From owner-freebsd-jail@FreeBSD.ORG Mon Aug 4 23:13:13 2014
From: Warren Block
Date: Mon, 4 Aug 2014 17:13:10 -0600 (MDT)
To: Allan Jude
Cc: freebsd-jail@freebsd.org
Subject: Re: ezjail and mergemaster
In-Reply-To: <53D81D43.6070503@freebsd.org>

On Tue, 29 Jul 2014, Allan Jude wrote:

> On 2014-07-29 17:44, Warren Block wrote:
>>
>> What process for running mergemaster should I suggest?  Maybe different
>> ones for trusted and untrusted jails?
>
> This will mount /usr/src into the basejail read-only:
>
> mount -t nullfs -o ro /usr/src /usr/jails/basejail/usr/src

Thank you.  I took the easy way out, by showing how to mount the source
in the jails and just mentioning mergemaster.

Draft version:
http://www.wonkity.com/~wblock/jails/jails-ezjail.html

From owner-freebsd-jail@FreeBSD.ORG Tue Aug 5 07:41:17 2014
From: mailinglists
Date: Tue, 05 Aug 2014 19:40:56 +1200
To: freebsd-jail@freebsd.org
Subject: Re: ezjail and mergemaster
Message-ID: <53E08A88.1030007@debank.tv>
References: <53D81D43.6070503@freebsd.org>

On 5/08/14 11:13 am, Warren Block wrote:
> On Tue, 29 Jul 2014, Allan Jude wrote:
>
>> On 2014-07-29 17:44, Warren Block wrote:
>>>
>>> What process for running mergemaster should I suggest?  Maybe different
>>> ones for trusted and untrusted jails?
>>
>> This will mount /usr/src into the basejail read-only:
>>
>> mount -t nullfs -o ro /usr/src /usr/jails/basejail/usr/src
>
> Thank you.  I took the easy way out, by showing how to mount the
> source in the jails and just mentioning mergemaster.
>
> Draft version:
> http://www.wonkity.com/~wblock/jails/jails-ezjail.html

Would it be an idea to list the files that can be excluded from
mergemaster updates?  A lot of the rc scripts are a no-op inside a jail;
if one has to update a large number of ports, this can make a real
difference.

I guess ideally mergemaster itself could be extended to include a flag
to indicate it's run inside (or targeted at) a jail and remove/ignore rc
scripts that will never be used, but that's probably outside the scope
of this discussion.

Rob Evers

From owner-freebsd-jail@FreeBSD.ORG Tue Aug 5 12:50:00 2014
From: Warren Block
Date: Tue, 5 Aug 2014 06:49:55 -0600 (MDT)
To: mailinglists
Cc: freebsd-jail@freebsd.org
Subject: Re: ezjail and mergemaster
In-Reply-To: <53E08A88.1030007@debank.tv>
References: <53D81D43.6070503@freebsd.org> <53E08A88.1030007@debank.tv>

On Tue, 5 Aug 2014, mailinglists wrote:

> On 5/08/14 11:13 am, Warren Block wrote:
>> On Tue, 29 Jul 2014, Allan Jude wrote:
>>
>>> On 2014-07-29 17:44, Warren Block wrote:
>>>>
>>>> What process for running mergemaster should I suggest?  Maybe different
>>>> ones for trusted and untrusted jails?
>>>
>>> This will mount /usr/src into the basejail read-only:
>>>
>>> mount -t nullfs -o ro /usr/src /usr/jails/basejail/usr/src
>>
>> Thank you.  I took the easy way out, by showing how to mount the
>> source in the jails and just mentioning mergemaster.
>>
>> Draft version:
>> http://www.wonkity.com/~wblock/jails/jails-ezjail.html
>
> Would it be an idea to list the files that can be excluded from
> mergemaster updates, a lot of the rc scripts are a no-op inside a jail,
> if one has to update a large number of ports this can make a real
> difference.
>
> I guess ideally mergemaster itself could be extended to include a flag
> to indicate it's run inside (or targeted at) a jail and remove/ignore rc
> scripts that will never be used but that's probably outside the scope of
> this discussion.

A more predictable and possibly safer way is to manually add a standard
list of ignorable jail files to IGNORE_FILES in /etc/mergemaster.rc.

However, now I find that just null-mounting the source on the basejail
is not enough.  /usr/src is still empty inside the jails.  There is a
configuration option or something for this, I think, I just can't recall
it.

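The IGNORE_FILES approach above, as an added example that is not code from the thread, ezjail or mergemaster: a small sh script that derives the list from the rc.d scripts marked with the "nojail" KEYWORD, which rc(8) skips inside a jail (it runs rcorder with -s nojail). The rc.d directory to scan is a parameter (on the host it would be /usr/src/etc/rc.d); the sample tree at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from ezjail/mergemaster.
# Builds the IGNORE_FILES line for /etc/mergemaster.rc from the rc.d
# scripts that carry the "nojail" KEYWORD: rc(8) inside a jail runs
# rcorder with "-s nojail", so those scripts never execute there and a
# jail's mergemaster run can skip them. The argument is the rc.d tree
# to scan, e.g. /usr/src/etc/rc.d on the host.

# Print the basenames of scripts whose "# KEYWORD:" line lists nojail.
# "nojailvnet" deliberately does not match: those scripts do run in
# vnet jails.
nojail_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^#[[:space:]]*KEYWORD:.*[[:space:]]nojail([[:space:]]|$)' "$f"; then
            basename "$f"
        fi
    done
}

# Emit the mergemaster.rc line, naming the files by their path in the jail.
ignore_files_line() {
    list=""
    for name in $(nojail_scripts "$1"); do
        list="$list /etc/rc.d/$name"
    done
    printf "IGNORE_FILES='%s'\n" "${list# }"
}

# Constructed sample tree so the script runs offline; the KEYWORD lines
# are illustrative, not copied from a FreeBSD release.
make_sample_rcd() {
    dir=$(mktemp -d) || exit 1
    printf '#!/bin/sh\n# PROVIDE: dmesg\n# KEYWORD: nojail\n' > "$dir/dmesg"
    printf '#!/bin/sh\n# PROVIDE: savecore\n# KEYWORD: nojail\n' > "$dir/savecore"
    printf '#!/bin/sh\n# PROVIDE: sshd\n# KEYWORD: shutdown\n' > "$dir/sshd"
    printf '#!/bin/sh\n# PROVIDE: syslogd\n# KEYWORD: shutdown\n' > "$dir/syslogd"
    echo "$dir"
}

sample=$(make_sample_rcd)
ignore_files_line "$sample"    # the line to append to /etc/mergemaster.rc
rm -rf "$sample"
```

Run it against the real tree with `ignore_files_line /usr/src/etc/rc.d >> /etc/mergemaster.rc` inside the jail once /usr/src is visible there; review the list before trusting it, since a script that is nojail on the host can still ship a config file the jail uses.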
From owner-freebsd-jail@FreeBSD.ORG Tue Aug 5 16:52:25 2014
From: Goran Tepshic
Date: Tue, 5 Aug 2014 18:51:52 +0200
To: freebsd-jail@freebsd.org
Subject: Jailed apache24 and mod_rewrite/proxy issue

Just set up the jail to run httpd from and I'm seeing critical errors in
logs when mod_rewrite and mod_proxy are enabled.

mod_rewrite error:

[rewrite:crit] [pid 43447] (13)Permission denied: AH00666: mod_rewrite:
could not init rewrite_mapr_lock_acquire in child

mod_proxy error:

[proxy:crit] [pid 43447] (13)Permission denied: AH02479: could not init
proxy_mutex in child

Not sure permissions of what are being denied, as HTML in the document
root is being served just fine when these modules are disabled.

I tried googling but found nothing but rubbish.  Someone at ServerFault
suggested enabling SysV IPC to jails, but that kinda defeats the purpose
of having services jailed, isn't it?

Could anyone shed some light on this?

Thanks