From owner-freebsd-jail@FreeBSD.ORG Sun Mar 17 12:06:34 2013
From: Nicolas de Bari Embriz Garcia Rojas
Subject: jail.conf & cpuset.id
Message-Id: <076B486D-A526-4945-BA38-DD7167365749@inbox.im>
Date: Sun, 17 Mar 2013 11:59:46 +0000
To: freebsd-jail@freebsd.org

Hi, all,

I am starting to use jail.conf for running my jails; in rc.local I have this line

    jail -c

this is to start my jails at boot time (any better ideas?)

Now checking the man pages for jail I found an option that caught my attention, 'cpuset.id'. Any idea of how to use it?

I would like to find a way to prevent a root user within a jail from running a 'fork-bomb' and freezing the host server.

regards

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 11:06:44 2013
Date: Mon, 18 Mar 2013 11:06:43 GMT
Message-Id: <201303181106.r2IB6hXd002173@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/176482  jail       [jail] Jails not unmounting devfs on exit
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/176092  jail       [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail       [jail] jail should provide validator for jail names
o kern/174436  jail       [jail] Jails with numbers as names don't work
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

18 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 11:13:31 2013
Message-ID: <5146D126.8060306@gibfest.dk>
Date: Mon, 18 Mar 2013 09:32:38 +0100
From: Thomas Steen Rasmussen
To: freebsd-jail@FreeBSD.org
Subject: private IPC for every jail
Cc: pjd@freebsd.org

Hello there,

I noticed this old PR from 2003: http://bugs.freebsd.org/48471

This would solve a problem I currently have with zabbix2-agent, and it would make it easier for people running postgresql in jails and other stuff using IPC.

Any chance of seeing it committed? I've cc'ed the original author, who is now a committer himself :)

Thanks in advance!

/Thomas Steen Rasmussen

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 18:39:00 2013
Message-ID: <51475F42.6000005@a1poweruser.com>
Date: Mon, 18 Mar 2013 14:38:58 -0400
From: Fbsd8
To: freebsd-jail@freebsd.org
Subject: Handbook Jail Chapter rewrite available for critique

To all interested parties;

I have completed the final draft of the total rewrite of FreeBSD's handbook Chapter 16 on Jails.

Before submitting my work for submission to the documentation group for insertion in the handbook I am looking for critique of the work to find errors in concept, wrong use of words, or anything to make it better.

All feedback welcomed. Please email me directly so we keep the noise down on the mailing list.

Use this URL to access it http://www.jails.a1poweruser.com/

Thank You.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 19:57:22 2013
Date: Mon, 18 Mar 2013 19:16:55 -0000
Subject: Handbook Jail Chapter rewrite available for critique
From: sib@tormail.org
To: fbsd8@a1poweruser.com
Message-Id: <1UHfYF-000LVV-4Y@internal.tormail.org>
Cc: freebsd-jail@freebsd.org

On Mon, Mar 18, 2013 at 2:38 PM, Fbsd8 wrote:
> To all interested parties;
>
> I have completed the final draft of the total rewrite of FreeBSD's
> handbook Chapter 16 on Jails.
>
> Before submitting my work for submission to the documentation group for
> insertion in the handbook I am looking for critique of the work to find
> errors in concept, wrong use of words, or anything to make it better.
>
> All feedback welcomed. Please email me directly so we keep the noise down on the mailing list.
>
> Use this URL to access it http://www.jails.a1poweruser.com/
>
>
> Thank You.

Hi.

Has the documentation team approved any of this already? I've noticed a few mistakes ("Then about RELEASE 5.4," "from malice actions on a Local Are Network," spelling/grammar mistakes, many others) so I'm assuming not.

I also see you're pushing the sysutils/qjail port for users who don't want to configure things themselves. In my experience, ezjail is a much better solution. I also see that you are the maintainer/author of qjail and like to shovel your opinion as the only solution, both in this "rewrite" and all over the FreeBSD forums.

Do we even need an updated version? I trust the documentation team to write one much more than a biased port maintainer with a poor grasp of English. It's not my native language either, but this needs some serious work.

>Please email me directly so we keep the noise down on the mailing list.

This is funny.

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 20:02:07 2013
Message-ID: <514772B6.1000605@inbox.im>
Date: Mon, 18 Mar 2013 20:01:58 +0000
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@freebsd.org, Fbsd8
Subject: Re: Handbook Jail Chapter rewrite available for critique

Hi, nice document, related to the use of jail.con maybe the use of sysutils/jail2 could be mentioned since I think it makes things a little more easy.

related to this:
During the development of the jail.conf file method documented here, a few bugs came to light with the jail(8) program which the author has fixed, but which are not included in the 9.1-RELEASE. You can wait for the publishing of 9.2-RELEASE which will contain the updated version of jail(8) or you can download just the source for jail(8) and compile it to use on 9.1-RELEASE.

Can you please explain what are the bugs or any reference with more info?

also any idea/example of how to use the cpuset.id would be appreciated.

regards

On 03/18/2013 18:38, Fbsd8 wrote:
> To all interested parties;
>
> I have completed the final draft of the total rewrite of FreeBSD's
> handbook Chapter 16 on Jails.
>
> Before submitting my work for submission to the documentation group for
> insertion in the handbook I am looking for critique of the work to find
> errors in concept, wrong use of words, or anything to make it better.
>
> All feedback welcomed. Please email me directly so we keep the noise
> down on the mailing list.
>
> Use this URL to access it http://www.jails.a1poweruser.com/
>
>
> Thank You.
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 20:44:04 2013
Message-ID: <51477C93.8080303@a1poweruser.com>
Date: Mon, 18 Mar 2013 16:44:03 -0400
From: Fbsd8
To: Nicolas de Bari Embriz Garcia Rojas
Subject: Re: Handbook Jail Chapter rewrite available for critique
Cc: freebsd-jail@freebsd.org

Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, nice document, related to the use of jail.con maybe the use of
> sysutils/jail2 could be mentioned since I think it makes things a little more
> easy.

I don't know what you mean by "jail.con", but I have reviewed sysutils/jail2 which tries to work with the new /etc/jail.conf file and the jail(8) program. What's provided with the new handbook jail chapter surpasses what it does in my opinion.

>
> related to this:
> During the development of the jail.conf file method documented here, a
> few bugs came to light with the jail(8) program which the author has
> fixed, but which are not included in the 9.1-RELEASE. You can wait for
> the publishing of 9.2-RELEASE which will contain the updated version of
> jail(8) or you can download just the source for jail(8) and compile it
> to use on 9.1-RELEASE.
>
> Can you please explain what are the bugs are or any reference with more info?

There are no PRs on the bugs I have been working with Jamie Gritton on. He's the author of the jail(8) program. I don't see the need to list them here. But I can say downloading the jail(8) source and doing a make on it this morning has resolved many problems I was experiencing. One of the problems was fixed in the kernel source so downloading a fresh copy and recompiling your kernel will put you ahead of my testing bed. hahaha

>
> also any idea/example of how to use the cpuset.id would be appreciated.

As I read it, processes running on the host pretty much share all the CPUs across all tasks as they call for service. cpuset is already available at the host level if I remember correctly. cpuset.id provides a way to give a jail a larger slice of the time slice resources at a CPU level. In simple terms, make that jail run faster. On the other side of that same coin it could be used to limit what the jail would normally be getting. All depends how you code the parameter and how many jail definitions it's used in.

You may want to give this a try, it's already in 9.1
http://forums.freebsd.org/showthread.php?t=28871

Let me know if you have any success using it on jails.

Also if you have time, download those handbook scripts and play around and see if you like what they build for you.
>
> regards
>
>

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 21:19:25 2013
Date: Mon, 18 Mar 2013 21:16:33 -0000
Subject: Re: Handbook Jail Chapter rewrite available for critique
From: sib@tormail.org
To: fbsd8@a1poweruser.com
Message-Id: <1UHhQ1-000OHW-B4@internal.tormail.org>
Cc: freebsd-jail@freebsd.org

>"Fbsd8" wrote:
> This is my first public exposure. The Doc gang is seeing it for the
> first time just like you.

Gotcha.

>> I also see you're pushing the sysutils/qjail port for users who don't want
>> to configure things themselves. In my experience, ezjail is a much better
>> solution. I also see that you are the maintainer/author of qjail and like
>> to shovel your opinion as the only solution, both in this "rewrite" and
>> all over the FreeBSD forums.
>
> Maybe if you gave qjail a try you would have a different opinion of it.
> Every ezjail user who tries qjail stays with qjail. Maybe if you have
> read the online version of the handbook jail chapter you would see the
> doc team has no problem with recommending qjail.

The Ports section of the handbook mentions portmaster, portupgrade and maybe even some others. If you include more options than only the one you care about, maybe it could work. I have tried qjail, as have others I know. I'm just saying ezjail has been a lot better for my use case at a webhosting company, where we run many jails per server. You can say "everyone who tries it stays with it" but there's nothing backing that up... at all. I think the userbase is about as inflated as your ego as the author. I don't recommend things based on their author's views (else I wouldn't run OpenBSD firewalls :)) but the constant pushing of qjail as the way and the true light you do really turns me off from it.

>> Do we even need an updated version? I trust the documentation team to
>> write one much more than a biased port maintainer with a poor grasp of
>> English.
> You must be making a joke to think what is in the handbook jail chapter
> doesn't need to be redone.

It may need some additions with the recent improvements, but I doubt it needs a complete rewrite.

>> It's not my native language either, but this needs some serious
>> work.
>
> Hey dude, you're going into the un-professional area with comments like that.
>

The FreeBSD team has very high standards for the handbook and documentation in general. You're going into "the unprofessional area" by submitting poorly-written documentation to the project and sending your replies off-list.

>>> Please email me directly so we keep the noise down on the mailing list.
>>
>> This is funny.
>>
> The only thing funny is your post.
> Be constructive or I will ignore you.

It's only constructive if people agree with you, right?

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 21:51:28 2013
Message-ID: <51478C5F.4060708@a1poweruser.com>
Date: Mon, 18 Mar 2013 17:51:27 -0400
From: Fbsd8
To: sib@tormail.org
Subject: Re: Handbook Jail Chapter rewrite available for critique
Cc: freebsd-jail@freebsd.org

sib@tormail.org wrote:
>> "Fbsd8" wrote:
>> This is my first public exposure. The Doc gang is seeing it for the
>> first time just like you.
>
> Gotcha.
>
>>> I also see you're pushing the sysutils/qjail port for users who don't want
>>> to configure things themselves. In my experience, ezjail is a much better
>>> solution. I also see that you are the maintainer/author of qjail and like
>>> to shovel your opinion as the only solution, both in this "rewrite" and
>>> all over the FreeBSD forums.
>> Maybe if you gave qjail a try you would have a different opinion of it.
>> Every ezjail user who tries qjail stays with qjail. Maybe if you have
>> read the online version of the handbook jail chapter you would see the
>> doc team has no problem with recommending qjail.
>
> The Ports section of the handbook mentions portmaster, portupgrade and
> maybe even some others. If you include more options than only the one you
> care about, maybe it could work. I have tried qjail, as have others I
> know. I'm just saying ezjail has been a lot better for my use case at a
> webhosting company, where we run many jails per server. You can say
> "everyone who tries it stays with it" but there's nothing backing that
> up... at all. I think the userbase is about as inflated as your ego as the
> author. I don't recommend things based on their author's views (else I
> wouldn't run OpenBSD firewalls :)) but the constant pushing of qjail as
> the way and the true light you do really turns me off from it.
>
>>> Do we even need an updated version? I trust the documentation team to
>>> write one much more than a biased port maintainer with a poor grasp of
>>> English.
>> You must be making a joke to think what is in the handbook jail chapter
>> doesn't need to be redone.
>
> It may need some additions with the recent improvements, but I doubt it
> needs a complete rewrite.
>
>>> It's not my native language either, but this needs some serious
>>> work.
>> Hey dude, you're going into the un-professional area with comments like that.
>>
>
> The FreeBSD team has very high standards for the handbook and
> documentation in general. You're going into "the unprofessional area" by
> submitting poorly-written documentation to the project and sending your
> replies off-list.

At no time have I said I have submitted this to the doc guys, in fact the opposite is true. You even asked me to email you off list. Are you having old age short-term memory loss? Don't you read what you write before you re-post?

My sending you a reply off list was just trying to be considerate of your obvious bad manners. Maybe other readers of this list accept your bad manners but I don't.

You are not going to start a flame war with me. As far as I am concerned you are a flamer and have nothing of value to add. I am not going to feed you. You are hereby terminated from this thread and as such will be herewith ignored by me.

You're the one who posted this to the list, now the whole list will be exposed to your failed attempt at a flame war.

>
>>>> Please email me directly so we keep the noise down on the mailing list.
>>> This is funny.
>>>
>> The only thing funny is your post.
>> Be constructive or I will ignore you.
>
> It's only constructive if people agree with you, right?

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 18 23:21:13 2013
Message-ID: <5147A168.50408@a1poweruser.com>
Date: Mon, 18 Mar 2013 19:21:12 -0400
From: Fbsd8
To: freebsd-jail@freebsd.org
Subject: Re: Handbook Jail Chapter rewrite available for critique

Andreas Nilsson wrote:
> Great! There really was a need to modernize the handbook with regards to
> jails. Since I'm not a native English speaker I'll leave grammar and
> spelling for those who are ;)
>
> My first impressions are along the lines:
> Too much scripts, too few examples/scenarios. Our users are smart, show them
> what can be accomplished with "high-level" config, leave minutiae to some
> part of the appendix.

The complexities of a third generation jail system are impossible to explain from the command line. This is already stated in the document. Scripts are a more modern way to cover the overall subject without getting bogged down entering command line commands where the operator can make mistakes and typos and have to start from the beginning just to continue.

>
> Also the exclusion of zfs and vnet is surprising, as those really make
> jails shine, imo ( although jails really need to be taught about the
> "gray" area vis-a-vis networking in rc-scripts that vnet provides ). How
> about the resource control, which further makes jails really spiffy.

Well, let's start with what the documents say about vnet. It's "experimental". I tried to compile it into my test bed 9.1 kernel and the system panicked on first boot. Now really, let's get serious here. Why would I include something that is so obviously not ready for prime time? There is no way it should be used in a production jail system securing processes exposed to the public internet. It's a use at your own risk application. Maybe down the road when it grows up I will consider adding a sub-chapter about it. But for now it's a dead subject.

ZFS, here is another software application just newly introduced as experimental a few years ago. I admit it has come a long way in a short time and is now included in the base system. But it's a very big animal and the handbook zfs chapter needs a lot more usage information first. The jail chapter is not the place to be documenting how to utilize zfs.

Let's clear up some misconceptions. Jails can run on any host that has part or all of its hard drive space under zfs control. It has no effect on the jail filesystems, matter of fact the jail system is totally unaware it's on a zfs system. Mounting zfs spaces to the jail filesystem can be done from the host right now. The new jail.conf definition statements have the allow.mount.zfs parameter which allows the running jail to mount zfs space already defined within the running filesystem. It's my understanding it does not allow mounting zfs space from outside of the jailed filesystem. jail.conf does have some exec.* parameters for issuing commands to the host during the jail start process. zfs users have used these to automate mounting zfs data space to a jail's filesystem before the jail really comes to life. It's all in the jail(8) man page. I leave it up to the jail administrator to manage zfs for jail systems. Again it's not the jail's job to manage zfs.

>
> I would have preferred top-level separation of the different methods, ie
> after the introduction there was one "track" manual, one for old-school
> rc-, one for new-school rc- and one for jail.conf-style jails.
>
>
> More specifically I agree with Isaac Levy's, especially in regards to the
> "jail cell" terminology:
>
> "16.1 Synopsis": the term jail cell is used, long before being defined.
>
> "16.2 Introduction": Mentioning jail cells in a historic context is imho a
> "blatant" lie ( they were never known as such ). As far as I know, no
> official documentation has called them cells, either. That does not mean
> that it's not an appropriate term, though. As a contrast there is Solaris
> vocabulary of zones ( "cells" ) and global zone ( "jail system" ). In this
> regard I prefer the solaris one.
> Most importantly, a large chunk of 16.2 would imo fit much better as a
> "history"-appendix. Current and new users don't need to know and consider
> the limitations of earlier implementations. The "generations" talked about
> could perhaps be quantified with a release version :)

Read this section again. It's not meant to be a history lesson. It's meant to expose the reader to the progress of the chroot and how the jail filesystem of that time affected performance and ease of use, leading up to the third generation jail filesystem documented in the new jail chapter.

>
> There are, as stated by Isaac Levy, many (good) utils for managing jails.
> Why the focus on qjail? I also think that most of the strong points of
> jails are rendered moot without, in order, zfs and vimage. Linux jails
> might also interest quite a few people.

For real, Linux jails documented in the FreeBSD handbook? You have to be joking. Give qjail a ride and you will see that it's light years ahead of any of those ports you speak of.

>

You really have to take time and digest what you read. It has to be read as a whole, not as some limited selection of parts. It will all make sense after a few reads.

Thanks for the feedback.
Joe

From owner-freebsd-jail@FreeBSD.ORG Tue Mar 19 16:53:39 2013
Message-ID: <5148980A.1070408@erdgeist.org>
Date: Tue, 19 Mar 2013 17:53:30 +0100
From: Dirk Engling
To: sib@tormail.org
Subject: Re: Handbook Jail Chapter rewrite available for critique
References: <1UHfYF-000LVV-4Y@internal.tormail.org>
In-Reply-To:
 <1UHfYF-000LVV-4Y@internal.tormail.org>
Cc: freebsd-jail@freebsd.org

On 18.03.13 20:16, sib@tormail.org wrote:

> to configure things themselves. In my experience, ezjail is a much better
> solution. I also see that you are the maintainer/author of qjail and like
> to shovel your opinion as the only solution, both in this "rewrite" and
> all over the FreeBSD forums.

Taking a look at the qjail code I can not help to notice several odd
similarities with the ezjail-admin script, down to the very basic bail
out routines. I would not go so far to claim it was just a global
search/replace job but to me the code looks familiar enough to find the

# Copyright 2010, Qjail project. All rights reserved.

offensive. I am usually quite open with the license of my software,
beerware is as permissive as it gets. I just can not take some script
kiddie right out copying my code verbatim and selling it as his, not
even acknowledging me as the original author.

Anyone here with suggestions how to properly react to this kind of "fork"?

erdgeist

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 01:33:01 2013
From: Nicolas de Bari Embriz Garcia Rojas
Subject: how to measure bandwidth per jail
Date: Thu, 21 Mar 2013 01:26:13 +0000
Message-Id: <6C05923E-61FE-46BF-B006-DB078AAAFAA4@inbox.im>
To: freebsd-jail@freebsd.org

Hi, any tool, idea or method for measuring the bandwidth consumed per
jail ? (or by IP)

What about using pflow ( pseudo-device pflow) any advice ?

thanks in advance.

regards.
--
> nbari

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 07:35:37 2013
Date: Thu, 21 Mar 2013 18:35:22 +1100 (EST)
From: Ian Smith
To: Dirk Engling
Subject: Re: Handbook Jail Chapter rewrite available for critique
In-Reply-To:
 <5148980A.1070408@erdgeist.org>
Message-ID: <20130321170556.Q32142@sola.nimnet.asn.au>
References: <1UHfYF-000LVV-4Y@internal.tormail.org> <5148980A.1070408@erdgeist.org>
Cc: freebsd-jail@freebsd.org, freebsd-questions@freebsd.org, sib@tormail.org

On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> On 18.03.13 20:16, sib@tormail.org wrote:
>
> > to configure things themselves. In my experience, ezjail is a much better
> > solution. I also see that you are the maintainer/author of qjail and like
> > to shovel your opinion as the only solution, both in this "rewrite" and
> > all over the FreeBSD forums.
>
> Taking a look at the qjail code I can not help to notice several odd
> similarities with the ezjail-admin script, down to the very basic bail
> out routines. I would not go so far to claim it was just a global
> search/replace job but to me the code looks familiar enough to find the
>
> # Copyright 2010, Qjail project. All rights reserved.
>
> offensive. I am usually quite open with the license of my software,
> beerware is as permissive as it gets. I just can not take some script
> kiddie right out copying my code verbatim and selling it as his, not
> even acknowledging me as the original author.
>
> Anyone here with suggestions how to properly react to this kind of "fork"?

Yes. Publicity. Making sure the FreeBSD community gets to find out.

You may be polite and un-selfserving enough to not go so far Dirk, but I
will. Huge swathes of qjail are direct copies of your code, in most
cases only with the names of the variables changed from ezjail_* to
qjail_*. I found it cute renaming 'flavour' to the American spelling.

Anyone looking at bin/qjail from qjail-2.1.tbz alongside the latest
ezjail-admin (mine downloaded from your cvsweb) cannot fail to notice
within the first couple of screens.

Sure there are changes, additions and deletions, but to fail to
acknowledge the original authorship of this code, and the implication
that Joe Barbish (aka 'Qjail project') is its original author is
entirely outrageous; not ethical, even if legal.

To that end I'm cross-posting this to -questions, where Mr Barbish has
also posted about his proposed "rewrite" of Chapter 16 of the Handbook,
which is nothing but a huge and poorly written manual for 'the qjail
way', with its peculiar assumptions and unique "jailcell" terminology.
"Fourth Generation", no less!

The idea that the "doc gang" would entertain the idea of removing all of
the worthy content of the present Chapter 16 - even if it does need some
updating - and replace it with this effort is laughable, yet stranger
things have happened if there's any disconnect between developers and
documenters .. witness the Handbook firewalls section, by Joe Barbish.
cheers, Ian

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 13:32:45 2013
Message-ID: <514B09B2.70607@FreeBSD.org>
Date: Thu, 21 Mar 2013 07:22:58 -0600
From: Jamie Gritton
To: Nicolas de Bari Embriz Garcia Rojas
Subject: Re: jail.conf & cpuset.id
References: <076B486D-A526-4945-BA38-DD7167365749@inbox.im>
In-Reply-To: <076B486D-A526-4945-BA38-DD7167365749@inbox.im>
Cc: FreeBSD-Jail

On 03/17/13 05:59, Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, all, I am start using the jail.conf for running my jails, in rc.local I have this line jail -c this to start my jails at boot time (any better ideas)
>
> Now checking the man pages for the jail I found a option that cough my attention, 'cpuset.id' any idea of how to use it ?
>
> I would like to found a way to prevent a root user within a jail to run a 'fork-bum' and freeze the host server.

Take a look at cpuset(1). You use that utility (in the host environment)
to change the CPUs available to a jail. Don't worry about the cpuset.id
parameter itself - you don't need it. Just use cpuset's "-j" flag to
specify the jail itself (by jid only).

When you're starting jails in rc, add the appropriate cpuset commands as
an exec_poststart option. Such as:

jail_backtest_poststart0="cpuset -c -l1,3-7 -j`cat /var/run/jail_backtest.id`"

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 15:21:32 2013
In-Reply-To: <20130321170556.Q32142@sola.nimnet.asn.au>
References: <1UHfYF-000LVV-4Y@internal.tormail.org> <5148980A.1070408@erdgeist.org>
 <20130321170556.Q32142@sola.nimnet.asn.au>
Date: Thu, 21 Mar 2013 11:21:29 -0400
Subject: Re: Handbook Jail Chapter rewrite available for critique
From: Alejandro Imass
To: Ian Smith
Cc: freebsd-jail@freebsd.org, FreeBSD Questions, sib@tormail.org

On Thu, Mar 21, 2013 at 3:35 AM, Ian Smith wrote:
> On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> > On 18.03.13 20:16, sib@tormail.org wrote:
> >
> > > to configure things themselves. In my experience, ezjail is a much better
> > > solution. I also see that you are the maintainer/author of qjail and like
> > > to shovel your opinion as the only solution, both in this "rewrite" and
> > > all over the FreeBSD forums.

[...]

> >
> > # Copyright 2010, Qjail project. All rights reserved.
> >
> > offensive. I am usually quite open with the license of my software,
> > beerware is as permissive as it gets. I just can not take some script
> > kiddie right out copying my code verbatim and selling it as his, not
> > even acknowledging me as the original author.
> >
> > Anyone here with suggestions how to properly react to this kind of "fork"?
>
> Yes. Publicity. Making sure the FreeBSD community gets to finds out.
> [...]
> To that end I'm cross-posting this to -questions, where Mr Barbish has
> also posted about his proposed "rewrite" of Chapter 16 of the Handbook,
> which is nothing but a huge and poorly written manual for 'the qjail
> way', with its peculiar assumptions and unique "jailcell" terminology.
> "Fourth Generation", no less!
>

+1

Thank you Ian for cross-posting here. The first thing I did when I got
the new chapter for review was search for the word EzJail and I was
curious as to why EzJail is not mentioned anywhere in this new proposal
and why it isn't mentioned in the current handbook either under section
"16.5.2 High-Level Administrative Tools in the FreeBSD Ports
Collection".

If there is __any__ tool that should be mentioned in the jails chapter
it is EzJail because it's really easy to use and does a damn good job.
We've been using it in production __extensively__ since about 2010 and
the one and only issue we've had was probably related to some sort of
border-line bug with nullfs which has never happened since. We currently
run half a dozen servers with anywhere from 12 to 24 jails each and
we've only had a single isolated incident and it wasn't even related
directly to EzJail. We use flavours extensively and constantly derive
jails from others and move jails between servers, much like if we were
using VMWare; it's that easy, or easier, and works every time.

NOW some things start to make sense to me, when I posted a problem with
EzJail here last year that very few people, if any, knew what I was
talking about. And how could they? If it's not mentioned anywhere in the
handbook or that jail man page(s). In fact, looking back at this
thread[1] I can see that a great deal of misunderstanding and
unnecessary confusion could have been that the term "EzJail" meant
nothing to most people commenting on the thread. When I commented the
problem to Dirk he immediately recognized that it could have been a
problem with nullfs and so did "jb"[2], who not only immediately thought
of nullfs, but actually found some bugs that were very similar to my
situation[3], and which is BTW still open AFAICT.

Anyway, the point I'm trying to make is that it seems quite odd that
EzJail is not very publicized and I would like to see it prominently
mentioned in the handbook and man pages as a great tool for Jail
administration.
Thanks,

--
Alejandro Imass

[1] http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240468.html
    http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240501.html
    http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240551.html
[2] http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240566.html
    http://lists.freebsd.org/pipermail/freebsd-questions/2012-April/240569.html
[3] PR#147420 http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/147420

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 18:19:05 2013
Date: Thu, 21 Mar 2013 13:12:00 -0500
From: Scott Lambert
To: freebsd-jail@freebsd.org
Subject: Re: how to measure bandwidth per jail
Message-ID: <20130321181200.GG94452@www.jail.lambertfam.org>
References: <6C05923E-61FE-46BF-B006-DB078AAAFAA4@inbox.im>
In-Reply-To: <6C05923E-61FE-46BF-B006-DB078AAAFAA4@inbox.im>

On Thu, Mar 21, 2013 at 01:26:13AM +0000, Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, any tool, idea or method for measuring the bandwidth consumed per
> jail ? (or by IP)
>
> What about using pflow ( pseudo-device pflow) any advice ?

I found a thread about this topic yesterday via Google. It was on
the FreeBSD-ISP@frebbsd.org mailing list sometime in 2005 if I
remember correctly.

They came up with a few options

netflow,

counting rules in IPFW/pf/ipf

netstat -rni ( which gets you packet counts,
-rnbi gives you in-bytes and out-bytes)

bandwidthd (in ports I believe)

I suppose ntop could do similar things.

My favorite option was netstat -rnbi | awk '{print $8,$11}' and
feeding that to MRTG. I have not gotten it implemented yet.

One consideration is that on FreeBSD 8 and older, you don't get out
traffic per IP address with netstat, as far as I can tell. We're
moving to FreeBSD 9 pretty quickly anyway.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 18:27:30 2013
Message-ID: <514B510F.90702@inbox.im>
Date: Thu, 21 Mar 2013 18:27:27 +0000
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@freebsd.org
Subject: Re: how to measure bandwidth per jail
References: <6C05923E-61FE-46BF-B006-DB078AAAFAA4@inbox.im> <20130321181200.GG94452@www.jail.lambertfam.org>
In-Reply-To: <20130321181200.GG94452@www.jail.lambertfam.org>

Hi, one strange behavior I notice (FreeBSD 9.1) is that I don't see the
Obytes per IP only for the bce0 interface, but I do for the cloned
interface lo1:

here is a link with the output of netstat -ib http://pastebin.com/arrRsM78

any ideas ?

regards.

On 03/21/2013 18:12, Scott Lambert wrote:
> On Thu, Mar 21, 2013 at 01:26:13AM +0000, Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi, any tool, idea or method for measuring the bandwidth consumed per
>> jail ? (or by IP)
>>
>> What about using pflow ( pseudo-device pflow) any advice ?
> I found a thread about this topic yesterday via Google. It was on
> the FreeBSD-ISP@frebbsd.org mailing list sometime in 2005 if I
> remember correctly.
>
> They came up with a few options
>
> netflow,
>
> counting rules in IPFW/pf/ipf
>
> netstat -rni ( which gets you packet counts,
> -rnbi gives you in-bytes and out-bytes)
>
> bandwidthd (in ports I believe)
>
> I suppose ntop could do similar things.
>
> My favorite option was netstat -rnbi | awk '{print $8,$11}' and
> feeding that to MRTG. I have not gotten it implemented yet.
>
> One consideration is that on FreeBSD 8 and older, you don't get out
> traffic per IP address with netstat, as far as I can tell. We're
> moving to FreeBSD 9 pretty quickly anyway.
>

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 18:48:47 2013
In-Reply-To: <514B510F.90702@inbox.im>
References: <6C05923E-61FE-46BF-B006-DB078AAAFAA4@inbox.im> <20130321181200.GG94452@www.jail.lambertfam.org> <514B510F.90702@inbox.im>
Date: Thu, 21 Mar 2013 20:48:41 +0200
Subject: Re: how to measure bandwidth per jail
From: Sami Halabi
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org

Hi
Try jnettop from ports... exactly what you're looking at.
However it's old, so the counters are 32 bit rather than 64 which means
it's pretty effective on 100mbit links plus it's cpu consumer by design

Sami

On Mar 21, 2013 8:27 PM, "Nicolas de Bari Embriz Garcia Rojas" <nbari@inbox.im> wrote:

> Hi, one strange behavior I notice (freeBSD 9.1) is that I don't see the
> Obytes per IP only for the bce0 interface, but I do for the cloned
> interface lo1:
>
> here is a link with the output of netstat -ib http://pastebin.com/arrRsM78
>
> any ideas ?
>
> regards.
>
> On 03/21/2013 18:12, Scott Lambert wrote:
> > On Thu, Mar 21, 2013 at 01:26:13AM +0000, Nicolas de Bari Embriz Garcia
> Rojas wrote:
> >> Hi, any tool, idea or method for measuring the bandwidth consumed per
> >> jail ? (or by IP)
> >>
> >> What about using pflow ( pseudo-device pflow) any advice ?
> > I found a thread about this topic yesterday via Google. It was on
> > the FreeBSD-ISP@frebbsd.org mailing list sometime in 2005 if I
> > remember correctly.
> >
> > They came up with a few options
> >
> > netflow,
> >
> > counting rules in IPFW/pf/ipf
> >
> > netstat -rni ( which gets you packet counts,
> > -rnbi gives you in-bytes and out-bytes)
> >
> > bandwidthd (in ports I believe)
> >
> > I suppose ntop could do similar things.
> >
> > My favorite option was netstat -rnbi | awk '{print $8,$11}' and
> > feeding that to MRTG. I have not gotten it implemented yet.
> >
> > One consideration is that on FreeBSD 8 and older, you don't get out
> > traffic per IP address with netstat, as far as I can tell. We're
> > moving to FreeBSD 9 pretty quickly anyway.
> >

From owner-freebsd-jail@FreeBSD.ORG Thu Mar 21 18:49:25 2013
Date: Thu, 21 Mar 2013 13:49:24 -0500
From: Scott Lambert
To: freebsd-jail@freebsd.org
Subject: Re: how to measure bandwidth per jail
Message-ID: <20130321184924.GH94452@www.jail.lambertfam.org>
References: <6C05923E-61FE-46BF-B006-DB078AAAFAA4@inbox.im> <20130321181200.GG94452@www.jail.lambertfam.org> <514B510F.90702@inbox.im>
In-Reply-To: <514B510F.90702@inbox.im>

On Thu, Mar 21, 2013 at 06:27:27PM +0000, Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, one strange behavior I notice (freeBSD 9.1) is that I don't see the
> Obytes per IP only for the bce0 interface, but I do for the cloned
> interface lo1:
>
> here is a link with the output of netstat -ib http://pastebin.com/arrRsM78
>
> any ideas ?
Most of my jail host IPs are on lo0. Maybe you don't get out
accounting if the IP is in the same subnet on the same interface
with your gateway? Just a guess. I don't have any insight into how
it works.

I see the same behavior as you for IPs in the subnet with the default
gateway, even if specified with: ifconfig alias ip/32.

On the older boxes I have, all of the IPs were defined in the
interface's main subnet. I may have been seeing the same behaviour
but incorrectly ascribing it to the FreeBSD rev rather than how the
IPs were specified. I cannot test it today.

> On 03/21/2013 18:12, Scott Lambert wrote:
> > On Thu, Mar 21, 2013 at 01:26:13AM +0000, Nicolas de Bari Embriz Garcia Rojas wrote:
> >> Hi, any tool, idea or method for measuring the bandwidth consumed per
> >> jail ? (or by IP)
> >>
> >> What about using pflow ( pseudo-device pflow) any advice ?
> > I found a thread about this topic yesterday via Google. It was on
> > the FreeBSD-ISP@frebbsd.org mailing list sometime in 2005 if I
> > remember correctly.
> >
> > They came up with a few options
> >
> > netflow,
> >
> > counting rules in IPFW/pf/ipf
> >
> > netstat -rni ( which gets you packet counts,
> > -rnbi gives you in-bytes and out-bytes)
> >
> > bandwidthd (in ports I believe)
> >
> > I suppose ntop could do similar things.
> >
> > My favorite option was netstat -rnbi | awk '{print $8,$11}' and
> > feeding that to MRTG. I have not gotten it implemented yet.
> >
> > One consideration is that on FreeBSD 8 and older, you don't get out
> > traffic per IP address with netstat, as far as I can tell. We're
> > moving to FreeBSD 9 pretty quickly anyway.
> > -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 00:06:43 2013 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 86A3B150; Fri, 22 Mar 2013 00:06:43 +0000 (UTC) (envelope-from 000.fbsd@quip.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) by mx1.freebsd.org (Postfix) with ESMTP id D81CB2B4; Fri, 22 Mar 2013 00:06:42 +0000 (UTC) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id E1C3828428; Fri, 22 Mar 2013 00:59:53 +0100 (CET) Received: from [192.168.1.2] (unknown [89.177.49.222]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 5152E28422; Fri, 22 Mar 2013 00:59:51 +0100 (CET) Message-ID: <514B9EF6.3000607@quip.cz> Date: Fri, 22 Mar 2013 00:59:50 +0100 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14 MIME-Version: 1.0 To: Harald Schmalzbauer , Jamie Gritton , freebsd-jail@freebsd.org, freebsd-stable@freebsd.org Subject: Re: new jail(8) ignoring devfs_ruleset? 
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org>
In-Reply-To: <20130219212430.GA92116@felucia.tataz.chchile.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 22 Mar 2013 00:06:43 -0000

Jeremie Le Hen wrote:
> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>> Hello,
>>>>
>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>> jail.conf capabilities. Thanks for that extension!
>>>>
>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>> If I list /dev/ I see all the host's disk devices etc.
>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>> Inside the jail,
>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>> But like mentioned, I can access all devices...
>>>>
>>>> Thanks for any help,
>>>>
>>>> -Harry
>>>
>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>> that set in jail.conf?
>>
>> Thanks for your response.
>>
>> Yes, I have mount.devfs; set.
>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>> intended, right?
>> Another notable discrepancy: The man page tells that devfs_ruleset is "4"
>> by default.
>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>> 'sysctl security.jail.devfs_ruleset': 0
>> When set, like mentioned above, it returns the corresponding value, but
>> it doesn't have any effect.
>> How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
>> to help finding the source, but have missed the whole new jail evolution...
>> Inside my jails, I don't have a fstab, outside I have them defined and
>> enabled with "mount" - and noticed the non-reverted umounting.
>
> Look at what's in /dev from your jail. There should be a few pseudo
> devices (see below), but no real devices:
>
> $ ls /dev
> crypto log ptmx random stdin urandom zfs
> fd null pts stderr stdout zero

I can confirm mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC

I am now testing new jail.conf possibilities and I am seeing all devices
in /dev in jail.

Even if I set all this in my jail.conf

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;
allow.set_hostname = false;

path = "/vol0/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab = "/etc/fstab.$name";

## Jail bali
bali {
host.hostname = "bali.XXXXXXX.YY";
ip4.addr = xx.xx.xx.xx;
devfs_ruleset = 4;
}


# jexec 4 tcsh

root@bali:/ # ls -l /dev/
total 4
crw-r--r-- 1 root wheel 0, 35 Mar 1 19:39 acpi
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad10 -> ada3
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s1 -> ada3s1
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1a -> ada3s1a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1b -> ada3s1b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1d -> ada3s1d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1e -> ada3s1e
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1f -> ada3s1f
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s1g -> ada3s1g
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad10s2 -> ada3s2
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2a -> ada3s2a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2b -> ada3s2b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2d -> ada3s2d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad10s2e -> ada3s2e
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad4 -> ada0
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad6 -> ada1
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 ad8 -> ada2
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s1 -> ada2s1
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1a -> ada2s1a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1b -> ada2s1b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1d -> ada2s1d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1e -> ada2s1e
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1f -> ada2s1f
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s1g -> ada2s1g
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 ad8s2 -> ada2s2
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2a -> ada2s2a
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2b -> ada2s2b
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2d -> ada2s2d
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 ad8s2e -> ada2s2e
crw-r----- 1 root operator 0, 106 Mar 1 19:39 ada0
crw-r----- 1 root operator 0, 108 Mar 1 19:39 ada1
crw-r----- 1 root operator 0, 114 Mar 1 19:39 ada2
crw-r----- 1 root operator 0, 120 Mar 1 19:39 ada2s1
crw-r----- 1 root operator 0, 130 Mar 1 19:39 ada2s1a
crw-r----- 1 root operator 0, 132 Mar 1 19:39 ada2s1b
crw-r----- 1 root operator 0, 134 Mar 1 19:39 ada2s1d
crw-r----- 1 root operator 0, 136 Mar 1 19:39 ada2s1e
crw-r----- 1 root operator 0, 138 Mar 1 19:39 ada2s1f
crw-r----- 1 root operator 0, 140 Mar 1 19:39 ada2s1g
crw-r----- 1 root operator 0, 122 Mar 1 19:39 ada2s2
crw-r----- 1 root operator 0, 142 Mar 1 19:39 ada2s2a
crw-r----- 1 root operator 0, 144 Mar 1 19:39 ada2s2b
crw-r----- 1 root operator 0, 146 Mar 1 19:39 ada2s2d
crw-r----- 1 root operator 0, 148 Mar 1 19:39 ada2s2e
crw-r----- 1 root operator 0, 116 Mar 1 19:39 ada3
crw-r----- 1 root operator 0, 124 Mar 1 19:39 ada3s1
crw-r----- 1 root operator 0, 150 Mar 1 19:39 ada3s1a
crw-r----- 1 root operator 0, 154 Mar 1 19:39 ada3s1b
crw-r----- 1 root operator 0, 156 Mar 1 19:39 ada3s1d
crw-r----- 1 root operator 0, 161 Mar 1 19:39 ada3s1e
crw-r----- 1 root operator 0, 165 Mar 1 19:39 ada3s1f
crw-r----- 1 root operator 0, 167 Mar 1 19:39 ada3s1g
crw-r----- 1 root operator 0, 126 Mar 1 19:39 ada3s2
crw-r----- 1 root operator 0, 170 Mar 1 19:39 ada3s2a
crw-r----- 1 root operator 0, 173 Mar 1 19:39 ada3s2b
crw-r----- 1 root operator 0, 175 Mar 1 19:39 ada3s2d
crw-r----- 1 root operator 0, 177 Mar 1 19:39 ada3s2e
crw------- 1 root kmem 0, 19 Mar 1 19:39 audit
crw------- 1 root wheel 0, 11 Mar 1 19:39 bpf
lrwxr-xr-x 1 root wheel 3 Mar 22 00:46 bpf0 -> bpf
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 cam
crw-r----- 1 root operator 0, 118 Mar 1 19:39 cd0
crw-r----- 1 root operator 0, 208 Mar 1 19:39 cd1
crw------- 1 root wheel 0, 5 Mar 22 00:43 console
crw------- 1 root wheel 0, 60 Mar 1 19:39 consolectl
crw-rw-rw- 1 root wheel 0, 10 Mar 1 19:39 ctty
crw-rw---- 1 uucp dialer 0, 41 Mar 1 19:39 cuau0
crw-rw---- 1 uucp dialer 0, 42 Mar 1 19:39 cuau0.init
crw-rw---- 1 uucp dialer 0, 43 Mar 1 19:39 cuau0.lock
crw-rw---- 1 uucp dialer 0, 64 Mar 1 19:39 cuau1
crw-rw---- 1 uucp dialer 0, 65 Mar 1 19:39 cuau1.init
crw-rw---- 1 uucp dialer 0, 66 Mar 1 19:39 cuau1.lock
crw-r----- 1 root operator 0, 209 Mar 1 19:39 da0
crw-r----- 1 root operator 0, 210 Mar 1 19:39 da1
crw------- 1 root wheel 0, 20 Mar 1 19:39 dcons
crw------- 1 root wheel 0, 4 Mar 1 19:39 devctl
cr-------- 1 root wheel 0, 100 Mar 1 19:39 devstat
crw------- 1 root wheel 0, 21 Mar 1 19:39 dgdb
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 fd
crw------- 1 root wheel 0, 15 Mar 1 19:39 fido
crw-r----- 1 root operator 0, 3 Mar 1 19:39 geom.ctl
crw------- 1 root wheel 0, 28 Mar 1 19:39 io
lrwxr-xr-x 1 root wheel 5 Mar 22 00:46 kbd0 -> ukbd0
lrwxr-xr-x 1 root wheel 7 Mar 22 00:46 kbd1 -> kbdmux0
crw------- 1 root wheel 0, 13 Mar 1 19:39 kbdmux0
crw------- 1 root wheel 0, 9 Mar 1 19:39 klog
crw-r----- 1 root kmem 0, 17 Mar 1 19:39 kmem
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 led
crw------- 1 root wheel 0, 72 Mar 1 19:39 mdctl
crw-r----- 1 root kmem 0, 16 Mar 1 19:39 mem
crw-rw-rw- 1 root wheel 0, 7 Mar 1 19:39 midistat
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 mirror
crw------- 1 root kmem 0, 18 Mar 1 19:39 nfslock
crw-rw-rw- 1 root wheel 0, 22 Mar 22 00:55 null
crw------- 1 root operator 0, 101 Mar 1 19:39 pass0
crw------- 1 root operator 0, 102 Mar 1 19:39 pass1
crw------- 1 root operator 0, 103 Mar 1 19:39 pass2
crw------- 1 root operator 0, 104 Mar 1 19:39 pass3
crw------- 1 root operator 0, 105 Mar 1 19:39 pass4
crw------- 1 root operator 0, 185 Mar 1 19:39 pass5
crw------- 1 root operator 0, 206 Mar 1 19:39 pass6
crw------- 1 root operator 0, 207 Mar 1 19:39 pass7
crw-r--r-- 1 root wheel 0, 24 Mar 1 19:39 pci
crw------- 1 root wheel 0, 194 Mar 1 19:40 pf
crw-rw-rw- 1 root wheel 0, 25 Mar 1 19:39 ptmx
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 pts
crw-rw-rw- 1 root wheel 0, 26 Mar 1 20:40 random
cr--r--r-- 1 root wheel 0, 6 Mar 1 19:39 sndstat
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stderr -> fd/2
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdin -> fd/0
lrwxr-xr-x 1 root wheel 4 Mar 22 00:46 stdout -> fd/1
crw------- 1 root wheel 0, 8 Mar 1 19:39 sysmouse
crw------- 1 root wheel 0, 38 Mar 1 19:39 ttyu0
crw------- 1 root wheel 0, 39 Mar 1 19:39 ttyu0.init
crw------- 1 root wheel 0, 40 Mar 1 19:39 ttyu0.lock
crw------- 1 root wheel 0, 61 Mar 1 19:39 ttyu1
crw------- 1 root wheel 0, 62 Mar 1 19:39 ttyu1.init
crw------- 1 root wheel 0, 63 Mar 1 19:39 ttyu1.lock
crw------- 1 root wheel 0, 44 Mar 1 19:40 ttyv0
crw------- 1 root wheel 0, 45 Mar 1 19:40 ttyv1
crw------- 1 root wheel 0, 46 Mar 1 19:40 ttyv2
crw------- 1 root wheel 0, 47 Mar 1 19:40 ttyv3
crw------- 1 root wheel 0, 48 Mar 1 19:40 ttyv4
crw------- 1 root wheel 0, 49 Mar 1 19:40 ttyv5
crw------- 1 root wheel 0, 50 Mar 1 19:40 ttyv6
crw------- 1 root wheel 0, 51 Mar 1 19:40 ttyv7
crw------- 1 root wheel 0, 52 Mar 1 19:39 ttyv8
crw------- 1 root wheel 0, 53 Mar 1 19:39 ttyv9
crw------- 1 root wheel 0, 54 Mar 1 19:39 ttyva
crw------- 1 root wheel 0, 55 Mar 1 19:39 ttyvb
crw------- 1 root wheel 0, 56 Mar 1 19:39 ttyvc
crw------- 1 root wheel 0, 57 Mar 1 19:39 ttyvd
crw------- 1 root wheel 0, 58 Mar 1 19:39 ttyve
crw------- 1 root wheel 0, 59 Mar 1 19:39 ttyvf
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufs
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 ufsid
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen0.1 -> usb/0.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.1 -> usb/1.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen1.2 -> usb/1.2.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen2.1 -> usb/2.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.1 -> usb/3.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen3.2 -> usb/3.2.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen4.1 -> usb/4.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen5.1 -> usb/5.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen6.1 -> usb/6.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.1 -> usb/7.1.0
lrwxr-xr-x 1 root wheel 9 Mar 22 00:46 ugen7.2 -> usb/7.2.0
crw------- 1 root wheel 0, 163 Mar 1 19:39 ukbd0
crw-r--r-- 1 root operator 0, 169 Mar 1 19:39 ums0
crw-r--r-- 1 root operator 0, 172 Mar 1 19:39 ums1
lrwxr-xr-x 1 root wheel 6 Mar 22 00:46 urandom -> random
dr-xr-xr-x 2 root wheel 512 Mar 22 00:46 usb
crw-r--r-- 1 root operator 0, 70 Mar 1 19:39 usbctl
crw------- 1 root wheel 0, 69 Mar 1 19:39 vboxdrv
crw------- 1 root wheel 0, 196 Mar 1 19:40 vboxnetctl
crw------- 1 root operator 0, 71 Mar 1 19:39 xpt0
crw-rw-rw- 1 root wheel 0, 23 Mar 1 19:39 zero


Is it a problem in my understanding of manpage / configuration, or is it
a bug in jail command on 9.1-RELEASE?

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 00:09:55 2013
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 1554429B; Fri, 22 Mar 2013 00:09:55 +0000 (UTC) (envelope-from jamie@FreeBSD.org)
Received: from m2.gritton.org (gritton.org [199.192.164.235]) by mx1.freebsd.org (Postfix) with ESMTP id EC0E42D5; Fri, 22 Mar 2013 00:09:54 +0000 (UTC)
Received: from glorfindel.gritton.org (c-174-52-130-157.hsd1.ut.comcast.net [174.52.130.157]) (authenticated bits=0) by m2.gritton.org (8.14.5/8.14.5) with ESMTP id r2M09qW6033575; Thu, 21 Mar 2013 18:09:53 -0600 (MDT) (envelope-from jamie@FreeBSD.org)
Message-ID: <514BA14F.3090609@FreeBSD.org>
Date: Thu, 21 Mar 2013 18:09:51 -0600
From: Jamie Gritton
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.24) Gecko/20120129 Thunderbird/3.1.16
MIME-Version: 1.0
To: Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: new jail(8) ignoring devfs_ruleset?
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org> <514B9EF6.3000607@quip.cz>
In-Reply-To: <514B9EF6.3000607@quip.cz>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Harald Schmalzbauer , freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 22 Mar 2013 00:09:55 -0000

On 03/21/13 17:59, Miroslav Lachman wrote:
> Jeremie Le Hen wrote:
>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>> Hello,
>>>>>
>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
>>>>> jail.conf capabilities. Thanks for that extension!
>>>>>
>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>> If I list /dev/ I see all the host's disk devices etc.
>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>> Inside the jail,
>>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>>> But like mentioned, I can access all devices...
>>>>>
>>>>> Thanks for any help,
>>>>>
>>>>> -Harry
>>>>
>>>> devfs_ruleset is only used along with mount.devfs - do you also have
>>>> that set in jail.conf?
>>>
>>> Thanks for your response.
>>>
>>> Yes, I have mount.devfs; set.
>>> Otherwise I wouldn't have any device inside my jail. Verified - and like
>>> intended, right?
>>> Another notable discrepancy: The man page tells that devfs_ruleset is "4"
>>> by default.
>>> But when I don't set devfs_ruleset in jail.conf at all, inside the jail,
>>> 'sysctl security.jail.devfs_ruleset': 0
>>> When set, like mentioned above, it returns the corresponding value, but
>>> it doesn't have any effect.
>>> How does devfs_ruleset get handled? Does jail(8) do the whole job? I'd like
>>> to help finding the source, but have missed the whole new jail
>>> evolution...
>>> Inside my jails, I don't have a fstab, outside I have them defined and
>>> enabled with "mount" - and noticed the non-reverted umounting.
>>
>> Look at what's in /dev from your jail. There should be a few pseudo
>> devices (see below), but no real devices:
>>
>> $ ls /dev
>> crypto log ptmx random stdin urandom zfs
>> fd null pts stderr stdout zero
>
> I can confirm mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC
>
> I am now testing new jail.conf possibilities and I am seeing all devices
> in /dev in jail.
>
> Even if I set all this in my jail.conf
>
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> devfs_ruleset = 4;
> allow.set_hostname = false;
>
> path = "/vol0/jail/$name";
> exec.consolelog = "/var/log/jail/$name.console";
> mount.fstab = "/etc/fstab.$name";
>
> ## Jail bali
> bali {
> host.hostname = "bali.XXXXXXX.YY";
> ip4.addr = xx.xx.xx.xx;
> devfs_ruleset = 4;
> }
>
>
>
>
>
> # jexec 4 tcsh
>
> root@bali:/ # ls -l /dev/
>
>
>
> Is it a problem in my understanding of manpage / configuration, or is it
> a bug in jail command on 9.1-RELEASE?
>
> Miroslav Lachman

It's a bug (deficiency) in the jail command.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 00:20:44 2013
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id AC5585D9; Fri, 22 Mar 2013 00:20:44 +0000 (UTC) (envelope-from 000.fbsd@quip.cz)
Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) by mx1.freebsd.org (Postfix) with ESMTP id 6D97733E; Fri, 22 Mar 2013 00:20:44 +0000 (UTC)
Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id F07AB28422; Fri, 22 Mar 2013 01:20:42 +0100 (CET)
Received: from [192.168.1.2] (unknown [89.177.49.222]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 02D1728429; Fri, 22 Mar 2013 01:20:41 +0100 (CET)
Message-ID: <514BA3D9.5010901@quip.cz>
Date: Fri, 22 Mar 2013 01:20:41 +0100
From: Miroslav Lachman <000.fbsd@quip.cz>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.19) Gecko/20110420 Lightning/1.0b1 SeaMonkey/2.0.14
MIME-Version: 1.0
To: Jamie Gritton
Subject: Re: new jail(8) ignoring devfs_ruleset?
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org> <514B9EF6.3000607@quip.cz> <514BA14F.3090609@FreeBSD.org>
In-Reply-To: <514BA14F.3090609@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Harald Schmalzbauer , freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 22 Mar 2013 00:20:44 -0000

Jamie Gritton wrote:
> On 03/21/13 17:59, Miroslav Lachman wrote:
>> Jeremie Le Hen wrote:
>>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>>> Hello,
>>>>>>
>>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8)
>>>>>> and
>>>>>> jail.conf capabilities. Thanks for that extension!
>>>>>>
>>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>>> If I list /dev/ I see all the host's disk devices etc.
>>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>>> Inside the jail,
>>>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>>>> But like mentioned, I can access all devices...

[...]

>> I can confirm mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC
>>
>> I am now testing new jail.conf possibilities and I am seeing all devices
>> in /dev in jail.
>>
>> Even if I set all this in my jail.conf
>>
>> exec.start = "/bin/sh /etc/rc";
>> exec.stop = "/bin/sh /etc/rc.shutdown";
>> exec.clean;
>> mount.devfs;
>> devfs_ruleset = 4;
>> allow.set_hostname = false;
>>
>> path = "/vol0/jail/$name";
>> exec.consolelog = "/var/log/jail/$name.console";
>> mount.fstab = "/etc/fstab.$name";
>>
>> ## Jail bali
>> bali {
>> host.hostname = "bali.XXXXXXX.YY";
>> ip4.addr = xx.xx.xx.xx;
>> devfs_ruleset = 4;
>> }

[...]

>> Is it a problem in my understanding of manpage / configuration, or is it
>> a bug in jail command on 9.1-RELEASE?
>>
>> Miroslav Lachman
>
> It's a bug (deficiency) in the jail command.

Is there a workaround or is it impossible to use jails with devfs on
FreeBSD 9.1?
Shouldn't it be mentioned in 9.1 errata?

Is it fixed in stable/9?

Thank you for your reply and your great work on new jails!

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 00:46:59 2013
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id ACEBE9A2; Fri, 22 Mar 2013 00:46:59 +0000 (UTC) (envelope-from jamie@FreeBSD.org)
Received: from m2.gritton.org (gritton.org [199.192.164.235]) by mx1.freebsd.org (Postfix) with ESMTP id 6D07D3FF; Fri, 22 Mar 2013 00:46:59 +0000 (UTC)
Received: from glorfindel.gritton.org (c-174-52-130-157.hsd1.ut.comcast.net [174.52.130.157]) (authenticated bits=0) by m2.gritton.org (8.14.5/8.14.5) with ESMTP id r2M0kvMm034059; Thu, 21 Mar 2013 18:46:58 -0600 (MDT) (envelope-from jamie@FreeBSD.org)
Message-ID: <514BAA01.20402@FreeBSD.org>
Date: Thu, 21 Mar 2013 18:46:57 -0600
From: Jamie Gritton
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.24) Gecko/20120129 Thunderbird/3.1.16
MIME-Version: 1.0
To: Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: new jail(8) ignoring devfs_ruleset?
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org> <514B9EF6.3000607@quip.cz> <514BA14F.3090609@FreeBSD.org> <514BA3D9.5010901@quip.cz> In-Reply-To: <514BA3D9.5010901@quip.cz> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Harald Schmalzbauer , freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Mar 2013 00:46:59 -0000 On 03/21/13 18:20, Miroslav Lachman wrote: > Jamie Gritton wrote: >> On 03/21/13 17:59, Miroslav Lachman wrote: >>> Jeremie Le Hen wrote: >>>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote: >>>>> schrieb Jamie Gritton am 16.02.2013 00:40 (localtime): >>>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote: >>>>>>> Hello, >>>>>>> >>>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8) >>>>>>> and >>>>>>> jail.conf capabilities. Thanks for that extension! >>>>>>> >>>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored. >>>>>>> If I list /dev/ I see all the hosts disk devices etc. >>>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf. >>>>>>> Inside the jail, >>>>>>> sysctl security.jail.devfs_ruleset returnes "1". >>>>>>> But like mentioned, I can access all devices... > > [...] > >>> I can confirm mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC >>> >>> I am now testing new jail.conf possibilities and I am seeing all devices >>> in /dev in jail. 
>>>
>>> Even if I set all this in my jail.conf
>>>
>>> exec.start = "/bin/sh /etc/rc";
>>> exec.stop = "/bin/sh /etc/rc.shutdown";
>>> exec.clean;
>>> mount.devfs;
>>> devfs_ruleset = 4;
>>> allow.set_hostname = false;
>>>
>>> path = "/vol0/jail/$name";
>>> exec.consolelog = "/var/log/jail/$name.console";
>>> mount.fstab = "/etc/fstab.$name";
>>>
>>> ## Jail bali
>>> bali {
>>> host.hostname = "bali.XXXXXXX.YY";
>>> ip4.addr = xx.xx.xx.xx;
>>> devfs_ruleset = 4;
>>> }
>
> [...]
>
>>> Is it a problem in my understanding of manpage / configuration, or is it
>>> a bug in jail command on 9.1-RELEASE?
>>
>> It's a bug (deficiency) in the jail command.
>
> Is there a workaround or is it impossible to use jails with devfs on
> FreeBSD 9.1?
> Shouldn't it be mentioned in 9.1 errata?
>
> Is it fixed in stable/9?
>
> Thank you for your reply and your great work on new jails!

It's not fixed anywhere yet - it sometimes works in current, and
sometimes doesn't. I've been meaning to patch it up, but if the problem
is what I think it is, the patching up is a pretty big operation.

It doesn't mean you can't use jails with devfs in 9.1, just that you
can't use them with jail.conf. The old jail rc file that's all
shell-based is still the official jail startup method, and that one
still works. So existing systems will still work as expected, hence no
errata.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 11:25:56 2013
Message-ID: <514C3FB8.1090906@inbox.im>
Date: Fri, 22 Mar 2013 11:25:44 +0000
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@freebsd.org
Subject: numeric jail name in jail.conf

Hi, when using numeric names for jails, something like:

10 {
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    ....
}

20 {
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    ....
}

the name (numeric) becomes the jail ID, therefore when I type a jls
command I see 10 and 20 as the jail IDs.

My question is, is this the proper way to explicitly set the id when
using jail.conf?

For me, this has been working fine and I can match the jail ids to use
rctl on every reboot, but I just want to be sure if this is the correct
way of doing it.

thanks in advance.
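
The numeric-name scheme in the message above only helps if every rctl rule still points at a jail that exists. As an added example (not code from the thread), this sh/awk script cross-checks a jail.conf against an rctl.conf. The file contents, the jail `30`, the stale rule for `40` and the function names `list_jails` and `audit` are constructed for illustration; rule subjects are matched on the jail name, which is how rctl(8) documents the jail subject-id.

```shell
#!/bin/sh
# Added example: cross-check rctl.conf jail rules against jail.conf.
# Limits of this sketch: only "#" comments are stripped, and braces or
# semicolons inside quoted values are not supported.

# list_jails FILE: print the name of every jail block, one per line.
# The block label is the name unless the block sets "name = ...;".
list_jails() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    { sub(/#.*/, ""); text = text " " $0 }    # join the file, drop comments
    END {
        gsub(/[{};]/, "\n&\n", text)          # isolate braces and semicolons
        n = split(text, tok, "\n")
        for (i = 1; i <= n; i++) {
            t = trim(tok[i])
            if (t == "") continue
            if (t == "{") { blk = prev; name = prev; prev = "" }
            else if (t == "}") {
                # the "*" block holds defaults and is not a jail
                if (blk != "" && blk != "*") print name
                blk = ""
            }
            else if (t == ";") {
                eq = index(prev, "=")
                if (blk != "" && eq > 0 &&
                    trim(substr(prev, 1, eq - 1)) == "name") {
                    name = trim(substr(prev, eq + 1))
                    gsub(/"/, "", name)
                }
                prev = ""
            }
            else prev = t
        }
    }' "$1"
}

# audit JAILCONF RCTLCONF: print one finding per line.
#   ORPHAN_RULE <rule>  the rule names a jail that jail.conf does not define
#   NO_MAXPROC <jail>   the jail has no maxproc deny rule
audit() {
    list_jails "$1" | awk -F: '
    mode == "jails" { known[$1] = 1; order[++nj] = $1; next }
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "jail" {
        if (!($2 in known)) print "ORPHAN_RULE " $0
        else if ($3 == "maxproc" && $4 ~ /^deny=/) capped[$2] = 1
    }
    END {
        for (i = 1; i <= nj; i++)
            if (!(order[i] in capped)) print "NO_MAXPROC " order[i]
    }' mode=jails - mode=rules "$2"
}

# Constructed sample files modelled on the layout used in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/jail.conf" <<'EOF'
* {
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
## numeric names, as in the post
10 { path = "/jails/10"; }
20 { path = "/jails/20"; }
30 { path = "/jails/30"; }
EOF

cat > "$tmp/rctl.conf" <<'EOF'
jail:10:maxproc:deny=100
jail:10:memoryuse:deny=512M
jail:30:maxproc:deny=100
jail:40:swapuse:deny=1G
EOF

audit "$tmp/jail.conf" "$tmp/rctl.conf"
```

On a host, call `audit` with the real jail.conf and rctl.conf paths after each change to either file.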

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 13:04:06 2013
Date: Sat, 23 Mar 2013 00:03:49 +1100 (EST)
From: Ian Smith
To: Alejandro Imass
Subject: Re: Handbook Jail Chapter rewrite available for critique
Message-ID: <20130322220317.A32142@sola.nimnet.asn.au>
Cc: freebsd-jail@freebsd.org, FreeBSD Questions, sib@tormail.org

On Thu, 21 Mar 2013 11:21:29 -0400, Alejandro Imass wrote:
> On Thu, Mar 21, 2013 at 3:35 AM, Ian Smith wrote:
> > On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:

[.. also chopping mercilessly ..]

> > > # Copyright 2010, Qjail project. All rights reserved.
> > >
> > > offensive. I am usually quite open with the license of my software,
> > > beerware is as permissive as it gets. I just can not take some script
> > > kiddie right out copying my code verbatim and selling it as his, not
> > > even acknowledging me as the original author.
> > >
> > > Anyone here with suggestions how to properly react to this kind of "fork"?
> >
> > Yes. Publicity. Making sure the FreeBSD community gets to find out.
> >
> > [...]
>
> > To that end I'm cross-posting this to -questions, where Mr Barbish has
> > also posted about his proposed "rewrite" of Chapter 16 of the Handbook,
> > which is nothing but a huge and poorly written manual for 'the qjail
> > way', with its peculiar assumptions and unique "jailcell" terminology.
> > "Fourth Generation", no less!
> >
>
> +1
>
> Thank you Ian for cross-posting here.
>
> The first thing I did when I got the new chapter for review was search
> for the word EzJail and I was curious as to why EzJail is not
> mentioned anywhere in this new proposal and why it isn't mentioned in
> the current handbook either under in section "16.5.2 High-Level
> Administrative Tools in the FreeBSD Ports Collection". If there is
> __any__ tool that should be mentioned in the jails chapter it is
> EzJail because it's really easy to use and does a damn good job.

Actually, ezjail has been explicitly mentioned in '16.6 Application of
Jails' http://www.freebsd.org/doc/handbook/jails-application.html since
revision 30226 by danger, Mon May 28 20:02:46 2007 UTC, which section
was just 6 weeks ago updated with a (preceding) similar port reference
to qjail: http://svnweb.freebsd.org/doc?view=revision&revision=40900

[..]

> NOW some things start to make sense to me, when I posted a problem
> with EzJail here last year that very few people, if any, knew what I
> was talking about. And how could they? if it's not mentioned anywhere
> in the handbook or that jail man page(s).

man pages aren't an appropriate place to recommend particular ports;
there are others, and there will be more.
The above are mentioned in the handbook page in the context of simpler
alternatives to following the more detailed procedures presented to
actually teach one how jail technology may be implemented, which - in my
view - is the Good Stuff.

There have been about 20 messages in freebsd-jail@ referring to ezjail
this year so far before this thread, as in previous years; try browsing
the archives from http://lists.freebsd.org/pipermail/freebsd-jail/

OTOH, I've seen no prior posts in jail@ about qjail before this thread.

cheers, Ian

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 13:15:41 2013
In-Reply-To: <20130322220317.A32142@sola.nimnet.asn.au>
Date: Fri, 22 Mar 2013 09:15:40 -0400
Subject: Re: Handbook Jail Chapter rewrite available for critique
From: Alejandro Imass
To: Ian Smith
Cc: freebsd-jail@freebsd.org, FreeBSD Questions, sib@tormail.org

On Fri, Mar 22, 2013 at 9:03 AM, Ian Smith wrote:
> On Thu, 21 Mar 2013 11:21:29 -0400, Alejandro Imass wrote:
> > On Thu, Mar 21, 2013 at 3:35 AM, Ian Smith wrote:
> > > On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> [...]
>> mentioned anywhere in this new proposal and why it isn't mentioned in
>> the current handbook either under in section "16.5.2 High-Level
>> Administrative Tools in the FreeBSD Ports Collection". If there is
>> __any__ tool that should be mentioned in the jails chapter it is

[..]

> Actually, ezjail has been explicitly mentioned in '16.6 Application of
> Jails' http://www.freebsd.org/doc/handbook/jails-application.html since
> revision 30226 by danger, Mon May 28 20:02:46 2007 UTC, which section
> was just 6 weeks ago updated with a (preceding) similar port reference
> to qjail: http://svnweb.freebsd.org/doc?view=revision&revision=40900
>

Never seen it before. First time I read about service jails it wasn't
there. Further to my point doesn't it make more sense to mention them
under "16.5.2 High-Level Administrative Tools in the FreeBSD Ports
Collection" or in both places?

[...]
>
> There have been about 20 messages in freebsd-jail@ referring to ezjail
> this year so far before this thread, as in previous years; try browsing
> the archives from http://lists.freebsd.org/pipermail/freebsd-jail/
>

I posted on the wrong list then ;-) Subscribing today, thanks!

--
Alejandro Imass

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 14:23:47 2013
In-Reply-To: <514C3B05.8060402@inbox.im>
Date: Fri, 22 Mar 2013 16:23:46 +0200
Subject: Re: how to measure bandwidth per jail
From: Sami Halabi
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org

Jnettop has the ability to:
Measure bandwidth/packets in particular interface.
Simply use:
0,1..9 to switch between interfaces.
p to switch between packets/bandwidth
b to measure in bytes/bits

You better define your local ips in the .jnettop file, once that done
your measures would be more accurate specially when you aggregate
traffic (in local/remote) by ip/protocol...

Additional option is content filter mainly in web traffic.
You can also add custom ips to measure using .jnettop file.

Sami

On Mar 22, 2013 1:05 PM, "Nicolas de Bari Embriz Garcia Rojas" <nbari@inbox.im> wrote:
> Hi, I tried jnettop but is something like 'trafshow', I am searching
> something like vnstat, that could help me measure the rx/tx & total
> consumed bandwidth.
>
> any ideas?
>
>
>
> On 03/21/2013 18:48, Sami Halabi wrote:
>
> Hi
> Try jnettop from ports... exactly what you're looking at.
>
> However it's old, so the counters are 32 bit rather than 64 which means its
> pretty effective on 100mbit links
> plus its cpu consumer by design
> Sami
> On Mar 21, 2013 8:27 PM, "Nicolas de Bari Embriz Garcia Rojas" <nbari@inbox.im> wrote:
>
>> Hi, one strange behavior I notice (freeBSD 9.1) is that I don't see the
>> Obytes per IP only for the bce0 interface, but I do for the cloned
>> interface lo1:
>>
>> here is a link with the output of netstat -ib
>> http://pastebin.com/arrRsM78
>>
>> any ideas ?
>>
>> regards.
>>
>> On 03/21/2013 18:12, Scott Lambert wrote:
>> > On Thu, Mar 21, 2013 at 01:26:13AM +0000, Nicolas de Bari Embriz Garcia Rojas wrote:
>> >> Hi, any tool, idea or method for measuring the bandwidth consumed per
>> >> jail ? (or by IP)
>> >>
>> >> What about using pflow ( pseudo-device pflow) any advice ?
>> > I found a thread about this topic yesterday via Google. It was on
>> > the FreeBSD-ISP@frebbsd.org mailing list sometime in 2005 if I
>> > remember correctly.
>> >
>> > They came up with a few options
>> >
>> > netflow,
>> >
>> > counting rules in IPFW/pf/ipf
>> >
>> > netstat -rni ( which gets you packet counts,
>> > -rnbi gives you in-bytes and out-bytes)
>> >
>> > bandwidthd (in ports I believe)
>> >
>> > I suppose ntop could do similar things.
>> >
>> > My favorite option was netstat -rnbi | awk '{print $8,$11}' and
>> > feeding that to MRTG. I have not gotten it implemented yet.
>> >
>> > One consideration is that on FreeBSD 8 and older, you don't get out
>> > traffic per IP address with netstat, as far as I can tell. We're
>> > moving to FreeBSD 9 pretty quickly anyway.
>> >
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 22:12:20 2013
Message-ID: <514CD742.7030207@a1poweruser.com>
Date: Fri, 22 Mar 2013 18:12:18 -0400
From: Fbsd8
To: freebsd-jail@freebsd.org
Subject: Re: Handbook Jail Chapter rewrite available for critique
In-Reply-To: <20130321170556.Q32142@sola.nimnet.asn.au>
Cc: Ian Smith

Ian Smith wrote:
> On Tue, 19 Mar 2013 17:53:30 +0100, Dirk Engling wrote:
> > On 18.03.13 20:16, sib@tormail.org wrote:
> >
> > > to configure things themselves. In my experience, ezjail is a much better
> > > solution. I also see that you are the maintainer/author of qjail and like
> > > to shovel your opinion as the only solution, both in this "rewrite" and
> > > all over the FreeBSD forums.
> >
> > Taking a look at the qjail code I can not help to notice several odd
> > similarities with the ezjail-admin script, down to the very basic bail
> > out routines. I would not go so far to claim it was just a global
> > search/replace job but to me the code looks familiar enough to find the
> >
> > # Copyright 2010, Qjail project. All rights reserved.
> >
> > offensive. I am usually quite open with the license of my software,
> > beerware is as permissive as it gets. I just can not take some script
> > kiddie right out copying my code verbatim and selling it as his, not
> > even acknowledging me as the original author.
> >
> > Anyone here with suggestions how to properly react to this kind of "fork"?
>
> Yes. Publicity. Making sure the FreeBSD community gets to find out.
>
> You may be polite and un-selfserving enough to not go so far Dirk, but
> I will. Huge swathes of qjail are direct copies of your code, in most
> cases only with the names of the variables changed from ezjail_* to
> qjail_*. I found it cute renaming 'flavour' to the American spelling.
>
> Anyone looking at bin/qjail from qjail-2.1.tbz alongside the latest
> ezjail-admin (mine downloaded from your cvsweb) cannot fail to notice
> within the first couple of screens. Sure there are changes, additions
> and deletions, but to fail to acknowledge the original authorship of
> this code, and the implication that Joe Barbish (aka 'Qjail project') is
> its original author is entirely outrageous; not ethical, even if legal.
>
> To that end I'm cross-posting this to -questions, where Mr Barbish has
> also posted about his proposed "rewrite" of Chapter 16 of the Handbook,
> which is nothing but a huge and poorly written manual for 'the qjail
> way', with its peculiar assumptions and unique "jailcell" terminology.
> "Fourth Generation", no less!
>
> The idea that the "doc gang" would entertain the idea of removing all of
> the worthy content of the present Chapter 16 - even if it does need some
> updating - and replace it with this effort is laughable, yet stranger
> things have happened if there's any disconnect between developers and
> documenters .. witness the Handbook firewalls section, by Joe Barbish.
>
> cheers, Ian
>

Boy this simple critique request sure has gotten out of hand.
So lets set the record straight.

On the subject ezjail not being referenced in the document like it is in
the current version of the online handbook is just a writing content
error. The document being critiqued is the first public draft. Pointing
out oversights like not including ezjail in that section is the type of
constructive feedback that is desired. Any inference it was done on
purpose is just crazy.

When it comes to the question of the handbook jail chapter needing
updating, A member of the document team has already offered to partner up
with me to get it added to the handbook as fast as possible. To me that
means the document team is already aware the current handbook jail
chapter is outdated and has just been waiting for someone to write an
update which is just what I did. If you people have a beef with that,
take it up with the document team not me. If any of you think you can do
a better job then NOW is the time to step up or shut up.

On the subject of qjail being a fork of ezjail, of course it is. Qjail
was developed by the qjail project team who are a group of FreeBSD users
who live around Angeles City, Philippines.
Of the seven members 2 are foreigners living in the area, one American
and one British. Our British member concluded that the author of ezjail
must be British based solely on the spelling of the flavour directory.
He also convinced us that his Beerware license was British humor, a
joke, and should not be taken serious. In our review of other jail ports
we did not see this Beerware license again or for that matter, see it in
any of the 5000+ ports we looked at or use. So the group coincided to
the British member's view point as sound advice.

If you inspect the qjail source, you should recognize the comments at
the beginning as a copy of what is included in every FreeBSD config
file. It was inserted in the front like they have. We thought that was
how you make software opensource which was the intention. There are no
formal copyright documents; it's just an extrapolation from the FreeBSD
comments. Maybe our local view of worldly subjects like this is not
correct, so please forgive us and help us learn what the accepted
viewpoint should be. I was chosen the project leader and public voice
only because my English was the best among us.

If the Freebsd comments section is not appropriate to include qjail
under Freebsd opensource type of license, then we can change the
comments to say "totally free to do as you wish as opensource" and leave
it at that. If something else is needed, please inform what that is by
private email. To continue this subject in public is not appropriate.
Please respect our wish in this matter.

This is to Ian Smith, your tone and uncalled for content is very
un-professional and borders on slander. In some circles it would label
you as a flame war inciter and get you banned from the list. Best you
read what you write before posting it so you can reconsider the tone of
what you have written. Please present a more professional manner in your
list post content.
Thank you Ian for your attention to this matter in future posts to this
list and any other Freebsd lists you may belong to.

Joe

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 22:35:17 2013
Date: Fri, 22 Mar 2013 22:32:23 -0000
Subject:
From: sib@tormail.org
To: fbsd8@a1poweruser.com
Message-Id: <1UJAVb-000I81-FX@internal.tormail.org>
Cc: freebsd-jail@freebsd.org, smithi@nimnet.asn.au

On Fri, Mar 22, 2013 at 6:12 PM, Fbsd8 wrote:
> Boy this simple critique request sure has gotten out of hand. So lets
> set the record straight.

You got exactly what you asked for.

> On the subject ezjail not being referenced in the document like it is in
> the current version of the online handbook is just a writing content
> error.

With all the spam you've put on the forums and mailing list(s) about
qjail, I wonder how true it is that you just "whoops, forgot to mention
ezjail" in your propaganda rewrite.

> When it comes to the question of the handbook jail chapter needing
> updating, A member of the document team has already offered to partner up
> with me to get it added to the handbook as fast as possible.

The documentation team will never accept such poorly-written stuff that's
laced with "use qjail use qjail use qjail - it's the only way!" I'll
believe it when I see it.

> On the subject of qjail being a fork of ezjail, of course it is.

Forks don't completely overwrite the copyright of a project and claim it
as their own, while just changing variable names and renaming the tool
something else. This is not a fork, it's a complete rip-off that gives no
credit to the original author (who did MUCH more of the work).

> Qjail was developed by the qjail project team

No it wasn't. It was developed by the ezjail author, and you just made
small changes and called it your own.

> Our British member concluded that the author of ezjail must be British
> based solely on the spelling of the flavour directory. He also convinced
> us that his Beerware license was British humor, a joke, and should not be
> taken serious.

I think the GPL is a joke, but people still take it seriously. You can't
just decide a license should be completely ignored.

> I was chosen the project leader and public voice only because my English
> was the best among us.

It gives me a headache trying to read some of the stuff you write. You've
got an American guy and a British guy and neither of their native English
is better than yours?

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 22:49:48 2013
Message-ID: <514CE002.8030408@inbox.im>
Date: Fri, 22 Mar 2013 22:49:38 +0000
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@freebsd.org
Subject: Re:
In-Reply-To: <1UJAVb-000I81-FX@internal.tormail.org>

Guys, please don't take me bad, but better stop this "@%!" and use your
talent to help me find a way to properly measure bandwidth per jails in
a long period.

I am using sysutils/jail2 port to start/stop jails, My working
configuration so far is this:

I use the jid so that later I can use in /etc/rctl.conf with something
like:

jail:30:maxproc:deny=100
jail:30:memoryuse:deny=512M
jail:30:swapuse:deny=1G

my jail.conf looks like

8<----------
* {
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    allow.raw_sockets;
    securelevel = 3;
}

www {
    jid = 10;
    name = www;
    host.hostname = $name.localbox.org;
    ip4.addr = 174.143.193.60;
    path = /jails/www;
    mount.fstab="/etc/fstab.$name";
}

vpn {
    jid = 20;
    name = vpn;
    host.hostname = $name.localbox.org;
    ip4.addr = 174.143.193.57, 10.216.28.77;
    path = /jails/vpn;
    mount.fstab="/etc/fstab.$name";
}

guest {
    jid = 30;
    name = guest;
    host.hostname = $name.localbox.org;
    ip4.addr = 174.143.193.61;
    path = /jails/guest;
    mount.fstab="/etc/fstab.$name";
}
8<----------

On 03/22/2013 22:32, sib@tormail.org wrote:
> On Fri, Mar 22, 2013 at 6:12 PM, Fbsd8 wrote:
>> Boy this simple critique request sure has gotten out of hand. So lets
>> set the record straight.
>
> You got exactly what you asked for.
>
>> On the subject ezjail not being referenced in the document like it is in
>> the current version of the online handbook is just a writing content
>> error.
>
> With all the spam you've put on the forums and mailing list(s) about
> qjail, I wonder how true it is that you just "whoops, forgot to mention
> ezjail" in your propaganda rewrite.
>
>> When it comes to the question of the handbook jail chapter needing
>> updating, A member of the document team has already offered to partner up
>> with me to get it added to the handbook as fast as possible.
> The documentation team will never accept such poorly-written stuff that's
> laced with "use qjail use qjail use qjail - it's the only way!" I'll
> believe it when I see it.
>
>> On the subject of qjail being a fork of ezjail, of course it is.
> Forks don't completely overwrite the copyright of a project and claim it
> as their own, while just changing variable names and renaming the tool
> something else. This is not a fork, it's a complete rip-off that gives no
> credit to the original author (who did MUCH more of the work).
>
>> Qjail was developed by the qjail project team
> No it wasn't. It was developed by the ezjail author, and you just made
> small changes and called it your own.
>
>> Our British member concluded that the author of ezjail must be British
>> based solely on the spelling of the flavour directory. He also convinced
>> us that his Beerware license was British humor, a joke, and should not be
>> taken serious.
>
> I think the GPL is a joke, but people still take it seriously. You can't
> just decide a license should be completely ignored.
>
>> I was chosen the project leader and public voice only because my English
>> was the best among us.
>
> It gives me a headache trying to read some of the stuff you write. You've
> got an American guy and a British guy and neither of their native English
> is better than yours?
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From owner-freebsd-jail@FreeBSD.ORG Sat Mar 23 00:39:40 2013
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 380FCB81 for ; Sat, 23 Mar 2013 00:39:40 +0000 (UTC) (envelope-from fbsd8@a1poweruser.com)
Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 262F4FBD for ; Sat, 23 Mar 2013 00:39:39 +0000 (UTC)
Received: from [10.0.10.1] ([173.88.202.176]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 22 Mar 2013 17:39:40 -0700
Message-ID: <514CF9C9.2060701@a1poweruser.com>
Date: Fri, 22 Mar 2013 20:39:37 -0400
From: Fbsd8
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: sib@tormail.org
Subject: Re: Handbook Jail Chapter rewrite available for critique
References: <1UJAVb-000I81-FX@internal.tormail.org>
In-Reply-To: <1UJAVb-000I81-FX@internal.tormail.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 23 Mar 2013 00:39:40.0867 (UTC) FILETIME=[E7BD3930:01CE275E]
X-Sender: fbsd8@a1poweruser.com
X-Authenticated-Sender: fbsd8@a1poweruser.com
X-EchoSenderHash: [fbsd8]-[a1poweruser*com]
Cc: freebsd-jail@freebsd.org, smithi@nimnet.asn.au
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 23 Mar 2013 00:39:40 -0000

sib@tormail.org wrote:
> On Fri, Mar 22, 2013 at 6:12 PM, Fbsd8 wrote:
>> Boy this simple critique request sure has gotten out of hand. So let's
> set the record straight.
>
> You got exactly what you asked for.
>
>> On the subject ezjail not being referenced in the document like it is in
> the current version of the online handbook is just a writing content
> error.
>
> With all the spam you've put on the forums and mailing list(s) about
> qjail, I wonder how true it is that you just "whoops, forgot to mention
> ezjail" in your propaganda rewrite.
>
>> When it comes to the question of the handbook jail chapter needing
>> updating, A member of the document team has already offered to partner up
>> with me to get it added to the handbook as fast as possible.
>
> The documentation team will never accept such poorly-written stuff that's
> laced with "use qjail use qjail use qjail - it's the only way!" I'll
> believe it when I see it.
>
>> On the subject of qjail being a fork of ezjail, of course it is.
>
> Forks don't completely overwrite the copyright of a project and claim it
> as their own, while just changing variable names and renaming the tool
> something else. This is not a fork, it's a complete rip-off that gives no
> credit to the original author (who did MUCH more of the work).
>
>> Qjail was developed by the qjail project team
>
> No it wasn't. It was developed by the ezjail author, and you just made
> small changes and called it your own.
>
>> Our British member concluded that the author of ezjail must be British
> based solely on the spelling of the flavour directory. He also convinced
> us that his Beerware license was British humor, a joke, and should not be
> taken serious.
>
> I think the GPL is a joke, but people still take it seriously. You can't
> just decide a license should be completely ignored.
>
>> I was chosen the project leader and public voice only because my English
> was the best among us.
>
> It gives me a headache trying to read some of the stuff you write. You've
> got an American guy and a British guy and neither of their native English
> is better than yours?
>
>
>

Sib, your unfounded ranting and raving only demonstrates you are off your medication for your antisocial behavior mental condition. Sending the above post to the list after removing the subject line to hide from your fellow list subscribers only confirms your mental condition. I have re-applied the correct subject line so the list readers can see how sick you really are.

Your post is unprofessional and borders on slander. In some circles it would label you as a flame war inciter and get you banned from the list. Best you read what you write before posting it so you can reconsider the tone of what you have written. Please present a more professional manner in your list post content. Thank you in advance for your attention to this matter in future posts to this list and any other FreeBSD lists you may belong to.

If you are unable to control your antisocial impulses I suggest you seek medical treatment immediately before you do bodily harm to yourself or to someone who loves you. I am only expressing my concern for your physical and mental health well-being.

If you continue to pursue this nonsense your actions will force me to contact the list administrator to have you banned. This is your only warning.

From owner-freebsd-jail@FreeBSD.ORG Sat Mar 23 05:43:20 2013
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 2E7A443C for ; Sat, 23 Mar 2013 05:43:20 +0000 (UTC) (envelope-from jamie@FreeBSD.org)
Received: from m2.gritton.org (gritton.org [199.192.164.235]) by mx1.freebsd.org (Postfix) with ESMTP id 1011B209 for ; Sat, 23 Mar 2013 05:43:19 +0000 (UTC)
Received: from glorfindel.gritton.org (c-174-52-130-157.hsd1.ut.comcast.net [174.52.130.157]) (authenticated bits=0) by m2.gritton.org (8.14.5/8.14.5) with ESMTP id r2N5hBWX061170; Fri, 22 Mar 2013 23:43:11 -0600 (MDT) (envelope-from jamie@FreeBSD.org)
Message-ID: <514D40ED.6060809@FreeBSD.org>
Date: Fri, 22 Mar 2013 23:43:09 -0600
From: Jamie Gritton
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.24) Gecko/20120129 Thunderbird/3.1.16
MIME-Version: 1.0
To: freebsd-jail@FreeBSD.org
Subject: Re: numeric jail name in jail.conf
References: <514C3FB8.1090906@inbox.im>
In-Reply-To: <514C3FB8.1090906@inbox.im>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 23 Mar 2013 05:43:20 -0000

On 03/22/13 05:25, Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, when using numeric names for jails, something like:
>
> 10 {
>     exec.start = "/bin/sh /etc/rc";
>     exec.stop = "/bin/sh /etc/rc.shutdown";
>     ....
> }
>
> 20 {
>     exec.start = "/bin/sh /etc/rc";
>     exec.stop = "/bin/sh /etc/rc.shutdown";
>     ....
> }
>
> the name (numeric) becomes the jail ID, therefore when I type a jls
> command I see the 10 and 20 as the jails' IDs,
>
> My question is, is this the proper way to explicitly set the id when
> using jail.conf ?
>
> For me, this has been working fine and I can match the jail ids to use
> rctl on every reboot, but just want to be sure if this is the correct
> way of doing it.
>
> thanks in advance.

That's a fine and proper way to do it. You can also set it in the body of the jail definition with e.g. "jid = 10". For that matter, these two definitions are nearly equivalent:

    10 { name = "foo"; ... }
    foo { jid = 10; ... }

I say "nearly" because while they'll create the same jail, you would use 10 or foo respectively on the command line if you were operating on one of them. For example, if you wanted to start only one jail in a conf file, "jail -c foo" would work only for the second definition.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sat Mar 23 21:09:35 2013
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 7278F5F5 for ; Sat, 23 Mar 2013 21:09:35 +0000 (UTC) (envelope-from nbari@inbox.im)
Received: from us3.route.mx (us3.route.mx [107.21.107.127]) by mx1.freebsd.org (Postfix) with ESMTP id 39D78864 for ; Sat, 23 Mar 2013 21:09:34 +0000 (UTC)
Received: (route-mx 18858 invoked from network); 23 Mar 2013 21:09:28 -0000
Received: from unknown (HELO [192.168.1.100]) (nbari@route.mx@route.mx) (envelope-sender ) by us3.route.mx (route-mx) with AES128-SHA encrypted SMTP for ; 23 Mar 2013 21:09:27 -0000
From: Nicolas de Bari Embriz Garcia Rojas
Content-Type: multipart/signed; boundary="Apple-Mail=_E6A56524-8D1F-4B68-A748-7B95F1D2319F"; protocol="application/pgp-signature"; micalg=pgp-sha512
Subject: zfs quota per user
Date: Sat, 23 Mar 2013 21:09:21 +0000
Message-Id:
To: freebsd-jail@freebsd.org
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 23 Mar 2013 21:09:35 -0000

Hi, it is possible to have quotas per user inside a jail using zfs?

I don't want to create a zfs file system for each user I just want to apply, let's say a quota of 100M per account. (like UFS quotas) but within a jail

any ideas ?

--
> nbari
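
An added example, not part of any message in this thread: a small Python check that applies Jamie Gritton's explanation of numeric block labels versus "jid = N" to a jail.conf, then reports whether each "jail:" rule in an rctl.conf refers to a defined jail by its name, by its jid, or to no jail at all. The sample files are constructed, the function names are hypothetical, and the parser handles only the simple "label { param = value; }" subset used in the thread.

```python
import re

# Constructed sample input modelled on the thread's jail.conf and rctl.conf.
JAIL_CONF = """
* { exec.clean; mount.devfs; securelevel = 3; }
10 { name = "foo"; path = /jails/foo; }
guest { jid = 30; path = /jails/guest; }
www { path = /jails/www; }
"""
RCTL_CONF = """
jail:foo:maxproc:deny=100
jail:30:memoryuse:deny=512M
jail:mail:swapuse:deny=1G
"""

BLOCK = re.compile(r'([\w*.-]+)\s*\{([^}]*)\}')
PARAM = re.compile(r'([\w.]+)\s*(?:=\s*"?([^";]*)"?)?\s*;')

def resolve_jails(conf):
    """Return one dict per jail: block label (command-line handle), name, jid."""
    jails = []
    for label, body in BLOCK.findall(conf):
        if label == "*":          # wildcard block holds defaults, not a jail
            continue
        params = {k: v.strip() for k, v in PARAM.findall(body)}
        # A numeric label sets the jid, any other label sets the name;
        # explicit "jid" / "name" parameters in the body take precedence.
        jid = params.get("jid") or (label if label.isdigit() else None)
        name = params.get("name") or (label if not label.isdigit() else jid)
        jails.append({"label": label, "name": name, "jid": jid})
    return jails

def check_rules(rctl_conf, jails):
    """Map each jail: rule to (label, 'name' or 'jid'), or (None, None)."""
    result = {}
    for line in rctl_conf.splitlines():
        line = line.strip()
        parts = line.split(":")
        if len(parts) < 4 or parts[0] != "jail":
            continue
        hit = (None, None)
        for j in jails:
            if parts[1] == j["name"]:
                hit = (j["label"], "name")
                break
            if parts[1] == j["jid"]:
                hit = (j["label"], "jid")
        result[line] = hit
    return result
```

rctl(8) describes the subject of a jail rule as a jail name, so a rule reported as matching only by jid, or not at all, is worth verifying on the running host before relying on it as a limit.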