From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 10 Mar 2008 11:07:04 GMT
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/119305   jail       [jail] [patch] jexec(8): jexec -n prisonname: selectio
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

10 problems total.


From: Alexander Leidinger
To: freebsd-jail@freebsd.org
Date: Mon, 10 Mar 2008 12:28:29 +0100
Subject: X.org in a jail, testers wanted

Hi,

at http://www.Leidinger.net/FreeBSD/current-patches/jail.diff I have
some changes which should apply to RELENG_7(_0) and HEAD which allow
access to /dev/io (if configured appropriately, see the included
man-page change). This is needed to run an X server in a jail. You may
also need to load manually (or via the loader) the kernel module which
is normally loaded by the X server (in my case (a Radeon card) this
means to have radeon_load="YES" in loader.conf). AFAIR the X server
works without this, but probably without some acceleration. I haven't
tested any 3D stuff.

You also need to set up /etc/devfs.rules (this is a copy of my one, it
contains more than is needed to run the X server, so you can trim this
if you want):
---snip---
[devfsrules_unhide_audio=5]
add path 'audio*' unhide
add path 'dsp*' unhide
add path midistat unhide
add path 'mixer*' unhide
add path 'music*' unhide
add path 'sequencer*' unhide
add path sndstat unhide
add path speaker unhide

[devfsrules_unhide_printers=6]
add path 'lpt*' unhide
add path 'ulpt*' unhide
add path 'unlpt*' unhide

[devfsrules_unhide_input=7]
add path 'atkbd*' unhide
add path 'kbd*' unhide
add path 'joy*' unhide
add path 'psm*' unhide
add path sysmouse unhide
add path 'ukbd*' unhide
add path 'ums*' unhide

[devfsrules_unhide_xorg=8]
add path agpgart unhide
#add path console unhide
add path dri unhide
add path 'dri*' unhide
add path io unhide
add path mem unhide
#add path pci unhide
add path tty unhide
add path ttyv0 unhide
add path ttyv1 unhide
add path ttyv8 unhide

[devfsrules_unhide_cam=9]
add path 'da*' unhide
add path 'cd*' unhide

[devfsrules_unhide_kmem=10]
add path kmem unhide

#
# This allows to run a desktop system in a jail. Think about what you want to
# achieve before you use this, it opens up the entire machine to access from
# this jail to any sophisticated program.
#
[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_audio
add include $devfsrules_unhide_input
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
add include $devfsrules_unhide_kmem
---snip---

You also need to make sure those rules are applied to your jail
(jail__devfs_ruleset="devfsrules_jail_desktop").

I'm running with security.jail.dev_io_access_allowed=1 for several
months. Today I took the time to add
security.jail.dev_io_access_allowed_hostname (WARNING: only
compile-tested!) and the man-page.

I would like to get some reviews of the patch and some success/failure
reports for the security.jail.dev_io_access_allowed_hostname sysctl.

Bye,
Alexander.

-- 
Too cool to calypso, Too tough to tango, Too weird to watusi
		-- The Only Ones

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137


From: Jeremie Le Hen
To: Alexander Leidinger
Cc: freebsd-jail@freebsd.org
Date: Tue, 11 Mar 2008 22:02:16 +0100
Subject: Re: X.org in a jail, testers wanted

Hi Alexander,

On Mon, Mar 10, 2008 at 12:28:29PM +0100, Alexander Leidinger wrote:
> at http://www.Leidinger.net/FreeBSD/current-patches/jail.diff I have some
> changes which should apply to RELENG_7(_0) and HEAD which allow access to
> /dev/io (if configured appropriately, see the included man-page change).
> This is needed to run an X server in a jail. You may also need to load
> manually (or via the loader) the kernel module which is normally loaded by
> the X server (in my case (a Radeon card) this means to have
> radeon_load="YES" in loader.conf). AFAIR the X server works without this,
> but probably without some acceleration. I haven't tested any 3D stuff.

Thank you very much for providing your work in this area. I would
really like to test your patch, but I currently have very little spare
time left by my job. So I will only cheer you up :).

> You also need to set up /etc/devfs.rules (this is a copy of my one, it
> contains more than is needed to run the X server, so you can trim this if
> you want):
> ---snip---
> [...]
> ---snip---
>
> You also need to make sure those rules are applied to your jail
> (jail__devfs_ruleset="devfsrules_jail_desktop").

Do you plan to document this elsewhere, maybe in the jail chapter of
the handbook? Otherwise I will merely bookmark your mail.

Regards.
Thanks,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >


From: Alexander Leidinger
To: Jeremie Le Hen
Cc: FreeBSD-Jail
Date: Wed, 12 Mar 2008 07:47:00 +0100
Subject: Re: X.org in a jail, testers wanted

Quoting Jeremie Le Hen (from Tue, 11 Mar 2008 22:02:16 +0100):

> Hi Alexander,
>
> On Mon, Mar 10, 2008 at 12:28:29PM +0100, Alexander Leidinger wrote:
>> at http://www.Leidinger.net/FreeBSD/current-patches/jail.diff I have some
>> changes which should apply to RELENG_7(_0) and HEAD which allow access to
>> /dev/io (if configured appropriately, see the included man-page change).
>> This is needed to run an X server in a jail. You may also need to load
>> manually (or via the loader) the kernel module which is normally loaded by
>> the X server (in my case (a Radeon card) this means to have
>> radeon_load="YES" in loader.conf). AFAIR the X server works without this,
>> but probably without some acceleration. I haven't tested any 3D stuff.
>
> Thank you very much for providing your work in this area. I would
> really like to test your patch, but I currently have very little spare
> time left by my job. So I will only cheer you up :).

Thanks. :)

>> You also need to set up /etc/devfs.rules (this is a copy of my one, it
>> contains more than is needed to run the X server, so you can trim this if
>> you want):
>> ---snip---
>> [...]
>> ---snip---
>>
>> You also need to make sure those rules are applied to your jail
>> (jail__devfs_ruleset="devfsrules_jail_desktop").
>
> Do you plan to document this elsewhere, maybe in the jail chapter of
> the handbook? Otherwise I will merely bookmark your mail.

What you need or not depends upon your usage scenario. I don't think
this belongs into the man page. If I document this in the handbook or
not, I haven't thought about (somehow I think I will not have the time
to do it). If someone takes my mail (after the code is committed),
adds some sentences and wants to commit this into the handbook, I
happily review the text.

Bye,
Alexander.

-- 
Dr. Jekyll had something to Hyde.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
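
Added example (not part of the original mails and not code from the jail.diff patch): a small Python audit for a devfs.rules file like the one in the first mail of this thread. It follows the `add include` chains and reports which hardware or memory device nodes a jail ruleset ends up unhiding. The `SENSITIVE` table, the function names and the trimmed sample input are assumptions made for illustration; rulesets that are included but not defined in the parsed text (such as `devfsrules_hide_all`) are skipped.

```python
import fnmatch
import re

# Representative node names that hand a jail raw hardware or memory access.
SENSITIVE = {"io": "I/O ports", "mem": "physical memory",
             "kmem": "kernel memory", "da0": "raw disk"}

# Constructed sample: a trimmed subset of the rulesets quoted in the mail.
SAMPLE_RULES = """\
[devfsrules_unhide_xorg=8]
#add path console unhide
add path io unhide
add path mem unhide
[devfsrules_unhide_cam=9]
add path 'da*' unhide
[devfsrules_jail_desktop=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_xorg
add include $devfsrules_unhide_cam
"""

def parse_rulesets(text):
    """Map ruleset name -> list of ('include', name) / ('unhide', glob) rules."""
    rulesets, current = {}, []  # rules before the first [section] are discarded
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out rules
        if m := re.fullmatch(r"\[(\w+)=\d+\]", line):
            current = rulesets.setdefault(m.group(1), [])
        elif m := re.fullmatch(r"add\s+include\s+\$(\w+)", line):
            current.append(("include", m.group(1)))
        elif m := re.fullmatch(r"add\s+path\s+(\S+)\s+unhide", line):
            current.append(("unhide", m.group(1).strip("'\"")))
    return rulesets

def exposed_nodes(rulesets, name, seen=None):
    """Follow includes from ruleset `name`; return the sensitive nodes it unhides."""
    seen = set() if seen is None else seen
    if name in seen or name not in rulesets:  # include cycle, or defined in another file
        return {}
    seen.add(name)
    found = {}
    for kind, arg in rulesets[name]:
        if kind == "include":
            found.update(exposed_nodes(rulesets, arg, seen))
        else:
            found.update({n: w for n, w in SENSITIVE.items() if fnmatch.fnmatchcase(n, arg)})
    return found

print(exposed_nodes(parse_rulesets(SAMPLE_RULES), "devfsrules_jail_desktop"))
```

Run against the real /etc/devfs.rules, any non-empty result for a ruleset assigned to a jail means that jail has the kind of whole-machine access the comment above `devfsrules_jail_desktop` describes.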