From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 11:06:55 2010
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 28 Jun 2010 11:06:55 GMT
Message-Id: <201006281106.o5SB6tYT086556@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/147162  jail       [jail] [panic] Page Fault / Kernel panic when jail sta
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

7 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 14:24:35 2010
Message-ID: <20100628162426.21226ds0q116ljks@webmail.leidinger.net>
Date: Mon, 28 Jun 2010 16:24:26 +0200
From: Alexander Leidinger
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <4C238832.2050803@FreeBSD.org>
Subject: Re: Thoughts on jail.config

Quoting Jamie Gritton (from Thu, 24 Jun 2010 10:30:42 -0600):

> On 06/24/10 06:43, Alexander Leidinger wrote:
>
>> On Wed, 23 Jun 2010 13:48:28 -0600 Jamie Gritton wrote:
>>
>>> The rc system is becoming increasingly unable to handle the newer jail
>>> features. We've held off patching /etc/rc.d/jail for new parameters,
>>> with the promise of something better. Here's my outline of what I
>>> hope will be in fact better than what we have now.
>>
>> I'm not sure from your explanation if your new setup allows ezjail to
>> manage jails as easily as it is now. If the new jail command will have
>> an option to specify a config file, and the jail command only operates
>> on the jails of this config file and ignores other jails which are
>> already running (e.g. on a shutdown request), your new system looks
>> like it is easy to use with ezjail.
>
> Yes, you'll be able to specify a config file via the command line, with
> a default of /etc/jail.conf.

Great.

> Jails that exist outside of the config file's knowledge are a tricky
> point, and the problems are really only on a shutdown request. While I
> haven't coded this part of things yet, I've considered that I'll need
> two different kinds of blanket shutdowns: one for all the jails in the
> config file, and another for all jails in the system. The latter would
> be the most sensible to use during system shutdown, when it doesn't make
> sense to leave any jails running. But orderly shutdown is part of the
> config spec (e.g. running "/bin/sh /etc/rc.shutdown"), and it may be
> best to assume that if the jails were created outside of the rc system,
> they'll be removed in the same way.

There are two additional sides:
1) For jails which are created for example via ezjail I agree that it is
   within the responsibility of ezjail to shut them down.
2) For jails which are created/started by hand from a custom config file
   for testing purposes, I think a "shutdown all remaining jails even if
   there is no entry in the config file" would be good. The problem with
   this is that you need to make assumptions about how to do a shutdown,
   or record this info in the kernel at creation time (and use this only
   if no config with appropriate info is available).

> So in short, I think it will be compatible with ezjail.
>
>> Another point which interests me is how your new way of doing things
>> will handle things like allow.raw_sockets. Assume I have some kernel
>> modification which adds allow.XXX, do I need to modify the parsing of
>> the jail command to handle this, or will this work transparently
>> without userland modifications?
>
> That will work transparently, as does the current jail(8) command line.
> The only time you'd need to modify userland tools for a new jail
> parameter is if that parameter has a data type the tools don't
> understand. Most parameters operate on numbers or strings, but for
> example IP addresses are passed in binary and userland needs to know how
> to convert them to/from strings.

That's easy enough for my purposes. :)

Bye,
Alexander.

-- 
Hitchcock's Staple Principle:
        The stapler runs out of staples only while you are trying to
        staple something.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 14:41:23 2010
Date: Mon, 28 Jun 2010 11:41:19 -0300
From: Rodrigo Mosconi
To: freebsd-jail@freebsd.org
In-Reply-To: <20100628162426.21226ds0q116ljks@webmail.leidinger.net>
Subject: Re: Thoughts on jail.config

