From owner-freebsd-jail@FreeBSD.ORG Sun Aug 25 02:27:05 2013
Date: Sun, 25 Aug 2013 03:26:46 +0000
From: "Mike C."
To: freebsd-jail@freebsd.org
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)

This host is FreeBSD 8, and the config "per" jail doesn't work!

However, a friend of mine confirmed to me it does work on FreeBSD 9 hosts!

--
Melhores Cumprimentos // Best Regards
------------------------------------------------------------------------
Miguel Clara
*nix Sys Admin Freelance

http://www.linkedin.com/in/miguelmclara/
http://about.me/miguelmclara
------------------------------------------------------------------------

From owner-freebsd-jail@FreeBSD.ORG Sun Aug 25 04:07:43 2013
Date: Sat, 24 Aug 2013 23:07:42 -0500 (CDT)
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
From: "Valeri Galtsev"
To: "Mike C."
Cc: freebsd-jail@freebsd.org

Mine was FreeBSD 9.1, amd64, and "per jail" config didn't work for me. I
configure jails in /etc/rc.conf and start them on boot by enabling them in
/etc/rc.conf (jail_enable="YES"), or start, stop, restart using

/etc/rc.d/jail [start|stop|restart]

For those who didn't see the previous discussion, it was about an elegant
per-jail way of enabling access to raw sockets, suggested by one of the real
experts, which should work if one does this

>> > Putting this in /etc/rc.conf:
>> >
>> > jail_${JailName}_parameters="allow.raw_sockets=1"

For me it didn't work, so I have to enable raw sockets this way:

sysctl security.jail.allow_raw_sockets=1

and restart jail

or by adding into /etc/sysctl.conf

security.jail.allow_raw_sockets=1

downside: raw sockets enabled in all jails.

Thanks.
Valeri

On Sat, August 24, 2013 10:26 pm, Mike C. wrote:
> This host is FreeBSD 8, and the config "per" jail doesn't work!
>
> However, a friend of mine confirmed to me it does work on FreeBSD 9 hosts!
>
> --
> Melhores Cumprimentos // Best Regards
> Miguel Clara
> *nix Sys Admin Freelance
>
> http://www.linkedin.com/in/miguelmclara/
> http://about.me/miguelmclara

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Sun Aug 25 12:43:39 2013
Subject: Re: connect -1 errno 1 Operation not permitted with specific user (nagios)
From: "Miguel C."
Date: Sun, 25 Aug 2013 13:43:28 +0100
To: galtsev@kicp.uchicago.edu, Valeri Galtsev
Cc: freebsd-jail@freebsd.org

Sorry I should have mentioned he did this with ezjails.

I have a FreeBSD 9.1 at home with ezjails but I can only test this tomorrow.

Valeri Galtsev wrote:
>Mine was FreeBSD 9.1, amd64, and "per jail" config didn't work for me. I
>configure jails in /etc/rc.conf and start them on boot by enabling them in
>/etc/rc.conf (jail_enable="YES"), or start, stop, restart using
>
>/etc/rc.d/jail [start|stop|restart]
>
>For those who didn't see the previous discussion, it was about an elegant
>per-jail way of enabling access to raw sockets, suggested by one of the real
>experts, which should work if one does this
>
>>> > Putting this in /etc/rc.conf:
>>> >
>>> > jail_${JailName}_parameters="allow.raw_sockets=1"
>
>For me it didn't work, so I have to enable raw sockets this way:
>
>sysctl security.jail.allow_raw_sockets=1
>
>and restart jail
>
>or by adding into /etc/sysctl.conf
>
>security.jail.allow_raw_sockets=1
>
>downside: raw sockets enabled in all jails.
>
>Thanks.
>Valeri
>
>On Sat, August 24, 2013 10:26 pm, Mike C. wrote:
>> This host is FreeBSD 8, and the config "per" jail doesn't work!
>>
>> However, a friend of mine confirmed to me it does work on FreeBSD 9 hosts!

From owner-freebsd-jail@FreeBSD.ORG Mon Aug 26 11:06:46 2013
Date: Mon, 26 Aug 2013 11:06:46 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/180916  jail   [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail   [jail] [patch] fix multicast support within jails
o bin/178302   jail   jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail   [jail] [panic] kernel panic when starting jails
o kern/176092  jail   [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail   [jail] jail should provide validator for jail names
o bin/173469   jail   [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail   [jail] reading routing information does not work in ja
o bin/167911   jail   new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail   [jail] inter-jail communication failure
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid

18 problems total.

From owner-freebsd-jail@FreeBSD.ORG Wed Aug 28 16:57:49 2013
Date: Wed, 28 Aug 2013 11:57:42 -0500 (CDT)
Subject: Re: per user quotas inside jail?
From: "Valeri Galtsev"
To: "Konstantin Belousov"
Cc: freebsd-jail@freebsd.org

On Sat, August 24, 2013 4:17 pm, Konstantin Belousov wrote:
> On Sat, Aug 24, 2013 at 03:35:01PM -0500, Valeri Galtsev wrote:
>>
>> On Sat, August 24, 2013 10:08 am, Konstantin Belousov wrote:
>> >
>> > I decided that I have no desire to try to understand all the layers of
>> > indirections which are only relevant to you anyway. Instead, I demonstrate
>> > you what I mean by working quotas. Below is the transcript of the simple
>> > test.
>> >
>> > sandy% mount -v /mnt
>> > ~
>> > mount: /dev/ada1p4: Operation not permitted
>> > /dev/ada1p4 on /mnt (ufs, local, with quotas, soft-updates, writes: sync 2 async 37, reads: sync 7 async 0)
>> > sandy% sudo repquota -uah | grep kostik
>> > ~
>> > kostik -- 14G 0 0 - 461057 0 0 -
>> > sandy% sudo jail -u kostik / test1 127.0.0.1 /bin/sh
>> > ~
>> > $ dd if=/dev/zero bs=1m of=/mnt/1/dddd count=1024
>> > 1024+0 records in
>> > 1024+0 records out
>> > 1073741824 bytes transferred in 10.765265 secs (99741328 bytes/sec)
>> > $ ^D%
>> > sandy% sudo repquota -uah | grep kostik
>> > ~
>> > kostik -- 15G 0 0 - 461058 0 0 -
>> >
>> > You could see that the accounted space and inodes are properly increased
>> > after the dd.
>> >
>> > IMO, you should make sure that the users operate on the filesystem which
>> > has quotas enabled. Or, you should provide a simple to reproduce test
>> > case, among the lines of the script I pasted above, for me to recreate
>> > the issue locally.
>> >
>>
>> Thanks again for helping me! I guess, I understand now what the difference
>> is. Apparently, you are much better expert, so correct me if I'm wrong.
>>
>> You run your jail with root of jail filesystems (/) the same as root
>> filesystem of host (/). Therefore, inside your jail you have access to all
>> host's /etc/fstab; /dev, ... I'll try to run jail the same way and will
>> see if in that case quotas will work for me. If yes, then at least I
>> will know that my problem is not on the kernel level, but in the
>> environment accessible inside jail.
> After the quotas are configured and running, it is purely kernel-side
> code which handles the limits and accounting. You do not need usermode
> access to fstab or quota files.
>
> The same experiment as was done above, but now I copied /bin/dd and
> ld-elf.so+libc.so into jail root, to convince you that access to the
> full host environment does not matter:
>
> sandy% ls -la /mnt/1/fsx
> ~
> -rw-r--r-- 1 kostik kostik 1032128299 Dec 21 2012 /mnt/1/fsx
> sandy% sudo repquota -uah | grep kostik
> ~
> kostik -- 15G 0 0 - 461064 0 0 -
> sandy% sudo jail -u kostik /mnt/1 test1 127.0.0.1 ./dd if=fsx of=xsf bs=1m
> ~
> 984+1 records in
> 984+1 records out
> 1032128299 bytes transferred in 10.262390 secs (100573871 bytes/sec)
> sandy% sudo repquota -uah | grep kostik
> ~
> kostik -- 16G 0 0 - 461065 0 0 -
>
>>
>> I have all jails set up so that one when in jail is not able to access
>> filesystem outside jail's own root, which is something like
>> /jail/{$jailname}... therefore host's /etc /dev are not visible for one
>> inside jail; what they see inside jail as / is /jail/{$jailname} on
>> host.
>
> Let me repeat, verify that the actions which are supposed to be limited
> by quotas happen on the filesystem which has quotas configured.
>
> Or provide me with the minimal example in style I posted so that I can
> reproduce the issue locally (I very much doubt that this is the case, and
> not a misconfiguration).
>

Hi Konstantin,

as you said, my problem is in misconfiguration. The main trouble came from
the configuration not done "by the book":

http://www.freebsd.org/doc/en/books/handbook/quotas.html

which says to add into /etc/rc.conf the line:

quota_enable="YES"

but for whatever reason I stupidly had:

enable_quotas="YES"

(which I must have lifted from some text relevant to older branch...)

Thanks again for all your help!

Sincerely yours,

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 30 03:25:58 2013
Date: Fri, 30 Aug 2013 03:25:58 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: conf/181650: [jail] [patch] /etc/rc.d/jail fails if a kernel built without INET6

Old Synopsis: /etc/rc.d/jail fails if a kernel built without INET6
New Synopsis: [jail] [patch] /etc/rc.d/jail fails if a kernel built without INET6

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Aug 30 03:25:29 UTC 2013
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=181650

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 31 16:00:01 2013
Date: Sat, 31 Aug 2013 16:00:01 GMT
To: freebsd-jail@FreeBSD.org
From: Moritz Wilhelmy
Subject: Re: kern/176092: Starting a jail on my releng/9.1 kernel with pf and VIMAGE enabled crashes the kernel
Reply-To: Moritz Wilhelmy

The following reply was made to PR kern/176092; it has been noted by GNATS.

From: Moritz Wilhelmy
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/176092: Starting a jail on my releng/9.1 kernel with pf and VIMAGE enabled crashes the kernel
Date: Sat, 31 Aug 2013 17:57:44 +0200

 Hello,

 I think this can be closed as duplicate of kern/176112.
 I had trouble with my mail setup at that time, if I recall correctly.
 Sorry about that.

 Moritz

From owner-freebsd-jail@FreeBSD.ORG Sat Aug 31 19:24:23 2013
Date: Sat, 31 Aug 2013 21:14:16 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Jamie Gritton
Subject: Re: jail.conf & cpuset.id
Cc: FreeBSD-Jail

Jamie Gritton wrote:
> On 03/17/13 05:59, Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi, all, I am starting to use the jail.conf for running my jails, in
>> rc.local I have this line jail -c this to start my jails at boot time
>> (any better ideas)
>>
>> Now checking the man pages for the jail I found an option that caught my
>> attention, 'cpuset.id' any idea of how to use it ?
>>
>> I would like to find a way to prevent a root user within a jail to
>> run a 'fork-bomb' and freeze the host server.
>
> Take a look at cpuset(1). You use that utility (in the host environment)
> to change the CPUs available to a jail. Don't worry about the cpuset.id
> parameter itself - you don't need it. Just use cpuset's "-j" flag to
> specify the jail itself (by jid only). When you're starting jails in rc,
> add the appropriate cpuset commands as an exec_poststart option. Such as:
>
> jail_backtest_poststart0="cpuset -c -l1,3-7 -j`cat /var/run/jail_backtest.id`"

Hi Jamie,
I tried your suggestion with exec_poststart for setting the cpuset. It
doesn't work. I don't know if it worked for you with any older version
of FreeBSD. I tried it on FreeBSD 9.1-RELEASE.

I have this in rc.conf

jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `cat /var/run/jail_fox.id`"

With rc_debug="YES", I get this error

# service jail start fox
cat: /var/run/jail_fox.id: No such file or directory
cat: /var/run/jail_fox.id: No such file or directory
[snip]
/etc/rc.d/jail: DEBUG: fox exec post-start #1: cpuset -c -l 5-6 -j
[snip]
fox.example.comcpuset: option requires an argument -- j
usage: cpuset [-l cpu-list] [-s setid] cmd ...
       cpuset [-l cpu-list] [-s setid] -p pid
       cpuset [-c] [-l cpu-list] -C -p pid
       cpuset [-cr] [-l cpu-list] [-j jailid | -p pid | -t tid | -s setid | -x irq]
       cpuset [-cgir] [-j jailid | -p pid | -t tid | -s setid | -x irq]

I think the problem is that the command is evaluated before the jail is
started. Or am I doing something wrong?

I also tried the following with no luck:

jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `jls -j fox jid`"

Miroslav Lachman
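
An added illustration of the evaluation-order question raised in the message above; it is not part of the thread and not code from /etc/rc.d/jail. It shows when a command substitution inside a stored hook string runs, which matters because the -j argument decides which jail the CPU restriction lands on. The temp file standing in for /var/run/jail_fox.id, the jid 7, and the helpers run_hook and start_jail are constructed, and passing the hook through eval is an assumption of the demo.

```shell
#!/bin/sh
# Added demo (constructed): when does the command substitution inside a
# post-start hook string run? A temp file stands in for the jail id file.

DEMO_DIR=$(mktemp -d)
ID_FILE="$DEMO_DIR/jail_fox.id"
trap 'rm -rf "$DEMO_DIR"' EXIT

# Hypothetical stand-in for the rc step that runs a stored hook string once
# the jail is up. Assumption: the string is passed through eval.
run_hook() {
    eval "$1"
}

# Stand-in for jail startup: the id file exists only from this point on.
start_jail() {
    echo 7 > "$ID_FILE"    # constructed jid
}

# Double quotes, as in the rc.conf line from the thread: the substitution
# runs while the assignment is read, before start_jail, so the id file is
# missing and -j ends up with no argument. Backticks behave the same way.
hook_expanded_at_load() {
    rm -f "$ID_FILE"
    hook="echo cpuset -c -l 5-6 -j $(cat "$ID_FILE" 2>/dev/null || true)"
    start_jail
    run_hook "$hook"
}

# Single quotes: the substitution is stored as plain text and only runs
# inside run_hook, after start_jail has written the id file.
hook_expanded_at_run() {
    rm -f "$ID_FILE"
    hook='echo cpuset -c -l 5-6 -j $(cat "$ID_FILE")'
    start_jail
    run_hook "$hook"
}

# The hooks echo the cpuset command line instead of running it, so the
# demo works on any host and shows exactly what would be executed.
echo "expanded at load: $(hook_expanded_at_load)"
echo "expanded at run:  $(hook_expanded_at_run)"
```

The first line of output ends in a bare -j, matching the DEBUG line quoted in the message; after any such change, `cpuset -g -j <jid>` on the host shows the mask the jail actually received.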