RE: Ezjail & freebsd-update

2011-08-23 Thread Johan Hendriks
>I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since
>it had to be restarted any way. I upgraded it with freebsd-update and
>compiled a custom kernel with no problem. However I haven't been able to
>find a procedure for updating jails when they've been setup with ezjail.
>I did 'ezjail-admin update -u' however it doesn't seem like that
>upgraded things like the /etc/ dir inside jails. I'm not too worried
>since everything is working however if anyone can point me in the right
>direction I would appreciate it. I figure this will be especially
>important when moving to 9.0 when it's released.

I always use ezjail-admin update -i
Then do the normal mergemaster steps for the jails

mergemaster -iU -D /your/path/to/jail
You need to do that for every jail you have

So if you have three jails named jail_1, jail_2 and jail_3, you do this three 
times.

mergemaster -iU -D /your/path/to/jail_1
mergemaster -iU -D /your/path/to/jail_2
mergemaster -iU -D /your/path/to/jail_3



regards,
Johan Hendriks
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Ezjail & freebsd-update

2011-08-22 Thread Kaspars Bankovskis
Actually you don't have to rebuild the basejail. You may simply rerun
"ezjail-admin install", which will fetch the binary files for your release
(uname -r) and will apply them if needed.

On Sun, Aug 21, 2011 at 06:27:56PM -0700, Rocky Borg wrote:
> I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since 
> it had to be restarted any way. I upgraded it with freebsd-update and 
> compiled a custom kernel with no problem. However I haven't been able to 
> find a procedure for updating jails when they've been setup with ezjail. 
> I did 'ezjail-admin update -u' however it doesn't seem like that 
> upgraded things like the /etc/ dir inside jails. I'm not too worried 
> since everything is working however if anyone can point me in the right 
> direction I would appreciate it. I figure this will be especially 
> important when moving to 9.0 when it's released.


Re: Ezjail & freebsd-update

2011-08-22 Thread Randy Schultz
On Sun, 21 Aug 2011, Rocky Borg spaketh thusly:

-}I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since it had
-}to be restarted any way. I upgraded it with freebsd-update and compiled a
-}custom kernel with no problem. However I haven't been able to find a procedure
-}for updating jails when they've been setup with ezjail. I did 'ezjail-admin
-}update -u' however it doesn't seem like that upgraded things like the /etc/
-}dir inside jails. I'm not too worried since everything is working however if
-}anyone can point me in the right direction I would appreciate it. I figure
-}this will be especially important when moving to 9.0 when it's released.

My understanding of ezjail is you just say "ezjail-admin update".  Ezjail then
grabs the sources and rebuilds everything.  If you already have everything
built locally, e.g. you csup'd the sources, did the make buildworld, etc., you
can then just issue an "ezjail-admin update -i".  I'm not familiar with the "-u"
option to ezjail and my man pages do not show it as an option.  ;>


--
 Randy(schu...@earlham.edu)  765.983.1283 <*>

nosce te ipsum



Ezjail & freebsd-update

2011-08-21 Thread Rocky Borg
I had an opportunity to upgrade a server from freebsd 8.1 to 8.2 since 
it had to be restarted any way. I upgraded it with freebsd-update and 
compiled a custom kernel with no problem. However I haven't been able to 
find a procedure for updating jails when they've been setup with ezjail. 
I did 'ezjail-admin update -u' however it doesn't seem like that 
upgraded things like the /etc/ dir inside jails. I'm not too worried 
since everything is working however if anyone can point me in the right 
direction I would appreciate it. I figure this will be especially 
important when moving to 9.0 when it's released.



Re: src upgrading jails (no ezjail, no "service" jails)

2011-06-02 Thread Greg Larkin

On 6/2/11 10:42 AM, Aleksandr Miroslav wrote:
> On Wed, Jun 1, 2011 at 4:44 PM, Greg Larkin  wrote:
>> Those commands will update the base system in the jail directory
>> "jaildir1" with the latest bits that were previously compiled with
>> "make buildworld". don't believe they will disturb any other data in
>> /usr/local, if that's what you are concerned about.
> 
> Yeah, I ran it and it mostly worked, although running "mergemaster -p -D
> /path/to/jail" before installworld didn't really back up files like it
> normally does, but I was able to pull the most recent backup and fix
> that.
> 
>> I use ezjail here, and it will automate a lot of these steps for you.
>> Is there a reason that you can't use it?
> 
> I didn't create these jails with ezjails, so I was working under the
> impression that I could not use ezjail to upgrade them. Is that not
> correct?

I should have written that sentence a bit differently.  I was wondering
why you didn't use ezjail to create the jails in the first place, not
that you weren't using it to upgrade them now.

Would it be painful to migrate your current jails to ezjail to make
future updates easier?

Regards,
Greg
-- 
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/  - Follow you, follow me


Re: src upgrading jails (no ezjail, no "service" jails)

2011-06-02 Thread Aleksandr Miroslav
On Wed, Jun 1, 2011 at 4:44 PM, Greg Larkin  wrote:
> Those commands will update the base system in the jail directory
> "jaildir1" with the latest bits that were previously compiled with
> "make buildworld". don't believe they will disturb any other data in
> /usr/local, if that's what you are concerned about.

Yeah, I ran it and it mostly worked, although running "mergemaster -p -D
/path/to/jail" before installworld didn't really back up files like it
normally does, but I was able to pull the most recent backup and fix
that.

> I use ezjail here, and it will automate a lot of these steps for you.
> Is there a reason that you can't use it?

I didn't create these jails with ezjails, so I was working under the
impression that I could not use ezjail to upgrade them. Is that not
correct?

Alex


Re: src upgrading jails (no ezjail, no "service" jails)

2011-06-01 Thread Greg Larkin

On 6/1/11 3:36 PM, Aleksandr Miroslav wrote:
> On Wed, Jun 1, 2011 at 9:11 AM, Greg Larkin  wrote:
>>> I have 4 jails that are running 8.2-RELEASE that I would like to
>>> upgrade.
>>>
>>> I did not create the jails using ezjails
>>> I did not create the jails using the "template" method
>>
>> You can do this:
>> cd /usr/src
>> make installworld DESTDIR=
>> make distribution DESTDIR=
> 
> Would this not overwrite the data I already had in the existing jails?
> 
> Also, presumably, I would have to run mergemaster in jail after doing
> this, correct?
> 
> Alex

Hi Alex,

Those commands will update the base system in the jail directory
"jaildir1" with the latest bits that were previously compiled with "make
buildworld".  I don't believe they will disturb any other data in
/usr/local, if that's what you are concerned about.

Yes, you will also need to run mergemaster - I forgot about that step.
You can run it outside of the jail in question if you use the "-D" option.

I use ezjail here, and it will automate a lot of these steps for you.
Is there a reason that you can't use it?

Regards,
Greg
-- 
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/  - Follow you, follow me


Re: src upgrading jails (no ezjail, no "service" jails)

2011-06-01 Thread Aleksandr Miroslav
On Wed, Jun 1, 2011 at 9:11 AM, Greg Larkin  wrote:
> > I have 4 jails that are running 8.2-RELEASE that I would like to
> > upgrade.
> >
> > I did not create the jails using ezjails
> > I did not create the jails using the "template" method
>
> You can do this:
> cd /usr/src
> make installworld DESTDIR=
> make distribution DESTDIR=

Would this not overwrite the data I already had in the existing jails?

Also, presumably, I would have to run mergemaster in jail after doing
this, correct?

Alex


Re: src upgrading jails (no ezjail, no "service" jails)

2011-06-01 Thread Greg Larkin

On 5/31/11 11:00 PM, Aleksandr Miroslav wrote:
> I have 4 jails that are running 8.2-RELEASE that I would like to upgrade.
> 
> The host system, which was also running 8.2-RELEASE, has been
> successfully upgraded to 8.2-p2. I have /usr/src ready with the new
> world and new kernel.
> 
> I did not create the jails using ezjails, so I cannot use that utility
> to upgrade it.
> 
> I did not create the jails using the "template" method described in
> Handbook (section 15.6.1.2), so the method recommended to upgrade
> them, i.e.:
> 
> 
> http://www.freebsd.org/doc/handbook/jails-application.html#JAILS-SERVICE-JAILS-UPGRADING
> 
> would not work for me.
> 
> What is the proper way for me to upgrade these jails?
> 
> thanks,
> Alex

Hi Alex,

You can do this:

cd /usr/src
make installworld DESTDIR=
make distribution DESTDIR=
...
...
make installworld DESTDIR=
make distribution DESTDIR=

Then restart your jails.

Regards,
Greg
-- 
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/cpucycle/  - Follow you, follow me


src upgrading jails (no ezjail, no "service" jails)

2011-05-31 Thread Aleksandr Miroslav
I have 4 jails that are running 8.2-RELEASE that I would like to upgrade.

The host system, which was also running 8.2-RELEASE, has been
successfully upgraded to 8.2-p2. I have /usr/src ready with the new
world and new kernel.

I did not create the jails using ezjails, so I cannot use that utility
to upgrade it.

I did not create the jails using the "template" method described in
Handbook (section 15.6.1.2), so the method recommended to upgrade
them, i.e.:


http://www.freebsd.org/doc/handbook/jails-application.html#JAILS-SERVICE-JAILS-UPGRADING

would not work for me.

What is the proper way for me to upgrade these jails?

thanks,
Alex


Re: Ezjail and Flavours

2011-04-29 Thread Alejandro Imass
On Fri, Apr 29, 2011 at 3:46 PM, Alejandro Imass  wrote:
> Hi,
>

Answering myself here...

[snip]

> My idea is to soft-link the complete /usr/local directory of the
> compiling jail in the specific flavour so after the packages get
> installed I can just copy everything else over /usr/local
> It should be pretty safe either way I guess but probably there are
> people with a lot more experience with EzJail here ;-)
>

DID NOT work :-(

First, Ezjail copies first and installs the packages on first start of
the jail. I knew this but had forgotten so it is logical that first
copy the pkg install, duh!

Second, EzJail just copies the soft link and this of course will not
work just like that for obvious security reasons.

I erased the jail and tried a second time...

So here is what I did and seems to work:

1) Create your jail flavour standard with packages and all
2) Start the jail. This will install packages
3) Stop the jail
4) Copy the entire /usr/local of your compile jail to your new jail
5) Start the working jail

This seems easy enough and seems to be working perfectly!

What I have is different flavors of compiling jails: php52, php53,
catalyst 5.8, apache22, etc. Those are never used for production. Only
to compile and generate the packages for the EzJail flavours.

The other option would be to physically copy the contents of
/usr/local to the flavour but I think it's a better idea to let the
packages install and _then_ copy /usr/local over that.

Anyway, it's working so cool!

Man, FBSD really rocks! Regardless of the thousands of technical
benefits, the clean cut separation of system and applications, _and_
Jails is, to me, one of the greatest things about FBSD.

--
Alejandro Imass

> Thanks!
>
> --
> Alejandro Imass
>


Ezjail and Flavours

2011-04-29 Thread Alejandro Imass
Hi,

I've been using flavors for a while but only simple stuff like /etc and /pkg

So what I have is a bunch of base jails where I just install ports and
then copy the packages over to the flavours.

Now I want to create a Perl Catalyst base jail, but something I
installed via ports and others via CPAN.

Question: what gets executed first with EzJail? the pkg installation
or the file copy?

My idea is to soft-link the complete /usr/local directory of the
compiling jail in the specific flavour so after the packages get
installed I can just copy everything else over /usr/local
It should be pretty safe either way I guess but probably there are
people with a lot more experience with EzJail here ;-)

Thanks!

--
Alejandro Imass


Re: Help with "ezjail-admin create" command

2010-07-14 Thread Ed Flecko
Thank you Peter!

Well in MY case, I'm not planning on running anything on this server
(at least at the moment) other than Apache, so I shouldn't have any
difficulties (I hope).

Also, what's the "ezjail-admin update -P -i" command? I've tried
"googling" it, but I don't see much.

Is it similar to the "ezjail-admin install" command somehow?

Ed


Re: Help with "ezjail-admin create" command

2010-07-14 Thread Peter Boosten

On 14 jul 2010, at 23:57, Ed Flecko wrote:

> Thank you.
> 
> :-)
> 
> What services are you referring to on the host that need to be reconfigured???
> 

ezjail tells you what services are running, which might conflict with the jail. 
But that highly depends on the services running on the host, and which you are 
planning to run in the jail.

In my case it was: sshd, openldap, apache, syslog-ng, postfix, nfs, netatalk, 
samba.

-- 
Peter Boosten
http://www.boosten.org





Re: Help with "ezjail-admin create" command

2010-07-14 Thread Ed Flecko
Thank you.

:-)

What services are you referring to on the host that need to be reconfigured???

Ed


Re: Help with "ezjail-admin create" command

2010-07-14 Thread Peter Boosten

On 14 jul 2010, at 22:18, Ed Flecko wrote:

> Peter,
> I don't quite understand what you mean "I think you're better off
> creating a fresh jail, and install apache via the ports collection.
> for the templates to work you need to specify all dependencies by
> hand."
> 


> Are you suggesting NOT using ezjail?


No, that's not what I'm suggesting. from the start:

first thing is to create the base:

(one time)
ezjail-admin update -P -i

After reconfiguring the services on the host machine (one time), you can add an 
alias to your existing ip address (see ifconfig how to do that)

then create a jail:
ezjail-admin create  

assuming your ezjail.conf is OK. Replace hostname with a name you want to 
identify the jail with, and the ipaddress should be replaced by the alias ip 
address in the previous step.

You will then have a good jail. You can start this jail with 
/usr/local/etc/rc.d/ezjail.sh onestart (or start, if you edited /etc/rc.conf) 
and access the running jail with:

ezjail-admin console 

after that you go to the ports collection and install apache, including all its 
dependencies (which are a lot)

cd /usr/ports/www/apache22
make all install clean

just like you would do on a non-jailed machine.



> Or do you mean just install
> Apache into a jail (created by ezjail) and don't worry about creating
> a "template" like this website shows? How would I do that? I'm new to
> the whole "jail" thing so it's a little confusing. I like the idea of
> using the ezjail, because it seems more "idiot proof" for a relative
> newbie.

ezjail is good.

> 
> :-)
> 
> Also, what do you mean "for the templates to work you need to specify
> all dependencies by hand"? I'm not stuck on following this website,
> but IF the steps are fairly accurate, it seems to be a good roadmap
> and it doesn't mention anything about specifying any dependencies by
> hand.


That's what I read from the creators website:

The default flavour demonstrates how to pkg_add some prefetched packages. Since 
no remote fetching of missing packages is requested, you need to provide all 
package dependencies yourself. 


-- 
Peter Boosten
http://www.boosten.org





Re: Help with "ezjail-admin create" command

2010-07-14 Thread Ed Flecko
Peter,
I don't quite understand what you mean "I think you're better off
creating a fresh jail, and install apache via the ports collection.
for the templates to work you need to specify all dependencies by
hand."

Are you suggesting NOT using ezjail? Or do you mean just install
Apache into a jail (created by ezjail) and don't worry about creating
a "template" like this website shows? How would I do that? I'm new to
the whole "jail" thing so it's a little confusing. I like the idea of
using the ezjail, because it seems more "idiot proof" for a relative
newbie.

:-)

Also, what do you mean "for the templates to work you need to specify
all dependencies by hand"? I'm not stuck on following this website,
but IF the steps are fairly accurate, it seems to be a good roadmap
and it doesn't mention anything about specifying any dependencies by
hand.

Comments?

Thank you,
Ed


Re: Help with "ezjail-admin create" command

2010-07-14 Thread Peter Boosten

On 14 jul 2010, at 21:49, Ed Flecko wrote:

> Hi folks,
> I've found a website ( http://wiki.freebsd.org/AppserverJailsHOWTO )
> with a tutorial that steps me through most of what I'm trying to
> set-up; I'm trying to use ezjail to set up the latest version of
> Apache with my website. I've carefully followed the steps, and the
> only step that I've found that seems to be wrong is the author's
> reference to "default" which doesn't seem to exist; it's actually
> "example" so I've changed my commands accordingly.
> 
> I'm confused about the "ezjail-admin create" command.
> 
> When I installed FreeBSD, I set up a partition called "www", because I
> thought it might be easier for me to backup all of my web sites, etc.,
> and it's easier for me to remember where I installed Apache.
> 
> I've modified my ezjail.conf file and the ezjail_jaildir line to read:
> ezjail_jaildir=/www/jails
> 
> When I issue this command:
> 
> ezjail-admin create -f example apache 192.168.225.128
> 
> I get this error:
> 
> find: /www/jails/apache/pkg/: no such file or directory
> Note: Shell scripts for flavour example installed, flavourizing on
> jails first startup.


I think you're better off creating a fresh jail, and install apache via the 
ports collection. for the templates to work you need to specify all 
dependencies by hand.

> 
> It also throws an error about "some services already seem to be
> listening on IP 192.168.225.128"
> 
> 1.) What did I screw up? This isn't normal, is it?

This is a normal thing. By default services on FreeBSD listen on all 
interfaces, and since jails use an alias on an existing interface, it'll listen 
on that as well. You will need to change the configurations of the services on 
the host for at least all services you will run on the jail as well (so if your 
host runs apache, you'll need to reconfigure apache to listen only on one IP 
address, or have apache in the jail listen on another port than 80). Same goes 
for sshd and other services.

> 
> 2.) When using the "ezjail-admin create" command, the IP address that
> I'm passing is supposed to be the IP address of the HOST machine
> (because it has the "basejail", right?), isn't it?

No, the IP address the jail will have (but you have to create an alias on the 
host to that IP address)

> 
> 3.) When I type:  find / -name apache
> 
> I get:
> 
> /usr/local/etc/ezjail/apache and /www/jails/apache
> 
> Does the ezjail program create TWO instances of what will be my
> "jailed" Apache? Why does it do that? Did I goof something else up, or
> is that "normal"?


Those are probably symlinks...

Peter
-- 
Peter Boosten
http://www.boosten.org
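
The check Peter describes above (host services that listen on every address will also answer on the jail's alias IP), as an added example that is not part of the original thread. The function names `conflicting_listeners` and `sample_sockstat` are hypothetical, and the sample listing is constructed in the layout of `sockstat -4 -l` output.

```shell
#!/bin/sh
# Added example, not from the thread: list host listeners that would also
# answer on a jail's alias IP, i.e. sockets bound to the wildcard address
# or bound explicitly to the jail IP.

# conflicting_listeners JAIL_IP
# Reads `sockstat -4 -l` style text on stdin and prints
# "COMMAND PROTO LOCAL-ADDRESS" for every socket that covers JAIL_IP.
conflicting_listeners() {
    jail_ip="$1"
    awk -v ip="$jail_ip" '
        $1 == "USER" { next }        # skip the column header
        NF < 6       { next }        # skip blank or truncated lines
        {
            local_addr = $6
            n = split(local_addr, parts, ":")
            port = parts[n]
            # everything before the final ":port" is the bind address
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (addr == "*" || addr == ip)
                printf "%s %s %s\n", $2, $5, local_addr
        }
    '
}

# Constructed sample: three wildcard listeners, one loopback-only service,
# and one service already pinned to a single host address.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       850   4  tcp4   *:22                  *:*
www      httpd      1234  3  tcp4   *:80                  *:*
root     sendmail   900   3  tcp4   127.0.0.1:25          *:*
root     syslogd    700   7  udp4   *:514                 *:*
root     named      650   20 tcp4   192.168.225.10:53     *:*
EOF
}

# Jail IP taken from the "ezjail-admin create" command quoted in the thread.
sample_sockstat | conflicting_listeners 192.168.225.128
```

On a FreeBSD host, feed it live data with `sockstat -4 -l | conflicting_listeners <jail-ip>`; each service it lists needs its bind address narrowed on the host (for example sshd's `ListenAddress` or Apache's `Listen`) before the jail runs the same service.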





Help with "ezjail-admin create" command

2010-07-14 Thread Ed Flecko
Hi folks,
I've found a website ( http://wiki.freebsd.org/AppserverJailsHOWTO )
with a tutorial that steps me through most of what I'm trying to
set-up; I'm trying to use ezjail to set up the latest version of
Apache with my website. I've carefully followed the steps, and the
only step that I've found that seems to be wrong is the author's
reference to "default" which doesn't seem to exist; it's actually
"example" so I've changed my commands accordingly.

I'm confused about the "ezjail-admin create" command.

When I installed FreeBSD, I set up a partition called "www", because I
thought it might be easier for me to backup all of my web sites, etc.,
and it's easier for me to remember where I installed Apache.

I've modified my ezjail.conf file and the ezjail_jaildir line to read:
ezjail_jaildir=/www/jails

When I issue this command:

ezjail-admin create -f example apache 192.168.225.128

I get this error:

find: /www/jails/apache/pkg/: no such file or directory
Note: Shell scripts for flavour example installed, flavourizing on
jails first startup.

It also throws an error about "some services already seem to be
listening on IP 192.168.225.128"

1.) What did I screw up? This isn't normal, is it?

2.) When using the "ezjail-admin create" command, the IP address that
I'm passing is supposed to be the IP address of the HOST machine
(because it has the "basejail", right?), isn't it?

3.) When I type:  find / -name apache

I get:

/usr/local/etc/ezjail/apache and /www/jails/apache

Does the ezjail program create TWO instances of what will be my
"jailed" Apache? Why does it do that? Did I goof something else up, or
is that "normal"?

Suggestions???

Thank you,
Ed


Re: ezjail -vs- "Do it yourself" jail?

2010-07-09 Thread Roland Smith
On Fri, Jul 09, 2010 at 07:50:26AM -0700, Ed Flecko wrote:
> I'm trying to set up a FreeBSD 8.0 server to run Apache that will be
> facing the nasty and unforgiving WWW.
> 
> I have several good books on Apache that describe how to set up the
> jail, when I came across several websites that reference the "ezjail"
> package.
> 
> Are there some caveats or downsides to using the ezjail route for
> setting up my server with Apache? It sure sounds like an easier way to
> go and less "goof-proof", but as we all know, easier is not always
> better!

It depends on how many jails you want to create. If you want to set up multiple
jails, ezjail can save you disk space and management effort.

If you are only setting up a single jail, I don't think ezjail will save
much. I've documented the process I used for setting up a virtual server
manually on one of my webpages;
http://www.xs4all.nl/~rsmith/unix/misc.xhtml#creatingavirtualserveronfreebsdwithajail8

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: ezjail -vs- "Do it yourself" jail?

2010-07-09 Thread Peter Boosten
On 9-7-2010 17:13, Adam Vande More wrote:
> On Fri, Jul 9, 2010 at 9:50 AM, Ed Flecko  wrote:
> 
>> I'm trying to set up a FreeBSD 8.0 server to run Apache that will be
>> facing the nasty and unforgiving WWW.
>>
>> I have several good books on Apache that describe how to set up the
>> jail, when I came across several websites that reference the "ezjail"
>> package.
>>
>> Are there some caveats or downsides to using the ezjail route for
>> setting up my server with Apache? It sure sounds like an easier way to
>> go and less "goof-proof", but as we all know, easier is not always
>> better!
>>
> 
> It depends on how you're using it.  If all you intend on having is a single
> jail with apache running in it, then it may be easier to use the standard
> method.  Remember that ezjail is just a wrapper around FreeBSD jails, a
> management utility if you will.  You can have both ezjail jails and
> traditional jails running concurrently.  You can experiment with both to
> find out which method you like.  I find ezjail more convenient in situations
> where there are multiple jails running on a system.  I imagine if you have
> found a use for one jail, it won't be long until you find need for another.
> 

One of the main advantages of ezjail is that it out of the box saves
disk space for more than one jail, because of the shared nullfs mounts.

That can be done by hand as well (the handbook shows how), but ezjail
already invented the wheel.

Peter

-- 
http://www.boosten.org


Re: ezjail -vs- "Do it yourself" jail?

2010-07-09 Thread Adam Vande More
On Fri, Jul 9, 2010 at 9:50 AM, Ed Flecko  wrote:

> I'm trying to set up a FreeBSD 8.0 server to run Apache that will be
> facing the nasty and unforgiving WWW.
>
> I have several good books on Apache that describe how to set up the
> jail, when I came across several websites that reference the "ezjail"
> package.
>
> Are there some caveats or downsides to using the ezjail route for
> setting up my server with Apache? It sure sounds like an easier way to
> go and less "goof-proof", but as we all know, easier is not always
> better!
>

It depends on how you're using it.  If all you intend on having is a single
jail with apache running in it, then it may be easier to use the standard
method.  Remember that ezjail is just a wrapper around FreeBSD jails, a
management utility if you will.  You can have both ezjail jails and
traditional jails running concurrently.  You can experiment with both to
find out which method you like.  I find ezjail more convenient in situations
where there are multiple jails running on a system.  I imagine if you have
found a use for one jail, it won't be long until you find need for another.

-- 
Adam Vande More


ezjail -vs- "Do it yourself" jail?

2010-07-09 Thread Ed Flecko
I'm trying to set up a FreeBSD 8.0 server to run Apache that will be
facing the nasty and unforgiving WWW.

I have several good books on Apache that describe how to set up the
jail, when I came across several websites that reference the "ezjail"
package.

Are there some caveats or downsides to using the ezjail route for
setting up my server with Apache? It sure sounds like an easier way to
go and less "goof-proof", but as we all know, easier is not always
better!

Thank you,
Ed


ezjail and dmesg -a command

2010-04-25 Thread Fbsd1
I have a directory tree type of ezjail up and running. When in the jail
console I enter dmesg -a and I get the host's last boot messages, not the
jail's. Why does this dmesg command issued from within the jail have access
to the host world? Something wrong here!



Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-07 Thread Dan Naumov
On Wed, Apr 7, 2010 at 10:10 AM, Aiza  wrote:
> Dan Naumov wrote:
>>>>
>>>> An additional question: how come "sade" and "sysinstall" which are run
>>>> inside the jail can see (and I can only assume they can also operate
>>>> on and damage) the real underlying disks of the host?
>>>>
>>> Disks (as well as others you have in your host's /dev) aren't visible
>>> inside jails.
>>
>> Well, somehow they are on my system.
>>
>> I guess I should've also clarified that the jail was installed using
>> ezjail and not completely manually
>>
>> From /usr/local/etc/ezjail/semipublic
>>
>> export jail_semipublic_devfs_enable="YES"
>> export jail_semipublic_devfs_ruleset="devfsrules_jail"
>>
>> - Sincerely,
>> Dan Naumov
>>
>>
> You are not in a jail but as the host. Use ezjail-admin console jailname and
> things will look a lot different. What you are playing with are ezjail's
> system control files.

No, I am not, I am running sade / sysinstall INSIDE THE JAIL (AFTER
ezjail-admin console jailname or after connecting to the jail via
ssh).


- Sincerely,
Dan Naumov


Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-07 Thread Aiza

Dan Naumov wrote:
>>> An additional question: how come "sade" and "sysinstall" which are run
>>> inside the jail can see (and I can only assume they can also operate
>>> on and damage) the real underlying disks of the host?
>>>
>> Disks (as well as others you have in your host's /dev) aren't visible
>> inside jails.
>
> Well, somehow they are on my system.
>
> I guess I should've also clarified that the jail was installed using
> ezjail and not completely manually
>
> From /usr/local/etc/ezjail/semipublic
>
> export jail_semipublic_devfs_enable="YES"
> export jail_semipublic_devfs_ruleset="devfsrules_jail"
>
> - Sincerely,
> Dan Naumov

You are not in a jail but as the host. Use ezjail-admin console jailname
and things will look a lot different. What you are playing with are
ezjail's system control files.



Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-06 Thread Mars G Miro
On Wed, Apr 7, 2010 at 2:28 PM, Dan Naumov  wrote:
>>> An additional question: how come "sade" and "sysinstall" which are run
>>> inside the jail can see (and I can only assume they can also operate
>>> on and damage) the real underlying disks of the host?
>>>
>>
>> Disks (as well as others you have in your host's /dev) aren't visible
>> inside jails.
>
> Well, somehow they are on my system.
>
> I guess I should've also clarified that the jail was installed using
> ezjail and not completely manually
>
> From /usr/local/etc/ezjail/semipublic
>
> export jail_semipublic_devfs_enable="YES"
> export jail_semipublic_devfs_ruleset="devfsrules_jail"
>

Well I'm not entirely familiar w/ ezjail but I use jails all the time,
and I can tell you that /dev in jails is very limited, here's a /dev
jail of mine:

m...@spry9:~> ls -al /dev/
total 2
crw-rw-rw-  1 root  wheel    0,  58 Mar 27 03:02 crypto
dr-xr-xr-x  2 root  wheel       512 Mar 27 03:12 fd
dr-xr-xr-x  2 root  wheel       512 Mar 30 20:00 iso9660
lrwxr-xr-x  1 root  wheel        14 Mar 27 03:12 log -> ../var/run/log
crw-rw-rw-  1 root  wheel    0,  33 Apr  7 14:33 null
crw-rw-rw-  1 root  wheel    0,   7 Mar 27 03:02 ptmx
dr-xr-xr-x  2 root  wheel       512 Mar 27 03:22 pts
crw-rw-rw-  1 root  wheel    0,  10 Mar 27 11:12 random
lrwxr-xr-x  1 root  wheel         4 Mar 27 03:12 stderr -> fd/2
lrwxr-xr-x  1 root  wheel         4 Mar 27 03:12 stdin -> fd/0
lrwxr-xr-x  1 root  wheel         4 Mar 27 03:12 stdout -> fd/1
lrwxr-xr-x  1 root  wheel         6 Mar 27 03:12 urandom -> random
crw-rw-rw-  1 root  wheel    0,  34 Mar 27 03:02 zero
m...@spry9:~>

So I guess it's a configuration issue w/ your jails.

> - Sincerely,
> Dan Naumov
>



-- 
cheers
mars
-
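
The /dev listing in the message above shows the short set of nodes a jail is expected to see. As an added example (not code from the thread or from ezjail), this sh function compares a /dev directory against that list and flags anything extra; the function name, the disk-name patterns and the constructed demo directory are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from ezjail.
# Compare what a jail actually sees in /dev with the short list a restrictive
# devfs ruleset should leave visible. Run it inside the jail, or point it at
# the jail's dev directory from the host.

# Allow-list copied from the /dev listing in the message above.
JAIL_DEV_ALLOW="crypto fd iso9660 log null ptmx pts random stderr stdin stdout urandom zero"

# unexpected_dev_nodes [DEVDIR]   (hypothetical helper name)
#   stdout: one line per top-level entry that is not on the allow-list,
#           tagged "(disk-like)" when the name looks like a disk node
#   return: 0 = nothing unexpected, 1 = unexpected entries, 2 = bad DEVDIR
unexpected_dev_nodes() {
    udn_dir=${1:-/dev}
    udn_found=0
    if [ ! -d "$udn_dir" ]; then
        echo "not a directory: $udn_dir" >&2
        return 2
    fi
    for udn_path in "$udn_dir"/*; do
        # Skip the literal pattern left behind by an empty directory.
        [ -e "$udn_path" ] || [ -L "$udn_path" ] || continue
        udn_name=${udn_path##*/}
        case " $JAIL_DEV_ALLOW " in
            *" $udn_name "*) continue ;;      # expected node
        esac
        udn_found=1
        case $udn_name in
            # Assumption: ad*, ada* and da* cover the disk names on this
            # host; extend the pattern for other controllers.
            ad[0-9]*|ada[0-9]*|da[0-9]*) echo "$udn_name (disk-like)" ;;
            *)                            echo "$udn_name" ;;
        esac
    done
    return "$udn_found"
}

# Constructed demo: ordinary files stand in for device nodes so the check
# runs anywhere without touching a real /dev.
demo() {
    demo_dev=$(mktemp -d) || return 2
    mkdir "$demo_dev/fd" "$demo_dev/pts"
    touch "$demo_dev/null" "$demo_dev/zero" "$demo_dev/random" \
          "$demo_dev/ad4" "$demo_dev/ad4s1a" "$demo_dev/mem"
    if unexpected_dev_nodes "$demo_dev"; then
        echo "jail /dev matches the allow-list"
    else
        echo "review the devfs ruleset applied to this jail"
    fi
    rm -rf "$demo_dev"
}
demo
```
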


Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-06 Thread Dan Naumov
>> An additional question: how come "sade" and "sysinstall" which are run
>> inside the jail can see (and I can only assume they can also operate
>> on and damage) the real underlying disks of the host?
>>
>
> Disks (as well as others you have in your host's /dev) aren't visible
> inside jails.

Well, somehow they are on my system.

I guess I should've also clarified that the jail was installed using
ezjail and not completely manually

From /usr/local/etc/ezjail/semipublic

export jail_semipublic_devfs_enable="YES"
export jail_semipublic_devfs_ruleset="devfsrules_jail"

- Sincerely,
Dan Naumov


Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-06 Thread Mars G Miro
On Wed, Apr 7, 2010 at 5:43 AM, Dan Naumov  wrote:
> On Wed, Apr 7, 2010 at 12:37 AM, Glen Barber  wrote:
>> Hi Dan,
>>
>> Dan Naumov wrote:
>>> So, I want the basejail to only contain the world and link the ports
>>> tree from the host into each individual jail when it's time to update
>>> the ports inside them, but I am running into a bit of a bizarre issue:
>>> I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
>>> doesn't work if I try to mount_nullfs it to /usr/ports inside the
>>> jail:
>>>
>>> mount_nullfs /usr/ports/ /usr/ports2
>>>
>>> df -H | grep ports
>>> cerberus/usr-ports                34G    241M     34G     1%    /usr/ports
>>> cerberus/usr-ports-distfiles      34G      0B     34G     0%
>>> /usr/ports/distfiles
>>> cerberus/usr-ports-packages       34G      0B     34G     0%
>>> /usr/ports/packages
>>> /usr/ports                        34G    241M     34G     1%    /usr/ports2
>>>
>>> mount | grep ports
>>> cerberus/usr-ports on /usr/ports (zfs, local)
>>> cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
>>> cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
>>> /usr/ports on /usr/ports2 (nullfs, local)
>>>
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>>> mount_nullfs: /basejail: No such file or directory
>>>
>>> What is going on here? I also note that the error actually wants a
>>> /basejail on the host, which is even more bizarre:
>>>
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>>> mount_nullfs: /basejail: No such file or directory
>>>
>>> mkdir /basejail
>>>
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>>> mount_nullfs: /basejail/usr: No such file or directory
>>>
>>> Yet, this works:
>>>
>>> mkdir /usr/jails/semipublic/test
>>> mount_nullfs /usr/ports/ /usr/jails/semipublic/test
>>> umount /usr/jails/semipublic/test
>>>
>>> Any ideas?
>>>
>>>
>>
>> The ports directory in an ezjail is a link to /basejail/usr/ports (in the
>> jail).
>>
>> Breaking the link (from the host) allows the mount to work successfully.
>>
>> orion# ll usr/ports
>> lrwxr-xr-x  1 root  wheel  19 Mar  8 18:06 usr/ports -> /basejail/usr/ports
>> orion# unlink usr/ports
>> orion# mkdir usr/ports
>> orion# mount_nullfs /usr/ports usr/ports
>> orion#
>>
>> Regards,
>>
>> --
>> Glen Barber
>
> Thanks for the tip.
>
> An additional question: how come "sade" and "sysinstall" which are run
> inside the jail can see (and I can only assume they can also operate
> on and damage) the real underlying disks of the host?
>

Disks (as well as others you have in your host's /dev) aren't visible
inside jails.

> - Sincerely
> Dan Naumov
> ___
> freebsd-j...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
>



-- 
cheers
mars
-


Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-06 Thread Dan Naumov
On Wed, Apr 7, 2010 at 12:37 AM, Glen Barber  wrote:
> Hi Dan,
>
> Dan Naumov wrote:
>> So, I want the basejail to only contain the world and link the ports
>> tree from the host into each individual jail when it's time to update
>> the ports inside them, but I am running into a bit of a bizarre issue:
>> I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
>> doesn't work if I try to mount_nullfs it to /usr/ports inside the
>> jail:
>>
>> mount_nullfs /usr/ports/ /usr/ports2
>>
>> df -H | grep ports
>> cerberus/usr-ports                34G    241M     34G     1%    /usr/ports
>> cerberus/usr-ports-distfiles      34G      0B     34G     0%
>> /usr/ports/distfiles
>> cerberus/usr-ports-packages       34G      0B     34G     0%
>> /usr/ports/packages
>> /usr/ports                        34G    241M     34G     1%    /usr/ports2
>>
>> mount | grep ports
>> cerberus/usr-ports on /usr/ports (zfs, local)
>> cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
>> cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
>> /usr/ports on /usr/ports2 (nullfs, local)
>>
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>> mount_nullfs: /basejail: No such file or directory
>>
>> What is going on here? I also note that the error actually wants a
>> /basejail on the host, which is even more bizarre:
>>
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>> mount_nullfs: /basejail: No such file or directory
>>
>> mkdir /basejail
>>
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
>> mount_nullfs: /basejail/usr: No such file or directory
>>
>> Yet, this works:
>>
>> mkdir /usr/jails/semipublic/test
>> mount_nullfs /usr/ports/ /usr/jails/semipublic/test
>> umount /usr/jails/semipublic/test
>>
>> Any ideas?
>>
>>
>
> The ports directory in an ezjail is a link to /basejail/usr/ports (in the
> jail).
>
> Breaking the link (from the host) allows the mount to work successfully.
>
> orion# ll usr/ports
> lrwxr-xr-x  1 root  wheel  19 Mar  8 18:06 usr/ports -> /basejail/usr/ports
> orion# unlink usr/ports
> orion# mkdir usr/ports
> orion# mount_nullfs /usr/ports usr/ports
> orion#
>
> Regards,
>
> --
> Glen Barber

Thanks for the tip.

An additional question: how come "sade" and "sysinstall" which are run
inside the jail can see (and I can only assume they can also operate
on and damage) the real underlying disks of the host?

- Sincerely
Dan Naumov


Re: bizarre mount_nullfs issue with jails / ezjail

2010-04-06 Thread Glen Barber
Hi Dan,

Dan Naumov wrote: 
> So, I want the basejail to only contain the world and link the ports
> tree from the host into each individual jail when it's time to update
> the ports inside them, but I am running into a bit of a bizarre issue:
> I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
> doesn't work if I try to mount_nullfs it to /usr/ports inside the
> jail:
> 
> mount_nullfs /usr/ports/ /usr/ports2
> 
> df -H | grep ports
> cerberus/usr-ports                34G    241M     34G     1%    /usr/ports
> cerberus/usr-ports-distfiles      34G      0B     34G     0%    /usr/ports/distfiles
> cerberus/usr-ports-packages       34G      0B     34G     0%    /usr/ports/packages
> /usr/ports                        34G    241M     34G     1%    /usr/ports2
> 
> mount | grep ports
> cerberus/usr-ports on /usr/ports (zfs, local)
> cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
> cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
> /usr/ports on /usr/ports2 (nullfs, local)
> 
> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
> mount_nullfs: /basejail: No such file or directory
> 
> What is going on here? I also note that the error actually wants a
> /basejail on the host, which is even more bizarre:
> 
> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
> mount_nullfs: /basejail: No such file or directory
> 
> mkdir /basejail
> 
> mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
> mount_nullfs: /basejail/usr: No such file or directory
> 
> Yet, this works:
> 
> mkdir /usr/jails/semipublic/test
> mount_nullfs /usr/ports/ /usr/jails/semipublic/test
> umount /usr/jails/semipublic/test
> 
> Any ideas?
> 
> 

The ports directory in an ezjail is a link to /basejail/usr/ports (in the
jail).

Breaking the link (from the host) allows the mount to work successfully.

orion# ll usr/ports 
lrwxr-xr-x  1 root  wheel  19 Mar  8 18:06 usr/ports -> /basejail/usr/ports
orion# unlink usr/ports 
orion# mkdir usr/ports
orion# mount_nullfs /usr/ports usr/ports
orion#

Regards,

-- 
Glen Barber
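
The failure explained above comes from running mount_nullfs on the host against a path whose last component is a symlink meant to be resolved inside the jail. The sh function below is an added example, not part of the thread or of ezjail: it walks a mount target under a jail root and reports the first symlink component before anything is mounted. The function name and the constructed demo tree are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from ezjail.
# Host-side tools resolve an absolute symlink found in a jail's tree against
# the HOST root, not the jail root. This check walks a mount target under a
# jail root and reports the first component that is a symlink, so it can be
# reviewed before mount_nullfs (or any other host-side tool) follows it.

# find_symlink_component JAILROOT RELPATH   (hypothetical helper name)
#   stdout: "<path relative to JAILROOT> -> <link target>" for the first symlink
#   return: 0 = no symlink component, 1 = symlink found, 2 = bad arguments
find_symlink_component() {
    fsc_root=${1%/}
    fsc_rest=$2
    fsc_cur=$fsc_root
    if [ ! -d "$fsc_root" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    case $fsc_rest in
        /*) echo "RELPATH must be relative to the jail root" >&2; return 2 ;;
    esac
    while [ -n "$fsc_rest" ]; do
        fsc_part=${fsc_rest%%/*}              # next component
        case $fsc_rest in
            */*) fsc_rest=${fsc_rest#*/} ;;   # drop it from the remainder
            *)   fsc_rest= ;;
        esac
        case $fsc_part in
            ''|.) continue ;;                 # empty ("a//b") or "."
            ..)   echo "'..' is not allowed in RELPATH" >&2; return 2 ;;
        esac
        fsc_cur=$fsc_cur/$fsc_part
        if [ -L "$fsc_cur" ]; then
            fsc_target=$(readlink "$fsc_cur")
            echo "${fsc_cur#"$fsc_root"/} -> $fsc_target"
            case $fsc_target in
                /*) echo "host resolves it to $fsc_target;" \
                         "inside the jail it means $fsc_root$fsc_target" >&2 ;;
            esac
            return 1
        fi
    done
    return 0
}

# Constructed demo tree mirroring the thread: usr/ports is an absolute
# symlink to /basejail/usr/ports, test is a plain directory.
demo() {
    demo_dir=$(mktemp -d) || return 2
    mkdir -p "$demo_dir/semipublic/usr" "$demo_dir/semipublic/test"
    ln -s /basejail/usr/ports "$demo_dir/semipublic/usr/ports"
    for demo_rel in usr/ports test; do
        if find_symlink_component "$demo_dir/semipublic" "$demo_rel"; then
            echo "ok: $demo_rel has no symlink component"
        else
            echo "refusing to mount on $demo_rel"
        fi
    done
    rm -rf "$demo_dir"
}
demo
```
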


bizarre mount_nullfs issue with jails / ezjail

2010-04-06 Thread Dan Naumov
So, I want the basejail to only contain the world and link the ports
tree from the host into each individual jail when it's time to update
the ports inside them, but I am running into a bit of a bizarre issue:
I can mount_nullfs /usr/ports elsewhere on the host just fine, but it
doesn't work if I try to mount_nullfs it to /usr/ports inside the
jail:

mount_nullfs /usr/ports/ /usr/ports2

df -H | grep ports
cerberus/usr-ports                34G    241M     34G     1%    /usr/ports
cerberus/usr-ports-distfiles      34G      0B     34G     0%    /usr/ports/distfiles
cerberus/usr-ports-packages       34G      0B     34G     0%    /usr/ports/packages
/usr/ports                        34G    241M     34G     1%    /usr/ports2

mount | grep ports
cerberus/usr-ports on /usr/ports (zfs, local)
cerberus/usr-ports-distfiles on /usr/ports/distfiles (zfs, local)
cerberus/usr-ports-packages on /usr/ports/packages (zfs, local)
/usr/ports on /usr/ports2 (nullfs, local)

mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
mount_nullfs: /basejail: No such file or directory

What is going on here? I also note that the error actually wants a
/basejail on the host, which is even more bizarre:

mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
mount_nullfs: /basejail: No such file or directory

mkdir /basejail

mount_nullfs /usr/ports/ /usr/jails/semipublic/usr/ports
mount_nullfs: /basejail/usr: No such file or directory

Yet, this works:

mkdir /usr/jails/semipublic/test
mount_nullfs /usr/ports/ /usr/jails/semipublic/test
umount /usr/jails/semipublic/test

Any ideas?


- Sincerely,
Dan Naumov


Re: ezjail

2010-03-23 Thread Aiza

Aiza wrote:
> Ruben de Groot wrote:
>> On Mon, Mar 22, 2010 at 11:23:54AM +0100, Dhénin Jean-Jacques typed:
>>
>>>>> on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to
>>>>> 10.0.20.30 the ftp jail gives me no connection error.
>>
>>> add
>>>
>>> sysctl security.jail.allow_raw_sockets=1
>>> or in /etc/sysctl.conf
>>> on the host (not in the jail)
>>
>> This will enable him to ping another host from within the jail. It
>> won't do anything for ftp.
>>
>> OP: what exact error do you get? And does ftp work *within* the jail
>> (ftp localhost)?
>
> with sysctl security.jail.allow_raw_sockets=1  done on the host. From
> within the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives
> me socket: Operation not permitted mesg.
>
> And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives me no connection
> error.
>
> Just how am I to determine if ftp work *within* the jail ftp localhost?

For the archives. These are the results from the original poster.
My original goal was to test jails on the gateway for access only from
the lan users. I wanted a jailed ftp service for LAN users to upload
and download stuff between themselves. I already have a working lan
users ftp setup on the gateway server so this jail setup is not really
needed. So it's not a problem of knowing how to setup ftp. My main
vehicle of jail management was ezjail. Did not play with the native jail
command. The final outcome is I could not get jails to communicate over
the private LAN. Seeing as jails design uses public ip address, it's
little wonder it won't work with private LAN ip address. In time jails
and ezjail will mature and maybe evolve into working with jails with
private ip address. But for now jails don't serve my purposes.




Re: ezjail

2010-03-22 Thread Ruben de Groot
On Mon, Mar 22, 2010 at 08:40:58PM +0800, Aiza typed:
> >
> >This will enable him to ping another host from within the jail. It won't
> >do anything for ftp.
> >
> >OP: what exact error do you get? And does ftp work *within* the jail
> >(ftp localhost)?
> 
> with sysctl security.jail.allow_raw_sockets=1  done on the host. From 
> within the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives 
> me socket: Operation not permitted mesg.

weird. did you actually execute the sysctl statement or just put it in 
/etc/sysctl.conf?

> And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives me no connection 
> error.

This is not helpful. Copy/paste the exact error message (and what you did.
We are not psychics).

> Just how am I to determine if ftp work *within* the jail ftp localhost?

As I said: from within the jail, execute the command "ftp localhost". No rocket
science involved.


Re: ezjail

2010-03-22 Thread Boris Samorodov
Aiza  writes:

> Now I would like to play with jails. One for postfix, apache, and ftp.
> My reading of EZJAIL and the jails section of the handbook lead me to
> believe I need a unique IP address for each jail. Is that correct?

No. As long as you use different ports for different jails/services
you may use one ip-address for those jails:
-
% jls
   JID  IP Address      Hostname      Path
     1  192.168.100.10  ftp.xxx.ru    /jails/ftp.xxx.ru
     2  192.168.100.10  mx.xxx.ru     /jails/mx.xxx.ru
     3  192.168.100.10  http.xxx.ru   /jails/http.xxx.ru
-

-- 
WBR, bsam


Re: ezjail

2010-03-22 Thread Aiza

Ruben de Groot wrote:
> On Mon, Mar 22, 2010 at 11:23:54AM +0100, Dhénin Jean-Jacques typed:
>
>>>> on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to
>>>> 10.0.20.30 the ftp jail gives me no connection error.
>
>> add
>>
>> sysctl security.jail.allow_raw_sockets=1
>> or in /etc/sysctl.conf
>> on the host (not in the jail)
>
> This will enable him to ping another host from within the jail. It won't
> do anything for ftp.
>
> OP: what exact error do you get? And does ftp work *within* the jail
> (ftp localhost)?

with sysctl security.jail.allow_raw_sockets=1  done on the host. From
within the jail did ping -c 2 10.0.10.6 which is a pc on the lan gives
me socket: Operation not permitted mesg.

And ftp from 10.0.10.6 to 10.0.20.30 the ftp jail gives me no connection
error.

Just how am I to determine if ftp work *within* the jail ftp localhost?


Re: ezjail

2010-03-22 Thread Ruben de Groot
On Mon, Mar 22, 2010 at 11:23:54AM +0100, Dhénin Jean-Jacques typed:

> > > on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to
> > > 10.0.20.30 the ftp jail gives me no connection error.

> add
>
> sysctl security.jail.allow_raw_sockets=1
> or in /etc/sysctl.conf
> on the host (not in the jail)

This will enable him to ping another host from within the jail. It won't
do anything for ftp.

OP: what exact error do you get? And does ftp work *within* the jail
(ftp localhost)?


Re: ezjail

2010-03-22 Thread Dhénin Jean-Jacques
2010/3/22 Ruben de Groot 

>
> >
> > My host 8.0 system is the gateway to the public internet.
> > I have ipfilter running blocking all inbound request for service.
> > I only allow out bound request from the LAN behind the gateway and use
> > keep state to allow the packet conversation to continue. All this has
> > worked fine for years across many releases of Freebsd.
> >
> > Now comes playing with jails. I created 3 jails, www, ftp, telnet and
> > used ip address of 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to
> > target those jails from other PC on the private LAN who are using ip
> > address in the 10.0.10.2 through 10.0.10.8 range.
> >
> > I used ezjail-admin onestart and all the jails start. Then did
> > ezjail-admin console ftp.local.com and got logged into that jail. Edited
> > /etc/inetd.conf and uncommented the ftp line. Edited /etc/rc.conf adding
> > inetd_enable="YES" exited the ftp jail. Did ezjail-admin onestop
> > followed by ezjail-admin onestart to cycle the ftp jail to activate the
> > ftp function. ezjail-admin console ftp.local.com to get logged into that
> > jail again. From within the jail did ping -c 2 10.0.10.6 which is a pc
> > on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to
> > 10.0.20.30 the ftp jail gives me no connection error.
> >
> > What is the problem here?
>
>
> How are we supposed to know?
>
> Ruben
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscr...@freebsd.org"
>

add

sysctl security.jail.allow_raw_sockets=1

or in /etc/sysctl.conf

on the host (not in the jail)

Cordialement

-
(°>   Dhénin Jean-Jacques
/ ) 48, rue de la Justice 78300 Poissy
^^   jean-jacq...@dhenin.fr
-


Re: ezjail

2010-03-22 Thread Ruben de Groot
On Mon, Mar 22, 2010 at 05:47:09PM +0800, Aiza typed:
> Mark Shroyer wrote:
> >On 3/21/2010 8:21 PM, Aiza wrote:
> >>Does the ip address notation for the jail include the port number?
> >>Like 10.0.20.2:80 Nat port forwarding is the long way around just to get
> >>the correct port number to the jail ip address.
> >
> >Nope, jails are assigned one (or more) specific IP addresses, but not
> >specific port numbers.  So if you don't have a separate public IP for
> >your jail, you'll be relying on some sort of packet filter to redirect
> >traffic to its private IP address.
> >
> >This isn't as big a deal as it may sound, especially if you're already
> >using PF, which has built-in packet redirection capabilities that do not
> >require you to run a separate NAT daemon.
> >
> >
> 
> My host 8.0 system is the gateway to the public internet.
> I have ipfilter running blocking all inbound request for service.
> I only allow out bound request from the LAN behind the gateway and use 
> keep state to allow the packet conversation to continue. All this has 
> worked fine for years across many releases of Freebsd.
> 
> Now comes playing with jails. I created 3 jails, www, ftp, telnet and 
> used ip address of 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to 
> target those jails from other PC on the private LAN who are using ip 
> address in the 10.0.10.2 through 10.0.10.8 range.
> 
> I used ezjail-admin onestart and all the jails start. Then did 
> ezjail-admin console ftp.local.com and got logged into that jail. Edited 
> /etc/inetd.conf and uncommented the ftp line. Edited /etc/rc.conf adding 
> inetd_enable="YES" exited the ftp jail. Did ezjail-admin onestop 
> followed by ezjail-admin onestart to cycle the ftp jail to activate the 
> ftp function. ezjail-admin console ftp.local.com to get logged into that 
> jail again. From within the jail did ping -c 2 10.0.10.6 which is a pc 
> on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to 
> 10.0.20.30 the ftp jail gives me no connection error.
> 
> What is the problem here?

How are we supposed to know?

Ruben



Re: ezjail

2010-03-22 Thread Aiza

Mark Shroyer wrote:
> On 3/21/2010 8:21 PM, Aiza wrote:
>> Does the ip address notation for the jail include the port number?
>> Like 10.0.20.2:80 Nat port forwarding is the long way around just to get
>> the correct port number to the jail ip address.
>
> Nope, jails are assigned one (or more) specific IP addresses, but not
> specific port numbers.  So if you don't have a separate public IP for
> your jail, you'll be relying on some sort of packet filter to redirect
> traffic to its private IP address.
>
> This isn't as big a deal as it may sound, especially if you're already
> using PF, which has built-in packet redirection capabilities that do not
> require you to run a separate NAT daemon.

My host 8.0 system is the gateway to the public internet.
I have ipfilter running blocking all inbound request for service.
I only allow out bound request from the LAN behind the gateway and use 
keep state to allow the packet conversation to continue. All this has 
worked fine for years across many releases of Freebsd.


Now comes playing with jails. I created 3 jails, www, ftp, telnet and 
used ip address of 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to 
target those jails from other PC on the private LAN who are using ip 
address in the 10.0.10.2 through 10.0.10.8 range.


I used ezjail-admin onestart and all the jails start. Then did 
ezjail-admin console ftp.local.com and got logged into that jail. Edited 
/etc/inetd.conf and uncommented the ftp line. Edited /etc/rc.conf adding 
inetd_enable="YES" exited the ftp jail. Did ezjail-admin onestop 
followed by ezjail-admin onestart to cycle the ftp jail to activate the 
ftp function. ezjail-admin console ftp.local.com to get logged into that 
jail again. From within the jail did ping -c 2 10.0.10.6 which is a pc 
on the lan gives me no sockets mesg. And ftp from 10.0.10.6 to 
10.0.20.30 the ftp jail gives me no connection error.


What is the problem here?



Re: ezjail

2010-03-21 Thread Aiza



>> I found the man ezjail-admin has this format
>> ezjail-admin install -h file://   Where -h file:// means get the
>> binaries from the host system the jails are running on.  Am I correct?
>
> Yes, according to the man page.  I haven't tried it yet myself, since I
> set up my basejail before this option was available.




Well I tried it. The man page does not explain it clearly. What the -h
really means is the -h file:// is the location for the release-8.0/base/ 
files.
These files are not part of the base release directory tree that are 
part of the running system. They are only on the .iso install image such 
as the disc1.iso.


I mounted the Release 8.0 disc1 install cd and changed into directory
cd /cdrom/8.0-RELEASE
and issued
ezjail-admin install -h file://
it ran creating 3 jails, /usr/jails/basejail, /usr/jails/newjail, 
/usr/jails/flavours.


This is not the same as copying the binaries from the host system.
Next step is to ID directory names in the basejail and recreate basejail 
using the cpdup command to copy the host binaries. I see 2 questionable 
directories in the basejail, boot and rescue. Can I remove them from the 
basejail?




Re: ezjail

2010-03-21 Thread Mark Shroyer
On 3/21/2010 8:21 PM, Aiza wrote:
> Does the ip address notation for the jail include the port number?
> Like 10.0.20.2:80 Nat port forwarding is the long way around just to get
> the correct port number to the jail ip address.

Nope, jails are assigned one (or more) specific IP addresses, but not
specific port numbers.  So if you don't have a separate public IP for
your jail, you'll be relying on some sort of packet filter to redirect
traffic to its private IP address.

This isn't as big a deal as it may sound, especially if you're already
using PF, which has built-in packet redirection capabilities that do not
require you to run a separate NAT daemon.

> I found the man ezjail-admin has this format
> ezjail-admin install -h file://   Where -h file:// means get the
> binaries from the host system the jails are running on.  Am I correct?

Yes, according to the man page.  I haven't tried it yet myself, since I
set up my basejail before this option was available.

> My understanding of handbook section 15.6 Application of Jails
> (service jails)is a copy of the host binaries is populated into the
> basejail and all the other jails have read only access to it. Each guest
> jail also has a read/write space for installing ports/packages unique to
> that jail including /var /usr /etc.  Am I correct? Is this how ezjail is
> configured now?

Yes, that's correct.

-- 
Mark Shroyer
http://markshroyer.com/contact/


Re: ezjail

2010-03-21 Thread Aiza

Mark Shroyer wrote:

On 3/21/2010 1:10 AM, Aiza wrote:

I don't have sources installed on my system. Just use the binary
Freebsd-update function. At new releases I do a clean install.
I only have a single public IP address.

Now I would like to play with jails. One for postfix, apache, and ftp.
My reading of EZJAIL and the jails section of the handbook lead me to
believe I need a unique IP address for each jail. Is that correct?


Yes.  But if you have only one public IP address, you can give the jail
a loopback interface with an address in 127.0.0/24 or one of the RFC
1918 private blocks (there's some debate as to which is the more
"correct" type of address to use, but either will work), then use NAT if
you need your jail to be able to access the Internet.

If it helps you to reason about this, keep in mind that your jail does
*not* have its own virtualized network stack, like with Solaris Zones
for instance.  The best way to think about your jails is as a group of
processes running on the same operating system as the host, just with
the restriction that (among other things) they can only communicate with
the outside world using a limited subset of the IP addresses available
to non-jailed processes.


Does the ip address notation for the jail include the port number?
Like 10.0.20.2:80 Nat port forwarding is the long way around just to get 
the correct port number to the jail ip address.




I have no need to build world or install world because it does this from
/usr/src which i don't install. Is there some EZJAIL option to just copy
over the running system binaries instead of the sources?


Until recently, the method for creating ezjail's "basejail" was to issue
the "ezjail-admin update" command, which compiles the basejail from
/usr/src.  Just recently an "ezjail-admin install" command was added,
which downloads binaries from a FreeBSD FTP server instead.  So you
shouldn't need sources to get started, however I'm not sure what the
update mechanism is if you use the install command.



I found the man ezjail-admin has this format
ezjail-admin install -h file://   Where -h file:// means get the 
binaries from the host system the jails are running on.  Am I correct?




The handbook "15.4 Creating and Controlling Jails" talks about
“complete” jails, which resemble a real FreeBSD system, and “service”
jails, dedicated to one application or service. Section 15.4 is the
procedure for building a "complete jail" using the jail command.

The 15.6 Application of Jails (service jails) talks about creating a
root skeleton containing the host running files which are shared with
all the guest jails in read only mode. This eliminates the massive
duplication of running system files in each jail as in the complete jail
system talked about in handbook section "15.4 Creating and Controlling
Jails".

Now reading the ezjail man pages I see that ezjail also creates a base
template that is shared between all jails. Is this the same method
talked about in the handbook section 15.6 Application of Jails (service
jail)?


It's essentially the same approach.  (With ezjail you'll still be
duplicating binaries between the host system and the basejail, but I
wouldn't lose sleep over it.)



My understanding of handbook section 15.6 Application of Jails
(service jails) is that a copy of the host binaries is populated into the
basejail and all the other jails have read only access to it. Each guest 
jail also has a read/write space for installing ports/packages unique to 
that jail including /var /usr /etc.  Am I correct? Is this how ezjail is 
configured now?





Re: ezjail

2010-03-21 Thread Vincent Hoffman
On 21/03/2010 21:53, Mark Shroyer wrote:

> Until recently, the method for creating ezjail's "basejail" was to issue
> the "ezjail-admin update" command, which compiles the basejail from
> /usr/src.  Just recently an "ezjail-admin install" command was added,
> which downloads binaries from a FreeBSD FTP server instead.  So you
> shouldn't need sources to get started, however I'm not sure what the
> update mechanism is if you use the install command.
>
>   
you can use
ezjail-admin update -u
which uses freebsd-update, for some reason this isn't in the manpage.


Vince



Re: ezjail

2010-03-21 Thread Michael Powell
Mark Shroyer wrote:

> On 3/21/2010 1:10 AM, Aiza wrote:
>> I don't have sources installed on my system. Just use the binary
>> Freebsd-update function. At new releases I do a clean install.
>> I only have a single public IP address.
>> 
>> Now I would like to play with jails. One for postfix, apache, and ftp.
>> My reading of EZJAIL and the jails section of the handbook lead me to
>> believe I need a unique IP address for each jail. Is that correct?
> 
> Yes.  But if you have only one public IP address, you can give the jail
> a loopback interface with an address in 127.0.0/24 or one of the RFC
> 1918 private blocks (there's some debate as to which is the more
> "correct" type of address to use, but either will work), then use NAT if
> you need your jail to be able to access the Internet.
> 
> If it helps you to reason about this, keep in mind that your jail does
> *not* have its own virtualized network stack, like with Solaris Zones
> for instance.  The best way to think about your jails is as a group of
> processes running on the same operating system as the host, just with
> the restriction that (among other things) they can only communicate with
> the outside world using a limited subset of the IP addresses available
> to non-jailed processes.
>

You might find the below interesting. Only just begun reading/studying it 
myself.

http://www.freebsd.org/releases/8.0R/relnotes-detailed.html#KERNEL
 
[snip]

-Mike
 




Re: ezjail

2010-03-21 Thread Mark Shroyer
On 3/21/2010 1:10 AM, Aiza wrote:
> I don't have sources installed on my system. Just use the binary
> Freebsd-update function. At new releases I do a clean install.
> I only have a single public IP address.
> 
> Now I would like to play with jails. One for postfix, apache, and ftp.
> My reading of EZJAIL and the jails section of the handbook lead me to
> believe I need a unique IP address for each jail. Is that correct?

Yes.  But if you have only one public IP address, you can give the jail
a loopback interface with an address in 127.0.0/24 or one of the RFC
1918 private blocks (there's some debate as to which is the more
"correct" type of address to use, but either will work), then use NAT if
you need your jail to be able to access the Internet.

If it helps you to reason about this, keep in mind that your jail does
*not* have its own virtualized network stack, like with Solaris Zones
for instance.  The best way to think about your jails is as a group of
processes running on the same operating system as the host, just with
the restriction that (among other things) they can only communicate with
the outside world using a limited subset of the IP addresses available
to non-jailed processes.

> I have no need to build world or install world because it does this from
> /usr/src which I don't install. Is there some EZJAIL option to just copy
> over the running system binaries instead of the sources?

Until recently, the method for creating ezjail's "basejail" was to issue
the "ezjail-admin update" command, which compiles the basejail from
/usr/src.  Just recently an "ezjail-admin install" command was added,
which downloads binaries from a FreeBSD FTP server instead.  So you
shouldn't need sources to get started, however I'm not sure what the
update mechanism is if you use the install command.

> The handbook "15.4 Creating and Controlling Jails" talks about
> “complete” jails, which resemble a real FreeBSD system, and “service”
> jails, dedicated to one application or service. Section 15.4 is the
> procedure for building a "complete jail" using the jail command.
> 
> The 15.6 Application of Jails (service jails) talks about creating a
> root skeleton containing the host running files which are shared with
> all the guest jails in read only mode. This eliminates the massive
> duplication of running system files in each jail as in the complete jail
> system talked about in handbook section "15.4 Creating and Controlling
> Jails".
> 
> Now reading the ezjail man pages I see that ezjail also creates a base
> template that is shared between all jails. Is this the same method
> talked about in the handbook section 15.6 Application of Jails (service
> jail)?

It's essentially the same approach.  (With ezjail you'll still be
duplicating binaries between the host system and the basejail, but I
wouldn't lose sleep over it.)

-- 
Mark Shroyer
http://markshroyer.com/contact/
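
Added example (not part of the original thread and not ezjail's own code): an sh script that emits the rc.conf and pf.conf lines for the loopback-plus-NAT layout described in the reply above, refusing any jail address that is not loopback or RFC 1918. The jail names, the 10.0.20.x addresses, the ports, the interface names em0 and lo1, and the choice of pf as the NAT engine are assumptions.

```shell
#!/bin/sh
# Added example: emit rc.conf and pf.conf lines for jails that sit on a cloned
# loopback interface behind one public address. All names, addresses and ports
# below are constructed; pf as the NAT engine is an assumption.

# Constructed jail table: name, jail address, inbound TCP ports (comma list).
# A jail is given an address only; ports are mapped by the rdr rules.
JAILS='mail 10.0.20.2 25
www 10.0.20.3 80,443'

# is_private_v4 ADDR: succeed for 127.0.0.0/8 and the RFC 1918 blocks.
is_private_v4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case $1 in
        10|127) return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *) return 1 ;;
    esac
}

# emit_rc_conf LO_IF: read the jail table on stdin, print rc.conf lines that
# clone the loopback interface and add one /32 alias per jail.
emit_rc_conf() {
    lo_if=$1
    n=0
    printf 'cloned_interfaces="%s"\n' "$lo_if"
    while read -r name addr ports; do
        [ -n "$name" ] || continue
        if ! is_private_v4 "$addr"; then
            echo "jail $name: $addr is not loopback or RFC 1918" >&2
            return 1
        fi
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.255"\n' \
            "$lo_if" "$n" "$addr"
        n=$((n + 1))
    done
    printf 'pf_enable="YES"\n'
}

# emit_pf_conf EXT_IF: read the jail table on stdin, print pf translation
# rules: outbound NAT per jail, one rdr per published TCP port.
# Filter rules (pass/block) are not generated here.
emit_pf_conf() {
    ext_if=$1
    printf 'ext_if="%s"\n' "$ext_if"
    while read -r name addr ports; do
        [ -n "$name" ] || continue
        if ! is_private_v4 "$addr"; then
            echo "jail $name: $addr is not loopback or RFC 1918" >&2
            return 1
        fi
        printf '# jail %s\n' "$name"
        printf 'nat on $ext_if inet from %s to any -> ($ext_if)\n' "$addr"
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            case $p in
                ''|*[!0-9]*) echo "jail $name: bad port $p" >&2; return 1 ;;
            esac
            printf 'rdr on $ext_if inet proto tcp from any to ($ext_if) port %s -> %s port %s\n' \
                "$p" "$addr" "$p"
        done
    done
}

# Usage: sh jailnet.sh pf em0    or    sh jailnet.sh rc lo1
case ${1:-} in
    pf) printf '%s\n' "$JAILS" | emit_pf_conf "$2" ;;
    rc) printf '%s\n' "$JAILS" | emit_rc_conf "$2" ;;
esac
```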


ezjail

2010-03-20 Thread Aiza
I don't have sources installed on my system. Just use the binary 
Freebsd-update function. At new releases I do a clean install.

I only have a single public IP address.

Now I would like to play with jails. One for postfix, apache, and ftp.
My reading of EZJAIL and the jails section of the handbook lead me to 
believe I need a unique IP address for each jail. Is that correct?


I have no need to build world or install world because it does this from
/usr/src which I don't install. Is there some EZJAIL option to just copy
over the running system binaries instead of the sources?


The handbook "15.4 Creating and Controlling Jails" talks about 
“complete” jails, which resemble a real FreeBSD system, and “service” 
jails, dedicated to one application or service. Section 15.4 is the 
procedure for building a "complete jail" using the jail command.


The 15.6 Application of Jails (service jails) talks about creating a 
root skeleton containing the host running files which are shared with 
all the guest jails in read only mode. This eliminates the massive 
duplication of running system files in each jail as in the complete jail 
system talked about in handbook section "15.4 Creating and Controlling 
Jails".



Now reading the ezjail man pages I see that ezjail also creates a base 
template that is shared between all jails. Is this the same method 
talked about in the handbook section 15.6 Application of Jails (service 
jail)?










Re: ezjail bsd 8.0

2009-12-19 Thread Dominik Ernst
On Fri, 18 Dec 2009 12:44:51 -
"Graeme Dargie"  wrote:

> I am trying to get ezjail running on bsd 8.0 and I keep hitting the
> same wall
>
> FreeBSD amalthea.galaxy.lan.lcl 8.0-RELEASE FreeBSD 8.0-RELEASE #0:
> Sat Nov 21 15:02:08 UTC 2009 /usr/obj/usr/src/sys/GENERIC  amd64
>
> I have updated /usr/src using csup
>
> When I issue a ezjail-admin update -ip
>
> It runs for a while then dies with
>
> >>> Installing everything
> --
> cd /usr/src; make -f Makefile.inc1 install
> ===> share/info (install)
> install -o root -g wheel -m 444  dir-tmpl
> /usr/jails/fulljail/usr/share/info/dir
> install:No such file or directory
> *** Error code 1
>
> Stop in /usr/src/share/info.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Now I suspect it is something stupid I have done or not done but I
> can't seem to see what it is.
>
> Regards
>
> Graeme



Did you do 

make buildworld 

in /usr/src after csup?





ezjail bsd 8.0

2009-12-18 Thread Graeme Dargie
I am trying to get ezjail running on bsd 8.0 and I keep hitting the same
wall

FreeBSD amalthea.galaxy.lan.lcl 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat
Nov 21 15:02:08 UTC 2009 /usr/obj/usr/src/sys/GENERIC  amd64

I have updated /usr/src using csup

When I issue a ezjail-admin update -ip

It runs for a while then dies with

>>> Installing everything
--
cd /usr/src; make -f Makefile.inc1 install
===> share/info (install)
install -o root -g wheel -m 444  dir-tmpl
/usr/jails/fulljail/usr/share/info/dir
install:No such file or directory
*** Error code 1

Stop in /usr/src/share/info.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Now I suspect it is something stupid I have done or not done but I can't
seem to see what it is.

Regards

Graeme



Re: Ezjail, Perl, upgrading & best practices advise please

2009-10-02 Thread Tim Judd
On 10/2/09, Troy Kocher  wrote:
> All,
> Couple issues:
> 1) I need some understanding on how to deploy and upgrade perl
> properly in this jailed environment.
> 2) I need some help on my current tangle of Perl library complaints
>
> Issue #1: In a jailed environment how many installations of perl are
> recommended (ie 1 host system 2 basejail 3 each jail) ?  My sense
> would be that one on the host and one in the basejail, would be the
> most efficient.  If that is the case how do I upgrade the perl in the
> basejail?  How do I handle different versions of perl installed in
> each of the jails?

Your questions indicate you setup a base jail and nullfs mount the
points to the other jails.  Although it is written it can be done, I
have to ask why you decided to do it this way?  base distribution only
takes about 128MB of disk space, and nearly nothing for RAM (by
today's disk and RAM sizes).

I recommend each jail have their own world installed, preferably the
same world because since the jails share the world with the hosts'
kernel, and world+kernel must be kept in sync, setup a host on
release, and all jails on a release too.  I'm currently experimenting
(for fun) a -stable host, and -release jails, which is unsupported.


It gets a tad annoying when you manage multiple jails that it has no
concept of already built ports and to use them, so I find myself
cancelling out of a lot of builds to install the package created from
another jail.


> Issue #2:  My lack of understanding has me in a mess currently.  My
> host environment is using (perl-threaded-5.8.9_3), in jail #1 I have
> (perl-5.8.9_3) when I try to use cpan here is what happens:
>
> jail1#perl -MCPAN -e 'shell'
> Terminal does not support AddHistory.
> cpan shell -- CPAN exploration and modules installation (v1.9301)
> ReadLine support available (maybe install Bundle::CPAN or Bundle::CPANxxl?)
> print() on closed filehandle FOUT at
> /usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 193.
> readline() on closed filehandle FIN at
> /usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 301.
> print() on closed filehandle FOUT at
> /usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 203.
> Terminal does not support GetHistory.
> Lockfile removed.

Can't comment on this, seems a missing dependency and other problems.

> In Jail #2 another issue. . :
>
> jail2#pkg_info |grep perl
> mod_perl2-2.0.3_3,3 Embeds a Perl interpreter in the Apache2 server
> p5-DBI-1.60.1   The perl5 Database Interface.  Required for DBD::*
> modules
> p5-Devel-Symdump-2.0800 A perl5 module that dumps symbol names or the
> symbol table
> p5-Error-0.17012Perl module to provide Error/exception support for perl:
> Er
> p5-GD-2.35_1A perl5 interface to Gd Graphics Library version2
> p5-GD-Graph-1.44.01_1 Graph plotting module for perl5
> p5-MIME-Tools-5.426,2 A set of perl5 modules for MIME
> p5-Scalar-List-Utils-1.19,1 Perl subroutines that would be nice to
> have in the perl cor
> p5-Storable-2.18Persistency for perl data structures
> p5-Term-ReadKey-2.30 A perl5 module for simple terminal control
> p5-Test-Harness-3.10 Run perl standard test scripts with statistics
> p5-Test-Simple-0.80 Basic utilities for writing tests in perl
> p5-Time-HiRes-1.9712,1 A perl5 module implementing High resolution
> time, sleep, an
> perl-5.8.8_1
>
> then I try cpan
> jail2# perl -MCPAN -e 'shell'
> /libexec/ld-elf.so.1: Shared object "libm.so.4" not found, required by
> "perl"

A jail that has been updated from (for example) a 6.x release to a 7.x
release with ports from 6.x will look for the shared libraries from
6.x, when 7.x has them updated and possibly renamed.  Has jail2 been
updated?

> Troubleshooting this complaint on jail2 I discovered the time stamp on
> the host was different than the time stamp on the basejail.
>

what time stamp?  of what? where?

>
> Anyway I'm puzzled, and I'm not really sure where to go from here. .
> I'd appreciate any help..
>
> Thanks
> Troy


It won't be a "do these and you'll be fixed" - given the initial post.
 I'm trying to gain more information before I can help.


Ezjail, Perl, upgrading & best practices advise please

2009-10-02 Thread Troy Kocher
All,
Couple issues:
1) I need some understanding on how to deploy and upgrade perl
properly in this jailed environment.
2) I need some help on my current tangle of Perl library complaints

Issue #1: In a jailed environment how many installations of perl are
recommended (ie 1 host system 2 basejail 3 each jail) ?  My sense
would be that one on the host and one in the basejail, would be the
most efficient.  If that is the case how do I upgrade the perl in the
basejail?  How do I handle different versions of perl installed in
each of the jails?

Issue #2:  My lack of understanding has me in a mess currently.  My
host environment is using (perl-threaded-5.8.9_3), in jail #1 I have
(perl-5.8.9_3) when I try to use cpan here is what happens:

jail1#perl -MCPAN -e 'shell'
Terminal does not support AddHistory.
cpan shell -- CPAN exploration and modules installation (v1.9301)
ReadLine support available (maybe install Bundle::CPAN or Bundle::CPANxxl?)
print() on closed filehandle FOUT at
/usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 193.
readline() on closed filehandle FIN at
/usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 301.
print() on closed filehandle FOUT at
/usr/local/lib/perl5/5.8.9/Term/ReadLine.pm line 203.
Terminal does not support GetHistory.
Lockfile removed.

In Jail #2 another issue. . :

jail2#pkg_info |grep perl
mod_perl2-2.0.3_3,3 Embeds a Perl interpreter in the Apache2 server
p5-DBI-1.60.1   The perl5 Database Interface.  Required for DBD::* modules
p5-Devel-Symdump-2.0800 A perl5 module that dumps symbol names or the
symbol table
p5-Error-0.17012Perl module to provide Error/exception support for perl: Er
p5-GD-2.35_1A perl5 interface to Gd Graphics Library version2
p5-GD-Graph-1.44.01_1 Graph plotting module for perl5
p5-MIME-Tools-5.426,2 A set of perl5 modules for MIME
p5-Scalar-List-Utils-1.19,1 Perl subroutines that would be nice to
have in the perl cor
p5-Storable-2.18Persistency for perl data structures
p5-Term-ReadKey-2.30 A perl5 module for simple terminal control
p5-Test-Harness-3.10 Run perl standard test scripts with statistics
p5-Test-Simple-0.80 Basic utilities for writing tests in perl
p5-Time-HiRes-1.9712,1 A perl5 module implementing High resolution
time, sleep, an
perl-5.8.8_1

then I try cpan
jail2# perl -MCPAN -e 'shell'
/libexec/ld-elf.so.1: Shared object "libm.so.4" not found, required by "perl"

Troubleshooting this complaint on jail2 I discovered the time stamp on
the host was different than the time stamp on the basejail.


Anyway I'm puzzled, and I'm not really sure where to go from here. .
I'd appreciate any help..

Thanks
Troy


ezjail jail migration

2009-08-23 Thread Zetinja Tresor
Has anyone tried to migrate ezjail jails between 7.2 and 6.4? I've read it
works fine 6.4 -> 7.2, but what about 7.2 -> 6.4.

Is there any chance I could get away with this by not being forced to
reinstall all the running stuff - proftpd, apache?


Re: FreeBSD Networking Questions / vlan, lagg, routing, FIBs, ezjail

2009-03-28 Thread Peter Cornelius

> Now, it is my suspicion that the apparent need for promisc at the router
> end indeed is an apparent one and not really the router's fault but rather
> the other end's. The other end, in this case, is the server below.
> 
> If the server, with its single MIB, default-routes its packets through one
> specific of its vlans which may not be the one, at the router's end, with
> the corresponding IP network the traffic entered into the net, would it be
> possible that there's something preventing them be received? Unless there's
> promisc on, of course...
> 
> I'll grab the laptop next time I think of it and have the switch monitor
> traffic to it to see what really is on the wire, maybe that helps and gives
> me a clue. I just keep forgetting the bl**dy thing each time I leave...

Ok, after a good portion of fiddling with the switch, it seems that you cannot 
copy traffic from link-aggregated ports to a monitor port on a Linksys SRW2016. 
Now out at my wits end here it seems.

I'll try the FIB approach hopefully next week then.

> > - On my "server", is there any way to set up individual
> > > "default" routes (to the router) for each of the vlans short of
> > > tucking the ezjails behind the vlan interfaces each into their own
> > > FIB (btw,. has anyone ever done that?)?
> > 
> > Yes, from FreeBSD-7.1 and beyond, there is support
> > for up to 16 routing tables. Use the setfib command
> > to select routing table for outgoing connections.
> 
> So, I interpret your response as that I am correct, I have a single
> default route per FIB, and that's it. Which effectively means that I do need
> FIBs. I agree that this behaviour might make some sense :)
> 
> > Something like, "setfib 10 jail $JAILOPTSANDARGS",
> > in the jail case. You have to compile a kernel
> > with the option ROUTETABLES=n. Read the message for
> > revision 1.1485 from here:
> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES
> 
(...)
> Generally speaking, or rather, inquiring, has anyone ever done FIBs with
> ezjail? It probably is very easy, and I consider(ed) looking into it myself
> but I currently spend about max. an hour every 2-3 days on FreeBSD so I
> don't really progress. Well, might eventually, but that'll be dunno when. But
> well, such is life, and this is pleasure not work :) and I hope to learn
> something useful on the way.
(...)
> [1]  
> http://lists.freebsd.org/pipermail/freebsd-arch/2007-December/007331.html

Regards,

Peter.


Re: FreeBSD Networking Questions / vlan, lagg, routing, FIBs, ezjail

2009-03-18 Thread Peter Cornelius
Hiya Nikos, re list,

> Hm, the promiscuous mode must be needed for the vlan driver.
> But you don't have to set it.

It does not work without, at the router end. Suspicions, please see below.

> I can't think of any implication in a switched ethernet environment.
> 
> It is just that every frame received from the cable is offered
> to the operating system for further evaluation. In a switched
> ethernet environment every frame that will reach your card will
> be either:
> 1) for you.
> 2) a broadcast frame.
> 3) a multicast frame.

And hence there should be no (notable) effect. That is my interpretation, yes.

> Things would be very different, if your system was connected to a
> hub where a multitude of frames(every frame on the ethernet) would
> be interrupting the kernel for no reason.

Exactly. But I connect to a switch and hence expect the behaviour detailed 
above.

Now, it is my suspicion that the apparent need for promisc at the router end 
indeed is an apparent one and not really the router's fault but rather the 
other end's. The other end, in this case, is the server below.

If the server, with its single MIB, default-routes its packets through one 
specific of its vlans which may not be the one, at the router's end, with the 
corresponding IP network the traffic entered into the net, would it be possible 
that there's something preventing them be received? Unless there's promisc on, 
of course...

I'll grab the laptop next time I think of it and have the switch monitor 
traffic to it to see what really is on the wire, maybe that helps and gives me 
a clue. I just keep forgetting the bl**dy thing each time I leave...

> - On my "server", is there any way to set up individual
> > "default" routes (to the router) for each of the vlans short of
> > tucking the ezjails behind the vlan interfaces each into their own
> > FIB (btw,. has anyone ever done that?)?
> 
> Yes, from FreeBSD-7.1 and beyond, there is support
> for up to 16 routing tables. Use the setfib command
> to select routing table for outgoing connections.

So, I interpret your response as that I am correct, I have a single default 
route per FIB, and that's it. Which effectively means that I do need FIBs. I 
agree that this behaviour might make some sense :)

> Something like, "setfib 10 jail $JAILOPTSANDARGS",
> in the jail case. You have to compile a kernel
> with the option ROUTETABLES=n. Read the message for
> revision 1.1485 from here:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES

I have seen that section as a separate posting [1] which is why I suspected to 
possibly be able to resolve my issues above with it. It is my intention to 
insert 4 to 8 FIBs asap but I currently don't know when I take my time doing so.

Generally speaking, or rather, inquiring, has anyone ever done FIBs with 
ezjail? It probably is very easy, and I consider(ed) looking into it myself but 
I currently spend about max. an hour every 2-3 days on FreeBSD so I don't 
really progress. Well, might eventually, but that'll be dunno when. But well, 
such is life, and this is pleasure not work :) and I hope to learn something 
useful on the way.

Thanks a lot, and

All the best,

Peter.

[1]   http://lists.freebsd.org/pipermail/freebsd-arch/2007-December/007331.html


Re: FreeBSD Networking Questions / vlan, lagg, routing, FIBs, ezjail

2009-03-17 Thread Nikos Vassiliadis

Peter Cornelius wrote:

> - On my router, why do I have to set the base interface to
> promiscuous mode in order to get packets from/to my vlans through? Am
> I doing something wrong? Are there any implications of working this
> way?


Hm, the promiscuous mode must be needed for the vlan driver.
But you don't have to set it.

I can't think of any implication in a switched ethernet environment.

It is just that every frame received from the cable is offered
to the operating system for further evaluation. In a switched
ethernet environment every frame that will reach your card will
be either:
1) for you.
2) a broadcast frame.
3) a multicast frame.

Things would be very different, if your system was connected to a
hub where a multitude of frames(every frame on the ethernet) would
be interrupting the kernel for no reason.

> - On my "server", is there any way to set up individual
> "default" routes (to the router) for each of the vlans short of
> tucking the ezjails behind the vlan interfaces each into their own
> FIB (btw,. has anyone ever done that?)?


Yes, from FreeBSD-7.1 and beyond, there is support
for up to 16 routing tables. Use the setfib command
to select routing table for outgoing connections.
Something like, "setfib 10 jail $JAILOPTSANDARGS",
in the jail case. You have to compile a kernel
with the option ROUTETABLES=n. Read the message for
revision 1.1485 from here:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES

Nikos


FreeBSD Networking Questions / vlan, lagg, routing, FIBs, ezjail

2009-03-15 Thread Peter Cornelius
Dear all,

While I'm at it, I don't seem to be able to get my head around some networking 
items I observed (currently only vlan(4), not ng_vlan(4), if that makes a 
difference):

- On my router, why do I have to set the base interface to promiscuous mode in 
order to get packets from/to my vlans through? Am I doing something wrong? Are 
there any implications of working this way?
- On my "server", is there any way to set up individual "default" routes (to 
the router) for each of the vlans short of tucking the ezjails behind the vlan 
interfaces each into their own FIB (btw,. has anyone ever done that?)?

So I'm stuck and would appreciate a hand. It probably is something pretty 
obvious which I persistently ignore, or something stupid I attempt to do here 
but I got curious now :)

Thanks a lot, and

All the best,

Peter.


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-31 Thread Mel
On Wednesday 28 January 2009 16:09:26 Frank Steinborn wrote:
> On Wed, Jan 28, 2009 at 03:23:33PM -0900, Mel wrote:
> > On Wednesday 28 January 2009 12:24:31 Frank Steinborn wrote:

> > > 37948  p3  TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
> > > ^I ^I>> /dev/null 2>&1 &" (zsh)
> >
> >  ^^^
> > Why is zsh shell involved?
>
> This was it. I should not have used the root-account inside the jails
> with zsh. I now use the toor account on zsh and put the shell of root
> back to csh everywhere.
>
> However, I don't understand why zsh is invoked, since all rc.d-scripts
> have shebang lines telling them to use /bin/sh? I'm a bit confused,
> maybe can someone give a bit light on this...

su invokes $SHELL of the target user, from su(8):

 By default, the environment is unmodified with the exception of USER,
 HOME, and SHELL.  HOME and SHELL are set to the target login's default
 values.  USER is set to the target login, unless the target login has a
 user ID of 0, in which case it is unmodified.  The invoked shell is the
 one belonging to the target login.  This is the traditional behavior of
 su.

So:
su root -c /bin/sh expands to ${SHELL} /bin/sh

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
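
Added example (not from the thread and not part of ezjail): because su runs the target account's login shell, as the su(8) excerpt above says, this sh script lists the system accounts in each jail's etc/passwd whose login shell is not a base-system shell. The jail directory layout, the UID cutoff of 1000, the base-shell list and the sample passwd entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: flag system accounts in jail passwd files whose login shell
# is not a base-system shell. su runs the target account's login shell, so an
# rc.d script that starts a service through su depends on that shell.

# Assumed list of shells shipped in the FreeBSD base system.
BASE_SHELLS="/bin/sh /bin/csh /bin/tcsh /usr/sbin/nologin /sbin/nologin /nonexistent"

# audit_passwd FILE [EXEMPT_ACCOUNT...]
# Prints name:uid:shell for every account with UID < 1000 (assumed cutoff for
# system and service accounts) whose shell is not in BASE_SHELLS.
audit_passwd() {
    pw_file=$1
    shift
    awk -F: -v base="$BASE_SHELLS" -v exempt="$*" '
        BEGIN {
            n = split(base, b, " ");   for (i = 1; i <= n; i++) ok[b[i]] = 1
            n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1
        }
        /^#/ || NF != 7 { next }                  # comments and malformed lines
        ($3 + 0) >= 1000 || ($1 in skip) { next } # ordinary users, exemptions
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # passwd(5): empty means /bin/sh
            if (!(shell in ok)) print $1 ":" $3 ":" shell
        }' "$pw_file"
}

# audit_jails JAILROOT [EXEMPT_ACCOUNT...]
# Runs audit_passwd on JAILROOT/<jail>/etc/passwd and prefixes the jail name.
audit_jails() {
    jail_root=$1
    shift
    for pw in "$jail_root"/*/etc/passwd; do
        [ -f "$pw" ] || continue
        jail=${pw#"$jail_root"/}
        jail=${jail%%/*}
        audit_passwd "$pw" "$@" | awk -v j="$jail" '{ print j, $0 }'
    done
}

# make_sample_jails DIR: build two constructed jail trees for a dry run.
make_sample_jails() {
    mkdir -p "$1/mldonkey.local/etc" "$1/www.local/etc"
    cat > "$1/mldonkey.local/etc/passwd" <<'EOF'
# constructed sample, not taken from a real system
root:*:0:0:Charlie &:/root:/usr/local/bin/zsh
toor:*:0:0:Bourne-again Superuser:/root:/usr/local/bin/zsh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
mldonkey:*:970:970:mldonkey service:/var/mldonkey:/bin/sh
EOF
    cat > "$1/www.local/etc/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:constructed user:/home/alice:/usr/local/bin/zsh
EOF
}

# Usage: sh jail-shell-audit.sh /usr/jails [exempt-account ...]
if [ $# -ge 1 ]; then
    audit_jails "$@"
fi
```

Passing toor as an exempt account matches the arrangement settled on in this thread, where toor keeps zsh and root goes back to a base shell.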


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Frank Steinborn
On Wed, Jan 28, 2009 at 03:23:33PM -0900, Mel wrote:
> On Wednesday 28 January 2009 12:24:31 Frank Steinborn wrote:
> > I guess I found a possible answer to my problem: The jail is running
> > mldonkey, which is started via /etc/rc.conf. If I don't start it, the
> > jail comes up as expected. These are the last two processes spawned in
> > the jail:
> >
> > 37947  p3  T+J0:00.01 su -l mldonkey -c /bin/sh -c
> > ^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &"
> > 37948  p3  TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
> > ^I ^I>> /dev/null 2>&1 &" (zsh)
>  ^^^ 
> Why is zsh shell involved?

This was it. I should not have used the root-account inside the jails
with zsh. I now use the toor account on zsh and put the shell of root
back to csh everywhere.

However, I don't understand why zsh is invoked, since all rc.d-scripts
have shebang lines telling them to use /bin/sh? I'm a bit confused,
maybe can someone give a bit light on this...

However, it works now.

Thanks,

Frank


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Mel
On Wednesday 28 January 2009 12:24:31 Frank Steinborn wrote:
> On Wed, Jan 28, 2009 at 09:02:35PM +, Bjoern A. Zeeb wrote:
> > if it's network services hanging on startup, check firewall and
> > resolve.conf inside the jail or wait a few minutes to let possible dns
> > queries timeout.
> > Also tcpdumping on the base system for the jail IP might give a clue
> > in that case.
> >
> > If it's something else that's hanging you can find out easily looking
> > at jail startup logs and/or the last process started inside the
> > jail...
> >
> > /bz
>
> I guess i found a possible answer to my problem: The jail is running
> mldonkey, which is started via /etc/rc.conf. If I don't start it, the
> jail comes up as expected. These are the last two processes spawned in
> the jail:
>
> 37947  p3  T+J0:00.01 su -l mldonkey -c /bin/sh -c
> ^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &"
> 37948  p3  TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
> ^I ^I>> /dev/null 2>&1 &" (zsh)
 ^^^ 
Why is zsh shell involved?

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Frank Steinborn
On Wed, Jan 28, 2009 at 12:50:40PM -0900, Mel wrote:
> On Wednesday 28 January 2009 11:25:56 Frank Steinborn wrote:
> 
> > # /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
> > Configuring jails:.
> > Starting jails:
> >
> > If I check with jls and 'pgrep -lfj ', i see that there are processes
> > inside the hanging jail running, including /etc/rc. I guess the
> > jails are hanging somewhere in the boot-process, and i guess it's
> > /etc/rc.
> 
> Install sysutils/pstree. On the host, type pstree|less. Search for the rc 
> process, then see what's running 'underneath' it. Those scripts/services are 
> hanging and take it from there.

Please see my reply to Bjoern, the two processes shown there are the
ones hanging under /etc/rc... I don't have a clue why this happens, if
i start the rc-script for this port manually, it works without a
hitch. And even more notable: On reboot, all comes up without a
problem too.


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Mel
On Wednesday 28 January 2009 11:25:56 Frank Steinborn wrote:

> # /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
> Configuring jails:.
> Starting jails:
>
> If I check with jls and 'pgrep -lfj ', i see that there are processes
> inside the hanging jail running, including /etc/rc. I guess the
> jails are hanging somewhere in the boot-process, and i guess it's
> /etc/rc.

Install sysutils/pstree. On the host, type pstree|less. Search for the rc 
process, then see what's running 'underneath' it. Those scripts/services are 
hanging and take it from there.
-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Bjoern A. Zeeb

On Wed, 28 Jan 2009, Frank Steinborn wrote:

...

> jails are hanging somewhere in the boot-process, and i guess it's
> /etc/rc.
>
> I even doubt that this is an ezjail-only problem, but this is just a
> guess.
>
> Any hints?

if it's network services hanging on startup, check firewall and
resolve.conf inside the jail or wait a few minutes to let possible dns
queries timeout.
Also tcpdumping on the base system for the jail IP might give a clue
in that case.

If it's something else that's hanging you can find out easily looking
at jail startup logs and/or the last process started inside the
jail...

/bz

--
Bjoern A. Zeeb  The greatest risk is not taking one.


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Frank Steinborn
On Wed, Jan 28, 2009 at 09:02:35PM +, Bjoern A. Zeeb wrote:
> if it's network services hanging on startup, check firewall and
> resolve.conf inside the jail or wait a few minutes to let possible dns
> queries timeout.
> Also tcpdumping on the base system for the jail IP might give a clue
> in that case.
> 
> If it's something else that's hanging you can find out easily looking
> at jail startup logs and/or the last process started inside the
> jail...
> 
> /bz

I guess i found a possible answer to my problem: The jail is running
mldonkey, which is started via /etc/rc.conf. If I don't start it, the
jail comes up as expected. These are the last two processes spawned in
the jail:

37947  p3  T+J0:00.01 su -l mldonkey -c /bin/sh -c
^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &"
37948  p3  TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
^I ^I>> /dev/null 2>&1 &" (zsh)

It's suspicious that there are ^I's in there. And as a side-note:
Other jails have the same problem, with completely different services
to start up.

What to do about it? If I start mldonkey manually when the jail came
up, it works as expected, but this is really suboptimal...


Re: Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Michael Scheidell

I installed the jail utilities (forgot which ones)

has a 'jkill' utility.

I then added a /etc/rc.conf.d/ezjail  with a pre-stop() command that 
calls a jkill.


then all works fine.



Frank Steinborn wrote:
> Hi folks,
>
> I have a strange problem on my 7.1-RELEASE with ezjail here. I have 5
> jails configured with ezjail, and they run flawlessly - they come up on
> boot without problems.
>
> However, if i stop a jail (via /usr/local/etc/rc.d/ezjail.sh stop
> ) and then want to restart it via the rc-script, it stalls here:
>
> # /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
> Configuring jails:.
> Starting jails:
>
> If I check with jls and 'pgrep -lfj ', i see that there are processes
> inside the hanging jail running, including /etc/rc. I guess the
> jails are hanging somewhere in the boot-process, and i guess it's
> /etc/rc.
>
> I even doubt that this is an ezjail-only problem, but this is just a
> guess.
>
> Any hints?
>
> Thanks,
> Frank
> ___
> freebsd-j...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
  


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * King of Spam Filters, SC Magazine 2008
   * Information Security Award 2008, Info Security Products Guide
   * CRN Magazine Top 40 Emerging Security Vendors
   * Finalist 2009 Network Products Guide Hot Companies




Problem with ezjail: Manually restarted jails don't come up again

2009-01-28 Thread Frank Steinborn
Hi folks,

I have a strange problem on my 7.1-RELEASE with ezjail here. I have 5
jails configured with ezjail, and they run flawlessly - they come up on
boot without problems.

However, if i stop a jail (via /usr/local/etc/rc.d/ezjail.sh stop
) and then want to restart it via the rc-script, it stalls here:

# /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
Configuring jails:.
Starting jails:

If I check with jls and 'pgrep -lfj ', i see that there are processes
inside the hanging jail running, including /etc/rc. I guess the
jails are hanging somewhere in the boot-process, and i guess it's
/etc/rc.

I even doubt that this is an ezjail-only problem, but this is just a
guess.

Any hints?

Thanks,
Frank


Re: ezjail / 6.2-RELEASE-p3

2007-04-17 Thread Kris Kennaway
On Tue, Apr 17, 2007 at 06:19:44PM +0200, Oliver Peter wrote:
> Dear,
> 
> Is there a possibility to use a self-build release (from source) with
> ezjail instead of the ftp-RELEASEs ?
> I didn't find prebuilt binary packages for 6.2-RELEASE-p3 on the ftp
> sites so I'm thinking about building my own.

'make release', look for documentation on the website.

Kris


ezjail / 6.2-RELEASE-p3

2007-04-17 Thread Oliver Peter
Dear,

Is there a possibility to use a self-build release (from source) with
ezjail instead of the ftp-RELEASEs ?
I didn't find prebuilt binary packages for 6.2-RELEASE-p3 on the ftp
sites so I'm thinking about building my own.

Maybe it's interesting for -CURRENT and -STABLE users, too.

Bye
Ollie

-- 
Oliver PETER, email: [EMAIL PROTECTED], ICQ# 113969174
"Worker bees can leave. Even drones can fly away. The Queen is their slave."




Re: ezjail on FreeBSD 6.2

2007-04-04 Thread Don Munyak

Hello Dave...responses below

On 4/4/07, Dave <[EMAIL PROTECTED]> wrote:
> Hello,
> Is anyone running ezjail on 6.2?

Yes, 6.2-stable GENERIC. At install time I created a separate
partition for, /usr/jails which makes it default to the ezjail-admin
create jail default location.

> I've got to set up three similar jails
> and i'd like to run them off of one base. I'd like to create a jail flavor,
> where one jail has file x while the others do not.

My limited understanding of Flavours...These are like templates to
quick rebuild or create 'like' jail containers. While yours may be
similar, what x is (and how big) may make them different.

> Two problems i'm having
> with flavors is one adding packages such as shells

Got me here. Something I need to learn as well.

> , and two adding users and
> giving them the shells just added?

I would think the adding users could either be done from an ssh
session into a running jail, or using # jexec JID adduser. I'm not
sure how to do the shells, except to say that I know I read
somewhere...where you can setup/change the default shell, then for
each new user added, they would get this profile.

> I'd also like it if i could mount my host
> system's ports tree in the jail itself, so i wouldn't have to get multiple
> copies of the ports tree. The only way i've found thus far of doing this is
> via nullfs on the base system and was wondering if there was an easier
> method of doing this?


Now this one I know can be done a couple of different ways. First is
in the FAQ. The other is in a post I just made last week for the same
reason. I read man ezjail-admin. Just issue the following

# ezjail-admin update -p.
This will update existing ezjails to have access to the host ports
tree. From within a running jail, when you type # cd /usr/ports, you
will really be going to /basejail/usr/ports. pkg_add -r and make/make
install clean all work fine.

Ezjail also has a list you can join, if interested...although it is
not very active. Responses are reasonably quick, given the support is
free :)

Regards
Don


ezjail on FreeBSD 6.2

2007-04-04 Thread Dave

Hello,
   Is anyone running ezjail on 6.2? I've got to set up three similar jails 
and i'd like to run them off of one base. I'd like to create a jail flavor, 
where one jail has file x while the others do not. Two problems i'm having 
with flavors is one adding packages such as shells, and two adding users and 
giving them the shells just added? I'd also like it if i could mount my host 
system's ports tree in the jail itself, so i wouldn't have to get multiple 
copies of the ports tree. The only way i've found thus far of doing this is 
via nullfs on the base system and was wondering if there was an easier 
method of doing this?

Thanks.
Dave.



Re: ezjail ip conflicts

2007-03-23 Thread Joe Holden

Robin Becker wrote:
> Joe Holden wrote:
>
> >>
> >> how do I fix this or perhaps I don't need to?
> > syslogd_flags="-ss" in rc.conf
> > sshd is configured in /etc/ssh/sshd_config.
> .
>
> I looked in vain in /etc/rc.d/syslogd for references to syslogd_ and
> didn't find any, but now I see \$rc_flags which I guess must be what is
> used. Thanks Joe and Karol.
>
> I now get a message saying
>
> Warning: IP 209.67.217.27 not configured on a local interface.
>
> but I think that just means I don't have an alias set up yet.

BTW, all the potential flags for rc.conf are in /etc/defaults/rc.conf ;)

Not sure about the ezjail error, only ever done them manually.

Ta,
Joe


Re: ezjail ip conflicts

2007-03-23 Thread Bill Moran
In response to Robin Becker <[EMAIL PROTECTED]>:
> 
> I now get a message saying
> 
> Warning: IP 209.67.217.27 not configured on a local interface.
> 
> but I think that just means I don't have an alias set up yet.

Yes.  That's what that means.

It's rather deceiving, because you don't actually need to create an
alias, ezjail will do it for you when you start up the jail.

Actually, now that I think of it, I'd call it a bug.

-- 
Bill Moran
http://www.potentialtech.com


Re: ezjail ip conflicts

2007-03-23 Thread Robin Becker

Joe Holden wrote:

>>
>> how do I fix this or perhaps I don't need to?
> syslogd_flags="-ss" in rc.conf
> sshd is configured in /etc/ssh/sshd_config.
.

I looked in vain in /etc/rc.d/syslogd for references to syslogd_ and didn't find 
any, but now I see \$rc_flags which I guess must be what is used. Thanks Joe and 
Karol.


I now get a message saying

Warning: IP 209.67.217.27 not configured on a local interface.

but I think that just means I don't have an alias set up yet.
--
Robin Becker


Re: ezjail ip conflicts

2007-03-23 Thread Karol Kwiatkowski
Robin Becker wrote:
> I'm getting these ip conflicts whilst trying to create a jail
> 
> ezjail-admin create xxx.xxx.xxx.27
> 
> Warning: IP xxx.xxx.xxx.27 not configured on a local interface.
> Warning: Some services already seem to be listening on all IP,
> (including xxx.xxx.xxx.27)
>   This may cause some confusion, here they are:
> mysqlmysqld 505   10 tcp4   *:3306*:*
> root syslogd291   6  udp4   *:514 *:*
> 
> 
> my rc.conf has
> 
> ifconfig_fxp0="inet xxx.xxx.xxx.26  netmask 255.255.255.248"
> defaultrouter="xxx.xxx.xxx.25"
> inetd_flags="-wW -a xxx.xxx.xxx.26"
> 
> 
> so I believe the xxx.xxx.xxx.27 address is OK, but I guess I need to
> make mysqld and syslogd listen only on xxx.xxx.xxx.26. I don't actually
> understand what's preventing sshd from listening on all the addresses in
> range unless it's the inetd flags, but I thought sshd is started by init
> nowadays.

If you're using sshd as a daemon have a look at "ListenAddress"
directive in /etc/ssh/sshd_config. You can have multiple of those.


> Anyhow I think I can fix the mysqld problem by having
> 
> mysql_args="--bind-address=xxx.xxx.xxx.26"
> 
> in the rc.conf, but I don't see any easy way to configure syslogd to
> start with a -b xxx.xxx.xxx.26

How about adding 'syslogd_flags' in /etc/rc.conf? Those are the defaults:

# grep syslogd /etc/defaults/rc.conf
syslogd_enable="YES"# Run syslog daemon (or NO).
syslogd_program="/usr/sbin/syslogd" # path to syslogd
syslogd_flags="-s"  # Flags to syslogd (if enabled).

Also, if you don't need it to bind at all it's better to use '-ss'.


> how do I fix this or perhaps I don't need to?

You could filter traffic at firewall but it's always better to have a
simpler setup.

HTH,

Karol

-- 
Karol Kwiatkowski   
OpenPGP 0x06E09309
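
The check behind ezjail-admin's "listening on all IP" warning, as an added example (not part of the thread and not ezjail's own code): a socket bound to `*` on the host also answers on any jail address aliased onto the same interface. The function names are hypothetical and the sample listing is constructed, using documentation addresses in place of the masked ones; the suggested settings are the ones named in this thread.

```shell
#!/bin/sh
# Added example: find host listeners bound to the wildcard address and
# print the per-service setting from this thread that pins them to the
# host IP, so they no longer answer on a jail's address.

# Constructed sample in the column layout of `sockstat -4l`
# (USER COMMAND PID FD PROTO LOCAL FOREIGN). On a real host, pipe the
# output of `sockstat -4l` into the functions instead.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     505   10 tcp4   *:3306                *:*
root     syslogd    291   6  udp4   *:514                 *:*
root     sshd       412   3  tcp4   192.0.2.26:22         *:*
root     inetd      388   5  tcp4   192.0.2.26:21         *:*'

# wildcard_listeners: read a sockstat listing on stdin and print
# "command proto port" for every socket whose local address is "*".
wildcard_listeners() {
    awk '$6 ~ /^\*:/ {
        split($6, a, ":")
        print $2, $5, a[2]
    }'
}

# suggest_fixes HOST_IP: read a sockstat listing on stdin and print one
# remediation line per wildcard listener.
suggest_fixes() {
    host_ip=$1
    wildcard_listeners | while read -r cmd proto port; do
        case $cmd in
            syslogd)
                echo "syslogd: syslogd_flags=\"-ss\" in /etc/rc.conf" ;;
            mysqld)
                echo "mysqld: mysql_args=\"--bind-address=$host_ip\" in /etc/rc.conf" ;;
            sshd)
                echo "sshd: ListenAddress $host_ip in /etc/ssh/sshd_config" ;;
            inetd)
                echo "inetd: inetd_flags=\"-wW -a $host_ip\" in /etc/rc.conf" ;;
            *)
                echo "$cmd: bind $proto port $port to $host_ip explicitly" ;;
        esac
    done
}

# Run against the constructed sample; 192.0.2.26 stands in for the host IP.
printf '%s\n' "$SAMPLE" | suggest_fixes 192.0.2.26
```

Listeners already bound to the host address (sshd and inetd in the sample) are not reported; only the two wildcard sockets are.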





Re: ezjail ip conflicts

2007-03-23 Thread Joe Holden

Robin Becker wrote:
> I'm getting these ip conflicts whilst trying to create a jail
>
> ezjail-admin create xxx.xxx.xxx.27
>
> Warning: IP xxx.xxx.xxx.27 not configured on a local interface.
> Warning: Some services already seem to be listening on all IP,
> (including xxx.xxx.xxx.27)
>
>   This may cause some confusion, here they are:
> mysqlmysqld 505   10 tcp4   *:3306*:*
> root syslogd291   6  udp4   *:514 *:*
>
>
> my rc.conf has
>
> ifconfig_fxp0="inet xxx.xxx.xxx.26  netmask 255.255.255.248"
> defaultrouter="xxx.xxx.xxx.25"
> inetd_flags="-wW -a xxx.xxx.xxx.26"
>
>
> so I believe the xxx.xxx.xxx.27 address is OK, but I guess I need to
> make mysqld and syslogd listen only on xxx.xxx.xxx.26. I don't actually
> understand what's preventing sshd from listening on all the addresses in
> range unless it's the inetd flags, but I thought sshd is started by init
> nowadays.
>
>
> Anyhow I think I can fix the mysqld problem by having
>
> mysql_args="--bind-address=xxx.xxx.xxx.26"
>
> in the rc.conf, but I don't see any easy way to configure syslogd to
> start with a -b xxx.xxx.xxx.26
>
>
> how do I fix this or perhaps I don't need to?

syslogd_flags="-ss" in rc.conf
sshd is configured in /etc/ssh/sshd_config.

Ta,
Joe


ezjail ip conflicts

2007-03-23 Thread Robin Becker

I'm getting these ip conflicts whilst trying to create a jail

ezjail-admin create xxx.xxx.xxx.27

Warning: IP xxx.xxx.xxx.27 not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including 
xxx.xxx.xxx.27)

  This may cause some confusion, here they are:
mysqlmysqld 505   10 tcp4   *:3306*:*
root syslogd291   6  udp4   *:514 *:*


my rc.conf has

ifconfig_fxp0="inet xxx.xxx.xxx.26  netmask 255.255.255.248"
defaultrouter="xxx.xxx.xxx.25"
inetd_flags="-wW -a xxx.xxx.xxx.26"


so I believe the xxx.xxx.xxx.27 address is OK, but I guess I need to make mysqld 
and syslogd listen only on xxx.xxx.xxx.26. I don't actually understand what's 
preventing sshd from listening on all the addresses in range unless it's the 
inetd flags, but I thought sshd is started by init nowadays.


Anyhow I think I can fix the mysqld problem by having

mysql_args="--bind-address=xxx.xxx.xxx.26"

in the rc.conf, but I don't see any easy way to configure syslogd to start with 
a -b xxx.xxx.xxx.26


how do I fix this or perhaps I don't need to?
--
Robin Becker


Re: Confused with jails (ezjail) and mergemaster

2007-01-16 Thread Doug Poland
On Tue, Jan 16, 2007 at 09:08:07AM -0500, Dave wrote:
> - Original Message - 
> From: "Doug Poland" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, December 19, 2006 11:37 PM
> Subject: Confused with jails (ezjail) and mergemaster
> 
> >I have just built and installed world on a 6.1-STABLE i386 machine
> >and run mergemaster.  For the jails, I have run:
> >
> >root# ezjail-admin update -i
> >
> >and it performed an installworld.  Cool so far.
> >
> >What about mergemaster on the jails?  Do I need to run mergemaster on
> >the basejail and each jail instance?
> >
> >root# mergemaster -D /usr/jails/basejail
> >root# mergemaster -D /usr/jails/jail-01
> >root# mergemaster -D /usr/jails/jail-99
> >
> >Or just mergemaster on basejail?  If I do just run mergemaster on
> >basejail, how do the config file changes make it into the individual
> >jails?  Ezjail is a great utility but running mergemaster on every
> >jail instance seems daunting, not to mention the potential problems
> >with end-user modified config files.
> >
>
> Hello,
> It's been a while since i checked my email, but did you ever get any
> responses on this question? I'm not at the point of needing to update
> any of my ezjails, but when 6.2 comes out or i decide to update to it
> whichever, i will at that point.
>
No, I didn't get any responses.  After more analysis, I reasoned that
one must run mergemaster on the "basejail" and on each individual jail.
It's a lot of work, but it appears that's the only way.

> On a separate subject do you have ports in any of your jails as in the
> ports tree? If so how did you pull that off?  Thanks.
>
I use portupgrade so I needed to add the following to 
/usr/local/etc/pkgtools.conf
+  ENV['PACKAGES'] ||= '/var/ports/packages'
+  ENV['PKG_PATH'] ||= '/var/ports/packages/All'
+  ENV['PKG_BACKUP_DIR'] ||= '/var/tmp/pkg_backup'
+  ENV['PORTS_INDEX'] ||= '/var/ports/INDEX'

HTH

-- 
Regards,
Doug


ezjail and ports

2007-01-11 Thread Dave

Hello,
   I've created three jails with ezjail on a 6.1 machine. When i did so i 
did not need ports, now i do in one of the jails. I've tried nullfs mounting 
the host system's /usr/ports tree, but it didn't automount on jail startup. 
So, i fetched a new copy of the ports tree in to /var/ports, but when i 
tried to install a port, bash3 in this case, the ports are referencing 
/usr/ports/share/MK which it can not find, that's a read-only symlink to 
the basejail filesystem.
   A side question, pinging the jail works fine from the host system, but 
nmapping it does not show anything even though i have running services. I've 
tried with and without the -P0 option.

Does anyone have this working?
Thanks.
Dave.



Confused with jails (ezjail) and mergemaster

2006-12-19 Thread Doug Poland
Hello,

Sorry for the confusion here, but I just am not getting it ...

I have just built and installed world on a 6.1-STABLE i386 machine and
run mergemaster.  For the jails, I have run:

root# ezjail-admin update -i

and it performed an installworld.  Cool so far.

What about mergemaster on the jails?  Do I need to run mergemaster on
the basejail and each jail instance?

root# mergemaster -D /usr/jails/basejail 
root# mergemaster -D /usr/jails/jail-01 
root# mergemaster -D /usr/jails/jail-99

Or just mergemaster on basejail?  If I do just run mergemaster on
basejail, how do the config file changes make it into the individual
jails?  Ezjail is a great utility but running mergemaster on every jail
instance seems daunting, not to mention the potential problems with
end-user modified config files.

Many thanks for clarification, pointers, slaps upside the head, etc.


-- 
Regards,
Doug