From owner-freebsd-jail@FreeBSD.ORG Sun Aug 10 00:53:18 2014
From: Warren Block
To: freebsd-jail@FreeBSD.org
Date: Sat, 9 Aug 2014 18:53:09 -0600 (MDT)
Subject: How early can jails be started?

Is it technically possible to start a jail much earlier in the boot order?

The reason is that a jailed DNS server could be used by the host if it was started before any of the host's network services needed DNS. After /etc/rc.d/netwait, say.

There may be other jailed services that would also benefit from an early start, but DNS is something of a special case and the only one that comes to mind.

From owner-freebsd-jail@FreeBSD.ORG Sun Aug 10 04:34:58 2014
Date: Sat, 09 Aug 2014 22:34:44 -0600
From: James Gritton
To: freebsd-jail@FreeBSD.org
Subject: Re: How early can jails be started?

On 8/9/2014 6:53 PM, Warren Block wrote:
> Is it technically possible to start a jail much earlier in the boot
> order?
>
> The reason is that a jailed DNS server could be used by the host if it
> was started before any of the host's network services needed DNS.
> After /etc/rc.d/netwait, say.
>
> There may be other jailed services that would also benefit from an
> early start, but DNS is something of a special case and the only one
> that comes to mind.

Sure - jails can go quite early. Technically, very near the beginning.

You'll want local filesystems, assuming you want your jail chrooted somewhere (you do for normal-use jails, but it's not as obviously true for single-purpose jails). In the same situation, you'd want to depend on devfs so you can mount a devfs with the proper ruleset.

If you want to add IP address aliases, you'll need networking set up, but if you just want to restrict to already existing addresses or run in an unrestricted IP setup, you don't even need that. Except ...

Other than that, the only restriction is what you want to do with the jail. So for the DNS server example, it's whatever an unjailed DNS server would require. So yeah, something like netwait.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Aug 12 06:44:02 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Date: Tue, 12 Aug 2014 06:44:02 +0000
Subject: [Bug 181650] [jail] [patch] /etc/rc.d/jail fails if a kernel built without INET6

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=181650

Alexey Markov changed:

           What    |Removed        |Added
----------------------------------------------------------------------------
             Status|In Discussion  |Issue Resolved
         Resolution|---            |FIXED

--- Comment #2 from Alexey Markov ---
This bug was fixed in the 8.4-RELEASE-p14 [EN-14:09] and can be closed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 01:08:14 2014
Date: Wed, 13 Aug 2014 19:08:12 -0600 (MDT)
From: Warren Block
To: James Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: How early can jails be started?

On Sat, 9 Aug 2014, James Gritton wrote:

> On 8/9/2014 6:53 PM, Warren Block wrote:
>> Is it technically possible to start a jail much earlier in the boot order?
>>
>> The reason is that a jailed DNS server could be used by the host if it was
>> started before any of the host's network services needed DNS. After
>> /etc/rc.d/netwait, say.
>>
>> There may be other jailed services that would also benefit from an early
>> start, but DNS is something of a special case and the only one that comes
>> to mind.
>
> Sure - jails can go quite early. Technically, very near the beginning.
>
> You'll want local filesystems, assuming you want your jail chrooted somewhere
> (you do for normal-use jails, but it's not as obviously true for
> single-purpose jails). In the same situation, you'd want to depend on devfs
> so you can mount a devfs with the proper ruleset.
>
> If you want to add IP address aliases, you'll need networking set up, but if
> you just want to restrict to already existing addresses or run in an
> unrestricted IP setup, you don't even need that. Except ...
>
> Other than that, the only restriction is what you want to do with the jail.
> So for the DNS server example, it's whatever an unjailed DNS server would
> require. So yeah, something like netwait.
(Sorry for multiposting--I put this on the ezjail list also. But it's generally applicable to ordinary jails too.)

It works... mostly. This file is /etc/rc.d/earlyjail:

    #!/bin/sh
    # PROVIDE: earlyjail
    # REQUIRE: netwait
    # KEYWORD:
    # BEFORE: mountcritremote
    /usr/local/etc/rc.d/ezjail start dns1

That was a quick hack, not expected to work, but it did. However...

/usr/local/etc/rc.d/ezjail

When /etc/rc.d/jail runs much later in the startup, it tries to start that jail again, and gets an error because of it. Seeing the error, it deletes /var/run/jail_dns1.id. ezjail uses those jail_*.id files to detect which jails are running, and is sure that dns1 is not running. jls does show things correctly. I'm not sure if there is a workaround short of modifying /etc/rc.d/jail.

The second problem might be simpler to solve. With sendmail_enable="NO" in the dns1 jail (so it can send status email), sendmail on the host is blocked:

    sm-mta[679]: daemon Daemon0: problem creating SMTP socket
    sm-mta[679]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0: cannot bind: Can't assign requested address

If the host sendmail is killed and restarted, it works. And of course it also works when sendmail is started on the host first and the jails use sendmail_enable="NO". I'm not really sure what's going on there.
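An added example, not code from the thread or from FreeBSD: a small rcorder(8)-style resolver in POSIX sh and awk. It reads the PROVIDE/REQUIRE/BEFORE keywords from a set of constructed rc.d stubs and prints the start order they imply, so the position Warren's earlyjail script asks for (REQUIRE: netwait, BEFORE: mountcritremote) can be checked against the rest of the boot sequence without rebooting. The stub dependencies are a simplified sketch, not copies of the stock scripts; in particular the stub devfs REQUIREs mountcritremote, which is how I remember the stock /etc/rc.d/devfs (an assumption, check it with grep on a real system). The second run shows the caveat behind James's advice to depend on devfs: with that stub, a script cannot both REQUIRE devfs and run BEFORE mountcritremote, because the two constraints form a cycle.

```shell
#!/bin/sh
# Added example: a toy rcorder(8)-style dependency resolver.
# The rc.d stubs built below are constructed for this demo and are NOT copies
# of the stock FreeBSD scripts; their dependencies are a simplified sketch.

# write_stub DIR NAME PROVIDE [REQUIRE] [BEFORE]: write one rc.d-style stub.
write_stub() {
    {
        printf '#!/bin/sh\n# PROVIDE: %s\n' "$3"
        if [ -n "${4:-}" ]; then printf '# REQUIRE: %s\n' "$4"; fi
        if [ -n "${5:-}" ]; then printf '# BEFORE: %s\n' "$5"; fi
    } > "$1/$2"
}

# make_sample_rcdir: build the constructed rc.d tree and print its path.
# Assumption: devfs requiring mountcritremote mirrors the stock script as I
# remember it. earlyjail carries the keywords from Warren's post.
make_sample_rcdir() {
    dir=$(mktemp -d) || return 1
    write_stub "$dir" root            root
    write_stub "$dir" mountcritlocal  mountcritlocal  root
    write_stub "$dir" FILESYSTEMS     FILESYSTEMS     "root mountcritlocal"
    write_stub "$dir" netif           netif           FILESYSTEMS
    write_stub "$dir" routing         routing         netif
    write_stub "$dir" netwait         netwait         routing         NETWORKING
    write_stub "$dir" NETWORKING      NETWORKING      "netif routing"
    write_stub "$dir" mountcritremote mountcritremote "NETWORKING FILESYSTEMS netwait"
    write_stub "$dir" devfs           devfs           mountcritremote SERVERS
    write_stub "$dir" SERVERS         SERVERS         mountcritremote
    write_stub "$dir" LOGIN           LOGIN           SERVERS
    write_stub "$dir" jail            jail            LOGIN
    write_stub "$dir" earlyjail       earlyjail       netwait         mountcritremote
    printf '%s\n' "$dir"
}

# rc_order DIR: print the scripts in DIR in start order, one per line.
#   REQUIRE: x  -> the provider of keyword x must start before this script
#   BEFORE:  y  -> this script must start before the provider of keyword y
# Kahn's algorithm; ties are broken alphabetically so the output is stable.
# Keywords nobody PROVIDEs are ignored. On a cycle it prints a diagnostic
# and returns 1.
rc_order() {
    awk '
    FNR == 1 { name = FILENAME; sub(".*/", "", name); names[name] = 1 }
    /^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[$i] = name }
    /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[name, $i] = 1 }
    /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[name, $i] = 1 }
    END {
        # dep[s, t] = 1 means script t must start before script s
        for (k in req) { split(k, p, SUBSEP); if (p[2] in prov) dep[p[1], prov[p[2]]] = 1 }
        for (k in bef) { split(k, p, SUBSEP); if (p[2] in prov) dep[prov[p[2]], p[1]] = 1 }
        for (k in dep) { split(k, p, SUBSEP); indeg[p[1]]++ }
        total = 0; for (s in names) total++
        for (done = 0; done < total; done++) {
            pick = ""
            for (s in names) if (!(s in out) && indeg[s] + 0 == 0 && (pick == "" || s < pick)) pick = s
            if (pick == "") { print "cycle: remaining scripts cannot be ordered"; exit 1 }
            print pick; out[pick] = 1
            for (k in dep) { split(k, p, SUBSEP); if (p[2] == pick) indeg[p[1]]-- }
        }
    }' "$1"/*
}

# rank ORDER NAME: 1-based position of NAME in the newline-separated ORDER.
rank() { printf '%s\n' "$1" | awk -v n="$2" '$0 == n { print NR; exit }'; }

demo() {
    d=$(make_sample_rcdir) || return 1
    echo "== earlyjail: REQUIRE netwait, BEFORE mountcritremote (as posted) =="
    rc_order "$d"
    echo "== earlyjail: REQUIRE netwait devfs, BEFORE mountcritremote =="
    write_stub "$d" earlyjail earlyjail "netwait devfs" mountcritremote
    rc_order "$d" || echo "(devfs follows mountcritremote here, so both constraints cannot hold)"
    rm -rf "$d"
}
demo
```

With the stubs as constructed, earlyjail lands right after NETWORKING and before mountcritremote, devfs, SERVERS and jail; that is, before the stub devfs script has run. On a FreeBSD host the authoritative check is the real tool: `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` prints the actual order and warns about circular dependencies it cannot resolve.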
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 01:21:04 2014
Date: Wed, 13 Aug 2014 21:21:33 -0400
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: How early can jails be started?

On 2014-08-13 21:08, Warren Block wrote:
> On Sat, 9 Aug 2014, James Gritton wrote:
>
>> On 8/9/2014 6:53 PM, Warren Block wrote:
>>> Is it technically possible to start a jail much earlier in the boot
>>> order?
>>>
>>> The reason is that a jailed DNS server could be used by the host if
>>> it was started before any of the host's network services needed DNS.
>>> After /etc/rc.d/netwait, say.
>>>
>>> There may be other jailed services that would also benefit from an
>>> early start, but DNS is something of a special case and the only one
>>> that comes to mind.
>>
>> Sure - jails can go quite early. Technically, very near the beginning.
>>
>> You'll want local filesystems, assuming you want your jail chrooted
>> somewhere (you do for normal-use jails, but it's not as obviously true
>> for single-purpose jails). In the same situation, you'd want to
>> depend on devfs so you can mount a devfs with the proper ruleset.
>>
>> If you want to add IP address aliases, you'll need networking set up,
>> but if you just want to restrict to already existing addresses or run
>> in an unrestricted IP setup, you don't even need that. Except ...
>>
>> Other than that, the only restriction is what you want to do with the
>> jail. So for the DNS server example, it's whatever an unjailed DNS
>> server would require. So yeah, something like netwait.
>
> (Sorry for multiposting--I put this on the ezjail list also. But it's
> generally applicable to ordinary jails too.)
>
> It works... mostly. This file is /etc/rc.d/earlyjail:
>
> #!/bin/sh
> # PROVIDE: earlyjail
> # REQUIRE: netwait
> # KEYWORD:
> # BEFORE: mountcritremote
> /usr/local/etc/rc.d/ezjail start dns1
>
> That was a quick hack, not expected to work, but it did. However...
>
> /usr/local/etc/rc.d/ezjail
>
> When /etc/rc.d/jail runs much later in the startup, it tries to start
> that jail again, and gets an error because of it. Seeing the error, it
> deletes /var/run/jail_dns1.id. ezjail uses those jail_*.id files to
> detect which jails are running, and is sure that dns1 is not running.
> jls does show things correctly. I'm not sure if there is a workaround
> short of modifying /etc/rc.d/jail.
>
> The second problem might be simpler to solve. With sendmail_enable="NO"
> in the dns1 jail (so it can send status email), sendmail on the host is
> blocked:
>
> sm-mta[679]: daemon Daemon0: problem creating SMTP socket
> sm-mta[679]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0:
> cannot bind: Can't assign requested address
>
> If the host sendmail is killed and restarted, it works. And of course
> it also works when sendmail is started on the host first and the jails
> use sendmail_enable="NO". I'm not really sure what's going on there.

Sendmail still starts with sendmail_enable="NO". Try sendmail_enable="NONE".

-- 
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 02:40:04 2014
Date: Wed, 13 Aug 2014 20:40:01 -0600 (MDT)
From: Warren Block
To: Allan Jude
Cc: freebsd-jail@freebsd.org
Subject: Re: How early can jails be started?

On Wed, 13 Aug 2014, Allan Jude wrote:

>> The second problem might be simpler to solve. With sendmail_enable="NO"
>> in the dns1 jail (so it can send status email), sendmail on the host is
>> blocked:
>>
>> sm-mta[679]: daemon Daemon0: problem creating SMTP socket
>> sm-mta[679]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0:
>> cannot bind: Can't assign requested address
>>
>> If the host sendmail is killed and restarted, it works. And of course
>> it also works when sendmail is started on the host first and the jails
>> use sendmail_enable="NO". I'm not really sure what's going on there.
>
> Sendmail still starts with sendmail_enable="NO"
> try sendmail_enable="NONE"

Yes, but that misses the point. The desired configuration:

    host:  sendmail_enable="YES"
    jails: sendmail_enable="NO"

That works fine when jails are started normally, and allows the jails to send daily status email. Without changing the configuration, starting a jail early prevents sendmail from starting normally on the host.

It's not so much requiring the status emails as trying to figure out what is different when the jail starts early.
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 06:53:57 2014
From: Marc Fournier
To: freebsd-jail@freebsd.org
Date: Wed, 13 Aug 2014 23:48:28 -0700
Subject: FreeBSD 10 + unbound + jail == nothing resolves

Before I give up and just install bind (which I'd really like to avoid doing, but it did work out of the box) ... has anyone gotten this to run?

I've searched Google, and can find next to nothing ... but I have to be missing something obvious, else I would expect to find loads ... or nobody is actually doing this ...

I tried the simple:

    add local_unbound_enable="YES" to rc.conf
    start up the service

It modifies my /etc/resolv.conf, starts up, but when I try to 'drill' a domain, I get nothing back ... checked /var/log/messages, only thing I see is what appears to be the start up:

    Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 0: validator
    Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 1: iterator

I've even tried running from the command line with '-d -vv', and all I get is:

    /var/unbound # /usr/sbin/unbound -c/var/unbound/unbound.conf -d -vv
    [1407997717] unbound[45554:0] notice: Start of unbound 1.4.20.
    [1407997717] unbound[45554:0] debug: switching log to syslog

I have it running on the host server, and it responded perfectly well ... I've tried changing the 'nameserver' setting in /etc/resolv.conf to be the IP of the jail, vs localhost ... as well as setting 'interfaces' in /var/unbound/unbound.conf ... no difference ...

Help?
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 10:31:33 2014
Date: Thu, 14 Aug 2014 03:31:00 -0700 (PDT)
From: Beeblebrox
To: freebsd-jail@freebsd.org
Subject: Allow jail to see source IP of incoming traffic

I have placed mldonkey's mlnet inside a jail. The problem now is that the allowed_ips control feature of mlnet has effectively become disabled since all traffic to mlnet appears to flow from the jail's IP.

mlnet's allowed_ips feature permits control of "who has permission to access mlnet through gui/web-server, etc."

What setting could I relax for the jail so that mlnet is able to see the source IP of incoming requests? I would assume that jailed web servers are able to see client IPs in order to do geo-filtering?

Regards.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 15:17:21 2014
Subject: Re: FreeBSD 10 + unbound + jail == nothing resolves
From: Ruben van Staveren
To: Marc Fournier
Cc: freebsd-jail@freebsd.org
Date: Thu, 14 Aug 2014 17:17:12 +0200

Marc, can you try to disable DNSSEC?

http://www.unbound.net/documentation/howto_turnoff_dnssec.html

(and add val-log-level: 2)

It might be that your upstream nameserver botches the DNSSEC reply. To keep DNSSEC, uncomment inclusion of the generated forwarder configuration and have unbound query the root nameservers itself.

Cheers,
Ruben

On 14 Aug 2014, at 8:48, Marc Fournier wrote:

> Before I give up and just install bind (which I'd really like to avoid doing, but it did work out of the box) ... has anyone gotten this to run?
>
> I've searched Google, and can find next to nothing ... but I have to be missing something obvious, else I would expect to find loads ... or nobody is actually doing this ...
>
> I tried the simple:
>
> add local_unbound_enable="YES" to rc.conf
> start up the service
>
> it modifies my /etc/resolv.conf, starts up, but when I try to 'drill' a domain, I get nothing back ... checked /var/log/messages, only thing I see is what appears to be the start up:
>
> Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 0: validator
> Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 1: iterator
>
> I've even tried running from the command line with '-d -vv', and all I get is:
>
> /var/unbound # /usr/sbin/unbound -c/var/unbound/unbound.conf -d -vv
> [1407997717] unbound[45554:0] notice: Start of unbound 1.4.20.
> [1407997717] unbound[45554:0] debug: switching log to syslog
>
> I have it running on the host server, and it responded perfectly well ... I've tried changing the 'nameserver' setting in /etc/resolv.conf to be the IP of the jail, vs localhost ... as well as setting 'interfaces' in /var/unbound/unbound.conf ... no difference ...
>
> Help?

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 16:25:04 2014
Date: Thu, 14 Aug 2014 12:25:45 -0400
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: Allow jail to see source IP of incoming traffic

On 2014-08-14 06:31, Beeblebrox wrote:
> I have placed mldonkey's mlnet inside a jail. The problem now is that the
> allowed_ips control feature of mlnet has effectively become disabled since
> all traffic to mlnet appears to flow from jail's IP.
>
> mlnet's allowed_ips feature permits control of "who has permission to access
> mlnet through gui/web-server, etc."
>
> What setting could I relax for the jail so that mlnet is able to see the
> source IP of incoming requests? I would assume that jailed web servers are
> able to see client IP's in order to do geo-filtering?
>
> Regards.
>
> -----
> FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
Jails do see the real source IP address. Connections to localhost (127.0.0.1) from inside the jail are rerouted to the jail's primary IP, since the jail does not have access to the loopback adapter. This can cause local connections to appear to be coming from the jail's IP rather than loopback, but other than that, everyone should show the original source IP address.

What address are you seeing the connections as coming from? Where are they actually coming from?

--
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 16:35:14 2014
Date: Thu, 14 Aug 2014 10:35:12 -0600 (MDT)
From: Warren Block
To: Allan Jude
Cc: freebsd-jail@freebsd.org
Subject: Re: How early can jails be started?
References: <53E6F664.10702@freebsd.org> <53EC0F1D.70802@freebsd.org>

On Wed, 13 Aug 2014, Warren Block wrote:
> On Wed, 13 Aug 2014, Allan Jude wrote:
>
>>> sm-mta[679]: daemon Daemon0: problem creating SMTP socket
>>> sm-mta[679]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon Daemon0:
>>> cannot bind: Can't assign requested address

This was due to an incorrect loopback address, leftover from a bug discovery. With a valid loopback, it works.
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 16:52:20 2014
Subject: Re: FreeBSD 10 + unbound + jail == nothing resolves
From: Marc Fournier
To: Ruben van Staveren
Cc: freebsd-jail@freebsd.org
Date: Thu, 14 Aug 2014 09:52:28 -0700
In-Reply-To: <78D774FA-EE8E-4A67-A600-504E5B47BB12@verweg.com>

Damn, missed the /var/log/debug.log file ... had been monitoring /var/log/messages ... in /var/log/debug.log, I get:

Aug 14 17:45:36 97381 unbound: [98857:0] debug: refused query from ip4 200.46.208.99 port 61092 (len 16)
Aug 14 17:45:36 97381 unbound: [98857:0] debug: refuse[53:0] 124D0100000100000000000102363602373202333802353007696E2D61646472046172706100000C0001000029FFFF000000000000

before and after disabling DNSSEC ... got it, had to add:

access-control: 200.46.208.99/32 allow

now it resolves fine ...

thx

On Aug 14, 2014, at 08:17 , Ruben van Staveren wrote:

> Marc,
>
> can you try to disable DNSSEC?
>
> http://www.unbound.net/documentation/howto_turnoff_dnssec.html
>
> (and add val-log-level: 2)
>
> it might be that your upstream nameserver botches the DNSSEC reply. To keep DNSSEC, uncomment inclusion of the generated forwarder configuration and have unbound query the root nameservers itself.
>
> Cheers,
> Ruben
>
>
> On 14 Aug 2014, at 8:48, Marc Fournier wrote:
>
>>
>> Before I give up and just install bind (which I'd really like to avoid doing, but it did work out of the box) ... has anyone gotten this to run?
>>
>> I've searched Google, and can find next to nothing ... but I have to be missing something obvious, else I would expect to find loads ... or nobody is actually doing this ...
>>
>> I tried the simple:
>>
>> add local_unbound_enable="YES" to rc.conf
>> start up the service
>>
>> it modifies my /etc/resolv.conf, starts up, but when I try to 'drill' a domain, I get nothing back ... checked /var/log/messages, only thing I see is what appears to be the start up:
>>
>> Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 0: validator
>> Aug 14 07:19:02 97381 unbound: [44840:0] notice: init module 1: iterator
>>
>>
>> I've even tried running from the command line with '-d -vv', and all I get is:
>>
>> /var/unbound # /usr/sbin/unbound -c/var/unbound/unbound.conf -d -vv
>> [1407997717] unbound[45554:0] notice: Start of unbound 1.4.20.
>> [1407997717] unbound[45554:0] debug: switching log to syslog
>>
>> I have it running on the host server, and it responds perfectly well ... I've tried changing the 'nameserver' setting in /etc/resolv.conf to be the IP of the jail, vs localhost ... as well as setting 'interfaces' in /var/unbound/unbound.conf ... no difference ...
>>
>> Help?
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 18:08:33 2014
Date: Thu, 14 Aug 2014 11:08:01 -0700 (PDT)
From: Beeblebrox
To: freebsd-jail@freebsd.org
Message-ID: <20140814210726.30e38251@rsbsd.rsb>
In-Reply-To: <53ECE309.5040302@freebsd.org>
Subject: Re: Allow jail to see source IP of incoming traffic

> Connections to localhost
> (127.0.0.1) from inside the jail are rerouted to the jails primary IP,
> since the jail does not have access to the loopback adapter.

That's what I was attempting to describe in my awkward manner, except that if the jail iface is an alias of loopback, one gets a similar result when sending traffic from the host.

> This can cause local connections to appear to be coming from the jails IP
> rather than loopback, but other than that, everyone should show the
> original source IP address.

What happened was that connecting to the jailed mlnet session from the host resulted in being refused, and adding to allowed_ips was the only possible solution. My jails run on an alias of lo:

/etc/rc.conf: cloned_interfaces="lo2"
/etc/jail.conf: interface = lo2; \
ip4.addr = 192.168.2.xxx/32;

> What address are you seeing the connections as coming from? Where are
> they actually coming from?

I didn't run tcpdump or anything (booo!)
The only flag I reacted to was "allowed_ips" for the gui not permitting the host, and once I relaxed that, I needed to clarify before I proceeded any further (no attempts to download anything as yet, so no incoming external traffic).

Under this configuration I tried to describe mean that only members of host/localhost will be able to connect to the mlnet daemon?

Thank you.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 18:25:36 2014
Date: Thu, 14 Aug 2014 11:25:05 -0700 (PDT)
From: Beeblebrox
To: freebsd-jail@freebsd.org
Message-ID: <20140814212432.5ba83a6f@rsbsd.rsb>
In-Reply-To: <53ECE309.5040302@freebsd.org>
Subject: Re: Allow jail to see source IP of incoming traffic

>> Under this configuration I tried to describe mean that only members
>> of host/localhost will be able to connect to the mlnet daemon?

correction: Under the configuration I have tried to describe; does it mean that only members of host/localhost will be able to connect to the mlnet daemon?

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 23:13:35 2014
Date: Thu, 14 Aug 2014 17:13:33 -0600 (MDT)
From: Warren Block
To: James Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: How early can jails be started?
References: <53E6F664.10702@freebsd.org>

On Wed, 13 Aug 2014, Warren Block wrote:

> It works... mostly. This file is /etc/rc.d/earlyjail:
>
> #!/bin/sh
> # PROVIDE: earlyjail
> # REQUIRE: netwait
> # KEYWORD:
> # BEFORE: mountcritremote
> /usr/local/etc/rc.d/ezjail start dns1
>
> When /etc/rc.d/jail runs much later in the startup, it tries to start that
> jail again, and gets an error because of it. Seeing the error, it deletes
> /var/run/jail_dns1.id. ezjail uses those jail_*.id files to detect which
> jails are running, and is sure that dns1 is not running. jls does show things
> correctly. I'm not sure if there is a workaround short of modifying
> /etc/rc.d/jail.

A small patch to /etc/rc.d/jail checks whether a jail is already running and leaves the /var/run/jail_jailname.id file in place. With this, ezjail works fine with the early-started jail. There might be security or other implications that should be considered. Only superficially tested so far.
It's conceivable that someone might want to start all jails early, but I have not modified that branch of the code.

--- /usr/src/etc/rc.d/jail 2014-07-03 19:10:00.000000000 -0600 +++ /etc/rc.d/jail 2014-08-14 16:59:23.000000000 -0600 @@ -488,6 +488,12 @@ eval rc_flags=\${jail_${_j}_flags:-$jail_flags} eval command=\${jail_${_j}_program:-$jail_program} command_args="-i -f $_conf -c $_j" + + if jls name | grep -x -q "$_j" ;then + echo " $_j already started" + continue + fi + _tmp=`mktemp -t jail` || exit 3 if $command $rc_flags $command_args \ >> $_tmp 2>&1

Attachment: rc.d-jail.diff (the same patch, base64-encoded)
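Review bot: the added `if jls name | grep -x -q "$_j"` check treats any running jail whose name matches as "already started", whatever started it and whatever jid it has, and the `continue` then bypasses the rest of the loop body, so an existing /var/run/jail_${_j}.id is kept without ever being compared to the jail that is actually running. For the ezjail early-start case that is what is wanted, but a jail of the same name started by hand, or a stale id file from a previous boot whose jid no longer matches, is silently accepted as well. Suggest reading the running jid (for example with `jls -j "$_j" jid`) and warning when it differs from the id file, and reporting the skip through the script's normal warn/info path rather than a bare `echo`. Minor style point: `;then` should be `; then`.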
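A consistency check for the jail_NAME.id bookkeeping described above, as an added example that is not rc.d/jail's, ezjail's or Warren's code. It assumes each /var/run/jail_NAME.id holds the jid of the jail it was written for, and takes the directory and the `jls -h jid name` text as parameters so it runs without any jails present (the jail names in the demo are constructed).

```shell
#!/bin/sh
# Added example: reconcile the /var/run/jail_NAME.id files that ezjail uses to
# decide which jails are running against what jls(8) actually reports, so an
# early-started jail or a stale id file is spotted instead of silently making a
# jail look stopped. Assumption: each id file holds the jid of its jail.

# jail_state IDDIR JLS_OUTPUT
#   JLS_OUTPUT is the text of `jls -h jid name` (header line first).
#   Prints one line per jail:
#     NAME ok        id file present and its jid matches the running jail
#     NAME stale     id file present but no jail of that name is running
#     NAME mismatch  id file jid differs from the running jail's jid (restarted)
#     NAME noidfile  jail is running (e.g. started early) but has no id file
jail_state() {
    iddir=$1
    # "name jid" pairs of the running jails, header line skipped.
    running=$(printf '%s\n' "$2" | awk 'NR > 1 { print $2, $1 }')

    for f in "$iddir"/jail_*.id; do
        [ -e "$f" ] || continue
        name=${f##*/jail_}; name=${name%.id}
        file_jid=$(cat "$f")
        run_jid=$(printf '%s\n' "$running" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$run_jid" ]; then
            echo "$name stale"
        elif [ "$run_jid" != "$file_jid" ]; then
            echo "$name mismatch"
        else
            echo "$name ok"
        fi
    done

    # Jails that are up but have no id file: ezjail would consider them stopped.
    printf '%s\n' "$running" | while read -r name jid; do
        if [ -n "$name" ] && [ ! -e "$iddir/jail_$name.id" ]; then
            echo "$name noidfile"
        fi
    done
}

# demo: constructed fixture in a temp dir; jail names and jids are invented.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/jailstate.XXXXXX") || return 1
    echo 3 > "$d/jail_dns1.id"   # started early by /etc/rc.d/earlyjail, still correct
    echo 9 > "$d/jail_www.id"    # jail went away, id file left behind
    echo 2 > "$d/jail_db.id"     # jail was restarted and got a new jid
    jls_sample='   JID  name
     3  dns1
     5  db
     7  mail'
    jail_state "$d" "$jls_sample"
    rm -r "$d"
}

demo
```

On a real host the two inputs would be /var/run and the output of `jls -h jid name`; any line other than "ok" is a jail whose rc.d/jail and ezjail views have drifted apart.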