From owner-freebsd-jail@FreeBSD.ORG Mon Oct 5 11:06:55 2009
From: FreeBSD bugmaster
Date: Mon, 5 Oct 2009 11:06:55 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From owner-freebsd-jail@FreeBSD.ORG Tue Oct 6 10:50:08 2009
From: "Bjoern A. Zeeb"
Date: Tue, 6 Oct 2009 10:45:55 +0000 (UTC)
To: Julian Elischer
Cc: Adam Vande More, FreeBSD virtualization mailing list,
    freebsd-current@freebsd.org, Jamie Gritton, Tom Judge,
    freebsd-jail@FreeBSD.org
Subject: Re: Per Jail Memory Limits

On Mon, 5 Oct 2009, Julian Elischer wrote:

> Tom Judge wrote:
>> Adam Vande More wrote:
>>> On Mon, Oct 5, 2009 at 12:47 PM, Tom Judge wrote:
>>>
>>>     Julian Elischer wrote:
>>>
>>>         Tom Judge wrote:
>>>
>>>             Hi,
>>>
>>>             Does anyone know of a patch that will add per jail memory
>>>             limits so that a jail can't swallow the resources of the
>>>             entire box?
>>>
>>>
>>>             Thanks
>>>
>>>             Tom
>>>
>>>         not yet..
>>>
>>>
>>>     I started to port this to 7.1 today:
>>>
>>>     http://wiki.freebsd.org/JailResourceLimits
>>>
>>>
>>>     What are the peoples opinions on this patch?
>>>
>>>
>>>     Tom
>>>
>>>
>>> If you're soliciting opinions if this will be used and is needed, I would
>>> love to see this functionality. This is the main reason I've had to choose
>>> XEN over jails. If you need some help testing, let me know.
>>>
>>> --
>>> Adam Vande More
>> Hi Adam,
>>
>> I have a patch against 7.1 here:
>> http://svn.tomjudge.com/freebsd/patches/jail-resource-limits/jail-limits.patch
>
> probably the person who should work with this in -current is james (CC'd)

Probably the person who should be contacted is trasz who worked on
hierarchical resource limit per .., jail in p4. Though this is slightly
different.

I think it's ok if people need those things to update the patches but I
doubt any will probably ever make it into FreeBSD as those things are
kind of contrary to the V_ plans.

BTW, I think the patch referenced is not the latest I had seen and I
thought that we also had one for 7.x or even for 8 already floating
around. Maybe some investigation on list archives etc. might be helpful
before starting to hack things. Maybe also check the links on
http://wiki.freebsd.org/Jails

>> I will try to bring the patch up to current when I get a chance but I have
>> no real need to do this as we use 7.1 in production.
>>
>> Notes:
>>
>> * CPU limiting is not supported unless you use
>>   sched_4bsd.
>> * I have not tested this on any system yet, just compile tested, I am
>>   putting it through its paces right now.
>>
>> Tom

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

From owner-freebsd-jail@FreeBSD.ORG Wed Oct 7 09:35:48 2009
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Wed, 07 Oct 2009 11:35:43 +0200
To: Tom Judge
Cc: freebsd-jail@FreeBSD.org, freebsd-current@FreeBSD.org
Subject: Re: Per Jail Memory Limits

Tom Judge wrote:
> So I have worked up something usable for us based on the 7.0 code from
> the wiki.
>
> This patch is for 7.1, it implements both soft and hard memory limits.
>
> Details are here:
> http://www.tomjudge.com/index.php/FreeBSD/Jails/MemoryLimits
>
> Changes that add supporting infrastructure for cpu limiting are in the
> patch but changes to the schedulers have not been included. If you need
> the scheduling support you will need to patch sched_4bsd with the code
> from the original patch set here:
>
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-June/000333.html
>
> Hope this is useful for some people.

I added links to this thread and to your patch into wiki page
http://wiki.freebsd.org/Jails. I hope it will help people to find your
work.
Do you plan to make it for 7.2 and other future releases?

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Wed Oct 7 10:17:48 2009
From: Andrey Groshev
Date: Wed, 07 Oct 2009 14:17:34 +0400
To: freebsd-jail@freebsd.org
Subject: how to make the jail safe for the parent system?

Hi, All!

I understand, what not absolutely normal question, but...

There is I and my server.
Also there is other person a server responsible for a web.
Periodically he wants that I would install some software, but in my
representation, this software bad or unnecessary.
I wish to make jail for its and its software.
To give to this person complete access to it, let does all that wants.
But, if in the jail create wrong start scripts, then the parent system
too cannot be started up to the end.
For example: in jail in /etc/rc.local write /bin/sh
And that starts all after this prison will not receive handle.

Question: how it to avoid?

From owner-freebsd-jail@FreeBSD.ORG Wed Oct 7 10:30:58 2009
From: Menshikov Konstantin
Date: Wed, 07 Oct 2009 14:22:57 +0400
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Tom Judge, freebsd-current@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: Per Jail Memory Limits

Miroslav Lachman wrote:
> Tom Judge wrote:
>
>> So I have worked up something usable for us based on the 7.0 code
>> from the wiki.
>>
>> This patch is for 7.1, it implements both soft and hard memory limits.
>>
>> Details are here:
>> http://www.tomjudge.com/index.php/FreeBSD/Jails/MemoryLimits
>>
>> Changes that add supporting infrastructure for cpu limiting are in
>> the patch but changes to the schedulers have not been included. If
>> you need the scheduling support you will need to patch sched_4bsd
>> with the code from the original patch set here:
>>
>> http://lists.freebsd.org/pipermail/freebsd-jail/2008-June/000333.html
>>
>> Hope this is useful for some people.
>
> I added links to this thread and to your patch into wiki page
> http://wiki.freebsd.org/Jails. I hope it will help people to find your
> work.
> Do you plan to make it for 7.2 and other future releases?
>
> Miroslav Lachman
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>
It is good that people work in this direction!
At present there are some patches, however any of them is not finished.
I suggest to discuss in details a problem.
The most important questions.
1. It is necessary to limit what resources?
2. How resources should be limited? Soft and hard limits.
3. How to count memory occupied with group of processes?
4. How to limit memory use? Whether correctly to kill processes?
5. How to limit use of processor time at absence in ULE separate turns
   of performance for jails?
6. Whether limits should be inherited at creation jails?
etc.
--
Menshikov Konstantin

From owner-freebsd-jail@FreeBSD.ORG Wed Oct 7 14:47:32 2009
From: Menshikov Konstantin
Date: Wed, 07 Oct 2009 18:50:31 +0400
To: Andrey Groshev
Cc: freebsd-jail@freebsd.org
Subject: Re: how to make the jail safe for the parent system?

Andrey Groshev wrote:
> Hi, All!
>
> I understand, what not absolutely normal question, but...
>
> There is I and my server.
> Also there is other person a server responsible for a web.
> Periodically he wants that I would install some software, but in my
> representation, this software bad or unnecessary.
> I wish to make jail for its and its software.
> To give to this person complete access to it, let does all that wants.
> But, if in the jail create wrong start scripts, then the parent system
> too cannot be started up to the end.
> For example: in jail in /etc/rc.local write /bin/sh
> And that starts all after this prison will not receive handle.
>
> Question: how it to avoid?
>
>
Hi.
I think that this is a bug in the /etc/rc.d/jail script.
You can fix /etc/rc.d/jail
626     run_rc_command "${cmd}" &
627     sleep 5
instead
626     run_rc_command "${cmd}"
This works.

From owner-freebsd-jail@FreeBSD.ORG Wed Oct 7 21:07:45 2009
From: Tom Judge
Date: Wed, 07 Oct 2009 20:48:49 +0000
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-current@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: Per Jail Memory Limits

Miroslav Lachman wrote:
> Tom Judge wrote:
>
>> So I have worked up something usable for us based on the 7.0 code
>> from the wiki.
>>
>> This patch is for 7.1, it implements both soft and hard memory limits.
>>
>> Details are here:
>> http://www.tomjudge.com/index.php/FreeBSD/Jails/MemoryLimits
>>
>> Changes that add supporting infrastructure for cpu limiting are in
>> the patch but changes to the schedulers have not been included. If
>> you need the scheduling support you will need to patch sched_4bsd
>> with the code from the original patch set here:
>>
>> http://lists.freebsd.org/pipermail/freebsd-jail/2008-June/000333.html
>>
>> Hope this is useful for some people.
>
> I added links to this thread and to your patch into wiki page
> http://wiki.freebsd.org/Jails. I hope it will help people to find your
> work.
> Do you plan to make it for 7.2 and other future releases?

Thanks for adding it to the wiki.

It should be simple to apply to 7.2, I can try to knock out a patch in
my spare time for this.

However at this time I have no plans to take this any further, it seems
plenty of people are working on this problem. Maybe one day there will
be an in tree solution.
Tom

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 06:49:24 2009
From: Andrey Groshev
Date: Thu, 08 Oct 2009 10:49:10 +0400
To: Menshikov Konstantin
Cc: freebsd-jail@freebsd.org
Subject: Re: how to make the jail safe for the parent system?

Hi,
About "&" I thought, where it to attach.:)
Yes - so works correctly.
This bug lies on a surface, PR too I can not find.
How you think, can be to write it?

Menshikov Konstantin wrote:
> Andrey Groshev wrote:
>> Hi, All!
>>
>> I understand, what not absolutely normal question, but...
>>
>> There is I and my server.
>> Also there is other person a server responsible for a web.
>> Periodically he wants that I would install some software, but in my
>> representation, this software bad or unnecessary.
>> I wish to make jail for its and its software.
>> To give to this person complete access to it, let does all that wants.
>> But, if in the jail create wrong start scripts, then the parent
>> system too cannot be started up to the end.
>> For example: in jail in /etc/rc.local write /bin/sh
>> And that starts all after this prison will not receive handle.
>>
>> Question: how it to avoid?
>>
>>
> Hi.
> I think that this is a bug in the /etc/rc.d/jail script.
> You can fix /etc/rc.d/jail
> 626     run_rc_command "${cmd}" &
> 627     sleep 5
> instead
> 626     run_rc_command "${cmd}"
> This works.
>
>

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 17:58:03 2009
From: Martin Turgeon
Date: Thu, 08 Oct 2009 13:58:01 -0400
To: freebsd-jail@freebsd.org
Subject: Can't upgrade jails to 8.0 using freebsd-update

Hi everyone!

I just upgraded a 7.2-REL to 8.0RC1 using freebsd-update. The upgrade
went fine on the base system following the procedure written in the
announcement email by Ken Smith. My problem is when I try to upgrade my
jails, I get this message:

# freebsd-update -b /usr/jail/mysql/ fetch install
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 8.0-RC1 from update5.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 8.0-RC1-p0.
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.

But, if I compare the dates of the files in the base system to the files
in the jails, it's obvious that the jails are not up to date.

It seems like freebsd-update doesn't care about the basedir I specified.

Thanks a lot for your help,

Martin

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 18:24:03 2009
From: hulibyaka hulibyaka
Date: Thu, 8 Oct 2009 22:01:23 +0400
To: freebsd-jail@freebsd.org
Subject: xorg in jail

Hello maillist

I've try to setup and run X environment in the jail (FreeBSD-9 Current).
xinit with correct xorg.conf for my video card (radeon) get this message:
---
(WW) xf86EnableIO: Failed to open /dev/io for extended I/O
(EE) No devices detected.

Fatal server error:
no screens found
---
But /dev/io and /dev/mem is exist in my dev for jail (i use this rules in
/etc/devfs.rules, thanks to Alexander Leidinger ):
---
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide

[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide
add path 'unlpt*' unhide

[devfsrules_unhide_input=7]
add path 'atkbd*' unhide
add path 'kbd*' unhide
add path 'joy*' unhide
add path 'psm*' unhide
add path sysmouse unhide
add path 'ukbd*' unhide
add path 'ums*' unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path dri unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
#add path pci unhide
add path tty unhide
add path ttyv0 unhide
add path ttyv1 unhide
add path ttyv8 unhide

[devfsrules_unhide_cam=9]
add path 'da*' unhide
add path 'cd*' unhide

[devfsrules_unhide_kmem=10]
add path kmem unhide

[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
add include $devfsrules_unhide_kmem
---

But X starting successful when i make:
chroot /jail/root_of_jail xinit
from outside jail.

What the difference for restriction on /dev/io between chroot and jail?
How can i get all needed by xinit privileges on /dev/io within jail ?

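The devfs ruleset posted above unhides io, mem and kmem inside the jail, device nodes that give direct access to I/O ports, physical memory and kernel memory. The following added example (not part of the original post, and not FreeBSD code) parses devfs.rules text and reports which rulesets reachable from a jail's ruleset unhide such a node; the SENSITIVE_NODES list and the function names are assumptions of the example, and the sample is an abridged, constructed copy of the posted rules.

```python
import fnmatch
import re

# Device nodes treated as sensitive in this example (an assumption of the
# example, not a list from the post): I/O port access, raw physical memory
# and kernel memory.
SENSITIVE_NODES = ("io", "mem", "kmem")

# Constructed sample: an abridged copy of the rulesets from the post,
# laid out one rule per line as in /etc/devfs.rules.
SAMPLE_RULES = """\
[devfsrules_unhide_input=7]
add path 'kbd*' unhide
add path sysmouse unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
add path ttyv0 unhide

[devfsrules_unhide_kmem=10]
add path kmem unhide

[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_kmem
"""

HEADER_RE = re.compile(r"^\[(\w+)=(\d+)\]$")


def parse_rulesets(text):
    """Return {name: [(kind, value), ...]} for each [name=number] section."""
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = rulesets.setdefault(header.group(1), [])
            continue
        words = line.split()
        if current is None or len(words) < 3 or words[0] != "add":
            continue                           # not a rule this example handles
        if words[1] == "include":
            current.append(("include", words[2].lstrip("$")))
        elif words[1] == "path" and "unhide" in words[3:]:
            current.append(("unhide", words[2].strip("'\"")))
    return rulesets


def audit(rulesets, name, _seen=None):
    """Walk ruleset `name` and its includes; return (findings, unresolved).

    findings   -- sorted (ruleset, pattern, node) triples, one for every
                  unhide rule whose glob matches a sensitive node
    unresolved -- sorted names of included rulesets not defined in the text
                  (for example the ones shipped in /etc/defaults/devfs.rules)
    """
    seen = _seen if _seen is not None else set()
    if name in seen:                 # include cycle or repeated include
        return [], []
    seen.add(name)
    if name not in rulesets:
        return [], [name]
    findings, unresolved = [], []
    for kind, value in rulesets[name]:
        if kind == "include":
            sub_findings, sub_unresolved = audit(rulesets, value, seen)
            findings += sub_findings
            unresolved += sub_unresolved
        else:
            findings += [(name, value, node) for node in SENSITIVE_NODES
                         if fnmatch.fnmatchcase(node, value)]
    return sorted(findings), sorted(unresolved)


if __name__ == "__main__":
    found, missing = audit(parse_rulesets(SAMPLE_RULES),
                           "devfsrules_jail_desktop")
    for ruleset, pattern, node in found:
        print(f"{ruleset}: 'add path {pattern} unhide' exposes /dev/{node}")
    for name in missing:
        print(f"note: included ruleset {name} is not defined in this file")
```

Rulesets reported as not defined should be checked in the file that does define them before the result is read as complete.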
From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 18:37:42 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A69F7106568B for ; Thu, 8 Oct 2009 18:37:42 +0000 (UTC) (envelope-from ltning@anduin.net)
Received: from mail.anduin.net (mail.anduin.net [213.225.74.249]) by mx1.freebsd.org (Postfix) with ESMTP id 67DB88FC19 for ; Thu, 8 Oct 2009 18:37:42 +0000 (UTC)
Received: from [212.62.248.148] (helo=[192.168.2.172]) by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1Mvxrw-0003dx-Uj; Thu, 08 Oct 2009 20:37:41 +0200
Mime-Version: 1.0 (Apple Message framework v1076)
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
From: Eirik Øverby
In-Reply-To: <4ACE2829.6030804@optiksecurite.com>
Date: Thu, 8 Oct 2009 20:37:40 +0200
Content-Transfer-Encoding: 7bit
Message-Id: <295A1256-A620-4DD1-8B7F-22BDB216D164@anduin.net>
References: <4ACE2829.6030804@optiksecurite.com>
To: Martin Turgeon
X-Mailer: Apple Mail (2.1076)
Cc: freebsd-jail@freebsd.org
Subject: Re: Can't upgrade jails to 8.0 using freebsd-update
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 08 Oct 2009 18:37:42 -0000

On 8. okt. 2009, at 19.58, Martin Turgeon wrote:

> Hi everyone!
>
> I just upgraded a 7.2-REL to 8.0RC1 using freebsd-update. The upgrade
> went fine on the base system following the procedure written in the
> announcement email by Ken Smith. My problem is when I try to upgrade my
> jails, I get this message:
>
> # freebsd-update -b /usr/jail/mysql/ fetch install
> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
> Fetching metadata signature for 8.0-RC1 from update5.FreeBSD.org... done.
> Fetching metadata index... done.
> Inspecting system... done.
> Preparing to download files... done.
>
> No updates needed to update system to 8.0-RC1-p0.
> No updates are available to install.
> Run '/usr/sbin/freebsd-update fetch' first.
>
> But, if I compare the dates of the files in the base system to the files
> in the jails, it's obvious that the jails are not up to date.
>
> It seems like freebsd-update doesn't care about the basedir I specified.

It does, but if you do a 'uname -a' - inside or outside the jail -
you'll see that it reports the OS revision of the host. So you should
have updated your jails first, then the host ...

One way to get around it is to replace /usr/bin/uname with a shell
script, which calls the original uname (which you have renamed) and
pipes through something like sed to replace the revision with what you
used to have:

#!/bin/sh
/usr/bin/uname.org $* | sed s/"8.0-RC1-p0"/"7.2-RELEASE_p3"/g

And this is a seriously butt ugly hack.

/Eirik

> Thanks a lot for your help,
>
> Martin
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 18:54:49 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 20A48106568B for ; Thu, 8 Oct 2009 18:54:49 +0000 (UTC) (envelope-from remodeler@alentogroup.org)
Received: from courriel.marmotmail.com (courriel.marmotmail.com [85.17.36.172]) by mx1.freebsd.org (Postfix) with ESMTP id D7E638FC1A for ; Thu, 8 Oct 2009 18:54:48 +0000 (UTC)
Received: from bruce.epifora.com (localhost.local [127.0.0.1]) by courriel.marmotmail.com (Postfix) with ESMTP id 9D14B2396B9 for ; Thu, 8 Oct 2009 21:52:44 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by bruce.epifora.com (Postfix) with ESMTP id 34D9B4761F9 for ; Thu, 8 Oct 2009 14:50:42 -0400 (EDT)
Received: from bruce.epifora.com ([127.0.0.1]) by localhost (bruce.epifora.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 16632-02 for ; Thu, 8 Oct 2009 14:50:41 -0400 (EDT)
Received: from alentogroup.org (localhost [127.0.0.1]) by bruce.epifora.com (Postfix) with ESMTP id ECB674761F8 for ; Thu, 8 Oct 2009 14:50:40 -0400 (EDT)
From: "remodeler"
To: freebsd-jail@freebsd.org
Date: Thu, 8 Oct 2009 14:50:40 -0400
Message-Id: <20091008184515.M60887@alentogroup.org>
X-OriginatingIP: 127.0.0.1
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Subject: Can't upgrade jails to 8.0 using freebsd-update
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 08 Oct 2009 18:54:49 -0000

I don't think your /usr/jail/mysql/ root is really a basedir, the way
freebsd-update thinks of it. The jail only has world files, not the
kernel. There are a number of specialized jail admin tools in ports.
Also, the handbook has good information on a manual method to maintain
jails, using symlinks and nullfs mounts for security. It uses make
installworld with a target to the jail directory.
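
Added example, not part of any message in this thread: a per-invocation alternative to the uname replacement script quoted above, which leaves the host's /usr/bin/uname untouched. It assumes that FreeBSD's uname(1) honours the UNAME_r environment variable and that freebsd-update learns the running release from uname, as the reply above implies; `update_jail`, `valid_release` and the `FREEBSD_UPDATE` variable are hypothetical names, and 7.2-RELEASE is a sample value.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: FreeBSD uname(1) honours the UNAME_r environment variable, and
# freebsd-update learns the "currently running" release by calling uname.

# Updater to run; overridable so the function can be exercised with a stub.
: "${FREEBSD_UPDATE:=/usr/sbin/freebsd-update}"

# valid_release REL: accept strings such as 7.2-RELEASE, 8.0-RC1, 8.0-BETA2.
valid_release() {
    case $1 in
        ''|*[!0-9A-Z.-]*) return 1 ;;   # rejects spaces, newlines, shell metas
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+\.[0-9]+-(RELEASE|RC[0-9]+|BETA[0-9]+)$'
}

# update_jail BASEDIR USERLAND_RELEASE [freebsd-update command ...]
# Runs the updater against one jail tree while reporting the jail's own
# userland release instead of the host kernel's. The override lives only in
# the environment of this one invocation; the host's uname is left untouched.
update_jail() {
    if [ $# -lt 2 ]; then
        echo "usage: update_jail basedir release [command ...]" >&2
        return 64
    fi
    basedir=$1 rel=$2
    shift 2
    [ $# -gt 0 ] || set -- fetch install

    case $basedir in
        /*) ;;
        *) echo "update_jail: basedir must be an absolute path" >&2; return 65 ;;
    esac
    if [ ! -d "$basedir" ]; then
        echo "update_jail: $basedir is not a directory" >&2
        return 66
    fi
    # Resolve symlinks and "//" or "/." so the host root cannot slip through.
    if [ "$(cd "$basedir" && pwd -P)" = / ]; then
        echo "update_jail: refusing to treat the host root as a jail" >&2
        return 65
    fi
    if ! valid_release "$rel"; then
        echo "update_jail: unexpected release string: $rel" >&2
        return 65
    fi

    env UNAME_r="$rel" "$FREEBSD_UPDATE" -b "$basedir" "$@"
}

# Typical call for the jail from the thread (release value is an example):
#   update_jail /usr/jail/mysql 7.2-RELEASE
```
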
From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 19:04:55 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F369A1065670 for ; Thu, 8 Oct 2009 19:04:55 +0000 (UTC) (envelope-from freebsd@optiksecurite.com)
Received: from relais.videotron.ca (relais.videotron.ca [24.201.245.36]) by mx1.freebsd.org (Postfix) with ESMTP id B18008FC12 for ; Thu, 8 Oct 2009 19:04:55 +0000 (UTC)
MIME-version: 1.0
Content-transfer-encoding: 8BIT
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Received: from [69.69.69.193] ([24.201.201.211]) by VL-MO-MR004.ip.videotron.ca (Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)) with ESMTP id <0KR7006GEMC6LD30@VL-MO-MR004.ip.videotron.ca> for freebsd-jail@freebsd.org; Thu, 08 Oct 2009 15:04:54 -0400 (EDT)
Message-id: <4ACE37D6.9040908@optiksecurite.com>
Date: Thu, 08 Oct 2009 15:04:54 -0400
From: Martin Turgeon
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
To: Eirik Øverby
References: <4ACE2829.6030804@optiksecurite.com> <295A1256-A620-4DD1-8B7F-22BDB216D164@anduin.net>
In-reply-to: <295A1256-A620-4DD1-8B7F-22BDB216D164@anduin.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: Can't upgrade jails to 8.0 using freebsd-update
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 08 Oct 2009 19:04:56 -0000

Eirik Øverby wrote:
> On 8. okt. 2009, at 19.58, Martin Turgeon wrote:
>
>> Hi everyone!
>>
>> I just upgraded a 7.2-REL to 8.0RC1 using freebsd-update. The upgrade
>> went fine on the base system following the procedure written in the
>> announcement email by Ken Smith. My problem is when I try to upgrade my
>> jails, I get this message:
>>
>> # freebsd-update -b /usr/jail/mysql/ fetch install
>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>> Fetching metadata signature for 8.0-RC1 from update5.FreeBSD.org... done.
>> Fetching metadata index... done.
>> Inspecting system... done.
>> Preparing to download files... done.
>>
>> No updates needed to update system to 8.0-RC1-p0.
>> No updates are available to install.
>> Run '/usr/sbin/freebsd-update fetch' first.
>>
>> But, if I compare the dates of the files in the base system to the files
>> in the jails, it's obvious that the jails are not up to date.
>>
>> It seems like freebsd-update doesn't care about the basedir I specified.
>
> It does, but if you do a 'uname -a' - inside or outside the jail -
> you'll see that it reports the OS revision of the host. So you should
> have updated your jails first, then the host ...
>
Ok but if I update in the process of upgrading the first jail, the new
kernel will be installed and asked to reboot. After that, I will have
the same problem when upgrading the other jails and the base system,
right? There must be something I don't understand well. Thanks a lot
for your answer.

Martin
> One way to get around it is to replace /usr/bin/uname with a shell
> script, which calls the original uname (which you have renamed) and
> pipes through something like sed to replace the revision with what you
> used to have:
>
> #!/bin/sh
> /usr/bin/uname.org $* | sed s/"8.0-RC1-p0"/"7.2-RELEASE_p3"/g
>
> And this is a seriously butt ugly hack.
>
> /Eirik
>
>> Thanks a lot for your help,
>>
>> Martin
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 8 19:06:22 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9F15E1065672 for ; Thu, 8 Oct 2009 19:06:22 +0000 (UTC) (envelope-from ltning@anduin.net)
Received: from mail.anduin.net (mail.anduin.net [213.225.74.249]) by mx1.freebsd.org (Postfix) with ESMTP id 5EFD38FC0C for ; Thu, 8 Oct 2009 19:06:22 +0000 (UTC)
Received: from [212.62.248.148] (helo=[192.168.2.172]) by mail.anduin.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MvyJh-00064K-4o; Thu, 08 Oct 2009 21:06:21 +0200
Mime-Version: 1.0 (Apple Message framework v1076)
Content-Type: text/plain; charset=iso-8859-1; format=flowed; delsp=yes
From: Eirik Øverby
In-Reply-To: <4ACE37D6.9040908@optiksecurite.com>
Date: Thu, 8 Oct 2009 21:06:20 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id:
References: <4ACE2829.6030804@optiksecurite.com> <295A1256-A620-4DD1-8B7F-22BDB216D164@anduin.net> <4ACE37D6.9040908@optiksecurite.com>
To: Martin Turgeon
X-Mailer: Apple Mail (2.1076)
Cc: freebsd-jail@freebsd.org
Subject: Re: Can't upgrade jails to 8.0 using freebsd-update
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 08 Oct 2009 19:06:22 -0000

On 8. okt. 2009, at 21.04, Martin Turgeon wrote:

> Eirik Øverby wrote:
>> On 8. okt. 2009, at 19.58, Martin Turgeon wrote:
>>
>>> Hi everyone!
>>>
>>> I just upgraded a 7.2-REL to 8.0RC1 using freebsd-update. The upgrade
>>> went fine on the base system following the procedure written in the
>>> announcement email by Ken Smith. My problem is when I try to upgrade my
>>> jails, I get this message:
>>>
>>> # freebsd-update -b /usr/jail/mysql/ fetch install
>>> Looking up update.FreeBSD.org mirrors... 3 mirrors found.
>>> Fetching metadata signature for 8.0-RC1 from update5.FreeBSD.org... done.
>>> Fetching metadata index... done.
>>> Inspecting system... done.
>>> Preparing to download files... done.
>>>
>>> No updates needed to update system to 8.0-RC1-p0.
>>> No updates are available to install.
>>> Run '/usr/sbin/freebsd-update fetch' first.
>>>
>>> But, if I compare the dates of the files in the base system to the files
>>> in the jails, it's obvious that the jails are not up to date.
>>>
>>> It seems like freebsd-update doesn't care about the basedir I specified.
>>
>> It does, but if you do a 'uname -a' - inside or outside the jail -
>> you'll see that it reports the OS revision of the host. So you
>> should have updated your jails first, then the host ...
>>
> Ok but if I update in the process of upgrading the first jail, the
> new kernel will be installed and asked to reboot. After that, I will
> have the same problem when upgrading the other jails and the base
> system, right? There must be something I don't understand well.
> Thanks a lot for your answer.

The kernel will be installed inside the jail, and the message about
rebooting can be safely ignored. Just run the install command once
more, and you're done and can move on to the next jail. :)

/Eirik

> Martin
>> One way to get around it is to replace /usr/bin/uname with a shell
>> script, which calls the original uname (which you have renamed) and
>> pipes through something like sed to replace the revision with what
>> you used to have:
>>
>> #!/bin/sh
>> /usr/bin/uname.org $* | sed s/"8.0-RC1-p0"/"7.2-RELEASE_p3"/g
>>
>> And this is a seriously butt ugly hack.
>>
>> /Eirik
>>
>>> Thanks a lot for your help,
>>>
>>> Martin
>>>
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>
>>
>
>
>

From owner-freebsd-jail@FreeBSD.ORG Fri Oct 9 08:45:37 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4D75E1065672 for ; Fri, 9 Oct 2009 08:45:37 +0000 (UTC) (envelope-from alexander@leidinger.net)
Received: from mail.ebusiness-leidinger.de (mail.ebusiness-leidinger.de [217.11.53.44]) by mx1.freebsd.org (Postfix) with ESMTP id E99958FC25 for ; Fri, 9 Oct 2009 08:45:36 +0000 (UTC)
Received: from outgoing.leidinger.net (pD9E2D366.dip.t-dialin.net [217.226.211.102]) by mail.ebusiness-leidinger.de (Postfix) with ESMTPSA id B4AC8844021; Fri, 9 Oct 2009 10:45:30 +0200 (CEST)
Received: from webmail.leidinger.net (webmail.leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id 8114C89F49; Fri, 9 Oct 2009 10:45:27 +0200 (CEST)
Received: (from www@localhost) by webmail.leidinger.net (8.14.3/8.13.8/Submit) id n998jRo8048353; Fri, 9 Oct 2009 10:45:27 +0200 (CEST) (envelope-from Alexander@Leidinger.net)
Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde Framework) with HTTP; Fri, 09 Oct 2009 10:45:26 +0200
Message-ID: <20091009104526.12875uad5sybsao0@webmail.leidinger.net>
X-Priority: 3 (Normal)
Date: Fri, 09 Oct 2009 10:45:26 +0200
From: Alexander Leidinger
To: hulibyaka hulibyaka
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5) / FreeBSD-8.0
X-EBL-MailScanner-Information: Please contact the ISP for more information
X-EBL-MailScanner-ID: B4AC8844021.8C487
X-EBL-MailScanner: Found to be clean
X-EBL-MailScanner-SpamCheck: not spam, spamhaus-ZEN, SpamAssassin (not cached, score=-1.44, required 6, autolearn=disabled, ALL_TRUSTED -1.44, DKIM_SIGNED 0.00, DKIM_VERIFIED -0.00)
X-EBL-MailScanner-From: alexander@leidinger.net
X-EBL-MailScanner-Watermark: 1255682731.2381@/5ASa5A7bD4l1zCae9XCaA
X-EBL-Spam-Status: No
Cc: freebsd-jail@freebsd.org
Subject: Re: xorg in jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Oct 2009 08:45:37 -0000

Quoting hulibyaka hulibyaka (from Thu, 8 Oct 2009 22:01:23 +0400):

> What is the difference for restriction on /dev/io between chroot and
> jail? How can I get all needed by xinit privileges on /dev/io within
> jail?

There are additional access restrictions in the kernel when run in a
jail. You need
http://www.leidinger.net/FreeBSD/current-patches/jail.diff
and you need to rebuild the kernel and the world.

After that you need to add
jail_JAILID_startparams="allow.dev_io_access" for your jail startup.

Bye,
Alexander.

--
Pie are not square. Pie are round. Cornbread are square.

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137

From owner-freebsd-jail@FreeBSD.ORG Fri Oct 9 19:44:34 2009
Return-Path:
Delivered-To: freebsd-jail@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E1D901065695; Fri, 9 Oct 2009 19:44:34 +0000 (UTC) (envelope-from linimon@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id B9B948FC13; Fri, 9 Oct 2009 19:44:34 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n99JiY60032486; Fri, 9 Oct 2009 19:44:34 GMT (envelope-from linimon@freefall.freebsd.org)
Received: (from linimon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n99JiYSC032482; Fri, 9 Oct 2009 19:44:34 GMT (envelope-from linimon)
Date: Fri, 9 Oct 2009 19:44:34 GMT
Message-Id: <200910091944.n99JiYSC032482@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
From: linimon@FreeBSD.org
Cc:
Subject: Re: kern/139454: [jail] traceroute does not work inside jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Oct 2009 19:44:35 -0000

Old Synopsis: traceroute does not work inside jail
New Synopsis: [jail] traceroute does not work inside jail

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Oct 9 19:44:09 UTC 2009
Responsible-Changed-Why:
reassign.

http://www.freebsd.org/cgi/query-pr.cgi?pr=139454

From owner-freebsd-jail@FreeBSD.ORG Fri Oct 9 21:00:14 2009
Return-Path:
Delivered-To: freebsd-jail@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B4D68106566B for ; Fri, 9 Oct 2009 21:00:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 7E72D8FC12 for ; Fri, 9 Oct 2009 21:00:14 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n99L0EDO092475 for ; Fri, 9 Oct 2009 21:00:14 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n99L0EIf092474; Fri, 9 Oct 2009 21:00:14 GMT (envelope-from gnats)
Date: Fri, 9 Oct 2009 21:00:14 GMT
Message-Id: <200910092100.n99L0EIf092474@freefall.freebsd.org>
To: freebsd-jail@FreeBSD.org
From: Frank Steinborn
Cc:
Subject: Re: misc/139454: traceroute does not work inside jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Frank Steinborn
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Oct 2009 21:00:14 -0000

The following reply was made to PR kern/139454; it has been noted by GNATS.

From: Frank Steinborn
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:
Subject: Re: misc/139454: traceroute does not work inside jail
Date: Fri, 9 Oct 2009 22:28:09 +0200

BTW, it works when enumerating the source address with -s.

A friend told me that he's seeing the same issue on 7.1 - 6.4 will be
tested later tonight and I will follow up with the results (I'm pretty
sure it worked there, though).

From owner-freebsd-jail@FreeBSD.ORG Fri Oct 9 21:10:15 2009
Return-Path:
Delivered-To: freebsd-jail@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1736F1065692 for ; Fri, 9 Oct 2009 21:10:15 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id B63778FC38 for ; Fri, 9 Oct 2009 21:10:14 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n99LA58n000631 for ; Fri, 9 Oct 2009 21:10:05 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n99LA5G6000630; Fri, 9 Oct 2009 21:10:05 GMT (envelope-from gnats)
Date: Fri, 9 Oct 2009 21:10:05 GMT
Message-Id: <200910092110.n99LA5G6000630@freefall.freebsd.org>
To: freebsd-jail@FreeBSD.org
From: Frank Steinborn
Cc:
Subject: Re: misc/139454: traceroute does not work inside jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Frank Steinborn
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Oct 2009 21:10:15 -0000

The following reply was made to PR kern/139454; it has been noted by GNATS.

From: Frank Steinborn
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: misc/139454: traceroute does not work inside jail
Date: Fri, 9 Oct 2009 22:34:53 +0200

BTW, it works when enumerating the source address with -s.

A friend told me that he's seeing the same issue on 7.1 - 6.4 will be
tested later tonight and I will follow up with the results (I'm pretty
sure it worked there, though).

From owner-freebsd-jail@FreeBSD.ORG Fri Oct 9 22:30:08 2009
Return-Path:
Delivered-To: freebsd-jail@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AF1511065692 for ; Fri, 9 Oct 2009 22:30:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 848718FC18 for ; Fri, 9 Oct 2009 22:30:08 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n99MU7b4069246 for ; Fri, 9 Oct 2009 22:30:07 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n99MU7X7069243; Fri, 9 Oct 2009 22:30:07 GMT (envelope-from gnats)
Date: Fri, 9 Oct 2009 22:30:07 GMT
Message-Id: <200910092230.n99MU7X7069243@freefall.freebsd.org>
To: freebsd-jail@FreeBSD.org
From: Miroslav Lachman <000.fbsd@quip.cz>
Cc:
Subject: Re: kern/139454: [jail] traceroute does not work inside jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Miroslav Lachman <000.fbsd@quip.cz>
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 09 Oct 2009 22:30:08 -0000

The following reply was made to PR kern/139454; it has been noted by GNATS.

From: Miroslav Lachman <000.fbsd@quip.cz>
To: bug-followup@FreeBSD.org, steinex@nognu.de
Cc:
Subject: Re: kern/139454: [jail] traceroute does not work inside jail
Date: Sat, 10 Oct 2009 00:20:36 +0200

I can confirm that traceroute inside jail on 6.3 works, on 7.2 works
only with traceroute -s

Both machines have security.jail.allow_raw_sockets: 1

From owner-freebsd-jail@FreeBSD.ORG Sat Oct 10 08:44:29 2009
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3CB04106566B for ; Sat, 10 Oct 2009 08:44:29 +0000 (UTC) (envelope-from kerbzo@gmail.com)
Received: from mail-bw0-f223.google.com (mail-bw0-f223.google.com [209.85.218.223]) by mx1.freebsd.org (Postfix) with ESMTP id B680A8FC15 for ; Sat, 10 Oct 2009 08:44:28 +0000 (UTC)
Received: by bwz23 with SMTP id 23so1080555bwz.43 for ; Sat, 10 Oct 2009 01:44:27 -0700 (PDT)
Received: by 10.103.87.27 with SMTP id p27mr1464859mul.125.1255162485157; Sat, 10 Oct 2009 01:14:45 -0700 (PDT)
Received: from ?192.168.2.59? ([95.238.203.243]) by mx.google.com with ESMTPS id s10sm1501477mue.22.2009.10.10.01.14.43 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 10 Oct 2009 01:14:44 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1076)
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
From: Kevin Smith
X-Priority: 3 (Normal)
In-Reply-To: <20091009104526.12875uad5sybsao0@webmail.leidinger.net>
Date: Sat, 10 Oct 2009 10:14:26 +0200
Content-Transfer-Encoding: 7bit
Message-Id: <40670A70-FF15-4B7C-A7CB-5DE04E8EB358@gmail.com>
References: <20091009104526.12875uad5sybsao0@webmail.leidinger.net>
To: Alexander Leidinger
X-Mailer: Apple Mail (2.1076)
Cc: freebsd-jail@freebsd.org
Subject: Re: xorg in jail
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 10 Oct 2009 08:44:29 -0000

Does this patch fix vnc server start error also?
When I try to run tightvncserver in a jail it says:

A VNC server is already running as :0

even if there is no vnc server running.

Thank you, regards

On Oct 9, 2009, at 10:45 AM, Alexander Leidinger wrote:

> Quoting hulibyaka hulibyaka (from Thu, 8 Oct 2009 22:01:23 +0400):
>
>> What is the difference for restriction on /dev/io between chroot and
>> jail? How can I get all needed by xinit privileges on /dev/io within
>> jail?
>
> There are additional access restrictions in the kernel when run in a
> jail. You need
> http://www.leidinger.net/FreeBSD/current-patches/jail.diff
> and you need to rebuild the kernel and the world.
>
> After that you need to add
> jail_JAILID_startparams="allow.dev_io_access" for your jail startup.
>
> Bye,
> Alexander.
>
> --
> Pie are not square. Pie are round. Cornbread are square.
>
> http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
> http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

--
Kevin