From owner-freebsd-jail@FreeBSD.ORG Mon Mar 4 11:06:44 2013
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 4 Mar 2013 11:06:44 GMT
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD
users. These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/176482  jail   [jail] Jails not unmounting devfs on exit
o kern/176112  jail   [jail] [panic] kernel panic when starting jails
o kern/176092  jail   [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail   [jail] jail should provide validator for jail names
o kern/174436  jail   [jail] Jails with numbers as names don't work
o bin/173469   jail   [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail   [jail] reading routing information does not work in ja
o bin/167911   jail   new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail   [jail] inter-jail communication failure
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail   [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid

18 problems total.

From owner-freebsd-jail@FreeBSD.ORG Wed Mar 6 19:25:38 2013
From: Yoann Gini
To: freebsd-jail@freebsd.org
Date: Wed, 6 Mar 2013 20:25:33 +0100
Subject: IPv4 addresses clash / jails not working after reboot…

Hi,

I’m Yoann. It’s my first message here so a little brief about me. I’m a
OS X Server System Administrator and Trainer, actually working on a
FreeBSD based setup for a simple service provider infrastructure.

On a server, I’ve three jails to provide public services, private
services and VPN to access to the private services.

I’ve setup the network part of my server with two interfaces, one real
with one IPv4 and 4 IPv6 and a lo1 with 4 IPv4.

As a beginner on this, I’ve start with ezjail to create my jails, I’ve
create and configure my 4 jails without any problems, I’ve been able to
start and stop them without difficulties, installing some services,
everything went right.

At the end, I’ve hit a reboot and here, all goes down…

When my server come back, only one on the three jails start, the other
fails and a sh -x end with this :

+ eval '_x="$jail_front0_public_example_com_ip_multi0"'
+ _x=''
+ break
+ echo ' cannot start jail "front0_public_example_com": '
 cannot start jail "front0_public_example_com":
+ tail +2 /tmp/jail.4n2kxXqu/jail.5037
jail: IPv4 addresses clash
+ rm -f /tmp/jail.4n2kxXqu/jail.5037
+ rmdir /tmp/jail.4n2kxXqu
+ echo .

Here is my network setup :

em0:
	inet IPv4Prefix.184 netmask 0xffffff00 broadcast IPv4Prefix.255
	inet6 IPv6Prefix::1 prefixlen 64
	inet6 IPv6Prefix::2 prefixlen 64
	inet6 IPv6Prefix::3 prefixlen 64
lo1:
	inet 10.42.0.1 netmask 0xffffff00
	inet 10.42.0.2 netmask 0xffffff00
	inet 10.42.0.3 netmask 0xffffff00
	inet 10.42.0.4 netmask 0xffffff00

I can’t find a lot of resources on this error… So if someone can give me
a clue about what happening, it could be nice :-)

Cheers
Yoann

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 01:40:42 2013
Date: Wed, 6 Mar 2013 19:23:05 -0600 (CST)
Subject: Re: IPv4 addresses clash / jails not working after reboot…
From: "Valeri Galtsev"
To: "Yoann Gini"
Cc: freebsd-jail@freebsd.org

Hi Yoann,

I must say I'm not an expert in the first place, and I never used ezjail,
I'm creating jails manually...

Still. Try to make all jails configured each with one single IP. To the
best of my knowledge jail implementation doesn't support multiple IPs.

I have the box similar to yours, that has 3 different IPs. I have a bunch
of services in individual jails. With that restriction in jail
implementation I have to have three different jails (one per IP) for each
of the services.

Someone can correct me if I'm wrong about something.

Thanks.
Valeri

On Wed, March 6, 2013 1:25 pm, Yoann Gini wrote:
> Hi,
>
> I’m Yoann. It’s my first message here so a little brief about me. I’m a OS
> X Server System Administrator and Trainer, actually working on a FreeBSD
> based setup for a simple service provider infrastructure.
>
> On a server, I’ve three jails to provide public services, private services
> and VPN to access to the private services.
>
> I’ve setup the network part of my server with two interfaces, one real
> with one IPv4 and 4 IPv6 and a lo1 with 4 IPv4.
>
> As a beginner on this, I’ve start with ezjail to create my jails, I’ve
> create and configure my 4 jails without any problems, I’ve been able to
> start and stop them without difficulties, installing some services,
> everything went right.
>
> At the end, I’ve hit a reboot and here, all goes down…
>
> When my server come back, only one on the three jails start, the other
> fails and a sh -x end with this :
>
> + eval '_x="$jail_front0_public_example_com_ip_multi0"'
> + _x=''
> + break
> + echo ' cannot start jail "front0_public_example_com": '
>  cannot start jail "front0_public_example_com":
> + tail +2 /tmp/jail.4n2kxXqu/jail.5037
> jail: IPv4 addresses clash
> + rm -f /tmp/jail.4n2kxXqu/jail.5037
> + rmdir /tmp/jail.4n2kxXqu
> + echo .
>
> Here is my network setup :
>
> em0:
> 	inet IPv4Prefix.184 netmask 0xffffff00 broadcast IPv4Prefix.255
> 	inet6 IPv6Prefix::1 prefixlen 64
> 	inet6 IPv6Prefix::2 prefixlen 64
> 	inet6 IPv6Prefix::3 prefixlen 64
> lo1:
> 	inet 10.42.0.1 netmask 0xffffff00
> 	inet 10.42.0.2 netmask 0xffffff00
> 	inet 10.42.0.3 netmask 0xffffff00
> 	inet 10.42.0.4 netmask 0xffffff00
>
> I can’t find a lot of resources on this error… So if someone can give me a
> clue about what happening, it could be nice :-)
>
> Cheers
> Yoann
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 08:48:51 2013
From: Yoann Gini
To: galtsev@kicp.uchicago.edu
Cc: freebsd-jail@freebsd.org
Date: Thu, 7 Mar 2013 09:48:41 +0100
Subject: Re: IPv4 addresses clash / jails not working after reboot…

Hi Valeri,

Thank for your answer

On 7 March 2013 at 02:23, Valeri Galtsev wrote:

> I must say I'm not an expert in the first place, and I never used ezjail,
> I'm creating jails manually...
>
> Still. Try to make all jails configured each with one single IP. To the
> best of my knowledge jail implementation doesn't support multiple IPs.
>
> I have the box similar to yours, that has 3 different IPs. I have a bunch
> of services in individual jails. With that restriction in jail
> implementation I have to have three different jails (one per IP) for each
> of the services.
>
> Someone can correct me if I'm wrong about something.

For what I see here, https://wiki.freebsd.org/Jails, since 2008 the
multiple IP feature has been committed in the base system. And until my
reboot, it was working…

However, I’ve try to remove my shared IPv4 from my jails and indeed, it
works… That’s a surprising behavior, on the first run, when I’ve create
and configure my jails, I’ve made many jails start and stop with the
shared IP without any problems…

I need to share this IP, I’ve only one and I would like to avoid playing
with NAT… If someone have a idea…

Cheers,
Yoann

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 09:58:48 2013
From: Boris Samorodov
To: freebsd-jail@freebsd.org
Date: Thu, 07 Mar 2013 13:58:45 +0400
Subject: Re: IPv4 addresses clash / jails not working after reboot…

07.03.2013 12:48, Yoann Gini wrote:

> I need to share this IP, I’ve only one and I would like to avoid playing with NAT…

One IP may be shared but for different services (ports).

> If someone have a idea…

Give some more information:
1. OS version, OS arch.
2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
3. What do you want to achieve.

--
WBR, Boris Samorodov (bsam)
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 12:29:48 2013
From: Yoann Gini
To: Boris Samorodov
Cc: freebsd-jail@freebsd.org
Date: Thu, 7 Mar 2013 13:29:44 +0100
Subject: Re: IPv4 addresses clash / jails not working after reboot…

On 7 March 2013 at 10:58, Boris Samorodov wrote:

> 07.03.2013 12:48, Yoann Gini wrote:
>
>> I need to share this IP, I’ve only one and I would like to avoid playing with NAT…
>
> One IP may be shared but for different services (ports).

That what I’ve understand and what I’ve planned.

>> If someone have a idea…
>
> Give some more information:
> 1. OS version, OS arch.

FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.

What do you want in /etc ? Except the fstab, I don’t see any config
here, the fstab look like that:

/home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
/usr/ports /home/jails/front0.public.example.com/usr/ports nullfs ro 0 0

And here is the ezjail config

export jail_front0_public_example_com_hostname="front0.public.example.com"
export jail_front0_public_example_com_ip=« IPv6Prefix::80,SharedIPv4,10.42.0.2"
export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
export jail_front0_public_example_com_exec_stop=""
export jail_front0_public_example_com_mount_enable="YES"
export jail_front0_public_example_com_devfs_enable="YES"
export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
export jail_front0_public_example_com_procfs_enable="YES"
export jail_front0_public_example_com_fdescfs_enable="YES"
export jail_front0_public_example_com_image=""
export jail_front0_public_example_com_imagetype=""
export jail_front0_public_example_com_attachparams=""
export jail_front0_public_example_com_attachblocking=""
export jail_front0_public_example_com_forceblocking=""
export jail_front0_public_example_com_zfs_datasets=""
export jail_front0_public_example_com_cpuset=""
export jail_front0_public_example_com_fib=""

> 3. What do you want to achieve.

I want a setup with:
— srv0 listen only for SSH on a alternate port for supervision on public IPv4/6 ;
— front0 to handle any public services (web, DNS, e-mail) on public IPv4/6 ;
— service0 to handle internal services (git, redmine, AFP sharepoints…) on private IP and SSH on a other alternate port on public IPv4/6 ;
— gateway0 to act as a VPN server and webproxy to secure access to private services on service0 and act as a secure gateway to encrypt network traffic for road-warriors on public network.

In the end, I will dispatch those services on different server but for
now I only access to one system, so I would like to prepare the setup to
be dispatched on different hardware when the budget come.

Actually, if I remove the SharedIPv4 from the jails, it works.

I’ve investigate more on the open socket area and I think the problem
come from Apache who still listen on *:* even if I’ve set a Listen
directive…

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 12:43:00 2013
From: Yoann Gini
To: Boris Samorodov
Cc: freebsd-jail@freebsd.org
Date: Thu, 7 Mar 2013 13:42:57 +0100
Subject: Re: IPv4 addresses clash / jails not working after reboot…

On 7 March 2013 at 13:29, Yoann Gini wrote:

> Actually, if I remove the SharedIPv4 from the jails, it works.
>
> I’ve investigate more on the open socket area and I think the problem come from Apache who still listen on *:* even if I’ve set a Listen directive…

No, it’s not linked, I’ve let Apache only on one jails and still not
working after a reboot…

Is it possible to have a verbose debug system on jail startup ?

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 14:23:05 2013
Date: Thu, 7 Mar 2013 08:23:04 -0600 (CST)
Subject: Re: IPv4 addresses clash / jails not working after reboot…
From: "Valeri Galtsev"
To: "Boris Samorodov"
Cc: freebsd-jail@freebsd.org

Hi Boris,

On Thu, March 7, 2013 3:58 am, Boris Samorodov wrote:
> 07.03.2013 12:48, Yoann Gini wrote:
>
>> I need to share this IP, I’ve only one and I would like to avoid
>> playing with NAT…
>
> One IP may be shared but for different services (ports).

Thanks. Now that you mentioned that I realize I might have confused
someone by saying I use one jail per service - which is not the
restriction but just what we need service jails for - to isolate as many
things from each other as we can...

Thanks.
Valeri

>
>> If someone have a idea…
>
> Give some more information:
> 1. OS version, OS arch.
> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
> 3. What do you want to achieve.
>
> --
> WBR, Boris Samorodov (bsam)
> FreeBSD Committer, http://www.FreeBSD.org The Power To Serve

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 16:39:52 2013
From: Boris Samorodov
To: Yoann Gini
Cc: freebsd-jail@freebsd.org
Date: Thu, 07 Mar 2013 20:39:47 +0400
Subject: Re: IPv4 addresses clash / jails not working after reboot…

07.03.2013 16:29, Yoann Gini wrote:
>
> On 7 March 2013 at 10:58, Boris Samorodov wrote:
>
>> 07.03.2013 12:48, Yoann Gini wrote:
>>
>>> I need to share this IP, I’ve only one and I would like to avoid playing with NAT…
>>
>> One IP may be shared but for different services (ports).
>
> That what I’ve understand and what I’ve planned.
>
>>> If someone have a idea…
>>
>> Give some more information:
>> 1. OS version, OS arch.
>
> FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
>> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
>
> What do you want in /etc ? Except the fstab, I don’t see any config here, the fstab look like that:
>
> /home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
> /usr/ports /home/jails/front0.public.example.com/usr/ports nullfs ro 0 0
>
> And here is the ezjail config
>
> export jail_front0_public_example_com_hostname="front0.public.example.com"
> export jail_front0_public_example_com_ip=« IPv6Prefix::80,SharedIPv4,10.42.0.2"
> export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
> export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
> export jail_front0_public_example_com_exec_stop=""
> export jail_front0_public_example_com_mount_enable="YES"
> export jail_front0_public_example_com_devfs_enable="YES"
> export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
> export jail_front0_public_example_com_procfs_enable="YES"
> export jail_front0_public_example_com_fdescfs_enable="YES"
> export jail_front0_public_example_com_image=""
> export jail_front0_public_example_com_imagetype=""
> export jail_front0_public_example_com_attachparams=""
> export jail_front0_public_example_com_attachblocking=""
> export jail_front0_public_example_com_forceblocking=""
> export jail_front0_public_example_com_zfs_datasets=""
> export jail_front0_public_example_com_cpuset=""
> export jail_front0_public_example_com_fib=""
>
>> 3. What do you want to achieve.
>
> I want a setup with:
> — srv0 listen only for SSH on a alternate port for supervision on public IPv4/6 ;
> — front0 to handle any public services (web, DNS, e-mail) on public IPv4/6 ;
> — service0 to handle internal services (git, redmine, AFP sharepoints…) on private IP and SSH on a other alternate port on public IPv4/6 ;
> — gateway0 to act as a VPN server and webproxy to secure access to private services on service0 and act as a secure gateway to encrypt network traffic for road-warriors on public network.
>
> In the end, I will dispatch those services on different server but for now I only access to one system, so I would like to prepare the setup to be dispatched on different hardware when the budget come.

That's all seems reasonable...

> Actually, if I remove the SharedIPv4 from the jails, it works.

Did you configure any sysctl parameters for jails?

--
WBR, Boris Samorodov (bsam)
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 21:51:04 2013
[88.177.115.91]) by mx.google.com with ESMTPS id eo1sm35902673wib.8.2013.03.07.13.51.01 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 07 Mar 2013 13:51:02 -0800 (PST) Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\)) Subject: =?windows-1252?Q?Re=3A_IPv4_addresses_clash_/_jails_not_working_?= =?windows-1252?Q?after_reboot=85?= From: Yoann Gini In-Reply-To: <5138C2D3.5080505@passap.ru> Date: Thu, 7 Mar 2013 22:51:00 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <03BF7864-47D6-42EE-B1A0-9E3A4E6B9AC7@gmail.com> References: <55865.68.255.104.38.1362619385.squirrel@cosmo.uchicago.edu> <6C130E1F-6CDC-4328-A300-5B483B8B4940@gmail.com> <513864D5.1070900@passap.ru> <5138C2D3.5080505@passap.ru> To: Boris Samorodov X-Mailer: Apple Mail (2.1499) Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Mar 2013 21:51:04 -0000 Le 7 mars 2013 =E0 17:39, Boris Samorodov a =E9crit : >> Actually, if I remove the SharedIPv4 from the jails, it works. >=20 > Did you configure any sysctl parameters for jails? Only security.jail.allow_raw_sockets=3D1 to allow me to ping from inside = a jail. 
From owner-freebsd-jail@FreeBSD.ORG Thu Mar 7 23:32:45 2013
Message-ID: <51392119.2090502@FreeBSD.org>
Date: Thu, 07 Mar 2013 16:22:01 -0700
From: Jamie Gritton
To: Yoann Gini
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…

On 03/07/13 05:29, Yoann Gini wrote:
>
> On 7 March 2013 at 10:58, Boris Samorodov wrote:
>
>> 07.03.2013 12:48, Yoann Gini wrote:
>>
>>> I need to share this IP, I’ve only one and I would like to avoid playing with NAT…
>>
>> One IP may be shared but for different services (ports).
>
> That’s what I’ve understood and what I’ve planned.
>
>>> If someone has an idea…
>>
>> Give some more information:
>> 1. OS version, OS arch.
>
> FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
>> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
>
> What do you want in /etc? Except for the fstab, I don’t see any config here; the fstab looks like this:
>
> /home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
> /usr/ports /home/jails/front0.public.example.com/usr/ports nullfs ro 0 0
>
> And here is the ezjail config
>
> export jail_front0_public_example_com_hostname="front0.public.example.com"
> export jail_front0_public_example_com_ip="IPv6Prefix::80,SharedIPv4,10.42.0.2"
> export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
> export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
> export jail_front0_public_example_com_exec_stop=""
> export jail_front0_public_example_com_mount_enable="YES"
> export jail_front0_public_example_com_devfs_enable="YES"
> export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
> export jail_front0_public_example_com_procfs_enable="YES"
> export jail_front0_public_example_com_fdescfs_enable="YES"
> export jail_front0_public_example_com_image=""
> export jail_front0_public_example_com_imagetype=""
> export jail_front0_public_example_com_attachparams=""
> export jail_front0_public_example_com_attachblocking=""
> export jail_front0_public_example_com_forceblocking=""
> export jail_front0_public_example_com_zfs_datasets=""
> export jail_front0_public_example_com_cpuset=""
> export jail_front0_public_example_com_fib=""
>
>> 3. What do you want to achieve.
>
> I want a setup with:
> — srv0 listening only for SSH on an alternate port for supervision on public IPv4/6;
> — front0 to handle any public services (web, DNS, e-mail) on public IPv4/6;
> — service0 to handle internal services (git, redmine, AFP sharepoints…) on private IP and SSH on another alternate port on public IPv4/6;
> — gateway0 to act as a VPN server and webproxy to secure access to private services on service0 and act as a secure gateway to encrypt network traffic for road-warriors on public network.
>
> In the end, I will dispatch those services on different servers, but for now I only have access to one system, so I would like to prepare the setup to be dispatched on different hardware when the budget comes.
>
> Actually, if I remove the SharedIPv4 from the jails, it works.
>
> I’ve investigated more on the open socket area and I think the problem comes from Apache, which still listens on *:* even if I’ve set a Listen directive…

You're allowed to have the same address in multiple jails, but only in the case of jails that have one address (i.e. one IPv4 address in this case). Jails with multiple IP addresses can't share any of those addresses with other jails. I don't know why it should work once and then not work later though.

The jail config you show has only a single jail, so I also wonder what it's clashing with - a clash is defined as the same IP address between two different jails. Are there other jail configs you didn't show?

Also, there's a chance a jail has been removed but is not yet gone (though I wouldn't expect that case in a reboot situation). Could you run "jls -dn" immediately after the failed jail start, and tell any output it gives?

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 8 02:53:08 2013
From: Mark Felder
To: Yoann Gini, Jamie Gritton
Cc: freebsd-jail@freebsd.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…
Date: Thu, 7 Mar 2013 20:53:00 -0600
In-Reply-To: <51392119.2090502@FreeBSD.org>

On Thu, 07 Mar 2013 17:22:01 -0600, Jamie Gritton wrote:

> You're allowed to have the same address in multiple jails, but only in
> the case of jails that have one address (i.e. one IPv4 address in this
> case).

Whoa, really? Why did I not know of those? I always thought each jail had to have its own IP! O_O

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 8 07:33:26 2013
From: Yoann Gini
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…
Date: Fri, 8 Mar 2013 08:33:23 +0100
Message-Id: <3A3AA496-E54D-4FEE-928C-C27B7EB3405F@gmail.com>
In-Reply-To: <51392119.2090502@FreeBSD.org>

Hi Jamie,

On 8 March 2013 at 00:22, Jamie Gritton wrote:

> You're allowed to have the same address in multiple jails, but only in
> the case of jails that have one address (i.e. one IPv4 address in this
> case). Jails with multiple IP addresses can't share any of those
> addresses with other jails. I don't know why it should work once and
> then not work later though.
>
> The jail config you show has only a single jail, so I also wonder what
> it's clashing with - a clash is defined as the same IP address between
> two different jails. Are there other jail configs you didn't show?

OK! That’s the point, I’ve shown only one of the configs because all the others are of the same kind. I wrote about it before, sorry if I was not clear.

So when using multiple IPs for jails, you can’t share one… That’s weird… But that’s the answer to my problems, I need to use NAT to solve that I imagine.

> Also, there's a chance a jail has been removed but is not yet gone
> (though I wouldn't expect that case in a reboot situation). Could you
> run "jls -dn" immediately after the failed jail start, and tell any
> output it gives?

Here is the output:

devfs_ruleset=0 nodying enforce_statfs=2 host=new ip4=new ip6=new jid=2 linux=new name=2 parent=0 path=/home/jails/front0.public.example.com nopersist securelevel=-1 allow.nochflags allow.nomount allow.mount.nodevfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.set_hostname allow.nosocket_af allow.sysvipc children.cur=0 children.max=0 cpuset.id=3 host.domainname="" host.hostid=0 host.hostname=front0.public.example.com host.hostuuid=00000000-0000-0000-0000-000000000000 ip4.addr=SharedIPv4,10.42.0.2 ip4.saddrsel ip6.addr=IPv6Prefix::80 ip6.saddrsel linux.osname=Linux linux.osrelease=2.6.16 linux.oss_version=198144

And here is the jails list:

STA JID  IP               Hostname                       Root Directory
--- ---- ---------------  ------------------------------ ------------------------
DS  N/A  IPv6Prefix::2220 service0.private.example.com   /home/jails/service0.private.example.com
    N/A  10.42.0.4
    N/A  SharedIPv4
DR  2    IPv6Prefix::80   front0.public.example.com      /home/jails/front0.public.example.com
    2    SharedIPv4
    2    10.42.0.2

I’ve removed the gateway one to move VPN services onto the host; what I read about VPN in jails seems too complicated.

Thanks for your help!!

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 8 07:48:49 2013
Message-ID: <513997DD.7010109@passap.ru>
Date: Fri, 08 Mar 2013 11:48:45 +0400
From: Boris Samorodov
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…
In-Reply-To: <51392119.2090502@FreeBSD.org>

08.03.2013 03:22, Jamie Gritton wrote:
> You're allowed to have the same address in multiple jails, but only in
> the case of jails that have one address (i.e. one IPv4 address in this
> case). Jails with multiple IP addresses can't share any of those
> addresses with other jails. I don't know why it should work once and
> then not work later though.

From JAIL(8):
-----
Jails have a set a core parameters, and kernel modules can add their own jail parameters. The current set of available parameters can be retrieved via “sysctl -d security.jail.param”. Any parameters not set will be given default values, often based on the current environment. The core parameters are:
[...]
ip4.addr
[...]
It is only possible to start multiple jails with the same IP address, if none of the jails has more than this single overlapping IP address assigned to itself.
-----

My interpretation of the manual page is: this restriction is valid only when the ip4.addr sysctl is used. Otherwise this restriction should be documented in another section (say, in DESCRIPTION).

--
WBR, Boris Samorodov (bsam)
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve
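
The sharing rule quoted from jail(8) in this thread, as an added example that is not part of any message above and is not ezjail or FreeBSD code: a Python pre-flight check that reads ezjail-style `jail_<name>_ip` lines and reports the jail pairs that would clash. The addresses are constructed stand-ins for the thread's redacted SharedIPv4 and IPv6Prefix values, the function names and the web1/web2 jails are hypothetical, and applying the rule separately per address family is an assumption based on Jamie's "one IPv4 address in this case" wording.

```python
"""Pre-flight check for the jail(8) address-sharing rule discussed in this thread."""
import ipaddress
import re
from itertools import combinations

# Constructed ezjail-style input. 192.0.2.10 and 2001:db8:: stand in for the
# thread's redacted SharedIPv4 / IPv6Prefix; web1 and web2 are hypothetical jails.
SAMPLE_CONFIG = '''
export jail_front0_public_example_com_ip="2001:db8::80,192.0.2.10,10.42.0.2"
export jail_service0_private_example_com_ip="2001:db8::2220,10.42.0.4,192.0.2.10"
export jail_web1_ip="198.51.100.7"
export jail_web2_ip="em0|198.51.100.7"
'''

IP_LINE = re.compile(r'^\s*(?:export\s+)?jail_(\w+)_ip="([^"]*)"\s*$')


def parse_jail_addresses(text):
    """Return {jail_name: {4: set_of_IPv4, 6: set_of_IPv6}} from ezjail config text."""
    jails = {}
    for line in text.splitlines():
        match = IP_LINE.match(line)
        if not match:
            continue
        name, value = match.groups()
        families = {4: set(), 6: set()}
        for entry in filter(None, (e.strip() for e in value.split(","))):
            # jail(8) also accepts "interface|address/netmask"; keep only the address.
            bare = entry.split("|")[-1].split("/")[0]
            address = ipaddress.ip_address(bare)  # raises ValueError on a malformed entry
            families[address.version].add(address)
        jails[name] = families
    return jails


def find_clashes(jails):
    """List (jail_a, jail_b, ip_version, shared_addresses) for every forbidden overlap.

    Rule from jail(8): two jails may share an address only if that address is
    the single one each of them holds. Assumption: checked per address family.
    """
    clashes = []
    for first, second in combinations(sorted(jails), 2):
        for version in (4, 6):
            a, b = jails[first][version], jails[second][version]
            shared = a & b
            if shared and (len(a) > 1 or len(b) > 1):
                clashes.append((first, second, version, [str(x) for x in sorted(shared)]))
    return clashes


if __name__ == "__main__":
    for first, second, version, shared in find_clashes(parse_jail_addresses(SAMPLE_CONFIG)):
        print(f"clash: {first} and {second} share IPv{version} {', '.join(shared)}")
```

Under the per-family assumption, removing the private 10.42.0.x address from both jails leaves the shared IPv4 address legal, because each jail then holds exactly one IPv4 address.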