2010/6/28 Alexander Leidinger:
> Quoting Jamie Gritton (from Thu, 24 Jun 2010 10:30:42 -0600):
>
>> On 06/24/10 06:43, Alexander Leidinger wrote:
>>
>>> On Wed, 23 Jun 2010 13:48:28 -0600 Jamie Gritton wrote:
>>>
>>>> The rc system is becoming increasingly
>>>> unable to handle the newer jail
>>>> features. We've held off patching /etc/rc.d/jail for new parameters,
>>>> with the promise of something better. Here's my outline of what I
>>>> hope will be in fact better than what we have now.
>>>
>>> I'm not sure from your explanation if your new setup allows ezjail to
>>> manage jails as easily as it is now. If the new jail command will have
>>> an option to specify a config file, and the jail command only operates
>>> on the jails of this config file and ignores other jails which are
>>> already running (e.g. on a shutdown request), your new system looks
>>> like it is easy to use with ezjail.
>>
>> Yes, you'll be able to specify a config file via the command line, with
>> a default of /etc/jail.conf.
>
> Great.
>
>> Jails that exist outside of the config file's knowledge are a tricky
>> point, and the problems are really only on a shutdown request. While I
>> haven't coded this part of things yet, I've considered that I'll need
>> two different kinds of blanket shutdowns: one for all the jails in the
>> config file, and another for all jails in the system. The latter would
>> be the most sensible to use during system shutdown, when it doesn't make
>> sense to leave any jails running. But orderly shutdown is part of the
>> config spec (e.g. running "/bin/sh /etc/rc.shutdown"), and it may be
>> best to assume that if the jails were created outside of the rc system,
>> they'll be removed in the same way.
>
> There are two additional sides:
> 1) For jails which are created for example via ezjail I agree that it is
> within the responsibility of ezjail to shut them down.
> 2) For jails which are created/started by hand from a custom config file
> for testing purposes, I think a "shutdown all remaining jails even if
> there is no entry in the config file" would be good. The problem with
> this is that you need to make assumptions about how to do a shutdown, or
> record this info in the kernel at creation time (and use this only if no
> config with appropriate info is available).
>
>> So in short, I think it will be compatible with ezjail.
>>
>>> Another point which interests me is how your new way of doing things
>>> will handle things like allow.raw_sockets. Assume I have some kernel
>>> modification which adds allow.XXX, do I need to modify the parsing of
>>> the jail command to handle this, or will this work transparently
>>> without userland modifications?
>>
>> That will work transparently, as does the current jail(8) command line.
>> The only time you'd need to modify userland tools for a new jail
>> parameter is if that parameter has a data type the tools don't
>> understand. Most parameters operate on numbers or strings, but for
>> example IP addresses are passed in binary and userland needs to know how
>> to convert them to/from strings.
>
> That's easy enough for my purposes. :)
>
> Bye,
> Alexander.
>

An idea: what if it works like a "jaild"? A daemon managing the start-up,
shutdown, console redirection? All the admin tasks could be done by a
"jailctl"?
Just a comment.

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 15:18:41 2010
Message-ID: <4C28BCBB.70601@FreeBSD.org>
Date: Mon, 28 Jun 2010 09:16:11 -0600
From: Jamie Gritton
To: Alexander Leidinger, freebsd-jail@FreeBSD.org
In-Reply-To: <20100628162426.21226ds0q116ljks@webmail.leidinger.net>
Subject: Re: Thoughts on jail.config

On 06/28/10 08:24, Alexander Leidinger wrote:
> Quoting Jamie Gritton (from Thu, 24 Jun 2010 10:30:42 -0600):
>> On 06/24/10 06:43, Alexander Leidinger wrote:
>>
>> Jails that exist outside of the config file's knowledge are a tricky
>> point, and the problems are really only on a shutdown request. While I
>> haven't coded this part of things yet, I've considered that I'll need
>> two different kinds of blanket shutdowns: one for all the jails in the
>> config file, and another for all jails in the system. The latter would
>> be the most sensible to use during system shutdown, when it doesn't make
>> sense to leave any jails running. But orderly shutdown is part of the
>> config spec (e.g. running "/bin/sh /etc/rc.shutdown"), and it may be
>> best to assume that if the jails were created outside of the rc system,
>> they'll be removed in the same way.
>
> There are two additional sides:
> 1) For jails which are created for example via ezjail I agree that it is
> within the responsibility of ezjail to shut them down.
> 2) For jails which are created/started by hand from a custom config file
> for testing purposes, I think a "shutdown all remaining jails even if
> there is no entry in the config file" would be good. The problem with
> this is that you need to make assumptions about how to do a shutdown, or
> record this info in the kernel at creation time (and use this only if no
> config with appropriate info is available).

