From: "Bjoern A. Zeeb"
Date: Mon, 1 Dec 2008 09:41:46 +0000 (UTC)
To: freebsd-jail@freebsd.org
Cc: freebsd-current@freebsd.org, FreeBSD virtualization mailing list
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
Message-ID: <20081201085229.D80401@maildrop.int.zabbadoz.net>

Hi,

as you may have already noticed, multi-IPv4/v6/no-IP jails have hit HEAD.
See commit message attached.

The bad news first: expect an update on the rc script to make the more
obscure rc features, like configuring IPs on interfaces when starting
jails and giving a possible netmask, work with multiple IPs and IPv6.

The good news: in case you do not use those features or still only use
one IP per jail, everything should just work fine and there are no
changes needed.

More news: in case you want to use multiple IPs or a mix of v4 and v6
addresses, you just give them as a comma-separated list, either on the
command line or in rc.conf, like:

    jail / example 192.0.2.250,2001:db8::75,2001:db8::99,2001:db8::55,2001:db8::14,192.0.2.254 /bin/sh

or:

    jail_example_ip="192.0.2.2,2001:db8::2,2001:db8::1,2001:db8::4,2001:db8::13,192.0.2.3"

In case you do want to start a jail without any IP, give an empty
argument on the command line:

    jail / noip.example.net "" /bin/sh

Additionally you can give a jail a name now using the -n option:

    jail -n "bz's private noip jail" / noip.example.net "" /bin/sh

You may not want to use special characters or whitespace, but it is just
a string, so you can. There are no restrictions and even 10 jails could
have the same name. The jail (inside) cannot change the name. It's set
upon jail creation and unchangeable from then on.

What else is new: the -h option to jail makes it resolve the hostname to
IP addresses and will merge those into the jail IPs. Note that this can
give you unexpected results on the primary jail IP. See jail(8) for more
information.

jls tries to be as backward compatible as possible. That means it will
only show one IPv4 if called as `jls`; obviously this won't work well
for no-IP or IPv6-only jails. This was done to try to not confuse
scripts people have in their classic setups.

jls -v will give you the full information, including:

- state: usually ACTIVE.
- In case you also give '-a' you will also see jails in other states,
  for example jails hanging around waiting for a socket to timeout but
  with no processes left after it was stopped; it will say DYING.
- Every jail gets its own cpuset inherited from the process that started
  the jail. You can list, etc., the mask by jail id:

      cpuset -g -j 8

  or by set id:

      cpuset -g -s 5

  Or even change it if you want. Threads within jails should be able to
  further restrict themselves even within the jail but nothing outside
  their scope. See the cpuset manpages for further information.

The IPs will be listed in the following order: the primary IP per AF,
which is the first IP of that AF given to the jail command, and then
they should be sorted in ascending order.

jexec now takes the optional jail name to attach to a jail but will
refuse to do anything if the jail cannot be uniquely identified. In case
you use the jail name you have to give an empty argument for the jail id
like:

    jexec -n "bz's private noip jail" "" /bin/sh

You can also give both jail name and jail ID and both will have to
match, else it will complain. Obviously only giving the jail id still
works. The -h hostname option is gone again. You should use the jail
name for management purposes now.

A sample full jls output (admittedly a bit ugly this way):

    sun$ jls -av
       JID  Hostname              Path             Name                    State  CPUSetID  IP Address(es)
        21  sun                   /                hangtest                DYING         6  192.0.2.99
         8  noip.example.net      /                bz's private noip jail  ALIVE         5
         3  j3.sunny.example.net  /local/jails/j1                          ALIVE         4  2001:db8::5
         2  j2.sunny.example.net  /local/jails/j1                          ALIVE         3  192.0.2.1
         1  j1.sunny.example.net  /local/jails/j1                          ALIVE         2  192.0.2.2
                                                                                           192.0.2.3
                                                                                           2001:db8::2
                                                                                           2001:db8::1
                                                                                           2001:db8::4
                                                                                           2001:db8::13

In case you have more questions the man pages do not address, or
problems, etc., please follow up to freebsd-jail@ .

Regards,
Bjoern

PS: the MFC question was answered in the commit message so do not ask.

-- 
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.

---------- Forwarded message ----------
Date: Sat, 29 Nov 2008 14:32:14 +0000 (UTC)
Subject: svn commit: r185435 - in head: lib/libc/sys lib/libkvm share/man/man4 sys/compat/freebsd32 sys/kern sys/net sys/netinet sys/netinet6 sys/security/mac_bsdextended sys/sys usr.bin/cpuset usr.sbin/jai...

Author: bz
Date: Sat Nov 29 14:32:14 2008
New Revision: 185435

URL: http://svn.freebsd.org/changeset/base/185435

Log:
  MFp4: Bring in updated jail support from bz_jail branch.

  This enhances the current jail implementation to permit multiple
  addresses per jail. In addition to IPv4, IPv6 is supported as well.
  Due to updated checks it is even possible to have jails without an
  IP address at all, which basically gives one a chroot with restricted
  process view, no networking, ..

  SCTP support was updated and supports IPv6 in jails as well.

  Cpuset support permits jails to be bound to specific processor sets
  after creation.

  Jails can have an unrestricted (no duplicate protection, etc.) name
  in addition to the hostname. The jail name cannot be changed from
  within a jail and is considered to be used for management purposes
  or as audit-token in the future.

  DDB 'show jails' command was added to aid debugging.

  Proper compat support permits 32bit jail binaries to be used on 64bit
  systems to manage jails. Also backward compatibility was preserved
  where possible: for jail v1 syscalls, as well as with user space
  management utilities.

  Both jail as well as prison version were updated for the new features.
  A gap was intentionally left as the intermediate versions had been
  used by various patches floating around the last years.

  Bump __FreeBSD_version for the aforementioned and in kernel changes.

  Special thanks to:
  - Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches and Olivier
    Houchard (cognet) for initial single-IPv6 patches.
  - Jeff Roberson (jeff) and Randall Stewart (rrs) for their help, ideas
    and review on cpuset and SCTP support.
  - Robert Watson (rwatson) for lots and lots of help, discussions,
    suggestions and review of most of the patch at various stages.
  - John Baldwin (jhb) for his help.
  - Simon L. Nielsen (simon) as early adopter testing changes on cluster
    machines as well as all the testers and people who provided feedback
    the last months on freebsd-jail and other channels.
  - My employer, CK Software GmbH, for the support so I could work on
    this.

  Reviewed by:  (see above)
  MFC after:    3 months (this is just so that I get the mail)
  X-MFC Before: 7.2-RELEASE if possible
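The announcement describes two behaviours an administrator has to keep in mind when reading jail configuration: the comma-separated address argument (an empty string meaning a no-IP jail), and the order in which jls -v lists addresses (the primary IP per address family, i.e. the first one given, then the rest ascending), while plain jls shows only the primary IPv4. The following is an added example, not FreeBSD's own jail or jls code: a small Python model that validates a jail_<name>_ip value before a jail is started and predicts what jls will display. The sample value is the one from the announcement; the function names parse_jail_ips, jls_order, classic_jls_ip and describe are this example's own.

```python
"""Model of the multi-IP jail address list described in the r185435 HEADS UP.

Added example; this is not FreeBSD's jail(8)/jls(8) code. It only reproduces
the documented argument syntax and display order so a configuration can be
checked before the jail is started.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the rc.conf value quoted in the announcement.
SAMPLE_RC_VALUE = "192.0.2.2,2001:db8::2,2001:db8::1,2001:db8::4,2001:db8::13,192.0.2.3"


def parse_jail_ips(value: str) -> list:
    """Split the comma-separated jail IP argument into address objects.

    An empty string is the documented way to start a no-IP jail, so it yields
    an empty list. Anything that is not a bare IPv4/IPv6 address (a prefix
    like 192.0.2.0/24, a hostname, an interface name) is rejected, because the
    jail command expects plain addresses here; resolving hostnames is the
    separate -h option.
    """
    if value.strip() == "":
        return []
    addrs = []
    for item in value.split(","):
        item = item.strip()
        try:
            addrs.append(ipaddress.ip_address(item))
        except ValueError as exc:
            raise ValueError(f"invalid jail IP {item!r} in {value!r}") from exc
    return addrs


def jls_order(addrs: list) -> list:
    """Return addresses in the order jls -v prints them.

    Per address family: the primary IP (the first one given to jail) comes
    first, followed by the remaining IPs of that family in ascending order.
    IPv4 is listed before IPv6, as in the sample jls -av output.
    """
    ordered = []
    for version in (4, 6):
        family = [a for a in addrs if a.version == version]
        if not family:
            continue
        primary, rest = family[0], family[1:]
        ordered.append(primary)
        ordered.extend(sorted(rest))
    return ordered


def classic_jls_ip(addrs: list) -> Optional[str]:
    """What plain `jls` (no -v) shows: only the primary IPv4.

    For IPv6-only or no-IP jails there is nothing to show, which is exactly
    the case the announcement warns classic scripts about.
    """
    for a in addrs:
        if a.version == 4:
            return str(a)
    return None


def describe(value: str) -> Tuple[List[str], Optional[str]]:
    """Validate a jail IP argument and return (jls -v order, classic jls IP)."""
    addrs = parse_jail_ips(value)
    return [str(a) for a in jls_order(addrs)], classic_jls_ip(addrs)


if __name__ == "__main__":
    order, classic = describe(SAMPLE_RC_VALUE)
    print("jls -v order:", " ".join(order))
    print("classic jls shows:", classic)
    print("IPv6-only jail, classic jls shows:", describe("2001:db8::5")[1])
    print("no-IP jail:", describe(""))
```

Running it on the sample value gives the same six addresses, in the same order, as jail 1 in the announcement's jls -av output, and shows that a classic jls invocation would report only 192.0.2.2. The point of the validation step is that a stray prefix length or hostname in an rc.conf list is caught before the jail start fails or ends up with fewer addresses than intended.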