From: FreeBSD bugmaster
Date: Mon, 28 Sep 2009 11:06:57 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots

4 problems total.


From: Edwin Shao
Date: Mon, 28 Sep 2009 15:06:09 +0300
To: freebsd-jail@freebsd.org
Subject: Tutorial for Hierarchical Jails?

Hello,

Does anyone have a walkthrough for how to get hierarchical jails to work? I've been playing around with it for a couple of days and it simply is not working. I would like to know if anyone has gotten it to work, and if so, how?

The error I tend to get within a jail (starting another child jail) is:

  hyper# ./jail start
  Configuring jails:.
  Starting jails: cannot start jail "neko":

I'm using very basic steps as outlined in <http://www.freebsd.org/doc/en/books/handbook/jails-intro.html> and I am easily getting the jails to work in the non-jailed highest level system.

What I have done to troubleshoot so far:
* Installed from scratch 8.0-RC1 ISO, make buildworld from scratch 8.0-RC1 /usr/src.
* Created very liberal sysctls.
* Tried different combinations of disabling/enabling mounted systems such as devfs, procfs, etc.
* Tried modifying different module fs to enable the "jail" flag.

This is under a clean install of 8.0-RC1. I'd be happy to provide additional information for troubleshooting, but I'm not even sure what's going wrong. It'd probably be more helpful for you to just let me know what you did to get it working.
Thanks,
Edwin


From: Jamie Gritton
Date: Mon, 28 Sep 2009 10:35:50 -0600
To: Edwin Shao
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Tutorial for Hierarchical Jails?

The main thing you need to do is to set the first-level jail's children.max parameter. It defaults to zero, which doesn't allow a jail to create any child jails (the non-hierarchical default). It sounds like you have everything else you need.

- Jamie
From: Edwin Shao
Date: Mon, 28 Sep 2009 20:45:51 +0300
To: Jamie Gritton
Cc: freebsd-jail@freebsd.org
Subject: Re: Tutorial for Hierarchical Jails?

Hi Jamie,

When I try to change the parameter, nothing happens:

  rescue /etc> sudo sysctl security.jail.param.children.max=1
  security.jail.param.children.max: 0 -> 0

  rescue /etc> sudo sysctl security.jail.param.children.max
  security.jail.param.children.max: 0

Am I doing this incorrectly?

Thanks,
Edwin


From: Jamie Gritton
Date: Mon, 28 Sep 2009 12:13:09 -0600
To: Edwin Shao
Cc: freebsd-jail@FreeBSD.org
Subject: Re: Tutorial for Hierarchical Jails?

Edwin Shao wrote:
> When I try to change the parameter, nothing happens:
> rescue /etc> sudo sysctl security.jail.param.children.max=1
> security.jail.param.children.max: 0 -> 0
>
> rescue /etc> sudo sysctl security.jail.param.children.max
> security.jail.param.children.max: 0
>
> Am I doing this incorrectly?

Yes. Use jail(8) to set the parameters, not sysctl. The security.jail.param.* sysctls are for reference only and have no useful values to get or set. Set it with:

  jail -m jid=<jid> children.max=1

Run this on the base system, i.e. not inside the jail in question.

- Jamie


From: "Bjoern A. Zeeb"
Date: Mon, 28 Sep 2009 18:11:31 +0000 (UTC)
To: Edwin Shao
Cc: freebsd-jail@freebsd.org, Jamie Gritton
Subject: Re: Tutorial for Hierarchical Jails?

On Mon, 28 Sep 2009, Edwin Shao wrote:
> When I try to change the parameter, nothing happens:
> rescue /etc> sudo sysctl security.jail.param.children.max=1
> security.jail.param.children.max: 0 -> 0
>
> rescue /etc> sudo sysctl security.jail.param.children.max
> security.jail.param.children.max: 0
>
> Am I doing this incorrectly?

Yes. It's a parameter to jail(8). The security.jail.param sysctls can be seen as a list of possible options valid to jail(8). See man 8 jail for the exact details.

/bz

-- 
Bjoern A. Zeeb                        What was I talking about and who are you again?
From: Edwin Shao
Date: Mon, 28 Sep 2009 23:26:00 +0300
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org, Jamie Gritton
Subject: Re: Tutorial for Hierarchical Jails?

Thanks, that worked for me.

* Using jail to change children.max on the parent does not affect `sysctl security.jail.param.children.max` in the child. Also security.jail.param.children.cur never changes either. Not sure if that's intended behavior.
* Is there any way to persist the security.jail.param.children.max parameter without entering the jail command every time?
* I get the following output when I create a jail inside a jail:

  hyper ~> ezjail-admin start neko
  Configuring jails:.
  Starting jails:devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted
  devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted
  /etc/rc.d/jail: WARNING: devfs_set_ruleset: you must specify a ruleset number
  devfs rule: ioctl DEVFSIO_SAPPLY: Operation not permitted
  ln: log: Operation not permitted
  mount: proc : Operation not permitted
  neko.

I'm using the same configuration values as in the parent's jail, which work. Everything seems to work alright inside the jail, so I assume the errors are safe to ignore?

Thanks again!
- Edwin
From: Jamie Gritton
Date: Mon, 28 Sep 2009 15:16:08 -0600
To: Edwin Shao
Cc: "Bjoern A. Zeeb", freebsd-jail@FreeBSD.org
Subject: Re: Tutorial for Hierarchical Jails?

The sysctls not only don't get written to, they don't have any useful information to read either. They only describe the existence and format of the various jail parameters. Sorry, but there's no way to set a default children.max parameter or inherit it from the parent. We've decided to set the default to the most secure/restrictive in many cases. Once we've come up with a new jail configuration interface, this won't be such a hassle.

The devfs errors are probably something that will have to be addressed in a later revision - I haven't looked in the devfs direction so I'm not sure about that. The mount error may be related to the first jail's allow.mount parameter (whose default comes from security.jail.mount_allowed).

- Jamie


From: Edwin Shao
Date: Tue, 29 Sep 2009 03:07:32 +0300
To: Jamie Gritton
Cc: "Bjoern A. Zeeb", freebsd-jail@freebsd.org
Subject: Re: Tutorial for Hierarchical Jails?

One other thing that is odd: hierarchical jails don't seem to inherit some sysctls such as allow_raw_socket.

In the host (jail), rc.conf has jail_set_allow_raw_sockets="YES" and sysctl.conf has "security.jail.allow_raw_sockets=1", but no child jail can ping out:

  neko# ping google.com
  ping: socket: Operation not permitted

What is happening in this case?

Thank you for your time again.


From: Jamie Gritton
Date: Mon, 28 Sep 2009 22:08:02 -0600
To: Edwin Shao
Cc: "Bjoern A. Zeeb", freebsd-jail@FreeBSD.org
Subject: Re: Tutorial for Hierarchical Jails?

Does the base system have security.jail.allow_raw_sockets=1? You need to have that, or set the jail's allow.raw_sockets. You can't set the jail's permissions from within the jail itself. If you have multiple jail levels, then both jails need to allow raw sockets - a jail can't allow a child jail to do what it can't do itself.

- Jamie
> > > From owner-freebsd-jail@FreeBSD.ORG Wed Sep 30 16:35:47 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F2212106568B for ; Wed, 30 Sep 2009 16:35:47 +0000 (UTC) (envelope-from freebsd@optiksecurite.com) Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id CDAC88FC3A for ; Wed, 30 Sep 2009 16:35:47 +0000 (UTC) MIME-version: 1.0 Content-transfer-encoding: 7BIT Content-type: text/plain; charset=ISO-8859-1; format=flowed Received: from [69.69.69.193] ([24.201.201.211]) by VL-MH-MR002.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KQS00BJRJBL5X00@VL-MH-MR002.ip.videotron.ca> for freebsd-jail@freebsd.org; Wed, 30 Sep 2009 11:35:47 -0400 (EDT) Message-id: <4AC37ACC.4090201@optiksecurite.com> Date: Wed, 30 Sep 2009 11:35:40 -0400 From: Martin Turgeon User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) To: freebsd-jail@freebsd.org Subject: Can't upgrade jails to 8.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Sep 2009 16:35:48 -0000 Hi everyone! I just upgraded a 7.2-REL to 8.0RC1 using freebsd-update. The upgrade went fine on the base system following the procedure written in the announcement email by Ken Smith. My problem is when I try to upgrade my jails, I get this message: # freebsd-update -b /usr/jail/mysql/ fetch install Looking up update.FreeBSD.org mirrors... 3 mirrors found. Fetching metadata signature for 8.0-RC1 from update5.FreeBSD.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. No updates needed to update system to 8.0-RC1-p0. No updates are available to install. 
Run '/usr/sbin/freebsd-update fetch' first. But, if I compare the dates of the files in the base system to the files in the jails, it's obvious that the jails are not up to date. It seems like freebsd-update doesn't care about the basedir I specified. Thanks a lot for your help, Martin From owner-freebsd-jail@FreeBSD.ORG Thu Oct 1 18:42:42 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E8B1D10656B2; Thu, 1 Oct 2009 18:42:41 +0000 (UTC) (envelope-from edwin.shao@gmail.com) Received: from mail-yx0-f171.google.com (mail-yx0-f171.google.com [209.85.210.171]) by mx1.freebsd.org (Postfix) with ESMTP id 7D8CD8FC16; Thu, 1 Oct 2009 18:42:41 +0000 (UTC) Received: by yxe1 with SMTP id 1so408416yxe.3 for ; Thu, 01 Oct 2009 11:42:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type; bh=oka4EKeF3tl6XtXH17ORaw9lnijnOJH9OpzvLEU8Z+w=; b=d803FAvT8WG+mTwi4bzbxRg4l7E26Udp1p4FFwOoI8FyOSjslzpJbVTAU0uN7LGnmw ygQkAPd6H1u495G6KEdACbOHI4WFXp32eXD0Dhq3K4Hzy5yvgw887GM6ax9JIAEhAxKx 6eyq/tlupPU48rMh38zBqH5B3kG0QQimJeZEA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=W9sljyUravhD6jrq0tbDVuqtYcU+OXS0VPzz6bVqvnYHiNYmw6N1VjMGBSxqV3r4aJ 4oHyFnVf7fnyuYk/RANXpB9UzaM6H1zUz7xKF3ceoTFDU1ZeYttOhlFLrGOU2nedxsQt cGquQd8wnXWn9ml4m7eqBEm3rrttFD+4ttzAQ= MIME-Version: 1.0 Received: by 10.101.55.7 with SMTP id h7mr1449032ank.116.1254422560762; Thu, 01 Oct 2009 11:42:40 -0700 (PDT) In-Reply-To: <4AC18822.7020705@FreeBSD.org> References: <4AC0E5E6.1010700@FreeBSD.org> <20090928180731.M68375@maildrop.int.zabbadoz.net> <4AC12798.8070308@FreeBSD.org> <4AC18822.7020705@FreeBSD.org> From: Edwin Shao Date: Thu, 1 Oct 2009 21:42:20 +0300 
Message-ID: To: Jamie Gritton Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: "Bjoern A. Zeeb" , freebsd-jail@freebsd.org Subject: Re: Tutorial for Hierarchical Jails? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Oct 2009 18:42:42 -0000 The base system has allow_raw_sockets, the first level jail also has allow_raw_sockets and has the exact same configuration as the base system (I use puppet to manage config files.) I can't set allow_raw_sockets anyway for the second-level jail without manually invoking the jail command. On Tue, Sep 29, 2009 at 7:08 AM, Jamie Gritton wrote: > Does the base system have security.jail.allow_raw_sockets=1? You need to > have that, or set the jail's allow.raw_sockets. You can't set the jail's > permissions from within the jail itself. If you have multiple jail > levels, then both jails need to allow raw sockets - a jail can't allow a > child jail to do what it can't do itself. > > - Jamie > > > Edwin Shao wrote: > >> One other thing that is odd: hierarchical jails don't seem to inherit some >> sysctls such as allow_raw_socket. >> >> In the host (jail), rc.conf has jail_set_allow_raw_sockets="YES" and >> sysctl.conf has "security.jail.allow_raw_sockets=1", but no child jail can >> ping out: >> neko# ping google.com >> ping: socket: Operation not permitted >> >> What is happening in this case? >> Thank you for your time again. >> >> >> On Tue, Sep 29, 2009 at 12:16 AM, Jamie Gritton > jamie@freebsd.org>> wrote: >> >> The sysctls not only don't get written to, they don't have any useful >> information to read either. They only describe the existence and format >> of the various jail parameters. Sorry, but there;s no way to set a >> default children.max parameter or inherit it from the parent. 
We've >> decided to set the default to the most secure/restrictive in many >> cases. >> Once we've come up with a new jail configuration interface, this won't >> be such a hassle. >> >> The devfs errors are probably something that will have to be addressed >> in a later revision - I haven't looked in the devfs direction so I'm >> not >> sure about that. The mount error may be related to the first jail's >> allow.mount parameter (whose default comes from >> security.jail.mount_allowed). >> >> - Jamie >> >> Edwin Shao wrote: >> >> Thanks, that worked for me. >> >> * Using jail to change children.max on the parent does not >> affect `sysctl security.jail.param.children.max` in the child. >> Also security.jail.param.children.cur never changes either. Not >> sure if that's intended behavior. >> * Is there any way to persist the >> security.jail.param.children.max parameter without entering the >> jail command every time? * I get the following output when I >> create a jail inside a jail: >> >> hyper ~> ezjail-admin start neko >> Configuring jails:. >> Starting jails:devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not >> permitted >> devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted >> /etc/rc.d/jail: WARNING: devfs_set_ruleset: you must specify a >> ruleset number >> devfs rule: ioctl DEVFSIO_SAPPLY: Operation not permitted >> ln: log: Operation not permitted >> mount: proc : Operation not permitted >> neko. >> >> I'm using the same configuration values as in the parent's jail, >> which work. Everything seems to work alright inside the jail, so >> I assume the errors are safe to ignore? >> >> Thanks again! >> - Edwin >> >> On Mon, Sep 28, 2009 at 9:11 PM, Bjoern A. 
Zeeb >> > >> > >> wrote: >> >> On Mon, 28 Sep 2009, Edwin Shao wrote: >> >> Hi Jamie, >> When I try to change the parameter, nothing happens: >> rescue /etc> sudo sysctl security.jail.param.children.max=1 >> security.jail.param.children.max: 0 -> 0 >> >> rescue /etc> sudo sysctl security.jail.param.children.max >> security.jail.param.children.max: 0 >> >> Am I doing this incorrectly? >> >> >> Yes. It's a parameter to jail(8). The security.jail.param >> sysctls can >> be seen as a list of possible options valid to jail(8). See >> man 8 jail >> for the exact details. >> >> /bz >> >> -- Bjoern A. Zeeb What was I talking about and >> who are you again? >> >> >> >> From owner-freebsd-jail@FreeBSD.ORG Fri Oct 2 18:46:21 2009 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id ECA1E1065695 for ; Fri, 2 Oct 2009 18:46:21 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from gritton.org (gritton.org [161.58.222.4]) by mx1.freebsd.org (Postfix) with ESMTP id AB4758FC2C for ; Fri, 2 Oct 2009 18:46:21 +0000 (UTC) Received: from guppy.corp.verio.net (fw.oremut02.us.wh.verio.net [198.65.168.24]) (authenticated bits=0) by gritton.org (8.13.6.20060614/8.13.6) with ESMTP id n92IkKp4012504; Fri, 2 Oct 2009 12:46:20 -0600 (MDT) Message-ID: <4AC64A73.7010305@FreeBSD.org> Date: Fri, 02 Oct 2009 12:46:11 -0600 From: Jamie Gritton User-Agent: Thunderbird 2.0.0.19 (X11/20090109) MIME-Version: 1.0 To: Edwin Shao References: <4AC0E5E6.1010700@FreeBSD.org> <20090928180731.M68375@maildrop.int.zabbadoz.net> <4AC12798.8070308@FreeBSD.org> <4AC18822.7020705@FreeBSD.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-jail@FreeBSD.org Subject: Re: Tutorial for Hierarchical Jails? 
X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Oct 2009 18:46:22 -0000 Without going into the current rc system, which isn't up to the task of hierarchical jails, here's a minimal set of parameters/commands to create hierarchical jails that can still ping: # jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 ip4.addr=10.20.12.68 persist # jexec foo /bin/csh foo# jail -c name=bar host.hostname=bar allow.raw_sockets ip4.addr=10.20.12.68 persist foo# jexec bar /bin/csh bar# ping gritton.org PING gritton.org (161.58.222.4): 56 data bytes 64 bytes from 161.58.222.4: icmp_seq=0 ttl=54 time=78.344 ms - Jamie Edwin Shao wrote: > The base system has allow_raw_sockets, the first level jail also has > allow_raw_sockets and has the exact same configuration as the base > system (I use puppet to manage config files.) I can't set > allow_raw_sockets anyway for the second-level jail without manually > invoking the jail command. > > On Tue, Sep 29, 2009 at 7:08 AM, Jamie Gritton > wrote: > > Does the base system have security.jail.allow_raw_sockets=1? You need to > have that, or set the jail's allow.raw_sockets. You can't set the jail's > permissions from within the jail itself. If you have multiple jail > levels, then both jails need to allow raw sockets - a jail can't allow a > child jail to do what it can't do itself. > > - Jamie > > > Edwin Shao wrote: > > One other thing that is odd: hierarchical jails don't seem to > inherit some sysctls such as allow_raw_socket. > > In the host (jail), rc.conf has jail_set_allow_raw_sockets="YES" > and sysctl.conf has "security.jail.allow_raw_sockets=1", but no > child jail can ping out: > neko# ping google.com > > ping: socket: Operation not permitted > > What is happening in this case? > Thank you for your time again. 
> > > On Tue, Sep 29, 2009 at 12:16 AM, Jamie Gritton > > >> wrote: > > The sysctls not only don't get written to, they don't have > any useful > information to read either. They only describe the existence > and format > of the various jail parameters. Sorry, but there;s no way to > set a > default children.max parameter or inherit it from the parent. > We've > decided to set the default to the most secure/restrictive in > many cases. > Once we've come up with a new jail configuration interface, > this won't > be such a hassle. > > The devfs errors are probably something that will have to be > addressed > in a later revision - I haven't looked in the devfs direction > so I'm not > sure about that. The mount error may be related to the first > jail's > allow.mount parameter (whose default comes from > security.jail.mount_allowed). > > - Jamie > > Edwin Shao wrote: > > Thanks, that worked for me. > > * Using jail to change children.max on the parent does not > affect `sysctl security.jail.param.children.max` in the > child. > Also security.jail.param.children.cur never changes > either. Not > sure if that's intended behavior. > * Is there any way to persist the > security.jail.param.children.max parameter without > entering the > jail command every time? * I get the following output when I > create a jail inside a jail: > > hyper ~> ezjail-admin start neko > Configuring jails:. > Starting jails:devfs rule: ioctl DEVFSIO_RGETNEXT: > Operation not > permitted > devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted > /etc/rc.d/jail: WARNING: devfs_set_ruleset: you must > specify a > ruleset number > devfs rule: ioctl DEVFSIO_SAPPLY: Operation not permitted > ln: log: Operation not permitted > mount: proc : Operation not permitted > neko. > > I'm using the same configuration values as in the > parent's jail, > which work. Everything seems to work alright inside the > jail, so > I assume the errors are safe to ignore? > > Thanks again! 
> - Edwin > > On Mon, Sep 28, 2009 at 9:11 PM, Bjoern A. Zeeb > > > > > >>> wrote: > > On Mon, 28 Sep 2009, Edwin Shao wrote: > > Hi Jamie, > When I try to change the parameter, nothing happens: > rescue /etc> sudo sysctl > security.jail.param.children.max=1 > security.jail.param.children.max: 0 -> 0 > > rescue /etc> sudo sysctl > security.jail.param.children.max > security.jail.param.children.max: 0 > > Am I doing this incorrectly? > > > Yes. It's a parameter to jail(8). The security.jail.param > sysctls can > be seen as a list of possible options valid to > jail(8). See > man 8 jail > for the exact details. > > /bz > > -- Bjoern A. Zeeb What was I talking > about and > who are you again? > > > >
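The rules Jamie states in this thread (a jail can't allow a child jail to do what it can't do itself; permissions are set by the parent, never from inside the jail; defaults are the most restrictive, so children.max starts at 0) and the foo/bar recipe in his last message can be checked against a small model. The Python below is an added example written for this archive; it is not code from the thread, from FreeBSD, or from jail(8). The function names jail_create, jail_modify, can_ping and denied are this example's own, and the model simplifies in one documented way: every allow.* parameter is off unless given explicitly, as in Jamie's recipe, so the host sysctl defaults that rc(8) relies on are not modelled.

```python
"""Constructed model of the hierarchical-jail rules stated in this thread
(restrictive defaults, child permissions bounded by the parent, no
self-modification, children.max accounting). Not FreeBSD's jail(2)/jail(8)
code; names jail_create/jail_modify/can_ping/denied are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOW_PARAMS = ("allow.raw_sockets", "allow.mount")


@dataclass
class Jail:
    name: str
    parent: Optional["Jail"]
    allow: Dict[str, bool]
    children_max: int
    children: Dict[str, "Jail"] = field(default_factory=dict)

    @property
    def children_cur(self) -> int:
        return len(self.children)

    def is_inside(self, other: "Jail") -> bool:
        """True if this jail is `other` itself or is nested beneath it."""
        j: Optional[Jail] = self
        while j is not None:
            if j is other:
                return True
            j = j.parent
        return False


def host() -> Jail:
    """The host system, modelled as a root jail that holds every permission."""
    return Jail("host", None, {p: True for p in ALLOW_PARAMS}, children_max=2**31 - 1)


def jail_create(creator: Jail, name: str, **params) -> Jail:
    """'jail -c' issued from inside `creator`; the new jail becomes its child.
    Dotted jail(8) names are passed by unpacking: **{"children.max": 99}."""
    parent = creator
    if parent.children_cur >= parent.children_max:
        raise PermissionError(f"{parent.name}: children.max={parent.children_max} "
                              f"reached (children.cur={parent.children_cur})")
    allow = {}
    for p in ALLOW_PARAMS:
        requested = bool(params.get(p, False))  # restrictive default: off
        if requested and not parent.allow[p]:
            # A jail can't allow a child jail to do what it can't do itself.
            raise PermissionError(f"{parent.name} lacks {p}; cannot grant it to {name}")
        allow[p] = requested
    child = Jail(name, parent, allow, children_max=int(params.get("children.max", 0)))
    parent.children[name] = child
    return child


def jail_modify(caller: Jail, target: Jail, **params) -> None:
    """'jail -m' issued from inside `caller` against an existing `target`."""
    if target is caller or not target.is_inside(caller):
        # Permissions are set by an ancestor, never from within the jail itself.
        raise PermissionError(f"{caller.name} may not modify {target.name}")
    for p, value in params.items():
        if p in ALLOW_PARAMS:
            if value and not target.parent.allow[p]:
                raise PermissionError(f"{target.parent.name} lacks {p}; cannot grant it")
            target.allow[p] = bool(value)
        elif p == "children.max":
            target.children_max = int(value)
        else:
            raise ValueError(f"unknown parameter {p}")


def can_ping(jail: Jail) -> bool:
    """ping(8) opens a raw socket, so it works only with allow.raw_sockets."""
    return jail.allow["allow.raw_sockets"]


def denied(fn, *args, **kwargs) -> bool:
    """True if the modelled operation is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


def jamie_recipe() -> Dict[str, bool]:
    """Replay the foo/bar commands from the thread plus Edwin's neko case."""
    h = host()
    foo = jail_create(h, "foo", **{"allow.raw_sockets": True, "children.max": 99})
    bar = jail_create(foo, "bar", **{"allow.raw_sockets": True})
    neko = jail_create(foo, "neko")  # no explicit allow.raw_sockets
    return {"foo": can_ping(foo), "bar": can_ping(bar), "neko": can_ping(neko)}


if __name__ == "__main__":
    print(jamie_recipe())  # {'foo': True, 'bar': True, 'neko': False}
```

Running the module replays the recipe: foo and bar can ping because allow.raw_sockets was granted at each level by a parent that holds it, while a child created without the parameter cannot. The same model refuses a second-level jail when the first-level jail was created without children.max, and refuses a jail's attempt to raise its own allow.raw_sockets, which is the situation Edwin ran into when ezjail tried to set the sysctl from inside the jail.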