Re: rctl within jail
David Demelier wrote:

> Hello there,
>
> I wanted to use rctl within a jail to add more fine-grained settings for some users, and default ones too. But it does not seem to work. Is it supported? Do we need to add a special flag to the jail creation?
>
> # rctl -a loginclass:default:maxproc:deny=30
> rctl: rctl_add_rule: Operation not permitted
>
> Regards,
>
> David

The rctl command is brand new. It does not have a group of users yet, so that is why you have not received any replies to your post.

As far as I know you can not issue the "rctl" command from within the running jail.

The "rctl" command is issued on the HOST only.

You can apply rules to an entire jail if you want to, for example; to limit the amount of memory a jail can use:

# rctl -a jail::memoryuse:deny=1G

(where is the name of your jail). This would make sure the jail can't use more than (approximately) 1 gigabyte of memory.

To enable rctl on the host, you need to compile a custom kernel that contains the following 2 parameters;

options RACCT
options RCTL

I think your rctl command would look like this when issued from the host

rctl -a jail::loginclass:default:maxproc:deny=30

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: rctl within jail
On 22.09.2013 15:45, Fbsd8 wrote:
> David Demelier wrote:
>> Hello there,
>>
>> I wanted to use rctl within a jail to add more fine-grained settings for
>> some users, and default ones too. But it does not seem to work. Is it
>> supported? Do we need to add a special flag to the jail creation?
>>
>> # rctl -a loginclass:default:maxproc:deny=30
>> rctl: rctl_add_rule: Operation not permitted
>>
>> Regards,
>>
>> David
>
> The rctl command is brand new. It does not have a group of users yet, so
> that is why you have not received any replies to your post.
>
> As far as I know you can not issue the "rctl" command from within the
> running jail.
>
> The "rctl" command is issued on the HOST only.
>
> You can apply rules to an entire jail if you want to, for example; to
> limit the amount of memory a jail can use:
>
> # rctl -a jail::memoryuse:deny=1G
>
> (where is the name of your jail). This would make sure the
> jail can't use more than (approximately) 1 gigabyte of memory.
>
> To enable rctl on the host, you need to compile a custom kernel that
> contains the following 2 parameters;
> options RACCT
> options RCTL
>

Yes, I will also post a PR for this because no manpage says that you require this in your kernel. I will provide a new manpage and a bit more documentation.

> I think your rctl command would look like this when issued from the host
> rctl -a jail::loginclass:default:maxproc:deny=30
>

What I really want is to prevent users from spawning too many processes (aka fork bombs). But if I apply it to the jail directly, it also applies to the service jails, which is not really wanted.

Regards,

David
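An added example in sh, not code from the thread: it checks rule strings against the rctl(8) syntax the replies use (subject:subject-id:resource:action=amount, with an optional /per) before handing them to rctl -a, and refuses to run when the sysctl security.jail.jailed reports that it is inside a jail, which is where David's "Operation not permitted" came from. The resource and action lists, the empty-subject-id check and the jail name `www` are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: validate rctl(8) rule strings and
# refuse to add them from inside a jail, where rctl_add_rule fails with
# "Operation not permitted" (rules are added on the host only).
# Assumptions: rctl(8) grammar subject:subject-id:resource:action=amount[/per];
# the sysctl security.jail.jailed reads 1 inside a jail and 0 on the host;
# the resource/action lists below are from my reading of rctl(8).

RCTL_SUBJECTS="process user loginclass jail"
RCTL_RESOURCES="cputime datasize stacksize coredumpsize memoryuse memorylocked
maxproc openfiles vmemoryuse pseudoterminals swapuse nthr msgqqueued msgqsize
nmsgq nsem nsemop nshm shmsize wallclock"
RCTL_ACTIONS="deny log devctl"

in_list() {   # in_list WORD "SPACE SEPARATED LIST" -> 0 if WORD is in the list
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# rctl_validate RULE: prints "ok" or "bad: <reason>"; returns 0 only for "ok".
rctl_validate() {
    _rule=$1
    _old_ifs=$IFS
    IFS=:
    set -- $_rule          # split on ':'; an empty field stays in place
    IFS=$_old_ifs
    if [ $# -ne 4 ]; then
        echo "bad: expected subject:subject-id:resource:action=amount, got $# fields"
        return 1
    fi
    _subject=$1; _id=$2; _resource=$3; _tail=$4
    in_list "$_subject" "$RCTL_SUBJECTS" ||
        { echo "bad: unknown subject '$_subject'"; return 1; }
    [ -n "$_id" ] ||
        { echo "bad: subject-id is empty (a jail name, user or login class is needed)"; return 1; }
    in_list "$_resource" "$RCTL_RESOURCES" ||
        { echo "bad: unknown resource '$_resource'"; return 1; }
    case $_tail in
        *=*) _action=${_tail%%=*}; _amount=${_tail#*=} ;;
        *)   echo "bad: action needs '=amount'"; return 1 ;;
    esac
    case $_action in
        sig*) ;;                                   # sigterm, sigkill, ...
        *) in_list "$_action" "$RCTL_ACTIONS" ||
               { echo "bad: unknown action '$_action'"; return 1; } ;;
    esac
    # An optional "/per" suffix must name a subject type.
    case $_amount in
        */*) _per=${_amount#*/}; _amount=${_amount%%/*}
             in_list "$_per" "$RCTL_SUBJECTS" ||
                 { echo "bad: unknown per '$_per'"; return 1; } ;;
    esac
    # Amount: digits with an optional unit suffix, as in the 1G of the thread.
    case $_amount in
        *[kKmMgGtT]) _amount=${_amount%?} ;;
    esac
    case $_amount in
        ''|*[!0-9]*) echo "bad: amount must be a number"; return 1 ;;
    esac
    echo ok
}

# rctl_apply RULE JAILED: JAILED is the value of security.jail.jailed.
# Only calls rctl -a when run on the host and RCTL_DRY_RUN is unset.
rctl_apply() {
    _rule=$1; _jailed=$2
    if [ "$_jailed" = 1 ]; then
        echo "refused: rctl rules are added on the host, not inside a jail"
        return 2
    fi
    _verdict=$(rctl_validate "$_rule") || { echo "$_verdict"; return 1; }
    if [ -z "$RCTL_DRY_RUN" ]; then
        rctl -a "$_rule" || return 1
    fi
    echo "applied: $_rule"
}

# Stand-alone dry run over constructed rules; uses the real jailed flag when
# sysctl knows it (FreeBSD) and assumes the host otherwise.
RCTL_DRY_RUN=1
jailed=$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)
for r in 'loginclass:default:maxproc:deny=30' \
         'jail:www:memoryuse:deny=1G' \
         'jail:www:maxproc:30'; do
    printf '%-40s %s\n' "$r" "$(rctl_apply "$r" "$jailed")"
done
```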
rctl within jail
Hello there,

I wanted to use rctl within a jail to add more fine-grained settings for some users, and default ones too. But it does not seem to work. Is it supported? Do we need to add a special flag to the jail creation?

# rctl -a loginclass:default:maxproc:deny=30
rctl: rctl_add_rule: Operation not permitted

Regards,

David
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 7:53 PM, Alejandro Imass wrote:
> On Thu, Aug 29, 2013 at 5:07 PM, Patrick wrote:
>> On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass wrote:
>>> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt wrote:
>>>> On 29/08/2013 09:52, Frank Leonhardt wrote:
>
> [...]
>
>> Aliases should have a netmask of 255.255.255.255. What you're seeing is
>> not typical behaviour on FreeBSD.
>
> [...]
>
> One of you asked about NAT. We are using natd to nat some public ports
> to other ports on the private IPs that are aliases of lo0. This is for
> the jails that don't have public IPs; we just forward some ports to the
> jail's ports like this:
>
> For example:
>
> redirect_port tcp 192.168.101.123:22 12322
> redirect_port tcp 192.168.101.123:80 12380
>
> Could this have an effect on OUTBOUND connections?? Seems unlikely to
> me but I think one of you asked about NAT I suspect for a good reason.
>
> I'll turn off the natting temporarily and test.
>

I can confirm that the culprit was natd. Now the question becomes why does natd affect the source IP for an outbound connection?? Is there a way to fix it and keep natd?

Seems that Patrick's NAT hunch on his first reply was right on the money.

Thanks,

--
Alejandro Imass
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 5:07 PM, Patrick wrote:
> On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass wrote:
>> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt wrote:
>>> On 29/08/2013 09:52, Frank Leonhardt wrote:
>>
>> [...]
>
> Aliases should have a netmask of 255.255.255.255. What you're seeing is
> not typical behaviour on FreeBSD.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html
>
> Patrick

Thanks for pointing this out, the manual is effectively very clear on this. So, I changed the masks for ALL the aliases on that server to /32. It alone has more than 30 aliases on lo0 and 4 public IPs. I tested and still have the same problem. So I rebooted just in case and the problem still persists:

$ ifconfig em0
em0: flags=8843 metric 0 mtu 1500
        options=209b
        ether 00:30:48:bd:b9:1a
        inet xxx.yyy.52.74 netmask 0xff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.70 netmask 0x broadcast xxx.yyy.52.70
        inet xxx.yyy.52.71 netmask 0x broadcast xxx.yyy.52.71
        inet xxx.yyy.52.73 netmask 0x broadcast xxx.yyy.52.73
        media: Ethernet autoselect (1000baseT )
        status: active

$ ssh -b xxx.yyy.52.70 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
foo      pts/14   xxx.yyy.52.74     7:58PM     - w -n

$ ssh -b xxx.yyy.52.71 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
foo      pts/14   xxx.yyy.52.74     7:58PM     - w -n

$ ssh -b xxx.yyy.52.73 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
foo      pts/14   xxx.yyy.52.74     7:58PM     - w -n

I don't understand why I get different results than yours and Frank's. We run a pretty standard set-up so why is this not working for us. Could it be because we turned off TCO on the NIC?

One of you asked about NAT. We are using natd to nat some public ports to other ports on the private IPs that are aliases of lo0. This is for the jails that don't have public IPs; we just forward some ports to the jail's ports like this:

For example:

redirect_port tcp 192.168.101.123:22 12322
redirect_port tcp 192.168.101.123:80 12380

Could this have an effect on OUTBOUND connections?? Seems unlikely to me but I think one of you asked about NAT I suspect for a good reason.

I'll turn off the natting temporarily and test.

Best,

--
Alejandro Imass
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass wrote:
> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt wrote:
>> On 29/08/2013 09:52, Frank Leonhardt wrote:
>>>
>
> Hi Frank thanks for taking the time to try to replicate this. Here is
> all the detailed info
>
> 8.1-RELEASE
>
> em0: flags=8843 metric 0 mtu 1500
>         options=209b
>         ether 00:31:88:bd:b9:3a
>         inet xxx.yyy.52.74 netmask 0xff80 broadcast xxx.yyy.52.127
>         inet xxx.yyy.52.70 netmask 0xff80 broadcast xxx.yyy.52.127
>         inet xxx.yyy.52.71 netmask 0xff80 broadcast xxx.yyy.52.127
>         inet xxx.yyy.52.73 netmask 0xff80 broadcast xxx.yyy.52.127
>         media: Ethernet autoselect (1000baseT )
>         status: active
>
> I use rc.conf standard practice for aliases:
>
> ifconfig_em0="inet xxx.yyy.52.74 netmask 255.255.255.128 -tso"
> ifconfig_em0_alias0="inet xxx.yyy.52.70 netmask 255.255.255.128 -tso"
> ifconfig_em0_alias1="inet xxx.yyy.52.71 netmask 255.255.255.128 -tso"
> ifconfig_em0_alias2="inet xxx.yyy.52.73 netmask 255.255.255.128 -tso"
>
> nune# netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway         Flags   Refs       Use  Netif Expire
> default            xxx.yyy.52.1    UGS      168 182183463    em0
> 127.0.0.1          link#4          UH         0         0    lo0
> [... internal aliases to lo0 here...]
> xxx.yyy.52.0/25    link#1          U          0     68581    em0
> xxx.yyy.52.70      link#1          UHS        0     14363    lo0
> xxx.yyy.52.71      link#1          UHS        0     64765    lo0
> xxx.yyy.52.73      link#1          UHS        0         0    lo0
> xxx.yyy.52.74      link#1          UHS        0     29170    lo0
>
> Note the Netif Expire on 71,73,74 are showing lo0 could this be the problem?
>
> nune# ssh -b xxx.yyy.52.71 foo@bar
> Password:
>
>> w -n
>  3:15PM  up 130 days, 22:30, 3 users, load averages: 0.00, 0.02, 0.00
> USER     TTY      FROM              LOGIN@  IDLE WHAT
> [...]
> foo      pts/24   xxx.yyy.52.74     3:14PM     - w -n
>
> I don't know why mine is showing 74 and from your example it should be
> showing 71. Did you see the article below?
>
> http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour
>
> This seems to be a pretty common issue or it's just a
> misconfiguration problem?
>
> Thanks!
>
> Alejandro Imass

Aliases should have a netmask of 255.255.255.255. What you're seeing is not typical behaviour on FreeBSD.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html

Patrick
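An added example in sh, not code from the thread, that audits ifconfig output for the point Patrick makes: every alias after an interface's first inet address should carry netmask 0xffffffff (/32). The sample output is constructed with documentation addresses, and the parser assumes the standard FreeBSD ifconfig layout ("inet ADDR netmask MASK ...").

```shell
#!/bin/sh
# Added example, not from the thread: audit ifconfig(8) output for aliases
# that do not use the /32 netmask (0xffffffff) the FreeBSD Handbook asks for.
# The first inet address printed for an interface is taken as its primary
# address; every later inet line on that interface is treated as an alias.
# Assumption: standard FreeBSD ifconfig layout, "inet ADDR netmask MASK ...".

# check_aliases: reads ifconfig output on stdin, prints one line per alias
# whose netmask is not 0xffffffff, returns 1 if anything was flagged.
check_aliases() {
    _iface=""; _primary=""; _flagged=0
    while IFS= read -r _line; do
        case $_line in
            *' flags='*)         # interface header, e.g. "em0: flags=8843<...>"
                _iface=${_line%%:*}; _primary="" ;;
            *'inet '*)           # IPv4 address line ("inet6" lines do not match)
                set -- $_line    # $1=inet $2=ADDR $3=netmask $4=MASK ...
                if [ -z "$_primary" ]; then
                    _primary=$2
                elif [ "$4" != "0xffffffff" ]; then
                    echo "$_iface: alias $2 netmask $4 is not /32 (primary $_primary)"
                    _flagged=1
                fi ;;
        esac
    done
    return $_flagged
}

# Constructed sample modelled on the thread: one alias on em0 still shares the
# primary's /25 mask, one is already /32, and lo0 carries a /32 jail alias.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        inet 192.0.2.74 netmask 0xffffff80 broadcast 192.0.2.127
        inet 192.0.2.70 netmask 0xffffff80 broadcast 192.0.2.127
        inet 192.0.2.71 netmask 0xffffffff broadcast 192.0.2.71
        inet6 fe80::200:5eff:fe00:5301%em0 prefixlen 64 scopeid 0x1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 192.168.101.123 netmask 0xffffffff'

# Stand-alone run; on a FreeBSD host pipe the live output instead:
#   ifconfig -a | check_aliases
printf '%s\n' "$SAMPLE_IFCONFIG" | check_aliases || echo "fix the aliases above"
```

It only finds the netmask problem; the natd redirect that Alejandro later identified as the real culprit has to be checked in natd's configuration separately.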
Re: Jail with public IP alias
On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt wrote:
> On 29/08/2013 09:52, Frank Leonhardt wrote:
>>

Hi Frank thanks for taking the time to try to replicate this. Here is all the detailed info

8.1-RELEASE

em0: flags=8843 metric 0 mtu 1500
        options=209b
        ether 00:31:88:bd:b9:3a
        inet xxx.yyy.52.74 netmask 0xff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.70 netmask 0xff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.71 netmask 0xff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.73 netmask 0xff80 broadcast xxx.yyy.52.127
        media: Ethernet autoselect (1000baseT )
        status: active

I use rc.conf standard practice for aliases:

ifconfig_em0="inet xxx.yyy.52.74 netmask 255.255.255.128 -tso"
ifconfig_em0_alias0="inet xxx.yyy.52.70 netmask 255.255.255.128 -tso"
ifconfig_em0_alias1="inet xxx.yyy.52.71 netmask 255.255.255.128 -tso"
ifconfig_em0_alias2="inet xxx.yyy.52.73 netmask 255.255.255.128 -tso"

nune# netstat -rn
Routing tables

Internet:
Destination        Gateway         Flags   Refs       Use  Netif Expire
default            xxx.yyy.52.1    UGS      168 182183463    em0
127.0.0.1          link#4          UH         0         0    lo0
[... internal aliases to lo0 here...]
xxx.yyy.52.0/25    link#1          U          0     68581    em0
xxx.yyy.52.70      link#1          UHS        0     14363    lo0
xxx.yyy.52.71      link#1          UHS        0     64765    lo0
xxx.yyy.52.73      link#1          UHS        0         0    lo0
xxx.yyy.52.74      link#1          UHS        0     29170    lo0

Note the Netif Expire on 71,73,74 are showing lo0 could this be the problem?

nune# ssh -b xxx.yyy.52.71 foo@bar
Password:

> w -n
 3:15PM  up 130 days, 22:30, 3 users, load averages: 0.00, 0.02, 0.00
USER     TTY      FROM              LOGIN@  IDLE WHAT
[...]
foo      pts/24   xxx.yyy.52.74     3:14PM     - w -n

I don't know why mine is showing 74 and from your example it should be showing 71. Did you see the article below?

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

This seems to be a pretty common issue or it's just a misconfiguration problem?

Thanks!

Alejandro Imass
Re: Jail with public IP alias
On 29/08/2013 09:52, Frank Leonhardt wrote:
On 29/08/2013 02:08, Alejandro Imass wrote:
On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt wrote:
On 28/08/2013 19:42, Patrick wrote:
On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:

[...]

Sorry guys - I had no intention of upsetting the EzJail fan club!

No worries there I just think it's an awesome tool. We used plain old jails before, and we even went through the "service jail" path once, but EzJail is a lot more than just lightweight easy-to-use jailing.

The fact remains that I've tried to recreate this problem on what comes to a similar set-up, but without EzJail, and I can't. I've only tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely understood what you were saying about it doing weird stuff outside a jail, but my point is that this may or may not be related.

Actually you can replicate it easily. Assign a number of IPs to any interface but that the interface has a default route. It will always use the "primary" or default IP on the other end. You can probably see this effect even on a private network provided all the aliases route through the same gateway. You will not be able to see this effect using aliases on the loopback AFAIK.

You don't say what version you're running. I can try and recreate it on another version.

It doesn't matter, it's a very basic network issue with aliases in FreeBSD, Linux and other OSs. Look here:

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

I would like to know how people deal with this on FBSD

Okay, I'm trying here.

I tried to recreate it thus:

b1# ifconfig
bge0: flags=8843 metric 0 mtu 1500
        options=8009b
        ether 00:21:9b:fd:30:8b
        inet xx.yy.41.196 netmask 0xffc0 broadcast xx.yy.41.255
        inet xx.yy.41.197 netmask 0x broadcast xx.yy.41.197
        inet xx.yy.41.198 netmask 0x broadcast xx.yy.41.198
        inet xx.yy.41.199 netmask 0x broadcast xx.yy.41.199
        inet xx.yy.41.200 netmask 0x broadcast xx.yy.41.200
        inet xx.yy.41.201 netmask 0x broadcast xx.yy.41.201
        inet xx.yy.41.202 netmask 0x broadcast xx.yy.41.202
        inet xx.yy.41.203 netmask 0x broadcast xx.yy.41.203
        inet xx2.yy2.76.62 netmask 0xffc0 broadcast xx2.yy2.76.63
        inet xx.yy.41.207 netmask 0x broadcast xx.yy.41.207
        inet xx.yy.41.206 netmask 0x broadcast xx.yy.41.206
        media: Ethernet autoselect (100baseTX )
        status: active

Then:

b1# ssh -b xx.yy.41.197 b2 -l myname

Open new session and...

b1# ssh -b xx.yy.41.198 b2 -l myname

Open new session and...

b1# ssh -b xx.yy.41.199 b2 -l myname

And so on

Then on b2:

b2# w -n
 9:43AM  up 803 days, 22:47, 5 users, load averages: 0.07, 0.06, 0.02
USER     TTY      FROM                     LOGIN@  IDLE WHAT
myname   p0       ns0.domainname.org.uk    9:28AM    14 -csh (csh)
myname   p1       ns1.domainname.net       9:29AM    14 -csh (csh)
myname   p5       xx.yy.41.199             9:29AM    13 -csh (csh)
myname   p6       xx.yy.41.201             9:30AM     - w -n
myname   p7       xx.yy.41.207             9:30AM    11 -csh (csh)

The only problem I can see there is that the -n option isn't working on w! I'll look into that. The reverse lookups match the IP addresses dialled in on.

b2 has the same sshd bound to all IP addresses, incidentally. b1 has more than one interface, but all the IP addresses I used are on the same one.

My guess, if you're not getting this, is that you're configuring the aliases in a different way, so the output of ipconfig might help, even if it just convinces me the netmask is correct and stops me worrying. I've obviously obfuscated the first part of mine.

Or have I misunderstood the problem?

Regards, Frank.

P.S. Just for completeness:

b1# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            xx.yy.41.193       UGS    112374 7203472736   bge0

The default route does go through that interface.
Re: Jail with public IP alias
On 29/08/2013 02:08, Alejandro Imass wrote:
On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt wrote:
On 28/08/2013 19:42, Patrick wrote:
On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:

[...]

Sorry guys - I had no intention of upsetting the EzJail fan club!

No worries there I just think it's an awesome tool. We used plain old jails before, and we even went through the "service jail" path once, but EzJail is a lot more than just lightweight easy-to-use jailing.

The fact remains that I've tried to recreate this problem on what comes to a similar set-up, but without EzJail, and I can't. I've only tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely understood what you were saying about it doing weird stuff outside a jail, but my point is that this may or may not be related.

Actually you can replicate it easily. Assign a number of IPs to any interface but that the interface has a default route. It will always use the "primary" or default IP on the other end. You can probably see this effect even on a private network provided all the aliases route through the same gateway. You will not be able to see this effect using aliases on the loopback AFAIK.

You don't say what version you're running. I can try and recreate it on another version.

It doesn't matter, it's a very basic network issue with aliases in FreeBSD, Linux and other OSs. Look here:

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

I would like to know how people deal with this on FBSD

Okay, I'm trying here.

I tried to recreate it thus:

b1# ifconfig
bge0: flags=8843 metric 0 mtu 1500
        options=8009b
        ether 00:21:9b:fd:30:8b
        inet xx.yy.41.196 netmask 0xffc0 broadcast xx.yy.41.255
        inet xx.yy.41.197 netmask 0x broadcast xx.yy.41.197
        inet xx.yy.41.198 netmask 0x broadcast xx.yy.41.198
        inet xx.yy.41.199 netmask 0x broadcast xx.yy.41.199
        inet xx.yy.41.200 netmask 0x broadcast xx.yy.41.200
        inet xx.yy.41.201 netmask 0x broadcast xx.yy.41.201
        inet xx.yy.41.202 netmask 0x broadcast xx.yy.41.202
        inet xx.yy.41.203 netmask 0x broadcast xx.yy.41.203
        inet xx2.yy2.76.62 netmask 0xffc0 broadcast xx2.yy2.76.63
        inet xx.yy.41.207 netmask 0x broadcast xx.yy.41.207
        inet xx.yy.41.206 netmask 0x broadcast xx.yy.41.206
        media: Ethernet autoselect (100baseTX )
        status: active

Then:

b1# ssh -b xx.yy.41.197 b2 -l myname

Open new session and...

b1# ssh -b xx.yy.41.198 b2 -l myname

Open new session and...

b1# ssh -b xx.yy.41.199 b2 -l myname

And so on

Then on b2:

b2# w -n
 9:43AM  up 803 days, 22:47, 5 users, load averages: 0.07, 0.06, 0.02
USER     TTY      FROM                     LOGIN@  IDLE WHAT
myname   p0       ns0.domainname.org.uk    9:28AM    14 -csh (csh)
myname   p1       ns1.domainname.net       9:29AM    14 -csh (csh)
myname   p5       xx.yy.41.199             9:29AM    13 -csh (csh)
myname   p6       xx.yy.41.201             9:30AM     - w -n
myname   p7       xx.yy.41.207             9:30AM    11 -csh (csh)

The only problem I can see there is that the -n option isn't working on w! I'll look into that. The reverse lookups match the IP addresses dialled in on.

b2 has the same sshd bound to all IP addresses, incidentally. b1 has more than one interface, but all the IP addresses I used are on the same one.

My guess, if you're not getting this, is that you're configuring the aliases in a different way, so the output of ipconfig might help, even if it just convinces me the netmask is correct and stops me worrying. I've obviously obfuscated the first part of mine.

Or have I misunderstood the problem?

Regards, Frank.
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt wrote:
> On 28/08/2013 19:42, Patrick wrote:
>>
>> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
>>>
>>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
>>>> [...]
>
> Sorry guys - I had no intention of upsetting the EzJail fan club!
>

No worries there I just think it's an awesome tool. We used plain old jails before, and we even went through the "service jail" path once, but EzJail is a lot more than just lightweight easy-to-use jailing.

> The fact remains that I've tried to recreate this problem on what comes to a
> similar set-up, but without EzJail, and I can't. I've only tested it on
> FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely
> understood what you were saying about it doing weird stuff outside a jail,
> but my point is that this may or may not be related.
>

Actually you can replicate it easily. Assign a number of IPs to any interface but that the interface has a default route. It will always use the "primary" or default IP on the other end. You can probably see this effect even on a private network provided all the aliases route through the same gateway. You will not be able to see this effect using aliases on the loopback AFAIK.

> You don't say what version you're running. I can try and recreate it on
> another version.
>

It doesn't matter, it's a very basic network issue with aliases in FreeBSD, Linux and other OSs. Look here:

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

I would like to know how people deal with this on FBSD

Thanks,

--
Alejandro Imass
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 2:42 PM, Patrick wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
>>> On 28/08/2013 00:19, Patrick wrote:

[...]

> I don't think that's true though in the case of jails. On the host
> system, yes, but when a jail is bound to a particular IP, outbound
> connections originate from that bound IP. At least they do for me in
> all of my experience. Still wondering if you're using NAT with your
> jails, as that could change things.
>

Nope, no NAT. I verified what you said using the aliases in lo0 and it does in fact use the correct private IP, and that is well, no surprise because we rarely have jails with actually public IPs so I didn't notice this strange behaviour before.

Actually, not so strange once you understand what's going on: It doesn't work the same using the public IP because the public IP goes through a gateway so it's a different case. In that case it will use the "primary" IP assigned to the device in that subnet that goes through that routing rule. You can test this if you want but you will need to re-create a scenario where you have multiple IPs assigned to a physical network card and that routes through a common gateway. In this case, it will use only the primary IP assigned to the network card. If you actually test it you will see it's not a jail issue, it simply works that way, and it will be consistent on a jail or the base system. The only ways to fix this are either through the routing table or source address re-writing with IPFW or similar.

> (FWIW, we use ezjail as well. It doesn't do anything special except
> make having lots of jails easy and lightweight.)
>

It does a lot more than that! We use flavours and have pre-loaded environments for easy deployment, much like people use VMWare. For example we do a lot of development in Catalyst and it takes forever to install a working Catalyst env which we only have to do once and then create Cat flavoured jails in minutes. We also archive and re-instantiate jails in other servers or add more capacity in an existing env just by archiving and creating a clone jail on another server. So basically with EzJail we have our own cloud-type environment but running on the real hardware and with much more granular control. We also use Amazon AWS but not for anything that's core of the company. We do a ton of other stuff that relies on EzJail's tools, for example update one jail to test and then simply re-create that one to replace all the others. Plain old jails will do the same thing for sure, but if you manage hundreds you'll probably wind up re-inventing EzJail in the first place.

Best,

--
Alejandro Imass
Re: Jail with public IP alias
On 28/08/2013 19:42, Patrick wrote:
On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
On 28/08/2013 00:19, Patrick wrote:
On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass wrote:

[...]

(Tidied up so all now bottom posted)

I can confirm that you shouldn't be seeing this behaviour because I don't. I don't use EzJail - I prefer "vi". Seriously, setting up a jail is very straightforward anyway, and when I tried ezjail I found it was doing stuff I didn't like, so dropped it early on. It was a long time ago and I've forgotten the specifics.

I guess if you're using it you're new to this particular game, so please excuse me pointing out a few basics here.

We use Ezjail not because it's easy or because we're new to jails, I think you might be confused on what EzJail actually is and why people use it. We use it because we manage a private cloud exclusively based on FBSD with about a dozen servers with a couple dozen jails each. I use EzJail because it allows us to manage just shy of 300 separate environments with only a couple of sysadmins, and with optimized system resources. We use it because IT ROCKS.

Although I can't exactly see how this would cause a problem, remember that many services will bind to ALL IP addresses when they start up, and if they

[...]

I can't see a mechanism that would get the results you're seeing, but I don't know what ezjail might be doing. I suspect your problem is with ezjail or something bizarre on your network config; can you try it manually?

After my OP I immediately sent out a second mail stating that the problem is not with Jails or EzJail and it's related to the way that aliases behave on a network interface card. When you have aliases that are on the same subnet, the source IP is the primary IP, that is the first IP set on that network device. You can test this without jails with a simple ssh connection to another server and then typing who. Even if you force ssh to bind to a particular IP using -b it will still show the primary IP. If you have aliases on different subnets this will not happen.

I don't think that's true though in the case of jails. On the host system, yes, but when a jail is bound to a particular IP, outbound connections originate from that bound IP. At least they do for me in all of my experience. Still wondering if you're using NAT with your jails, as that could change things.

(FWIW, we use ezjail as well. It doesn't do anything special except make having lots of jails easy and lightweight.)

Sorry guys - I had no intention of upsetting the EzJail fan club!

The fact remains that I've tried to recreate this problem on what comes to a similar set-up, but without EzJail, and I can't. I've only tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I completely understood what you were saying about it doing weird stuff outside a jail, but my point is that this may or may not be related.

You don't say what version you're running. I can try and recreate it on another version.

Again basic, but when you set up an alias, what subnet do you use? "Same subnet" is ringing alarm bells here. The output of ifconfig might help.

Regards, Frank.
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
>> On 28/08/2013 00:19, Patrick wrote:
>>>
>>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass wrote:
>>>>
>
> [...]
>
>>
>> (Tidied up so all now bottom posted)
>>
>> I can confirm that you shouldn't be seeing this behaviour because I don't. I
>> don't use EzJail - I prefer "vi". Seriously, setting up a jail is very
>> straightforward anyway, and when I tried ezjail I found it was doing stuff I
>> didn't like, so dropped it early on. It was a long time ago and I've
>> forgotten the specifics.
>>
>> I guess if you're using it you're new to this particular game, so please
>> excuse me pointing out a few basics here.
>>
>
> We use Ezjail not because it's easy or because we're new to jails, I
> think you might be confused on what EzJail actually is and why people
> use it. We use it because we manage a private cloud exclusively based
> on FBSD with about a dozen servers with a couple dozen jails each. I
> use EzJail because it allows us to manage just shy of 300 separate
> environments with only a couple of sysadmins, and with optimized
> system resources. We use it because IT ROCKS.
>
>> Although I can't exactly see how this would cause a problem, remember that
>> many services will bind to ALL IP addresses when they start up, and if they
>
> [...]
>
>> I can't see a mechanism that would get the results you're seeing, but I
>> don't know what ezjail might be doing. I suspect your problem is with ezjail
>> or something bizarre on your network config; can you try it manually?
>
> After my OP I immediately sent out a second mail stating that the
> problem is not with Jails or EzJail and it's related to the way that
> aliases behave on a network interface card. When you have aliases that
> are on the same subnet, the source IP is the primary IP, that is the
> first IP set on that network device. You can test this without jails
> with a simple ssh connection to another server and then typing who.
> Even if you force ssh to bind to a particular IP using -b it will
> still show the primary IP. If you have aliases on different subnets
> this will not happen.

I don't think that's true though in the case of jails. On the host system, yes, but when a jail is bound to a particular IP, outbound connections originate from that bound IP. At least they do for me in all of my experience. Still wondering if you're using NAT with your jails, as that could change things.

(FWIW, we use ezjail as well. It doesn't do anything special except make having lots of jails easy and lightweight.)

Patrick
Re: Jail with public IP alias
On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
> On 28/08/2013 00:19, Patrick wrote:
>>
>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass wrote:
>>> [...]
>
> (Tidied up so all now bottom posted)
>
> I can confirm that you shouldn't be seeing this behaviour because I don't. I
> don't use EzJail - I prefer "vi". Seriously, setting up a jail is very
> straightforward anyway, and when I tried ezjail I found it was doing stuff I
> didn't like, so dropped it early on. It was a long time ago and I've
> forgotten the specifics.
>
> I guess if you're using it you're new to this particular game, so please
> excuse me pointing out a few basics here.
>

We use Ezjail not because it's easy or because we're new to jails, I think you might be confused on what EzJail actually is and why people use it. We use it because we manage a private cloud exclusively based on FBSD with about a dozen servers with a couple dozen jails each. I use EzJail because it allows us to manage just shy of 300 separate environments with only a couple of sysadmins, and with optimized system resources. We use it because IT ROCKS.

> Although I can't exactly see how this would cause a problem, remember that
> many services will bind to ALL IP addresses when they start up, and if they

[...]

> I can't see a mechanism that would get the results you're seeing, but I
> don't know what ezjail might be doing. I suspect your problem is with ezjail
> or something bizarre on your network config; can you try it manually?

After my OP I immediately sent out a second mail stating that the problem is not with Jails or EzJail and it's related to the way that aliases behave on a network interface card. When you have aliases that are on the same subnet, the source IP is the primary IP, that is the first IP set on that network device. You can test this without jails with a simple ssh connection to another server and then typing who. Even if you force ssh to bind to a particular IP using -b it will still show the primary IP. If you have aliases on different subnets this will not happen.

Best,

--
Alejandro Imass
Re: Jail with public IP alias
On 28/08/2013 00:19, Patrick wrote:
> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass wrote:
>> On Tue, Aug 27, 2013 at 6:28 PM, Patrick wrote:
>>> That's not the behaviour I see. My jail has a private and public IP.
>>
>> Hi Patrick, thanks for your reply.
>>
>> The issue is actually more basic and it's because the same network card has multiple IPs on the same subnet so the routing table always chooses the primary IP assigned to that interface.
>>
>> I'm trying to figure out if I can fix it in the routing table or will need IPFW to re-write the source address.
>>
>> Thanks,
>>
>> --
>> Alejandro Imass
>
> Hi Alejandro,
>
> That's how I've got things set up, too, but I'm not seeing the same behaviour. So I was wondering if there was something different about your setup such as using NAT to allow a jail with a private IP to access the internet at large.
>
> Patrick

(Tidied up so all now bottom posted)

I can confirm that you shouldn't be seeing this behaviour because I don't. I don't use EzJail - I prefer "vi". Seriously, setting up a jail is very straightforward anyway, and when I tried ezjail I found it was doing stuff I didn't like, so dropped it early on. It was a long time ago and I've forgotten the specifics.

I guess if you're using it you're new to this particular game, so please excuse me pointing out a few basics here.

Although I can't exactly see how this would cause a problem, remember that many services will bind to ALL IP addresses when they start up, and if they pinch a port any subsequent jail trying to take the same one will fail. For SSH, edit /etc/ssh/sshd_config on the "host OS" and set the ListenAddress to the one you want to use instead of the default, which means all of them.

I can't see a mechanism that would get the results you're seeing, but I don't know what ezjail might be doing. I suspect your problem is with ezjail or something bizarre on your network config; can you try it manually?

Regards, Frank.
Re: Jail with public IP alias
Hi Alejandro,

That's how I've got things set up, too, but I'm not seeing the same behaviour. So I was wondering if there was something different about your setup such as using NAT to allow a jail with a private IP to access the internet at large.

Patrick

On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass wrote:
> On Tue, Aug 27, 2013 at 6:28 PM, Patrick wrote:
>> That's not the behaviour I see. My jail has a private and public IP.
>>
>
> Hi Patrick, thanks for your reply.
>
> The issue is actually more basic and it's because the same network
> card has multiple IPs on the same subnet so the routing table always
> chooses the primary IP assigned to that interface.
>
> I'm trying to figure out if I can fix it in the routing table or will
> need IPFW to re-write the source address.
>
> Thanks,
>
> --
> Alejandro Imass
Re: Jail with public IP alias
On Tue, Aug 27, 2013 at 6:28 PM, Patrick wrote:
> That's not the behaviour I see. My jail has a private and public IP.
>

Hi Patrick, thanks for your reply.

The issue is actually more basic and it's because the same network card has multiple IPs on the same subnet so the routing table always chooses the primary IP assigned to that interface.

I'm trying to figure out if I can fix it in the routing table or will need IPFW to re-write the source address.

Thanks,

--
Alejandro Imass
Re: Jail with public IP alias
That's not the behaviour I see. My jail has a private and public IP.

$ ifconfig bce1
bce1: flags=8843 metric 0 mtu 1500
options=c01bb
ether a4:ba:db:29:7a:1b
inet 192.168.42.23 netmask 0x broadcast 192.168.42.23
media: Ethernet autoselect (1000baseT )
status: active

If I ssh into another host on the 192.168.42.0 network, I see:

$ who
patrick ttyp1 Aug 27 15:21 (192.168.42.23)

The host of the jail has multiple IPs on that private subnet:

$ ifconfig bce1
bce1: flags=8843 metric 0 mtu 1500
options=c01bb
ether a4:ba:db:29:7a:1b
inet 192.168.42.17 netmask 0xff00 broadcast 192.168.42.255
inet 192.168.42.18 netmask 0x broadcast 192.168.42.18
inet 192.168.42.19 netmask 0x broadcast 192.168.42.19
inet 192.168.42.20 netmask 0x broadcast 192.168.42.20
inet 192.168.42.21 netmask 0x broadcast 192.168.42.21
inet 192.168.42.23 netmask 0x broadcast 192.168.42.23
inet 192.168.42.24 netmask 0x broadcast 192.168.42.24
media: Ethernet autoselect (1000baseT )
status: active

Are you using NAT from your jail to the outside world?

Patrick

On Tue, Aug 27, 2013 at 2:21 PM, Alejandro Imass wrote:
> On Tue, Aug 27, 2013 at 4:59 PM, Alejandro Imass wrote:
>> Hi,
>>
>> I have a machine with several public IPs on the same NIC and I bound
>> one of those IPs to a jail created with EzJail. Suppose the scenario
>> is something like this:
>>
>> em0
>> 190.100.100.1
>> 190.100.100.2
>> 190.100.100.3
>> 190.100.100.4
>>
>> In the jail we are bound only to 190.100.100.4
>>
>> The default router is correctly set on the jail, etc.
>>
>> But when we ssh out of that jail, or send an email, the receiving end
>> always sees 190.100.100.1 not 190.100.100.4 which is the IP the jail
>> is bound to.
>
>
> I think my problem is actually more basic than this. The problem
> actually occurs on the base system as well and I think it's because
> all the IPs are on the same subnet, then the kernel assumes to use the
> primary IP as the source address.
>
> For the sake and usefulness of the mail archives I will end this thread
> here and start another one with a more appropriate title, not before
> researching to see if this can be done with the routing table or if I
> need to use ipfw to re-write the source address.
>
> Thanks,
>
> --
> Alejandro Imass
Re: Jail with public IP alias
On Tue, Aug 27, 2013 at 4:59 PM, Alejandro Imass wrote:
> Hi,
>
> I have a machine with several public IPs on the same NIC and I bound
> one of those IPs to a jail created with EzJail. Suppose the scenario
> is something like this:
>
> em0
> 190.100.100.1
> 190.100.100.2
> 190.100.100.3
> 190.100.100.4
>
> In the jail we are bound only to 190.100.100.4
>
> The default router is correctly set on the jail, etc.
>
> But when we ssh out of that jail, or send an email, the receiving end
> always sees 190.100.100.1 not 190.100.100.4 which is the IP the jail
> is bound to.

I think my problem is actually more basic than this. The problem actually occurs on the base system as well and I think it's because all the IPs are on the same subnet, then the kernel assumes to use the primary IP as the source address.

For the sake and usefulness of the mail archives I will end this thread here and start another one with a more appropriate title, not before researching to see if this can be done with the routing table or if I need to use ipfw to re-write the source address.

Thanks,

--
Alejandro Imass
Jail with public IP alias
Hi,

I have a machine with several public IPs on the same NIC and I bound one of those IPs to a jail created with EzJail. Suppose the scenario is something like this:

em0
190.100.100.1
190.100.100.2
190.100.100.3
190.100.100.4

In the jail we are bound only to 190.100.100.4

The default router is correctly set on the jail, etc.

But when we ssh out of that jail, or send an email, the receiving end always sees 190.100.100.1 not 190.100.100.4 which is the IP the jail is bound to.

Since I can't use traceroute or netstat I can only guess that it's using the base system's routing table for link#1 and that's why it's always going out of the first IP of that NIC.

Is there any way to fix this? Besides adding another NIC which we currently can't do.

Thanks,

--
Alejandro Imass
Re: sysvipc only for one jail
On 12.08.2013 19:46, Trond Endrestøl wrote:
> On Mon, 12 Aug 2013 14:09+0200, Trond Endrestøl wrote:
>
> > On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
> >
> > > 2013/8/12 Trond Endrestøl :
> > > > On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
> > > >
> > > > > 2013/8/11 Maciej Suszko :
> > > > > > Maciej Suszko wrote:
> > > > > > [...]
> > > > > > > You can specify different params for each jail using _parameters, for example:
> > > > > > >
> > > > > > > jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
> > > > > >
> > > > > > Sorry, my mistake - it should be jail_jailname_parameters= of course.
> > > > > > --
> > > > > > regards, Maciej Suszko.
> > > > >
> > > > > Thanks for your message,
> > > > >
> > > > > However, I could not find this setting in the manual of rc.conf(5) nor in /etc/rc.d/jail :(. It does not seem to be applied.
> > > >
> > > > Have a look at jail(8) and the last lines of /etc/default/rc.conf.
> > >
> > > I see,
> > >
> > > I've added what Maciej Suszko told me but the sysctls in the jail are not set as they should be:
> > >
> > > security.jail.param.allow.sysvipc: 0
> > > security.jail.param.allow.chflags: 0
> > >
> > > And thus, it's not enabled as postgresql tells:
> > >
> > > creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL: could not create shared memory segment: Function not implemented
> >
> > I'll look into this by creating a new jail for PostgreSQL 9.2 when I get home.
>
> My host is running 9.2-PRERELEASE, r254150, in VirtualBox 4.2.16. The jails are running world, also at r254150.
>
> I added the following to the host's /etc/rc.conf:
>
> jail_enable="YES"
> jail_list="postgresql"
> jail_postgresql_rootdir="/jails/postgresql"
> jail_postgresql_hostname="postgresql.bsd.net"
> jail_postgresql_interface="vtnet0"
> jail_postgresql_fib="0"
> jail_postgresql_ip="10.0.2.103,2001:db8::103"
> jail_postgresql_exec_start="/bin/sh /etc/rc"
> jail_postgresql_exec_stop="/bin/sh /etc/rc.shutdown"
> jail_postgresql_devfs_enable="YES"
> jail_postgresql_parameters="enforce_statfs=1 allow.chflags=1 allow.sysvipc=1 allow.mount=1 allow.mount.zfs=1"
>
> I added the following to the host's /etc/jail.conf:
>
> postgresql {
>     path = /jails/postgresql;
>     enforce_statfs = 1;
>     allow.chflags;
>     allow.sysvipc;
>     allow.mount;
>     allow.mount.zfs;
>     mount.devfs;
>     host.hostname = postgresql.bsd.net;
>     ip4.addr = 10.0.2.103;
>     ip6.addr = 2001:db8::103;
>     interface = vtnet0;
>     exec.start = "/bin/sh /etc/rc";
>     exec.stop = "/bin/sh /etc/rc.shutdown";
> }
>
> PostgreSQL 9.2.4 had no problems running initdb nor running postgres inside the jail:
>
> root@freebsd-jails:/ # jexec 4 csh
> root@postgresql:/ # /usr/local/etc/rc.d/postgresql status
> pg_ctl: server is running (PID: 46623)
> /usr/local/bin/postgres "-D" "/usr/local/pgsql/data"
> root@postgresql:/ #
>
> If you start the jail manually using jail(8), then /etc/jail.conf comes into play, whereas the lines in /etc/rc.conf are used during automatic startup of the jails when the host is rebooted. The whole arrangement seems unnecessarily redundant, and I truly wish this can be merged sooner rather than later.

I've updated to 9.2-RC1 and the _parameters did the trick, thanks!

Cheers,
Re: sysvipc only for one jail
On Tue, Aug 13, 2013 at 12:14 AM, Shane Ambler wrote:
> On 12/08/2013 21:39, Trond Endrestøl wrote:
>>
>> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>
>
>>> And thus, it's not enabled as postgresql tells:
>>>
>>> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
>>> could not create shared memory segment: Function not implemented
>>
>>
>> I'll look into this by creating a new jail for PostgreSQL 9.2 when I
>> get home.
>>
>
> While it is currently in beta maybe you could also try 9.3 and verify that
> the shared memory update works or eliminates this configuration?
>

No need for any complication. Pg will work just fine by following this simple recipe. I compute a UID unique to the overall system by concatenating 70 (the natural UID for the pgsql user in FBSD) and the last 3 digits of the jail's IP, but you can come up with any numbering scheme as long as it's consistent and easily associated to a specific jail.

For example for the Pg running on jail 192.168.101.124, install PostgreSQL and before doing anything else:

pw usermod pgsql -u 70124
pw groupmod pgsql -g 70124
pw usermod pgsql -g 70124
chown -R pgsql /usr/local/pgsql/
chgrp -R pgsql /usr/local/pgsql/

Any other application that uses SYSV IPC should follow a similar recipe, and it's compatible with all versions of Jails.

And that's it. I have dozens of jails with Pg running this way.

Likewise also make sure all of your network daemons listen _specifically_ to that jail's IP, in Pg that would be postgresql.conf:

listen_addresses = 'xx'

although the default 'localhost' should work most of the time. Always double check all daemons with sockstat (e.g. sockstat -4l) to make sure they only listen on that jail's IP(s).

Best,

--
Alejandro Imass
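An added example, not code from the thread, that automates the sockstat check recommended above: it reads sockstat -4l style output and reports every listener not bound to one of the jail's own addresses (a wildcard "*" bind or a foreign IP). The sockstat output embedded below is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit sockstat(1) "-4l" output for
# listeners that are not bound specifically to the jail's own IP address(es).
# On a real FreeBSD host you would pipe in `jexec <jail> sockstat -4l` instead
# of the constructed sample embedded here, which lets the script run offline.

# Constructed sample in sockstat(1) layout:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
pgsql    postgres   46623 5  tcp4   192.168.101.124:5432  *:*
root     sshd       812   4  tcp4   *:22                  *:*
www      nginx      901   6  tcp4   192.168.101.124:80    *:*
root     syslogd    455   7  udp4   127.0.0.1:514         *:*
bind     named      777   8  tcp4   192.168.101.1:53      *:*'

# audit_listeners "IP [IP ...]"
#   Reads sockstat-style lines on stdin and prints one report line for every
#   listener whose local address is not in the space-separated allow list.
#   A local address of "*" means the daemon bound the wildcard address rather
#   than a specific one, which is exactly what the thread warns against, so
#   it is reported unless "*" is explicitly allowed.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "USER" || NF < 6 { next }     # header line or blank/short line
        {
            addr = $6
            sub(/:[^:]*$/, "", addr)        # strip ":port" -> bare IPv4 or "*"
            if (!(addr in ok))
                printf "%s (user %s, pid %s) listens on %s, not on a jail IP\n", $2, $1, $3, $6
        }'
}

# count_violations "IP [IP ...]"
#   Same input on stdin; prints only the number of offending listeners, so a
#   cron job or rc script can fail on a non-zero count.
count_violations() {
    audit_listeners "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample: the jail owns 192.168.101.124, and
# loopback is accepted here because a jail maps 127.0.0.1 onto its own IP.
printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners '192.168.101.124 127.0.0.1'
```

On the sample this reports sshd (wildcard bind) and named (bound to an address the jail does not own) and stays silent for the rest.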
Re: sysvipc only for one jail
On Tue, 13 Aug 2013 07:53-0400, Fbsd8 wrote:
> What 9.3 are you talking about
> 9.2-RC1 is the newest available.
> Is 9.3 a typo and you really mean 9.2??

PostgreSQL 9.3beta2, you'll find it in ports as databases/postgresql93-server, etc.

http://wiki.postgresql.org/wiki/What's_new_in_PostgreSQL_9.3

Among other things:

o Switch to Posix shared memory and mmap(). (DONE)

--
+--------------------------+-----------------------------------+
| Vennlig hilsen,          | Best regards,                     |
| Trond Endrestøl,         | Trond Endrestøl,                  |
| IT-ansvarlig,            | System administrator,             |
| Fagskolen Innlandet,     | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567,    | Cellular...: +47 952 62 567,      |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00.     |
+--------------------------+-----------------------------------+
Re: sysvipc only for one jail
Terje Elde wrote:
> On 12. aug. 2013, at 19.46, Trond Endrestøl wrote:
>> If you start the jail manually using jail(8), then /etc/jail.conf comes into play, whereas the lines in /etc/rc.conf are used during automatic startup of the jails when the host is rebooted. The whole arrangement seems unnecessarily redundant, and I truly wish this can be merged sooner rather than later.
>
> It *is* unnecessarily redundant.
>
> If you're using /etc/rc.conf to define the jails, then start them with:
>
> /etc/rc.d/jail start jailname
>
> That is, if you're mostly using /etc/rc.conf to define the jails, then start them manually using that as well?
>
> Problem solved?
>
> Terje

Here is a writeup about jails that you may find useful. It includes a boot time jail startup script for jail(8) defined jails.

http://www.a1poweruser.com/35.00-Jails_guide_article.php
Re: sysvipc only for one jail
Shane Ambler wrote:
> On 12/08/2013 21:39, Trond Endrestøl wrote:
>
> While it is currently in beta maybe you could also try 9.3 and verify that the shared memory update works or eliminates this configuration?
>
> If you missed the change, 9.3 is implementing shared memory using mmap.

What 9.3 are you talking about?
9.2-RC1 is the newest available.
Is 9.3 a typo and you really mean 9.2??
Re: sysvipc only for one jail
On 12. aug. 2013, at 19.46, Trond Endrestøl wrote:
> If you start the jail manually using jail(8), then /etc/jail.conf
> comes into play, whereas the lines in /etc/rc.conf are used during
> automatic startup of the jails when the host is rebooted. The whole
> arrangement seems unnecessarily redundant, and I truly wish this can be
> merged sooner rather than later.

It *is* unnecessarily redundant.

If you're using /etc/rc.conf to define the jails, then start them with:

/etc/rc.d/jail start jailname

That is, if you're mostly using /etc/rc.conf to define the jails, then start them manually using that as well?

Problem solved?

Terje
Re: sysvipc only for one jail
On 13. aug. 2013, at 06:14, Shane Ambler wrote:
> If you missed the change, 9.3 is implementing shared memory using mmap.

But still using sysvipc for some locks/mutexes, so it doesn't allow you to run "sysvipc-free".

Terje
Re: sysvipc only for one jail
On 12/08/2013 21:39, Trond Endrestøl wrote:
> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>> And thus, it's not enabled as postgresql tells:
>>
>> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
>> could not create shared memory segment: Function not implemented
>
> I'll look into this by creating a new jail for PostgreSQL 9.2 when I get home.

While it is currently in beta maybe you could also try 9.3 and verify that the shared memory update works or eliminates this configuration?

If you missed the change, 9.3 is implementing shared memory using mmap.
Re: sysvipc only for one jail
On Mon, 12 Aug 2013 14:09+0200, Trond Endrestøl wrote:

> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>
> > 2013/8/12 Trond Endrestøl :
> > > On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
> > >
> > >> 2013/8/11 Maciej Suszko :
> > >> > Maciej Suszko wrote:
> > >> > [...]
> > >> >>
> > >> >> You can specify different params for each jail using _parameters, for
> > >> >> example:
> > >> >>
> > >> >> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
> > >> >
> > >> > Sorry, my mistake - it should be jail_jailname_parameters= of course.
> > >> > --
> > >> > regards, Maciej Suszko.
> > >>
> > >> Thanks for your message,
> > >>
> > >> However, I could not find this setting in the manual of rc.conf(5)
> > >> nor in /etc/rc.d/jail :(. It does not seem to be applied.
> > >
> > > Have a look at jail(8) and the last lines of /etc/default/rc.conf.
> >
> > I see,
> >
> > I've added what Maciej Suszko told me but the sysctls in the jail are
> > not set as they should be:
> >
> > security.jail.param.allow.sysvipc: 0
> > security.jail.param.allow.chflags: 0
> >
> > And thus, it's not enabled as postgresql tells:
> >
> > creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
> > could not create shared memory segment: Function not implemented
>
> I'll look into this by creating a new jail for PostgreSQL 9.2 when I
> get home.

My host is running 9.2-PRERELEASE, r254150, in VirtualBox 4.2.16. The jails are running world, also at r254150.

I added the following to the host's /etc/rc.conf:

jail_enable="YES"
jail_list="postgresql"
jail_postgresql_rootdir="/jails/postgresql"
jail_postgresql_hostname="postgresql.bsd.net"
jail_postgresql_interface="vtnet0"
jail_postgresql_fib="0"
jail_postgresql_ip="10.0.2.103,2001:db8::103"
jail_postgresql_exec_start="/bin/sh /etc/rc"
jail_postgresql_exec_stop="/bin/sh /etc/rc.shutdown"
jail_postgresql_devfs_enable="YES"
jail_postgresql_parameters="enforce_statfs=1 allow.chflags=1 allow.sysvipc=1 allow.mount=1 allow.mount.zfs=1"

I added the following to the host's /etc/jail.conf:

postgresql {
    path = /jails/postgresql;
    enforce_statfs = 1;
    allow.chflags;
    allow.sysvipc;
    allow.mount;
    allow.mount.zfs;
    mount.devfs;
    host.hostname = postgresql.bsd.net;
    ip4.addr = 10.0.2.103;
    ip6.addr = 2001:db8::103;
    interface = vtnet0;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

PostgreSQL 9.2.4 had no problems running initdb nor running postgres inside the jail:

root@freebsd-jails:/ # jexec 4 csh
root@postgresql:/ # /usr/local/etc/rc.d/postgresql status
pg_ctl: server is running (PID: 46623)
/usr/local/bin/postgres "-D" "/usr/local/pgsql/data"
root@postgresql:/ #

If you start the jail manually using jail(8), then /etc/jail.conf comes into play, whereas the lines in /etc/rc.conf are used during automatic startup of the jails when the host is rebooted. The whole arrangement seems unnecessarily redundant, and I truly wish this can be merged sooner rather than later.

--
Trond Endrestøl
Re: sysvipc only for one jail
David Demelier wrote:
> 2013/8/11 Maciej Suszko :
> > Maciej Suszko wrote:
> > [...]
> >>
> >> You can specify different params for each jail using _parameters,
> >> for example:
> >>
> >> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
> >
> > Sorry, my mistake - it should be jail_jailname_parameters= of
> > course. --
> > regards, Maciej Suszko.
>
> Thanks for your message,
>
> However, I could not find this setting in the manual of rc.conf(5)
> nor in /etc/rc.d/jail :(. It does not seem to be applied.

I suppose the jail_(jname)_parameters rc.conf option is available in at least 9-STABLE.

--
regards, Maciej Suszko.
Re: sysvipc only for one jail
On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:

> 2013/8/12 Trond Endrestøl :
> > On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
> >
> >> 2013/8/11 Maciej Suszko :
> >> > Maciej Suszko wrote:
> >> > [...]
> >> >>
> >> >> You can specify different params for each jail using _parameters, for
> >> >> example:
> >> >>
> >> >> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
> >> >
> >> > Sorry, my mistake - it should be jail_jailname_parameters= of course.
> >> > --
> >> > regards, Maciej Suszko.
> >>
> >> Thanks for your message,
> >>
> >> However, I could not find this setting in the manual of rc.conf(5)
> >> nor in /etc/rc.d/jail :(. It does not seem to be applied.
> >
> > Have a look at jail(8) and the last lines of /etc/default/rc.conf.
>
> I see,
>
> I've added what Maciej Suszko told me but the sysctls in the jail are
> not set as they should be:
>
> security.jail.param.allow.sysvipc: 0
> security.jail.param.allow.chflags: 0
>
> And thus, it's not enabled as postgresql tells:
>
> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
> could not create shared memory segment: Function not implemented

I'll look into this by creating a new jail for PostgreSQL 9.2 when I get home.

--
Trond Endrestøl
Re: sysvipc only for one jail
2013/8/12 Trond Endrestøl :
> On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
>
>> 2013/8/11 Maciej Suszko :
>> > Maciej Suszko wrote:
>> > [...]
>> >>
>> >> You can specify different params for each jail using _parameters, for
>> >> example:
>> >>
>> >> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>> >
>> > Sorry, my mistake - it should be jail_jailname_parameters= of course.
>> > --
>> > regards, Maciej Suszko.
>>
>> Thanks for your message,
>>
>> However, I could not find this setting in the manual of rc.conf(5)
>> nor in /etc/rc.d/jail :(. It does not seem to be applied.
>
> Have a look at jail(8) and the last lines of /etc/default/rc.conf.
>
> --
> Trond Endrestøl

I see,

I've added what Maciej Suszko told me but the sysctls in the jail are not set as they should be:

security.jail.param.allow.sysvipc: 0
security.jail.param.allow.chflags: 0

And thus, it's not enabled as postgresql tells:

creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL: could not create shared memory segment: Function not implemented

Cheers,

--
Demelier David
Re: sysvipc only for one jail
On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:

> 2013/8/11 Maciej Suszko :
> > Maciej Suszko wrote:
> > [...]
> >>
> >> You can specify different params for each jail using _parameters, for
> >> example:
> >>
> >> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
> >
> > Sorry, my mistake - it should be jail_jailname_parameters= of course.
> > --
> > regards, Maciej Suszko.
>
> Thanks for your message,
>
> However, I could not find this setting in the manual of rc.conf(5)
> nor in /etc/rc.d/jail :(. It does not seem to be applied.

Have a look at jail(8) and the last lines of /etc/default/rc.conf.

--
Trond Endrestøl
Re: sysvipc only for one jail
2013/8/11 Maciej Suszko :
> Maciej Suszko wrote:
> [...]
>>
>> You can specify different params for each jail using _parameters, for
>> example:
>>
>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>
> Sorry, my mistake - it should be jail_jailname_parameters= of course.
> --
> regards, Maciej Suszko.

Thanks for your message,

However, I could not find this setting in the manual of rc.conf(5) nor in /etc/rc.d/jail :(. It does not seem to be applied.

Cheers,

--
Demelier David
Re: sysvipc only for one jail
Maciej Suszko wrote:
[...]
>
> You can specify different params for each jail using _parameters, for
> example:
>
> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"

Sorry, my mistake - it should be jail_jailname_parameters= of course.

--
regards, Maciej Suszko.
Re: sysvipc only for one jail
David Demelier wrote:
> Hi,
>
> I would like to enable sysvipc only for one jail (defined in
> /etc/rc.conf). It's possible with jail.conf but this is not supported
> with jails listed in /etc/rc.conf.
>
> Is it possible without using the global jail_sysvipc_allow ?

You can specify different params for each jail using _parameters, for example:

jail_jailname_params="allow.chflags=1 allow.sysvipc=1"

--
regards, Maciej Suszko.
sysvipc only for one jail
Hi,

I would like to enable sysvipc only for one jail (defined in /etc/rc.conf). It's possible with jail.conf but this is not supported with jails listed in /etc/rc.conf.

Is it possible without using the global jail_sysvipc_allow ?

Cheers,

--
Demelier David
Re: Static Jail ID's (JID's) for use with IPFW?
--On 07 August 2013 12:23 +0100 Arthur Chance wrote:

> I don't think the old /etc/rc.conf way of handling jails lets you do it, but the latest version of jail(8) introduced /etc/jail.conf and you should be able to add "jid = ;" parameters in there.

Thanks - I'll check that out...

> I've no idea what will happen if your choice conflicts with an automatically generated jid, so you'll either have to make sure all jails have fixed jids, or choose a suitably high range for fixed ones and hope you never generate too many unfixed jids.

I'll be making them all static - just to avoid that problem ;)

Cheers,

-Karl
Re: Static Jail ID's (JID's) for use with IPFW?
Karl Pielorz wrote:
> Hi,
>
> I have a number of jailed systems running - and I've been setting up ipfw rules for them. This is on FBSD 9.1.
>
> 'ipfw' lets you match on traffic to/from a Jail ID (JID) - however every time jails get started / stopped their JID changes [thus breaking the firewall rules].
>
> I can't see anywhere to 'statically' configure a JID to a Jail (i.e. in /etc/rc.conf).
>
> Is this possible? / How?
>
> Thanks,
>
> -Karl

Use the jail's IP address in the host's IPFW rules.
Re: Static Jail ID's (JID's) for use with IPFW?
On 07/08/2013 09:28, Karl Pielorz wrote:
> I have a number of jailed systems running - and I've been setting up ipfw rules for them. This is on FBSD 9.1.
>
> 'ipfw' lets you match on traffic to/from a Jail ID (JID) - however every time jails get started / stopped their JID changes [thus breaking the firewall rules].
>
> I can't see anywhere to 'statically' configure a JID to a Jail (i.e. in /etc/rc.conf).

I don't think the old /etc/rc.conf way of handling jails lets you do it, but the latest version of jail(8) introduced /etc/jail.conf and you should be able to add "jid = ;" parameters in there.

I've no idea what will happen if your choice conflicts with an automatically generated jid, so you'll either have to make sure all jails have fixed jids, or choose a suitably high range for fixed ones and hope you never generate too many unfixed jids.

--
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a new race of servants. Called Uruk-Oh-Hai in the Black Speech, they were cruel and delighted in torturing spelling and grammar.
_Lord of the Rings 2.0, the Web Edition_
Static Jail ID's (JID's) for use with IPFW?
Hi,

I have a number of jailed systems running - and I've been setting up ipfw rules for them. This is on FBSD 9.1.

'ipfw' lets you match on traffic to/from a Jail ID (JID) - however every time jails get started / stopped their JID changes [thus breaking the firewall rules].

I can't see anywhere to 'statically' configure a JID to a Jail (i.e. in /etc/rc.conf). Is this possible? / How?

Thanks,

-Karl
Re: netgraph network setup for jail(8) vnet jails.
On Thu, 23 May 2013 09:42-0400, Joe wrote:

> Teske, Devin wrote:
>> snip...
>> I rendered your output by saving it in a file ("joe.dot") and then running:
>>
>> dot -Tsvg -o joe.svg < joe.dot
>>
>> I then uploaded "joe.svg" to my website:
>>
>> http://druidbsd.sf.net/download/joe.svg
>>
>> Compare your output to any of the following:
>>
>> http://druidbsd.sf.net/download/warden0.jbsd.svg
>> http://druidbsd.sourceforge.net/download/folsom.svg
>>
>> It looks like everything is connected properly.
>>
>> A couple thoughts off the top of my head:
>>
>> a. Did you enable promiscuous mode on rl0 via ngctl? (in your script
>> perhaps?)
>>
>> b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl
>> too, but I imagine ifconfig from within the jail could achieve the same
>> thing)
>> --
>> Devin
>
> Yes I enabled promiscuous mode and setautosrc 0 on rl0 via ngctl.
> I can find no documentation on why this is done. Can you point me to some?
>
> Yes I gave the jail a unique MAC address.
>
> I tried to generate my own network map, but having problem.
>
> ngctl dot > file.dot works.
> dot -Tsvg -o file.svg < file.dot
> gives me "command dot not found".

Please install graphics/graphviz, either from ports or from packages.

> Tried ngctl dot -Tsvg -o file.svg < file.dot
> and -T is illegal option.
> What am I doing wrong?
>
> Thanks for your help
> Joe

--
Best regards,
Trond Endrestøl,
System administrator,
Gjøvik Technical College, Norway,
Cellular: +47 952 62 567,
Switchboard: +47 61 14 54 00.
netgraph network for jail(8) vnet jail unable to reach internet
Hello list.

Trying to get my script to work that creates a netgraph network for a jail(8) vnet jail. Every thing seems to work, but from inside of the started vnet jail I can not ping the public internet. The host can ping the public internet so the problem has to be in the netgraph script. The problem must be staring me in the face but I can just not see it. A fresh pair of eyes may see things I am missing.

I'm running 9.1-RELEASE with vimage compiled into the kernel. Non-vnet jails work fine and bridge/epair networked vnet jails work fine. The host has a single ethernet interface (rl0) facing the public internet. Dhcp is used to get the hosts ip address and dns server info.

The vnet.ng script is designed to create a single ng bridge to rl0 and connect vnet jails to it as the jails are started. The following is a walk through of a test cycle showing what I can see from the host. At the end is a listing of the vnet.ng script.

Thanks for your help

# From the host lets see if there is a netgraph network before we start?
# Nope, no netgraph network running
# /root >ngctl ls -l
There are 2 total nodes:
  Name: rl0         Type: ether     ID: 0001   Num hooks: 0
  Name: ngctl2850   Type: socket    ID: 0037   Num hooks: 0

# Here is the jail(8) jail.conf definition statements
# /root >cat /usr/local/etc/vnet/vdir9
vdir9 {
    host.hostname = "vdir9";
    path = "/usr/jails/vdir9";
    mount.fstab = "/usr/local/etc/fstab/vdir9";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/vdir9.console.log";
    devfs_ruleset = "4";
    allow.mount.devfs;
    vnet;
}

# Lets start the vnet jail
# /root >jail -f /usr/local/etc/qjail.vnet/vdir9 -c
vdir9: created

# Yes it's really running.
# /root >jls
   JID  IP Address      Hostname                      Path
     4  -               vdir9                         /usr/jails/vdir9

# Lets start the netgraph network for the running vnet jail
# /root >vnet.ng start vdir9 rl0
Netgraph vnet jail network established successfully!

# Lets check the host for the vnet jail netgraph network
# Yep it's there and looks complete to me.
# /root >ngctl ls -l
There are 4 total nodes:
  Name: rl0         Type: ether     ID: 0001   Num hooks: 2
  Local hook   Peer name   Peer type   Peer ID   Peer hook
  ----------   ---------   ---------   -------   ---------
  upper        bridge0     bridge      003d      link1
  lower        bridge0     bridge      003d      link0
  Name: bridge0     Type: bridge    ID: 003d   Num hooks: 3
  Local hook   Peer name   Peer type   Peer ID   Peer hook
  ----------   ---------   ---------   -------   ---------
  link2        vdir9       eiface      0041      ether
  link1        rl0         ether       0001      upper
  link0        rl0         ether       0001      lower
  Name: vdir9       Type: eiface    ID: 0041   Num hooks: 1
  Local hook   Peer name   Peer type   Peer ID   Peer hook
  ----------   ---------   ---------   -------   ---------
  ether        bridge0     bridge      003d      link2
  Name: ngctl3126   Type: socket    ID: 0046   Num hooks: 0

# Lets log into the running jail
# /root >jexec vdir9 tcsh

# Lets ping freebsd.org ip address. No public internet connection
# even though host can do same ping and get good reply.
vdir9 / >ping -c4 8.8.178.135
PING 8.8.178.135 (8.8.178.135): 56 data bytes

--- 8.8.178.135 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
vdir9 / >exit
exit

# Now stop the vnet jails netgraph network
# /root >vnet.ng stop vdir9 rl0
Netgraph vnet jail network shutdown successfully!

# and yes the netgraph network is shutdown
# /root >ngctl ls -l
There are 2 total nodes:
  Name: rl0         Type: ether     ID: 0001   Num hooks: 0
  Name: ngctl3167   Type: socket    ID: 004b   Num hooks: 0

# Here is the vnet.ng script
# It starts and stops the vnet jail's netgraph network

#!/bin/sh
function=$1
jailname=$2
nicname=$3
jid=`jls -j ${jailname} jid`

# Load netgraph kernel modules if not done already.
for module in ng_socket netgraph ng_bridge ng_eiface ng_ether; do
    if ! kldstat -v | grep -qw ${module}; then
        kldload ${module} || exit 1
    fi
done

# mac manufacturer prefix. Modify if need be.
#mac_prefix="00:1d:92"
mac_prefix="07:22:49"

start() {
    sysctl net.inet.ip.forwarding=1 > /dev/null 2> /dev/null
    jid=`jls -j ${jailname} jid`
    if [ "${jid}" -gt "100" ]; then
        echo " "
        echo "WARNING: The JID value is greater then 100."
        echo "This may indicate many cycles of starting/stopping vnet
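One thing worth checking in a script like the one above, as an added example that is not part of Joe's vnet.ng: the address handed to an ng_eiface node must be a unicast MAC. Bit 0 of the first octet is the IEEE individual/group bit, and a prefix whose first octet is odd, such as 07:22:49, produces a group (multicast) address, which is not valid as a station's source address. The prefix-plus-JID scheme below is a constructed one, not the script's own.

```shell
#!/bin/sh
# Added example, not from the vnet.ng script: validate the MAC address an
# ng_eiface node will be given before it is applied. Bit 0 of the first octet
# is the IEEE individual/group bit; an address with it set is a group
# (multicast) address. 07:22:49 sets it (0x07 is odd); 00:1d:92 and the
# locally administered 02:xx:xx:xx:xx:xx form that epair(4) uses do not.

HEX2='[0-9a-fA-F][0-9a-fA-F]'

# Return 0 when MAC is six colon-separated hex octets with the I/G bit clear.
mac_is_unicast() {
    case "$1" in
        $HEX2:$HEX2:$HEX2:$HEX2:$HEX2:$HEX2) ;;
        *) return 1 ;;
    esac
    first=${1%%:*}
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Build a per-jail MAC from a 3-octet prefix and the jail's JID, using the
# JID as the 24-bit device part (constructed scheme, not the script's own).
make_jail_mac() {
    printf '%s:%02x:%02x:%02x\n' "$1" \
        $(( ($2 >> 16) & 255 )) $(( ($2 >> 8) & 255 )) $(( $2 & 255 ))
}

# Reject a bad prefix up front so a group address never reaches the bridge.
check_mac_prefix() {
    mac_is_unicast "$(make_jail_mac "$1" 1)"
}

# Usage from a start script: check_mac_prefix "$mac_prefix" || exit 1
```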
Re: netgraph network setup for jail(8) vnet jails.
Teske, Devin wrote:
> snip...
> I rendered your output by saving it in a file ("joe.dot") and then running:
>
> dot -Tsvg -o joe.svg < joe.dot
>
> I then uploaded "joe.svg" to my website:
>
> http://druidbsd.sf.net/download/joe.svg
>
> Compare your output to any of the following:
>
> http://druidbsd.sf.net/download/warden0.jbsd.svg
> http://druidbsd.sourceforge.net/download/folsom.svg
>
> It looks like everything is connected properly.
>
> A couple thoughts off the top of my head:
>
> a. Did you enable promiscuous mode on rl0 via ngctl? (in your script
> perhaps?)
>
> b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl
> too, but I imagine ifconfig from within the jail could achieve the same
> thing)
> --
> Devin

Yes I enabled promiscuous mode and setautosrc 0 on rl0 via ngctl.
I can find no documentation on why this is done. Can you point me to some?

Yes I gave the jail a unique MAC address.

I tried to generate my own network map, but having problem.

ngctl dot > file.dot works.
dot -Tsvg -o file.svg < file.dot
gives me "command dot not found".
Tried ngctl dot -Tsvg -o file.svg < file.dot
and -T is illegal option.
What am I doing wrong?

Thanks for your help
Joe
Re: netgraph network setup for jail(8) vnet jails.
On May 18, 2013, at 5:51 PM, Joe wrote:

> Teske, Devin wrote:
>> Sorry for top-post, but just wanted to add a quick note:
>>
>> The output of "ngctl dot" would be very helpful to others in debugging your setup.
>
> graph netgraph {
>     edge [ weight = 1.0 ];
>     node [ shape = record, fontsize = 12 ] {
>         "1" [ label = "{rl0:|{ether|[1]:}}" ];
>         "5" [ label = "{bridge0:|{bridge|[5]:}}" ];
>         "9" [ label = "{ngeth0:|{eiface|[9]:}}" ];
>         "e" [ label = "{ngctl2355:|{socket|[e]:}}" ];
>     };
>     subgraph cluster_disconnected {
>         bgcolor = pink;
>         "e";
>     };
>     node [ shape = octagon, fontsize = 10 ] {
>         "1.upper" [ label = "upper" ];
>         "1.lower" [ label = "lower" ];
>     };
>     {
>         edge [ weight = 2.0, style = bold ];
>         "1" -- "1.upper";
>         "1" -- "1.lower";
>     };
>     node [ shape = octagon, fontsize = 10 ] {
>         "5.link2" [ label = "link2" ];
>         "5.link1" [ label = "link1" ];
>         "5.link0" [ label = "link0" ];
>     };
>     {
>         edge [ weight = 2.0, style = bold ];
>         "5" -- "5.link2";
>         "5" -- "5.link1";
>         "5" -- "5.link0";
>     };
>     "5.link1" -- "1.upper";
>     "5.link0" -- "1.lower";
>     node [ shape = octagon, fontsize = 10 ] {
>         "9.ether" [ label = "ether" ];
>     };
>     {
>         edge [ weight = 2.0, style = bold ];
>         "9" -- "9.ether";
>     };
>     "9.ether" -- "5.link2";
> };

I rendered your output by saving it in a file ("joe.dot") and then running:

dot -Tsvg -o joe.svg < joe.dot

I then uploaded "joe.svg" to my website:

http://druidbsd.sf.net/download/joe.svg

Compare your output to any of the following:

http://druidbsd.sf.net/download/warden0.jbsd.svg
http://druidbsd.sourceforge.net/download/folsom.svg

It looks like everything is connected properly.

A couple thoughts off the top of my head:

a. Did you enable promiscuous mode on rl0 via ngctl? (in your script perhaps?)

b. Have you tried giving ngeth0 a new MAC address? (I do this through ngctl too, but I imagine ifconfig from within the jail could achieve the same thing)
--
Devin
Re: netgraph network setup for jail(8) vnet jails.
Teske, Devin wrote:
> Sorry for top-post, but just wanted to add a quick note:
>
> The output of "ngctl dot" would be very helpful to others in debugging your setup.

graph netgraph {
    edge [ weight = 1.0 ];
    node [ shape = record, fontsize = 12 ] {
        "1" [ label = "{rl0:|{ether|[1]:}}" ];
        "5" [ label = "{bridge0:|{bridge|[5]:}}" ];
        "9" [ label = "{ngeth0:|{eiface|[9]:}}" ];
        "e" [ label = "{ngctl2355:|{socket|[e]:}}" ];
    };
    subgraph cluster_disconnected {
        bgcolor = pink;
        "e";
    };
    node [ shape = octagon, fontsize = 10 ] {
        "1.upper" [ label = "upper" ];
        "1.lower" [ label = "lower" ];
    };
    {
        edge [ weight = 2.0, style = bold ];
        "1" -- "1.upper";
        "1" -- "1.lower";
    };
    node [ shape = octagon, fontsize = 10 ] {
        "5.link2" [ label = "link2" ];
        "5.link1" [ label = "link1" ];
        "5.link0" [ label = "link0" ];
    };
    {
        edge [ weight = 2.0, style = bold ];
        "5" -- "5.link2";
        "5" -- "5.link1";
        "5" -- "5.link0";
    };
    "5.link1" -- "1.upper";
    "5.link0" -- "1.lower";
    node [ shape = octagon, fontsize = 10 ] {
        "9.ether" [ label = "ether" ];
    };
    {
        edge [ weight = 2.0, style = bold ];
        "9" -- "9.ether";
    };
    "9.ether" -- "5.link2";
};
Re: netgraph network setup for jail(8) vnet jails.
Sorry for top-post, but just wanted to add a quick note:

The output of "ngctl dot" would be very helpful to others in debugging your setup.
--
Devin

On May 18, 2013, at 8:38 AM, Joe wrote:

> Hello list
>
> I cant get to the internet using this netgraph setup script.
> I sure would appreciate giving this console log a look over for
> errors. My netgraph knowledge level is not sufficient to see what is
> wrong. The goal is to run this script to setup and break down a netgraph
> network for a single vnet jail at a time. rl0 is the real nic interface
> device name of the nic facing the internet. This box is on my lan and
> the gateway box does NAT for all lan boxes. The host running this script can
> ping the internet ok.
>
> Thank you very much for your help.
>
> The host's kernel has modules with vimage & ipfw compiled in.
>
> From the host
> # /root >ifconfig
> rl0: flags=8843 metric 0 mtu
>     options=2008
>     ether 00:0c:6e:09:8b:74
>     inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
>     nd6 options=29
>     media: Ethernet autoselect (100baseTX )
>     status: active
> plip0: flags=8810 metric 0 mtu 1500
>     nd6 options=29
> ipfw0: flags=8801 metric 0 mtu 65536
>     nd6 options=29
> lo0: flags=8049 metric 0 mtu 16384
>     options=63
>     inet6 ::1 prefixlen 128
>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
>     inet 127.0.0.1 netmask 0xff00
>     nd6 options=21
>
> The jails config file
> # /root >cat /usr/local/etc/vnet/vdir4
> vdir4 {
>     host.hostname = "vdir4";
>     path = "/usr/jails/vdir4";
>     mount.fstab = "/usr/local/etc/fstab/vdir4";
>     vnet;
>     persist;
> }
>
> The netgraph script
> # /root >cat /usr/local/bin/vnet.ng.test
> #!/bin/sh
> # snip comments for displaying here
> # This script is based on this /usr/share/examples/netgraph/virtual.lan
>
> # Give the name of ethernet interface.
> ETHER_INTF="rl0"
>
> # List the names of virtual nodes and their IP addresses. Use ':'
> # character to separate node name from node IP address and netmask.
>
> #TARGET_TOPOLOGY="c1|10.0.2.20/24 c2|10.0.2.21/24 c3|10.0.2.22/24"
> TARGET_TOPOLOGY="vdir4|10.0.2.20/24"
>
> # MAC manufacturer prefix. This can be modified according to needs.
> MAC_PREFIX="00:1d:92"
>
> # Temporary file is important for proper execution of script.
> TEMP_FILE="/var/tmp/virtual.lan.tmp"
>
> virtual_lan_start() {
>
>     # Load netgraph KLD's as necessary.
>
>     for KLD in ng_ether ng_bridge ng_eiface; do
>         if ! kldstat -v | grep -qw ${KLD}; then
>             echo -n "Loading ${KLD}.ko... "
>             kldload ${KLD} || exit 1
>             echo "done"
>         fi
>     done
>
>     # Reset all interfaces and jails. If temporary file can not be found
>     # script assumes that there is no previous configuration.
>
>     if [ ! -e ${TEMP_FILE} ]; then
>         echo "No previous configuration(${TEMP_FILE}) found to clean-up."
>     else
>         echo -n "Cleaning previous configuration..."
>         virtual_lan_stop
>         echo "done"
>     fi
>
>     # Create temporary file for usage. This file includes generated
>     # interface names and jail names. All bridges, interfaces and jails
>     # are written to file while created. In clean-up process written
>     # objects are cleaned (i.e. removed) from system.
>
>     if [ -e ${TEMP_FILE} ]; then
>         touch ${TEMP_FILE}
>     fi
>
>     echo -n "Verifying ethernet interface existence..."
>     # Verify ethernet interface exist.
>     if ! ngctl info ${ETHER_INTF}: >/dev/null 2>&1; then
>         echo "Error: interface ${ETHER_INTF} does not exist"
>         exit 1
>     fi
>
>     ifconfig ${ETHER_INTF} up || exit 1
>     echo "done"
>
>     # Get current number of bridge interfaces in the system. This number
>     # is used to create a name for new bridge.
>     BRIDGE_COUNT=`ngctl l | grep bridge | wc -l | sed -e "s/ //g"`
>     BRIDGE_NAME="bridge${BRIDGE_COUNT}"
>
>     # Create new ng_bridge(4) node and attach it to the ethernet interface.
>     # Connect ng_ether:lower hook to bridge:link0 when creating bridge and
>     # connect ng_ether:upper hook to bridge:link1 after bridge name is set.
>
>     echo "Creating bridge interface: ${BRIDGE_NAME}..."
>     ngctl mkpeer ${ETHER_INTF}: bridge lower link0 || exit 1
>     ngctl name ${ETHER_INTF}:lower ${BRIDGE_NAME} || exit 1
>     ngctl connect ${ETHER_INTF}: ${BRIDGE_NAME}: upper link1 || exit 1
>     echo "Bridge ${BRIDGE_NAME}
netgraph network setup for jail(8) vnet jails.
Hello list

I cant get to the internet using this netgraph setup script. I sure would appreciate giving this console log a look over for errors. My netgraph knowledge level is not sufficient to see what is wrong. The goal is to run this script to setup and break down a netgraph network for a single vnet jail at a time. rl0 is the real nic interface device name of the nic facing the internet. This box is on my lan and the gateway box does NAT for all lan boxes. The host running this script can ping the internet ok.

Thank you very much for your help.

The host's kernel has modules with vimage & ipfw compiled in.

From the host
# /root >ifconfig
rl0: flags=8843 metric 0 mtu
    options=2008
    ether 00:0c:6e:09:8b:74
    inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
    nd6 options=29
    media: Ethernet autoselect (100baseTX )
    status: active
plip0: flags=8810 metric 0 mtu 1500
    nd6 options=29
ipfw0: flags=8801 metric 0 mtu 65536
    nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
    options=63
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
    inet 127.0.0.1 netmask 0xff00
    nd6 options=21

The jails config file
# /root >cat /usr/local/etc/vnet/vdir4
vdir4 {
    host.hostname = "vdir4";
    path = "/usr/jails/vdir4";
    mount.fstab = "/usr/local/etc/fstab/vdir4";
    vnet;
    persist;
}

The netgraph script
# /root >cat /usr/local/bin/vnet.ng.test
#!/bin/sh
# snip comments for displaying here
# This script is based on this /usr/share/examples/netgraph/virtual.lan

# Give the name of ethernet interface.
ETHER_INTF="rl0"

# List the names of virtual nodes and their IP addresses. Use ':'
# character to separate node name from node IP address and netmask.

#TARGET_TOPOLOGY="c1|10.0.2.20/24 c2|10.0.2.21/24 c3|10.0.2.22/24"
TARGET_TOPOLOGY="vdir4|10.0.2.20/24"

# MAC manufacturer prefix. This can be modified according to needs.
MAC_PREFIX="00:1d:92"

# Temporary file is important for proper execution of script.
TEMP_FILE="/var/tmp/virtual.lan.tmp"

virtual_lan_start() {

    # Load netgraph KLD's as necessary.

    for KLD in ng_ether ng_bridge ng_eiface; do
        if ! kldstat -v | grep -qw ${KLD}; then
            echo -n "Loading ${KLD}.ko... "
            kldload ${KLD} || exit 1
            echo "done"
        fi
    done

    # Reset all interfaces and jails. If temporary file can not be found
    # script assumes that there is no previous configuration.

    if [ ! -e ${TEMP_FILE} ]; then
        echo "No previous configuration(${TEMP_FILE}) found to clean-up."
    else
        echo -n "Cleaning previous configuration..."
        virtual_lan_stop
        echo "done"
    fi

    # Create temporary file for usage. This file includes generated
    # interface names and jail names. All bridges, interfaces and jails
    # are written to file while created. In clean-up process written
    # objects are cleaned (i.e. removed) from system.
    # (The posted script tested "-e" here, which only touches a file that
    # already exists; the test is inverted so the file is created when absent.)

    if [ ! -e ${TEMP_FILE} ]; then
        touch ${TEMP_FILE}
    fi

    echo -n "Verifying ethernet interface existence..."
    # Verify ethernet interface exist.
    if ! ngctl info ${ETHER_INTF}: >/dev/null 2>&1; then
        echo "Error: interface ${ETHER_INTF} does not exist"
        exit 1
    fi

    ifconfig ${ETHER_INTF} up || exit 1
    echo "done"

    # Get current number of bridge interfaces in the system. This number
    # is used to create a name for new bridge.
    BRIDGE_COUNT=`ngctl l | grep bridge | wc -l | sed -e "s/ //g"`
    BRIDGE_NAME="bridge${BRIDGE_COUNT}"

    # Create new ng_bridge(4) node and attach it to the ethernet interface.
    # Connect ng_ether:lower hook to bridge:link0 when creating bridge and
    # connect ng_ether:upper hook to bridge:link1 after bridge name is set.

    echo "Creating bridge interface: ${BRIDGE_NAME}..."
    ngctl mkpeer ${ETHER_INTF}: bridge lower link0 || exit 1
    ngctl name ${ETHER_INTF}:lower ${BRIDGE_NAME} || exit 1
    ngctl connect ${ETHER_INTF}: ${BRIDGE_NAME}: upper link1 || exit 1
    echo "Bridge ${BRIDGE_NAME} is created and ${ETHER_INTF} is connected."

    # In the above code block two hooks are connected to bridge interface,
    # therefore LINKNUM is set to 2 indicating total number of connected
    # hooks on the bridge interface.

    LINKNUM=2

    # Write name of the bridge to temp file. Clean-up procedure will use
    # this name to shutdown bridge interface.

    echo "bridge ${BRIDGE_NAME}" > ${TEMP_FILE}

    # Attach vnet jail.

    for NODE in ${TARGET_TOPOLOGY}; do

        # Virtual nodes are defined in TARGET_TOPOLOGY variable. They
        # have the form of 'nodeName|IPaddr'. Below two lines split
        # node definition to get node name and node IP.

        NODE_NAME=`echo ${NODE} | awk -F"|" '{print $1}'`
        NODE_IP=`echo ${NODE} | awk -F"|" '{print $2}
jail(8) vimage epair bridge
Hello questions list

I am using jail(8) trying to get a functional vimage environment on my 9.1-RELEASE system. My PC only has a single real NIC facing the public internet. My goal is to be able to have multiple vimage jails, each with their own epairXa epairXb and bridgeX where the "X" is the jails JID number all having their traffic passing through the single rl0 real interface. The vnet.start script shown below handles this nicely. The problem is after the first vimage jail is started the rl0 interface gets marked as busy when the second vimage jail is started. How do I get all vnet jails to pass through the real rl0 interface?

Thanks for you help

# /root >cat /etc/jail.conf
vimage33 {
    host.hostname = "vimage33";
    path = "/usr/jails/vimage33";
    mount.fstab = "/usr/local/etc/fstab/vimage33";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/vimage33.console.log";
    devfs_ruleset = "4";
    allow.mount.devfs;
    vnet;
    exec.poststart="vnet.start vimage33 rl0";
    exec.prestop="vnet.stop vimage33";
}

# /root >cat /usr/local/bin/vnet.start
#!/bin/sh
jailname=$1
nicname=$2
jid=`jls -j ${jailname} jid`
if [ "${jid}" -gt "100" ]; then
    echo " "
    echo "The JID value is greater then 100."
    echo "You must shutdown the host and reboot"
    echo "to zero out the JID counter and recover"
    echo "the lost memory from stopping vimage jails."
    echo " "
    exit 2
fi
ifconfig bridge${jid} create > /dev/null 2> /dev/null
ifconfig bridge${jid} 10.${jid}.0.1
ifconfig bridge${jid} up
ifconfig epair${jid} create > /dev/null 2> /dev/null
ifconfig bridge${jid} addm ${nicname} addm epair${jid}a
ifconfig epair${jid}a up
ifconfig epair${jid}b vnet ${jid}
jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2
jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null
jexec ${jailname} ifconfig lo0 127.0.0.1

# Display the hosts network view before starting any vnet jails
# /root >ifconfig
rl0: flags=8843 metric 0 mtu
    options=2008
    ether 00:0c:6e:09:8b:74
    inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
    nd6 options=29
    media: Ethernet autoselect (100baseTX )
    status: active
plip0: flags=8810 metric 0 mtu 1500
    nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
    options=63
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    inet 127.0.0.1 netmask 0xff00
    nd6 options=21

# Start the first vnet jail
# /root >jail -f /etc/jail.conf -c vimage33
vimage33: created
bridge1: Ethernet address: 02:8f:94:84:0c:02
epair1a: Ethernet address: 02:c0:a4:00:0b:0a
epair1b: Ethernet address: 02:c0:a4:00:0c:0b

# /root >jls
   JID  IP Address      Hostname                      Path
     1  -               vimage33                      /usr/jails/vimage33

# Lets display the hosts network after the first vnet jail has started
# /root >ifconfig
rl0: flags=8943 metric 0
    options=2008
    ether 00:0c:6e:09:8b:74
    inet 10.0.10.5 netmask 0xfff8 broadcast 10.0.10.7
    nd6 options=29
    media: Ethernet autoselect (100baseTX )
    status: active
plip0: flags=8810 metric 0 mtu 1500
    nd6 options=29
lo0: flags=8049 metric 0 mtu 16384
    options=63
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    inet 127.0.0.1 netmask 0xff00
    nd6 options=21
bridge1: flags=8843 metric 0 mtu
    ether 02:8f:94:84:0c:01
    inet 10.1.0.1 netmask 0xff00 broadcast 10.255.255.255
    nd6 options=21
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: epair1a flags=143
            ifmaxaddr 0 port 9 priority 128 path cost 14183
    member: rl0 flags=143
            ifmaxaddr 0 port 5 priority 128 path cost 20
epair1a: flags=8943
    options=8
    ether 02:c0:a4:00:09:0a
    inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9
    nd6 options=21
    media: Ethernet 10Gbase-T (10Gbase-T )
    status: active

# Login to the vnet jail and display the jails view of the network
# /root >jexec vimage33 tcsh
vimage33 / >ifconfig
lo0: flags=8049 metric 0 mtu 16384
    options=63
    inet 127.0.0.1 netmask 0xff00
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=21
epair1b: flags=8843 metric 0
    options=8
    ether 02:c0:a4:00:0a:0b
    inet 10.1.0.2 netmask 0xff00 broadcast
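The "busy" result comes from if_bridge(4) allowing an interface to be a member of only one bridge: the script above creates bridge${jid} per jail and adds rl0 to each, so the second addm fails. As an added example (not Joe's vnet.start), the functions below plan the host-side commands for a layout where every jail shares one bridge that contains rl0 once; the bridge name, the 10.99.0.0/24 jail subnet and the JID-based addressing are assumptions, and the plan is printed rather than executed so it can be checked on any machine.

```shell
#!/bin/sh
# Added example, not Joe's vnet.start: emit the host-side commands that attach
# a vnet jail when all jails share ONE bridge with the real NIC. if_bridge(4)
# lets an interface belong to a single bridge, so the per-jail
# "ifconfig bridge${jid} addm rl0" in the posted script works for the first
# jail and reports the NIC busy for the next. Here the NIC is added once, when
# the shared bridge is created, and each later jail contributes only its own
# epair. Commands are printed, not run; pipe the output to sh to apply it.

BRIDGE=bridge0          # shared bridge name (assumption)
NET=10.99.0             # shared jail subnet, host side is .1 (assumption)

# plan_vnet_attach JAILNAME JID NIC BRIDGE_EXISTS
# BRIDGE_EXISTS is 0 or 1; on a real host a caller derives it with
# "ifconfig $BRIDGE >/dev/null 2>&1 && echo 1 || echo 0".
plan_vnet_attach() {
    jailname=$1 jid=$2 nic=$3 bridge_exists=$4
    if [ "$bridge_exists" -eq 0 ]; then
        echo "ifconfig $BRIDGE create"
        echo "ifconfig $BRIDGE addm $nic"        # NIC joins a bridge once
        echo "ifconfig $BRIDGE $NET.1/24 up"
    fi
    echo "ifconfig epair${jid} create"
    echo "ifconfig $BRIDGE addm epair${jid}a"
    echo "ifconfig epair${jid}a up"
    echo "ifconfig epair${jid}b vnet $jid"
    # Jail address derived from the JID so two jails never pick the same one.
    echo "jexec $jailname ifconfig epair${jid}b $NET.$((jid + 1))/24"
    echo "jexec $jailname route add default $NET.1"
    echo "jexec $jailname ifconfig lo0 127.0.0.1"
}

# Number of lines in PLAN that add NIC to a bridge; across all jails on a
# host a sane plan contains exactly one.
nic_addm_count() {
    printf '%s\n' "$1" | grep -c "addm $2\$"
}
```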
Re: Debian/kFreeBSD vs linux jail?
On Thu, 04 Apr 2013 19:50:40 -0500 Joshua Isom wrote:

> Considering Debian's ported the "standard Linux userland" to the FreeBSD
> kernel, I'm wondering if it's possible/practical to use Debian inside of
> a jail instead of a Linux CentOS jail, which has been documented. I
> know some applications are linux specific, but are they really linux
> specific or gnu specific? I'm going to retry getting a printer driver
> working with cups that had issues with FreeBSD in the past, but I don't
> know if it's FreeBSD userland or FreeBSD kernel that caused the quirks.
> Has anyone tried using Debian's kFreeBSD userland inside a jail? Is
> it just pointless on a FreeBSD system?

A bit old tutorial (2011) about this topic

http://blog.vx.sk/archives/22-Updated-Tutorial-Debian-GNUkFreeBSD-in-a-FreeBSD-jail.html

---
Eduardo Morras
Re: Debian/kFreeBSD vs linux jail?
Hi!

Joshua Isom writes:

> Considering Debian's ported the "standard Linux userland" to the
> FreeBSD kernel, I'm wondering if it's possible/practical to use Debian
> inside of a jail instead of a Linux CentOS jail, which has been
> documented. I know some applications are linux specific, but are they
> really linux specific or gnu specific? I'm going to retry getting a
> printer driver working with cups that had issues with FreeBSD in the
> past, but I don't know if it's FreeBSD userland or FreeBSD kernel that
> caused the quirks. Has anyone tried using Debian's kFreeBSD userland
> inside a jail? Is it just pointless on a FreeBSD system?

If it is a free software CUPS driver, chances are it is a GNU thing and Debian GNU/kFreeBSD might work for you. For all the proprietary stuff (say flash, acrobat, ..) Debian GNU/kFreeBSD usually is worse off than either GNU/Linux or pure FreeBSD systems (because no commercial vendor ever builds for this platform).

Christoph
Debian/kFreeBSD vs linux jail?
Considering Debian's ported the "standard Linux userland" to the FreeBSD kernel, I'm wondering if it's possible/practical to use Debian inside of a jail instead of a Linux CentOS jail, which has been documented. I know some applications are linux specific, but are they really linux specific or gnu specific? I'm going to retry getting a printer driver working with cups that had issues with FreeBSD in the past, but I don't know if it's FreeBSD userland or FreeBSD kernel that caused the quirks. Has anyone tried using Debian's kFreeBSD userland inside a jail? Is it just pointless on a FreeBSD system?
Re: qjail fork attribution was Handbook Jail Chapter rewrite available for critique (fwd)
On Tue, 2 Apr 2013 01:00:44 -0400, Stephen Cook wrote:
> On 4/1/2013 5:23 AM, Ian Smith wrote:

Actually, I forwarded a message that Joe posted to -jail and -ports. Proper attribution is what this issue's all about. It's been pointed out to me privately that cross-posting is frowned upon in FreeBSD lists and I would usually concur, but this matter started in -questions and I believe that it's an issue of some public importance. So, it was Joe who wrote:

>> One does not have to be a lawyer to know the lack of any license verbiage
>> embedded in computer programs released to the public becomes property of
>> public domain forever. Putting license verbiage on your next port version is
>> unenforceable because it's already property of public domain.

> I don't know enough about the original disagreement to comment on it, but
> this part is completely untrue. IANAL but I can use Google and common sense.
>
> Under the Berne Convention, if there is no notice included with a
> copyrightable work, it defaults to "all rights reserved". Until you receive
> explicit permission, or a permissive license is included, it is assumed that
> you *cannot* legally copy or derive from that work.

This certainly appears to be the consensus view.

> So, if there is no license at all attached to ezjail, as you say, you are
> infringing copyright. Luckily for you, the ezjail web page declares it to be
> licensed as Beer Ware after all.

Hm, let's look at a Beerware licence. There are 106 of them in /usr/src at 8.2-RELEASE; here's an apropos one from /usr/src/usr.sbin/jail/jail.8

.\"
.\" Copyright (c) 2000, 2003 Robert N. M. Watson
.\" Copyright (c) 2008 James Gritton
.\" All rights reserved.
.\" [.. standard two-clause BSD licence and disclaimer, followed by ..]
.\"
.\" "THE BEER-WARE LICENSE" (Revision 42):
.\" wrote this file. As long as you retain this notice you
.\" can do whatever you want with this stuff. If we meet some day, and you think
.\" this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
.\"

"As long as you retain this notice" is the issue, at least in spirit; that is, as long as qjail's original authorship is properly attributed. As far as I can tell, Dirk is (rightfully) insisting only upon that.

> Nothing personal, I just tend to correct people when they make up laws,
> especially after a long enough period where I didn't get to criticize
> anyone's grammar. :-)

Indeed. Feel free to criticise mine, modulo unAmerican spelling :)

cheers, Ian
Re: qjail fork attribution was Handbook Jail Chapter rewrite available for critique (fwd)
On 4/1/2013 5:23 AM, Ian Smith wrote:

> One does not have to be a lawyer to know the lack of any license verbiage
> embedded in computer programs released to the public becomes property of
> public domain forever. Putting license verbiage on your next port version is
> unenforceable because it's already property of public domain.

I don't know enough about the original disagreement to comment on it, but this part is completely untrue. IANAL but I can use Google and common sense.

Under the Berne Convention, if there is no notice included with a copyrightable work, it defaults to "all rights reserved". Until you receive explicit permission, or a permissive license is included, it is assumed that you *cannot* legally copy or derive from that work.

So, if there is no license at all attached to ezjail, as you say, you are infringing copyright. Luckily for you, the ezjail web page declares it to be licensed as Beer Ware after all.

Nothing personal, I just tend to correct people when they make up laws, especially after a long enough period where I didn't get to criticize anyone's grammar. :-)

--
Stephen
Re: qjail fork attribution was Handbook Jail Chapter rewrite available for critique (fwd)
Posted so people following -questions can gather what Joe Barbish is fishing for in the present thread regarding copyright and licensing.

cheers, Ian

-- Forwarded message --
Date: Tue, 26 Mar 2013 12:26:16 -0400
From: Fbsd8
To: Dirk Engling
Cc: po...@freebsd.org, freebsd-j...@freebsd.org
Subject: Re: qjail fork attribution was Handbook Jail Chapter rewrite available for critique

Dirk Engling wrote:
> Dear JoeB,
>
> since you just threatened me via private email to expose my evil plans of preventing your ubercool project from taking FreeBSD by storm, I would like to comment on your views and your project publicly
>
> On 22.03.13 23:12, Fbsd8 wrote:
>
> > On the subject of qjail being a fork of ezjail, of course it is.
>
> So, you've decided to run along with an existing code base to fork a project. Congratulations.
>
> You surely must have had reasons, like including features that the original author told you never to implement. Like you found the project abandoned and no one replied to your requests.
>
> Well, except you did not. I found out about your fork by chance, after someone directed my attention to your constant bragging and nagging. Why, after all, would you ever feel the need to talk to me directly about the fork? After all, what common interests might we possibly share?
>
> So I think the only reason to rip off ezjail's code was to boost your ego with some impressive looking column of shell script you obviously had trouble understanding, which comes as no surprise as you _still_ seem to have trouble grasping even the basic concepts of shell scripting:
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2013-January/248558.html
>
> http://lists.freebsd.org/pipermail/freebsd-questions/2013-January/247723.html
>
> Reading this I find it very disturbing that you try to lure users into using your bumbling hack that pokes in one of the core security features of FreeBSD. To put it more plainly: What you do is dangerous. Stop doing it. You're putting your users at risk.
>
> > British member concluded that the author of ezjail must be British based solely on the spelling of the flavour directory. He also convinced us that his Beerware license was British humor, a joke, and should not be taken seriously. In our review of other jail ports we did not see this
>
> Then tell your "British member" to read up on some contemporary literature, maybe Wikipedia
>
> http://en.wikipedia.org/wiki/Beerware
>
> so he has a chance to understand what connects Beerware and FreeBSD. Do not use your confused team member as pretext to violate the terms of license you obviously found by yourself and chose to ignore.
>
> > file. It was inserted in the front like they have. We thought that was how you make software opensource which was the intention. There are no formal copyright documents; it's just an extrapolation from the FreeBSD comments.
>
> Besides completely failing to see the point what the difference between open source and public domain is, you do not have the slightest idea what a community of people sharing their code as open source is about.
>
> The simple fact that you resort to Windows and IIS to serve your web site should have warned me that you do not actually have any connection to the scene besides your gimme-gimme-gimme attitude.
>
> To make my point clear: Open source software is about attribution. For multiple reasons, most important to me: getting to socialize. Beerware is not so much about getting the actual beer, but to have a chance to sit together and talk with people sharing common interests. Now you rob me of the chance to ever hear from people using my code disguised as yours.
>
> Another reason, of course, is the pride we take in spending nearly ten years on ezjail and we definitely do not like some script kiddie running around adorning himself with plumes plucked from our asses.
>
> > section is not appropriate to include qjail under Freebsd opensource type of license, then we can change the comments to say "totally free to do as you wish as opensource" and leave it at that. If something else is needed, please inform what that is by private email. To continue this subject in public is not appropriate. Please respect our wish in this matter.
>
> No, I will not respect your wishes, as you chose to ignore mine. You are not totally free to do as you wish with the ezjail authors' code and you can not grant those rights to someone else.
>
> Regarding your fork: I can not and I will not prevent forks from happeni
Re: gettext-0.18.1.1_1 fails to build under jail
Paul Macdonald wrote on 28.03.2013 11:46:
> this port upgrades fine on the host system but not under a jail..
>
> FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
> config.status: executing depfiles commands
> sed: 2: " s/^include inclu ...": unterminated substitute pattern
> sed: 1: "s/$(DEPDIR)/.deps .deps/g ": unescaped newline inside substitute pattern

I've been getting this message, also. For quite a while, iirc, in jails and on hosts.

> ./localename.c: In function '_nl_locale_name_thread_unsafe':
> ./localename.c:2607: error: 'locale_t' undeclared (first use in this function)
> ./localename.c:2607: error: (Each undeclared identifier is reported only once
> ./localename.c:2607: error: for each function it appears in.)
> ./localename.c:2607: error: expected ';' before 'thread_locale'
> ./localename.c:2608: error: 'thread_locale' undeclared (first use in this function)
> ./localename.c:2608: error: 'LC_GLOBAL_LOCALE' undeclared (first use in this function)
> *** Error code 1
>
> Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1/gettext-runtime/intl.
> *** Error code 1
>
> Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1/gettext-runtime.
> *** Error code 1
>
> Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1/gettext-runtime.
> *** Error code 1
>
> Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1.
> *** Error code 1
>
> Stop in /basejail/usr/ports/devel/gettext.

I didn't run into this, but seeing that you're also using ezjail, maybe this thread in the FreeBSD forums can provide hints:
http://forums.freebsd.org/showthread.php?t=38558

MfG
CoCo
gettext-0.18.1.1_1 fails to build under jail
this port upgrades fine on the host system but not under a jail..

FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 r...@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

config.status: executing depfiles commands
sed: 2: " s/^include inclu ...": unterminated substitute pattern
sed: 1: "s/$(DEPDIR)/.deps .deps/g ": unescaped newline inside substitute pattern
./localename.c: In function '_nl_locale_name_thread_unsafe':
./localename.c:2607: error: 'locale_t' undeclared (first use in this function)
./localename.c:2607: error: (Each undeclared identifier is reported only once
./localename.c:2607: error: for each function it appears in.)
./localename.c:2607: error: expected ';' before 'thread_locale'
./localename.c:2608: error: 'thread_locale' undeclared (first use in this function)
./localename.c:2608: error: 'LC_GLOBAL_LOCALE' undeclared (first use in this function)
*** Error code 1

Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1/gettext-runtime/intl.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1/gettext-runtime.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1/gettext-runtime.
*** Error code 1

Stop in /var/ports/basejail/usr/ports/devel/gettext/work/gettext-0.18.1.1.
*** Error code 1

Stop in /basejail/usr/ports/devel/gettext.

--
Paul Macdonald
IFDNRG Ltd
Web and video hosting
t: 0131 5548070
m: 07970339546
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
IFDNRG, 40 Maritime Street, Edinburgh EH6 6SA
High Specification Dedicated Servers from £100.00pm
Re: Handbook Jail Chapter rewrite available for critique (fwd)
Joe, your mailer dropped -questions from the ccs on your response. Fixed, Ian

-- Forwarded message --
Date: Fri, 22 Mar 2013 18:12:18 -0400
From: Fbsd8
To: freebsd-j...@freebsd.org
Cc: Ian Smith, Dirk Engling
Subject: Re: Handbook Jail Chapter rewrite available for critique

Ian Smith wrote:
> On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> > On 18.03.13 20:16, s...@tormail.org wrote:
> >
> > > to configure things themselves. In my experience, ezjail is a much better solution. I also see that you are the maintainer/author of qjail and like to shovel your opinion as the only solution, both in this "rewrite" and all over the FreeBSD forums.
> >
> > Taking a look at the qjail code I can not help to notice several odd similarities with the ezjail-admin script, down to the very basic bail out routines. I would not go so far to claim it was just a global search/replace job but to me the code looks familiar enough to find the
> >
> > # Copyright 2010, Qjail project. All rights reserved.
> >
> > offensive. I am usually quite open with the license of my software, beerware is as permissive as it gets. I just can not take some script kiddie right out copying my code verbatim and selling it as his, not even acknowledging me as the original author.
> >
> > Anyone here with suggestions how to properly react to this kind of "fork"?
>
> Yes. Publicity. Making sure the FreeBSD community gets to find out.
>
> You may be polite and un-selfserving enough to not go so far Dirk, but I will. Huge swathes of qjail are direct copies of your code, in most cases only with the names of the variables changed from ezjail_* to qjail_*. I found it cute renaming 'flavour' to the American spelling.
>
> Anyone looking at bin/qjail from qjail-2.1.tbz alongside the latest ezjail-admin (mine downloaded from your cvsweb) cannot fail to notice within the first couple of screens. Sure there are changes, additions and deletions, but to fail to acknowledge the original authorship of this code, and the implication that Joe Barbish (aka 'Qjail project') is its original author is entirely outrageous; not ethical, even if legal.
>
> To that end I'm cross-posting this to -questions, where Mr Barbish has also posted about his proposed "rewrite" of Chapter 16 of the Handbook, which is nothing but a huge and poorly written manual for 'the qjail way', with its peculiar assumptions and unique "jailcell" terminology. "Fourth Generation", no less!
>
> The idea that the "doc gang" would entertain the idea of removing all of the worthy content of the present Chapter 16 - even if it does need some updating - and replace it with this effort is laughable, yet stranger things have happened if there's any disconnect between developers and documenters .. witness the Handbook firewalls section, by Joe Barbish.
>
> cheers, Ian

Boy this simple critique request sure has gotten out of hand. So let's set the record straight.

On the subject of ezjail not being referenced in the document like it is in the current version of the online handbook: that is just a writing content error. The document being critiqued is the first public draft. Pointing out oversights like not including ezjail in that section is the type of constructive feedback that is desired. Any inference it was done on purpose is just crazy.

When it comes to the question of the handbook jail chapter needing updating, a member of the document team has already offered to partner up with me to get it added to the handbook as fast as possible. To me that means the document team is already aware the current handbook jail chapter is outdated and has just been waiting for someone to write an update, which is just what I did. If you people have a beef with that, take it up with the document team not me. If any of you think you can do a better job then NOW is the time to step up or shut up.

On the subject of qjail being a fork of ezjail, of course it is. Qjail was developed by the qjail project team who are a group of FreeBSD users who live around Angeles City, Philippines. Of the seven members 2 are foreigners living in the area, one American and one British. Our British member concluded that the author of ezjail must be British based solely on the spelling of the flavour directory. He also convinced us that his Beerware license was British humor, a joke, and should not be taken seriously. In our review of other jail ports we did not see this Beerware license again or for that matter, see it in any of the 5000+ ports we looked at or use. So the group coincided to the British members v
Re: Handbook Jail Chapter rewrite available for critique
On Fri, Mar 22, 2013 at 9:03 AM, Ian Smith wrote:
> On Thu, 21 Mar 2013 11:21:29 -0400, Alejandro Imass wrote:
> > On Thu, Mar 21, 2013 at 3:35 AM, Ian Smith wrote:
> > > On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
>
> [...]
>
> > mentioned anywhere in this new proposal and why it isn't mentioned in the current handbook either under in section "16.5.2 High-Level Administrative Tools in the FreeBSD Ports Collection". If there is __any__ tool that should be mentioned in the jails chapter it is
>
> [..]
>
> Actually, ezjail has been explicitly mentioned in '16.6 Application of Jails' http://www.freebsd.org/doc/handbook/jails-application.html since revision 30226 by danger, Mon May 28 20:02:46 2007 UTC, which section was just 6 weeks ago updated with a (preceding) similar port reference to qjail: http://svnweb.freebsd.org/doc?view=revision&revision=40900

Never seen it before. First time I read about service jails it wasn't there. Further to my point, doesn't it make more sense to mention them under "16.5.2 High-Level Administrative Tools in the FreeBSD Ports Collection" or in both places?

[...]

> There have been about 20 messages in freebsd-jail@ referring to ezjail this year so far before this thread, as in previous years; try browsing the archives from http://lists.freebsd.org/pipermail/freebsd-jail/

I posted on the wrong list then ;-) Subscribing today, thanks!

--
Alejandro Imass
Re: Handbook Jail Chapter rewrite available for critique
On Thu, 21 Mar 2013 11:21:29 -0400, Alejandro Imass wrote:
> On Thu, Mar 21, 2013 at 3:35 AM, Ian Smith wrote:
> > On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:

[.. also chopping mercilessly ..]

> > > # Copyright 2010, Qjail project. All rights reserved.
> > >
> > > offensive. I am usually quite open with the license of my software, beerware is as permissive as it gets. I just can not take some script kiddie right out copying my code verbatim and selling it as his, not even acknowledging me as the original author.
> > >
> > > Anyone here with suggestions how to properly react to this kind of "fork"?
> >
> > Yes. Publicity. Making sure the FreeBSD community gets to find out.
> >
> > [...]
> >
> > To that end I'm cross-posting this to -questions, where Mr Barbish has also posted about his proposed "rewrite" of Chapter 16 of the Handbook, which is nothing but a huge and poorly written manual for 'the qjail way', with its peculiar assumptions and unique "jailcell" terminology. "Fourth Generation", no less!
>
> +1
>
> Thank you Ian for cross-posting here.
>
> The first thing I did when I got the new chapter for review was search for the word EzJail and I was curious as to why EzJail is not mentioned anywhere in this new proposal and why it isn't mentioned in the current handbook either under in section "16.5.2 High-Level Administrative Tools in the FreeBSD Ports Collection". If there is __any__ tool that should be mentioned in the jails chapter it is EzJail because it's really easy to use and does a damn good job.

Actually, ezjail has been explicitly mentioned in '16.6 Application of Jails' http://www.freebsd.org/doc/handbook/jails-application.html since revision 30226 by danger, Mon May 28 20:02:46 2007 UTC, which section was just 6 weeks ago updated with a (preceding) similar port reference to qjail: http://svnweb.freebsd.org/doc?view=revision&revision=40900

[..]

> NOW some things start to make sense to me, when I posted a problem with EzJail here last year that very few people, if any, knew what I was talking about. And how could they, if it's not mentioned anywhere in the handbook or the jail man page(s).

man pages aren't an appropriate place to recommend particular ports; there are others, and there will be more. The above are mentioned in the handbook page in the context of simpler alternatives to following the more detailed procedures presented to actually teach one how jail technology may be implemented, which - in my view - is the Good Stuff.

There have been about 20 messages in freebsd-jail@ referring to ezjail this year so far before this thread, as in previous years; try browsing the archives from http://lists.freebsd.org/pipermail/freebsd-jail/

OTOH, I've seen no prior posts in jail@ about qjail before this thread.

cheers, Ian
Re: Handbook Jail Chapter rewrite available for critique
On Thu, Mar 21, 2013 at 3:35 AM, Ian Smith wrote:
> On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> > On 18.03.13 20:16, s...@tormail.org wrote:
> >
> > > to configure things themselves. In my experience, ezjail is a much better solution. I also see that you are the maintainer/author of qjail and like to shovel your opinion as the only solution, both in this "rewrite" and all over the FreeBSD forums.
>
> [...]
>
> > # Copyright 2010, Qjail project. All rights reserved.
> >
> > offensive. I am usually quite open with the license of my software, beerware is as permissive as it gets. I just can not take some script kiddie right out copying my code verbatim and selling it as his, not even acknowledging me as the original author.
> >
> > Anyone here with suggestions how to properly react to this kind of "fork"?
>
> Yes. Publicity. Making sure the FreeBSD community gets to find out.
>
> [...]
>
> To that end I'm cross-posting this to -questions, where Mr Barbish has also posted about his proposed "rewrite" of Chapter 16 of the Handbook, which is nothing but a huge and poorly written manual for 'the qjail way', with its peculiar assumptions and unique "jailcell" terminology. "Fourth Generation", no less!

+1

Thank you Ian for cross-posting here.

The first thing I did when I got the new chapter for review was search for the word EzJail and I was curious as to why EzJail is not mentioned anywhere in this new proposal and why it isn't mentioned in the current handbook either under in section "16.5.2 High-Level Administrative Tools in the FreeBSD Ports Collection". If there is __any__ tool that should be mentioned in the jails chapter it is EzJail because it's really easy to use and does a damn good job. We've been using it in production __extensively__ since about 2010 and the one and only issue we've had was probably related to some sort of border-line bug with nullfs which has never happened since.

We currently run half a dozen servers with anywhere from 12 to 24 jails each and we've only had a single isolated incident and it wasn't even related directly to EzJail. We use flavours extensively and constantly derive jails from others and move jails between servers, much like if we were using VMWare; it's that easy, or easier, and works every time.

NOW some things start to make sense to me, when I posted a problem with EzJail here last year that very few people, if any, knew what I was talking about. And how could they, if it's not mentioned anywhere in the handbook or the jail man page(s). In fact, looking back at this thread[1] I can see that a great deal of misunderstanding and unnecessary confusion could have been that the term "EzJail" meant nothing to most people commenting on the thread. When I commented the problem to Dirk he immediately recognized that it could have been a problem with nullfs and so did "jb"[2], who not only immediately thought of nullfs, but actually found some bugs that were very similar to my situation[3], and which is BTW still open AFAICT.

Anyway, the point I'm trying to make is that it seems quite odd that EzJail is not very publicized and I would like to see it prominently mentioned in the handbook and man pages as a great tool for Jail administration.

Thanks,

--
Alejandro Imass

[1] http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240468.html
http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240501.html
http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240551.html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240566.html
http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240569.html
[3] PR#147420 http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/147420
Re: Handbook Jail Chapter rewrite available for critique
On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> On 18.03.13 20:16, s...@tormail.org wrote:
>
> > to configure things themselves. In my experience, ezjail is a much better solution. I also see that you are the maintainer/author of qjail and like to shovel your opinion as the only solution, both in this "rewrite" and all over the FreeBSD forums.
>
> Taking a look at the qjail code I can not help to notice several odd similarities with the ezjail-admin script, down to the very basic bail out routines. I would not go so far to claim it was just a global search/replace job but to me the code looks familiar enough to find the
>
> # Copyright 2010, Qjail project. All rights reserved.
>
> offensive. I am usually quite open with the license of my software, beerware is as permissive as it gets. I just can not take some script kiddie right out copying my code verbatim and selling it as his, not even acknowledging me as the original author.
>
> Anyone here with suggestions how to properly react to this kind of "fork"?

Yes. Publicity. Making sure the FreeBSD community gets to find out.

You may be polite and un-selfserving enough to not go so far Dirk, but I will. Huge swathes of qjail are direct copies of your code, in most cases only with the names of the variables changed from ezjail_* to qjail_*. I found it cute renaming 'flavour' to the American spelling.

Anyone looking at bin/qjail from qjail-2.1.tbz alongside the latest ezjail-admin (mine downloaded from your cvsweb) cannot fail to notice within the first couple of screens. Sure there are changes, additions and deletions, but to fail to acknowledge the original authorship of this code, and the implication that Joe Barbish (aka 'Qjail project') is its original author is entirely outrageous; not ethical, even if legal.

To that end I'm cross-posting this to -questions, where Mr Barbish has also posted about his proposed "rewrite" of Chapter 16 of the Handbook, which is nothing but a huge and poorly written manual for 'the qjail way', with its peculiar assumptions and unique "jailcell" terminology. "Fourth Generation", no less!

The idea that the "doc gang" would entertain the idea of removing all of the worthy content of the present Chapter 16 - even if it does need some updating - and replace it with this effort is laughable, yet stranger things have happened if there's any disconnect between developers and documenters .. witness the Handbook firewalls section, by Joe Barbish.

cheers, Ian
Re: Handbook Jail Chapter rewrite available for critique
Useful doc, great job!

Found a maybe copy/paste mistake in 16.7.1:

> *exec.stop* This is the normal script used to *start* the jail.

should be:

*exec.stop* This is the normal script used to *stop* the jail.

regards,

2013/3/19 Fbsd8
> To all interested parties;
>
> I have completed the final draft of the total rewrite of FreeBSD's handbook Chapter 16 on Jails.
>
> Before submitting my work for submission to the documentation group for insertion in the handbook I am looking for critique of the work to find errors in concept, wrong use of words, or anything to make it better.
>
> All feedback welcomed.
>
> Use this URL to access it http://www.jails.a1poweruser.com/
>
> Thank You.

--
Jov
blog: http://amutu.com/blog
Re: Handbook Jail Chapter rewrite available for critique
On Mon, Mar 18, 2013 at 6:45 PM, Robert Huff wrote:
>
> Isaac (.ike) Levy writes:
>
> > Pretty heavy cross-posting here, could you perhaps rein this in to the freebsd-jail@ list, where it can be discussed in-context? This will help keep the noise down.
>
> It will also keep down the signal from people who use or are interested in jails, but do not (and do not plan to) subscribe to that list.
>
> Respectfully,
>
> Robert Huff

Great! There really was a need to modernize the handbook with regards to jails. Since I'm not a native English speaker I'll leave grammar and spelling for those who are ;)

My first impressions are along the lines: Too many scripts, too few examples/scenarios. Our users are smart, show them what can be accomplished with "high-level" config, leave minutiae to some part of the appendix. Also the exclusion of zfs and vnet is surprising, as those really make jails shine, imo (although jails really need to be thought about the "gray" area vis-a-vis networking in rc-scripts that vnet provides). How about the resource control, which further makes jails really spiffy.

I would have preferred top-level separation of the different methods, ie after the introduction there was one "track" manual, one for old-school rc-, one for new-school rc- and one for jail.conf-style jails.

More specifically I agree with Isaac Levy, especially in regards to the "jail cell" terminology:

"16.1 Synopsis": the term jail cell is used, long before being defined.

"16.2 Introduction": Mentioning jail cells in a historic context is imho a "blatant" lie (they were never known as such). As far as I know, no official documentation has called them cells, either. That does not mean that it's not an appropriate term, though. As a contrast there is Solaris vocabulary of zones ("cells") and global zone ("jail system"). In this regard I prefer the solaris one.

Most importantly, a large chunk of 16.2 would imo fit much better as a "history"-appendix. Current and new users don't need to know and consider the limitations of earlier implementations. The "generations" talked about could perhaps be quantified with a release version :)

There are, as stated by Isaac Levy, many (good) utils for managing jails. Why the focus on qjail?

I also think that most of the strong points of jails are rendered moot without, in order, zfs and vimage. Linux jails might also interest quite a few people.

Best regards
Andreas
Re: Handbook Jail Chapter rewrite available for critique
Isaac (.ike) Levy writes:

> Pretty heavy cross-posting here, could you perhaps rein this in to the freebsd-jail@ list, where it can be discussed in-context? This will help keep the noise down.

It will also keep down the signal from people who use or are interested in jails, but do not (and do not plan to) subscribe to that list.

Respectfully,

Robert Huff
Re: Handbook Jail Chapter rewrite available for critique
Pretty heavy cross-posting here, could you perhaps rein this in to the freebsd-jail@ list, where it can be discussed in-context? This will help keep the noise down.

On Mar 18, 2013, at 12:57 PM, Fbsd8 wrote:
> To all interested parties;
>
> I have completed the final draft of the total rewrite of FreeBSD's handbook Chapter 16 on Jails.
>
> Before submitting my work for submission to the documentation group for insertion in the handbook I am looking for critique of the work to find errors in concept, wrong use of words, or anything to make it better.
>
> All feedback welcomed.
>
> Use this URL to access it http://www.jails.a1poweruser.com/
>
> Thank You.

Wow, overall that's really quite cool.

- Do you have a rough timeframe for when you want feedback? (I would like to give this the time it deserves).

--
Feedback right off the bat, (please tell me if I'm off track here):

- After a short skim, I do not believe the qjail utilities referenced are appropriate for the FreeBSD handbook. There are many 3rd party approaches to handling/managing jails, some of them with quite long histories and loyal user bases; it is impractical and not appropriate to try to cover any/all of them here.

- The "Jail Cell" vocabulary is a serious departure and may create some confusion. I'll read thoroughly to get your context right. In what I understand to be the majority of uses, it's confusing to think of the hardware host as the 'jail' and the jailed instance as the 'cell'.

- The references and history cite some works, but do not cite the original (and possibly most important) document on jailing, http://docs.freebsd.org/44doc/papers/jail/jail.ps.gz

- There are a number of common lexical errors right off the bat, (There instead of Their), etc…

--
I look forward to reading this on my subway commute this week.

Best,
.ike
Handbook Jail Chapter rewrite available for critique
To all interested parties;

I have completed the final draft of the total rewrite of FreeBSD's handbook Chapter 16 on Jails.

Before submitting my work for submission to the documentation group for insertion in the handbook I am looking for critique of the work to find errors in concept, wrong use of words, or anything to make it better.

All feedback welcomed.

Use this URL to access it http://www.jails.a1poweruser.com/

Thank You.
Re: Limiting jail CPU & memory resources
Mark Felder wrote:
> On Fri, 01 Mar 2013 09:52:41 -0600, wrote:
>
> > Read that already and it left me with more questions than answers. It's experimental and has to be compiled into the kernel. Need solutions that are provided as part of the base system. Such as a loadable kernel module. Can not be risking the security of production jails on some experimental software.
>
> Unfortunately there's nothing else available yet. You'd be better off using full-fledged hypervisors like Xen, KVM, or ESXi. I'm also anxiously awaiting some improvement in this area.

What do you think about the new jail.conf parameter cpuset.id from jail(8)? Seems to me it's a way to dedicate one or more CPUs to a single jail for increased jail performance. Really the opposite of limiting cpu resources to a jail.
RE: Jail question
On Fri, 01 Mar 2013, Bernt Hansson wrote:
> On 2013-02-27 11:19, Bernt Hansson wrote:
> > 2013-02-26 15:18, Teske, Devin skrev:
> > > Yes, this is possible.
> > >
> > > When I get into work, I'll share with you the recipe
> >
> > Please do share with us.
>
> Ok I rephrase my question. How do I install freebsd 4.9 in a jail on 8.3 amd64.

Step 1. Download the following files/directories...

bin/ catpages/ cdrom.inf compat1x/ compat22/ compat3x/ compat4x/ crypto/ dict/ doc/ games/ info/ manpages/ proflibs/

from: ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/4.9-RELEASE/

NOTE: For example, download those files/directories to /usr/repos/FreeBSD-4.9/4.9-RELEASE

Step 2. Download my "jail_build" script from: http://druidbsd.sourceforge.net/download.shtml#jail_build

Step 3: Run jail_build

NOTE: If you put your downloaded files in /usr/repos/FreeBSD-4.9/4.9-RELEASE then jail_build will automatically find them and present 4.9 as an option. After selecting FreeBSD-4.9, it will then prompt you to enter the root directory where to unpack the jail to. When jail_build completes, you'll have a freshly unpacked FreeBSD-4.9 in the desired root directory.

Step 4: Grab and install my vimage package: http://druidbsd.sourceforge.net/download.shtml#vimage
About: http://druidbsd.sourceforge.net/vimage.shtml

Step 5: Configure your vimage in /etc/rc.conf (see /etc/rc.conf.d/vimage for a sample). Example:

vimage_enable="YES"
vimage_list="fbsd4_9"
vimage_fbsd4_9_rootdir="/usr/jails/fbsd4_9"
vimage_fbsd4_9_hostname="fbsd4_9"
vimage_fbsd4_9_bridges="bge0"
vimage_fbsd4_9_devfs_enable="YES"
vimage_fbsd4_9_procfs_enable="YES"

Step 6: [Pre-]configure the network interface for the vimage. Example:

chroot /usr/jails/fbsd4_9 vi /etc/rc.conf

NOTE: Since the vimage (aka vnet jail) isn't running yet, we use chroot instead of jexec. (Also note that the chroot is only for pedantic safety ... it prevents things such as "what if /etc/rc.conf is a symlink to /etc/rc.conf.other" -- without the chroot you'd accidentally edit the host machine's /etc/rc.conf.other).

Add the following:

ifconfig_ng0_fbsd4_9="inet 192.168.1.123 netmask 255.255.255.0"
defaultrouter="192.168.1.1" # or whatever fits your network
# Don't forget /etc/resolv.conf
# Don't forget to set sshd_enable="YES" in rc.conf(5) if you want to be able to ssh into the vimage

Step 7: Fix some binaries in the 4.9 distribution to work under the 8.3 kernel... Download my "update411binaries.sh" script (should work fine for 4.9 jails too) from... http://druidbsd.sf.net/download/update411binares.sh

Step 8: Run update411binares.sh with a first argument of (for example) /usr/jails/fbsd4_9

Step 9: Fire up the vimage

service vimage start fbsd4_9

Step 10: Check things out...

jls
ssh 192.168.1.123
jexec fbsd4_9 csh
etc. etc.

--
HTH
Devin

The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
Re: Limiting jail CPU & memory resources
On Fri, 01 Mar 2013 09:52:41 -0600, wrote:
> Read that already and it left me with more questions than answers. It's experimental and has to be compiled into the kernel. Need solutions that are provided as part of the base system, such as a loadable kernel module. Cannot be risking the security of production jails on some experimental software.

Unfortunately there's nothing else available yet. You'd be better off using full-fledged hypervisors like Xen, KVM, or ESXi. I'm also anxiously awaiting some improvement in this area.
Re: Limiting jail CPU & memory resources
Mark Felder wrote:
> On Fri, 01 Mar 2013 08:38:05 -0600, wrote:
> > Is there anything in 9.1 to limit jail CPU & memory resources?
>
> https://wiki.freebsd.org/Hierarchical_Resource_Limits

Read that already and it left me with more questions than answers. It's experimental and has to be compiled into the kernel. Need solutions that are provided as part of the base system, such as a loadable kernel module. Cannot be risking the security of production jails on some experimental software.
Re: Limiting jail CPU & memory resources
On Fri, 01 Mar 2013 08:38:05 -0600, wrote:
> Is there anything in 9.1 to limit jail CPU & memory resources?

https://wiki.freebsd.org/Hierarchical_Resource_Limits
Limiting jail CPU & memory resources
Is there anything in 9.1 to limit jail CPU & memory resources?
RE: Jail question
Got it... (script inline below)

The first (and only) argument is to be a path to a 4.11 jail's root directory. For example, if you take a FreeBSD-4 box and rsync it to "/usr/jails/myold4box" on a FreeBSD-8 machine, you should then execute:

  update411binaries.sh /usr/jails/myold4box

Then just configure the jail and fire it up. Of course, these are vnet jails. Further instructions on http://druidbsd.sf.net/vimage.shtml with my vimage package here: http://druidbsd.sf.net/download.shtml#vimage

===
#!/bin/sh
# Copy the host's (FreeBSD-8) binaries and the shared libraries they need
# into a 4.x jail root so that ps, ifconfig, route, top and netstat work
# under the newer kernel. Must be run as root on the host.
if [ "$( id -u )" != "0" ]; then
    echo "Must run as root!" >&2
    exit 1
fi
if [ $# -lt 1 ]; then
    echo "Usage: $0 directory" >&2
    exit 1
fi
dir="$1"
if [ ! -d "$dir" ]; then
    echo "$dir: No such file or directory" >&2
    exit 1
fi
# Directories that may not exist in a 4.x tree (the rest already do)
mkdir -p "$dir/libexec" "$dir/lib" "$dir/usr/lib"
for file in \
    /bin/ps \
    /libexec/ld-elf.so.1 \
    /lib/libm.so.5 \
    /lib/libkvm.so.5 \
    /lib/libc.so.7 \
    /sbin/ifconfig \
    /lib/libbsdxml.so.4 \
    /lib/libjail.so.1 \
    /lib/libsbuf.so.5 \
    /lib/libipx.so.5 \
    /sbin/route \
    /usr/bin/top \
    /lib/libncurses.so.8 \
    /usr/bin/netstat \
    /usr/lib/libmemstat.so.3 \
    /lib/libutil.so.8 \
    /usr/lib/libnetgraph.so.4 \
; do
    # -p keeps mode/owner/times, -f replaces the jail's old copy
    cp -pfv "$file" "$dir$file"
done

> -----Original Message-----
> From: Bernt Hansson [mailto:b...@bananmonarki.se]
> Sent: Wednesday, February 27, 2013 2:19 AM
> To: Teske, Devin
> Cc: questions FreeBSD
> Subject: Re: Jail question
>
> 2013-02-26 15:18, Teske, Devin skrev:
> > Yes, this is possible.
> >
> > When I get into work, I'll share with you the recipe
>
> Please do share with us.
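The recipe's Steps 7 and 8 and the update411binaries.sh script above both copy host binaries (ld-elf.so.1, libc.so.7, ps, ifconfig and so on) into the old jail, and the jail then silently keeps those copies across later host upgrades. The following check, an added example that is not part of Devin Teske's script or package, compares each listed file in the jail against the host's copy and reports stale or missing ones. The function names, the HOSTROOT parameter and the constructed demo trees are this example's own assumptions; on a real host HOSTROOT is the empty string.

```shell
#!/bin/sh
# Added example, not part of Devin Teske's update411binaries.sh: after host
# binaries and libraries have been copied into an old jail, verify that each
# copy in the jail still matches the host's file. A host upgrade leaves the
# jail with stale copies of libc, ld-elf.so.1 and friends, which this reports.

# check_jail_copies HOSTROOT JAILROOT FILE...
# HOSTROOT is "" for the running host (paths are absolute, e.g. /bin/ps);
# it is a parameter so the check can also be run against a staged tree.
# Prints OK / STALE / MISSING per file; returns 0 only if every file is OK.
check_jail_copies() {
    hostroot="$1"; jailroot="$2"; shift 2
    rc=0
    for file in "$@"; do
        if [ ! -e "$jailroot$file" ]; then
            echo "MISSING $jailroot$file"
            rc=1
        elif ! cmp -s "$hostroot$file" "$jailroot$file"; then
            echo "STALE $jailroot$file differs from $hostroot$file"
            rc=1
        else
            echo "OK $jailroot$file"
        fi
    done
    return $rc
}

# make_demo_trees builds a constructed host tree and jail tree under a
# temporary directory (one identical copy, one stale copy, one file never
# copied) and prints the directory name. The file contents are placeholders.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/host/bin" "$base/host/lib" "$base/host/sbin" \
             "$base/jail/bin" "$base/jail/lib"
    printf 'ps build 2\n'    > "$base/host/bin/ps"
    printf 'ps build 2\n'    > "$base/jail/bin/ps"        # identical copy
    printf 'libc build 2\n'  > "$base/host/lib/libc.so.7"
    printf 'libc build 1\n'  > "$base/jail/lib/libc.so.7" # stale copy
    printf 'route build 2\n' > "$base/host/sbin/route"    # never copied
    echo "$base"
}

# Stand-alone demonstration on the constructed trees. On a real host run e.g.
#   check_jail_copies "" /usr/jails/fbsd4_9 /bin/ps /libexec/ld-elf.so.1 /lib/libc.so.7
if [ "${1:-}" = "--demo" ]; then
    base=$(make_demo_trees)
    check_jail_copies "$base/host" "$base/jail" /bin/ps /lib/libc.so.7 /sbin/route
    rm -rf "$base"
fi
```

Feeding it the same file list the script uses gives a one-line-per-file verdict, and a non-zero exit status is what a cron job or a post-upgrade hook would act on.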
Re: Jail question
2013-02-26 15:18, Teske, Devin skrev:
> Yes, this is possible.
>
> When I get into work, I'll share with you the recipe

Please do share with us.
Re: Jail question
Bernt Hansson wrote:
> I would like to install an old version of freebsd let's say 4.6 in a jail. Is that possible. Host is 8.3-stable amd64

Things like ps won't run, but you can copy static binaries from host:/rescue to jail:/{bin,sbin} as appropriate and that helps a lot.

I just installed a 5.4-RELEASE/i386 jail on a 9.1-STABLE/amd64 system. Mysqld would not run (dumped core), so I relocated that to a separate jail running 9.1-STABLE/amd64.

One gotcha I found is that while you can run an old i386 system in a jail on an amd64 host, you can't build an amd64 kernel with COMPAT_AOUT, so if you have an a.out binary from days of old, you need an i386 kernel.

Devin Teske wrote:
> Yes, this is possible.
>
> When I get into work, I'll share with you the recipe (I have a script called "update4.sh" which I run after building [or rsync'ing] a 4.x box to an 8.x box to become a vimage; note that I didn't say "jail" -- 4.x runs better as a VNET jail than a regular jail).
>
> We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas vnet-jail works wonders (with a couple binaries replaced, like netstat, ifconfig, ps, and top for example).

Devin, Please share your script with us all (especially me :-) )

Thanks,
Danny
RE: Jail question
Yes, this is possible.

When I get into work, I'll share with you the recipe (I have a script called "update4.sh" which I run after building [or rsync'ing] a 4.x box to an 8.x box to become a vimage; note that I didn't say "jail" -- 4.x runs better as a VNET jail than a regular jail).

We've not had much luck in running 4.x as a non-vnet jail under 8.x whereas vnet-jail works wonders (with a couple binaries replaced, like netstat, ifconfig, ps, and top for example).

--
Devin

From: owner-freebsd-questi...@freebsd.org [owner-freebsd-questi...@freebsd.org] on behalf of Bernt Hansson [b...@bananmonarki.se]
Sent: Tuesday, February 26, 2013 5:23 AM
To: questions FreeBSD
Subject: Jail question

Hello list!

I would like to install an old version of freebsd let's say 4.6 in a jail. Is that possible. Host is 8.3-stable amd64
Jail question
Hello list!

I would like to install an old version of freebsd let's say 4.6 in a jail. Is that possible. Host is 8.3-stable amd64
RE: jail and networking
On Thu, 21 Feb 2013, Shane Ambler wrote:
> On 22/02/2013 05:52, Devin Teske wrote:
> > What I find strange is that:
> >
> > 1. I knew about ListenAddress w/respect to jails, but...
> >
> > 2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
> >
> > 3. Base machine and jails both work fine
> >
> > Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails.
> >
> > The only thing I've ever noticed is that we tend to use jail_NAME_ip="iface|addr" while most everybody else seems to be using jail_NAME_ip="addr".
> >
> > We may need to expand out from that.
>
> I use jail_NAME_ip="addr" but also
>
> ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
> route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
> static_routes="jaillan0"
>
> Don't recall where I got that from but think it was an easy way to alias a number of ip's whereas ifconfig__alias0 sets one ip at a time and is also deprecated.
>
> If you use jail_NAME_ip="iface|addr" does this mean you don't have ip addresses aliased to the iface on startup and they get aliased as the jail starts? That would be why sshd isn't bound to the address before.

Correct, and this was my leading theory.

> man rc.conf for jail__ip says "... Additionally each address can be prefixed by the name of an interface followed by a pipe to overwrite" does that mean it clears the ip from the base system and re-creates it for the jail?

Dunno -- I first learned about "iface|addr" from reading the code. It did what I wanted _and_ improved the clarity/readability of rc.conf(5) in the case of multiple jails utilizing separate interfaces on similar subnets. Thus, it was embraced.

> I also see jail__interface "...When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown."

Never used that setting before.

> Which is what sounds like the solution to not have ip's available when sshd starts so it isn't bound to them.

Right-o.

> Also what sys version were these options added?

I would guess 8.x as we're using iface|addr in 8.1 (as previously mentioned, not using jail__interface -- dunno about that one).

The following URLs might be of assistance in tracking down the origins of various options:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail
http://svnweb.freebsd.org/base/head/etc/rc.d/jail

--
Devin
Re: jail and networking
On 22/02/2013 05:52, Devin Teske wrote:
> What I find strange is that:
>
> 1. I knew about ListenAddress w/respect to jails, but...
>
> 2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
>
> 3. Base machine and jails both work fine
>
> Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails.
>
> The only thing I've ever noticed is that we tend to use jail_NAME_ip="iface|addr" while most everybody else seems to be using jail_NAME_ip="addr".
>
> We may need to expand out from that.

I use jail_NAME_ip="addr" but also

ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
static_routes="jaillan0"

Don't recall where I got that from but think it was an easy way to alias a number of ip's whereas ifconfig__alias0 sets one ip at a time and is also deprecated.

If you use jail_NAME_ip="iface|addr" does this mean you don't have ip addresses aliased to the iface on startup and they get aliased as the jail starts? That would be why sshd isn't bound to the address before.

man rc.conf for jail__ip says "... Additionally each address can be prefixed by the name of an interface followed by a pipe to overwrite" does that mean it clears the ip from the base system and re-creates it for the jail?

I also see jail__interface "...When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown."

Which is what sounds like the solution to not have ip's available when sshd starts so it isn't bound to them.

Also what sys version were these options added?
RE: jail and networking
> -----Original Message-----
> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of d...@safeport.com
> Sent: Thursday, February 21, 2013 11:00 AM
> To: Shane Ambler
> Cc: freebsd-questions@freebsd.org; Bernt Hansson
> Subject: Re: jail and networking
>
> On Thu, 21 Feb 2013, Shane Ambler wrote:
>
> > It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config
> >
> > When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.
> >
> > In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and ListenAddress :: then add ListenAddress 10.0.0.3
> >
> > service sshd restart
> >
> > start your jail and try again
> >
> > The jail config is fine as the jail only sees the one ip address assigned to it.
>
> This is what fixed the problem. From the jail man page, "... The following frequently deployed services must have their individual configuration files modified to limit the application to listening to a specific IP address ...". It then specifically mentions ssh and sendmail.
>
> The system I looked at runs seven jails fine without my having made that change. I am not sure why I am getting away with this, but I also thank you

What I find strange is that:

1. I knew about ListenAddress w/respect to jails, but...

2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...

3. Base machine and jails both work fine

Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails.

The only thing I've ever noticed is that we tend to use jail_NAME_ip="iface|addr" while most everybody else seems to be using jail_NAME_ip="addr".

--
Devin
Re: jail and networking
On Thu, 21 Feb 2013, Shane Ambler wrote:
> It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config
>
> When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.
>
> In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and ListenAddress :: then add ListenAddress 10.0.0.3
>
> service sshd restart
>
> start your jail and try again
>
> The jail config is fine as the jail only sees the one ip address assigned to it.

This is what fixed the problem. From the jail man page, "... The following frequently deployed services must have their individual configuration files modified to limit the application to listening to a specific IP address ...". It then specifically mentions ssh and sendmail.

The system I looked at runs seven jails fine without my having made that change. I am not sure why I am getting away with this, but I also thank you
Re: jail and networking
It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config

When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.

In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and ListenAddress :: then add ListenAddress 10.0.0.3

service sshd restart

start your jail and try again

The jail config is fine as the jail only sees the one ip address assigned to it.
Re: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:
> 2013-02-20 22:17, doug skrev:
> > On Wed, 20 Feb 2013, Jeff Tipton wrote:
> > > On 02/20/2013 20:59, Teske, Devin wrote:
> > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > > > Hello list!
> > > > > > > > >
> > > > > > > > > I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
> > > > > > > > >
> > > > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > > > Host key verification failed.
> > > > > > > > >
> > > > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > > > >
> > > > > > > > > I'm sure you want more info so just tell me what info.
> > > > > > > >
> > > > > > > > Commonly the problem is that you are "jexec'd" into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via "jexec" but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?
> > > > > > >
> > > > > > > If you mean this sshd
> > > > > > >
> > > > > > >   IsJ 0:00,00 /usr/sbin/sshd
> > > > > > >
> > > > > > > Then no.
> > > > > > >
> > > > > > > %ssh 10.0.0.10
> > > > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > > > >
> > > > > > > I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
> > > > > > >
> > > > > > > testbox# jexec 1 tcsh
> > > > > > > jexec: jail_attach(1): Invalid argument
> > > > > > >
> > > > > > > Sooo... I'm kind of out of ideas.
> > > > > >
> > > > > > What does "jls" command say? If you have restarted your jail, its ID most likely has changed.
> > > > >
> > > > > The ID did change, didn't know about that, thank you. But still, sshd isn't running in the jail
> > > > >
> > > > > 32bit# ps ax
> > > > > PID TT STAT TIME COMMAND
> > > > > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > > > > 2464 0 SJ 0:00,01 tcsh
> > > > > 2482 0 R+J 0:00,00 ps ax
> > > > >
> > > > > testbox# ps ax | grep J
> > > > > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > > > > 2488 0 S+ 0:00,00 grep J
> > > > >
> > > > > testbox is the host.
> >
> > Or from the host: sockstat | grep :22. You should see something like
> >
> > root sshd 2016 3 tcp4 192.168.17.15:22 *:*
> >
> > for each jail
>
> testbox# sockstat | grep :22
> bernt sshd 3541 3 tcp4 10.0.0.3:22 80.x.x.x:25605
> root sshd 3539 3 tcp4 10.0.0.3:22 80.x.x.x:25605
> root sshd 1296 3 tcp6 *:22 *:*
> root sshd 1296 4 tcp4 *:22 *:*
>
> The jail has ip 10.0.0.10. There is only one jail.

I could not see anything you are doing wrong, so here are the relevant parts of a host/jail we use for testing. I got all this by following the jail man page and/or hacking things that are working. I hope this helps. This is all on an 8.2 system.

Host config rc.conf -

hostname="bcr.boltsys.com"
ifconfig_em0="DHCP"
sshd_enable="YES"
:
#jail base settings
inetd_flags="-wW -a 10.1.10.110"
rpcbind_enable="NO"

# Jail general settings
ifconfig_em0_alias0="inet 10.1.10.111 netmask 255.255.255.255"
jail_set_hostname_allow="NO"
jail_enable="YES"
jail_interface="em0"
jail_devfs_enable="YES"
jail_procfs_enable="YES"
jail_list="webmail"
jail_webmail_rootdir="/usr/home/webmail"
jail_webmail_hostname="webmail.boltsys.com"
jail_webmail_ip="10.1.10.111"

ifconfig (host)

inet 10.1.10.111 netmask 0x broadcast 10.1.10.111
inet 10.1.10.110 netmask 0xff00 broadcast 10.1.10.255

Jail config rc.conf -

network_interfaces=""
hostname="webmail.boltsys.com"
sshd_enable="YES"
sendmail_enable="NO"
sendmail_outbound_enable="YES"
inetd_flags="-wW -a 10.1.10.111"
inetd_enable="NO"
rpcbind_enable="NO"

_
Douglas Denault
http://www.safeport.com
d...@safeport.com
Voice: 301-217-9220
Fax: 301-217-9277
Re: jail and networking
2013-02-20 22:17, doug skrev:
> On Wed, 20 Feb 2013, Jeff Tipton wrote:
> > On 02/20/2013 20:59, Teske, Devin wrote:
> > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > > Hello list!
> > > > > > > >
> > > > > > > > I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
> > > > > > > >
> > > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > > Host key verification failed.
> > > > > > > >
> > > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > > >
> > > > > > > > I'm sure you want more info so just tell me what info.
> > > > > > >
> > > > > > > Commonly the problem is that you are "jexec'd" into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via "jexec" but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?
> > > > > >
> > > > > > If you mean this sshd
> > > > > >
> > > > > >   IsJ 0:00,00 /usr/sbin/sshd
> > > > > >
> > > > > > Then no.
> > > > > >
> > > > > > %ssh 10.0.0.10
> > > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > > >
> > > > > > I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
> > > > > >
> > > > > > testbox# jexec 1 tcsh
> > > > > > jexec: jail_attach(1): Invalid argument
> > > > > >
> > > > > > Sooo... I'm kind of out of ideas.
> > > > >
> > > > > What does "jls" command say? If you have restarted your jail, its ID most likely has changed.
> > > >
> > > > The ID did change, didn't know about that, thank you. But still, sshd isn't running in the jail
> > > >
> > > > 32bit# ps ax
> > > > PID TT STAT TIME COMMAND
> > > > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > > > 2464 0 SJ 0:00,01 tcsh
> > > > 2482 0 R+J 0:00,00 ps ax
> > > >
> > > > testbox# ps ax | grep J
> > > > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > > > 2488 0 S+ 0:00,00 grep J
> > > >
> > > > testbox is the host.
>
> Or from the host: sockstat | grep :22. You should see something like
>
> root sshd 2016 3 tcp4 192.168.17.15:22 *:*
>
> for each jail

testbox# sockstat | grep :22
bernt sshd 3541 3 tcp4 10.0.0.3:22 80.x.x.x:25605
root sshd 3539 3 tcp4 10.0.0.3:22 80.x.x.x:25605
root sshd 1296 3 tcp6 *:22 *:*
root sshd 1296 4 tcp4 *:22 *:*

The jail has ip 10.0.0.10. There is only one jail.
Re: jail and networking
2013-02-20 20:10, Jeff Tipton skrev:
> On 02/20/2013 20:59, Teske, Devin wrote:
> > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > Hello list!
> > > > > > >
> > > > > > > I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
> > > > > > >
> > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > Host key verification failed.
> > > > > > >
> > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > >
> > > > > > > I'm sure you want more info so just tell me what info.
> > > > > >
> > > > > > Commonly the problem is that you are "jexec'd" into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via "jexec" but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?
> > > > >
> > > > > If you mean this sshd
> > > > >
> > > > >   IsJ 0:00,00 /usr/sbin/sshd
> > > > >
> > > > > Then no.
> > > > >
> > > > > %ssh 10.0.0.10
> > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > >
> > > > > I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
> > > > >
> > > > > testbox# jexec 1 tcsh
> > > > > jexec: jail_attach(1): Invalid argument
> > > > >
> > > > > Sooo... I'm kind of out of ideas.
> > > >
> > > > What does "jls" command say? If you have restarted your jail, its ID most likely has changed.
> > >
> > > The ID did change, didn't know about that, thank you. But still, sshd isn't running in the jail
> > >
> > > 32bit# ps ax
> > > PID TT STAT TIME COMMAND
> > > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > > 2464 0 SJ 0:00,01 tcsh
> > > 2482 0 R+J 0:00,00 ps ax
> > >
> > > testbox# ps ax | grep J
> > > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > > 2488 0 S+ 0:00,00 grep J
> > >
> > > testbox is the host.
> >
> > A stab in the dark, but...
> >
> > Did you add sshd_enable="YES" to the jail's rc.conf(5)?
>
> Or, from within the jail, what does service sshd status say?

32bit# service sshd status
sshd is not running.
Re: jail and networking
2013-02-20 19:59, Teske, Devin skrev:
> On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > Hello list!
> > > > > >
> > > > > > I don't seem to get net working in a test jail. These I've tried; ftp, fetch, telnet. They time out. Ssh sort of works.
> > > > > >
> > > > > > 32bit# ssh 10.0.0.3
> > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > Host key verification failed.
> > > > > >
> > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > >
> > > > > > I'm sure you want more info so just tell me what info.
> > > > >
> > > > > Commonly the problem is that you are "jexec'd" into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via "jexec" but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course). Does that seem to be the case in your situation?
> > > >
> > > > If you mean this sshd
> > > >
> > > >   IsJ 0:00,00 /usr/sbin/sshd
> > > >
> > > > Then no.
> > > >
> > > > %ssh 10.0.0.10
> > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > >
> > > > I did have an alias on the host to the jail's ip. Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
> > > >
> > > > testbox# jexec 1 tcsh
> > > > jexec: jail_attach(1): Invalid argument
> > > >
> > > > Sooo... I'm kind of out of ideas.
> > >
> > > What does "jls" command say? If you have restarted your jail, its ID most likely has changed.
> >
> > The ID did change, didn't know about that, thank you. But still, sshd isn't running in the jail
> >
> > 32bit# ps ax
> > PID TT STAT TIME COMMAND
> > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > 2464 0 SJ 0:00,01 tcsh
> > 2482 0 R+J 0:00,00 ps ax
> >
> > testbox# ps ax | grep J
> > 2385 ?? IsJ 0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > 2391 ?? SsJ 0:00,00 /usr/sbin/cron -s
> > 2488 0 S+ 0:00,00 grep J
> >
> > testbox is the host.
>
> A stab in the dark, but...
>
> Did you add sshd_enable="YES" to the jail's rc.conf(5)?

Yes, yes I did.

rc.conf from the jail

#ifconfig_xl0="DHCP"
#defaultrouter="10.0.0.3"
sendmail_enable="NO"
#inetd_enable="NO"
sshd_enable="YES"
#ntpdate_enable="YES"
#ntpdate_flags="time1.stupi.se"

# -- sysinstall generated deltas -- # Mon Jan 21 01:22:37 2013
keymap="swedish.iso"
Re: jail and networking
On Wed, 20 Feb 2013, Jeff Tipton wrote:

> On 02/20/2013 20:59, Teske, Devin wrote:
>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>>> On 2013-02-20 19:07, Jeff Tipton wrote:
>>>> On 02/20/2013 19:42, Bernt Hansson wrote:
>>>>> On 2013-02-20 17:23, Teske, Devin wrote:
>>>>>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>>>>>>> Hello list!
>>>>>>>
>>>>>>> I don't seem to get net working in a test jail.
>>>>>>>
>>>>>>> These I've tried:
>>>>>>>
>>>>>>> ftp, fetch, telnet
>>>>>>>
>>>>>>> They time out.
>>>>>>>
>>>>>>> Ssh sort of works.
>>>>>>>
>>>>>>> 32bit# ssh 10.0.0.3
>>>>>>> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
>>>>>>> Host key verification failed.
>>>>>>>
>>>>>>> jail is 8.3-STABLE i386 GENERIC
>>>>>>>
>>>>>>> host is FreeBSD 8.3-STABLE amd64 GENERIC
>>>>>>>
>>>>>>> I'm sure you want more info so just tell me what info.
>>>>>>
>>>>>> Commonly the problem is that you are "jexec'd" into the jail and I
>>>>>> find that tools like ssh, ftp, telnet, etc. don't work when you're in
>>>>>> the jail via "jexec" but instead what works way better is if you ssh
>>>>>> into the jail (via the jail'd ssh process of course).
>>>>>>
>>>>>> Does that seem to be the case in your situation?
>>>>>
>>>>> If you mean this sshd IsJ 0:00,00 /usr/sbin/sshd
>>>>>
>>>>> Then no.
>>>>>
>>>>> %ssh 10.0.0.10
>>>>> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>>>>>
>>>>> I did have an alias on the host to the jail's ip.
>>>>> Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
>>>>>
>>>>> testbox# jexec 1 tcsh
>>>>> jexec: jail_attach(1): Invalid argument
>>>>>
>>>>> Sooo... I'm kind of out of ideas.
>>>>
>>>> What does "jls" command say? If you have restarted your jail, its ID
>>>> most likely has changed.
>>>
>>> The ID did change, didn't know about that, thank you.
>>>
>>> But still, sshd isn't running in the jail
>>>
>>> 32bit# ps ax
>>>   PID  TT  STAT      TIME COMMAND
>>>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>>>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>>>  2464   0  SJ     0:00,01 tcsh
>>>  2482   0  R+J    0:00,00 ps ax
>>>
>>> testbox# ps ax | grep J
>>>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>>>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>>>  2488   0  S+     0:00,00 grep J
>>>
>>> testbox is the host.
>>
>> A stab in the dark, but... Did you add sshd_enable="YES" to the jail's rc.conf(5)?
>
> Or, from within the jail, what does service sshd status say?

Or from the host: sockstat | grep :22. You should see something like

root sshd 2016 3 tcp4 192.168.17.15:22 *:*

for each jail.
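The host-side check described above (jls for each jail's address, sockstat for a :22 listener bound to it) can be scripted so a jail whose sshd never started shows up at a glance. This is an added example, not code from any post in this thread; the jls and sockstat output it parses is constructed inline, and the function name jail_listener_status is made up for the example.

```shell
#!/bin/sh
# Added example (not from this thread): cross-check every jail's IPv4 address
# against the host's listening sockets, so a jail whose sshd did not start
# (e.g. sshd_enable="YES" missing from its rc.conf) is reported as MISSING.
#
# Constructed sample of `jls -h jid name ip4.addr` output on the host.
JLS_SAMPLE='jid name ip4.addr
3 inno 10.0.0.10
4 www 10.0.0.11'

# Constructed sample of `sockstat -4l` output on the host: the host's own
# sshd listens on 192.168.17.15, jail "inno" has one, jail "www" does not.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       2016  3  tcp4   192.168.17.15:22      *:*
root     sshd       2391  4  tcp4   10.0.0.10:22          *:*
root     sendmail   2385  5  tcp4   127.0.0.1:25          *:*'

# jail_listener_status JLS_OUTPUT SOCKSTAT_OUTPUT PORT
# Prints "name ip LISTENING|MISSING" for every jail; returns 1 if any jail
# has no tcp4 listener on PORT, 0 otherwise.
jail_listener_status() {
    { printf '%s\n---\n' "$1"; printf '%s\n' "$2"; } | awk -v port="$3" '
        $0 == "---"  { part = 2; hdr = 0; next }   # switch from jls to sockstat rows
        !hdr         { hdr = 1; next }             # skip the header line of each part
        part != 2    {                             # jls row: jid name ip4.addr[,more]
            split($3, addrs, ",")                  # a jail may list several addresses;
            ip[$2] = addrs[1]; order[++n] = $2     # only the first one is checked here
            next
        }
        $5 == "tcp4" {                             # sockstat row: LOCAL ADDRESS is $6
            split($6, a, ":")
            if (a[2] == port) listen[a[1]] = 1
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                name = order[i]
                st = (ip[name] in listen) ? "LISTENING" : "MISSING"
                if (st == "MISSING") rc = 1
                print name, ip[name], st
            }
            exit rc
        }'
}

# Stand-alone run against the constructed samples ("www" has no listener).
if ! jail_listener_status "$JLS_SAMPLE" "$SOCKSTAT_SAMPLE" 22; then
    echo "at least one jail has no listener on port 22" >&2
fi
```

On a real host, feed it `"$(jls -h jid name ip4.addr)"` and `"$(sockstat -4l)"` instead of the samples.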
Re: jail and networking
On 02/20/2013 20:59, Teske, Devin wrote:

> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>> On 2013-02-20 19:07, Jeff Tipton wrote:
>>> On 02/20/2013 19:42, Bernt Hansson wrote:
>>>> On 2013-02-20 17:23, Teske, Devin wrote:
>>>>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>>>>>> Hello list!
>>>>>>
>>>>>> I don't seem to get net working in a test jail.
>>>>>>
>>>>>> These I've tried:
>>>>>>
>>>>>> ftp, fetch, telnet
>>>>>>
>>>>>> They time out.
>>>>>>
>>>>>> Ssh sort of works.
>>>>>>
>>>>>> 32bit# ssh 10.0.0.3
>>>>>> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
>>>>>> Host key verification failed.
>>>>>>
>>>>>> jail is 8.3-STABLE i386 GENERIC
>>>>>>
>>>>>> host is FreeBSD 8.3-STABLE amd64 GENERIC
>>>>>>
>>>>>> I'm sure you want more info so just tell me what info.
>>>>>
>>>>> Commonly the problem is that you are "jexec'd" into the jail and I
>>>>> find that tools like ssh, ftp, telnet, etc. don't work when you're in
>>>>> the jail via "jexec" but instead what works way better is if you ssh
>>>>> into the jail (via the jail'd ssh process of course).
>>>>>
>>>>> Does that seem to be the case in your situation?
>>>>
>>>> If you mean this sshd IsJ 0:00,00 /usr/sbin/sshd
>>>>
>>>> Then no.
>>>>
>>>> %ssh 10.0.0.10
>>>> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>>>>
>>>> I did have an alias on the host to the jail's ip.
>>>> Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
>>>>
>>>> testbox# jexec 1 tcsh
>>>> jexec: jail_attach(1): Invalid argument
>>>>
>>>> Sooo... I'm kind of out of ideas.
>>>
>>> What does "jls" command say? If you have restarted your jail, its ID
>>> most likely has changed.
>>
>> The ID did change, didn't know about that, thank you.
>>
>> But still, sshd isn't running in the jail
>>
>> 32bit# ps ax
>>   PID  TT  STAT      TIME COMMAND
>>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>>  2464   0  SJ     0:00,01 tcsh
>>  2482   0  R+J    0:00,00 ps ax
>>
>> testbox# ps ax | grep J
>>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>>  2488   0  S+     0:00,00 grep J
>>
>> testbox is the host.
>
> A stab in the dark, but... Did you add sshd_enable="YES" to the jail's rc.conf(5)?

Or, from within the jail, what does service sshd status say?
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> On 2013-02-20 19:07, Jeff Tipton wrote:
> > On 02/20/2013 19:42, Bernt Hansson wrote:
> >> On 2013-02-20 17:23, Teske, Devin wrote:
> >>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
> >>>
> >>>> Hello list!
> >>>>
> >>>> I don't seem to get net working in a test jail.
> >>>>
> >>>> These I've tried:
> >>>>
> >>>> ftp, fetch, telnet
> >>>>
> >>>> They time out.
> >>>>
> >>>> Ssh sort of works.
> >>>>
> >>>> 32bit# ssh 10.0.0.3
> >>>> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or
> >>>> directory
> >>>> Host key verification failed.
> >>>>
> >>>> jail is 8.3-STABLE i386 GENERIC
> >>>>
> >>>> host is FreeBSD 8.3-STABLE amd64 GENERIC
> >>>>
> >>>> I'm sure you want more info so just tell me what info.
> >>>
> >>> Commonly the problem is that you are "jexec'd" into the jail and I
> >>> find that tools like ssh, ftp, telnet, etc. don't work when you're in
> >>> the jail via "jexec" but instead what works way better is if you ssh
> >>> into the jail (via the jail'd ssh process of course).
> >>>
> >>> Does that seem to be the case in your situation?
> >>
> >> If you mean this sshd IsJ 0:00,00 /usr/sbin/sshd
> >>
> >> Then no.
> >>
> >> %ssh 10.0.0.10
> >> ssh: connect to host 10.0.0.10 port 22: Operation timed out
> >>
> >> I did have an alias on the host to the jail's ip.
> >> Tried to restart the jail, it went fine, but now I can't jexec in to
> >> the jail.
> >>
> >> testbox# jexec 1 tcsh
> >> jexec: jail_attach(1): Invalid argument
> >>
> >> Sooo... I'm kind of out of ideas.
> >
> > What does "jls" command say? If you have restarted your jail, its ID
> > most likely has changed.
>
> The ID did change, didn't know about that, thank you.
>
> But still, sshd isn't running in the jail
>
> 32bit# ps ax
>   PID  TT  STAT      TIME COMMAND
>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for
> /var/spool/clientmqueue (sendmail)
>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>  2464   0  SJ     0:00,01 tcsh
>  2482   0  R+J    0:00,00 ps ax
>
> testbox# ps ax | grep J
>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for
> /var/spool/clientmqueue (sendmail)
>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>  2488   0  S+     0:00,00 grep J
>
> testbox is the host.

A stab in the dark, but... Did you add sshd_enable="YES" to the jail's rc.conf(5)?

-- 
Devin

The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> On 2013-02-20 17:23, Teske, Devin wrote:
> > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> >
> >> Hello list!
> >>
> >> I don't seem to get net working in a test jail.
> >>
> >> These I've tried:
> >>
> >> ftp, fetch, telnet
> >>
> >> They time out.
> >>
> >> Ssh sort of works.
> >>
> >> 32bit# ssh 10.0.0.3
> >> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> >> Host key verification failed.
> >>
> >> jail is 8.3-STABLE i386 GENERIC
> >>
> >> host is FreeBSD 8.3-STABLE amd64 GENERIC
> >>
> >> I'm sure you want more info so just tell me what info.
> >
> > Commonly the problem is that you are "jexec'd" into the jail and I find
> > that tools like ssh, ftp, telnet, etc. don't work when you're in the jail
> > via "jexec" but instead what works way better is if you ssh into the jail
> > (via the jail'd ssh process of course).
> >
> > Does that seem to be the case in your situation?
>
> If you mean this sshd IsJ 0:00,00 /usr/sbin/sshd
>
> Then no.
>
> %ssh 10.0.0.10
> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>
> I did have an alias on the host to the jail's ip.
> Tried to restart the jail, it went fine, but now I can't jexec in to the
> jail.
>
> testbox# jexec 1 tcsh
> jexec: jail_attach(1): Invalid argument
>
> Sooo... I'm kind of out of ideas.

When you restart a jail its jid (the first argument to jexec) changes.

Instead of using the jid you can use the jail name (example below):

jexec NAME tcsh

Otherwise, you're going to have to do "jls" to get the new jid after restarting the jail.

-- 
Devin
Re: jail and networking
On 20/02/2013 18:23, Bernt Hansson wrote:

> The ID did change, didn't know about that, thank you.
>
> But still, sshd isn't running in the jail
>
> 32bit# ps ax
>   PID  TT  STAT      TIME COMMAND
>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>  2464   0  SJ     0:00,01 tcsh
>  2482   0  R+J    0:00,00 ps ax
>
> testbox# ps ax | grep J
>  2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>  2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
>  2488   0  S+     0:00,00 grep J
>
> testbox is the host.

I assume you set up the /etc/resolv.conf? I have found that my network does not start until I have this set up.

-- 
Regards,
Gary J. Hayers
g...@hayers.org
PGP Signature http://www.hayers.org/pgp
Re: jail and networking
On 02/20/2013 19:42, Bernt Hansson wrote:

> On 2013-02-20 17:23, Teske, Devin wrote:
>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>>> Hello list!
>>>
>>> I don't seem to get net working in a test jail.
>>>
>>> These I've tried:
>>>
>>> ftp, fetch, telnet
>>>
>>> They time out.
>>>
>>> Ssh sort of works.
>>>
>>> 32bit# ssh 10.0.0.3
>>> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
>>> Host key verification failed.
>>>
>>> jail is 8.3-STABLE i386 GENERIC
>>>
>>> host is FreeBSD 8.3-STABLE amd64 GENERIC
>>>
>>> I'm sure you want more info so just tell me what info.
>>
>> Commonly the problem is that you are "jexec'd" into the jail and I find
>> that tools like ssh, ftp, telnet, etc. don't work when you're in the jail
>> via "jexec" but instead what works way better is if you ssh into the jail
>> (via the jail'd ssh process of course).
>>
>> Does that seem to be the case in your situation?
>
> If you mean this sshd IsJ 0:00,00 /usr/sbin/sshd
>
> Then no.
>
> %ssh 10.0.0.10
> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>
> I did have an alias on the host to the jail's ip.
> Tried to restart the jail, it went fine, but now I can't jexec in to the jail.
>
> testbox# jexec 1 tcsh
> jexec: jail_attach(1): Invalid argument
>
> Sooo... I'm kind of out of ideas.

What does "jls" command say? If you have restarted your jail, its ID most likely has changed.
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> Hello list!
>
> I don't seem to get net working in a test jail.
>
> These I've tried:
>
> ftp, fetch, telnet
>
> They time out.
>
> Ssh sort of works.
>
> 32bit# ssh 10.0.0.3
> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> Host key verification failed.
>
> jail is 8.3-STABLE i386 GENERIC
>
> host is FreeBSD 8.3-STABLE amd64 GENERIC
>
> I'm sure you want more info so just tell me what info.

Commonly the problem is that you are "jexec'd" into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via "jexec" but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).

Does that seem to be the case in your situation?

-- 
Devin
Re: setting MIBs on a per jail bases
Harald Schmalzbauer wrote on 14.02.2013 14:18 (localtime):

> Fbsd8 wrote on 06.02.2013 17:57 (localtime):
>> Fleuriot Damien wrote:
>>> Running 8.3 here and the answer is no.
>>>
>>>
>>> On Feb 6, 2013, at 5:39 PM, Fbsd8 wrote:
>>>
>>>> Is there a way to set these MIBs
>>>> on a per-jail basis?
>>>>
>>>> allow.mount.nullfs
>>>> allow.raw_sockets
>>>> cpuset.id
>>>> securelevel
>>>
>>>
>> Rereading the "man jail" for 9.1 talks about securelevel as a jail
>> parameter. So correct me if I am wrong. All the security.jail.param.*
>> MIBs are set in rc.conf or /etc/jail.conf file on a per-jail basis by
>> changing the word "parm" to the jailname?
>>
> This applies to jail.conf(5).
> That's an entirely new way to handle jails in FreeBSD 9.1. Very nice, but
> not included in rc.d.
>
> If you want to keep the traditional way of running jails, I made a patch
> some time ago to control more per-jail tunables.
> Here you can download it for -9:
> ftp://ftp.omnilan.de/pub/FreeBSD/OmniLAN/deploy-tools/local-patches/src/jail-allow-selectables.patch_9
> That also irons out some ip configuration cosmetics, see defaults/rc.conf.

See also
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=686783+0+archive/2010/freebsd-stable/20100704.freebsd-stable

-Harry
Re: setting MIBs on a per jail bases
Fbsd8 wrote on 06.02.2013 17:57 (localtime):

> Fleuriot Damien wrote:
>> Running 8.3 here and the answer is no.
>>
>>
>> On Feb 6, 2013, at 5:39 PM, Fbsd8 wrote:
>>
>>> Is there a way to set these MIBs
>>> on a per-jail basis?
>>>
>>> allow.mount.nullfs
>>> allow.raw_sockets
>>> cpuset.id
>>> securelevel
>>
>>
>>
>
> Rereading the "man jail" for 9.1 talks about securelevel as a jail
> parameter. So correct me if I am wrong. All the security.jail.param.*
> MIBs are set in rc.conf or /etc/jail.conf file on a per-jail basis by
> changing the word "parm" to the jailname?
>

This applies to jail.conf(5).
That's an entirely new way to handle jails in FreeBSD 9.1. Very nice, but not included in rc.d.

If you want to keep the traditional way of running jails, I made a patch some time ago to control more per-jail tunables.
Here you can download it for -9:
ftp://ftp.omnilan.de/pub/FreeBSD/OmniLAN/deploy-tools/local-patches/src/jail-allow-selectables.patch_9
That also irons out some ip configuration cosmetics, see defaults/rc.conf.

If you want to give the new jail(8) and jail.conf capabilities a try, here's how I use it with vnet (vimage, virtual per-jail network stack):

Compile a kernel with "options VIMAGE"
remove "# keyword nojail" in jail's etc/rc.d/netif and routing (if you want to set IP addresses inside the jail)

And here's the corresponding jail.conf:

###
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown && sleep 2";
exec.clean;
allow.mount;
allow.mount.devfs;
allow.set_hostname;
mount.devfs;
devfs_ruleset=4;

# Dynamic wildcard parameter:
# Base the path off the jail name.
path = "/.jail.$name";
mount.fstab="/etc/fstab.$name";

yourname {
    mount;
    name = "inno";
    # host.hostname = .your hostname.net"; but also set inside the jail along with network setup
    vnet = "new";
    vnet.interface = "jbb$name";
}
###

You can add "allow.raw_sockets" anywhere. But with vnet, you don't need that any more.

Just to point you in the right direction.

-Harry
Re: setting MIBs on a per jail bases
On Feb 6, 2013, at 5:57 PM, Fbsd8 wrote:

> Fleuriot Damien wrote:
>> Running 8.3 here and the answer is no.
>> On Feb 6, 2013, at 5:39 PM, Fbsd8 wrote:
>>> Is there a way to set these MIBs
>>> on a per-jail basis?
>>>
>>> allow.mount.nullfs
>>> allow.raw_sockets
>>> cpuset.id
>>> securelevel
>
> Rereading the "man jail" for 9.1 talks about securelevel as a jail
> parameter. So correct me if I am wrong. All the security.jail.param.* MIBs
> are set in rc.conf or /etc/jail.conf file on a per-jail basis by
> changing the word "parm" to the jailname?
>

I'm afraid I wouldn't know, I don't have a single 9.x box here.

Does the man mention the secure level as a PER JAIL parameter, or as a systemwide parameter applied only to jails?
Re: setting MIBs on a per jail bases
Fleuriot Damien wrote:

> Running 8.3 here and the answer is no.
>
> On Feb 6, 2013, at 5:39 PM, Fbsd8 wrote:
>
>> Is there a way to set these MIBs
>> on a per-jail basis?
>>
>> allow.mount.nullfs
>> allow.raw_sockets
>> cpuset.id
>> securelevel

Rereading the "man jail" for 9.1 talks about securelevel as a jail parameter. So correct me if I am wrong. All the security.jail.param.* MIBs are set in rc.conf or /etc/jail.conf file on a per-jail basis by changing the word "parm" to the jailname?
Re: setting MIBs on a per jail bases
Running 8.3 here and the answer is no.

On Feb 6, 2013, at 5:39 PM, Fbsd8 wrote:

> Is there a way to set these MIBs
> on a per-jail basis?
>
> allow.mount.nullfs
> allow.raw_sockets
> cpuset.id
> securelevel
setting MIBs on a per jail bases
Is there a way to set these MIBs on a per-jail basis?

allow.mount.nullfs
allow.raw_sockets
cpuset.id
securelevel