From owner-freebsd-jail@FreeBSD.ORG Sun Apr 21 10:55:59 2013
From: Łukasz Wąsikowski
Date: Sun, 21 Apr 2013 12:55:57 +0200
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…

On 2013-04-12 19:02, Jamie Gritton wrote:
> On 04/12/13 10:53, Łukasz Wąsikowski wrote:
>> On 2013-03-08 00:22, Jamie Gritton wrote:
>>
>>> You're allowed to have the same address in multiple jails, but only in
>>> the case of jails that have one address (i.e. one IPv4 address in this
>>> case). Jails with multiple IP addresses can't share any of those
>>> addresses with other jails. I don't know why it should work once and
>>> then not work later though.
>>
>> That's not true. You can have multiple IPs in jails. You can have
>> multiple jails sharing the same IP. You can have multiple jails sharing
>> the same multiple IPs. So:
>>
>> jail1: ipv4_ip1
>> jail2: ipv4_ip2, ipv6_ip1, ipv6_ip2
>> jail3: ipv4_ip2, ipv6_ip1, ipv6_ip2
>>
>> will work. But configuration like this:
>>
>> jail1: ipv4_ip1
>> jail2: ipv4_ip2, ipv6_ip1, ipv6_ip2
>> jail3: ipv4_ip2, ipv6_ip1
>>
>> will not, because jail2 and jail3 share only some IPs. I've tried
>> configuration like this on 9.1-STABLE around December 2012 and it ended
>> with panic. So I'm using the configuration from the first example and it
>> works ok.
>
> Well ending in a panic is beyond the bounds of what's supported, and
> into what apparently is broken - I was just talking about the intent as
> I read it into the code. Is this panic of yours repeatable? I'd like to
> get the exact configuration you were using, so I could try to repeat
> (and fix) whatever the problem was.

I'm sorry for the delay, I simply didn't have much time to test it.

The simplest way to reproduce this problem is:

1. Install the i386 version (didn't try amd64) of 9.1-RELEASE. Do a
   default install, nothing fancy, install ports and src.

2. Add to the GENERIC kernel:

       options RACCT
       options RCTL

   Without those I couldn't reproduce the problem.

3. Add some IP aliases to your interface (i.e. 192.168.100.1,
   192.168.100.2 and 192.168.100.3).

4. Create some multi-IP jails which share some (but not all) IPs and try
   to start them. It will end in panic. I use ezjail for it, so:

       cd /usr/ports/sysutils/ezjail && make install clean && mkdir /usr/jails && ezjail-admin install && ezjail-admin create jtest1 192.168.100.1,192.168.100.2 && ezjail-admin create jtest2 192.168.100.1,192.168.100.2,192.168.100.3
       service ezjail onestart

   and it ends with panic:

panic: page fault

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1350 (jail)
trap number = 12
panic: page fault
cpuid = 2
KDB: stack backtrace:
#0 0xc0af88ff at kdb_backtrace+0x4f
#1 0xc0ac51bf at panic+0x16f
#2 0xc0e2b933 at trap_fatal+0x323
#3 0xc0e2ba3b at trap_pfault+0xfb
#4 0xc0e2c9aa at trap+0x44a
#5 0xc0e15f8c at calltrap+0x6
#6 0xc0a9897a at prison_deref+0x42a
#7 0xc0a9dd3e at kern_jail_set+0x3b7e
#8 0xc0a9e0c0 at sys_jail_set+0x50
#9 0xc0e2c0ba at syscall+0x34a
#10 0xc0e15ff1 at Xint0x80_syscall+0x21
Uptime: 47s

--
best regards,
Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 22 09:17:16 2013
From: Mateusz Guzik
Date: Mon, 22 Apr 2013 11:17:11 +0200
To: freebsd-jail@freebsd.org
Subject: automatic garbage collection of stuff mounted (etc.) by jailed root

Hello,

This is something that imho could be done by a GSoC student.

It is possible to allow jailed root to mount various filesystems. But
once all processes are dead, mounts done by jailed root that he didn't
clean up are still hanging around.

As time passes and more stuff gets jailable we should expect problems
like this in different subsystems.

So I propose that someone(tm) implements a solution which cleans this
stuff up during jail destruction.

One idea how to do it: implement a list with clean-up operations. Using
the mount example: you add a filesystem to be cleaned up after it is
mounted, you delete it after it is unmounted. When the jail is going to
die you just traverse the list backwards and call cleaning functions,
in this case unmounting filesystems. Maybe this is a bad idea in the
first place and it is better to take a look at the mount tree and traverse
that, I don't know, you should investigate. :) Note that the code has to
be robust in case of errors (e.g. a given fs may not be unmountable
because someone from prison0 is inside).

Again, the goal is to have jails clean up automatically after anything
jailed root was permitted to do.

Thoughts?
--
Mateusz Guzik

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 22 11:06:46 2013
From: FreeBSD bugmaster
Date: Mon, 22 Apr 2013 11:06:46 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/176112  jail   [jail] [panic] kernel panic when starting jails
o kern/176092  jail   [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail   [jail] jail should provide validator for jail names
o kern/174436  jail   [jail] Jails with numbers as names don't work
o bin/173469   jail   [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail   [jail] reading routing information does not work in ja
o bin/167911   jail   new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail   [jail] inter-jail communication failure
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail   [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid

17 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon Apr 22 15:14:26 2013
From: Jamie Gritton
Date: Mon, 22 Apr 2013 09:13:52 -0600
To: Mateusz Guzik
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.) by jailed root

On 04/22/13 03:17, Mateusz Guzik wrote:
> Hello,
>
> This is something that imho could be done by GSoC student.
>
> It is possible to allow jailed root to mount various filesystems. But
> once all processes are dead, mounts done by jailed root that he didn't
> clean up are still hanging around.
>
> As time passes and more stuff gets jailable we should expect problems
> like this in different subsystems.
>
> So I propose that someone(tm) implements a solution which cleans this
> stuff during jail destruction.
>
> One idea how to do it: implement a list with clean up operations. Using
> mount example: you add a filesystem to be cleaned up after it is
> mounted, you delete it after it is unmounted. When the jail is going to
> die you just traverse the list backwards and call cleaning functions,
> in this case unmounting filesystems. Maybe this is a bad idea in the
> first place and it is better to take a look at mount tree and traverse
> that, I don't know, you should investigate. :) Note that the code has to
> be robust in case of errors (e.g. given fs may not be unmountable
> because someone from prison0 is inside).
>
> Again, the goal is to have jails clean up automatically after anything
> jailed root was permitted to do.
>
> Thoughts?

This already happens when jails are created using a jail.conf file. Any
mounts there are unmounted as part of the jail removal process. Just
recently I fixed it to properly do this unmounting in reverse order.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 22 17:48:56 2013
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Mon, 22 Apr 2013 19:39:11 +0200
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.) by jailed root

Jamie Gritton wrote:
> On 04/22/13 03:17, Mateusz Guzik wrote:

[...]

>> Again, the goal is to have jails clean up automatically after anything
>> jailed root was permitted to do.
>>
>> Thoughts?
>
> This already happens when jails are created using a jail.conf file. Any
> mounts there are unmounted as part of the jail removal process. Just
> recently I fixed it to properly do this unmounting in reverse order.

Do you mean mounts defined in jail.conf or all mounts manually done by
the root user in the jail?
Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 22 18:29:45 2013
From: Jamie Gritton
Date: Mon, 22 Apr 2013 12:29:38 -0600
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.) by jailed root

On 04/22/13 11:39, Miroslav Lachman wrote:
> Jamie Gritton wrote:
>> On 04/22/13 03:17, Mateusz Guzik wrote:
>
> [...]
>
>>> Again, the goal is to have jails clean up automatically after anything
>>> jailed root was permitted to do.
>>>
>>> Thoughts?
>>
>> This already happens when jails are created using a jail.conf file. Any
>> mounts there are unmounted as part of the jail removal process.
>> Just recently I fixed it to properly do this unmounting in reverse order.
>
> Do you mean mounts defined in jail.conf or all mounts manually done by
> root user in jail?
>
> Miroslav Lachman

Ah, I see the difference. Yes, that's only for mounts in the jail.conf.
For mounts done by the jail itself, I guess we would go off the mount
record's credential. So is this something you expect to be happening
entirely in the kernel?

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 22 19:37:35 2013
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Mon, 22 Apr 2013 21:37:31 +0200
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.) by jailed root

Jamie Gritton wrote:
> On 04/22/13 11:39, Miroslav Lachman wrote:
>> Jamie Gritton wrote:
>>> On 04/22/13 03:17, Mateusz Guzik wrote:
>>
>> [...]
>>
>>>> Again, the goal is to have jails clean up automatically after anything
>>>> jailed root was permitted to do.
>>>>
>>>> Thoughts?
>>>
>>> This already happens when jails are created using a jail.conf file. Any
>>> mounts there are unmounted as part of the jail removal process. Just
>>> recently I fixed it to properly do this unmounting in reverse order.
>>
>> Do you mean mounts defined in jail.conf or all mounts manually done by
>> root user in jail?
>>
>> Miroslav Lachman
>
> Ah, I see the difference. Yes, that's only for mounts in the jail.conf.
> For mounts done by the jail itself, I guess we would go off the mount
> record's credential. So is this something you expect to be happening
> entirely in the kernel?

I don't know what the right place for this is, but I am sure there should
be something to clear these mounts made inside jails. Otherwise there will
be unwanted leftovers after a jail restart / destroy.
Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 23 13:14:25 2013
From: Joe
Date: Tue, 23 Apr 2013 09:14:23 -0400
To: freebsd-jail@freebsd.org
Subject: jail(8) vimage epair bridge

Hello list

I am using jail(8) trying to get a functional vimage environment on my
9.1-RELEASE system. My PC only has a single real NIC facing the public
internet.

My goal is to be able to have multiple vimage jails, each with their own
epairXa, epairXb and bridgeX, where the "X" is the jail's JID number, all
having their traffic passing through the single rl0 real interface. The
vnet.start script shown below handles this nicely.

The problem is that after the first vimage jail is started, the rl0
interface gets marked as busy when the second vimage jail is started.
How do I get all vnet jails to pass through the real rl0 interface? Thanks for you help # /root >cat /etc/jail.conf vimage33 { host.hostname = "vimage33"; path = "/usr/jails/vimage33"; mount.fstab = "/usr/local/etc/fstab/vimage33"; exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; exec.consolelog = "/var/log/vimage33.console.log"; devfs_ruleset = "4"; allow.mount.devfs; vnet; exec.poststart="vnet.start vimage33 rl0"; exec.prestop="vnet.stop vimage33"; } # /root >cat /usr/local/bin/vnet.start #!/bin/sh jailname=$1 nicname=$2 jid=`jls -j ${jailname} jid` if [ "${jid}" -gt "100" ]; then echo " " echo "The JID value is greater then 100." echo "You must shutdown the host and reboot" echo "to zero out the JID counter and recover" echo "the lost memory from stopping vimage jails." echo " " exit 2 fi ifconfig bridge${jid} create > /dev/null 2> /dev/null ifconfig bridge${jid} 10.${jid}.0.1 ifconfig bridge${jid} up ifconfig epair${jid} create > /dev/null 2> /dev/null ifconfig bridge${jid} addm ${nicname} addm epair${jid}a ifconfig epair${jid}a up ifconfig epair${jid}b vnet ${jid} jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2 jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null jexec ${jailname} ifconfig lo0 127.0.0.1 # Display the hosts network view before starting any vnet jails # /root >ifconfig rl0: flags=8843 metric 0 mtu options=2008 ether 00:0c:6e:09:8b:74 inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7 nd6 options=29 media: Ethernet autoselect (100baseTX ) status: active lo0: flags=8049 metric 0 mtu 16384 options=600003 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 # Start the first vnet jail # /root >jail -f /etc/jail.conf -c vimage33 vimage33: created bridge1: Ethernet address: 02:8f:94:84:0c:02 epair1a: Ethernet address: 02:c0:a4:00:0b:0a epair1b: Ethernet address: 02:c0:a4:00:0c:0b # /root >jls JID IP Address Hostname Path 1 - vimage33 
/usr/jails/vimage33 # Lets display the hosts network after the first vnet jail has started # /root >ifconfig rl0: flags=8943 metric options=2008 ether 00:0c:6e:09:8b:74 inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7 nd6 options=29 media: Ethernet autoselect (100baseTX ) status: active lo0: flags=8049 metric 0 mtu 16384 options=600003 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 bridge1: flags=8843 metric ether 02:8f:94:84:0c:01 inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255 nd6 options=21 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: epair1a flags=143 ifmaxaddr 0 port 9 priority 128 path cost 14183 member: rl0 flags=143 ifmaxaddr 0 port 5 priority 128 path cost 200000 epair1a: flags=8943 options=8 ether 02:c0:a4:00:09:0a inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9 nd6 options=21 media: Ethernet 10Gbase-T (10Gbase-T ) status: active # Login to the vnet jail and display the jails view of the network # /root >jexec vimage33 tcsh vimage33 / >ifconfig lo0: flags=8049 metric 0 mtu 16384 options=600003 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 nd6 options=21 epair1b: flags=8843 metric 0 options=8 ether 02:c0:a4:00:0a:0b inet 10.1.0.2 netmask 0xff000000 broadcast 10.255.255.255 inet6 fe80::c0:a4ff:fe00:a0b%epair1b prefixlen 64 scopeid 0x2 nd6 options=21 media: Ethernet 10Gbase-T (10Gbase-T ) status: active # Yes the vnet jail can reach the public network vimage33 / >ping -c 4 8.8.178.135 PING 8.8.178.135 (8.8.178.135): 56 data bytes 64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=84.645 ms 64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=86.950 ms 64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=83.274 ms 64 bytes from 8.8.178.135: icmp_seq=3 ttl=51 time=82.660 ms --- 
8.8.178.135 ping statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 82.660/84.382/86.950/1.647 ms vimage33 / >exit exit # Lets start the second vnet jail # /root >cat /etc/jail.conf.22 vimage22 { host.hostname = "vimage22"; path = "/usr/jails/vimage22"; mount.fstab = "/usr/local/etc/fstab/vimage22"; exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; exec.consolelog = "/var/log/vimage22.console.log"; devfs_ruleset = "4"; allow.mount.devfs; vnet; exec.poststart="vnet.start vimage22 rl0"; exec.prestop="vnet.stop vimage22"; } # /root >jail -f /etc/jail.conf.22 -c vimage22 vimage22: created # Notice this message about rl0 ifconfig: BRDGADD rl0: Device busy bridge2: Ethernet address: 02:8f:94:84:0c:02 epair2a: Ethernet address: 02:c0:a4:00:0b:0a epair2b: Ethernet address: 02:c0:a4:00:0c:0b # Lets check the hosts view of the network - no rl0 on bridge2 # /root >ifconfig rl0: flags=8943 options=2008 ether 00:0c:6e:09:8b:74 inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7 nd6 options=29 media: Ethernet autoselect (100baseTX ) status: active lo0: flags=8049 metric 0 mtu 16384 options=600003 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 inet 127.0.0.1 netmask 0xff000000 nd6 options=21 bridge1: flags=8843 metric 0 ether 02:8f:94:84:0c:01 inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255 nd6 options=21 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: epair1a flags=143 ifmaxaddr 0 port 9 priority 128 path cost 14183 member: rl0 flags=143 ifmaxaddr 0 port 5 priority 128 path cost 200000 epair1a: flags=8943 options=8 ether 02:c0:a4:00:09:0a inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9 nd6 options=21 media: Ethernet 10Gbase-T (10Gbase-T ) status: active bridge2: flags=8843 metric 0 ether 02:8f:94:84:0c:02 inet 10.2.0.1 
netmask 0xff000000 broadcast 10.255.255.255 nd6 options=21 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 epair2a: flags=8843 metric 0 options=8 ether 02:c0:a4:00:0b:0a inet6 fe80::c0:a4ff:fe00:b0a%epair2a prefixlen 64 scopeid 0xb nd6 options=21 media: Ethernet 10Gbase-T (10Gbase-T ) status: active # /root >jls JID IP Address Hostname Path 1 - vimage33 /usr/jails/vimage33 2 - vimage22 /usr/jails/vimage22 # login to second vnet jail and see if it has public internet connection # /root >jexec vimage22 tcsh vimage22 / >ifconfig lo0: flags=8049 metric 0 mtu 16384 options=600003 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 nd6 options=21 epair2b: flags=8843 metric 0 options=8 ether 02:c0:a4:00:0c:0b inet 10.2.0.2 netmask 0xff000000 broadcast 10.255.255.255 inet6 fe80::c0:a4ff:fe00:c0b%epair2b prefixlen 64 scopeid 0x2 nd6 options=21 media: Ethernet 10Gbase-T (10Gbase-T ) status: active vimage22 / >ping -c 4 8.8.178.135 PING 8.8.178.135 (8.8.178.135): 56 data bytes --- 8.8.178.135 ping statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss vimage22 / >exit exit # Stop the second vnet jail # /root >jail -f /etc/jail.conf.22 -r vimage22 vimage22: removed Freed UMA keg was not empty (30 items). Lost 2 pages of memory. Freed UMA keg was not empty (203 items). Lost 1 pages of memory. Freed UMA keg was not empty (30 items). Lost 2 pages of memory. Freed UMA keg was not empty (10 items). Lost 2 pages of memory. Freed UMA keg was not empty (30 items). Lost 2 pages of memory. hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required # Stop the first vnet jail # /root >jail -f /etc/jail.conf -r vimage33 vimage33: removed Freed UMA keg was not empty (30 items). Lost 2 pages of memory. 
Freed UMA keg was not empty (203 items). Lost 1 pages of memory. Freed UMA keg was not empty (30 items). Lost 2 pages of memory. Freed UMA keg was not empty (10 items). Lost 2 pages of memory. Freed UMA keg was not empty (30 items). Lost 2 pages of memory. hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 05:38:31 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 08E1E31C for ; Wed, 24 Apr 2013 05:38:31 +0000 (UTC) (envelope-from anders.hagman@netplex.se) Received: from smtp-out12.han.skanova.net (smtp-out12.han.skanova.net [195.67.226.212]) by mx1.freebsd.org (Postfix) with ESMTP id 613E41FC2 for ; Wed, 24 Apr 2013 05:38:29 +0000 (UTC) Received: from [10.0.11.233] (78.64.100.19) by smtp-out12.han.skanova.net (8.5.133) (authenticated as u48002568) id 516D09F900239051 for freebsd-jail@freebsd.org; Wed, 24 Apr 2013 07:37:27 +0200 Subject: Re: jail(8) vimage epair bridge References: <5176892F.8050802@a1poweruser.com> From: Anders Hagman Content-Type: text/plain; charset=us-ascii X-Mailer: iPhone Mail (10B329) In-Reply-To: <5176892F.8050802@a1poweruser.com> Message-Id: <77E31AD0-ABE2-44FA-AB19-CF557038DEBE@netplex.se> Date: Wed, 24 Apr 2013 07:37:25 +0200 To: "freebsd-jail@freebsd.org" Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (1.0) X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 05:38:31 -0000

Hi

On 23 Apr 2013, at 15:14, Joe wrote:

> Hello list
>
> I am using jail(8) trying to get a functional vimage environment on my
> 9.1-RELEASE system. My PC only has a single real NIC facing the public
> internet.
>
> My goal is to be able to have multiple vimage jails, each with
> their own epairXa epairXb and bridgeX where the "X" is the jail's JID
> number, all having their traffic passing through the single rl0 real
> interface. The vnet.start script shown below handles this nicely.
>
> The problem is after the first vimage jail is started the rl0 interface
> gets marked as busy when the second vimage jail is started.
>

You don't need more than one bridge.
Connect all epairXa and the rl0 interface to the bridge. Put the epairXb in the right jail.

If you want separation, create vlan interfaces. Connect them to rl0 and put them inside the jail.

> How do I get all vnet jails to pass through the real rl0 interface?
>
> Thanks for your help
>
>
>
> # /root >cat /etc/jail.conf
> vimage33 {
>   host.hostname = "vimage33";
>   path = "/usr/jails/vimage33";
>   mount.fstab = "/usr/local/etc/fstab/vimage33";
>   exec.start = "/bin/sh /etc/rc";
>   exec.stop = "/bin/sh /etc/rc.shutdown";
>   exec.consolelog = "/var/log/vimage33.console.log";
>   devfs_ruleset = "4";
>   allow.mount.devfs;
>   vnet;
>   exec.poststart="vnet.start vimage33 rl0";
>   exec.prestop="vnet.stop vimage33";
> }
>
> # /root >cat /usr/local/bin/vnet.start
> #!/bin/sh
> jailname=$1
> nicname=$2
>
> jid=`jls -j ${jailname} jid`
>
> if [ "${jid}" -gt "100" ]; then
>   echo " "
>   echo "The JID value is greater then 100."
>   echo "You must shutdown the host and reboot"
>   echo "to zero out the JID counter and recover"
>   echo "the lost memory from stopping vimage jails."
>   echo " "
>   exit 2
> fi
>
> ifconfig bridge${jid} create > /dev/null 2> /dev/null
> ifconfig bridge${jid} 10.${jid}.0.1
> ifconfig bridge${jid} up
> ifconfig epair${jid} create > /dev/null 2> /dev/null
> ifconfig bridge${jid} addm ${nicname} addm epair${jid}a
> ifconfig epair${jid}a up
> ifconfig epair${jid}b vnet ${jid}
>
> jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2
> jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null
> jexec ${jailname} ifconfig lo0 127.0.0.1
>
>
> # Display the hosts network view before starting any vnet jails
> # /root >ifconfig
> rl0: flags=8843 metric 0 mtu
>   options=2008
>   ether 00:0c:6e:09:8b:74
>   inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7
>   nd6 options=29
>   media: Ethernet autoselect (100baseTX )
>   status: active
> lo0: flags=8049 metric 0 mtu 16384
>   options=600003
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>   inet 127.0.0.1 netmask 0xff000000
>   nd6 options=21
>
> # Start the first vnet jail
> # /root >jail -f /etc/jail.conf -c vimage33
> vimage33: created
> bridge1: Ethernet address: 02:8f:94:84:0c:02
> epair1a: Ethernet address: 02:c0:a4:00:0b:0a
> epair1b: Ethernet address: 02:c0:a4:00:0c:0b
>
>
> # /root >jls
>   JID  IP Address      Hostname                      Path
>     1  -               vimage33                      /usr/jails/vimage33
>
>
> # Lets display the hosts network after the first vnet jail has started
> # /root >ifconfig
> rl0: flags=8943 metric
>   options=2008
>   ether 00:0c:6e:09:8b:74
>   inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7
>   nd6 options=29
>   media: Ethernet autoselect (100baseTX )
>   status: active
>
> lo0: flags=8049 metric 0 mtu 16384
>   options=600003
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>   inet 127.0.0.1 netmask 0xff000000
>   nd6 options=21
> bridge1: flags=8843 metric
>   ether 02:8f:94:84:0c:01
>   inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255
>   nd6 options=21
>   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>   member: epair1a flags=143
>           ifmaxaddr 0 port 9 priority 128 path cost 14183
>   member: rl0 flags=143
>           ifmaxaddr 0 port 5 priority 128 path cost 200000
> epair1a: flags=8943
>   options=8
>   ether 02:c0:a4:00:09:0a
>   inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9
>   nd6 options=21
>   media: Ethernet 10Gbase-T (10Gbase-T )
>   status: active
>
>
> # Login to the vnet jail and display the jails view of the network
> # /root >jexec vimage33 tcsh
> vimage33 / >ifconfig
> lo0: flags=8049 metric 0 mtu 16384
>   options=600003
>   inet 127.0.0.1 netmask 0xff000000
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>   nd6 options=21
> epair1b: flags=8843 metric 0
>   options=8
>   ether 02:c0:a4:00:0a:0b
>   inet 10.1.0.2 netmask 0xff000000 broadcast 10.255.255.255
>   inet6 fe80::c0:a4ff:fe00:a0b%epair1b prefixlen 64 scopeid 0x2
>   nd6 options=21
>   media: Ethernet 10Gbase-T (10Gbase-T )
>   status: active
>
>
> # Yes the vnet jail can reach the public network
> vimage33 / >ping -c 4 8.8.178.135
> PING 8.8.178.135 (8.8.178.135): 56 data bytes
> 64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=84.645 ms
> 64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=86.950 ms
> 64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=83.274 ms
> 64 bytes from 8.8.178.135: icmp_seq=3 ttl=51 time=82.660 ms
>
> --- 8.8.178.135 ping statistics ---
> 4 packets transmitted, 4 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 82.660/84.382/86.950/1.647 ms
>
> vimage33 / >exit
> exit
>
>
> # Lets start the second vnet jail
> # /root >cat /etc/jail.conf.22
> vimage22 {
>   host.hostname = "vimage22";
>   path = "/usr/jails/vimage22";
>   mount.fstab = "/usr/local/etc/fstab/vimage22";
>   exec.start = "/bin/sh /etc/rc";
>   exec.stop = "/bin/sh /etc/rc.shutdown";
>   exec.consolelog = "/var/log/vimage22.console.log";
>   devfs_ruleset = "4";
>   allow.mount.devfs;
>   vnet;
>   exec.poststart="vnet.start vimage22 rl0";
>   exec.prestop="vnet.stop vimage22";
> }
>
>
> # /root >jail -f /etc/jail.conf.22 -c vimage22
> vimage22: created
>
> # Notice this message about rl0
> ifconfig: BRDGADD rl0: Device busy
>
> bridge2: Ethernet address: 02:8f:94:84:0c:02
> epair2a: Ethernet address: 02:c0:a4:00:0b:0a
> epair2b: Ethernet address: 02:c0:a4:00:0c:0b
>
>
>
> # Lets check the hosts view of the network - no rl0 on bridge2
> # /root >ifconfig
> rl0: flags=8943
>   options=2008
>   ether 00:0c:6e:09:8b:74
>   inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7
>   nd6 options=29
>   media: Ethernet autoselect (100baseTX )
>   status: active
> lo0: flags=8049 metric 0 mtu 16384
>   options=600003
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>   inet 127.0.0.1 netmask 0xff000000
>   nd6 options=21
> bridge1: flags=8843 metric 0
>   ether 02:8f:94:84:0c:01
>   inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255
>   nd6 options=21
>   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>   member: epair1a flags=143
>           ifmaxaddr 0 port 9 priority 128 path cost 14183
>   member: rl0 flags=143
>           ifmaxaddr 0 port 5 priority 128 path cost 200000
> epair1a: flags=8943
>   options=8
>   ether 02:c0:a4:00:09:0a
>   inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9
>   nd6 options=21
>   media: Ethernet 10Gbase-T (10Gbase-T )
>   status: active
> bridge2: flags=8843 metric 0
>   ether 02:8f:94:84:0c:02
>   inet 10.2.0.1 netmask 0xff000000 broadcast 10.255.255.255
>   nd6 options=21
>   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> epair2a: flags=8843 metric 0
>   options=8
>   ether 02:c0:a4:00:0b:0a
>   inet6 fe80::c0:a4ff:fe00:b0a%epair2a prefixlen 64 scopeid 0xb
>   nd6 options=21
>   media: Ethernet 10Gbase-T (10Gbase-T )
>   status: active
>
>
> # /root >jls
>   JID  IP Address      Hostname                      Path
>     1  -               vimage33                      /usr/jails/vimage33
>     2  -               vimage22                      /usr/jails/vimage22
>
> # login to second vnet jail and see if it has public internet connection
> # /root >jexec vimage22 tcsh
> vimage22 / >ifconfig
> lo0: flags=8049 metric 0 mtu 16384
>   options=600003
>   inet 127.0.0.1 netmask 0xff000000
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
>   nd6 options=21
> epair2b: flags=8843 metric 0
>   options=8
>   ether 02:c0:a4:00:0c:0b
>   inet 10.2.0.2 netmask 0xff000000 broadcast 10.255.255.255
>   inet6 fe80::c0:a4ff:fe00:c0b%epair2b prefixlen 64 scopeid 0x2
>   nd6 options=21
>   media: Ethernet 10Gbase-T (10Gbase-T )
>   status: active
>
> vimage22 / >ping -c 4 8.8.178.135
> PING 8.8.178.135 (8.8.178.135): 56 data bytes
>
> --- 8.8.178.135 ping statistics ---
> 4 packets transmitted, 0 packets received, 100.0% packet loss
> vimage22 / >exit
> exit
>
>
>
> # Stop the second vnet jail
> # /root >jail -f /etc/jail.conf.22 -r vimage22
> vimage22: removed
> Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
> Freed UMA keg was not empty (203 items). Lost 1 pages of memory.
> Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
> Freed UMA keg was not empty (10 items). Lost 2 pages of memory.
> Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
> hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required
> hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required
>
>
> # Stop the first vnet jail
> # /root >jail -f /etc/jail.conf -r vimage33
> vimage33: removed
> Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
> Freed UMA keg was not empty (203 items). Lost 1 pages of memory.
> Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
> Freed UMA keg was not empty (10 items). Lost 2 pages of memory.
> Freed UMA keg was not empty (30 items). Lost 2 pages of memory.
> hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required
> hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required
>
>
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 10:19:10 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 839DBC02 for ; Wed, 24 Apr 2013 10:19:10 +0000 (UTC) (envelope-from l.alebarde@free.fr) Received: from smtp1-g21.free.fr (smtp1-g21.free.fr [IPv6:2a01:e0c:1:1599::10]) by mx1.freebsd.org (Postfix) with ESMTP id 365221C0C for ; Wed, 24 Apr 2013 10:19:08 +0000 (UTC) Received: from [IPv6:2a01:e35:8b59:cce0::10] (unknown [IPv6:2a01:e35:8b59:cce0::10]) by smtp1-g21.free.fr (Postfix) with ESMTP id 62F8F940162 for ; Wed, 24 Apr 2013 12:19:04 +0200 (CEST) Message-ID: <5177B1A4.6060502@free.fr> Date: Wed, 24 Apr 2013 12:19:16 +0200 From: Laurent Alebarde User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20130116 Thunderbird/10.0.11 MIME-Version: 1.0 To: freebsd-jail@freebsd.org Subject: state of the art ?
References: <5177AE9C.1020300@free.fr> In-Reply-To: <5177AE9C.1020300@free.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 10:19:10 -0000

Hi all,

I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials, mainly:

* http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
* http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project

I have some questions please:

1. Are they still up-to-date?
2. Does the jail rc script still have to be patched to be able to use pf instead of IPFW?
3. What are the best up-to-date links for tutorials to set up ZFS ipv4/ipv6 vnet jails?
4. Can it be put in production safely or is it still considered experimental?

Cheers,

Laurent.

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 13:22:10 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 78F697C1 for ; Wed, 24 Apr 2013 13:22:10 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com) Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 5540014E4 for ; Wed, 24 Apr 2013 13:22:10 +0000 (UTC) Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 24 Apr 2013 06:22:06 -0700 Message-ID: <5177DC7A.5060500@a1poweruser.com> Date: Wed, 24 Apr 2013 09:22:02 -0400 From: Joe User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Laurent Alebarde Subject: Re: state of the art ?
References: <5177AE9C.1020300@free.fr> <5177B1A4.6060502@free.fr> In-Reply-To: <5177B1A4.6060502@free.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 24 Apr 2013 13:22:06.0579 (UTC) FILETIME=[B786EC30:01CE40EE] X-Sender: fbsd8@a1poweruser.com X-Authenticated-Sender: fbsd8@a1poweruser.com X-EchoSenderHash: [fbsd8]-[a1poweruser*com] Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 13:22:10 -0000

Laurent Alebarde wrote:
> Hi all,
>
> I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials,
> mainly:
>
> * http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
> * http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project
>
> I have some questions please:
>
> 1. Are they still up-to-date?
> 2. Does the jail rc script still have to be patched to be able to use pf
> instead of IPFW?
> 3. What are the best up-to-date links for tutorials to set up ZFS
> ipv4/ipv6 vnet jails?
> 4. Can it be put in production safely or is it still considered
> experimental?
>
> Cheers,
>
>
> Laurent.
>

In my opinion vimage is a very long way from being production safe. The biggest showstopper is the loss of memory pages when a vnet jail is stopped. See the year-old PR http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/164763

Besides the memory loss problem there is the problem of no support for SCTP. So YES, vimage is still experimental. Use at your own risk.

About vimage and firewalls: ipfw and pf in 9.1-RELEASE are vimage aware. That means when you boot your host and the host's /etc/rc.conf file has ipfw_enable="YES" or pf_enable="YES" statements in it, the system will come up without a page fault or panic. This does not necessarily mean that you can get one of those firewalls started inside of a vnet jail. Now that ipfilter has a maintainer it should be vimage aware in 10.0-RELEASE when it's published for general public use.

The shortcoming of both of those links is getting the vnet jail access to the public internet.

Playing with vimage on 9.1 is a great learning experience, but stick with regular jails for your production world for the maximum jail security.

zfs is a separate subject for vimage jails and normal jails. zfs is a very large and complicated subject. You need to become experienced using zfs on your host first before trying to combine zfs with jails.

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 13:50:05 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 618DC3E5 for ; Wed, 24 Apr 2013 13:50:05 +0000 (UTC) (envelope-from gofj-freebsd-jail@m.gmane.org) Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) by mx1.freebsd.org (Postfix) with ESMTP id 225A11653 for ; Wed, 24 Apr 2013 13:50:04 +0000 (UTC) Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from ) id 1UV05D-0002jC-A6 for freebsd-jail@freebsd.org; Wed, 24 Apr 2013 15:50:03 +0200 Received: from lfg31-1-88-181-156-206.fbx.proxad.net ([88.181.156.206]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 24 Apr 2013 15:50:03 +0200 Received: from l.alebarde by lfg31-1-88-181-156-206.fbx.proxad.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for ; Wed, 24 Apr 2013 15:50:03 +0200 X-Injected-Via-Gmane: http://gmane.org/ To: freebsd-jail@freebsd.org From: Laurent Alebarde Subject: Re: state of the art ?
Date: Wed, 24 Apr 2013 13:47:15 +0000 (UTC) Lines: 1 Message-ID: References: <5177AE9C.1020300@free.fr> <5177B1A4.6060502@free.fr> <5177DC7A.5060500@a1poweruser.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Complaints-To: usenet@ger.gmane.org X-Gmane-NNTP-Posting-Host: sea.gmane.org User-Agent: Loom/3.14 (http://gmane.org/) X-Loom-IP: 88.181.156.206 (Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11) X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 13:50:05 -0000 Thank you very much Joe for your detailed answer. From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 15:42:28 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 34D39AA2 for ; Wed, 24 Apr 2013 15:42:28 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com) Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 1BFD91CA8 for ; Wed, 24 Apr 2013 15:42:27 +0000 (UTC) Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 24 Apr 2013 08:42:28 -0700 Message-ID: <5177FD62.4080107@a1poweruser.com> Date: Wed, 24 Apr 2013 11:42:26 -0400 From: Joe User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Anders Hagman Subject: Re: jail(8) vimage epair bridge References: <5176892F.8050802@a1poweruser.com> <77E31AD0-ABE2-44FA-AB19-CF557038DEBE@netplex.se> In-Reply-To: <77E31AD0-ABE2-44FA-AB19-CF557038DEBE@netplex.se> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 24 Apr 2013 15:42:28.0606 (UTC) FILETIME=[537241E0:01CE4102] X-Sender: 
fbsd8@a1poweruser.com X-Authenticated-Sender: fbsd8@a1poweruser.com X-EchoSenderHash: [fbsd8]-[a1poweruser*com] Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 15:42:28 -0000 Anders Hagman wrote: > Hi > >> Hello list >> >> I am using jail(8) trying to get a functional vimage environment on my >> 9.1-RELEASE system. My PC only has a single real NIC facing the public >> internet. >> >> My goal is to be able to have multiple vimage jails, each with >> their own epairXa epairXb and bridgeX where the "X" is the jails JID >> number all having their traffic passing through the single rl0 real >> interface. The vnet.start script shown below handles this nicely. >> >> The problem is after the first vimage jail is started the rl0 interface >> gets marked as busy when the second vimage jail is started. >> >> How do I get all vnet jails to pass through the real rl0 interface? >> >> Thanks for you help >> >> >> >> # /root >cat /etc/jail.conf >> vimage33 { >> host.hostname = "vimage33"; >> path = "/usr/jails/vimage33"; >> mount.fstab = "/usr/local/etc/fstab/vimage33"; >> exec.start = "/bin/sh /etc/rc"; >> exec.stop = "/bin/sh /etc/rc.shutdown"; >> exec.consolelog = "/var/log/vimage33.console.log"; >> devfs_ruleset = "4"; >> allow.mount.devfs; >> vnet; >> exec.poststart="vnet.start vimage33 rl0"; >> exec.prestop="vnet.stop vimage33"; >> } >> >> # /root >cat /usr/local/bin/vnet.start >> #!/bin/sh >> jailname=$1 >> nicname=$2 >> >> jid=`jls -j ${jailname} jid` >> >> if [ "${jid}" -gt "100" ]; then >> echo " " >> echo "The JID value is greater then 100." >> echo "You must shutdown the host and reboot" >> echo "to zero out the JID counter and recover" >> echo "the lost memory from stopping vimage jails." 
>> echo " " >> exit 2 >> fi >> >> ifconfig bridge${jid} create > /dev/null 2> /dev/null >> ifconfig bridge${jid} 10.${jid}.0.1 >> ifconfig bridge${jid} up >> ifconfig epair${jid} create > /dev/null 2> /dev/null >> ifconfig bridge${jid} addm ${nicname} addm epair${jid}a >> ifconfig epair${jid}a up >> ifconfig epair${jid}b vnet ${jid} >> >> jexec ${jailname} ifconfig epair${jid}b 10.${jid}.0.2 >> jexec ${jailname} route add default 10.${jid}.0.1 > /dev/null 2> /dev/null >> jexec ${jailname} ifconfig lo0 127.0.0.1 >> >> >> # Display the hosts network view before starting any vnet jails >> # /root >ifconfig >> rl0: flags=8843 metric 0 mtu >> options=2008 >> ether 00:0c:6e:09:8b:74 >> inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7 >> nd6 options=29 >> media: Ethernet autoselect (100baseTX ) >> status: active >> lo0: flags=8049 metric 0 mtu 16384 >> options=600003 >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 >> inet 127.0.0.1 netmask 0xff000000 >> nd6 options=21 >> >> # Start the first vnet jail >> # /root >jail -f /etc/jail.conf -c vimage33 >> vimage33: created >> bridge1: Ethernet address: 02:8f:94:84:0c:02 >> epair1a: Ethernet address: 02:c0:a4:00:0b:0a >> epair1b: Ethernet address: 02:c0:a4:00:0c:0b >> >> >> # /root >jls >> JID IP Address Hostname Path >> 1 - vimage33 /usr/jails/vimage33 >> >> >> # Lets display the hosts network after the first vnet jail has started >> # /root >ifconfig >> rl0: flags=8943 metric >> options=2008 >> ether 00:0c:6e:09:8b:74 >> inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7 >> nd6 options=29 >> media: Ethernet autoselect (100baseTX ) >> status: active >> >> lo0: flags=8049 metric 0 mtu 16384 >> options=600003 >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 >> inet 127.0.0.1 netmask 0xff000000 >> nd6 options=21 >> bridge1: flags=8843 metric >> ether 02:8f:94:84:0c:01 >> inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255 >> nd6 options=21 >> id 00:00:00:00:00:00 
priority 32768 hellotime 2 fwddelay 15 >> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 >> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 >> member: epair1a flags=143 >> ifmaxaddr 0 port 9 priority 128 path cost 14183 >> member: rl0 flags=143 >> ifmaxaddr 0 port 5 priority 128 path cost 200000 >> epair1a: flags=8943 >> options=8 >> ether 02:c0:a4:00:09:0a >> inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9 >> nd6 options=21 >> media: Ethernet 10Gbase-T (10Gbase-T ) >> status: active >> >> >> # Login to the vnet jail and display the jails view of the network >> # /root >jexec vimage33 tcsh >> vimage33 / >ifconfig >> lo0: flags=8049 metric 0 mtu 16384 >> options=600003 >> inet 127.0.0.1 netmask 0xff000000 >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 >> nd6 options=21 >> epair1b: flags=8843 metric 0 >> options=8 >> ether 02:c0:a4:00:0a:0b >> inet 10.1.0.2 netmask 0xff000000 broadcast 10.255.255.255 >> inet6 fe80::c0:a4ff:fe00:a0b%epair1b prefixlen 64 scopeid 0x2 >> nd6 options=21 >> media: Ethernet 10Gbase-T (10Gbase-T ) >> status: active >> >> >> # Yes the vnet jail can reach the public network >> vimage33 / >ping -c 4 8.8.178.135 >> PING 8.8.178.135 (8.8.178.135): 56 data bytes >> 64 bytes from 8.8.178.135: icmp_seq=0 ttl=51 time=84.645 ms >> 64 bytes from 8.8.178.135: icmp_seq=1 ttl=51 time=86.950 ms >> 64 bytes from 8.8.178.135: icmp_seq=2 ttl=51 time=83.274 ms >> 64 bytes from 8.8.178.135: icmp_seq=3 ttl=51 time=82.660 ms >> >> --- 8.8.178.135 ping statistics --- >> 4 packets transmitted, 4 packets received, 0.0% packet loss >> round-trip min/avg/max/stddev = 82.660/84.382/86.950/1.647 ms >> >> vimage33 / >exit >> exit >> >> >> # Lets start the second vnet jail >> # /root >cat /etc/jail.conf.22 >> vimage22 { >> host.hostname = "vimage22"; >> path = "/usr/jails/vimage22"; >> mount.fstab = "/usr/local/etc/fstab/vimage22"; >> exec.start = "/bin/sh /etc/rc"; >> exec.stop = "/bin/sh /etc/rc.shutdown"; >> 
exec.consolelog = "/var/log/vimage22.console.log"; >> devfs_ruleset = "4"; >> allow.mount.devfs; >> vnet; >> exec.poststart="vnet.start vimage22 rl0"; >> exec.prestop="vnet.stop vimage22"; >> } >> >> >> # /root >jail -f /etc/jail.conf.22 -c vimage22 >> vimage22: created >> >> # Notice this message about rl0 >> ifconfig: BRDGADD rl0: Device busy >> >> bridge2: Ethernet address: 02:8f:94:84:0c:02 >> epair2a: Ethernet address: 02:c0:a4:00:0b:0a >> epair2b: Ethernet address: 02:c0:a4:00:0c:0b >> >> >> >> # Lets check the hosts view of the network - no rl0 on bridge2 >> # /root >ifconfig >> rl0: flags=8943 >> options=2008 >> ether 00:0c:6e:09:8b:74 >> inet 10.0.10.5 netmask 0xfffffff8 broadcast 10.0.10.7 >> nd6 options=29 >> media: Ethernet autoselect (100baseTX ) >> status: active >> lo0: flags=8049 metric 0 mtu 16384 >> options=600003 >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 >> inet 127.0.0.1 netmask 0xff000000 >> nd6 options=21 >> bridge1: flags=8843 metric 0 >> ether 02:8f:94:84:0c:01 >> inet 10.1.0.1 netmask 0xff000000 broadcast 10.255.255.255 >> nd6 options=21 >> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 >> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 >> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 >> member: epair1a flags=143 >> ifmaxaddr 0 port 9 priority 128 path cost 14183 >> member: rl0 flags=143 >> ifmaxaddr 0 port 5 priority 128 path cost 200000 >> epair1a: flags=8943 >> options=8 >> ether 02:c0:a4:00:09:0a >> inet6 fe80::c0:a4ff:fe00:90a%epair1a prefixlen 64 scopeid 0x9 >> nd6 options=21 >> media: Ethernet 10Gbase-T (10Gbase-T ) >> status: active >> bridge2: flags=8843 metric 0 >> ether 02:8f:94:84:0c:02 >> inet 10.2.0.1 netmask 0xff000000 broadcast 10.255.255.255 >> nd6 options=21 >> id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 >> maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 >> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 >> epair2a: flags=8843 
metric 0 >> options=8 >> ether 02:c0:a4:00:0b:0a >> inet6 fe80::c0:a4ff:fe00:b0a%epair2a prefixlen 64 scopeid 0xb >> nd6 options=21 >> media: Ethernet 10Gbase-T (10Gbase-T ) >> status: active >> >> >> # /root >jls >> JID IP Address Hostname Path >> 1 - vimage33 /usr/jails/vimage33 >> 2 - vimage22 /usr/jails/vimage22 >> >> # login to second vnet jail and see if it has public internet connection >> # /root >jexec vimage22 tcsh >> vimage22 / >ifconfig >> lo0: flags=8049 metric 0 mtu 16384 >> options=600003 >> inet 127.0.0.1 netmask 0xff000000 >> inet6 ::1 prefixlen 128 >> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 >> nd6 options=21 >> epair2b: flags=8843 metric 0 >> options=8 >> ether 02:c0:a4:00:0c:0b >> inet 10.2.0.2 netmask 0xff000000 broadcast 10.255.255.255 >> inet6 fe80::c0:a4ff:fe00:c0b%epair2b prefixlen 64 scopeid 0x2 >> nd6 options=21 >> media: Ethernet 10Gbase-T (10Gbase-T ) >> status: active >> >> vimage22 / >ping -c 4 8.8.178.135 >> PING 8.8.178.135 (8.8.178.135): 56 data bytes >> >> --- 8.8.178.135 ping statistics --- >> 4 packets transmitted, 0 packets received, 100.0% packet loss >> vimage22 / >exit >> exit >> >> >> >> # Stop the second vnet jail >> # /root >jail -f /etc/jail.conf.22 -r vimage22 >> vimage22: removed >> Freed UMA keg was not empty (30 items). Lost 2 pages of memory. >> Freed UMA keg was not empty (203 items). Lost 1 pages of memory. >> Freed UMA keg was not empty (30 items). Lost 2 pages of memory. >> Freed UMA keg was not empty (10 items). Lost 2 pages of memory. >> Freed UMA keg was not empty (30 items). Lost 2 pages of memory. >> hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required >> hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required >> >> >> # Stop the first vnet jail >> # /root >jail -f /etc/jail.conf -r vimage33 >> vimage33: removed >> Freed UMA keg was not empty (30 items). Lost 2 pages of memory. >> Freed UMA keg was not empty (203 items). Lost 1 pages of memory. >> Freed UMA keg was not empty (30 items). 
Lost 2 pages of memory. >> Freed UMA keg was not empty (10 items). Lost 2 pages of memory. >> Freed UMA keg was not empty (30 items). Lost 2 pages of memory. >> hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required >> hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required >> >> >>
>
>
> You don't need more than one bridge.
> Only connect the rl0 interface to the bridge one time.
> Connect each jail's epairXa to the bridge.
> Create an alias for each jail's IP on the bridge.
> Put the epairXb in the right jail.
>
> If you want separation, create vlan interfaces.
> Connect them to rl0 and put them inside the jail.
>
>

Thank you Anders, I was able to figure out the solution which I am posting here for the archives.

#!/bin/sh
# vnet.start: attach a vnet jail to the single shared bridge (bridge0).
# Called from exec.poststart in jail.conf as: vnet.start <jailname> <real nic>
jailname=$1
nicname=$2

if [ $# -ne 2 ]; then
    echo "usage: $0 jailname nicname" >&2
    exit 1
fi

jid=$(jls -j "${jailname}" jid)

# Workaround for the memory lost each time a vnet jail is stopped (the
# "Freed UMA keg was not empty" messages): refuse to run once the JID
# counter has passed 100, which also means the host needs a reboot.
if [ "${jid}" -gt 100 ]; then
    echo ""
    echo "The JID value is greater than 100."
    echo "You must shutdown the host and reboot"
    echo "to zero out the JID counter and recover"
    echo "the lost memory from stopping vimage jails."
    echo ""
    exit 2
fi

# Create the one shared bridge on first use and add the real NIC to it
# exactly once. A NIC can be a member of only one bridge; adding it a
# second time is what produced "BRDGADD rl0: Device busy" above.
if ! ifconfig bridge0 > /dev/null 2>&1; then
    ifconfig bridge0 create
    ifconfig bridge0 addm "${nicname}"
    ifconfig bridge0 up
fi

# One /24 per jail on the shared bridge. Without an explicit netmask the
# alias gets the classful /8 default and every jail's subnet overlaps.
ifconfig bridge0 alias "10.${jid}.0.1" netmask 255.255.255.0

# Create this jail's epair: the "a" end stays on the host bridge, the
# "b" end is moved into the jail's vnet.
ifconfig "epair${jid}" create > /dev/null 2>&1
ifconfig bridge0 addm "epair${jid}a"
ifconfig "epair${jid}a" up
ifconfig "epair${jid}b" vnet "${jid}"

# Inside the jail: address on its /24, default route via the bridge
# alias, and loopback.
jexec "${jailname}" ifconfig "epair${jid}b" "10.${jid}.0.2" netmask 255.255.255.0
jexec "${jailname}" route add default "10.${jid}.0.1" > /dev/null 2>&1
jexec "${jailname}" ifconfig lo0 127.0.0.1

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 17:13:59 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id E5DEF31B for ; Wed, 24 Apr 2013 17:13:59 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com) Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id D085E1170 for ; Wed, 24 Apr 2013 17:13:59 +0000 (UTC) Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 24 Apr 2013 10:14:00 -0700 Message-ID: <517812D4.2010304@a1poweruser.com> Date: Wed, 24 Apr 2013 13:13:56 -0400 From: Joe User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: "freebsd-jail@freebsd.org" Subject: How to start a firewall in a vimage jail Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 24 Apr 2013 17:14:00.0679 (UTC) FILETIME=[1CFA1770:01CE410F] X-Sender: fbsd8@a1poweruser.com X-Authenticated-Sender: fbsd8@a1poweruser.com X-EchoSenderHash: [fbsd8]-[a1poweruser*com] X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013
17:14:00 -0000 Hello I am having a very difficult time getting pf firewall to start in a vimage jail on 9.1-RELEASE. Is this at all possible? If this can be done, would you please share the details on how it's done? Thanks From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 17:33:26 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 9B596BD8 for ; Wed, 24 Apr 2013 17:33:26 +0000 (UTC) (envelope-from Dave.Robison@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id 6E5591246 for ; Wed, 24 Apr 2013 17:33:26 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.31]) by ltcfislmsgpa03.fnfis.com (8.14.5/8.14.5) with ESMTP id r3OHXIpR010903 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Wed, 24 Apr 2013 12:33:18 -0500 Received: from lefty.vicor.com (10.242.182.122) by smtp.fisglobal.com (10.132.206.31) with Microsoft SMTP Server (TLS) id 14.2.309.2; Wed, 24 Apr 2013 12:33:18 -0500 Message-ID: <5178175E.5020604@fisglobal.com> Date: Wed, 24 Apr 2013 10:33:18 -0700 From: "Robison, Dave" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130407 Thunderbird/17.0.5 MIME-Version: 1.0 To: Subject: Re: How to start a firewall in a vimage jail References: <517812D4.2010304@a1poweruser.com> In-Reply-To: <517812D4.2010304@a1poweruser.com> X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit X-Originating-IP: [10.242.182.122] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8626, 1.0.431, 0.0.0000 definitions=2013-04-24_07:2013-04-24,2013-04-24,1970-01-01 signatures=0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: david.robison@fisglobal.com List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 17:33:26 -0000 On 04/24/2013 10:13, Joe wrote: > Hello > > I am having a very difficult time getting pf firewall to start in a vimage jail on 9.1-RELEASE. > > Is this at all possible? > > If this can be done, would you please share the details on how it's done? > > Thanks > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > Vimage doesn't yet support PF. IPFW works, however. -- Dave Robison Sales Solution Architect II FIS Banking Solutions 510/621-2089 (w) 530/518-5194 (c) 510/621-2020 (f) daver@vicor.com david.robison@fisglobal.com _____________ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. 
From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 17:40:27 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 4EEABF82 for ; Wed, 24 Apr 2013 17:40:27 +0000 (UTC) (envelope-from Dave.Robison@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id 2135B129F for ; Wed, 24 Apr 2013 17:40:26 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.16]) by ltcfislmsgpa07.fnfis.com (8.14.5/8.14.5) with ESMTP id r3OHeQvg032139 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Wed, 24 Apr 2013 12:40:26 -0500 Received: from lefty.vicor.com (10.242.182.122) by smtp.fisglobal.com (10.132.206.16) with Microsoft SMTP Server (TLS) id 14.2.309.2; Wed, 24 Apr 2013 12:40:25 -0500 Message-ID: <51781908.8070806@fisglobal.com> Date: Wed, 24 Apr 2013 10:40:24 -0700 From: "Robison, Dave" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130407 Thunderbird/17.0.5 MIME-Version: 1.0 To: Subject: Re: state of the art ? References: <5177AE9C.1020300@free.fr> <5177B1A4.6060502@free.fr> <5177DC7A.5060500@a1poweruser.com> In-Reply-To: X-Enigmail-Version: 1.5.1 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit X-Originating-IP: [10.242.182.122] X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8626, 1.0.431, 0.0.0000 definitions=2013-04-24_07:2013-04-24,2013-04-24,1970-01-01 signatures=0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: david.robison@fisglobal.com List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 17:40:27 -0000 On 04/24/2013 06:47, Laurent Alebarde wrote: > Thank you very much Joe for your detailed answer. 
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

We use vimages pretty extensively. I use them both at work and on my personal sites. Devin wrote up a pretty good page about them.

http://devinteske.com/vimage-jails-on-freebsd-8

HTH

-- Dave Robison Sales Solution Architect II FIS Banking Solutions 510/621-2089 (w) 530/518-5194 (c) 510/621-2020 (f) daver@vicor.com david.robison@fisglobal.com
From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 17:54:49 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 3D4774E8 for ; Wed, 24 Apr 2013 17:54:49 +0000 (UTC) (envelope-from Devin.Teske@fisglobal.com) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) by mx1.freebsd.org (Postfix) with ESMTP id 0D3DC131F for ; Wed, 24 Apr 2013 17:54:48 +0000 (UTC) Received: from smtp.fisglobal.com ([10.132.206.16]) by ltcfislmsgpa01.fnfis.com (8.14.5/8.14.5) with ESMTP id r3OHsmr1007455 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Wed, 24 Apr 2013 12:54:48 -0500 Received: from LTCFISWMSGMB21.FNFIS.com ([10.132.99.23]) by LTCFISWMSGHT05.FNFIS.com ([10.132.206.16]) with mapi id 14.02.0309.002; Wed, 24 Apr 2013 12:54:47 -0500 From: "Teske, Devin" To: "Robison, Dave" Subject: Re: How to start a firewall in a vimage jail Thread-Topic: How to start a firewall in a vimage jail Thread-Index: AQHOQQ8gtidaEiIMHUG8bUA48G/K9pjl9VEAgAAGAIA= Date: Wed, 24 Apr 2013 17:54:47 +0000 Message-ID: <13CA24D6AB415D428143D44749F57D7201F1DE32@ltcfiswmsgmb21> References: <517812D4.2010304@a1poweruser.com> <5178175E.5020604@fisglobal.com> In-Reply-To: <5178175E.5020604@fisglobal.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.132.253.126] Content-Type: text/plain; charset="us-ascii" Content-ID: <87045D10558C2843A897914572405BB6@fisglobal.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8626, 1.0.431, 0.0.0000 definitions=2013-04-24_07:2013-04-24,2013-04-24,1970-01-01 signatures=0 Cc: " Jail" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , 
X-List-Received-Date: Wed, 24 Apr 2013 17:54:49 -0000 On Apr 24, 2013, at 10:33 AM, Robison, Dave wrote:

> On 04/24/2013 10:13, Joe wrote:
>> Hello
>>
>> I am having a very difficult time getting pf firewall to start in a vimage jail on 9.1-RELEASE.
>>
>> Is this at all possible?
>>
>> If this can be done, would you please share the details on how it's done?
>>
>> Thanks
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>>
>
> Vimage doesn't yet support PF. IPFW works, however.
>

Although one can successfully compile a kernel that has both the VIMAGE option and "device pf" enabled, I've never tried pf inside a vimage.

Maybe someone with some good pf experience can give it a go.

I know ipfw works all the way.

And as we (Joe and I) explored already, a kernel with IPFILTER option (for ipf) will not work with VIMAGE (kernel panic at boot).

--
Devin
From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 19:54:27 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 0B794AC0 for ; Wed, 24 Apr 2013 19:54:27 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com) Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id E84551B3B for ; Wed, 24 Apr 2013 19:54:26 +0000 (UTC) Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 24 Apr 2013 12:54:27 -0700 Message-ID: <5178386C.8010502@a1poweruser.com> Date: Wed, 24 Apr 2013 15:54:20 -0400 From: Joe User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: "Teske, Devin" Subject: Re: How to start a firewall in a vimage jail References: <517812D4.2010304@a1poweruser.com> <5178175E.5020604@fisglobal.com> <13CA24D6AB415D428143D44749F57D7201F1DE32@ltcfiswmsgmb21> In-Reply-To: <13CA24D6AB415D428143D44749F57D7201F1DE32@ltcfiswmsgmb21> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 24 Apr 2013 19:54:27.0634 (UTC) FILETIME=[8716D920:01CE4125] X-Sender: fbsd8@a1poweruser.com X-Authenticated-Sender: fbsd8@a1poweruser.com X-EchoSenderHash: [fbsd8]-[a1poweruser*com] Cc: " Jail" , "Robison, Dave" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 19:54:27 -0000 Teske, Devin wrote: > On Apr 24, 2013, at 10:33 AM, Robison, Dave wrote: > >> On 04/24/2013 10:13, Joe wrote: >>> Hello >>> >>> I am having a very difficult time getting pf firewall to start in a vimage jail on 9.1-RELEASE. >>> >>> Is this at all possible? 
>>>
>>> If this can be done, would you please share the details on how it's done?
>>>
>>> Thanks
>>>
>> Vimage doesn't yet support PF. IPFW works, however.
>>
>
> Although one can successfully compile a kernel that has both the VIMAGE option and
> "device pf" enabled, I've never tried pf inside a vimage.
>
> Maybe someone with some good pf experience can give it a go.
>
> I know ipfw works all the way.
>
> And as we (Joe and I) explored already, a kernel with IPFILTER option (for ipf)
> will not work with VIMAGE (kernel panic at boot).

OK, let's change the question from setting up pf inside of a vimage jail to how to set up ipfw to run from inside of a vimage jail.

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 24 20:07:38 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 43B99FE4 for ; Wed, 24 Apr 2013 20:07:38 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com) Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 32FB81C19 for ; Wed, 24 Apr 2013 20:07:37 +0000 (UTC) Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 24 Apr 2013 13:07:39 -0700 Message-ID: <51783B89.9080701@a1poweruser.com> Date: Wed, 24 Apr 2013 16:07:37 -0400 From: Joe User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Anders Hagman Subject: Re: jail(8) vimage epair bridge References: <5176892F.8050802@a1poweruser.com> <77E31AD0-ABE2-44FA-AB19-CF557038DEBE@netplex.se> In-Reply-To: <77E31AD0-ABE2-44FA-AB19-CF557038DEBE@netplex.se> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 24 Apr 2013 20:07:39.0494 (UTC) FILETIME=[5F131860:01CE4127] X-Sender: fbsd8@a1poweruser.com X-Authenticated-Sender: fbsd8@a1poweruser.com X-EchoSenderHash:
[fbsd8]-[a1poweruser*com] Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2013 20:07:38 -0000 Anders Hagman wrote:

> Hi
>
> On 23 Apr 2013, at 15:14, Joe wrote:
>
>> Hello list
>>
>> I am using jail(8) trying to get a functional vimage environment on my
>> 9.1-RELEASE system. My PC only has a single real NIC facing the public
>> internet.
>>
>> My goal is to be able to have multiple vimage jails, each with
>> their own epairXa, epairXb and bridgeX, where the "X" is the jail's JID
>> number, all having their traffic passing through the single rl0 real
>> interface. The vnet.start script shown below handles this nicely.
>>
>> The problem is that after the first vimage jail is started, the rl0 interface
>> gets marked as busy when the second vimage jail is started.
>>
> You don't need more than one bridge.
> Connect all epairXa and the rl0 interface to the bridge. Put the epairXb in the right jail.
>
> If you want separation, create vlan interfaces.
> Connect them to rl0 and put them inside the jail.
>

Hello Anders;

Now that I have a bridge/epair solution, I would like to learn the vlan method you spoke about. Would you please provide some details about how it could be done? I have never used vlan before.

Thanks for your help.
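The vlan variant Anders sketches (create a vlan interface on rl0, move it into the jail) is not written out anywhere in the thread; the script below is an added example in the style of Joe's vnet.start, not code from the thread or from FreeBSD. It assumes the upstream switch port carries the tagged VLAN IDs, that rl0 stays up on the host, that the jail is already running so that jls -j name jid resolves, and that the addresses 10.0.10.2/24 and 10.0.10.1 are placeholders for whatever the VLAN uses. With DRY_RUN set it only prints the commands, which is how it can be checked without a FreeBSD host.

```shell
#!/bin/sh
# vlan.sh: give a vimage jail its own 802.1Q VLAN on the host's real NIC.
# Added example for the thread, not code from it. Assumptions: the switch
# port is a trunk carrying the VLAN ID, the parent NIC (rl0) stays on the
# host, and the jail is already running. DRY_RUN=1 prints instead of runs.
#
# Usage: vlan.sh JAILNAME VLANID NIC ADDR/PREFIX GATEWAY
#        vlan.sh www 10 rl0 10.0.10.2/24 10.0.10.1

# run CMD...: execute CMD, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vlan_attach JID VLANID NIC ADDR/PREFIX GATEWAY
# The vlan device must be created on the host, because only the host can
# name the parent NIC; once handed over with "vnet" it disappears from the
# host's ifconfig output and is configured from inside the jail.
vlan_attach() {
    jid=$1; vid=$2; nic=$3; addr=$4; gw=$5
    vif="vlan${vid}"
    run ifconfig "${vif}" create vlan "${vid}" vlandev "${nic}"
    run ifconfig "${vif}" vnet "${jid}"
    run jexec "${jid}" ifconfig lo0 inet 127.0.0.1/8
    run jexec "${jid}" ifconfig "${vif}" inet "${addr}"
    run jexec "${jid}" route add default "${gw}"
}

# vlan_detach JID VLANID: reclaim the interface from the jail's vnet and
# destroy it on the host. Do this before removing the jail so the cloned
# device does not linger.
vlan_detach() {
    jid=$1; vid=$2
    vif="vlan${vid}"
    run ifconfig "${vif}" -vnet "${jid}"
    run ifconfig "${vif}" destroy
}

# Script entry point; skipped when the file is sourced without arguments.
if [ $# -eq 5 ]; then
    jid=$(jls -j "$1" jid) || exit 1
    vlan_attach "${jid}" "$2" "$3" "$4" "$5"
fi
```

Unlike the bridge/epair layout, no bridge is involved and rl0 never has to be attached anywhere: each jail only sees frames tagged with its own VLAN ID, and two jails on different IDs cannot see each other's traffic unless the switch routes between them. Untagged traffic on rl0 still belongs to the host. The one-time cost is on the switch side, where the port has to be a trunk for every VLAN ID in use.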
From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 01:22:42 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 805F2853; Thu, 25 Apr 2013 01:22:42 +0000 (UTC) (envelope-from mjguzik@gmail.com) Received: from mail-we0-x230.google.com (mail-we0-x230.google.com [IPv6:2a00:1450:400c:c03::230]) by mx1.freebsd.org (Postfix) with ESMTP id E77901780; Thu, 25 Apr 2013 01:22:41 +0000 (UTC) Received: by mail-we0-f176.google.com with SMTP id s10so2177456wey.35 for ; Wed, 24 Apr 2013 18:22:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:date:from:to:cc:subject:message-id:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; bh=6Ts3SIA2TK+PZMupQ7qvVMJNZ+Wc9ruBrcVzNLtrYhU=; b=QTwftxpVy7hOq6XV61EGm2fy9/iLQQ2Nk7yDPVr432EOoCeJ1xzoi1dU5egdQFjlmU fbikrTGOaAoUPBjcCxdMWLSIkFC+bz90ln1Mov4oLO/UAIKvZQ0UWiKdXWrimE6v/His Dnw9mSZx4GIrgnFqTdim1dmTp6xxECGbrhE/praoIqFzDwq3Ojcp96vZXohj23BuYQ+u bn6zu10/Gs6Lghxszq9jON11701Z+/lOBhdsB9hqAb/HY92mmyU0/JImK9Ll22jx2Cq8 iohxHkvpQY+Ag+nC3YBroeNSH8lccpJoe7Bd7seiGMJjW65tGhihdaLMMIiD/BPz03qA G3nA== X-Received: by 10.194.5.196 with SMTP id u4mr72199217wju.54.1366852960303; Wed, 24 Apr 2013 18:22:40 -0700 (PDT) Received: from dft-labs.eu (n1x0n-1-pt.tunnel.tserv5.lon1.ipv6.he.net. [2001:470:1f08:1f7::2]) by mx.google.com with ESMTPSA id q20sm7588432wiv.7.2013.04.24.18.22.38 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 24 Apr 2013 18:22:38 -0700 (PDT) Date: Thu, 25 Apr 2013 03:22:36 +0200 From: Mateusz Guzik To: Jamie Gritton Subject: Re: automatic garbage collection of stuff mounted (etc.) 
by jailed root Message-ID: <20130425012236.GB23151@dft-labs.eu> References: <20130422091711.GA3115@dft-labs.eu> <517553B0.6010602@FreeBSD.org> <517575BF.8020305@quip.cz> <51758192.2050300@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <51758192.2050300@FreeBSD.org> User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 01:22:42 -0000 On Mon, Apr 22, 2013 at 12:29:38PM -0600, Jamie Gritton wrote: > On 04/22/13 11:39, Miroslav Lachman wrote: > >>This already happens when jails are created using a jail.conf file. Any > >>mounts there are unmounted as part of the jail removal process. Just > >>recently I fixed it to properly do this unmounting in reverse order. > > > >Do you mean mounts defined in jail.conf or all mounts manually done by > >root user in jail? > > > > Ah, I see the difference. Yes, that's only for mounts in the jail.conf. > For mounts done by the jail itself, I guess we would go off the mount > record's credential. So is this something you expect to be happening > entirely in the kernel? > If we want to clean this up from userspace, we need to teach the kernel how to export vnet and mount table of a jail and then it would be nice to teach jls how to print it (or maybe create a separate tool - jstat?), and of course jail(8) how to use this information to clean things up. Bonus points if jail(8) -r is able to clean up the jail without looking at config file. 
I would prefer if the jail would be able to just die if no problems were encountered, and that is easily done with a kernel-only implementation, but this still would benefit from the features described above (the difference would be that if someone wants to kill the jail, jail(8) would only call jail_remove). If the jail could not die because some clean-up operations failed, jls (or jstat) would show what resources are remaining along with an error message (say, fs could not be unmounted because it was busy). And then the user can fix the problem and do jail(8) -r to re-run the kernel clean-up, or clean up on his own (say, unmount filesystems), which effectively should kill the jail.

Thoughts?

--
Mateusz Guzik

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 01:40:30 2013 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id DD66AA27 for ; Thu, 25 Apr 2013 01:40:30 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from m2.gritton.org (gritton.org [199.192.164.235]) by mx1.freebsd.org (Postfix) with ESMTP id B25AF17DA for ; Thu, 25 Apr 2013 01:40:30 +0000 (UTC) Received: from glorfindel.gritton.org (c-24-10-224-248.hsd1.ut.comcast.net [24.10.224.248]) (authenticated bits=0) by m2.gritton.org (8.14.5/8.14.5) with ESMTP id r3P1eNWE054097; Wed, 24 Apr 2013 19:40:23 -0600 (MDT) (envelope-from jamie@FreeBSD.org) Message-ID: <51788985.7080406@FreeBSD.org> Date: Wed, 24 Apr 2013 19:40:21 -0600 From: Jamie Gritton User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.24) Gecko/20120129 Thunderbird/3.1.16 MIME-Version: 1.0 To: Mateusz Guzik Subject: Re: automatic garbage collection of stuff mounted (etc.)
by jailed root References: <20130422091711.GA3115@dft-labs.eu> <517553B0.6010602@FreeBSD.org> <517575BF.8020305@quip.cz> <51758192.2050300@FreeBSD.org> <20130425012236.GB23151@dft-labs.eu> In-Reply-To: <20130425012236.GB23151@dft-labs.eu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 01:40:30 -0000 On 04/24/13 19:22, Mateusz Guzik wrote: > On Mon, Apr 22, 2013 at 12:29:38PM -0600, Jamie Gritton wrote: >> On 04/22/13 11:39, Miroslav Lachman wrote: >>>> This already happens when jails are created using a jail.conf file. Any >>>> mounts there are unmounted as part of the jail removal process. Just >>>> recently I fixed it to properly do this unmounting in reverse order. >>> >>> Do you mean mounts defined in jail.conf or all mounts manually done by >>> root user in jail? >>> >> >> Ah, I see the difference. Yes, that's only for mounts in the jail.conf. >> For mounts done by the jail itself, I guess we would go off the mount >> record's credential. So is this something you expect to be happening >> entirely in the kernel? >> > > If we want to clean this up from userspace, we need to teach the kernel how > to export vnet and mount table of a jail and then it would be nice to teach > jls how to print it (or maybe create a separate tool - jstat?), and of > course jail(8) how to use this information to clean things up. > > Bonus points if jail(8) -r is able to clean up the jail without looking at > config file. 
>
> I would prefer if the jail would be able to just die if no problems were
> encountered and that is easily done with a kernel-only implementation,
> but this still would benefit from features described above (the
> difference would be that if someone wants to kill the jail, jail(8)
> would only call jail_remove). If jail could not die because some clean
> up operations failed, jls (or jstat) would show what resources are
> remaining along with error message (say, fs could not be unmounted
> because it was busy). And then the user can fix the problem and do
> jail(8) -r to re-run kernel clean up or clean on his own (say, unmount
> filesystems), which effectively should kill the jail.
>
> Thoughts?

If the kernel was able to export vnet and mounts, I would want jls to be the tool to show it. At least I wouldn't want to add another tool; a "-j jailname" option to df and ifconfig is an intriguing option.

If jail(8) can get this information, then I would definitely want jail -r to clean it up; it doesn't matter whether or not there's a config file, since we're talking about things that are done outside the config file anyway.

Vnet's a little tricky because there are two kinds of interfaces in a vnet jail: those that were imported into the jail, and those that the jail has created itself. I don't know if the kernel knows anything about the difference between them, but it would make sense for the former to be returned to the host (which is the case) and the latter to be deleted (which I have no idea about).

I still prefer that this be done in the kernel. For example, mount points have a credential attached, and that means that a removed jail will stick around as a zombie until it's unmounted.
- Jamie From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 05:49:04 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id BF93C981 for ; Thu, 25 Apr 2013 05:49:04 +0000 (UTC) (envelope-from zulu@openvps.biz) Received: from mgw.cellcontainer.com (mgw.cellcontainer.com [87.229.77.135]) by mx1.freebsd.org (Postfix) with ESMTP id 329731060 for ; Thu, 25 Apr 2013 05:49:03 +0000 (UTC) Received: from mgw.cellcontainer.com (unknown [192.168.1.10]) by mgw.cellcontainer.com (Postfix) with ESMTP id D535FAE11 for ; Thu, 25 Apr 2013 05:40:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=openvps.biz; h=message-id :date:subject:from:to:mime-version:content-type:in-reply-to :references; s=selector1; bh=RXNCZ2FYxshRJNq7u66+Au3D9dM=; b=OW3 KCEe0qROPmcRU4m+X4EwCBBC+k7WYEHa98tkl4eACmbOyve/czXmK9+TwHhLytql VkDIBwxLa08+QpQ+rqIPomVbuAtCKWSuMgS3eVec1xifhrbeH6gK0sYY1D/g3HkW JnvDoehVtdSQqduPBX7/OlHon8X1DTS3S8Q+P1KM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=openvps.biz; h=message-id :date:subject:from:to:mime-version:content-type:in-reply-to :references; q=dns; s=selector1; b=sODA8+l/+JYaUb3GQaKLbm9bUYGAH KM/Eb4uqm/Yg3SSjK9CkufrVzpcEReJpJLWlNQFjNX6pqmjG8C/s3Buzv86EuumK BVy5m+UkerjVoRF2Ay8WVgI8vhybTamiBNYvxzG/mndLUAefLJfrn21DppXCOJUK 6RltvUMc7ujhDk= Received: from gpo.cellcontainer.com (unknown [192.168.1.15]) by mgw.cellcontainer.com (Postfix) with ESMTP id C0317AE10 for ; Thu, 25 Apr 2013 05:40:50 +0000 (UTC) Received: by gpo.cellcontainer.com (Postfix, from userid 58) id A6BFB798E0; Thu, 25 Apr 2013 05:40:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on gpo.cellcontainer.com X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, HTML_MESSAGE autolearn=unavailable version=3.3.2 Received: from gpo.cellcontainer.com (gpo.cellcontainer.com [192.168.1.15]) by gpo.cellcontainer.com (Postfix) with ESMTP id 4DE1C798C0; Thu, 
25 Apr 2013 05:40:48 +0000 (UTC) Message-ID: <1366868448.5178c1e04043f@gpo.cellcontainer.com> Date: Thu, 25 Apr 2013 17:40:48 +1200 Subject: Re: state of the art ? From: zulu To: Laurent Alebarde , "freebsd-jail@freebsd.org" MIME-Version: 1.0 X-MimeOLE: Produced by Group-Office 3.7.41 In-Reply-To: <5177B1A4.6060502@free.fr> X-Priority: 3 (Normal) References: <5177B1A4.6060502@free.fr> X-Mailer: Group-Office 3.7.41 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 05:49:04 -0000

Maybe this is what you need: http://sourceforge.net/projects/zjails/ . It doesn't require any advanced ZFS or VNET knowledge (just a working ZFS pool and VIMAGE kernel). VNET is supported and there is a "soft" jail restart option which prevents the "kern/164763: Memory leak in VNET" issue from appearing. You can also run non-VNET ZFS jails; you can turn VNET on or off by simply executing "zjail set vnet=off/on myjailname", then restarting the jail with "zjail restart -c myjailname".

On FreeBSD 9.1 amd64, pf inside a jail will cause an immediate kernel panic once you run pfctl in the jail; IPFW works, as already stated by others. You can have pf enabled on the host, however, and have the IPFW firewall in jails.

Cheers,
Peter

On Wednesday, 24-04-2013 on 22:19 Laurent Alebarde wrote:

Hi all,

I am a FreeBSD/Jail/vnet newbie. I read a lot of posts and tutorials, mainly:
 * http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet
 * http://archive.0xfeedface.org/blog/2011-11-21/lattera/freebsd-vnet-jail-admin-project

I have some questions please:
1. Are they still up-to-date?
2.
Does the jail rc script still have to be patched to be able to use pf instead of IPFW?
3. What are the best up-to-date links for tutorials to set up ZFS ipv4/ipv6 vnet jails?
4. Can it be put in production safely or is it still considered experimental?

Cheers,
Laurent.

_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 09:11:18 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 3FE05FAA for ; Thu, 25 Apr 2013 09:11:18 +0000 (UTC) (envelope-from l.alebarde@free.fr) Received: from smtp1-g21.free.fr (smtp1-g21.free.fr [IPv6:2a01:e0c:1:1599::10]) by mx1.freebsd.org (Postfix) with ESMTP id CAA3B173F for ; Thu, 25 Apr 2013 09:11:16 +0000 (UTC) Received: from [IPv6:2a01:e35:8b59:cce0::10] (unknown [IPv6:2a01:e35:8b59:cce0::10]) by smtp1-g21.free.fr (Postfix) with ESMTP id F1B82940209; Thu, 25 Apr 2013 11:11:06 +0200 (CEST) Message-ID: <5178F328.6040408@free.fr> Date: Thu, 25 Apr 2013 11:11:04 +0200 From: Laurent Alebarde User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20130116 Thunderbird/10.0.11 MIME-Version: 1.0 To: zulu Subject: Re: state of the art ?
References: <5177B1A4.6060502@free.fr> <1366868448.5178c1e04043f@gpo.cellcontainer.com> In-Reply-To: <1366868448.5178c1e04043f@gpo.cellcontainer.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 09:11:18 -0000 Thanks very much zulu. It looks great but there are very few downloads and reading the README, it requires some patches. So I won't take the risk to put it in production. If I was an expert, I think I would give it a try, but I am not and I cannot. From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 10:01:31 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id BCA7DAEE for ; Thu, 25 Apr 2013 10:01:31 +0000 (UTC) (envelope-from zulu@openvps.biz) Received: from mgw.cellcontainer.com (mgw.cellcontainer.com [87.229.77.135]) by mx1.freebsd.org (Postfix) with ESMTP id 4528E1ADE for ; Thu, 25 Apr 2013 10:01:30 +0000 (UTC) Received: from mgw.cellcontainer.com (unknown [192.168.1.10]) by mgw.cellcontainer.com (Postfix) with ESMTP id 27095AF54 for ; Thu, 25 Apr 2013 10:01:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=openvps.biz; h=message-id :date:subject:from:to:cc:mime-version:content-type:in-reply-to :references; s=selector1; bh=CC0scuF8Yvxb6e0FLp2TZtJiYrc=; b=qLj UDi2amccW7mAHsYdegp3+6sxWlYwC9ruI2w1Ly6eEcy8EAM+VSzi6jpY2u6m4JZe vuGnROSE7kyF7e9I5PBb15BtNJl9eQLZuzk3KF5ObgtyFAqEfHEyv5TLL8LaiWP1 GwDsX0LZAxrbQ0sLfEAH3j8OwWfAOtINJdXHwsUQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=openvps.biz; h=message-id :date:subject:from:to:cc:mime-version:content-type:in-reply-to :references; q=dns; s=selector1; 
b=w6ihPgCsjNguGpAS8SAtO1QAJfxPf G+pLVnL6W8AaVO2XF0ZdU9Yd7RwWmabuGgKtbKzhn7u50XdAaAawm5LKzXPSUHPT 8J3Tg7smg9PqUayYIDAnY2HSgVucfTbcURrto44Ofnp9desG4pM3M+/N5Zcp8KgG p8JBgY2YwldP4w= Received: from gpo.cellcontainer.com (unknown [192.168.1.15]) by mgw.cellcontainer.com (Postfix) with ESMTP id 18006AF52 for ; Thu, 25 Apr 2013 10:01:29 +0000 (UTC) Received: by gpo.cellcontainer.com (Postfix, from userid 58) id 0853F79496; Thu, 25 Apr 2013 10:01:29 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on gpo.cellcontainer.com X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, HTML_MESSAGE autolearn=ham version=3.3.2 Received: from gpo.cellcontainer.com (gpo.cellcontainer.com [192.168.1.15]) by gpo.cellcontainer.com (Postfix) with ESMTP id 08BC37947E for ; Thu, 25 Apr 2013 10:01:27 +0000 (UTC) Message-ID: <1366884086.5178fef6d6e73@gpo.cellcontainer.com> Date: Thu, 25 Apr 2013 22:01:26 +1200 Subject: Re: state of the art ? From: zulu To: Laurent Alebarde MIME-Version: 1.0 X-MimeOLE: Produced by Group-Office 3.7.41 In-Reply-To: <5178F328.6040408@free.fr> References: <5178F328.6040408@free.fr> X-Mailer: Group-Office 3.7.41 X-Priority: 3 (Normal) Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2013 10:01:31 -0000

No patches are mentioned in the README; there was a simple change required for /etc/rc.d/devfs on 9.0 which is not needed anymore with 9.1. The rest of the optional changes (not required) are related to VNET and ZFS management inside the jail, if needed.
VNET is not officially production ready, this is relative though, as some folks are already using it in production environments. To use ZFS and Jails (or even VNET) you will need to become an expert to some degree anyway :).

Cheers,
Peter

On Thursday, 25-04-2013 on 21:11 Laurent Alebarde wrote:
> Thanks very much zulu.
>
> It looks great but there are very few downloads and reading the README, it requires some patches. So I won't take the risk to put it in production. If I was an expert, I think I would give it a try, but I am not and I cannot.

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 10:28:31 2013
From: Laurent Alebarde
To: freebsd-jail@freebsd.org
Subject: Re: state of the art ?
Date: Thu, 25 Apr 2013 10:28:13 +0000 (UTC)

Thank you Dave, I have posted some questions on the author's site.

Can you manage thin jails with it ? What about ZFS ?

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 10:42:08 2013
From: Laurent Alebarde
To: freebsd-jail@freebsd.org
Subject: Re: state
 of the art ?
Date: Thu, 25 Apr 2013 10:41:53 +0000 (UTC)

zulu writes:
>
> No patches are mentioned in the README, there was a simple change
> required for /etc/rc.d/devfs on 9.0 which is not needed anymore with
> 9.1.

Thanks for the precision and update.

> VNET is not officially production ready, this is relative though, as
> some folks are already using it in production environments.

Nice to hear.

> To use ZFS and Jails (or even VNET) you will need to become an expert
> to some degree anyway :).

To some extent yes, with a compromise with productivity.

Thanks a lot.
From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 12:13:58 2013
Message-ID: <51791DFD.3040209@gmx.com>
Date: Thu, 25 Apr 2013 14:13:49 +0200
From: Nikos Vassiliadis
To: zulu
Cc: Laurent Alebarde, freebsd-jail@freebsd.org
Subject: Re: state of the art ?
In-Reply-To: <1366868448.5178c1e04043f@gpo.cellcontainer.com>

On 04/25/2013 07:40 AM, zulu wrote:
> VNET is supported and there is a "soft" jail restart option which
> prevents the "kern/164763: Memory leak in VNET" issue from appearing.

This is a really interesting workaround!
Yes, ipfw has been vnet-capable for a long time and it works as well as the non-virtualized version. Well... except for dummynet which isn't virtualized yet.

My point is, VIMAGE is really stable except for:
1) tearing-down a vnet
2) running non-vnet-ready code (pf, dummynet, lagg, ipf etc)

Number one is triggered by destroying a jail. Number two is usually triggered *immediately* after trying to use a non-vnet-ready driver. You can avoid these two and if you avoid them it is perfectly stable...

Also, I have to say that I like vimage very much so I might be biased:)

Just my 2 cents,
Nikos

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 12:50:03 2013
Message-ID: <51792670.8050105@free.fr>
Date: Thu, 25 Apr 2013 14:49:52 +0200
From: Laurent Alebarde
To: Nikos Vassiliadis
Subject: Re: state of the art ?
Cc: freebsd-jail@freebsd.org
In-Reply-To: <51791DFD.3040209@gmx.com>

I am afraid you have convinced me with zulu to go on.....

Though not being able to use dummynet nor altq is a real drawback.

But if I don't abuse myself, I read contradictory things. So I raise the question : Is pf/altq usable in the host when you have vnet jails ? Same question with dummynet ?

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 14:58:32 2013
Date: Thu, 25 Apr 2013 16:58:26 +0200
From: Mateusz Guzik
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.) by jailed root
Message-ID: <20130425145826.GA593@dft-labs.eu>
In-Reply-To: <51788985.7080406@FreeBSD.org>

On Wed, Apr 24, 2013 at 07:40:21PM -0600, Jamie Gritton wrote:
> On 04/24/13 19:22, Mateusz Guzik wrote:
> >On Mon, Apr 22, 2013 at 12:29:38PM -0600, Jamie Gritton wrote:
> >>On 04/22/13 11:39, Miroslav Lachman wrote:
> >>>>This already happens when jails are created using a jail.conf file. Any
> >>>>mounts there are unmounted as part of the jail removal process. Just
> >>>>recently I fixed it to properly do this unmounting in reverse order.
> >>>
> >>>Do you mean mounts defined in jail.conf or all mounts manually done by
> >>>root user in jail?
> >>>
> >>
> >>Ah, I see the difference.
> >>Yes, that's only for mounts in the jail.conf.
> >>For mounts done by the jail itself, I guess we would go off the mount
> >>record's credential. So is this something you expect to be happening
> >>entirely in the kernel?
> >>
> >
> >If we want to clean this up from userspace, we need to teach the kernel how
> >to export vnet and mount table of a jail and then it would be nice to teach
> >jls how to print it (or maybe create a separate tool - jstat?), and of
> >course jail(8) how to use this information to clean things up.
> >
> >Bonus points if jail(8) -r is able to clean up the jail without looking at
> >config file.
> >
> >I would prefer if the jail would be able to just die if no problems were
> >encountered and that is easily done with a kernel-only implementation,
> >but this still would benefit from features described above (the
> >difference would be that if someone wants to kill the jail, jail(8)
> >would only call jail_remove). If jail could not die because some clean
> >up operations failed, jls (or jstat) would show what resources are
> >remaining along with error message (say, fs could not be unmounted
> >because it was busy). And then the user can fix the problem and do
> >jail(8) -r to re-run kernel clean up or clean on his own (say, unmount
> >filesystems), which effectively should kill the jail.
> >
> >Thoughts?
>
> If the kernel was able to export vnet and mounts, I would want jls to be
> the tool to show it. At least I wouldn't want to add another tool; a "-j
> jailname" option to df and ifconfig is an intriguing option. If jail(8)
> can get this information, then I would definitely want jail -r to clean
> it up; it doesn't matter whether or not there's a config file, since
> we're talking about things that are done outside the config file anyway.
>

Lack of precision here, my bad. Clearly, if we just started a jail there is no problem making it record everything it did.

With bonus points I was thinking about a jail started with, say, mount.devfs.
IIRC jail(8) just mounts devfs but this is not stored anywhere and when such jail dies, we have an old mount no one knows about. So bonus points for making a jail able to clean this up as well.

I'm fine with either jls or jstat.

> Vnet's a little tricky because there are two kinds of interfaces in a vnet
> jail: those that were imported into the jail, and those that the jail
> has created itself. I don't know if the kernel knows anything about the
> difference between them, but it would make sense for the former to be
> returned to the host (which is the case) and the latter to be deleted
> (which I have no idea about).
>

That's for the project taker to investigate then.

> I still prefer that this be done in the kernel. For example, mount
> points have a credential attached, and that means that a removed jail
> will stick around as a zombie until it's unmounted.
>

I prefer kernel implementation as well.

Since we seem to have an agreement of usefulness of the project, would you be willing to add it to IdeasPage as a proposed GSoC project and mentor a student (if any) who wants to work on this? I'm no fit for mentoring.

Details of actual implementation can be worked on later.
-- 
Mateusz Guzik

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 15:04:10 2013
Message-ID: <517945E3.4040701@FreeBSD.org>
Date: Thu, 25 Apr 2013 09:04:03 -0600
From: Jamie Gritton
To: Mateusz Guzik
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.)
 by jailed root
In-Reply-To: <20130425145826.GA593@dft-labs.eu>

On 04/25/13 08:58, Mateusz Guzik wrote:
> On Wed, Apr 24, 2013 at 07:40:21PM -0600, Jamie Gritton wrote:
>> On 04/24/13 19:22, Mateusz Guzik wrote:
>>> On Mon, Apr 22, 2013 at 12:29:38PM -0600, Jamie Gritton wrote:
>>>> On 04/22/13 11:39, Miroslav Lachman wrote:
>>>>>> This already happens when jails are created using a jail.conf file. Any
>>>>>> mounts there are unmounted as part of the jail removal process. Just
>>>>>> recently I fixed it to properly do this unmounting in reverse order.
>>>>>
>>>>> Do you mean mounts defined in jail.conf or all mounts manually done by
>>>>> root user in jail?
>>>>>
>>>>
>>>> Ah, I see the difference. Yes, that's only for mounts in the jail.conf.
>>>> For mounts done by the jail itself, I guess we would go off the mount
>>>> record's credential. So is this something you expect to be happening
>>>> entirely in the kernel?
>>>>
>>>
>>> If we want to clean this up from userspace, we need to teach the kernel how
>>> to export vnet and mount table of a jail and then it would be nice to teach
>>> jls how to print it (or maybe create a separate tool - jstat?), and of
>>> course jail(8) how to use this information to clean things up.
>>>
>>> Bonus points if jail(8) -r is able to clean up the jail without looking at
>>> config file.
>>>
>>> I would prefer if the jail would be able to just die if no problems were
>>> encountered and that is easily done with a kernel-only implementation,
>>> but this still would benefit from features described above (the
>>> difference would be that if someone wants to kill the jail, jail(8)
>>> would only call jail_remove). If jail could not die because some clean
>>> up operations failed, jls (or jstat) would show what resources are
>>> remaining along with error message (say, fs could not be unmounted
>>> because it was busy). And then the user can fix the problem and do
>>> jail(8) -r to re-run kernel clean up or clean on his own (say, unmount
>>> filesystems), which effectively should kill the jail.
>>>
>>> Thoughts?
>>
>> If the kernel was able to export vnet and mounts, I would want jls to be
>> the tool to show it. At least I wouldn't want to add another tool; a "-j
>> jailname" option to df and ifconfig is an intriguing option. If jail(8)
>> can get this information, then I would definitely want jail -r to clean
>> it up; it doesn't matter whether or not there's a config file, since
>> we're talking about things that are done outside the config file anyway.
>>
>
> Lack of precision here, my bad. Clearly, if we just started a jail there
> is no problem making it record everything it did.
>
> With bonus points I was thinking about a jail started with, say,
> mount.devfs. IIRC jail(8) just mounts devfs but this is not stored anywhere
> and when such jail dies, we have an old mount no one knows about. So
> bonus points for making a jail able to clean this up as well.

No, jail(8) will properly unmount anything *it* mounts, including devfs. The only issue is when a jail is started with allow.mount (and perhaps any allow.mount.foofs), and then mounts its own filesystems.

> I'm fine with either jls or jstat.
>
>> Vnet's a little tricky because there are two kinds of interfaces in a vnet
>> jail: those that were imported into the jail, and those that the jail
>> has created itself. I don't know if the kernel knows anything about the
>> difference between them, but it would make sense for the former to be
>> returned to the host (which is the case) and the latter to be deleted
>> (which I have no idea about).
>>
>
> That's for the project taker to investigate then.
>
>> I still prefer that this be done in the kernel. For example, mount
>> points have a credential attached, and that means that a removed jail
>> will stick around as a zombie until it's unmounted.
>>
>
> I prefer kernel implementation as well.
>
> Since we seem to have an agreement of usefulness of the project, would
> you be willing to add it to IdeasPage as a proposed GSoC project and
> mentor a student (if any) who wants to work on this? I'm no fit for
> mentoring.
>
> Details of actual implementation can be worked on later.

I'm trying to think if there are cases where this isn't the desired outcome, where someone might want to purposefully create a jail that leaves things mounted and then goes away. I can't come up with anything offhand, but then I sometimes get surprised by how people want to use jails.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 15:19:56 2013
Message-ID: <5179498E.9080305@gmx.com>
Date: Thu, 25 Apr 2013 17:19:42 +0200
From: Nikos Vassiliadis
To: Laurent Alebarde
Cc: freebsd-jail@freebsd.org
Subject: Re: state of the art ?
In-Reply-To: <51792670.8050105@free.fr>

On 04/25/2013 02:49 PM, Laurent Alebarde wrote:
> I am afraid you have convinced me with zulu to go on.....

oh I see:)

> Though not being able to use dummynet nor altq is a real drawback.
>
> But if I don't abuse myself, I read contradictory things.
> So I raise the
> question : Is pf/altq usable in the host when you have vnet jails ? Same

I don't know about the current state of pf in 9. It has been a while since I tested pf, VIMAGE in 9...

> question with dummynet ?

dummynet is usable from the host.

Nikos

From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 15:59:34 2013
Message-ID: <517952DB.8080603@free.fr>
Date: Thu, 25 Apr 2013 17:59:23 +0200
From: Laurent Alebarde
To: Nikos Vassiliadis
Cc: freebsd-jail@freebsd.org
Subject: Re: state of the art ?
In-Reply-To: <5179498E.9080305@gmx.com>

Thanks Nikos. I am waiting now for someone to complete your answer regarding pf/altq in the host.
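Returning to the jail(8) cleanup discussion above between Mateusz Guzik and Jamie Gritton: the case Jamie narrows it down to is a jail started with allow.mount that mounts filesystems itself, which jail(8) does not know about and which keep the removed jail around as a zombie. The script below is an added example, not code from the thread or from jail(8), showing what an admin can do from userland today: walk the host's mount table, pick out the mounts at or below the jail's root, and unmount them deepest first (the reverse-order rule Jamie mentions for jail.conf mounts). The jail root paths and the sample mount table are constructed placeholders, not data from any real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from jail(8): find the mounts a
# jail left behind (the allow.mount case discussed above) and unmount them
# deepest path first, i.e. in reverse order of nesting. The jail paths are
# placeholders; the sample mount table below is constructed.

# Print the mount points at or below the jail root, deepest first.
# Reads mount -p style lines (device mountpoint fstype options dump pass)
# from stdin, which keeps the function testable without a FreeBSD host.
# $1 = jail root path, e.g. /jails/web
jail_leftover_mounts() {
    awk -v root="$1" '
        # the root itself (a nullfs jail root, say) or anything below it;
        # the trailing "/" stops /jails/web from also matching /jails/webmail
        $2 == root || index($2, root "/") == 1 { print length($2), $2 }
    ' | sort -rn | cut -d" " -f2-
}

# Unmount what jail_leftover_mounts reports, deepest first, so a nested
# mount (fdescfs under devfs under the jail root) never blocks its parent.
# With DRY_RUN=1 the umount commands are printed instead of run. Returns
# non-zero if any unmount fails (a busy mount point, typically), leaving
# the remaining mounts for the admin to inspect.
# Usage on the host: mount -p | jail_unmount_leftovers /jails/web
jail_unmount_leftovers() {
    status=0
    for mp in $(jail_leftover_mounts "$1"); do   # mount -p escapes spaces as \040
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "umount $mp"
        elif ! umount "$mp"; then
            echo "failed to unmount $mp" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample of mount -p output (not from a real host): a thin jail
# on a read-only nullfs root with devfs and fdescfs mounted inside it, plus
# an unrelated jail whose path shares a prefix with the first one.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
/jails/base/9.1 /jails/web nullfs ro 0 0
devfs /jails/web/dev devfs rw 0 0
fdescfs /jails/web/dev/fd fdescfs rw 0 0
procfs /jails/webmail/proc procfs rw 0 0'

echo "mounts left under /jails/web, deepest first:"
printf '%s\n' "$SAMPLE_MOUNTS" | jail_leftover_mounts /jails/web
```

On a FreeBSD host the jail root comes from `jls -j <name> path`, and the functions are fed the live table with `mount -p | jail_unmount_leftovers "$root"`. Sorting by path length is what makes the order safe: a nested mount point is always a longer string than the mount it sits under, so it is unmounted first. The prefix check with a trailing slash is the edge case worth keeping: without it, cleaning up /jails/web would also unmount /jails/webmail's filesystems.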
From owner-freebsd-jail@FreeBSD.ORG Fri Apr 26 14:45:53 2013
Subject: Re: jail(8) vimage epair bridge
From: Anders Hagman
To: Joe, freebsd-jail@freebsd.org
Message-Id: <2ED09B04-6888-46CE-B34C-CAC70EB51F96@netplex.se>
Date: Fri, 26 Apr 2013 16:44:05 +0200
In-Reply-To: <51783B89.9080701@a1poweruser.com>

Hi

On 24 Apr 2013 at 22:07, Joe wrote:
> Anders Hagman wrote:
>> Hi
>> On 23 Apr 2013 at 15:14, Joe wrote:
>>> Hello list
>>>
>>> I am using jail(8) trying to get a functional vimage environment on my
>>> 9.1-RELEASE system. My PC only has a single real NIC facing the public
>>> internet.
>>>
>>> My goal is to be able to have multiple vimage jails, each with
>>> their own epairXa epairXb and bridgeX where the "X" is the jails JID
>>> number all having their traffic passing through the single rl0 real
>>> interface.
>>> The vnet.start script shown below handles this nicely.
>>>
>>> The problem is after the first vimage jail is started the rl0 interface
>>> gets marked as busy when the second vimage jail is started.
>> You don't need more than one bridge.
>> Connect all epairXa and the rl0 interface to the bridge. Put the epairXb in the right jail.
>> If you want separation, create vlan interfaces.
>> Connect them to rl0 and put them inside the jail.
>
> Hello Anders;
>
> Now that I have a bridge, epair solution,
> I would like to learn the vlan method you spoke about.
> Would you please provide some details about how it could be done.
> I have never used vlan before.

You need a vlan switch and a trunk connection between your server and the switch.
You need a router/firewall that handles vlans. m0n0wall.

In your server create vlan interfaces:

ifconfig vlan101 create vlan 101 vlandev rl0

Move the interface to a started jail

ifconfig vlan101 vnet jailX

Connect to jail, config and test

Br
Anders

From owner-freebsd-jail@FreeBSD.ORG Fri Apr 26 16:07:38 2013
From: Laurent Alebarde
To: freebsd-jail@freebsd.org
Subject: Re: state of the art ?
Date: Fri, 26 Apr 2013 16:07:16 +0000 (UTC)

Ok, so I gave it a try, even adding the patch for devfs, and I have a wonderful core dump when I activate vnet in the jail :

http://pastebin.com/KB80YzJE

It seems it is related to a memory page access violation. I followed exactly what is documented with zjail.

Any clue please ?
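On the vlan approach Anders outlines in the "jail(8) vimage epair bridge" thread above (create vlanN on the parent NIC, then move it into the running vnet jail with `ifconfig vlanN vnet <jail>`): the script below is an added example, not Anders' or Joe's own commands, that wraps those two ifconfig steps in a small, checked procedure and adds the reverse step for when a jail is torn down. It assumes a parent interface named rl0, jail names "web" and "db" and vlan ids 101 and 102, all placeholders chosen for illustration; a separate 802.1Q id per jail is the point, since a vlan interface can only live in one vnet at a time. It defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not Anders' or Joe's own commands: give each vnet jail its
# own 802.1Q vlan on one parent NIC, following the two ifconfig steps from
# the thread, and reclaim it when the jail goes away. Jail names, vlan ids
# and the parent interface (rl0) are placeholders for illustration.
# Defaults to a dry run; set DRY_RUN=0 on the FreeBSD host to execute.
DRY_RUN=${DRY_RUN:-1}

# Run a command line, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$1"; else $1; fi
}

# An 802.1Q vlan id is 1..4094; 0 and 4095 are reserved by the standard.
valid_vlan_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Create vlan<id> on <parent> and move it into the running jail <jail>.
# Each jail needs its own id (vlan101 for one jail, vlan102 for the next);
# "ifconfig ... vnet <jail>" only works once the jail is up.
vlan_jail_attach() {
    jail=$1; vid=$2; parent=$3
    if ! valid_vlan_id "$vid"; then
        echo "invalid vlan id: $vid" >&2
        return 1
    fi
    run "ifconfig vlan$vid create vlan $vid vlandev $parent" &&
    run "ifconfig vlan$vid vnet $jail"
}

# Reclaim the interface from the jail and destroy it (e.g. before jail -r).
vlan_jail_detach() {
    jail=$1; vid=$2
    run "ifconfig vlan$vid -vnet $jail" &&
    run "ifconfig vlan$vid destroy"
}

# Constructed plan, one line per jail: "<jail> <vlan id>".
JAIL_VLANS='web 101
db 102'

# Attach every jail in the plan to <parent>; non-zero if any line was rejected.
# A here-document keeps the loop in the current shell so rc survives it.
attach_all() {
    rc=0
    while read -r jail vid; do
        vlan_jail_attach "$jail" "$vid" "$1" || rc=1
    done <<EOF
$JAIL_VLANS
EOF
    return $rc
}

attach_all rl0
```

The `-vnet` form in vlan_jail_detach is ifconfig(8)'s counterpart to `vnet`: it moves the interface back to the host, which is what Jamie describes happening automatically for imported interfaces when the jail dies; destroying it afterwards keeps the host from accumulating stale vlan interfaces across jail restarts. The id check is there because a mistyped or out-of-range id fails at ifconfig time with a less helpful error.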
From owner-freebsd-jail@FreeBSD.ORG Fri Apr 26 16:17:06 2013
Message-ID: <517AA87C.2050008@a1poweruser.com>
Date: Fri, 26 Apr 2013 12:17:00 -0400
From: Joe
To: Anders Hagman
Cc: freebsd-jail@freebsd.org
Subject: Re: jail(8) vimage epair bridge
In-Reply-To: <2ED09B04-6888-46CE-B34C-CAC70EB51F96@netplex.se>

Anders Hagman wrote:
> Hi
>
> On 24 Apr 2013 at 22:07, Joe wrote:
>
>> Anders Hagman wrote:
>>> Hi
>>> On 23 Apr 2013 at 15:14, Joe wrote:
>>>> Hello list
>>>>
>>>> I am using jail(8) trying to get a functional vimage environment on my
>>>> 9.1-RELEASE system.
My PC only has a single real NIC facing the public >>>> internet. >>>> >>>> My goal is to be able to have multiple vimage jails, each with >>>> their own epairXa epairXb and bridgeX where the "X" is the jails JID >>>> number all having their traffic passing through the single rl0 real >>>> interface. The vnet.start script shown below handles this nicely. >>>> >>>> The problem is after the first vimage jail is started the rl0 interface >>>> gets marked as busy when the second vimage jail is started. >>> You don't need more the one bridge. >>> Connect all epairXa and the rl0 interface to the bridge. Put the epairXb in the right jail. >>> If you want separation. Create vlan interfaces. >>> Connect them to rl0 and put them inside the jail. >> Hello Anders; >> >> Now that I have an bridge, epair solution, >> I would like to learn the vlan method you spoke about. >> Would you please provide some details about how it could be done. >> I have never used vlan before. > > You need a vlan switch and a trunk connection between your server and the switch. > You need a router/firewall that handles vlans. m0n0wall. What is your definition of a switch? Do you mean a hardware switch in the network cabling? Are you saying ipfw, pf, and ipfilter DON'T handle vlans? > > In your server create vlan interfaces: > > Ifconfig vlan101 create vlan 101 vlandev rl0 > > Move the interface to a started jail > > Ifconfig vlan101 vnet jailX > > Connect to jail, config and test What do you mean by config the jail? Are there vlan commands that need to be run from inside of the jail? 
For a second vimage jail would I do

ifconfig vlan102 create vlan 102 vlandev rl0

From owner-freebsd-jail@FreeBSD.ORG Fri Apr 26 19:46:28 2013
Message-ID: <1367005577.517ad9892a0d4@gpo.cellcontainer.com>
Date: Sat, 27 Apr 2013 07:46:17 +1200
Subject: Re: state of the art ?
From: zulu
To: Laurent Alebarde, "freebsd-jail@freebsd.org"

Try and exclude altq and pf from kernel - make them a loadable module
instead (just to rule out these).

On Saturday, 27-04-2013 on 4:07 Laurent Alebarde wrote:
> Ok, so I gave it a try, even adding the patch for devfs, and I have a
> wonderful core dump when I activate vnet in the jail:
>
> http://pastebin.com/KB80YzJE
>
> It seems it is related to a memory page access violation. I followed
> exactly what is documented with zjail.
>
> Any clue please?
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Sat Apr 27 09:37:43 2013
To: freebsd-jail@freebsd.org
From: Laurent Alebarde
Subject: Re: state of the art ?
Date: Sat, 27 Apr 2013 09:37:23 +0000 (UTC)
References: <1367005577.517ad9892a0d4@gpo.cellcontainer.com>

zulu writes:
>
> Try and exclude altq and pf from kernel - make them a loadable module
> instead (just to rule out these).
>

Thanks zulu, it works now. No crash, and I can ping my zjail.

I think I am going to drop pf completely until it is officially
compatible with VIMAGE, and use IPFW.

Do you have a good link please for basic and elaborate (including
dummynet) use of IPFW with zjails (I have not found very useful things
up to now)?

Cheers,

Laurent.
From owner-freebsd-jail@FreeBSD.ORG Sat Apr 27 10:16:23 2013
Message-ID: <1367057778.517ba5720f37d@gpo.cellcontainer.com>
Date: Sat, 27 Apr 2013 22:16:18 +1200
Subject: Re: state of the art ?
From: zulu
To: Laurent Alebarde, "freebsd-jail@freebsd.org"

Have not used dummynet but a good starting point could be the official
IPFW Handbook section http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.
Just treat your jails as you would a physical host with firewall rules.
One caveat to watch out for is that after enabling IPFW on your host all
jails will have a default deny rule and each jail will need to have a
rule added to allow traffic in/out. Also make sure your bridge contains
your real NIC if you want to talk to hosts beyond your jail environment
(standard networking things - man pages are your friends, ifconfig,
bridge, route, etc.).

Cheers,
Peter

On Saturday, 27-04-2013 on 21:37 Laurent Alebarde wrote:
> zulu writes:
> >
> > Try and exclude altq and pf from kernel - make them a loadable module
> > instead (just to rule out these).
> >
>
> Thanks zulu, it works now. No crash, and I can ping my zjail.
>
> I think I am going to drop pf completely until it is officially
> compatible with VIMAGE, and use IPFW.
>
> Do you have a good link please for basic and elaborate (including
> dummynet) use of IPFW with zjails (I have not found very useful things
> up to now)?
>
> Cheers,
>
> Laurent.
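Two practical points come out of the thread above: Anders's advice to Joe that per-jail vlan(4) interfaces on the single NIC (created with `ifconfig vlanN create vlan N vlandev rl0`, then handed over with `ifconfig vlanN vnet <jail>`) give real separation where a shared bridge does not, and zulu's warning that once IPFW is enabled on the host every vnet jail starts under the default deny rule and needs its own allow rules. The script below is an added illustration of both, written for this page; it is not code posted by anyone in the thread nor part of zjail. The two `ifconfig` forms are the ones Anders gave; everything else (the jail name `web1`, the 10.0.101.0/24 addressing, the VLAN tag check, the `jexec`-based rule loading, the rule numbers and the `DRY_RUN` switch) is constructed for the example. It follows the VLAN route, so there is no bridge and zulu's note about the bridge containing the real NIC does not apply here; the firewall rules are loaded inside the jail's own vnet, which is where the default deny appears.

```shell
#!/bin/sh
# Added example, not from the list thread: attach a per-jail 802.1Q VLAN
# interface to a VIMAGE jail and give that jail an explicit IPFW rule set.
# Assumed/constructed: jail names, addresses, rule numbers, DRY_RUN mode.
# With DRY_RUN=1 the commands are printed instead of executed, so the
# logic can be checked on a host without FreeBSD networking tools.

PHYS_IF=${PHYS_IF:-rl0}   # the single physical NIC from the thread
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 802.1Q tags run from 1 to 4094 (0 and 4095 are reserved). Reject anything
# else so a typo cannot produce an untagged or unparseable interface name.
valid_vlan_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Create vlan<ID> on top of the physical NIC and move it into the running
# jail. After "ifconfig vlanN vnet <jail>" the interface is no longer
# visible to the host stack; only that jail can configure or read it,
# which is the layer-2 separation a single shared bridge does not give.
attach_vlan() {
    jail=$1 vid=$2
    valid_vlan_id "$vid" || { echo "bad vlan id: $vid" >&2; return 1; }
    run ifconfig "vlan$vid" create vlan "$vid" vlandev "$PHYS_IF"
    run ifconfig "vlan$vid" vnet "$jail"
}

# Inside the jail: address the interface and add IPFW rules. A vnet jail
# has its own ipfw instance; with ipfw enabled on the host it starts with
# only the default "deny ip from any to any", so nothing passes until the
# jail gets explicit allow rules. Stateful allow-out, ping-in, log the rest.
configure_jail_net() {
    jail=$1 vid=$2 addr=$3 gw=$4
    run jexec "$jail" ifconfig "vlan$vid" inet "$addr" up
    run jexec "$jail" route add default "$gw"
    run jexec "$jail" ipfw -q add 100 check-state
    run jexec "$jail" ipfw -q add 200 allow ip from me to any out keep-state
    run jexec "$jail" ipfw -q add 300 allow icmp from any to me icmptypes 8
    run jexec "$jail" ipfw -q add 65000 deny log ip from any to any
}

# Constructed invocation: jail "web1" on VLAN 101 in 10.0.101.0/24.
if [ "${1:-}" = "--demo" ]; then
    attach_vlan web1 101
    configure_jail_net web1 101 10.0.101.2/24 10.0.101.1
fi
```

Run it as `DRY_RUN=1 sh jailnet.sh --demo` to see the exact command sequence before letting it touch a real host; a second jail gets its own tag (vlan102, vlan103, ...) by calling the two functions again, which is the answer to Joe's closing question in the thread.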