host IPs. Here is an example:

    #sockstat -4l | grep 4 \*:
    root     mDNSRespon 69801 3  udp4   *:45258               *:*
    root     mDNSRespon 69801 4  udp4   *:5353                *:*
    root     unfsd      69761 3  udp4   *:2049                *:*
    root     unfsd      69761 4  tcp4   *:2049                *:*
    root     rpcbind    69703 7  udp4   *:111                 *:*
    root     rpcbind    69703 8  udp4   *:732                 *:*
    root     rpcbind    69703 9  tcp4   *:111                 *:*
    921      transmissi 29851 10 udp4   *:*                   *:*
    931      asterisk   29805 25 udp4   *:*                   *:*

It's happening on several hosts right now (all are running FreeBSD/amd64 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a single unicast IP address.

I really hope I'm missing something important... or should I guess that these processes are escaping from the jails?! :S

Thanks very much for any explanation anyone would be so kind to give me.

Andrew
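An added example (my code, not anything posted in this thread) for the sockstat question above and the telnet check in the replies: it joins `sockstat -4l`, `ps -axo pid,jid` and `jls` output to separate wildcard listeners that a jail confines from those owned by unjailed processes, which are the ones really reachable on every host address. All three outputs are constructed samples (the rjpbx01 line is the one posted; the other jails and the sshd row are invented).

```python
"""Added example, not code from the thread: decide which of the wildcard
listeners reported by sockstat(1) are really exposed on every host address.

A jailed process that binds INADDR_ANY is still shown by `sockstat -4l` as
`*:port`, because the socket's local address really is the wildcard; the
kernel's socket lookup only matches it for the jail's own address(es), which
is why the telnet in the thread only succeeds against the jail IP. The same
`*:port` owned by a process in jid 0 is reachable on every address of the
host. This script joins sockstat, `ps -axo pid,jid` and `jls` output to tell
the two apart. All three outputs below are CONSTRUCTED samples modelled on
the lines posted in the thread (jid 5 / rjpbx01 is from the thread, the other
jails and the sshd row are invented).
"""

SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     mDNSRespon 69801 4  udp4   *:5353                *:*
root     unfsd      69761 3  udp4   *:2049                *:*
root     unfsd      69761 4  tcp4   *:2049                *:*
root     rpcbind    69703 9  tcp4   *:111                 *:*
931      asterisk   91780 11 udp4   172.19.2.50:5060      *:*
931      asterisk   91780 23 udp4   *:*                   *:*
root     sshd       1234  4  tcp4   *:22                  *:*
"""
PS_SAMPLE = """\
  PID JID
 1234   0
69703   3
69761   3
69801   4
91780   5
"""
JLS_SAMPLE = """\
   JID  IP Address      Hostname                      Path
     3  172.19.2.49     rjnfs01                       /usr/jails/rjnfs01
     4  172.19.2.51     rjmdns01                      /usr/jails/rjmdns01
     5  172.19.2.50     rjpbx01                       /usr/jails/rjpbx01
"""

def parse_sockstat(output):
    """One dict per listener: user, command, pid, proto, local (header skipped)."""
    rows = []
    for line in output.splitlines()[1:]:
        f = line.split()
        if len(f) >= 7:
            rows.append({"user": f[0], "command": f[1], "pid": int(f[2]),
                         "proto": f[4], "local": f[5]})
    return rows

def parse_pid_jid(output):
    """Map pid -> jid from `ps -axo pid,jid` (jid 0 means not jailed)."""
    return {int(p): int(j) for p, j in
            (line.split() for line in output.splitlines()[1:] if line.strip())}

def parse_jls(output):
    """Map jid -> [ip] from the classic one-address-per-line jls listing."""
    jails = {}
    for line in output.splitlines()[1:]:
        f = line.split()
        if len(f) >= 2 and f[0].isdigit():
            jails.setdefault(int(f[0]), []).append(f[1])
    return jails

def classify_listeners(sockstat_out, ps_out, jls_out):
    """Attach jid, scope and the addresses each socket can actually be reached on."""
    pid_jid, jails = parse_pid_jid(ps_out), parse_jls(jls_out)
    report = []
    for s in parse_sockstat(sockstat_out):
        addr, _, port = s["local"].rpartition(":")
        jid = pid_jid.get(s["pid"], 0)
        if port == "*":                       # no local port yet: an unbound UDP socket
            scope, reach = "UNBOUND", []
        elif addr != "*":                     # explicitly bound to one address
            scope, reach = "BOUND", [addr]
        elif jid == 0:                        # wildcard in the host: every address
            scope, reach = "HOST-WIDE", ["*"]
        else:                                 # wildcard inside a jail: jail IPs only
            scope, reach = "JAIL-CONFINED", jails.get(jid, [])
        report.append(dict(s, jid=jid, port=port, scope=scope, reachable=reach))
    return report

def host_wide_listeners(sockstat_out, ps_out, jls_out):
    """The subset worth attention: wildcard binds owned by unjailed processes."""
    return [r for r in classify_listeners(sockstat_out, ps_out, jls_out)
            if r["scope"] == "HOST-WIDE"]

if __name__ == "__main__":
    for r in classify_listeners(SOCKSTAT_SAMPLE, PS_SAMPLE, JLS_SAMPLE):
        print(f"{r['command']:<11} jid={r['jid']} {r['proto']} {r['local']:<18} "
              f"{r['scope']:<14} reachable on {','.join(r['reachable']) or '-'}")
```

A `*:port` row classified as JAIL-CONFINED is the situation the thread describes; only the HOST-WIDE rows are the ones to check with a connection test from a non-jail address.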
RE: Jail hot migration
Date: Fri, 10 Sep 2010 16:28:15 +1200
From: free...@snap.net.nz
To: freebsd-jail@freebsd.org
Subject: Jail hot migration

> Hi guys,
>
> I was lately thinking around jail hot-migration feature where one jail could be moved from one host to another without shutting it down, something like vmotion in VMware world.
>
> The storage layer should be easy with zfs send and receive or some form of shared storage. The tricky part would be a memory copy from one node to another and also the CPU handling.
>
> Anyone has an idea how this could be achieved? I guess it would require a kernel module which could take care of memory reservations and a daemon to copy and incrementally sync the jails memory across. Then also there is the CPU problem.. Sounds like a fair amount of work and development.
>
> All comments are welcomed!

Well, I'm not a developer, but I think that the jail framework surely deserves to be evolved into something more friendly from a sysadmin's point of view. The architecture is great, and that's just enough to consolidate a lot of workloads, but for some applications there are features (resource containers, offline and online migration of jails, etc.) that need to be improved to be affordable in a production environment.

I think that a lot of work is getting done (resource container and virtualization stack projects have just been sponsored by the FreeBSD Foundation). I do not know how much time it will take to reach a complete business-ready virtualization framework, nor if they are on the right path, but I'm quite confident, because I'm sure that the simplicity of the FreeBSD solution will rule any other virtualization framework out there.

As for the feature you are asking for, I think that resource containers and offline migration should be considered first, because overall they'll have more impact on business environments. Further, I believe that building a hot migration procedure working with third-party running applications will be a very complex task to achieve, maybe too expensive at this time, compared to the amount of work required.

That's an interesting argument, I'll be glad if more members of the Community will contribute with their considerations.

Sincerely.

Andrew
RE: Jail hot migration
Date: Fri, 10 Sep 2010 19:45:20 +
From: k...@7he.at
To: freebsd-jail@freebsd.org
Subject: Re: Jail hot migration

> On Fri, Sep 10, 2010 at 04:28:15PM +1200, Peter Toth wrote:
> > Hi guys,
> >
> > I was lately thinking around jail hot-migration feature where one jail could be moved from one host to another without shutting it down, something like vmotion in VMware world.
>
> I implemented a working prototype of a container-style virtualization for FreeBSD, capable of live/hot migration. It has nothing to do with jail, but it makes use of vimage/vnet.
>
> I am going to do a presentation at the EuroBSDCon in October, but a paper and a demo video (no sources yet, sorry) are already online at:
>
> http://www.7he.at/freebsd/vps/

I was really impressed by the live migration demo video and I wish to ask you a few questions about your solution...

At this time VPS technology lacks resource limiting capability, do you think it could be compatible with the resource container project sponsored by the FreeBSD Foundation?

Are multiple virtual instances of FreeBSD running as VPS required to share the same kernel, as in the Jail paradigm, or may they run different kernels, as in NetBSD (http://www.NetBSD.org/docs/rump/)?

How many resources do you estimate are needed in order to complete your project?

It seems that it will be far more difficult to implement the live migration feature on the Jail framework than in VPS, but how about offline migration and resource control? Some work has been done to achieve that with the current Jail paradigm, do you think that VPS will be able to do a better job in these areas too?

Sorry if any question sounds stupid: I do not know much about the internals of the technologies I mentioned.

Thank you very much for your work.

Andrew

P.S. I'm sorry for the format of the e-mail, I'm using this awful Hotmail web interface. :(
RE: Strange things happening with jails?? Not starting up on boot or services not running inside!
Date: Thu, 3 Jun 2010 22:15:21 +0300
From: samank...@netscape.net
To: freebsd-jail@freebsd.org
Subject: Strange things happening with jails?? Not starting up on boot or services not running inside!

> I have managed to create 4 and migrate many services in them already. The only issue is that one Jail containing the Postfix MTA which I use as an SMTP mail relay agent for my mail servers is not starting up when the OS has been rebooted or booted for that matter?? I can't give any error logs as there are none but I can post the config which is here:
>
>     JID  IP Address      Hostname                      Path
>       1  192.168.1.100   ns1.optiplex-networks.com     /var/jail/named_1
>       2  192.168.1.101   ns2.optiplex-networks.com     /var/jail/named_2
>       3  192.168.1.110   proxy.optiplex-networks.com   /var/jail/squid
>       4  192.168.1.115   relay.optiplex-networks.com   /var/jail/postfix
>
>     jail_enable=YES
>     jail_list=named_1 named_2 squid
>     jail_named_1_rootdir=/var/jail/named_1
>     jail_named_1_hostname=ns1.optiplex-networks.com
>     jail_interface=em0
>     jail_named_1_ip=192.168.1.100
>     #jail_named_1_exec_start=/usr/local/bin/named
>     jail_named_1_devfs_enable=YES
>     jail_named_2_rootdir=/var/jail/named_2
>     jail_named_2_hostname=ns2.optiplex-networks.com
>     jail_interface=em0
>     jail_named_2_ip=192.168.1.101
>     jail_named_2_devfs_enable=YES
>     jail_squid_rootdir=/var/jail/squid
>     jail_squid_hostname=proxy.optiplex-networks.com
>     jail_interface=em0
>     jail_squid_ip=192.168.1.110
>     jail_squid_devfs_enable=YES
>     jail_postfix_rootdir=/var/jail/postfix
>     jail_postfix_hostname=relay.optiplex-networks.com
>     jail_interface=em0
>     jail_postfix_ip=192.168.1.115
>     jail_postfix_devfs_enable=YES

These lines are in the file /etc/rc.conf on the jail host? If you created all jails with ezjail, there should be nothing like that: all jail_ vars would have been written in files stored in /usr/local/etc/ezjail/ (by default). If you are managing all jails with ezjail you can safely delete all these entries in the host's rc.conf (only remember to leave ezjail_enable=YES if you want automatic startup of all jails at boot time).

> Now another few issues related to the services inside is that I'm trying to start Squid for my reverse proxy inside a Jail. However, the service won't start on its own as I'm needing port 80 and there seems to be a block against normal users using ports < 1024. I tested this by getting Squid to run on its default port 3128 and it works. However the logs or screen readout just tells me that the service cannot connect to port 80??
>
>     May 31 17:47:11 proxy squid[4360]: Cannot open HTTP Port
>     May 31 17:47:11 proxy squid[4358]: Squid Parent: child process 4360 exited due to signal 6
>     May 31 17:47:14 proxy squid[4358]: Squid Parent: child process 4364 started
>     May 31 17:47:15 proxy squid[4364]: Cannot open HTTP Port
>     May 31 17:47:15 proxy squid[4358]: Squid Parent: child process 4364 exited due to signal 6
>     May 31 17:47:18 proxy squid[4358]: Squid Parent: child process 4367 started
>     May 31 17:47:18 proxy squid[4367]: Cannot open HTTP Port
>     May 31 17:47:18 proxy squid[4358]: Squid Parent: child process 4367 exited due to signal 6
>     May 31 17:47:21 proxy squid[4358]: Squid Parent: child process 4370 started
>     May 31 17:47:21 proxy squid[4370]: Cannot open HTTP Port
>     May 31 17:47:21 proxy squid[4358]: Squid Parent: child process 4370 exited due to signal 6
>
> I tried adding the users Proxy and Squid to the group Wheel however again no such luck :-(

I've never had to make Squid listen on port 80, but referring to its startup script in /usr/local/etc/rc.d/:

    # squid_user: The user id that should be used to run the Squid master
    #             process. Default: squid.
    #             Note that you probably need to define squid_user=root if
    #             you want to run Squid in reverse proxy setups or if you want
    #             Squid to listen on a privileged port < 1024.

So you only need to write the following line in /etc/rc.conf to have Squid listening on this privileged port:

    squid_user=root

I've just tried that with Squid 3.0 and it works (check the output of the command sockstat -4l). This is obviously a Squid-related issue, the fact that it's running in a jail is not relevant here.

Andrew
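An added example, not part of the thread: a lint for the old-style jail_* rc.conf variables quoted above, assuming the jail rc script's conventions that jail_list names the jails started at boot and that a jail_<name>_rootdir line defines a jail. RC_CONF is the posted configuration reconstructed with the quotes sh needs, so treat it as constructed sample input.

```python
"""Added example, not from the thread: lint the old-style jail_* variables in
/etc/rc.conf that the jail rc script reads. Two things bite in practice: a
jail that has a jail_<name>_rootdir but is not named in jail_list is never
started at boot, and a variable assigned more than once keeps only its last
value in sh (the global jail_interface repeated here is harmless, the per-jail
form being jail_<name>_interface). RC_CONF is the configuration posted above,
reconstructed with the quotes sh needs around a multi-word list; treat it as
constructed sample input.
"""
import re

RC_CONF = """\
jail_enable="YES"
jail_list="named_1 named_2 squid"
jail_named_1_rootdir="/var/jail/named_1"
jail_named_1_hostname="ns1.optiplex-networks.com"
jail_interface="em0"
jail_named_1_ip="192.168.1.100"
#jail_named_1_exec_start="/usr/local/bin/named"
jail_named_1_devfs_enable="YES"
jail_named_2_rootdir="/var/jail/named_2"
jail_named_2_hostname="ns2.optiplex-networks.com"
jail_interface="em0"
jail_named_2_ip="192.168.1.101"
jail_named_2_devfs_enable="YES"
jail_squid_rootdir="/var/jail/squid"
jail_squid_hostname="proxy.optiplex-networks.com"
jail_interface="em0"
jail_squid_ip="192.168.1.110"
jail_squid_devfs_enable="YES"
jail_postfix_rootdir="/var/jail/postfix"
jail_postfix_hostname="relay.optiplex-networks.com"
jail_interface="em0"
jail_postfix_ip="192.168.1.115"
jail_postfix_devfs_enable="YES"
"""

# name=value with an optional "..." or '...' quoted value; comment lines are skipped.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')

def parse_rc_conf(text):
    """Return ({var: last value}, {var: number of assignments})."""
    values, counts = {}, {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        name, dq, sq, bare = m.groups()
        values[name] = next(v for v in (dq, sq, bare) if v is not None)
        counts[name] = counts.get(name, 0) + 1
    return values, counts

def lint_jails(text):
    """Cross-check jail_list against the jails that have a rootdir defined."""
    values, counts = parse_rc_conf(text)
    defined = {m.group(1) for v in values
               for m in [re.fullmatch(r"jail_(.+)_rootdir", v)] if m}
    listed = set(values.get("jail_list", "").split())
    return {
        "jail_enable": values.get("jail_enable", "NO").upper() == "YES",
        "not_autostarted": sorted(defined - listed),       # rootdir, but absent from jail_list
        "listed_but_undefined": sorted(listed - defined),  # in jail_list, but no rootdir
        "reassigned": sorted(v for v, n in counts.items() if n > 1),
        "missing_ip": sorted(j for j in defined if f"jail_{j}_ip" not in values),
    }

if __name__ == "__main__":
    for check, result in lint_jails(RC_CONF).items():
        print(f"{check}: {result}")
```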
RE: Creating jails to run Squid and multiple Bind services - Newbie
Date: Sat, 29 May 2010 23:46:31 +0300
From: samank...@netscape.net
To: freebsd-jail@freebsd.org
Subject: Creating jails to run Squid and multiple Bind services - Newbie

> Hi, am attempting to create a set of Jails for the first time!!

Welcome to the club! :) If you are coming from Solaris Zones it won't take you much time to feel at home with FreeBSD Jails.

> So far what I've done is this:
>
>     cd /usr/src
>     make buildworld
>
> I straight away then get an error saying:
>
>     /usr/src/usr.bin/make ***error code 2
>     Stop in /usr/src ***error code 1
>
> Basically what I want to do is something very similar to how I use Solaris Zones; create a directory structure which will run 1 specific service only on a specific IP address. I am not certain if I can run 2 instances of Bind in two different Jails but would be cool if I could. I just have no idea how to start!! :-(
>
> I really appreciate if someone could give me a hand getting started as I'm totally lost on creating the jails as I can configure the services that I need to run in them easily!!
>
> Am on BSD 8.0 RELEASE 'current' edition x64.

If you are a newcomer to FreeBSD, I suggest you use a -RELEASE or errata branch. -CURRENT is for developers and hardcore users.

Making a so-called service jail actually seems the way to get what you are looking for, but I think you will feel much better using a full jail management framework such as ezjail (http://www.FreeBSD.org/cgi/url.cgi?ports/sysutils/ezjail/pkg-descr). It will definitely help you get a working environment in minutes, enabling you to manage it with a more Zones-like approach. This tool is also interesting because it makes all jails use a single read-only userland, thus keeping both disk space consumption and administrative effort low.

That's the easy way, just to make you feel the power without spending too much time... but I strongly suggest you get your hands dirty by following the official way to build jails, to really understand how this great OS partitioning system works! The best source is obviously the Handbook (http://www.freebsd.org/handbook/jails.html). When I was a newcomer to jails, I wrote something about my first experiences, maybe it might be agreeable to have a look at it: http://weblogs.valsania.it/bsdlab/2007/07/04/freebsd-jail-“how-to”/

Hoping that these little suggestions will be somewhat useful to you.

Sincerely.

Andrew
RE: Creating jails to run Squid and multiple Bind services - Newbie
Date: Sun, 30 May 2010 02:23:05 +0300
From: samank...@netscape.net
To: andrew.hot...@hotmail.com
CC: 000.f...@quip.cz; freebsd-jail@freebsd.org
Subject: Re: Creating jails to run Squid and multiple Bind services - Newbie

> Many thanks Miroslav and Andrew,
>
> > > Am on BSD 8.0 RELEASE 'current' edition x64.
> >
> > If you are a newcomer to FreeBSD, I suggest you use a -RELEASE or errata branch. -CURRENT is for developers and hardcore users.
>
> I am using the -RELEASE branch, it's just that I can't post the output of uname -a as am in Windows 7 currently running Cygwin to SSH into my box.

If you are still working on Windows, you definitely should take a look at PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/)

Andrew
RE: 32-bit jails on a 64-bit system?
Date: Thu, 21 Jan 2010 10:12:20 +0100
From: 000.f...@quip.cz
To: sp...@bway.net
CC: freebsd-jail@FreeBSD.org; freebsd-sta...@freebsd.org
Subject: Re: 32-bit jails on a 64-bit system?

> > > The jail(8) subsystem has been updated. Changes include: Compatibility support which permits 32-bit jail binaries to be used on 64-bit systems to manage jails has been added.
> >
> > I know prior to 8.0 with some fancy footwork you could do some interesting things (for example, I have a jail running a bunch of 32-bit 4.11 stuff on a 7.2 amd64 box), but it was not easy. Looking at the jail manpage and handbook entries, I'm not seeing anything that further explains the changes. I've been able to get some things working in a test setup, but not everything.
> >
> > Any pointers to what exactly that blurb in the release notes actually means? Google is getting me nowhere.
>
> (freebsd-jail@ was added in to Cc:)
>
> I think it is nothing new to 8.0, it is the same as release note for 7.2. I didn't test it, but I think you can install (copy) i386 jail (or whole system) in to amd64 host and just run it as any other jail.

This thread about a 32-bit jail on a 64-bit host might be useful: http://lists.freebsd.org/pipermail/freebsd-i386/2009-January/007553.html

Regards.

Andrew
RE: ezjail.flavour
Thank you so much Philipp, I'll get the CVS version as soon as possible.

In the meantime I tried to add support for FIBs to the ports version and (that's incredible!) it seems to function! Excuse my enthusiasm, but it's not my job, and I really need multiple routing table support, since I maintain a few hosts running multiple jails in different IP subnets (and each subnet has a different default gateway). Until now I have manipulated traffic to/from jails using a couple of simple PF rules, but these rudimentary patches (see the attachments) finally let me leverage the multiple FIBs feature on my FreeBSD RELENG_7_2 hosts.

I assume the ROUTETABLES kernel option has been included, and I make ezjail-admin insert the variable jail_${jailname}_fib set to 0 in each new jail's definition file under ${ezjail_prefix}/etc/ezjail/. An administrator has to assign the correct FIB number to this variable, and both the scripts ezjail.sh and ezjail-admin read its value before starting or creating a console session for the registered jail.

I can't wait to test all the new ezjail features from the current CVS release!

Greetings

Andrew

Date: Mon, 28 Dec 2009 17:41:19 +0100
From: cryx-free...@h3q.com
To: andrew.hot...@hotmail.com
CC: b...@ipt.ru; freebsd-questi...@k-moeller.dk; freebsd-jail@freebsd.org
Subject: Re: ezjail.flavour

> Andrew Hotlab wrote:
> > I think ezjail urgently needs some updates in order not to remain behind the new features in FreeBSD which can dramatically improve the jail system usage (vnet, ZFS, multiple FIB support, etc). I'm not a shell script expert, but my everyday work gives me the chance to have a pretty high-level view on what is needed. I'll be glad to be contacted off-list by someone with some shell scripting skills and a few hours of spare time to spend with me on this very useful tool.
>
> The ezjail ports version is heavily outdated, the CVS version is much more up-to-date. The cvs version has support for jails in dedicated ZFS-datasets etc. Currently I'm working on support for zfs jail in ezjail as well as support for FIBs and cpusets. I committed your patch to the CVS.
>
> greetings,
> philipp
>
> PS: there is a dedicated ezjail mailinglist http://erdgeist.org/arts/software/ezjail/#Author

Attachments: ezjail-admin.patch, ezjail.sh.patch
RE: ezjail.flavour
It seems that FreeBSD 8 does not like to start rc scripts named *.sh. Here is a little patch for the script ezjail-admin which seems to fix the problem.

--- ezjail-admin2009/12/20 23:28:09 1.1+++ ezjail-admin 2009/12/20 23:28:26 @@ -550,7 +550,7 @@ # If a config is found, make it auto run on jails startup if [ -f ${ezjail_rootdir}/ezjail.flavour ]; then - ln -s /ezjail.flavour ${ezjail_rootdir}/etc/rc.d/ezjail-config.sh + ln -s /ezjail.flavour ${ezjail_rootdir}/etc/rc.d/ezjail-config chmod 0700 ${ezjail_rootdir}/ezjail.flavour echo Note: Shell scripts installed, flavourizing on jails first startup. fi

I think ezjail urgently needs some updates in order not to remain behind the new features in FreeBSD which can dramatically improve the jail system usage (vnet, ZFS, multiple FIB support, etc). I'm not a shell script expert, but my everyday work gives me the chance to have a pretty high-level view on what is needed. I'll be glad to be contacted off-list by someone with some shell scripting skills and a few hours of spare time to spend with me on this very useful tool.

Andrew

To: freebsd-questi...@k-moeller.dk
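Review bot: the rename in the hunk only helps jails flavourized after the patch; a jail whose ${ezjail_rootdir}/etc/rc.d already carries the old `ezjail-config.sh` link from an earlier run keeps a script that FreeBSD 8's rc will still ignore, so the same branch should remove the stale link, for example `rm -f ${ezjail_rootdir}/etc/rc.d/ezjail-config.sh` before the new `ln -s`. The new `ln -s` also has no `-f`, so re-running the flavour step on a jail that already has `ezjail-config` fails on the link and yet still prints "Shell scripts installed"; either add `-f` or guard the `ln` with a check of its exit status. Since the linked script runs as root at the jail's first startup, it is worth noting in the commit message that the `chmod 0700` on ezjail.flavour is what keeps it from being writable by anything else in the jail.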
From: b...@ipt.ru
Date: Thu, 17 Dec 2009 11:35:51 +0300
CC: freebsd-jail@freebsd.org
Subject: Re: ezjail.flavour

Kalle Møller writes:
I've got the same behaviour. Seems that the script ezjail.flavour is not executed because it uses old rc rules and so it is ignored at startup.

What are the new rc rules, because it looks fairly simple to correct, went through the code yesterday.

Well, I'm not an rc guru. But seems that RC(8) may be a good start.

-- 
WBR, bsam
How to better update a jail host system
Hi to all. That's my first post to this list, and I want to thank all the guys who spend their time helping the FreeBSD Community to obtain the most from this wonderful OS, and I'll be glad to grow my experience as fast as possible to be able to donate my modest contribution too.

Coming from a MSFT professional experience, I've been particularly impressed by the FreeBSD jail system, and I'm using the ezjail framework to manage some jails on a FreeBSD 6.2-RELEASE host in a pre-production environment. To track the security branch both on the host and the jails I'm using the update from source method: I synchronize the source tree with csup(1), build and install the kernel, build and install the userland for the host first and then for the jails (using the ezjail-admin(1) update -i switch).

All that is working fine now, but I wonder if I could speed up the whole process by switching to the binary update method. By using the freebsd-update(8) utility on the host I think to maintain the system cleaner (this utility only updates the installed distributions) and to reduce the administrative effort (no mergemaster(8) required, am I right?). Do you think my thinking is right, or are there some aspects I'm missing? (As I said, I'm not a very experienced FreeBSD sysadmin) :)

TIA
Andrew