If any jails are left on shutdown by the time rc.d/jail gets to them,
they would have to be summarily killed. I wouldn't want to make
assumptions about scripts and the like in the absence of the config
lines, since I assume there's a reason they weren't started within the
jail.conf system. When you remove a jail via jail_remove(2), it sends a
SIGKILL to every process inside it. I could at least first send them a
SIGTERM and give them a little while to clean up first. But I still
wouldn't want to run a script that wasn't specified by the jail creator,
which is at this point necessarily unknown. So yes, I'd have a "shutdown
all jails" option for this.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 15:40:37 2010
Message-ID: <4C28C1DD.2020001@FreeBSD.org>
Date: Mon, 28 Jun 2010 09:38:05 -0600
From: Jamie Gritton
To: Rodrigo Mosconi, freebsd-jail@FreeBSD.org
Subject: Re: Thoughts on jail.config

On 06/28/10 08:41, Rodrigo Mosconi wrote:
> An idea: what if it works like a "jaild"? A daemon managing the start-up,
> shutdown, console redirection? All the admin tasks could be done by a
> "jailctl"?

I don't know what work a daemon would have to do. I only see it running
tasks on startup, and then waiting until something tells it on shutdown
to wake up and stop the jails. That "something" would have to be that
jailctl you mention. If there's a jail program running anyway, might as
well keep all functionality in that one program.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 28 22:58:07 2010
Date: Mon, 28 Jun 2010 23:40:21 +0100
From: James O'Gorman
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <4C28C1DD.2020001@FreeBSD.org>
Subject: Re: Thoughts on jail.config

On 28 Jun 2010, at 16:38, Jamie Gritton wrote:
> On 06/28/10 08:41, Rodrigo Mosconi wrote:
>
>> An idea: what if it works like a "jaild"? A daemon managing the start-up,
>> shutdown, console redirection? All the admin tasks could be done by a
>> "jailctl"?
>
> I don't know what work a daemon would have to do. I only see it running
> tasks on startup, and then waiting until something tells it on shutdown
> to wake up and stop the jails. That "something" would have to be that
> jailctl you mention. If there's a jail program running anyway, might as
> well keep all functionality in that one program.

Perhaps it's worth looking at Solaris Zones here, as that runs a daemon
in both the global zone and each container. I can't recall exactly what
it does off-hand as I don't have a Solaris box to hand, but it's probably
similar to what you're talking about. I'm pretty sure zoneadm talks to
zoneadmd to start/stop/configure each zone in the kernel.
James

From owner-freebsd-jail@FreeBSD.ORG Tue Jun 29 10:12:36 2010
Message-ID: <20100629121226.17056remx4tvmhs0@webmail.leidinger.net>
Date: Tue, 29 Jun 2010 12:12:26 +0200
From: Alexander Leidinger
To: "James O'Gorman"
Cc: freebsd-jail@FreeBSD.org, Jamie Gritton
Subject: Re: Thoughts on jail.config

Quoting James O'Gorman (from Mon, 28 Jun 2010 23:40:21 +0100):

> On 28 Jun 2010, at 16:38, Jamie Gritton wrote:
>
>> On 06/28/10 08:41, Rodrigo Mosconi wrote:
>>
>>> An idea: what if it works like a "jaild"? A daemon managing the
>>> start-up, shutdown, console redirection? All the admin tasks could be
>>> done by a "jailctl"?
>>
>> I don't know what work a daemon would have to do. I only see it running
>> tasks on startup, and then waiting until something tells it on shutdown
>> to wake up and stop the jails. That "something" would have to be that
>> jailctl you mention. If there's a jail program running anyway, might as
>> well keep all functionality in that one program.
>
> Perhaps it's worth looking at Solaris Zones here, as that runs a
> daemon in both the global zone and each container. I can't recall
> exactly what it does off-hand as I don't have a Solaris box to hand,
> but it's probably similar to what you're talking about. I'm pretty
> sure zoneadm talks to zoneadmd to start/stop/configure each zone in
> the kernel.

Yes, but it also takes care of the zone console device
(http://docs.sun.com/app/docs/doc/817-1592/z.inst.ov-12?l=en&a=view).
This (and maybe some resource control stuff) is the only thing I see
which may make sense to be handled by a daemon; everything else could be
handled by zoneadm directly. I also see a security benefit of the daemon
if you give the right to manage zones to a user/role != root. Neither is
available in FreeBSD.

There is also the zsched running per zone. This process is explained at
http://docs.sun.com/app/docs/doc/817-1592/z.inst.ov-13?a=view

Bye,
Alexander.

-- 
Never have so many understood so little about so much.
        -- James Burke

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-jail@FreeBSD.ORG Tue Jun 29 10:25:08 2010
Date: Tue, 29 Jun 2010 10:21:05 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <4C28C1DD.2020001@FreeBSD.org>
Message-ID: <20100629101928.D26508@maildrop.int.zabbadoz.net>
Subject: Re: Thoughts on jail.config

On Mon, 28 Jun 2010, Jamie Gritton wrote:

Hi,

> On 06/28/10 08:41, Rodrigo Mosconi wrote:
>
>> An idea: what if it works like a "jaild"? A daemon managing the start-up,
>> shutdown, console redirection? All the admin tasks could be done by a
>> "jailctl"?
>
> I don't know what work a daemon would have to do. I only see it running
> tasks on startup, and then waiting until something tells it on shutdown
> to wake up and stop the jails. That "something" would have to be that
> jailctl you mention. If there's a jail program running anyway, might as
> well keep all functionality in that one program.

One functionality I forgot about but was asked for in the past was
"jail reboot", so that an admin could "restart" a jail completely from
within the jail. The question is whether we may want a "jailinit" (an
init running inside the jail) for that or if we want to handle it from
the outside.

/bz

-- 
Bjoern A. Zeeb
From August on I will have a life. It's now up to you to do the maths and count to 64.
        -- Bondorf, Germany, 14th June 2010

From owner-freebsd-jail@FreeBSD.ORG Tue Jun 29 15:34:31 2010
Message-ID: <4C2A1283.1080606@FreeBSD.org>
Date: Tue, 29 Jun 2010 09:34:27 -0600
From: Jamie Gritton
To: "Bjoern A. Zeeb", freebsd-jail@FreeBSD.org
In-Reply-To: <20100629101928.D26508@maildrop.int.zabbadoz.net>
Subject: Re: Thoughts on jail.config

On 06/29/10 04:21, Bjoern A. Zeeb wrote:
> One functionality I forgot about but was asked for in the past was
> "jail reboot", so that an admin could "restart" a jail completely from
> within the jail. The question is whether we may want a "jailinit" (an
> init running inside the jail) for that or if we want to handle it from
> the outside.

I like the idea of a jailinit, and have had success running our own
stuff that way. But in the meantime, I could do the restart via
userspace - just run the shutdown, wait for the jail to go away, and
then start up again. This is in fact something I was planning on.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 3 15:05:07 2010
Date: Sat, 3 Jul 2010 15:02:19 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Harald Schmalzbauer
Cc: freebsd-jail@FreeBSD.org, freebsd-stable
Reply-To: freebsd-jail@FreeBSD.org
In-Reply-To: <4C2EF065.2020208@omnilan.de>
Message-ID: <20100703145827.E14969@maildrop.int.zabbadoz.net>
Subject: Re: selective jail restriction controlling in rc.conf

On Sat, 3 Jul 2010, Harald Schmalzbauer wrote:

Hello Harald,

> Harald Schmalzbauer wrote on 03.07.2010 10:05 (localtime):
> ...
>> One has to define ip4 and ip6 addresses separately. They can be with or
>> without mask, a single one or a comma-separated list, it doesn't matter;
>> thanks to the jail_handle_ips_option() coder, it just works :)
>
> I forgot to change that in defaults/rc.conf.
> Please find attached the corrected version.

there is currently an ongoing discussion about jail configuration on
the freebsd-jail@ mailing list:
http://lists.freebsd.org/pipermail/freebsd-jail/2010-June/thread.html#1308

I think your comments (and patches) are better sent there, rather than
to stable@.

Regards,
Bjoern

-- 
Bjoern A. Zeeb
From August on I will have a life. It's now up to you to do the maths and count to 64.
        -- Bondorf, Germany, 14th June 2010
