From owner-freebsd-jail@FreeBSD.ORG Sun Feb 23 07:11:49 2014
From: Folder
Reply-To: Folder.Trash@gmail.com
Date: Sun, 23 Feb 2014 09:11:43 +0200
To: freebsd-jail@freebsd.org
Subject: devfs_ruleset not working in the new jail.conf (FreeBSD 10.0-RELEASE)

Hi,

I have used FreeBSD up to 9 release by now. I now installed
FreeBSD 10.0-RELEASE and I am very disappointed with the new jail
setup.
One of the reasons is that using devfs_ruleset has no effect
in jail.conf.

example:

DDNS {
    host.hostname = "DDNS";
    ip4.addr = "192.168.5.10";
    ip4 = "inherit";
    path = "/usr/local/JAIL/DDCLIENT/";
    exec.start = "/bin/ddstart.sh &";
    exec.consolelog = "/var/log/jail.DDNS.console.log";
    devfs_ruleset = "5";
    mount.devfs;
}

and devfs.rules:

[devfsrules_jailddns=5]
add hide
add path random unhide
add path urandom unhide

The result is mounting the whole jail tree in the jail... So much for
security in this release.
Even using the old jail setup in rc.conf, the /etc/rc.d/jail fails to
hide dev and mounts dev tree untouched under the jail:

jail_DDNS_rootdir="/usr/local/JAIL/DDCLIENT/"
jail_DDNS_hostname="DDNS"
jail_DDNS_ip="192.168.5.10"
jail_DDNS_exec_start="/bin/ddstart.sh &"
jail_DDNS_devfs_enable="YES"
jail_DDNS_devfs_ruleset="5"

From owner-freebsd-jail@FreeBSD.ORG Sun Feb 23 10:45:10 2014
From: "Herbert J. Skuhra"
Date: Sun, 23 Feb 2014 11:45:05 +0100
To: freebsd-jail@freebsd.org
Subject: Re: devfs_ruleset not working in the new jail.conf (FreeBSD 10.0-RELEASE)

On Sun, 23 Feb 2014 09:11:43 +0200 Folder wrote:

> Hi,
>
> I have used FreeBSD up to 9 release by now. I now installed
> FreeBSD 10.0-RELEASE and I am very disappointed with the new jail
> setup.
> One of the reasons is that using devfs_ruleset has no effect
> in jail.conf.

You obviously have to add

devfs_load_rulesets="YES"

to /etc/rc.conf and restart devfs.

-- 
Herbert

From owner-freebsd-jail@FreeBSD.ORG Mon Feb 24 11:06:51 2014
From: FreeBSD bugmaster
Date: Mon, 24 Feb 2014 11:06:51 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

19 problems total.

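The devfs_ruleset thread above turns on three files agreeing: the ruleset number in jail.conf, a matching section in devfs.rules, and devfs_load_rulesets in rc.conf. As an added example (not code from the list or from the FreeBSD project), this sh script checks that agreement statically; the function names and sample files are constructed, and the parser assumes one jail.conf parameter per line.

```shell
#!/bin/sh
# Added example: static check for the jail/devfs misconfiguration in this thread.
# Assumptions: one jail.conf parameter per line, [name=N] headers in devfs.rules.

# Exit 0 if the rc.conf file ($1) enables devfs_load_rulesets (last assignment wins).
rulesets_enabled() {
    val=$(sed -n 's/^[[:space:]]*devfs_load_rulesets=\([^#[:space:]]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the rules file ($1) has a section header [name=N] for number N ($2).
ruleset_defined() {
    grep -Eq "^[[:space:]]*\[[A-Za-z0-9_]+=$2\][[:space:]]*\$" "$1"
}

# Print "jailname ruleset mounts_devfs" for every jail block in jail.conf ($1).
# ruleset is "-" when the block does not set devfs_ruleset.
jail_devfs_settings() {
    awk '
        /^[ \t]*#/ { next }
        !in_jail && /[{]/ {
            name = $0; sub(/[ \t]*[{].*/, "", name); sub(/^[ \t]*/, "", name)
            in_jail = 1; ruleset = "-"; devfs = "no"; next
        }
        in_jail && /^[ \t]*devfs_ruleset[ \t]*=/ {
            ruleset = $0; sub(/^[^=]*=[ \t]*/, "", ruleset)
            gsub(/[";\t ]/, "", ruleset)
            if (ruleset == "") ruleset = "-"
        }
        in_jail && /^[ \t]*mount\.devfs[ \t]*;/ { devfs = "yes" }
        in_jail && /[}]/ { print name, ruleset, devfs; in_jail = 0 }
    ' "$1"
}

# check_jail_devfs JAIL_CONF DEVFS_RULES RC_CONF
# Prints one finding per line and returns the number of findings.
check_jail_devfs() {
    problems=0
    if ! rulesets_enabled "$3"; then
        echo "$3: devfs_load_rulesets is not enabled, so rulesets in $2 are not loaded"
        problems=$((problems + 1))
    fi
    settings=$(jail_devfs_settings "$1")
    while read -r name ruleset devfs; do
        # Only jails that mount devfs and name a ruleset are checked.
        [ -n "$name" ] && [ "$devfs" = "yes" ] && [ "$ruleset" != "-" ] || continue
        case "$ruleset" in
            *[!0-9]*)
                echo "jail $name: devfs_ruleset \"$ruleset\" is not a ruleset number"
                problems=$((problems + 1)) ;;
            *)
                if ! ruleset_defined "$2" "$ruleset"; then
                    echo "jail $name: devfs_ruleset $ruleset has no [name=$ruleset] section in $2"
                    problems=$((problems + 1))
                fi ;;
        esac
    done <<EOF
$settings
EOF
    return "$problems"
}

# Write constructed sample files modelled on the configuration quoted in the thread.
write_sample() {
    cat > "$1/jail.conf" <<'EOF'
DDNS {
    host.hostname = "DDNS";
    path = "/usr/local/JAIL/DDCLIENT/";
    devfs_ruleset = "5";
    mount.devfs;
}
EOF
    cat > "$1/devfs.rules" <<'EOF'
[devfsrules_jailddns=5]
add hide
add path random unhide
add path urandom unhide
EOF
    # Constructed rc.conf that, like the poster's, lacks devfs_load_rulesets.
    printf 'sshd_enable="YES"\n' > "$1/rc.conf"
}

# Demo run on the constructed files: reports the missing rc.conf setting.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
check_jail_devfs "$demo_dir/jail.conf" "$demo_dir/devfs.rules" "$demo_dir/rc.conf" || true
rm -rf "$demo_dir"
```

On the host itself, `devfs rule showsets` lists the ruleset numbers actually loaded in the kernel, which complements this file-level check.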
From owner-freebsd-jail@FreeBSD.ORG Mon Mar 3 11:06:47 2014
From: FreeBSD bugmaster
Date: Mon, 3 Mar 2014 11:06:46 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

19 problems total.

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 9 15:42:09 2014
From: linimon@FreeBSD.org
Date: Sun, 9 Mar 2014 15:42:09 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/187079: [jail] devfs_load_rulesets has to be enabled for mount.devfs to behave like expected

Old Synopsis: devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
New Synopsis: [jail] devfs_load_rulesets has to be enabled for mount.devfs to behave like expected

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Mar 9 15:41:47 UTC 2014
Responsible-Changed-Why:
reclassify.

http://www.freebsd.org/cgi/query-pr.cgi?pr=187079

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 10 11:06:47 2014
From: FreeBSD bugmaster
Date: Mon, 10 Mar 2014 11:06:47 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/187079  jail       [jail] devfs_load_rulesets has to be enabled for mount
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

20 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 17 11:06:47 2014
From: FreeBSD bugmaster
Date: Mon, 17 Mar 2014 11:06:46 GMT
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/187079  jail       [jail] devfs_load_rulesets has to be enabled for mount
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

20 problems total.

From owner-freebsd-jail@FreeBSD.ORG Fri Mar 21 19:33:59 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2A851F6C for ; Fri, 21 Mar 2014 19:33:59 +0000 (UTC) Received: from chkenon.earlham.edu (chkenon.earlham.edu [159.28.1.87]) by mx1.freebsd.org (Postfix) with ESMTP id ECBF38FF for ; Fri, 21 Mar 2014 19:33:58 +0000 (UTC) X-ASG-Debug-ID: 1395429418-079a1f4fe3c9aa0001-dVRlEP Received: from sunstone.earlham.edu (sunstone.earlham.edu [159.28.3.91]) by chkenon.earlham.edu with ESMTP id zAJv3X2nUxsTW0P5 for ; Fri, 21 Mar 2014 15:16:58 -0400 (EDT) X-Barracuda-Envelope-From: schulra@earlham.edu X-Barracuda-Apparent-Source-IP: 159.28.3.91 Received: from tdream.lly.earlham.edu (tdream.lly.earlham.edu [159.28.7.241]) by sunstone.earlham.edu (Postfix) with ESMTP id 5D908171D53E for ; Fri, 21 Mar 2014 15:16:58 -0400 (EDT) Date: Fri, 21 Mar 2014 15:16:58 -0400 (EDT) From: Randy Schultz X-X-Sender: schulra@localhost To: freebsd-jail@freebsd.org Subject: jails and X forwarding Message-ID: X-ASG-Orig-Subj: jails and X forwarding User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Barracuda-Connect: sunstone.earlham.edu[159.28.3.91] X-Barracuda-Start-Time: 1395429418 X-Barracuda-URL: http://159.28.1.87:8000/cgi-mod/mark.cgi X-Virus-Scanned: by bsmtpd at earlham.edu X-Barracuda-BRTS-Status: 1 X-Barracuda-Spam-Score: 0.00 X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 tests= X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.4128 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.17 
Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Mar 2014 19:33:59 -0000 Hiya, I am trying to allow a jail to do X forwarding ala ssh -Y, but seem to be missing something. I have narrowed it down to something with the jail, having successfully done this with non-jails. IOW, sshd_config has "X11Forwarding yes" etc. The system is fbsd 9.2-STABLE. The jail is set up using ezjail. I have tweaked various jail sysctl settings in case there was something there I was missing. I disabled the firewall rules to removed potential interference from that angle. All to no avail. I keep getting ye olde xclock X11 connection rejected because of wrong authentication. Error: Can't open display: localhost:10.0 What am I missing? -- Randy (schulra@earlham.edu) 765.983.1283 <*> Hatred does not cease by hatred, but only by love; this is the eternal rule. - Siddhartha Gautama From owner-freebsd-jail@FreeBSD.ORG Fri Mar 21 19:51:50 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8B149806; Fri, 21 Mar 2014 19:51:50 +0000 (UTC) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 5761DB08; Fri, 21 Mar 2014 19:51:50 +0000 (UTC) Received: from smarthost.fisglobal.com ([10.132.206.191]) by ltcfislmsgpa04.fnfis.com (8.14.5/8.14.5) with ESMTP id s2LJpfe0015172 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 21 Mar 2014 14:51:41 -0500 Received: from THEMADHATTER (10.242.181.54) by smarthost.fisglobal.com (10.132.206.191) with Microsoft SMTP Server id 14.3.174.1; Fri, 21 Mar 2014 14:51:40 
-0500 From: Sender: Devin Teske To: "'Randy Schultz'" , References: In-Reply-To: Subject: RE: jails and X forwarding Date: Fri, 21 Mar 2014 12:51:26 -0700 Message-ID: <008e01cf453e$f31d0d10$d9572730$@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQJGrH9nTyXn+835lHae6SCs1d/utpn9IbxA Content-Language: en-us X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-03-21_06:2014-03-21,2014-03-21,1970-01-01 signatures=0 Cc: 'Devin Teske' X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Mar 2014 19:51:50 -0000 > -----Original Message----- > From: Randy Schultz [mailto:schulra@earlham.edu] > Sent: Friday, March 21, 2014 12:17 PM > To: freebsd-jail@freebsd.org > Subject: jails and X forwarding > > Hiya, > > I am trying to allow a jail to do X forwarding ala ssh -Y, but seem to be missing > something. I have narrowed it down to something with the jail, having > successfully done this with non-jails. IOW, sshd_config has "X11Forwarding > yes" etc. The system is fbsd 9.2-STABLE. The jail is set up using ezjail. I have > tweaked various jail sysctl settings in case there was something there I was > missing. I disabled the firewall rules to removed potential interference from > that angle. All to no avail. I keep getting ye olde > > xclock > X11 connection rejected because of wrong authentication. > Error: Can't open display: localhost:10.0 > > What am I missing? > [Devin Teske] Try installing xauth. -- Devin _____________ The information contained in this message is proprietary and/or confidential. 
If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. From owner-freebsd-jail@FreeBSD.ORG Sat Mar 22 01:01:53 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6DF8A248 for ; Sat, 22 Mar 2014 01:01:53 +0000 (UTC) Received: from chibanda.earlham.edu (chibanda.earlham.edu [159.28.1.168]) by mx1.freebsd.org (Postfix) with ESMTP id 3CEFCB2A for ; Sat, 22 Mar 2014 01:01:52 +0000 (UTC) X-ASG-Debug-ID: 1395449188-06e52b16d0eca10001-dVRlEP Received: from sunstone.earlham.edu (sunstone.earlham.edu [159.28.3.91]) by chibanda.earlham.edu with ESMTP id rv1pohjImobHmJzn; Fri, 21 Mar 2014 20:46:28 -0400 (EDT) X-Barracuda-Envelope-From: schulra@earlham.edu X-Barracuda-Apparent-Source-IP: 159.28.3.91 Received: from tdream.lly.earlham.edu (tdream.lly.earlham.edu [159.28.7.241]) by sunstone.earlham.edu (Postfix) with ESMTP id 84339171D540; Fri, 21 Mar 2014 20:46:28 -0400 (EDT) Date: Fri, 21 Mar 2014 20:46:28 -0400 (EDT) From: Randy Schultz X-X-Sender: schulra@localhost To: 'Devin Teske' Subject: RE: jails and X forwarding In-Reply-To: <008e01cf453e$f31d0d10$d9572730$@FreeBSD.org> X-ASG-Orig-Subj: RE: jails and X forwarding Message-ID: References: <008e01cf453e$f31d0d10$d9572730$@FreeBSD.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Barracuda-Connect: sunstone.earlham.edu[159.28.3.91] X-Barracuda-Start-Time: 1395449188 X-Barracuda-URL: http://159.28.1.168:8000/cgi-mod/mark.cgi X-Virus-Scanned: by 
bsmtpd at earlham.edu X-Barracuda-BRTS-Status: 1 X-Barracuda-Spam-Score: -1002.00 X-Barracuda-Spam-Status: No, SCORE=-1002.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=1000.0 Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Mar 2014 01:01:53 -0000 On Fri, 21 Mar 2014, dteske@FreeBSD.org wrote: -} -}> I am trying to allow a jail to do X forwarding ala ssh -Y, but seem to be -}missing -}> something. I have narrowed it down to something with the jail, having -}> successfully done this with non-jails. IOW, sshd_config has -}"X11Forwarding -}> yes" etc. The system is fbsd 9.2-STABLE. The jail is set up using -}ezjail. I have -}> tweaked various jail sysctl settings in case there was something there I -}was -}> missing. I disabled the firewall rules to removed potential interference -}from -}> that angle. All to no avail. I keep getting ye olde -}> -}> xclock -}> X11 connection rejected because of wrong authentication. -}> Error: Can't open display: localhost:10.0 -}> -}> What am I missing? -}> -}[Devin Teske] -} -}Try installing xauth. Ah, I had already done that: Dude ? pkg_info|egrep xauth xauth-1.0.8 X authority file utility -- Randy (schulra@earlham.edu) 765.983.1283 <*> Hatred does not cease by hatred, but only by love; this is the eternal rule. 
- Siddhartha Gautama From owner-freebsd-jail@FreeBSD.ORG Sat Mar 22 01:30:10 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9833F462; Sat, 22 Mar 2014 01:30:10 +0000 (UTC) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 639C3D36; Sat, 22 Mar 2014 01:30:10 +0000 (UTC) Received: from smarthost.fisglobal.com ([10.132.206.191]) by ltcfislmsgpa05.fnfis.com (8.14.5/8.14.5) with ESMTP id s2M1U7pP030425 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 21 Mar 2014 20:30:07 -0500 Received: from THEMADHATTER (10.242.181.54) by smarthost.fisglobal.com (10.132.206.191) with Microsoft SMTP Server id 14.3.174.1; Fri, 21 Mar 2014 20:30:06 -0500 From: Sender: Devin Teske To: "'Randy Schultz'" , "'Devin Teske'" References: <008e01cf453e$f31d0d10$d9572730$@FreeBSD.org> In-Reply-To: Subject: RE: jails and X forwarding Date: Fri, 21 Mar 2014 18:29:52 -0700 Message-ID: <00e301cf456e$39fdfee0$adf9fca0$@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQJGrH9nTyXn+835lHae6SCs1d/utgGBtqxEAa12kHCZ5AmUYA== Content-Language: en-us X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-03-21_07:2014-03-21,2014-03-21,1970-01-01 signatures=0 Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Mar 2014 01:30:10 -0000 > -----Original Message----- 
> From: Randy Schultz [mailto:schulra@earlham.edu]
> Sent: Friday, March 21, 2014 5:46 PM
> To: 'Devin Teske'
> Cc: freebsd-jail@freebsd.org
> Subject: RE: jails and X forwarding
>
> On Fri, 21 Mar 2014, dteske@FreeBSD.org wrote:
>
> -}
> -}> I am trying to allow a jail to do X forwarding ala ssh -Y, but seem to be missing
> -}> something. I have narrowed it down to something with the jail, having
> -}> successfully done this with non-jails. IOW, sshd_config has "X11Forwarding
> -}> yes" etc. The system is fbsd 9.2-STABLE. The jail is set up using ezjail. I have
> -}> tweaked various jail sysctl settings in case there was something there I was
> -}> missing. I disabled the firewall rules to remove potential interference from
> -}> that angle. All to no avail. I keep getting ye olde
> -}>
> -}> xclock
> -}> X11 connection rejected because of wrong authentication.
> -}> Error: Can't open display: localhost:10.0
> -}>
> -}> What am I missing?
> -}>
> -}[Devin Teske]
> -}
> -}Try installing xauth.
>
> Ah, I had already done that:
>
> Dude ? pkg_info|egrep xauth
> xauth-1.0.8 X authority file utility
>

Dunno what to say. Sounds like a regression because I'm X11 forwarding off of
jails every day. Admittedly, the jails I'm using are FreeBSD-8. Some of these
FreeBSD-8 jails are running under a FreeBSD-9 host.

I'm using both Xming on Windows and Xserver on Mac OS X.
--
Devin

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 24 11:06:47 2014
Date: Mon, 24 Mar 2014 11:06:46 GMT
Message-Id: <201403241106.s2OB6kYo013889@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/187079  jail   [jail] devfs_load_rulesets has to be enabled for mount
o kern/184719  jail   [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail   [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail   [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail   [jail] [patch] fix multicast support within jails
o bin/178302   jail   jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail   [jail] [panic] kernel panic when starting jails
o kern/174902  jail   [jail] jail should provide validator for jail names
o bin/173469   jail   [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail   [jail] reading routing information does not work in ja
o bin/167911   jail   new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail   [jail] inter-jail communication failure
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid

20 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Mar 24 17:26:28 2014
Message-ID: <53306ABD.7010105@pean.org>
Date: Mon, 24 Mar 2014 18:26:21 +0100
From: Peter Ankerstål
To: jail@freebsd.org
Subject: Problem running bsnmpd inside jail.

(previously posted to stable)

Hi!

I'm running a few jails on FreeBSD 10.0-RELEASE (amd64) but I can't get
bsnmpd to work inside a jail. It has worked in the past but that was
FreeBSD 9.

It's a standard bsnmpd config without any large changes to the config.
The exact same configs work fine when run outside a jail.

# /usr/sbin/bsnmpd -d -p /var/run/snmpd.pid
snmpd[38890]: disk_OS_get_disks: adding device 'cd0' to device list
snmpd[38890]: disk_OS_get_disks: adding device 'da2' to device list
snmpd[38890]: disk_OS_get_disks: adding device 'da1' to device list
snmpd[38890]: disk_OS_get_disks: adding device 'da0' to device list
snmpd[38890]: Failed to connect socket for /var/run/devd.pipe: No such file or directory
snmpd[38890]: sendmsg: Invalid argument   # I get these when I try to snmpwalk.
snmpd[38890]: sendmsg: Invalid argument
snmpd[38890]: sendmsg: Invalid argument

truss says:

select(14,{4 12 13},{},{},{0.999936 }) = 0 (0x0)
gettimeofday({1395507232.011776 },0x0) = 0 (0x0)
gettimeofday({1395507232.011836 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.999940 }) = 0 (0x0)
gettimeofday({1395507233.012739 },0x0) = 0 (0x0)
gettimeofday({1395507233.012801 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.999938 }) = 1 (0x1)
recvmsg(0xc,0x7fffffffac40,0x0,0x7fffffffaca0,0x801c23010,0x2) = 43 (0x2b)
sigprocmask(SIG_BLOCK,0x0,0x0) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 14 (0xe)
fstat(14,{ mode=-rw-r--r-- ,inode=3849888,size=18,blksize=4096 }) = 0 (0x0)
read(14,"ALL : ALL : allow\n",4096) = 18 (0x12)
close(14) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0) = 0 (0x0)
gettimeofday({1395507233.562291 },0x0) = 0 (0x0)
sendmsg(0xc,0x7ffffffe1120,0x0,0x5cea9fbe35c62e6e,0x3,0x2) ERR#22 'Invalid argument'
clock_gettime(13,{1395507233.000000000 }) = 0 (0x0)
getpid() = 38997 (0x9855)
snmpd[38997]: sendmsg: Invalid argument
writev(0x2,0x7ffffffe0320,0x2,0xffffffffffffffec,0x14,0x800f98370) = 40 (0x28)
sendto(8,"<11>Mar 22 17:53:53 snmpd[38997]"...,59,0x0,NULL,0x0) = 59 (0x3b)
gettimeofday({1395507233.562815 },0x0) = 0 (0x0)
gettimeofday({1395507233.562869 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.449870 }) = 0 (0x0)
gettimeofday({1395507234.041473 },0x0) = 0 (0x0)
gettimeofday({1395507234.041535 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.948960 }) = 1 (0x1)
recvmsg(0xc,0x7fffffffac40,0x0,0x7fffffffaca0,0x64,0x0) = 43 (0x2b)
sigprocmask(SIG_BLOCK,0x0,0x0) = 0 (0x0)
open("/etc/hosts.allow",O_RDONLY,0666) = 14 (0xe)
fstat(14,{ mode=-rw-r--r-- ,inode=3849888,size=18,blksize=4096 }) = 0 (0x0)
read(14,"ALL : ALL : allow\n",4096) = 18 (0x12)
close(14) = 0 (0x0)
sigprocmask(SIG_SETMASK,0x0,0x0) = 0 (0x0)
gettimeofday({1395507234.567052 },0x0) = 0 (0x0)
sendmsg(0xc,0x7ffffffe1120,0x0,0x5cea9fbe35c62e6e,0x3,0x2) ERR#22 'Invalid argument'
clock_gettime(13,{1395507234.000000000 }) = 0 (0x0)
getpid()
snmpd[38997]: sendmsg: Invalid argument
writev(0x2,0x7ffffffe0320,0x2,0xffffffffffffffec,0x14,0x800f98370) = 40 (0x28)
sendto(8,"<11>Mar 22 17:53:54 snmpd[38997]"...,59,0x0,NULL,0x0) = 59 (0x3b)
gettimeofday({1395507234.567457 },0x0) = 0 (0x0)
gettimeofday({1395507234.567512 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.422983 }) = 0 (0x0)
gettimeofday({1395507235.010734 },0x0) = 0 (0x0)
__sysctl(0x7fffffffafc0,0x2,0x7fffffffb000,0x7fffffffaff8,0x8030855ea,0x17) = 0 (0x0)
__sysctl(0x7fffffffb000,0x4,0x7fffffffb0d8,0x7fffffffb0a8,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffafc0,0x2,0x7fffffffb000,0x7fffffffaff8,0x803085602,0x18) = 0 (0x0)
__sysctl(0x7fffffffb000,0x4,0x7fffffffb0d8,0x7fffffffb0a8,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffafc0,0x2,0x7fffffffb000,0x7fffffffaff8,0x80308561b,0x13) = 0 (0x0)
__sysctl(0x7fffffffb000,0x4,0x7fffffffb0d8,0x7fffffffb0a8,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffafc0,0x2,0x7fffffffb000,0x7fffffffaff8,0x80308562f,0x14) = 0 (0x0)
__sysctl(0x7fffffffb000,0x4,0x7fffffffb0d8,0x7fffffffb0a8,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffafe0,0x2,0x7fffffffb020,0x7fffffffb018,0x803085644,0xc) = 0 (0x0)
__sysctl(0x7fffffffb020,0x2,0x803294a00,0x7fffffffb0e0,0x0,0x0) = 0 (0x0)
gettimeofday({1395507235.011369 },0x0) = 0 (0x0)
clock_gettime(4,{335225.177478505 }) = 0 (0x0)
__sysctl(0x7fffffffac20,0x2,0x7fffffffac60,0x7fffffffac58,0x803c03cf3,0x14) = 0 (0x0)
__sysctl(0x7fffffffac60,0x3,0x7fffffffad04,0x7fffffffad08,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffac80,0x2,0x7fffffffacc0,0x7fffffffacb8,0x803c03efb,0x10) = 0 (0x0)
__sysctl(0x7fffffffacc0,0x3,0x801c99600,0x7fffffffad98,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffac20,0x2,0x7fffffffac60,0x7fffffffac58,0x803c03cf3,0x14) = 0 (0x0)
__sysctl(0x7fffffffac60,0x3,0x7fffffffad04,0x7fffffffad08,0x0,0x0) = 0 (0x0)
gettimeofday({1395507235.011811 },0x0) = 0 (0x0)
gettimeofday({1395507235.011868 },0x0) = 0 (0x0)
gettimeofday({1395507235.011915 },0x0) = 0 (0x0)
gettimeofday({1395507235.011959 },0x0) = 0 (0x0)
open("/dev/null",O_CLOEXEC,00) = 14 (0xe)
fstat(14,{ mode=crw-rw-rw- ,inode=20,size=0,blksize=4096 }) = 0 (0x0)
open("/dev/null",O_CLOEXEC,00) = 15 (0xf)
__sysctl(0x7fffffffa880,0x3,0x0,0x7fffffffa870,0x0,0x0) = 0 (0x0)
__sysctl(0x7fffffffa880,0x3,0x801d92000,0x7fffffffa870,0x0,0x0) = 0 (0x0)
close(14) = 0 (0x0)
close(15) = 0 (0x0)
gettimeofday({1395507235.015009 },0x0) = 0 (0x0)
gettimeofday({1395507235.015057 },0x0) = 0 (0x0)
gettimeofday({1395507235.015106 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.026367 }) = 0 (0x0)
gettimeofday({1395507235.043455 },0x0) = 0 (0x0)
gettimeofday({1395507235.043505 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.999950 }) = 0 (0x0)
gettimeofday({1395507236.062471 },0x0) = 0 (0x0)
gettimeofday({1395507236.062525 },0x0) = 0 (0x0)
select(14,{4 12 13},{},{},{0.999946 }) = 0 (0x0)
gettimeofday({1395507237.065759 },0x0) = 0 (0x0)
gettimeofday({1395507237.065819 },0x0) = 0 (0x0)
^Cselect(14,{4 12 13},{},{},{0.999940 }) ERR#4 'Interrupted system call'
SIGNAL 2 (SIGINT)
unlink("/var/run/snmpd.pid") = 0 (0x0)
lstat("/var/run/snmpd.sock",{ mode=srw-rw-rw- ,inode=4965221,size=0,blksize=131072 }) = 0 (0x0)
unlink("/var/run/snmpd.sock") = 0 (0x0)

From owner-freebsd-jail@FreeBSD.ORG Sun Apr 20 00:25:12 2014
Date: Sun, 20 Apr 2014 00:25:12 GMT
Message-Id: <201404200025.s3K0PCmC060109@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188753: [jail] mount devfs ruleset ignored

Old Synopsis: mount devfs ruleset ignored
New Synopsis: [jail] mount devfs ruleset ignored

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Apr 20 00:24:47 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=188753

From owner-freebsd-jail@FreeBSD.ORG Sun Apr 20 00:38:19 2014
Date: Sun, 20 Apr 2014 00:38:18 GMT
Message-Id: <201404200038.s3K0cIUr063327@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/188018: [jail] [vimage] Running pfctl -sr -v in Jail with VIMAGE crashes host

Old Synopsis: Running pfctl -sr -v in Jail with VIMAGE crashes host
New Synopsis: [jail] [vimage] Running pfctl -sr -v in Jail with VIMAGE crashes host

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Apr 20 00:37:33 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).


http://www.freebsd.org/cgi/query-pr.cgi?pr=188018

From owner-freebsd-jail@FreeBSD.ORG Sun Apr 20 03:18:13 2014
Date: Sun, 20 Apr 2014 03:18:13 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs

Old Synopsis: jail using nullfs and unionfs doesn't mount devfs
New Synopsis: [jail] jail using nullfs and unionfs doesn't mount devfs

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Apr 20 03:17:50 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=186360

From owner-freebsd-jail@FreeBSD.ORG Sun Apr 20 11:50:02 2014
Date: Sun, 20 Apr 2014 11:50:02 GMT
From: "Herbert J. Skuhra"
To: freebsd-jail@FreeBSD.org
Subject: Re: kern/188753: [jail] mount devfs ruleset ignored

The following reply was made to PR kern/188753; it has been noted by GNATS.

From: "Herbert J. Skuhra"
To: bug-followup@FreeBSD.org, gizd@tortenboxer.de
Subject: Re: kern/188753: [jail] mount devfs ruleset ignored
Date: Sun, 20 Apr 2014 13:42:49 +0200

Hi,

you can add the following line to your /etc/rc.conf

devfs_load_rulesets="YES"

and run '/etc/rc.d/devfs restart'.

Or check /etc/defaults/rc.conf:

devfs_rulesets="/etc/defaults/devfs.rules /etc/devfs.rules" # Files containing
                                                            # devfs(8) rules.
devfs_system_ruleset=""  # The name (NOT number) of a ruleset to apply to /dev
devfs_set_rulesets=""    # A list of /mount/dev=ruleset_name settings to
                         # apply (must be mounted already, i.e. fstab(5))
devfs_load_rulesets="NO" # Enable to always load the default rulesets

--
Herbert

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 21 11:06:48 2014
Date: Mon, 21 Apr 2014 11:06:48 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/188753  jail       [jail] mount devfs ruleset ignored
o kern/188018  jail       [jail] [vimage] Running pfctl -sr -v in Jail with VIMA
o kern/187079  jail       [jail] devfs_load_rulesets has to be enabled for mount
o kern/186360  jail       [jail] jail using nullfs and unionfs doesn't mount dev
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

23 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 28 11:06:49 2014
Date: Mon, 28 Apr 2014 11:06:48 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/188753  jail       [jail] mount devfs ruleset ignored
o kern/188018  jail       [jail] [vimage] Running pfctl -sr -v in Jail with VIMA
o kern/187079  jail       [jail] devfs_load_rulesets has to be enabled for mount
o kern/186360  jail       [jail] jail using nullfs and unionfs doesn't mount dev
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

23 problems total.
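
The rc.conf advice in the kern/188753 follow-up above can be checked offline. The script below is an added example, not code from the thread or from FreeBSD: it confirms that every devfs_ruleset number used in a jail.conf is defined in the rules files and that devfs_load_rulesets is enabled. The jail names, paths and file contents are constructed samples, and the jail.conf parsing is simplified (only "#" comments, no braces or semicolons inside quoted values).

```shell
#!/bin/sh
# Added example: offline audit of jail devfs ruleset configuration.
# Simplified jail.conf parsing: only "#" comments, no braces or
# semicolons inside quoted values.

# Numeric ids of rulesets declared as "[name=N]" in devfs.rules files.
defined_rulesets() {
    sed -n 's/^[[:space:]]*\[[^]=]*=\([0-9][0-9]*\)][[:space:]]*$/\1/p' "$@"
}

# Succeeds when the last devfs_load_rulesets assignment in an rc.conf
# is one of the values rc.subr treats as "yes".
rulesets_loaded_at_boot() {
    val=$(sed -n 's/^[[:space:]]*devfs_load_rulesets=//p' "$1" |
          tail -n 1 | sed 's/#.*//' | tr -d "\"' \t")
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "jail ruleset" for each devfs_ruleset statement; "*" means the
# statement is outside any jail block and applies to all jails.
jail_rulesets() {
    sed 's/#.*//; s/[{}]/&;/g' "$1" | tr ';\n' '\n ' | awk '
        BEGIN { name = "*" }
        /[{][ \t]*$/ { name = $1; sub(/[{].*/, "", name); next }
        /[}]/ { name = "*"; next }
        /^[ \t]*devfs_ruleset[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            gsub(/[" \t]/, "", v)
            print name, v
        }'
}

# Report each way a ruleset named in jail.conf could fail to be applied.
# Usage: audit_devfs JAIL_CONF RC_CONF RULES_FILE...
audit_devfs() {
    jailconf=$1 rcconf=$2; shift 2
    known=$(defined_rulesets "$@")
    rulesets_loaded_at_boot "$rcconf" ||
        echo "WARN rc.conf: devfs_load_rulesets is not enabled"
    jail_rulesets "$jailconf" | while read -r jail rs; do
        if printf '%s\n' "$known" | grep -qxF -- "$rs"; then
            echo "OK $jail: ruleset $rs is defined"
        else
            echo "FAIL $jail: ruleset $rs is not defined in any rules file"
        fi
    done
}

# Constructed sample files (not taken from any real host).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/jail.conf" <<'EOF'
# constructed sample
resolver {
    host.hostname = "resolver";
    path = "/jails/resolver";
    mount.devfs;
    devfs_ruleset = "5";
}
web {
    path = "/jails/web";
    mount.devfs;
    devfs_ruleset = "7";   # no such ruleset in the rules file
}
EOF
    cat > "$d/devfs.rules" <<'EOF'
[devfsrules_jail_resolver=5]
add hide
add path random unhide
add path urandom unhide
EOF
    cat > "$d/rc.conf" <<'EOF'
devfs_load_rulesets="NO"
EOF
    audit_devfs "$d/jail.conf" "$d/rc.conf" "$d/devfs.rules"
    rm -rf "$d"
}

demo
```

On a real host, pass both /etc/defaults/devfs.rules and /etc/devfs.rules as the rules files, matching the devfs_rulesets default quoted in the reply.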

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 30 08:20:01 2014
Date: Wed, 30 Apr 2014 08:20:01 GMT
From: Robert Schulze
To: freebsd-jail@FreeBSD.org
Subject: Re: kern/187079: devfs_load_rulesets has to be enabled for mount.devfs to behave like expected

The following reply was made to PR kern/187079; it has been noted by GNATS.

From: Robert Schulze
To: bug-followup@freebsd.org
Subject: Re: kern/187079: devfs_load_rulesets has to be enabled for mount.devfs to behave like expected
Date: Wed, 30 Apr 2014 10:12:18 +0200

This PR can be closed as of FreeBSD-SA-14:07.devfs

From owner-freebsd-jail@FreeBSD.ORG Thu May 1 09:39:43 2014
Date: Thu, 01 May 2014 10:39:38 +0100
From: Dave B
To: freebsd-jail@freebsd.org
Subject: Re: Advice/guidance requested.

Try QJail.
http://qjail.sourceforge.net/

There is a good "howto" section listed here.
http://qjail.sourceforge.net/Qjail-howto.html

If I can manage it, anyone can..
(I'm running on F'BSD 9.2)

Yes, like ezJail, the base jail takes up a bit of space, but others built on that take
up a lot less, unless you load them up with stuff of course.

Updating is not that difficult either.

Regards.

Dave B.

> On 2014-01-12 10:09, wishmaster wrote:
>
> >> I would also recommend ezjails. Using fat jails is often completely
> >> unnecessary.
> >
> > Do you think using ezjail you will obtain "thin" jails? You are
> > wrong. Setup 5...10 jails for applications: one jail for
> > web-applications on php, one for java and so on. And you will see
> > how your jails will be FAT! And now imagine update system and
> > software procedure. So, if you need a lot of "light" isolation
> > containers, ezjail is not your way. I use self written scripts
> > which creates one base system with all needed packages and a lot of
> > "containers" with vnet supports and with "security in mind".
> > Upgrading is very easy, just one jail.
>
> Sounds nice, maybe write some blog post or even a more detailed mail
> to this list with some how-to? I'm sure many people would find this
> very interesting.
>
> --
> best regards,
> Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Thu May 1 11:21:00 2014
Date: Thu, 01 May 2014 13:20:56 +0200
From: Łukasz Wąsikowski
To: Dave B, freebsd-jail@freebsd.org
Subject: Re: Advice/guidance requested.

On 2014-05-01 11:39, Dave B wrote:
> Try QJail.
> http://qjail.sourceforge.net/
>
> There is a good "howto" section listed here.
> http://qjail.sourceforge.net/Qjail-howto.html
>
> If I can manage it, anyone can..
> (I'm running on F'BSD 9.2)
>
> Yes, like ezJail, the base jail takes up a bit of space, but others built on that take
> up a lot less, unless you load them up with stuff of course.
>
> Updating is not that difficult either.

I don't want to use qjail, especially after reading all this thread:
http://lists.freebsd.org/pipermail/freebsd-jail//2013-March/002147.html

BTW: Please, don't top post.

--
best regards,
Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Sun May 4 02:54:06 2014
Date: Sun, 4 May 2014 02:54:05 GMT
From: linimon@FreeBSD.org
To: rs@bytecamp.net, linimon@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/187079: [jail] devfs_load_rulesets has to be enabled for mount.devfs to behave like expected

Synopsis: [jail] devfs_load_rulesets has to be enabled for mount.devfs to behave like expected

State-Changed-From-To: open->closed
State-Changed-By: linimon
State-Changed-When: Sun May 4 02:53:09 UTC 2014
State-Changed-Why:
From submitter: This PR can be closed as of FreeBSD-SA-14:07.devfs .

http://www.freebsd.org/cgi/query-pr.cgi?pr=187079

From owner-freebsd-jail@FreeBSD.ORG Sun May 4 02:54:45 2014
Date: Sun, 4 May 2014 02:54:45 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: bin/189139: [patch] fix bug in jail(8) variable substitution

Synopsis: [patch] fix bug in jail(8) variable substitution

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun May 4 02:54:32 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=189139

From owner-freebsd-jail@FreeBSD.ORG Sun May 4 05:30:06 2014
Date: Sun, 4 May 2014 05:30:05 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: bin/181794: jexec(8) runs commands in Jails without taking into account of the Jail's FIB

Old Synopsis: jexec runs commands in Jails without taking into account of the Jail's FIB
New Synopsis: jexec(8) runs commands in Jails without taking into account of the Jail's FIB

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun May 4 05:29:38 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=181794

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 03:11:35 2014
Date: Mon, 5 May 2014 03:11:34 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/188495: [jail] /etc/rc.d/jail, ezjail and Linux jails don't work with FreeBSD 10.0

Old Synopsis: /etc/rc.d/jail, ezjail and Linux jails don't work with FreeBSD 10.0
New Synopsis: [jail] /etc/rc.d/jail, ezjail and Linux jails don't work with FreeBSD 10.0

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon May 5 03:09:42 UTC 2014
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=188495

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 11:06:46 2014
Date: Mon, 5 May 2014 11:06:45 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/189139   jail       [patch] fix bug in jail(8) variable substitution
o kern/188753  jail       [jail] mount devfs ruleset ignored
o kern/188495  jail       [jail] /etc/rc.d/jail, ezjail and Linux jails don't wo
o kern/188018  jail       [jail] [vimage] Running pfctl -sr -v in Jail with VIMA
o kern/186360  jail       [jail] jail using nullfs and unionfs doesn't mount dev
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o bin/181794   jail       jexec(8) runs commands in Jails without taking into ac
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

25 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 11:58:58 2014
Date: Mon, 5 May 2014 19:58:52 +0800
From: Erich Dollansky
To: freebsd-jail@freebsd.org
Subject: Can Firefox break out of a jail

Hi,

I do some experimenting with jails at the moment on a FreeBSD 10.0
machine. The jails are all setup manually according to the handbook and
man jail. Each jail gets a name and an IP address. Individual ports are
then installed via the ports tree.

X is running on the host system. Telnet is used to connect to the jails.

When I install now firefox in a jail and also in the host system, I get
the following behaviour.

Scene A

Firefox runs already on the host system. I start then firefox inside
the jail firefox. It all seems fine as long as I do not use the history
or want to save the visited page. The jailed firefox sees then the
history of the firefox running on the host.

Scene B

Firefox is first started inside the jail firefox. When then the host
system also starts a firefox, this firefox sees now the history and the
filesystem of the jailed firefox.

Is it X that allows the jailed firefox to communicate directly with
firefox running directly on the host?

Is there then a way to secure the system?

I have tried then programs like gedit or kate and saw only the
behaviour I expected. Both programs either saw only resources from
inside the jail or from outside but never resources from the other side
of the fence.

Erich

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 12:22:52 2014
Date: Mon, 05 May 2014 08:22:37 -0400
From: Fbsd8
To: Erich Dollansky
Cc: freebsd-jail@freebsd.org
Subject: Re: Can Firefox break out of a jail

Erich Dollansky wrote:
> Hi,
>
> I do some experimenting with jails at the moment on a FreeBSD 10.0
> machine. The jails are all setup manually according to the handbook and
> man jail. Each jail gets a name and an IP address. Individual ports are
> then installed via the ports tree.
>
> X is running on the host system. Telnet is used to connect to the jails.
>
> When I install now firefox in a jail and also in the host system, I get
> the following behaviour.
>
> Scene A
>
> Firefox runs already on the host system. I start then firefox inside
> the jail firefox. It all seems fine as long as I do not use the history
> or want to save the visited page. The jailed firefox sees then the
> history of the firefox running on the host.
>
> Scene B
>
> Firefox is first started inside the jail firefox. When then the host
> system also starts a firefox, this firefox sees now the history and the
> filesystem of the jailed firefox.
>
> Is it X that allows the jailed firefox to communicate directly with
> firefox running directly on the host?
>
> Is there then a way to secure the system?
>
> I have tried then programs like gedit or kate and saw only the
> behaviour I expected. Both programs either saw only resources from
> inside the jail or from outside but never resources from the other side
> of the fence.
>

firefox has to be installed where you have xorg and your desktop
installed. Installing firefox in a jail by itself does nothing.
What you think you are seeing is wrong. ssh into jail having firefox
is not running firefox. ssh into the host where xorg and desktop and
firefox is the only way to have firefox work to the best of my knowledge.

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 12:27:24 2014
Date: Mon, 5 May 2014 14:27:23 +0200
From: Andreas Nilsson
To: Erich Dollansky
Cc: Mailinglists FreeBSD
Subject: Re: Can Firefox break out of a jail

On Mon, May 5, 2014 at 1:58 PM, Erich Dollansky wrote:

> Hi,
>
> I do some experimenting with jails at the moment on a FreeBSD 10.0
> machine. The jails are all setup manually according to the handbook and
> man jail. Each jail gets a name and an IP address. Individual ports are
> then installed via the ports tree.
>
> X is running on the host system. Telnet is used to connect to the jails.
>
> When I install now firefox in a jail and also in the host system, I get
> the following behaviour.
>
> Scene A
>
> Firefox runs already on the host system. I start then firefox inside
> the jail firefox. It all seems fine as long as I do not use the history
> or want to save the visited page. The jailed firefox sees then the
> history of the firefox running on the host.
>
> Scene B
>
> Firefox is first started inside the jail firefox. When then the host
> system also starts a firefox, this firefox sees now the history and the
> filesystem of the jailed firefox.
>
> Is it X that allows the jailed firefox to communicate directly with
> firefox running directly on the host?
>
> Is there then a way to secure the system?
>
> I have tried then programs like gedit or kate and saw only the
> behaviour I expected. Both programs either saw only resources from
> inside the jail or from outside but never resources from the other side
> of the fence.
>
> Erich
>

Firefox is a strange beast in regards to running it on a remote host.

It needs to be started as firefox --no-remote to not find "local
running" instance and connect to it. How that happens I don't know...

Best regards
Andreas

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 12:35:31 2014
Date: Mon, 5 May 2014 20:35:25 +0800
From: Erich Dollansky
To: Fbsd8
Cc: freebsd-jail@freebsd.org
Subject: Re: Can Firefox break out of a jail

Hi,

On Mon, 05 May 2014 08:22:37 -0400
Fbsd8 wrote:

> Erich Dollansky wrote:
> > Hi,
> >
> > I do some experimenting with jails at the moment on a FreeBSD 10.0
> > machine. The jails are all setup manually according to the handbook
> > and man jail. Each jail gets a name and an IP address. Individual
> > ports are then installed via the ports tree.
> >
> > X is running on the host system. Telnet is used to connect to the
> > jails.
> >
> > When I install now firefox in a jail and also in the host system, I
> > get the following behaviour.
> >
> > Scene A
> >
> > Firefox runs already on the host system. I start then firefox inside
> > the jail firefox. It all seems fine as long as I do not use the
> > history or want to save the visited page. The jailed firefox sees
> > then the history of the firefox running on the host.
> >
> > Scene B
> >
> > Firefox is first started inside the jail firefox. When then the host
> > system also starts a firefox, this firefox sees now the history and
> > the filesystem of the jailed firefox.
> >
> > Is it X that allows the jailed firefox to communicate directly with
> > firefox running directly on the host?
> >
> > Is there then a way to secure the system?
> >
> > I have tried then programs like gedit or kate and saw only the
> > behaviour I expected. Both programs either saw only resources from
> > inside the jail or from outside but never resources from the other
> > side of the fence.
> >
>
> firefox has to be installed where you have xorg and your desktop
> installed. Installing firefox in a jail by itself does nothing.
> What you think you are seeing is wrong. ssh into jail having firefox
> is not running firefox. ssh into the host where xorg and desktop and
> firefox is the only way to have firefox work to the best of my knowledge.
>

as you can see, I have realised my mistake with the mailing list.

Ok, why is this so? How can firefox started inside a jail see the
firefox from outside?

As I am travelling most of my time, I only have my notebook. If I
remember right, I used to have in the office a small FreeBSD server
which was running as an application server. When I started firefox
there via telnet on the other machine, it worked as expected. The
remote firefox saw only the 'remote' machine and the local firefox saw
only the local machine.

Shouldn't it be the same with a jailed firefox?

Erich

From owner-freebsd-jail@FreeBSD.ORG Mon May 5 12:52:55 2014
Date: Mon, 5 May 2014 20:52:45 +0800
From: Erich Dollansky
To: Andreas Nilsson
Cc: Mailinglists FreeBSD
Subject: Re: Can Firefox break out of a jail

Hi,

On Mon, 5 May 2014 14:27:23 +0200
Andreas Nilsson wrote:

> On Mon, May 5, 2014 at 1:58 PM, Erich Dollansky
> > wrote:
> >
> Firefox is a strange beast in regards to running it on a remote host.
>
> It needs to be started as firefox --no-remote to not find "local
> running" instance and connect to it. How that happens I don't know...
>

thanks, that is the solution. It seems that I used this before but
forgot about it.

Erich

From owner-freebsd-jail@FreeBSD.ORG Mon May 12 11:06:46 2014
Date: Mon, 12 May 2014 11:06:45 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/189139   jail       [patch] fix bug in jail(8) variable substitution
o kern/188753  jail       [jail] mount devfs ruleset ignored
o kern/188495  jail       [jail] /etc/rc.d/jail, ezjail and Linux jails don't wo
o kern/188018  jail       [jail] [vimage] Running pfctl -sr -v in Jail with VIMA
o kern/186360  jail       [jail] jail using nullfs and unionfs doesn't mount dev
o kern/184719  jail       [jail] Starting jails: cannot start jail "domain_com":
o bin/181794   jail       jexec(8) runs commands in Jails without taking into ac
o conf/181650  jail       [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail       [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail       [jail] [patch] fix multicast support within jails
o bin/178302   jail       jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail       [jail] [panic] kernel panic when starting jails
o kern/174902  jail       [jail] jail should provide validator for jail names
o bin/173469   jail       [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid

25 problems total.
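
For the "Can Firefox break out of a jail" thread above, an example added here (not code from any poster): the fix reported there was to start Firefox with --no-remote, so this script audits a process listing for Firefox instances running without that flag, on the host (JID 0) or inside a jail. The `ps -axo pid,jid,user,command` listing is constructed sample data and the function names are hypothetical; the single-dash spelling `-no-remote` is treated as the same flag.

```python
import os
from typing import List, NamedTuple

# Constructed sample of `ps -axo pid,jid,user,command` output on a FreeBSD
# host. JID 0 is the host itself; every other JID is a jail. All values
# below are made up for the example.
SAMPLE_PS = """\
  PID JID USER  COMMAND
 1201   0 erich /usr/local/bin/firefox
 1344   3 build /usr/local/bin/firefox -P test
 1377   4 erich /usr/local/bin/firefox --no-remote
 1390   4 erich /usr/local/bin/firefox -no-remote -P work
 1402   3 erich /usr/local/bin/gedit --no-remote-looking-arg
 1450   5 www   nginx: worker process (nginx)
"""

# Both spellings of the flag named in the thread.
NO_REMOTE_FLAGS = {"--no-remote", "-no-remote"}


class Proc(NamedTuple):
    pid: int
    jid: int
    user: str
    argv: List[str]


def parse_ps(text: str) -> List[Proc]:
    """Parse pid/jid/user/command columns; skip the header and bad lines."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 3)  # command keeps its own spaces
        if len(fields) < 4:
            continue
        pid, jid, user, command = fields
        if not (pid.isdigit() and jid.isdigit()):
            continue  # header line or garbage
        procs.append(Proc(int(pid), int(jid), user, command.split()))
    return procs


def is_firefox(proc: Proc) -> bool:
    """Match on the executable's basename, not on a substring of the line."""
    return bool(proc.argv) and os.path.basename(proc.argv[0]) == "firefox"


def exposed_instances(text: str) -> List[Proc]:
    """Firefox processes started without the no-remote flag.

    Per the thread, such an instance is one that a Firefox launched on the
    other side of the jail boundary can find and connect to.
    """
    return [
        p for p in parse_ps(text)
        if is_firefox(p) and not NO_REMOTE_FLAGS.intersection(p.argv)
    ]


def report(text: str) -> List[str]:
    """One human-readable finding per exposed instance."""
    lines = []
    for p in exposed_instances(text):
        where = "host" if p.jid == 0 else f"jail {p.jid}"
        lines.append(
            f"pid {p.pid} ({where}, user {p.user}): firefox without --no-remote"
        )
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_PS):
        print(finding)
```

On a live system the same functions can be fed the real output of the `ps` command instead of `SAMPLE_PS`.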

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 05:18:15 2014
Date: Mon, 12 May 2014 23:35:04 +0300
From: freebsd_jail@dachev.info
To: freebsd-jail@freebsd.org
Subject: new jail framework with vnet, zfs and jail.conf support

Hi,

I'm currently in process of development of new tool for easy jail
administration with zfs and vimage/vnet(bridge epair interface) support
The idea is to have a single application (python script) without any
other config files and customization
This tool is written on Python, also work only with vnet, zfs and
FreeBSD 10 (probably will work on FreeBSD 9.1 but i never test it)
JADM work only with native /etc/jail.conf
When is started for first time jadm generate new /etc/jail.conf in
special format developed by me.
jail.conf file can be used and without JADM.

for more information please contact me or visit:
https://github.com/NikolayDachev/jadm

JADM is in development status more of functions work normal (with bugs
but work :)).

Unfortunately i don't have a lot of time for it so i need test users.
At the moment last function for JADM is to support skeleton jail model
(similar to ezjail with base jail and etc.)
This function is still in progress meanwhile, if someone have a time to
test all other functions and to report any issue, bug or ideas

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 06:36:33 2014
Date: Tue, 13 May 2014 09:13:54 +0300
From: wishmaster
To: freebsd_jail@dachev.info
Cc: freebsd-jail@freebsd.org
Subject: Re: new jail framework with vnet, zfs and jail.conf support

--- Original message ---
From: freebsd_jail@dachev.info
Date: 13 May 2014, 08:18:21

> Hi,
>
> I'm currently in process of development of new tool for easy jail
> administration with zfs and vimage/vnet(bridge epair interface) support
> The idea is to have a single application (python script) without any
> other config files and customization
> This tool is written on Python, also work only with vnet, zfs and
> FreeBSD 10 (probably will work on FreeBSD 9.1 but i never test it)
> JADM work only with native /etc/jail.conf
> When is started for first time jadm generate new /etc/jail.conf in
> special format developed by me.
> jail.conf file can be used and without JADM.
>
> for more information please contact me or visit:
> https://github.com/NikolayDachev/jadm
>
> JADM is in development status more of functions work normal (with bugs
> but work :)).
>
> Unfortunately i don't have a lot of time for it so i need test users.
> At the moment last function for JADM is to support skeleton jail model
> (similar to ezjail with base jail and etc.)
> This function is still in progress meanwhile, if someone have a time to
> test all other functions and to report any issue, bug or ideas
>

This is good idea. But..
Skeleton mode is fine, but model implemented in ezjail is awful. You must install software in each jail. Therefore if I have 2 or more jails, I must install/upgrade/test software in each jail! Oh my God.
IMHO, true 'lite' jail model is: have one basejail with installed soft and the rest jails - with own /var, /tmp and so on.
I use this model.
Cheers, Vit

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 06:50:41 2014
Date: Tue, 13 May 2014 08:50:35 +0200
From: Łukasz Wąsikowski
To: wishmaster, freebsd_jail@dachev.info
Cc: freebsd-jail@freebsd.org
Subject: Re: new jail framework with vnet, zfs and jail.conf support
Message-ID: <5371C0BB.9000003@wasikowski.net>
In-Reply-To: <1399961067.719314394.ydipku70@frv34.fwdcdn.com>

On 2014-05-13 08:13, wishmaster wrote:
> --- Original message ---
> From: freebsd_jail@dachev.info
> Date: 13 May 2014, 08:18:21
>> I'm currently in process of development of new tool for easy jail
>> administration with zfs and vimage/vnet(bridge epair interface) support
>> The idea is to have a single application (python script) without any
>> other config files and customization
>> This tool is written on Python, also work only with vnet, zfs and
>> FreeBSD 10 (probably will work on FreeBSD 9.1 but I never test it)
>> JADM work only with native /etc/jail.conf
>> When is started for first time jadm generate new /etc/jail.conf in
>> special format developed by me.
>> jail.conf file can be used and without JADM.
>>
>> for more information please contact me or visit:
>> https://github.com/NikolayDachev/jadm
>>
>> JADM is in development status more of functions work normal (with bugs
>> but work :)).
>>
>> Unfortunately I don't have a lot of time for it so I need test users.
>> At the moment last function for JADM is to support skeleton jail model
>> (similar to ezjail with base jail and etc.)
>> This function is still in progress meanwhile, if someone have a time to
>> test all other functions and to report any issue, bug or ideas
> This is good idea. But..
> Skeleton mode is fine, but model implemented in ezjail is awful. You must install software in each jail. Therefore if I have 2 or more jails, I must install/upgrade/test software in each jail! Oh my God.
> IMHO, true 'lite' jail model is: have one basejail with installed soft and the rest jails - with own /var, /tmp and so on.
> I use this model.

It all depends on what you really need. There are a bunch of us who need "thin" jails - just like you describe it. And there are people who need customized jails (which ezjail or jadm can provide).

With pkg(8) upgrading bunch of jails is an easy task, just go with:

jls jid | xargs -oI% pkg -j % upgrade

--
best regards,
Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 12:12:10 2014
Date: Tue, 13 May 2014 08:11:59 -0400
From: Fbsd8
To: freebsd_jail@dachev.info
Cc: freebsd-jail@freebsd.org
Subject: Re: new jail framework with vnet, zfs and jail.conf support
Message-ID: <53720C0F.9010707@a1poweruser.com>
In-Reply-To: <640993be45d72e4dac19181ae6644d27@dachev.info>

freebsd_jail@dachev.info wrote:
> Hi,
>
> I'm currently in process of development of new tool for easy jail
> administration with zfs and vimage/vnet(bridge epair interface) support
> The idea is to have a single application (python script) without any
> other config files and customization
> This tool is written on Python, also work only with vnet, zfs and
> FreeBSD 10 (probably will work on FreeBSD 9.1 but I never test it)
> JADM work only with native /etc/jail.conf
> When is started for first time jadm generate new /etc/jail.conf in
> special format developed by me.
> jail.conf file can be used and without JADM.
>
> for more information please contact me or visit:
> https://github.com/NikolayDachev/jadm
>
> JADM is in development status more of functions work normal (with bugs
> but work :)).
>
> Unfortunately I don't have a lot of time for it so I need test users.
> At the moment last function for JADM is to support skeleton jail model
> (similar to ezjail with base jail and etc.)
> This function is still in progress meanwhile, if someone have a time to
> test all other functions and to report any issue, bug or ideas
>

I think you have made some poor basic design choices.

1. Requiring python as a dependent. That's a lot of overhead just for a script. Not a show stopper, but a csh script would have been better.

2. Using the highly experimental "vimage" as the cornerstone of the overall design. Vimage has many long standing PRs, does not work with any of the firewalls, has NO maintainer, requires a custom kernel to enable.
This is a major show stopper. Cannot risk a production jail environment on highly experimental software. Even if vimage gets a maintainer, all the firewalls need to be updated to play nice in a vimage environment, and there are existing PRs to that effect which the firewall maintainers are reluctant to address because of vimage's status as highly experimental. What you're trying to do may never bear fruit due to things totally out of your control.

3. Should use the allow_zfs option of jail(8) instead of embedded native zfs commands.

With surgery JADM could become a ZFS admin script, there is a need for that and one does not exist that I know of.

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 12:19:26 2014
Date: Tue, 13 May 2014 07:19:20 -0500
From: Mark Felder
To: freebsd-jail@freebsd.org
Subject: Re: new jail framework with vnet, zfs and jail.conf support
Message-Id: <2f171efc50e58d003930369af9e0e544@mail.feld.me>
In-Reply-To: <53720C0F.9010707@a1poweruser.com>

On 2014-05-13 07:11, fbsd8@a1poweruser.com wrote:
>
> I think you have made some poor basic design choices.
>

Let him scratch his itch. Maybe it solves a problem you haven't encountered yet?

> 1. Requiring python as a dependent. That's a lot of overhead just for a
> script.
> Not a show stopper, but a csh script would have been better.
>

csh is a horrible scripting language. I think you mean POSIX sh. But either way, Python is slowly becoming the language of choice for utilities...

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 12:56:51 2014
Date: Tue, 13 May 2014 14:56:50 +0200
From: Andreas Nilsson
To: Fbsd8, Mailinglists FreeBSD
Subject: Re: new jail framework with vnet, zfs and jail.conf support
In-Reply-To: <537212B7.8080909@a1poweruser.com>

On Tue, May 13, 2014 at 2:40 PM, Fbsd8 wrote:

> Andreas Nilsson wrote:
>
>> On Tue, May 13, 2014 at 2:11 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:
>>
>> freebsd_jail@dachev.info wrote:
>>
>> Hi,
>>
>> I'm currently in process of development of new tool for easy
>> jail administration with zfs and vimage/vnet(bridge epair
>> interface) support
>> The idea is to have a single application (python script) without
>> any other config files and customization
>> This tool is written on Python, also work only with vnet, zfs
>> and FreeBSD 10 (probably will work on FreeBSD 9.1 but I never
>> test it)
>> JADM work only with native /etc/jail.conf
>> When is started for first time jadm generate new /etc/jail.conf
>> in special format developed by me.
>> jail.conf file can be used and without JADM.
>>
>> for more information please contact me or visit:
>> https://github.com/NikolayDachev/jadm
>>
>> JADM is in development status more of functions work normal
>> (with bugs but work :)).
>>
>> Unfortunately I don't have a lot of time for it so I need test
>> users.
>> At the moment last function for JADM is to support skeleton jail
>> model (similar to ezjail with base jail and etc.)
>> This function is still in progress meanwhile, if someone have a
>> time to test all other functions and to report any issue, bug or
>> ideas
>>
>> I think you have made some poor basic design choices.
>>
>> 1. Requiring python as a dependent.
>> That's a lot of overhead just for
>> a script. Not a show stopper, but a csh script would have been better.
>>
>> Why is csh better than sh?
>>
>> 2. Using the highly experimental "vimage" as the cornerstone of the
>> overall design. Vimage has many long standing PRs, does not work
>> with any of the firewalls, has NO maintainer, requires a custom
>> kernel to enable.
>> This is a major show stopper. Cannot risk a production jail
>> environment on highly experimental software. Even if vimage gets a
>> maintainer, all the firewalls need to be updated to play nice in a
>> vimage environment, and there are existing PRs to that effect which
>> the firewall maintainers are reluctant to address because of
>> vimage's status as highly experimental. What you're trying to do may
>> never bear fruit due to things totally out of your control.
>>
>> What do you mean by "not work with any of the firewalls"?
>>
>
> When enabled with a kernel that has vimage they hang the system on boot,
> page fault, or in the case of ipfw, Nat page faults. Just check the
> outstanding pr list for the gory details.

And that is a gross overstatement. I run vimage-kernel and ipfw on a number of machines. Not one kernel panic.

>
>> And for people who require separate networking, vimage is the answer. I
>> say it is a shame vimage is not in generic yet.
>>
>
> I agree with you. But it's out of our control. If I remember correctly, the
> vimage author completed his dissertation which was based on his writing
> vimage, graduated college and moved on with his life.
>

That would be very sad. Maybe the foundation could sponsor him and/or someone else to have another go at it. It's not like pf and ipfilter are the most well-maintained things either. I however long for the day when FreeBSD catches up with illumos in terms of light-weight virtualization with separate networking (seeing as jails were the model for zones). But maybe netmap+vale-switches with vimage could be made to play better together.
But I guess we each want different things.

Best regards
Andreas

From owner-freebsd-jail@FreeBSD.ORG Tue May 13 18:00:03 2014
Date: Tue, 13 May 2014 18:00:02 GMT
From: Mark Linimon
To: freebsd-jail@FreeBSD.org
Subject: Re: kern/176112: [jail] [panic] kernel panic when starting jails
Message-Id: <201405131800.s4DI02sn002554@freefall.freebsd.org>

The following reply was made to PR kern/176112; it has been noted by GNATS.

From: Mark Linimon
To: bug-followup@FreeBSD.org
Subject: Re: kern/176112: [jail] [panic] kernel panic when starting jails
Date: Tue, 13 May 2014 12:53:58 -0500

----- Forwarded message from Dustin Wenz -----

Date: Tue, 13 May 2014 10:35:18 -0500
From: Dustin Wenz
To: bugbusters@FreeBSD.org
Subject: Update request: kernel panic when starting jails

I would like to update PR:

kern/176112: [jail] [panic] kernel panic when starting jails

This problem is still present in FreeBSD 10.0-STABLE #0 r265159, when built for amd64. Is there any way this PR could be bumped up in priority? The current description of the bug appears adequate, even if it's over a year old. Please let me know if any more information would be helpful.

Thanks,

- .Dustin Wenz

----- End forwarded message -----

From owner-freebsd-jail@FreeBSD.ORG Mon May 19 11:06:47 2014
Date: Mon, 19 May 2014 11:06:47 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-Id: <201405191106.s4JB6lhB080051@freefall.freebsd.org>

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/189139   jail  [patch] fix bug in jail(8) variable substitution
o kern/188753  jail  [jail] mount devfs ruleset ignored
o kern/188495  jail  [jail] /etc/rc.d/jail, ezjail and Linux jails don't wo
o kern/188018  jail  [jail] [vimage] Running pfctl -sr -v in Jail with VIMA
o kern/186360  jail  [jail] jail using nullfs and unionfs doesn't mount dev
o kern/184719  jail  [jail] Starting jails: cannot start jail "domain_com":
o bin/181794   jail  jexec(8) runs commands in Jails without taking into ac
o conf/181650  jail  [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail  [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail  [jail] [patch] fix multicast support within jails
o bin/178302   jail  jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail  [jail] [panic] kernel panic when starting jails
o kern/174902  jail  [jail] jail should provide validator for jail names
o bin/173469   jail  [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail  [jail] reading routing information does not work in ja
o bin/167911   jail  new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail  [jail] inter-jail communication failure
o kern/156111  jail  [jail] procstat -b not supported in jail
o misc/155765  jail  [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail  [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid

25 problems total.

From owner-freebsd-jail@FreeBSD.ORG Wed May 21 14:53:27 2014
Date: Wed, 21 May 2014 22:53:18 +0800
From: "Mars G. Miro"
To: freebsd-jail@freebsd.org
Subject: 9.2X installworld on fresh jail bsdconfig fix
Message-ID: <537CBDDE.5080008@anarchy.in.the.ph>

Hi

I've been hitting this snag on installworld on a fresh jail:

...
install: /usr/jails/turkb2/usr/libexec/bsdconfig/050.diskmgmt/diskmgmt: No such file or directory
*** [_SCRIPTSINS_diskmgmt] Error code 71
install -o root -g wheel -m 444 INDEX USAGE /usr/jails/turkb2/usr/libexec/bsdconfig/050.diskmgmt
1 error
...

Happens on my fast box every time. Seems that it's caused by this race on bsdconfig directories installed, w/c got fixed by this

http://lists.freebsd.org/pipermail/svn-src-head/2013-August/051090.html
http://svnweb.freebsd.org/base/stable/9/etc/mtree/BSD.usr.dist?revision=256129&view=co&pathrev=256129

Anyways, grabbing the mtree above and doing

# mtree -eU -f BSD.usr.dist.92X -p /path/to/jail's/usr/

and then installing the world on the fresh jail fixes it.

Sending this on the list, to propagate my notes ;-)

--
Reporter, n.: A writer who guesses his way to the truth and dispels it with a tempest of words.
-- Ambrose Bierce, "The Devil's Dictionary"

From owner-freebsd-jail@FreeBSD.ORG Mon May 26 11:06:48 2014
Date: Mon, 26 May 2014 11:06:47 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-Id: <201405261106.s4QB6lPb032056@freefall.freebsd.org>

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/189139   jail  [patch] fix bug in jail(8) variable substitution
o kern/188753  jail  [jail] mount devfs ruleset ignored
o kern/188495  jail  [jail] /etc/rc.d/jail, ezjail and Linux jails don't wo
o kern/188018  jail  [jail] [vimage] Running pfctl -sr -v in Jail with VIMA
o kern/186360  jail  [jail] jail using nullfs and unionfs doesn't mount dev
o kern/184719  jail  [jail] Starting jails: cannot start jail "domain_com":
o bin/181794   jail  jexec(8) runs commands in Jails without taking into ac
o conf/181650  jail  [jail] [patch] /etc/rc.d/jail fails if a kernel built
o kern/180916  jail  [jail] [regression] jail startup is broken for 8.4 wit
o kern/180067  jail  [jail] [patch] fix multicast support within jails
o bin/178302   jail  jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail  [jail] [panic] kernel panic when starting jails
o kern/174902  jail  [jail] jail should provide validator for jail names
o bin/173469   jail  [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail  [jail] reading routing information does not work in ja
o bin/167911   jail  new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail  [jail] inter-jail communication failure
o kern/156111  jail  [jail] procstat -b not supported in jail
o misc/155765  jail  [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail  [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid

25 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon May 26 19:20:01 2014
Date: Mon, 26 May 2014 19:20:00 GMT
From: Scott Robbins
To: freebsd-jail@FreeBSD.org
Subject: Re: kern/186360: jail using nullfs and unionfs doesn't mount devfs
Message-Id: <201405261920.s4QJK0Ke052180@freefall.freebsd.org>

The following reply was made to PR kern/186360; it has been noted by GNATS.

From: Scott Robbins
To: bug-followup@FreeBSD.org
Subject: Re: kern/186360: jail using nullfs and unionfs doesn't mount devfs
Date: Mon, 26 May 2014 15:14:02 -0400

Just an additional note--the roadrunner page listed will be defunct after May 31, 2014.
However, the page is available at http://www.srobb.net/nullfsjail.html

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

From owner-freebsd-jail@FreeBSD.ORG Mon May 26 23:10:02 2014
Date: Mon, 26 May 2014 23:10:02 GMT
From: "joeb1"
To: freebsd-jail@FreeBSD.org
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs
Message-Id: <201405262310.s4QNA2Nt029085@freefall.freebsd.org>

The following reply was made to PR kern/186360; it has been noted by GNATS.

From: "joeb1"
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs
Date: Mon, 26 May 2014 18:56:31 -0400

jail(8) became available in 9.1-RELEASE and was very buggy.
Some things got fixed in 9.2 but not the mount devfs function.
Even in 10.0-RELEASE the mount devfs function was still broken.

It finally got fixed in 10.0-RELEASE-p1

The legacy rc.conf rc.d jail method is deprecated in 10.0 and scheduled for removal in 11.0.

Suggest you test your jails using jail(8) method on 10.0-RELEASE-p1 to verify your pr problem is still in effect.

The sysutils/qjail utility uses the same jail config as you're now building by hand.

From owner-freebsd-jail@FreeBSD.ORG Wed May 28 01:10:01 2014
Date: Wed, 28 May 2014 01:10:01 GMT
Message-Id: <201405280110.s4S1A1Io029653@freefall.freebsd.org>
To: freebsd-jail@FreeBSD.org
From: Scott Robbins
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs
The following reply was made to PR kern/186360; it has been noted by GNATS.

From: Scott Robbins
To: joeb1
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs
Date: Tue, 27 May 2014 21:05:18 -0400

On Mon, May 26, 2014 at 06:56:31PM -0400, joeb1 wrote:
> jail(8) became available in 9.1-RELEASE and was very buggy.
> Some things got fixed in 9.2 but not the mount devfs function.
> Even in 10.0-RELEASE the mount devfs function was still broken.
>
> It finally got fixed in 10.0-RELEASE-p1

I am still having the issue with 10.0-RELEASE-p1

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

From owner-freebsd-jail@FreeBSD.ORG Sat May 31 06:43:16 2014
Date: Sat, 31 May 2014 08:43:12 +0200
Message-ID: <86vbsmv473.wl%h.skuhra@gmail.com>
From: "Herbert J. Skuhra"
To: Scott Robbins
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs
In-Reply-To: <201405280110.s4S1A1Io029653@freefall.freebsd.org>
Cc: freebsd-jail@FreeBSD.org

On Wed, 28 May 2014 01:10:01 GMT
Scott Robbins wrote:

> The following reply was made to PR kern/186360; it has been noted by GNATS.
>
> From: Scott Robbins
> To: joeb1
> Cc: bug-followup@FreeBSD.org
> Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't
> mount devfs
> Date: Tue, 27 May 2014 21:05:18 -0400
>
> On Mon, May 26, 2014 at 06:56:31PM -0400, joeb1 wrote:
> > jail(8) became available in 9.1-RELEASE and was very buggy.
> > Some things got fixed in 9.2 but not the mount devfs function.
> > Even in 10.0-RELEASE the mount devfs function was still broken.
> >
> > It finally got fixed in 10.0-RELEASE-p1
>
> I am still having the issue with 10.0-RELEASE-p1

It has been fixed in 10.0-RELEASE-p2.

Make sure that you have

devfs_load_rulesets="YES"   # Enable to always load the default rulesets

instead of

devfs_load_rulesets="NO"    # Enable to always load the default rulesets

in /etc/defaults/rc.conf.

http://svnweb.freebsd.org/base?view=revision&revision=265124
http://svnweb.freebsd.org/base/releng/10.0/etc/defaults/rc.conf?r1=265124&r2=265123&pathrev=265124

--
Herbert

From owner-freebsd-jail@FreeBSD.ORG Sat May 31 16:02:30 2014
Date: Sat, 31 May 2014 12:02:19 -0400
From: Scott Robbins
To: "Herbert J. Skuhra"
Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't mount devfs
Message-ID: <20140531160219.GB14608@scott1.scottro.net>
In-Reply-To: <86vbsmv473.wl%h.skuhra@gmail.com>
Cc: freebsd-jail@FreeBSD.org

On Sat, May 31, 2014 at 08:43:12AM +0200, Herbert J. Skuhra wrote:
> On Wed, 28 May 2014 01:10:01 GMT
> Scott Robbins wrote:
>
> > The following reply was made to PR kern/186360; it has been noted by GNATS.
> >
> > From: Scott Robbins
> > To: joeb1
> > Cc: bug-followup@FreeBSD.org
> > Subject: Re: kern/186360: [jail] jail using nullfs and unionfs doesn't
> > mount devfs
> > Date: Tue, 27 May 2014 21:05:18 -0400
> >
> > On Mon, May 26, 2014 at 06:56:31PM -0400, joeb1 wrote:
> > > jail(8) became available in 9.1-RELEASE and was very buggy.
> > > Some things got fixed in 9.2 but not the mount devfs function.
> > > Even in 10.0-RELEASE the mount devfs function was still broken.
> > >
> > > It finally got fixed in 10.0-RELEASE-p1
> >
> > I am still having the issue with 10.0-RELEASE-p1
>
> It has been fixed in 10.0-RELEASE-p2.
>
> Make sure that you have
>
> devfs_load_rulesets="YES"   # Enable to always load the default rulesets
>
> instead of

I tried this on 10.0-RELEASE-p3. The problem wasn't that a ruleset wasn't applied, the problem is that there is nothing mounted on /dev.
It's still not working for me, however, I've only tried it on one machine, and probably won't have a chance to try on others for a few days.

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

From owner-freebsd-jail@FreeBSD.ORG Sun Jun 1 00:23:11 2014
Message-ID: <538A7059.7070500@sky-ip.org>
Date: Sun, 01 Jun 2014 03:14:17 +0300
From: s7r
Reply-To: s7r@sky-ip.org
To: freebsd-jail@freebsd.org
Subject: cannot access internet from jail, help needed please
Hi,

I am trying to build a jail on FreeBSD 10.0 amd64 and it cannot access the internet. Here are the steps I followed:

1. install ezjail from ports and enable it in rc.conf

2. My server has 3 public IPv4 addresses. Add one of them as an alias
(for the jail):
# ifconfig em0 alias netmask 255.255.255.255
# echo 'ifconfig_em0_alias0="inet netmask 255.255.255.255"' >> /etc/rc.conf

3. enable ip forwarding
# sysctl net.inet.ip.forwarding=1

4. create the jail with the dedicated IP added as an alias

5. provide a name resolver in jail's /etc/resolv.conf

6. start the jail
# service ezjail start

7. console into the jail
# ezjail-admin console

8. cannot access the internet. cannot use ports, cannot do anything.

The public IP address assigned to the jail is PINGable from the outside (another server) and also PINGable from the host.

What is wrong here? I have searched the forums and everywhere on the internet and saw no mistake or no steps missed.
--
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Sun Jun 1 00:31:04 2014
Message-ID: <538A743E.2030203@erdgeist.org>
Date: Sun, 01 Jun 2014 02:30:54 +0200
From: Dirk Engling
To: s7r@sky-ip.org, freebsd-jail@freebsd.org
Subject: Re: cannot access internet from jail, help needed please
In-Reply-To: <538A7059.7070500@sky-ip.org>
On 01.06.14 02:14, s7r wrote:

> 8. cannot access the internet. cannot use ports, cannot do
> anything.
>
> The public IP address assigned to the jail is PINGable from the
> outside (another server) and also PINGable from the host.

If you run ifconfig em0 inside the jail, can you see the ip address configured? What exactly is the error message if you try something like connecting to google.com:

  telnet 173.194.32.243 80

I am currently working on a troubleshooting subcommand to ezjail that tries to identify all possible causes of headaches. So failing connections from jails to the outside world should be diagnosed and I hope I can include your (solved) case to the tests ;)

erdgeist

From owner-freebsd-jail@FreeBSD.ORG Sun Jun 1 00:33:35 2014
Message-ID: <538A74D9.6050401@erdgeist.org>
Date: Sun, 01 Jun 2014 02:33:29 +0200
From: Dirk Engling
To: s7r@sky-ip.org, freebsd-jail@freebsd.org
Subject: Re: cannot access internet from jail, help needed please
In-Reply-To: <538A7059.7070500@sky-ip.org>

On 01.06.14 02:14, s7r wrote:

> 2. My server has 3 public IPv4 addresses. Add one of them as an
> alias (for the jail): # ifconfig em0 alias netmask
> 255.255.255.255

Also did you check that the jail's addresses are inside the net
configured netblock and you do not have routing table entries that
might divert or block traffic, i.e. is there a firewall, if so what
are its rules?
erdgeist

From owner-freebsd-jail@FreeBSD.ORG Sun Jun 1 00:38:52 2014
P44qRlIZ+MIOCW6zP7vC1OGhA4YRFvnGZgH3kllPAdZf8J7UZrgUZozl4Wu6Pee3Tn2e aMGw== X-Gm-Message-State: ALoCoQmVq0PCj6FDoUaD+lwTN9k3LLtbBsUBjNSYGI1bTFa6V8RjQ54+QKPm1CgHlPcvhp8ZvbLQ X-Received: by 10.50.62.40 with SMTP id v8mr8641855igr.21.1401583131431; Sat, 31 May 2014 17:38:51 -0700 (PDT) Received: from [172.31.35.2] (75-128-101-59.dhcp.sgnw.mi.charter.com. [75.128.101.59]) by mx.google.com with ESMTPSA id g2sm17045729igc.12.2014.05.31.17.38.50 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 31 May 2014 17:38:50 -0700 (PDT) References: <538A7059.7070500@sky-ip.org> <538A74D9.6050401@erdgeist.org> Mime-Version: 1.0 (1.0) In-Reply-To: <538A74D9.6050401@erdgeist.org> Content-Type: multipart/signed; micalg=sha1; boundary=Apple-Mail-AC5E9367-B0D2-4AE8-BE3E-7D34FEFF7929; protocol="application/pkcs7-signature" Content-Transfer-Encoding: 7bit Message-Id: X-Mailer: iPhone Mail (11B554a) From: Jason Hellenthal Subject: Re: cannot access internet from jail, help needed please Date: Sat, 31 May 2014 20:38:47 -0400 To: Dirk Engling X-Content-Filtered-By: Mailman/MimeDel 2.1.18 Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Jun 2014 00:38:52 -0000 --Apple-Mail-AC5E9367-B0D2-4AE8-BE3E-7D34FEFF7929 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Also note . . . does the jail have a default route installed for the public= network . . .=20 --=20 Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN > On May 31, 2014, at 20:33, Dirk Engling wrote: >=20 > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 >=20 >> On 01.06.14 02:14, s7r wrote: >>=20 >> 2. My server has 3 public IPv4 addresses. 
Add one of them as an >> alias (for the jail): # ifconfig em0 alias netmask >> 255.255.255.255 >=20 > Also did you check that the jail's addresses are inside the net > configured netblock and you do not have routing table entries that > might divert or block traffic, i.e. is there a firewalls, if so what > are its rules? >=20 > erdgeist > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (Darwin) >=20 > iEYEARECAAYFAlOKdNkACgkQuN1wFypsMNN1nwCeNoEbJkskow8Vw+Y/BfWCcyQt > kgYAn0syfyunUNyiCzE8a+0jqSTrL+cr > =3DfJZ6 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" --Apple-Mail-AC5E9367-B0D2-4AE8-BE3E-7D34FEFF7929 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIUOTCCBjAw ggUYoAMCAQICAwaijjANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0 YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcx ODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgQ2xpZW50IENB MB4XDTEzMDUxODA4NTA0OFoXDTE0MDUxOTIyMDk0N1owSDEfMB0GA1UEAwwWamhlbGxlbnRoYWxA ZGF0YWl4Lm5ldDElMCMGCSqGSIb3DQEJARYWamhlbGxlbnRoYWxAZGF0YWl4Lm5ldDCCASIwDQYJ KoZIhvcNAQEBBQADggEPADCCAQoCggEBALgnYFS1bWZr3KhKBzWAdRwrY+En+RRV8nCaYubqrMG+ YJbuenaIKSbIuFiDWipW4RHYTpE28pKaSnaVTG9WtAZvsWj0gYN9g2fYCnCOUceES2Yvi3RavxpB hsuzKIfsHb8iNNSEuczLu6gn4mQyaHwE4x6xSUKmbK8njR+YoF522F60wjsnq5dlOJdTrhDfObE5 5P23279WbRp8azgZX1VRB66wdKRDuSI1vBts4Nsha2paXd6HUUduHrPACBQREJTGXN8XtEKVwo63 aKUhRgtUwHNEuSWck/xwVl7PBUWH2dORAWTCqHjNuCKNOQ1/0LMiyMj7FdsBjN4dgL4YZpsCAwEA AaOCAtwwggLYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr BgEFBQcDBDAdBgNVHQ4EFgQU29qUrmZtgQ7ZVoDKogfpJOSfk+YwHwYDVR0jBBgwFoAUU3Ltkpzg 
From owner-freebsd-jail@FreeBSD.ORG Sun Jun 1 02:54:03 2014
Date: Sun, 1 Jun 2014 10:53:55 +0800
From: Erich Dollansky
To: s7r@sky-ip.org
Subject: Re: cannot access internet from jail, help needed please
Message-ID: <20140601105355.46b87722@X220.alogt.com>
In-Reply-To: <538A7059.7070500@sky-ip.org>
Cc: freebsd-jail@freebsd.org

Hi,

On Sun, 01 Jun 2014 03:14:17 +0300
s7r wrote:

>
> 2. My server has 3 public IPv4 addresses. Add one of them as an alias
> (for the jail):
> # ifconfig em0 alias netmask 255.255.255.255
> # echo 'ifconfig_em0_alias0="inet netmask 255.255.255.255"' >>
> /etc/rc.conf
>

I always prepare the following files before I create a jail:

group
inetd.conf
master.passwd
rc.conf
resolv.conf

Do you have all of them inside the jail with the proper details of the jail?

Erich

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 00:12:25 2014
Message-ID: <53979DA8.60002@sky-ip.org>
Date: Wed, 11 Jun 2014 03:07:04 +0300
From: "s7r@sky-ip.org"
Reply-To: s7r@sky-ip.org
To: freebsd-jail@freebsd.org
Subject: Assign Lookback address 127.0.0.1 to jail

Hi,

Operating system is FreeBSD 10.0 64 Bit

I have installed ezjail from ports and properly configured a jail with its own static and dedicated IP address. Everything works good, it's just that I have an application which requires to talk to another one via RPC on IP 127.0.0.1, and I have noticed the jail does not have a lo0 interface or localhost 127.0.0.1 IP address. This is bad because the application has no choice but to bind to the public IP address assigned to the jail, and it's not safe.

How can I add a lo0 interface with IP 127.0.0.1 to a jail?

Thanks in advance.

--
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 00:20:48 2014
Message-ID: <5397A0D9.403@freebsd.org>
Date: Tue, 10 Jun 2014 20:20:41 -0400
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: Assign Lookback address 127.0.0.1 to jail
References: <53979DA8.60002@sky-ip.org>
In-Reply-To: <53979DA8.60002@sky-ip.org>

On 2014-06-10 20:07, s7r@sky-ip.org wrote:
> Hi,
>
> Operating system is FreeBSD 10.0 64 Bit
>
> I have installed ezjail from ports and properly configured a jail with
> its own static and dedicated IP address. Everything works good, it's
> just that I have an application which requires to talk to another one
> via RPC on IP 127.0.0.1, and I have noticed the jail does not have a
> lo0 interface or localhost 127.0.0.1 IP address.
>
> This is bad because the application has no choice but to bind to the
> public IP address assigned to the jail, and it's not safe.
>
> How can I add a lo0 interface with IP 127.0.0.1 to a jail?
>
> Thanks in advance.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

Does it have to be 127.0.0.1? You can add an alias like 127.0.0.2 to the
lo0 interface and use that.

Inside the jail, 127.0.0.1 is mapped to the IP of the jail.

Using ezjail, you can also allocate more than 1 IP address to a jail by
comma separating them

You can also make it automatically alias the IPs for you with the syntax:

em0|192.168.0.10,lo0|127.0.0.2 etc

--
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 00:23:08 2014
Message-ID: <5397A16E.8080504@sky-ip.org>
Date: Wed, 11 Jun 2014 03:23:10 +0300
From: "s7r@sky-ip.org"
Reply-To: s7r@sky-ip.org
To: freebsd-jail@freebsd.org
Subject: Re: Assign Lookback address 127.0.0.1 to jail
References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org>
In-Reply-To: <5397A0D9.403@freebsd.org>


On 6/11/2014 3:20 AM, Allan Jude wrote:
> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>> Hi,
>>
>> Operating system is FreeBSD 10.0 64 Bit
>>
>> I have installed ezjail from ports and properly configured a jail
>> with its own static and dedicated IP address. Everything works
>> good, it's just that I have an application which requires to talk
>> to another one via RPC on IP 127.0.0.1, and I have noticed the
>> jail does not have a lo0 interface or localhost 127.0.0.1 IP
>> address.
>>
>> This is bad because the application has no choice but to bind to
>> the public IP address assigned to the jail, and it's not safe.
>>
>> How can I add a lo0 interface with IP 127.0.0.1 to a jail?
>>
>> Thanks in advance.
>>
>
> Does it have to be 127.0.0.1? You can add an alias like 127.0.0.2
> to the lo0 interface and use that.
>
> Inside the jail, 127.0.0.1 is mapped to the IP of the jail.
>
> Using ezjail, you can also allocate more than 1 IP address to a
> jail by comma separating them
>
> You can also make it automatically alias the IPs for you with the
> syntax:
>
> em0|192.168.0.10,lo0|127.0.0.2 etc
>
>

Thank you Allan for your fast reply.

I have the jail already created via:
# ezjail-admin create

How do I modify the already existing jail to have 127.0.0.2, for
example, or can't I just have 127.0.0.1 in the jail?

--
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 00:28:48 2014
Message-ID: <5397A2C3.1090109@freebsd.org>
Date: Tue, 10 Jun 2014 20:28:51 -0400
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: Assign Lookback address 127.0.0.1 to jail
References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org>
In-Reply-To: <5397A16E.8080504@sky-ip.org>

On 2014-06-10 20:23, s7r@sky-ip.org wrote:
> On 6/11/2014 3:20 AM, Allan Jude wrote:
>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>> Hi,
>>>
>>> Operating system is FreeBSD 10.0 64 Bit
>>>
>>> I have installed ezjail from ports and properly configured a jail
>>> with its own static and dedicated IP address. Everything works
>>> good, it's just that I have an application which requires to talk
>>> to another one via RPC on IP 127.0.0.1, and I have noticed the
>>> jail does not have a lo0 interface or localhost 127.0.0.1 IP
>>> address.
>>>
>>> This is bad because the application has no choice but to bind to
>>> the public IP address assigned to the jail, and it's not safe.
>>>
>>> How can I add a lo0 interface with IP 127.0.0.1 to a jail?
>>>
>>> Thanks in advance.
>>>
>
>> Does it have to be 127.0.0.1? You can add an alias like 127.0.0.2
>> to the lo0 interface and use that.
>
>> Inside the jail, 127.0.0.1 is mapped to the IP of the jail.
>
>> Using ezjail, you can also allocate more than 1 IP address to a
>> jail by comma separating them
>
>> You can also make it automatically alias the IPs for you with the
>> syntax:
>
>> em0|192.168.0.10,lo0|127.0.0.2 etc
>
>
>
> Thank you Allan for your fast reply.
>
> I have the jail already created via:
> # ezjail-admin create
>
> How do I modify the already existing jail to have 127.0.0.2, for
> example, or can't I just have 127.0.0.1 in the jail?
>

Stop the jail, and then edit /usr/local/etc/ezjail/jail_name

and change the line that defines the IPs

--
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 01:19:11 2014
Message-ID: <5397AE8F.8020000@sky-ip.org>
Date: Wed, 11 Jun 2014 04:19:11 +0300
From: "s7r@sky-ip.org"
Reply-To: s7r@sky-ip.org
To: freebsd-jail@freebsd.org
Subject: Re: Assign Lookback address 127.0.0.1 to jail
References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org>
In-Reply-To: <5397A2C3.1090109@freebsd.org>

On 6/11/2014 3:28 AM, Allan Jude wrote:
> On 2014-06-10 20:23, s7r@sky-ip.org wrote:
>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>>> Hi,
>>>>
>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>
>>>> I have installed ezjail from ports and properly configured a
>>>> jail with its own static and dedicated IP address. Everything
>>>> works good, it's just that I have an application which
>>>> requires to talk to another one via RPC on IP 127.0.0.1, and
>>>> I have noticed the jail does not have a lo0 interface or
>>>> localhost 127.0.0.1 IP address.
>>>>
>>>> This is bad because the application has no choice but to bind
>>>> to the public IP address assigned to the jail, and it's not
>>>> safe.
>>>>
>>>> How can I add a lo0 interface with IP 127.0.0.1 to a jail?
>>>>
>>>> Thanks in advance.
>>>>
>>
>>> Does it have to be 127.0.0.1? You can add an alias like
>>> 127.0.0.2 to the lo0 interface and use that.
>>
>>> Inside the jail, 127.0.0.1 is mapped to the IP of the jail.
>>
>>> Using ezjail, you can also allocate more than 1 IP address to
>>> a jail by comma separating them
>>
>>> You can also make it automatically alias the IPs for you with
>>> the syntax:
>>
>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>
>>
>>
>> Thank you Allan for your fast reply.
>>
>> I have the jail already created via: # ezjail-admin create
>>
>>
>> How do I modify the already existing jail to have 127.0.0.2, for
>> example, or can't I just have 127.0.0.1 in the jail?
>>
>
> Stop the jail, and then edit /usr/local/etc/ezjail/jail_name
>
> and change the line that defines the IPs
>

Thank you it works, with 127.0.0.2

If I try to add 127.0.0.1 will this create any conflicts with the host
or will it work? Because I have something important listening on
host's 127.0.0.1 and don't want to mess up. I would need the same
configuration within the jail also, so that's why I need the .1
localhost IP.

--
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 01:46:38 2014
References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org> <5397AE8F.8020000@sky-ip.org>
In-Reply-To: <5397AE8F.8020000@sky-ip.org>
Message-Id: <8B8FC782-7DF2-4BD3-883D-4ADE7E07822A@dataix.net>
From: Jason Hellenthal
Subject: Re: Assign Lookback address 127.0.0.1 to jail
Date: Tue, 10 Jun 2014 21:46:30 -0400
To: "s7r@sky-ip.org"
Cc: "freebsd-jail@freebsd.org"


You could just go with building the host kernel with VIMAGE . . . Then each jail has its own virtual network stack.

--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN

> On Jun 10, 2014, at 21:19, "s7r@sky-ip.org" wrote:
>
>> On 6/11/2014 3:28 AM, Allan Jude wrote:
>>> On 2014-06-10 20:23, s7r@sky-ip.org wrote:
>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>>>> Hi,
>>>>>
>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>
>>>>> I have installed ezjail from ports and properly configured a
>>>>> jail with its own static and dedicated IP address. Everything
>>>>> works good, it's just that I have an application which
>>>>> requires to talk to another one via RPC on IP 127.0.0.1, and
>>>>> I have noticed the jail does not have a lo0 interface or
>>>>> localhost 127.0.0.1 IP address.
>>>>>
>>>>> This is bad because the application has no choice but to bind
>>>>> to the public IP address assigned to the jail, and it's not
>>>>> safe.
>>>>>
>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a jail?
>>>>>
>>>>> Thanks in advance.
>>>
>>>> Does it have to be 127.0.0.1? You can add an alias like
>>>> 127.0.0.2 to the lo0 interface and use that.
>>>
>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the jail.
>>>
>>>> Using ezjail, you can also allocate more than 1 IP address to
>>>> a jail by comma separating them
>>>
>>>> You can also make it automatically alias the IPs for you with
>>>> the syntax:
>>>
>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>
>>>
>>>
>>> Thank you Allan for your fast reply.
>>>
>>> I have the jail already created via: # ezjail-admin create
>>>
>>>
>>> How do I modify the already existing jail to have 127.0.0.2, for
>>> example, or can't I just have 127.0.0.1 in the jail?
>>>
>>
>> Stop the jail, and then edit /usr/local/etc/ezjail/jail_name
>>
>> and change the line that defines the IPs
>
> Thank you it works, with 127.0.0.2
>
> If I try to add 127.0.0.1 will this create any conflicts with the host
> or will it work? Because I have something important listening on
> host's 127.0.0.1 and don't want to mess up. I would need the same
> configuration within the jail also, so that's why I need the .1
> localhost IP.
>
> --
> s7r
> PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
> PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
AaOCAtwwggLYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr BgEFBQcDBDAdBgNVHQ4EFgQUzDac0huOVpzovDj7gQlVDDg1z4swHwYDVR0jBBgwFoAUU3Ltkpzg 2ssBXHx+ljVO8tS4UYIwIQYDVR0RBBowGIEWamhlbGxlbnRoYWxAZGF0YWl4Lm5ldDCCAUwGA1Ud IASCAUMwggE/MIIBOwYLKwYBBAGBtTcBAgMwggEqMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0 YXJ0c3NsLmNvbS9wb2xpY3kucGRmMIH3BggrBgEFBQcCAjCB6jAnFiBTdGFydENvbSBDZXJ0aWZp Y2F0aW9uIEF1dGhvcml0eTADAgEBGoG+VGhpcyBjZXJ0aWZpY2F0ZSB3YXMgaXNzdWVkIGFjY29y ZGluZyB0byB0aGUgQ2xhc3MgMSBWYWxpZGF0aW9uIHJlcXVpcmVtZW50cyBvZiB0aGUgU3RhcnRD b20gQ0EgcG9saWN5LCByZWxpYW5jZSBvbmx5IGZvciB0aGUgaW50ZW5kZWQgcHVycG9zZSBpbiBj b21wbGlhbmNlIG9mIHRoZSByZWx5aW5nIHBhcnR5IG9ibGlnYXRpb25zLjA2BgNVHR8ELzAtMCug KaAnhiVodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9jcnR1MS1jcmwuY3JsMIGOBggrBgEFBQcBAQSB gTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9jbGll bnQvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFz czEuY2xpZW50LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJ KoZIhvcNAQELBQADggEBABTurlkTDTe7R/3Va4AJzgeLybzHTijxvU9VE985fuKRBxS3x0cjKODM Gv4ynlsHCZHONGouIbuU1W0dcaiWA2Qxo0gqwXoGFZ65ERgRhot1n8UKQTvVKg/qhd2RGgqaqFFY qagXQAPglmpyvq3Hk6AN0E9XqAnbWCVaXUk0Al/TgZlCFtfE1NxfSkfF6u4ffkhj3AHHkbtBXsAe aSVF/ZJ7ET4Ji//oozVxJktOFQzb96HgMYKMk/YSznIqt3guY3KJbahQiVouWErvQaMYsXX5JUOQ YjnSa2/axNOTnUCPhDrgoS7BAJtJvNao8XWkRpp8RqqqhIywhrCsQlkRj7MwggY0MIIEHKADAgEC AgEeMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQu MSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMSkwJwYDVQQDEyBT dGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzEwMjQyMTAxNTVaFw0xNzEwMjQy MTAxNTVaMIGMMQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xh c3MgMSBQcmltYXJ5IEludGVybWVkaWF0ZSBDbGllbnQgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQDHCYPMzi3YGrEppC4Tq5a+ijKDjKaIQZZVR63UbxIP6uq/I0fhCu+cQhoUfE6E 
RKKnu8zPf1Jwuk0tsvVCk6U9b+0UjM0dLep3ZdE1gblK/1FwYT5Pipsu2yOMluLqwvsuz9/9f1+1 PKHG/FaR/wpbfuIqu54qzHDYeqiUfsYzoVflR80DAC7hmJ+SmZnNTWyUGHJbBpA8Q89lGxahNvur yGaC/o2/ceD2uYDX9U8Eg5DpIpGQdcbQeGarV04WgAUjjXX5r/2dabmtxWMZwhZna//jdiSyrrSM TGKkDiXm6/3/4ebfeZuCYKzN2P8O2F/Xe2AC/Y7zeEsnR7FOp+uXAgMBAAGjggGtMIIBqTAPBgNV HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUU3Ltkpzg2ssBXHx+ljVO8tS4 UYIwHwYDVR0jBBgwFoAUTgvvGqRAW6UXaYcwyjRoQ9BBrvIwZgYIKwYBBQUHAQEEWjBYMCcGCCsG AQUFBzABhhtodHRwOi8vb2NzcC5zdGFydHNzbC5jb20vY2EwLQYIKwYBBQUHMAKGIWh0dHA6Ly93 d3cuc3RhcnRzc2wuY29tL3Nmc2NhLmNydDBbBgNVHR8EVDBSMCegJaAjhiFodHRwOi8vd3d3LnN0 YXJ0c3NsLmNvbS9zZnNjYS5jcmwwJ6AloCOGIWh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3Nmc2Nh LmNybDCBgAYDVR0gBHkwdzB1BgsrBgEEAYG1NwECATBmMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3 LnN0YXJ0c3NsLmNvbS9wb2xpY3kucGRmMDQGCCsGAQUFBwIBFihodHRwOi8vd3d3LnN0YXJ0c3Ns LmNvbS9pbnRlcm1lZGlhdGUucGRmMA0GCSqGSIb3DQEBBQUAA4ICAQAKgwh9eKssBly4Y4xerhy5 I3dNoXHYfYa8PlVLL/qtXnkFgdtY1o95CfegFJTwqBBmf8pyTUnFsukDFUI22zF5bVHzuJ+GxhnS qN2sD1qetbYwBYK2iyYA5Pg7Er1A+hKMIzEzcduRkIMmCeUTyMyikfbUFvIBivtvkR8ZFAk22BZy +pJfAoedO61HTz4qSfQoCRcLN5A0t4DkuVhTMXIzuQ8CnykhExD6x4e6ebIbrjZLb7L+ocR0y4Yj Cl/Pd4MXU91y0vTipgr/O75CDUHDRHCCKBVmz/Rzkc/b970MEeHt5LC3NiWTgBSvrLEuVzBKM586 YoRD9Dy3OHQgWI270g+5MYA8GfgI/EPT5G7xPbCDz+zjdH89PeR3U4So4lSXur6H6vp+m9TQXPF3 a0LwZrp8MQ+Z77U1uL7TelWO5lApsbAonrqASfTpaprFVkL4nyGH+NHST2ZJPWIBk81i6Vw0ny0q ZW2Niy/QvVNKbb43A43ny076khXO7cNbBIRdJ/6qQNq9Bqb5C0Q5nEsFcj75oxQRqlKf6TcvGbjx kJh8BYtv9ePsXklAxtm8J7GCUBthHSQgepbkOexhJ0wP8imUkyiPHQ0GvEnd83129fZjoEhdGwXV 27ioRKbj/cIq7JRXun0NbeY+UdMYu9jGfIpDLtUUGSgsg2zMGs5R4jCCB8kwggWxoAMCAQICAQEw DQYJKoZIhvcNAQEFBQAwfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0 Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA2MDkxNzE5NDYzNloXDTM2MDkxNzE5NDYz NlowfTELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3Vy 
ZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxKTAnBgNVBAMTIFN0YXJ0Q29tIENlcnRpZmlj YXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwYjbCbxsRnx4 n5V7tTOQ8nJi1sE2ICIkXs7pd/JDCqIGZKTMjjb4OOYj8G5tsTzdcqOFHKHTPbQzK9Mvr/7qsEFZ Z7bEBn0KnnSF1nlMgDd63zkFUln39BtGQ6TShYXSw3HzdWI0uiyKfx6P7u000BHHls1SPboz1t1N 3gs7SkufwiYv+rUWHHI1d8o8XebK4SaLGjZ2XAHbdBQl/u21oIgP3XjKLR8HlzABLXJ5+kbWEyqo uaarg0kd5fLv3eQBjhgKj2NTFoViqQ4ZOsy1ZqbCa3QH5Cvhdj60bdj2ROFzYh87xL6gU1YlbFEJ 96qryr92/W2b853bvz1mvAxWqq+YSJU6S9+nWFDZOHWpW+pDDAL/mevobE1wWyllnN2qXcyvATHs DOvSjejqnHvmbvcnZgwaSNduQuM/3iE+e+ENcPtjqqhsGlS0XCV6yaLJixamuyx+F14FTVhuEh0B 7hIQDcYyfxj//PT6zW6R6DZJvhpIaYvClk0aErJpF8EKkNb6eSJIv7p7afhwx/p6N9jYDdJ2T1f/ kLfjkdLd78Jgt2c63f6qnPDUi39yIs7Gn5e2+K+KoBCo2fsYxra1XFI8ibYZKnMBCg8DsxJg8nov gdujbv8mMJf1i92JV7atPbOvK8W3dgLwpdYrmoYUKnL24zOMXQlLE9+7jHQTUksCAwEAAaOCAlIw ggJOMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgGuMB0GA1UdDgQWBBROC+8apEBbpRdphzDKNGhD 0EGu8jBkBgNVHR8EXTBbMCygKqAohiZodHRwOi8vY2VydC5zdGFydGNvbS5vcmcvc2ZzY2EtY3Js LmNybDAroCmgJ4YlaHR0cDovL2NybC5zdGFydGNvbS5vcmcvc2ZzY2EtY3JsLmNybDCCAV0GA1Ud IASCAVQwggFQMIIBTAYLKwYBBAGBtTcBAQEwggE7MC8GCCsGAQUFBwIBFiNodHRwOi8vY2VydC5z dGFydGNvbS5vcmcvcG9saWN5LnBkZjA1BggrBgEFBQcCARYpaHR0cDovL2NlcnQuc3RhcnRjb20u b3JnL2ludGVybWVkaWF0ZS5wZGYwgdAGCCsGAQUFBwICMIHDMCcWIFN0YXJ0IENvbW1lcmNpYWwg KFN0YXJ0Q29tKSBMdGQuMAMCAQEagZdMaW1pdGVkIExpYWJpbGl0eSwgcmVhZCB0aGUgc2VjdGlv biAqTGVnYWwgTGltaXRhdGlvbnMqIG9mIHRoZSBTdGFydENvbSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eSBQb2xpY3kgYXZhaWxhYmxlIGF0IGh0dHA6Ly9jZXJ0LnN0YXJ0Y29tLm9yZy9wb2xpY3ku cGRmMBEGCWCGSAGG+EIBAQQEAwIABzA4BglghkgBhvhCAQ0EKxYpU3RhcnRDb20gRnJlZSBTU0wg Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwDQYJKoZIhvcNAQEFBQADggIBABZsmfRmDDT10IVefQrs 2hBOOBxe36YlBUuRMsHoO/E93UQJWwdJiinLZgK3sZr3JZgJPI4b4d02hytLu2jTOWY9oCbH8jmR HVGrgnt+1c5a5OIDV3Bplwj5XlimCt+MBppFFhY4Cl5X9mLHegIF5rwetfKe9Kkpg/iyFONuKIdE w5Aa3jipPKxDTWRFzt0oqVzyc3sE+Bfoq7HzLlxkbnMxOhK4vLMR5H2PgVGaO42J9E2TZns8A+3T 
mh2a82VQ9aDQdZ8vr/DqgkOY+GmciXnEQ45GcuNkNhKv9yUeOImQd37Da2q5w8tES6x4kIvnxywe SxFEyDRSJ80KXZ+FwYnVGnjylRBTMt2AhGZ12bVoKPthLr6EqDjAmRKGpR5nZK0GLi+pcIXHlg98 iWX1jkNUDqvdpYA5lGDANMmWcCyjEvUfSHu9HH5rt52Q9CI7rvj8Ksr6glKg769LVZPrwbXwIous NE4mIgShhyx1SrflfRPXuAxkwDbSyS+GEowjCcEbgjtzSaNqV4eU5dZ4xZlDY+NN4Hct4WWZcmkE GkcJ5g8BViT7H78OealYLrnECQF+lbptAAY+supKEDnY0Cv1v+x1v5cCxQkbCNxVN+KB+zeEQ2Ig yudWS2Xq/mzBJJMkoTTrBf+aIq6bfT/xZVEKpjBqs/SIHIAN/HKK6INeMYIDbzCCA2sCAQEwgZQw gYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUg RGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFBy aW1hcnkgSW50ZXJtZWRpYXRlIENsaWVudCBDQQIDCiHDMAkGBSsOAwIaBQCgggGvMBgGCSqGSIb3 DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTE0MDYxMTAxNDYzMlowIwYJKoZIhvcN AQkEMRYEFEBsCDhdiH56hsKPNan5GjpPkPDAMIGlBgkrBgEEAYI3EAQxgZcwgZQwgYwxCzAJBgNV BAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQLEyJTZWN1cmUgRGlnaXRhbCBD ZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50 ZXJtZWRpYXRlIENsaWVudCBDQQIDCiHDMIGnBgsqhkiG9w0BCRACCzGBl6CBlDCBjDELMAkGA1UE BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBEaWdpdGFsIENl cnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRl cm1lZGlhdGUgQ2xpZW50IENBAgMKIcMwDQYJKoZIhvcNAQEBBQAEggEASrWk+bTy1+1qdAs2pbON kHoPKuE6THWdKpJBL15RArR2y06tTP/CfxE31PegSWuX/aVaisZ6wPvG09xIwkbbGzsuR9n1Pcvr zJDfx2vETZ1dl9xH2SITCnNlp+l+CGaXlhe+HIJKt04GqosIpfmM6jN8VLvrMX0gQH7/5rYpIFtE 4cE2oM1kf/2jm2TWaaf1qVw0IGQPOiJcLVC+AogZB1tj+zb+Z0pZQ8iklltd4QiPjLKmVXLE8mcR gwtVX+pTTB3SCLdiMkmG/yqwPrZTBJ7s2EZrf3OriNuydfzWEeVGtEt2oqJ8T/HeiNMRsU3pcYo+ ga3Satk6+Q7Bxp+CtAAAAAAAAA== --Apple-Mail-B5BB1EFA-FDEE-41BC-ABFF-7049AEAE9080-- From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 01:49:33 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with 
ESMTPS id B6CAB7C2 for ; Wed, 11 Jun 2014 01:49:33 +0000 (UTC) Received: from mx1.scaleengine.net (beauharnois2.bhs1.scaleengine.net [142.4.218.15]) by mx1.freebsd.org (Postfix) with ESMTP id 8F3A92971 for ; Wed, 11 Jun 2014 01:49:32 +0000 (UTC) Received: from [10.1.1.2] (S01060001abad1dea.hm.shawcable.net [50.70.146.73]) (Authenticated sender: allanjude.freebsd@scaleengine.com) by mx1.scaleengine.net (Postfix) with ESMTPSA id A145985CE9 for ; Wed, 11 Jun 2014 01:49:31 +0000 (UTC) Message-ID: <5397B5AD.9090505@freebsd.org> Date: Tue, 10 Jun 2014 21:49:33 -0400 From: Allan Jude User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: freebsd-jail@freebsd.org Subject: Re: Assign Lookback address 127.0.0.1 to jail References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org> <5397AE8F.8020000@sky-ip.org> In-Reply-To: <5397AE8F.8020000@sky-ip.org> X-Enigmail-Version: 1.6 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="kL65ti9oNJET1hiURTmCbWSqUiMxTorvd" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2014 01:49:33 -0000

On 2014-06-10 21:19, s7r@sky-ip.org wrote:
> On 6/11/2014 3:28 AM, Allan Jude wrote:
>> On 2014-06-10 20:23, s7r@sky-ip.org wrote:
>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>>>> Hi,
>>>>>
>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>
>>>>> I have installed ezjail from ports and properly configured a
>>>>> jail with its own static and dedicated IP address. Everything
>>>>> works good, it's just that I have an application which
>>>>> requires to talk to another one via RPC on IP 127.0.0.1, and
>>>>> I have noticed the jail does not have a lo0 interface or
>>>>> localhost 127.0.0.1 IP address.
>>>>>
>>>>> This is bad because the application has no choice but to bind
>>>>> to the public IP address assigned to the jail, and it's not
>>>>> safe.
>>>>>
>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a jail?
>>>>>
>>>>> Thanks in advance.
>>>>> _______________________________________________
>>>>> freebsd-jail@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To
>>>>> unsubscribe, send any mail to
>>>>> "freebsd-jail-unsubscribe@freebsd.org"
>>>>>
>>>
>>>> Does it have to be 127.0.0.1? You can add an alias like
>>>> 127.0.0.2 to the lo0 interface and use that.
>>>
>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the jail.
>>>
>>>> Using ezjail, you can also allocate more than 1 IP address to
>>>> a jail by comma separating them
>>>
>>>> You can also make it automatically alias the IPs for you with
>>>> the syntax:
>>>
>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>
>>>
>>>
>>> Thank you Allan for your fast reply.
>>>
>>> I have the jail already created via: # ezjail-admin create
>>>
>>>
>>> How do I modify the already existing jail to have 127.0.0.2, for
>>> example, or can't I just have 127.0.0.1 in the jail?
>>>
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To
>>> unsubscribe, send any mail to
>>> "freebsd-jail-unsubscribe@freebsd.org"
>>>
>
>> Stop the jail, and then edit /usr/local/etc/ezjail/jail_name
>
>> and change the line that defines the IPs
>
>
> Thank you it works, with 127.0.0.2
>
> If I try to add 127.0.0.1 will this create any conflicts with the host
> or will it work? Because i have something important listening on
> hosts's 127.0.0.1 and don't want to mess up. I would need the same
> configuration within the jail also, so that's why I need the .1
> localhost IP.
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

When the host and the jail share an IP, the jail wins. So, if you run
sshd on both, then ssh'ing to the shared IP will go to the jail.

However, if you don't run sshd in the jail and you do on the host, the
connection will 'fall through' to the host.

So, as long as the jail isn't going to use the same port # as your
important app, you can share.

--
Allan Jude

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 19:53:41 2014
Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9FDC4EAF for ; Wed, 11 Jun 2014 19:53:41 +0000 (UTC) Received: from outbound.mailhostbox.com (outbound.mailhostbox.com [162.222.225.22]) by mx1.freebsd.org (Postfix) with ESMTP id 6424C2EA6 for ; Wed, 11 Jun 2014 19:53:41 +0000 (UTC) Received: from [192.168.1.2] (unknown [109.99.157.72]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: s7r@sky-ip.org) by outbound.mailhostbox.com (Postfix) with ESMTPSA id 802A7638E0F; Wed, 11 Jun 2014 19:53:39 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sky-ip.org; s=20110108; t=1402516421; bh=+YYXhviIVqqxldZzemGOnu269PWX25v2X3vVVpYHB4g=; h=Message-ID:Date:From:Reply-To:MIME-Version:To:CC:Subject: References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=BaLLm5PyR426HrjAK+xPRiTm/snYyx21hVI2UBCNjZnJzppDZDuEwVru1hC7y+B5f /xbUFmIICKd6BcoaSF6cMEhptUIjWU75qqjnKP53NSXDZGSVIyoiIDTPyrxZoj/kMW 8G3oc4Z1hY2/97SWmEgrSL+c6+XF9q5dip2344nE= Message-ID: <5398B3C4.4050009@sky-ip.org> Date: Wed, 11 Jun 2014 22:53:40 +0300 From: "s7r@sky-ip.org" Reply-To: s7r@sky-ip.org User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: Jason Hellenthal Subject: Re: Assign Lookback address 127.0.0.1 to jail References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org> <5397AE8F.8020000@sky-ip.org> <8B8FC782-7DF2-4BD3-883D-4ADE7E07822A@dataix.net> In-Reply-To: <8B8FC782-7DF2-4BD3-883D-4ADE7E07822A@dataix.net> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-CTCH-RefID: str=0001.0A02020A.5398B3C3.01C4, ss=1, re=0.000, recu=0.000, 
reip=0.000, cl=1, cld=1, fgs=0 X-CTCH-VOD: Unknown X-CTCH-Spam: Unknown X-CTCH-Score: 0.000 X-CTCH-Rules: X-CTCH-Flags: 0 X-CTCH-ScoreCust: 0.000 X-CTCH-SenderID: s7r@sky-ip.org X-CTCH-SenderID-TotalMessages: 1 X-CTCH-SenderID-TotalSpam: 0 X-CTCH-SenderID-TotalSuspected: 0 X-CTCH-SenderID-TotalBulk: 0 X-CTCH-SenderID-TotalConfirmed: 0 X-CTCH-SenderID-TotalRecipients: 0 X-CTCH-SenderID-TotalVirus: 0 X-CTCH-SenderID-BlueWhiteFlag: 0 X-Scanned-By: MIMEDefang 2.72 on 172.18.214.134 Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2014 19:53:41 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 6/11/2014 4:46 AM, Jason Hellenthal wrote: > You could just go with building the host kernel with VIMAGE . . . > Then each jail has its own virtual network stack. > > image.png > > -- Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN > > On Jun 10, 2014, at 21:19, "s7r@sky-ip.org > " > > wrote: > > On 6/11/2014 3:28 AM, Allan Jude wrote: >>>> On 2014-06-10 20:23, s7r@sky-ip.org >>>> wrote: >>>>> On 6/11/2014 3:20 AM, Allan Jude wrote: >>>>>> On 2014-06-10 20:07, s7r@sky-ip.org >>>>>> wrote: >>>>>>> Hi, >>>>>>> >>>>>>> Operating system is FreeBSD 10.0 64 Bit >>>>>>> >>>>>>> I have installed ezjail from ports and properly >>>>>>> configured a jail with its own static and dedicated IP >>>>>>> address. Everything works good, it's just that I have >>>>>>> an application which requires to talk to another one >>>>>>> via RPC on IP 127.0.0.1, and I have noticed the jail >>>>>>> does not have a lo0 interface or localhost 127.0.0.1 IP >>>>>>> address. >>>>>>> >>>>>>> This is bad because the application has no choice but >>>>>>> to bind to the public IP address assigned to the jail, >>>>>>> and it's not safe. 
>>>>>>> >>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a >>>>>>> jail? >>>>>>> >>>>>>> Thanks in advance. >>>>>>> _______________________________________________ >>>>>>> freebsd-jail@freebsd.org >>>>>>> mailing list >>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail >>>>>>> To unsubscribe, send any mail to >>>>>>> "freebsd-jail-unsubscribe@freebsd.org >>>>>>> " >>>>>>> >>>>> >>>>>> Does it have to be 127.0.0.1? You can add an alias like >>>>>> 127.0.0.2 to the lo0 interface and use that. >>>>> >>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the >>>>>> jail. >>>>> >>>>>> Using ezjail, you can also allocate more than 1 IP >>>>>> address to a jail by comma separating them >>>>> >>>>>> You can also make it automatically alias the IPs for you >>>>>> with the syntax: >>>>> >>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc >>>>> >>>>> >>>>> >>>>> Thank you Allan for your fast reply. >>>>> >>>>> I have the jail already created via: # ezjail-admin create >>>>> >>>>> >>>>> How do I modify the already existing jail to have >>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1 in >>>>> the jail? >>>>> >>>>> _______________________________________________ >>>>> freebsd-jail@freebsd.org >>>>> mailing list >>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To >>>>> unsubscribe, send any mail to >>>>> "freebsd-jail-unsubscribe@freebsd.org >>>>> " >>>>> >>>> >>>> Stop the jail, and then edit /usr/local/etc/ezjail/jail_name >>>> >>>> and change the line that defines the IPs >>>> > > Thank you it works, with 127.0.0.2 > > If I try to add 127.0.0.1 will this create any conflicts with the > host or will it work? Because i have something important listening > on hosts's 127.0.0.1 and don't want to mess up. I would need the > same configuration within the jail also, so that's why I need the > .1 localhost IP. 
>
>> _______________________________________________
>> freebsd-jail@freebsd.org
>> mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To
>> unsubscribe, send any mail to
>> "freebsd-jail-unsubscribe@freebsd.org
>> "

Hey Jason

Thanks for your suggestion. Can you please elaborate a little bit and
tell me how can I do this step by step? I have an already installed
system with ezjail and already created one jail - how can I add VIMAGE
to have virtual network stack in each jail without having to reinstall
the host or the jails? Thank you, looking forward for your reply.

- --
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 20:56:34 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 69072F5A for ; Wed, 11 Jun 2014 20:56:34 +0000 (UTC) Received: from mail-qc0-x236.google.com (mail-qc0-x236.google.com [IPv6:2607:f8b0:400d:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1D7542525 for ; Wed, 11 Jun 2014 20:56:34 +0000 (UTC)
Received: by mail-qc0-f182.google.com with SMTP id m20so549114qcx.27 for ; Wed, 11 Jun 2014 13:56:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dataix.net; s=rsa; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2Ad7nPAeXYnkchVTnQWC/ZSXWKy3y1qyGDjWqO5CzyM=; b=gr5RmThxhjdpL0IJi0ZQc4UMGgx/eZNgXCATGEiIF5lFO8gLBhq2eTlbW813u7Y01L N+S+0ooJXjzbJW7v7/uvYasCBgDjCm/hcpj1A/p8Bwl24Xkm7cgaoz9/e4V65tLSg/fC g17ASr2ueGS8mdXL4SfdMbj6Ur1a9B3KiDX7Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=2Ad7nPAeXYnkchVTnQWC/ZSXWKy3y1qyGDjWqO5CzyM=; b=Kk9c3ybhGh9vKRzywNrSLGN8dGGn9XljSp9NZ0YJmb5XldH7q5y1zT453HcjgR5N/G 0w44TuUQyo1dTzgMHCggdREL8cdrZUOqxulktInvqm8XSq3VawDq/e1z2St6zmkwCRel EX2LUSOXNiBnjIIPr5Rug75euc9aE/zy6co7DUshYWqk3+3IB5JX4ugr18kw4pZ/sxg+ oFHvnN1dSF8MxA4ZYS++Uuz6YQl99qUNVE2Z6/0PjZjOwCtS/rTGNX0U5I3hKGNKaiZi sTVYzwv9Wq1qsaitTIXttve8SxJ43CXRLjuxNgj/0P5NZ/sGRy7tFRMB0Fen68OTXo7n y2vg== X-Gm-Message-State: ALoCoQlVE608QO8NErhauHbFXV1wcpSzscavDnRVKKLj+Wevok3yK4lqyEe9RFrdfby+mq20i5YH MIME-Version: 1.0 X-Received: by 10.140.98.234 with SMTP id o97mr52970432qge.35.1402520193127; Wed, 11 Jun 2014 13:56:33 -0700 (PDT) Received: by 10.140.92.198 with HTTP; Wed, 11 Jun 2014 13:56:33 -0700 (PDT) X-Originating-IP: [75.128.101.59] In-Reply-To: <5398B3C4.4050009@sky-ip.org> References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org> <5397AE8F.8020000@sky-ip.org> <8B8FC782-7DF2-4BD3-883D-4ADE7E07822A@dataix.net> <5398B3C4.4050009@sky-ip.org> Date: Wed, 11 Jun 2014 16:56:33 -0400 Message-ID: Subject: Re: Assign Lookback address 127.0.0.1 to jail From: Jason Hellenthal To: "s7r@sky-ip.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18 Cc: "freebsd-jail@freebsd.org" X-BeenThere: 
freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2014 20:56:34 -0000

Simple.

echo 'options VIMAGE' >>/sys/`uname -p`/conf/GENERIC
cd /usr/src && make buildkernel && make installkernel

Make the necessary adjustments to ensure your system is stable as you want
it to be during testing and then lock the settings for the jails into the
perspective configuration files and the host system's /etc/rc.conf for the
interfaces you will use.

Just an example of my base jail that I use for setting up other jails on
the fly...

exec.stop = "/bin/sh /etc/rc.shutdown";
exec.poststop = "umount /export/cnt/$name/dev";
exec.clean;

mount.devfs;

path = "/export/cnt/$name";

allow.raw_sockets;
allow.socket_af;
vnet = new;

base {
    host.hostname = base;
    vnet.interface = vnet0;
    securelevel = 3;
    exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast 172.X.X.255";
    exec.start += "route add default 172.X.X.1";
    exec.start += "/bin/sh /etc/rc";
}

And in my system's rc.conf...

ifconfig_interface0_name="vnet0"

I actually give my base template jail a full actual interface to work with
so I can segment it off on the network at the switch level and drop it into
another management vlan. But the configuration is simple and similar to
other interfaces virtual or not like if_epair(4).

The rest of the jail configuration as in rc.conf and such within the jail
is the same as if it was not a VIMAGE so you should already be aware of
those details so I won't rattle on with those. But if you have any specific
questions about this as you move through setting up VIMAGE jails feel free
to give me a holler directly or back to this list and I'll be happy to give
you a hand.
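Added example, not part of any message in this thread: a shell check for the condition given earlier in the thread for sharing an address between host and jail (no port used by both), plus a listing of jail listeners still bound to a non-loopback address, which was the original concern. Both sockstat listings are constructed sample data in the default sockstat(1) column layout; the function names are hypothetical, and capturing the host's and the jail's listening sockets as two separate listings is assumed.

```sh
#!/bin/sh
# Added example. Input is sockstat(1) output in its default column layout:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Constructed sample: host processes only.
HOST_SOCKS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     sshd       1200  3  tcp4   192.168.0.2:22        192.168.0.50:51234
svc      rpcd       901   9  tcp4   127.0.0.1:9000        *:*
root     syslogd    640   7  udp4   *:514                 *:*'

# Constructed sample: a jail holding 192.168.0.10 and the shared 127.0.0.1.
JAIL_SOCKS='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1502  4  tcp4   *:22                  *:*
app      rpcd       1610  9  tcp4   127.0.0.1:9000        *:*
app      httpd      1611  5  tcp4   192.168.0.10:8080     *:*'

# listeners ADDR: read sockstat output on stdin, print "proto port" for every
# IPv4 listener that accepts traffic for ADDR (bound to ADDR or to wildcard).
listeners() {
    awk -v want="$1" '
        $1 == "USER"          { next }   # column header
        $5 !~ /^(tcp|udp)4$/  { next }   # IPv4 sockets only
        $7 != "*:*"           { next }   # connected socket, not a listener
        {
            n = split($6, part, ":")
            port = part[n]
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (port == "*") next        # unbound socket
            if (addr == want || addr == "*") print $5, port
        }' | LC_ALL=C sort -u
}

# shadowed_ports HOST_TEXT JAIL_TEXT ADDR: ports on the shared ADDR where both
# sides listen. Per the reply quoted in this thread, the jail takes those
# connections and the host service on the same port is no longer reached.
shadowed_ports() {
    sp_host=$(printf '%s\n' "$1" | listeners "$3")
    printf '%s\n' "$2" | listeners "$3" | while read -r sp_key; do
        if printf '%s\n' "$sp_host" | grep -qxF -- "$sp_key"; then
            echo "$sp_key"
        fi
    done
}

# non_loopback_listeners: read a jail's sockstat output on stdin and print
# "command proto local-address" for listeners not confined to 127.0.0.0/8.
# A wildcard bind counts, because it covers every address the jail holds.
non_loopback_listeners() {
    awk '
        $1 == "USER" || $5 !~ /^(tcp|udp)4$/ || $7 != "*:*" { next }
        {
            n = split($6, part, ":")
            addr = substr($6, 1, length($6) - length(part[n]) - 1)
            if (part[n] != "*" && addr !~ /^127\./) print $2, $5, $6
        }'
}

echo "Ports on 127.0.0.1 answered by the jail instead of the host:"
shadowed_ports "$HOST_SOCKS" "$JAIL_SOCKS" 127.0.0.1
echo "Jail listeners reachable on a non-loopback address:"
printf '%s\n' "$JAIL_SOCKS" | non_loopback_listeners
```

An empty first list means the shared address is safe by the thread's own criterion; any RPC service that shows up in the second list is still exposed on the jail's public address.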
On Wed, Jun 11, 2014 at 3:53 PM, s7r@sky-ip.org wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 6/11/2014 4:46 AM, Jason Hellenthal wrote: > > You could just go with building the host kernel with VIMAGE . . . > > Then each jail has its own virtual network stack. > > > > image.png > > > > -- Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN > > > > On Jun 10, 2014, at 21:19, "s7r@sky-ip.org > > " > > > wrote: > > > > On 6/11/2014 3:28 AM, Allan Jude wrote: > >>>> On 2014-06-10 20:23, s7r@sky-ip.org > >>>> wrote: > >>>>> On 6/11/2014 3:20 AM, Allan Jude wrote: > >>>>>> On 2014-06-10 20:07, s7r@sky-ip.org > >>>>>> wrote: > >>>>>>> Hi, > >>>>>>> > >>>>>>> Operating system is FreeBSD 10.0 64 Bit > >>>>>>> > >>>>>>> I have installed ezjail from ports and properly > >>>>>>> configured a jail with its own static and dedicated IP > >>>>>>> address. Everything works good, it's just that I have > >>>>>>> an application which requires to talk to another one > >>>>>>> via RPC on IP 127.0.0.1, and I have noticed the jail > >>>>>>> does not have a lo0 interface or localhost 127.0.0.1 IP > >>>>>>> address. > >>>>>>> > >>>>>>> This is bad because the application has no choice but > >>>>>>> to bind to the public IP address assigned to the jail, > >>>>>>> and it's not safe. > >>>>>>> > >>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a > >>>>>>> jail? > >>>>>>> > >>>>>>> Thanks in advance. > >>>>>>> _______________________________________________ > >>>>>>> freebsd-jail@freebsd.org > >>>>>>> mailing list > >>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail > >>>>>>> To unsubscribe, send any mail to > >>>>>>> "freebsd-jail-unsubscribe@freebsd.org > >>>>>>> " > >>>>>>> > >>>>> > >>>>>> Does it have to be 127.0.0.1? You can add an alias like > >>>>>> 127.0.0.2 to the lo0 interface and use that. > >>>>> > >>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the > >>>>>> jail. 
> >>>>> > >>>>>> Using ezjail, you can also allocate more than 1 IP > >>>>>> address to a jail by comma separating them > >>>>> > >>>>>> You can also make it automatically alias the IPs for you > >>>>>> with the syntax: > >>>>> > >>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc > >>>>> > >>>>> > >>>>> > >>>>> Thank you Allan for your fast reply. > >>>>> > >>>>> I have the jail already created via: # ezjail-admin create > >>>>> > >>>>> > >>>>> How do I modify the already existing jail to have > >>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1 in > >>>>> the jail? > >>>>> > >>>>> _______________________________________________ > >>>>> freebsd-jail@freebsd.org > >>>>> mailing list > >>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To > >>>>> unsubscribe, send any mail to > >>>>> "freebsd-jail-unsubscribe@freebsd.org > >>>>> " > >>>>> > >>>> > >>>> Stop the jail, and then edit /usr/local/etc/ezjail/jail_name > >>>> > >>>> and change the line that defines the IPs > >>>> > > > > Thank you it works, with 127.0.0.2 > > > > If I try to add 127.0.0.1 will this create any conflicts with the > > host or will it work? Because i have something important listening > > on hosts's 127.0.0.1 and don't want to mess up. I would need the > > same configuration within the jail also, so that's why I need the > > .1 localhost IP. > > > >> _______________________________________________ > >> freebsd-jail@freebsd.org > >> mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To > >> unsubscribe, send any mail to > >> "freebsd-jail-unsubscribe@freebsd.org > >> " > > > Hey Jason > > Thanks for your suggestion. can you please ellaborate a little bit and > tell me how can i do this step by step? I have an already installed > system with ezjail and already created one jail - how can I add VIMAGE > to have virtual network stack in each jail without having to reinstall > the host or the jails? Thank you, looking forward for your reply. 
>
> - --
> s7r
> PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
> PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
>

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 21:17:26 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C491B952 for ; Wed, 11 Jun 2014 21:17:26 +0000 (UTC) Received: from outbound.mailhostbox.com (outbound.mailhostbox.com [162.222.225.21]) by mx1.freebsd.org (Postfix) with ESMTP id 85DFE279F for ; Wed, 11 Jun 2014 21:17:26 +0000 (UTC) Received: from [192.168.1.2] (unknown [109.99.157.72]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: s7r@sky-ip.org) by outbound.mailhostbox.com (Postfix) with ESMTPSA id 81E836381EC; Wed, 11 Jun 2014 21:11:11 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sky-ip.org; s=20110108; t=1402521073; bh=t2iZiv+UlZXzr3FCg/fRineu+MtRwI5ABrMcc36ktNM=; h=Message-ID:Date:From:Reply-To:MIME-Version:To:CC:Subject: References:In-Reply-To:Content-Type:Content-Transfer-Encoding; b=MhELcb9aZbsnVtc1dTbbZldF5OusYQivfLyupPhUCL+9DlOz1wVCxNP9dPD1KDWZc mldg0ragpghEsRrybfxkAU3hmggpANr7e646sm6zyexK4nr07W7sarcsNRbz02YhTi
XvKnGdGNrI7ZdCf2CQtTWYrJv1Iy4BdrXxwppCHo= Message-ID: <5398C5F0.6030203@sky-ip.org> Date: Thu, 12 Jun 2014 00:11:12 +0300 From: "s7r@sky-ip.org" Reply-To: s7r@sky-ip.org User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: Jason Hellenthal Subject: Re: Assign Lookback address 127.0.0.1 to jail References: <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org> <5397AE8F.8020000@sky-ip.org> <8B8FC782-7DF2-4BD3-883D-4ADE7E07822A@dataix.net> <5398B3C4.4050009@sky-ip.org> In-Reply-To: X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-CTCH-RefID: str=0001.0A020204.5398C5F0.0034, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0 X-CTCH-VOD: Unknown X-CTCH-Spam: Unknown X-CTCH-Score: 0.000 X-CTCH-Rules: X-CTCH-Flags: 0 X-CTCH-ScoreCust: 0.000 X-CTCH-SenderID: s7r@sky-ip.org X-CTCH-SenderID-TotalMessages: 1 X-CTCH-SenderID-TotalSpam: 0 X-CTCH-SenderID-TotalSuspected: 0 X-CTCH-SenderID-TotalBulk: 0 X-CTCH-SenderID-TotalConfirmed: 0 X-CTCH-SenderID-TotalRecipients: 0 X-CTCH-SenderID-TotalVirus: 0 X-CTCH-SenderID-BlueWhiteFlag: 0 X-Scanned-By: MIMEDefang 2.72 on 172.18.214.134 Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Jun 2014 21:17:26 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 6/11/2014 11:56 PM, Jason Hellenthal wrote: > Simple. > > echo 'options VIMAGE' >>/sys/`uname -p`/GENERIC cd /usr/src && make > buildkernel && make installkernel > This is perfectly, clear - hope it does not affect the current functionality and installed ports on the running machine? 
> Make the necessary adjustments to ensure your system is stable as
> you want it to be during testing and then lock the settings for the
> jails into the perspective configuration files and the host
> systems /etc/rc.conf for the interfaces you will use.
>
> Just an example of my base jail that I use for setting up other
> jails on the fly... exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.poststop = "umount /export/cnt/$name/dev"; exec.clean;
>
> mount.devfs;
>
> path = "/export/cnt/$name";
>
> allow.raw_sockets; allow.socket_af; vnet = new;
>
> base { host.hostname = base; vnet.interface = vnet0; securelevel =
> 3; exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast
> 172.X.X.255"; exec.start += "route add default 172.X.X.1";
> exec.start += "/bin/sh /etc/rc"; }
>
Q1: All this is to be pasted into the jail's /etc/rc.conf file?

Q2: 172.X.X.22/22 -> I want to assign a public IP address to the jail,
and a local loopback address.

Q3: route add default - this is the default router? this should be the
host's public IP address or the IP address of the gateway assigned by
my ISP?

> And in my systems rc.conf... ifconfig_interface0_name="vnet0"
>
No IP address here or alias for vnet0? In host's /etc/rc.conf? Just
interface0_name="vnet0"? Shouldn't interface0 be em0, the default
interface of the host? Shouldn't that come first?

> I actually give my base template jail a full actual interface to
> work with so I can segment it off on the network at the switch
> level and drop it into another management vlan. But the
> configuration is simple and similar to other interfaces virtual or
> not like if_epair(4).
>
> The rest of the jail configuration as in rc.conf and such within
> the jail is the same as if it was not a VIMAGE so you should
> already be aware of those details so I won't rattle on with those.
> But if you have any specific questions about this as you move
> through setting up VIMAGE jails feel free to give me a hollar
> directly or back to this list and Ill be happy to give you a hand.
>
>
>
>
> On Wed, Jun 11, 2014 at 3:53 PM, s7r@sky-ip.org wrote:
>
> On 6/11/2014 4:46 AM, Jason Hellenthal wrote:
>> You could just go with building the host kernel with VIMAGE . .
>> . Then each jail has its own virtual network stack.
>
>> image.png
>
>> -- Jason Hellenthal Voice: 95.30.17.6/616
>> JJH48-ARIN
>
>> On Jun 10, 2014, at 21:19, "s7r@sky-ip.org" wrote:
>
>> On 6/11/2014 3:28 AM, Allan Jude wrote:
>>>>> On 2014-06-10 20:23, s7r@sky-ip.org wrote:
>>>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>>>>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>>>>
>>>>>>>> I have installed ezjail from ports and properly
>>>>>>>> configured a jail with its own static and dedicated
>>>>>>>> IP address. Everything works good, it's just that I
>>>>>>>> have an application which requires to talk to another
>>>>>>>> one via RPC on IP 127.0.0.1, and I have noticed the
>>>>>>>> jail does not have a lo0 interface or localhost
>>>>>>>> 127.0.0.1 IP address.
>>>>>>>>
>>>>>>>> This is bad because the application has no choice
>>>>>>>> but to bind to the public IP address assigned to the
>>>>>>>> jail, and it's not safe.
>>>>>>>>
>>>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a
>>>>>>>> jail?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-jail@freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>>>>>
>>>>>>>> To unsubscribe, send any mail to
>>>>>>>> "freebsd-jail-unsubscribe@freebsd.org"
>>>>>>>>
>>>>>>
>>>>>>> Does it have to be 127.0.0.1? You can add an alias
>>>>>>> like 127.0.0.2 to the lo0 interface and use that.
>>>>>>
>>>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the
>>>>>>> jail.
>>>>>>
>>>>>>> Using ezjail, you can also allocate more than 1 IP
>>>>>>> address to a jail by comma separating them
>>>>>>
>>>>>>> You can also make it automatically alias the IPs for
>>>>>>> you with the syntax:
>>>>>>
>>>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you Allan for your fast reply.
>>>>>>
>>>>>> I have the jail already created via: # ezjail-admin
>>>>>> create
>>>>>>
>>>>>> How do I modify the already existing jail to have
>>>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1
>>>>>> in the jail?
>>>>>>
>>>>>
>>>>> Stop the jail, and then edit
>>>>> /usr/local/etc/ezjail/jail_name
>>>>>
>>>>> and change the line that defines the IPs
>>>>>
>
>> Thank you it works, with 127.0.0.2
>
>> If I try to add 127.0.0.1 will this create any conflicts with
>> the host or will it work? Because i have something important
>> listening on hosts's 127.0.0.1 and don't want to mess up. I would
>> need the same configuration within the jail also, so that's why I
>> need the .1 localhost IP.
>
>
>
> Hey Jason
>
> Thanks for your suggestion. can you please ellaborate a little bit
> and tell me how can i do this step by step?
> I have an already
> installed system with ezjail and already created one jail - how can
> I add VIMAGE to have virtual network stack in each jail without
> having to reinstall the host or the jails? Thank you, looking
> forward for your reply.
>
>

Thank you.
- --
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 11 21:31:30 2014
Message-Id: <0FA473B3-D3F9-4291-9A85-D16D201FF19A@dataix.net>
In-Reply-To: <5398C5F0.6030203@sky-ip.org>
From: Jason Hellenthal
Subject: Re: Assign Lookback address 127.0.0.1 to jail
Date: Wed, 11 Jun 2014 17:31:25 -0400
To: "s7r@sky-ip.org"
Cc: "freebsd-jail@freebsd.org"

--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN

> On Jun 11, 2014, at 17:11, "s7r@sky-ip.org" wrote:
>
>> On 6/11/2014 11:56 PM, Jason Hellenthal wrote:
>> Simple.
>>
>> echo 'options VIMAGE' >>/sys/`uname -p`/GENERIC cd /usr/src && make
>> buildkernel && make installkernel
> This is perfectly, clear - hope it does not affect the current
> functionality and installed ports on the running machine?
>
>> Make the necessary adjustments to ensure your system is stable as
>> you want it to be during testing and then lock the settings for the
>> jails into the perspective configuration files and the host
>> systems /etc/rc.conf for the interfaces you will use.
>>
>> Just an example of my base jail that I use for setting up other
>> jails on the fly... exec.stop = "/bin/sh /etc/rc.shutdown";
>> exec.poststop = "umount /export/cnt/$name/dev"; exec.clean;
>>
>> mount.devfs;
>>
>> path = "/export/cnt/$name";
>>
>> allow.raw_sockets; allow.socket_af; vnet = new;
>>
>> base { host.hostname = base; vnet.interface = vnet0; securelevel =
>> 3; exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast
>> 172.X.X.255"; exec.start += "route add default 172.X.X.1";
>> exec.start += "/bin/sh /etc/rc"; }
> Q1: All This is tot be pasted into jails's /etc/rc.conf file?

That portion is for the jail.conf(5) syntax. /etc/jail.conf

Possibly easyjail ? In /usr/local as well but I'm unfamiliar with
easyjail but the above settings in place should effect globally.

>
> Q2: 172.X.X.22/22 -> I want to assign a public IP address to the jail,
> and a local loopback address.

You won't have to worry about the loop back as that will be
automatically configured since it will now have its own virtual network
stack. And its very own lo0 interface.

The public IP space you can just change that 172 class B to whatever you
need in the jail.conf to set that for every time the jail starts.

>
> Q3: route add default - this is the default router? this should be the
> host's public IP address or the IP address of the gateway assigned by
> my ISP?

If I'm understanding that correctly yes. Think of this now as its own
entity with its own network stack. You're just configuring it just like
you would if you were setting up an actual additional machine on your
network.

>
>> And in my systems rc.conf... ifconfig_interface0_name="vnet0"
> No IP address here or alias for vnet0? In host's /etc/rc.conf? Just
> interface0_name="vnet0"? Shouldn't interface0 be em0, the default
> interface of the host? Shouldn't that come first?
>
>> I actually give my base template jail a full actual interface to
>> work with so I can segment it off on the network at the switch
>> level and drop it into another management vlan. But the
>> configuration is simple and similar to other interfaces virtual or
>> not like if_epair(4).
>>
>> The rest of the jail configuration as in rc.conf and such within
>> the jail is the same as if it was not a VIMAGE so you should
>> already be aware of those details so I won't rattle on with those.
>> But if you have any specific questions about this as you move
>> through setting up VIMAGE jails feel free to give me a hollar
>> directly or back to this list and Ill be happy to give you a hand.
>>
>>
>>
>>
>> On Wed, Jun 11, 2014 at 3:53 PM, s7r@sky-ip.org wrote:
>>
>>> On 6/11/2014 4:46 AM, Jason Hellenthal wrote:
>>> You could just go with building the host kernel with VIMAGE . .
>>> . Then each jail has its own virtual network stack.
>>
>>> image.png
>>
>>> -- Jason Hellenthal Voice: 95.30.17.6/616
>>> JJH48-ARIN
>>
>>> On Jun 10, 2014, at 21:19, "s7r@sky-ip.org" wrote:
>>
>>> On 6/11/2014 3:28 AM, Allan Jude wrote:
>>>>>> On 2014-06-10 20:23, s7r@sky-ip.org wrote:
>>>>>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>>>>>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>>>>>
>>>>>>>>> I have installed ezjail from ports and properly
>>>>>>>>> configured a jail with its own static and dedicated
>>>>>>>>> IP address. Everything works good, it's just that I
>>>>>>>>> have an application which requires to talk to another
>>>>>>>>> one via RPC on IP 127.0.0.1, and I have noticed the
>>>>>>>>> jail does not have a lo0 interface or localhost
>>>>>>>>> 127.0.0.1 IP address.
>>>>>>>>>
>>>>>>>>> This is bad because the application has no choice
>>>>>>>>> but to bind to the public IP address assigned to the
>>>>>>>>> jail, and it's not safe.
>>>>>>>>>
>>>>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a
>>>>>>>>> jail?
>>>>>>>>>
>>>>>>>>> Thanks in advance.
>>>>>>>>> _______________________________________________
>>>>>>>>> freebsd-jail@freebsd.org mailing list
>>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>>>>>> To unsubscribe, send any mail to
>>>>>>>>> "freebsd-jail-unsubscribe@freebsd.org"
>>>>>>>
>>>>>>>> Does it have to be 127.0.0.1? You can add an alias
>>>>>>>> like 127.0.0.2 to the lo0 interface and use that.
>>>>>>>
>>>>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the
>>>>>>>> jail.
>>>>>>>
>>>>>>>> Using ezjail, you can also allocate more than 1 IP
>>>>>>>> address to a jail by comma separating them
>>>>>>>
>>>>>>>> You can also make it automatically alias the IPs for
>>>>>>>> you with the syntax:
>>>>>>>
>>>>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thank you Allan for your fast reply.
>>>>>>>
>>>>>>> I have the jail already created via: # ezjail-admin
>>>>>>> create
>>>>>>>
>>>>>>> How do I modify the already existing jail to have
>>>>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1
>>>>>>> in the jail?
>>>>>>>
>>>>>>
>>>>>> Stop the jail, and then edit
>>>>>> /usr/local/etc/ezjail/jail_name
>>>>>>
>>>>>> and change the line that defines the IPs
>>
>>> Thank you it works, with 127.0.0.2
>>
>>> If I try to add 127.0.0.1 will this create any conflicts with
>>> the host or will it work? Because i have something important
>>> listening on hosts's 127.0.0.1 and don't want to mess up. I would
>>> need the same configuration within the jail also, so that's why I
>>> need the .1 localhost IP.
>>
>>
>>
>> Hey Jason
>>
>> Thanks for your suggestion. can you please ellaborate a little bit
>> and tell me how can i do this step by step? I have an already
>> installed system with ezjail and already created one jail - how can
>> I add VIMAGE to have virtual network stack in each jail without
>> having to reinstall the host or the jails? Thank you, looking
>> forward for your reply.
> Thank you.
> - --
> s7r
> PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
> PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc

From owner-freebsd-jail@FreeBSD.ORG Sun Jun 15 04:56:28 2014
From: bz-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 190944] [jail] su -m not working in jail
Date: Sun, 15 Jun 2014 04:56:28 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190944

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-jail@FreeBSD.org
            Summary|su -m not working in jail   |[jail] su -m not working in jail
           Severity|Affects Only Me             |Affects Many People

--- Comment #2 from Mark Linimon ---
Over to maintainers.

--
You are receiving this mail because:
You are the assignee for the bug.
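
Added example, not part of any message in this archive: for the "Assign Lookback address 127.0.0.1 to jail" thread above, a shell check that reads `sockstat -4 -l` output taken inside the jail and reports listeners bound to anything other than a 127.0.0.0/8 address, which is how the exposure described there (a service meant for 127.0.0.1 ending up on the jail's routable IP) shows up. The function name, the sample output, the `rpcd` process, port 9999 and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report listening IPv4 sockets that are
# reachable on something other than a loopback (127.0.0.0/8) address.
# Input:  `sockstat -4 -l` output on stdin.
# Args:   optional port numbers to restrict the check to, for example the
#         RPC port that is supposed to be local-only.
# Output: one line per exposed listener: COMMAND PID LOCAL-ADDRESS

exposed_listeners() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "USER" { next }                  # column header line
        $5 !~ /^(tcp|udp)4$/ { next }          # IPv4 sockets only
        {
            laddr = $6                         # LOCAL ADDRESS column
            if (!match(laddr, /:[^:]*$/)) next # no port part: skip
            addr = substr(laddr, 1, RSTART - 1)
            port = substr(laddr, RSTART + 1)
            if (n > 0 && !(port in want)) next # not a port we were asked about
            if (addr ~ /^127\./) next          # loopback-only: not exposed
            print $2, $3, laddr                # wildcard (*) counts as exposed
        }'
}

# Constructed sample: jail that only has a routable address. The service was
# configured for 127.0.0.1:9999, but the socket sits on the jail IP.
sample_before() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   192.0.2.10:22         *:*
app      rpcd       803   5  tcp4   192.0.2.10:9999       *:*
EOF
}

# Constructed sample: the same jail after a lo0|127.0.0.2 alias was added and
# the service was pointed at that address.
sample_after() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   192.0.2.10:22         *:*
app      rpcd       803   5  tcp4   127.0.0.2:9999        *:*
EOF
}

echo "port 9999 before the loopback alias:"
sample_before | exposed_listeners 9999
echo "port 9999 after the loopback alias:"
sample_after | exposed_listeners 9999
```

On a real jail the input would come from `sockstat -4 -l | exposed_listeners 9999` run inside the jail; an empty result means the port is only listening on loopback.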

From owner-freebsd-jail@FreeBSD.ORG Sun Jun 15 12:52:43 2014
From: bz-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 190944] [jail] su -m not working in jail
Date: Sun, 15 Jun 2014 12:52:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190944 joeb1@a1poweruser.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |joeb1@a1poweruser.com --- Comment #3 from joeb1@a1poweruser.com --- I cannot duplicate this "su -m xxxx command" problem on my 10.0-RELEASE-p3 system. I would say this problem is more about the way you have created your jail and user accounts than a problem with the su command. Please provide details about how you created your jail and the user accounts in that jail that you are trying to use the su command on. -- You are receiving this mail because: You are the assignee for the bug. From owner-freebsd-jail@FreeBSD.ORG Tue Jun 17 11:25:27 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DCFB0FEB for ; Tue, 17 Jun 2014 11:25:27 +0000 (UTC) Received: from mx01.cellcontainer.com (mx01.cellcontainer.com [81.0.104.240]) by mx1.freebsd.org (Postfix) with ESMTP id 8B5242392 for ; Tue, 17 Jun 2014 11:25:27 +0000 (UTC) Received: from mx01.cellcontainer.com (localhost [127.0.0.1]) by mx01.cellcontainer.com (Postfix) with ESMTP id 9A480296 for ; Tue, 17 Jun 2014 11:15:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cellcontainer.com; h= message-id:date:subject:from:to:mime-version:content-type; s= selector1; bh=6fZdyDNmZMZjbuyzNAALD+dg4vg=; b=A1/4I2TPisTOfKmXtM RmJ7tBRVwFXYqrk/cfDKEkInk/SJCeYdZoc4CvLNbKkc4F9BfWctNbXdtpKlTdu3 cP6vpwW5Zff9QCmQaIHb6rItiH7xUFtnIQ1/faD6DfRiP+tHfxsxWvJV3AuqvJVO vxQHvyVKAZxBrWoFjYy8Yu3Xo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=cellcontainer.com; h= message-id:date:subject:from:to:mime-version:content-type; q= dns; s=selector1; b=fJvf5uODFSGRxR+QSc+X6vuzZl3VwZ4pRxThQUkc0dU1 dNZ38RNou9FAyC6oxZw3rJYjtszDE+7bB4dIcVRdwutf0d5+51EWC5NTs5pnQbNq 
ya0PjkYQxB75hR4xb1ptZHDqDZiJIC1vwoIAyimOjtmhtiy6RJhR2DmBXUfMe4E= Received: from gpo.cellcontainer.com (unknown [10.5.100.101]) by mx01.cellcontainer.com (Postfix) with ESMTP id 95885295 for ; Tue, 17 Jun 2014 11:15:30 +0000 (UTC) Received: by gpo.cellcontainer.com (Postfix, from userid 58) id 8A6DDBB14A; Tue, 17 Jun 2014 11:15:30 +0000 (UTC) Received: from gpo.cellcontainer.com (localhost [127.0.0.1]) by gpo.cellcontainer.com (Postfix) with ESMTP id 6387DBB140 for ; Tue, 17 Jun 2014 11:15:30 +0000 (UTC) Message-ID: <1403003730.53a0235260385@gpo.cellcontainer.com> Date: Tue, 17 Jun 2014 23:15:30 +1200 Subject: iocage - drop in jail manager From: Peter Toth To: "freebsd-jail@freebsd.org" MIME-Version: 1.0 X-MimeOLE: Produced by Group-Office 3.7.41 X-Mailer: Group-Office 3.7.41 X-Priority: 3 (Normal) Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jun 2014 11:25:27 -0000 For anyone interested in managing jails with VNET, ZFS and resource limits I have created a jail manager script https://github.com/pannon/iocage . Basically rewritten most of "zjails" in pure sh with simplicity in mind. 90% is done final commits will be happening in the next 2 weeks. Feel free to give it a test drive. 
P From owner-freebsd-jail@FreeBSD.ORG Tue Jun 17 15:53:51 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A69D12C3 for ; Tue, 17 Jun 2014 15:53:51 +0000 (UTC) Received: from relay.mailchannels.net (si-002-i152.relay.mailchannels.net [108.178.49.164]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 10F012DF3 for ; Tue, 17 Jun 2014 15:53:50 +0000 (UTC) X-Sender-Id: _forwarded-from|107.201.34.133 Received: from mail-24.name-services.com (unknown [10.218.133.212]) by relay.mailchannels.net (Postfix) with ESMTPA id A70DD122BBF; Tue, 17 Jun 2014 15:38:02 +0000 (UTC) X-Sender-Id: _forwarded-from|107.201.34.133 Received: from mail-24.name-services.com (mail-24.name-services.com [10.244.170.26]) (using TLSv1 with cipher AES128-SHA) by 0.0.0.0:2500 (trex/5.2.3); Tue, 17 Jun 2014 15:38:02 GMT X-MC-Relay: Forwarding X-MailChannels-SenderId: _forwarded-from|107.201.34.133 X-MailChannels-Auth-Id: demandmedia Received: from [10.0.10.1] (107-201-34-133.lightspeed.bcvloh.sbcglobal.net [107.201.34.133]) by mail-24.name-services.com with SMTP; Tue, 17 Jun 2014 08:37:54 -0700 Message-ID: <53A060D4.1080100@a1poweruser.com> Date: Tue, 17 Jun 2014 11:37:56 -0400 From: Fbsd8 User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: Peter Toth Subject: Re: iocage - drop in jail manager References: <1403003730.53a0235260385@gpo.cellcontainer.com> In-Reply-To: <1403003730.53a0235260385@gpo.cellcontainer.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jun 2014 15:53:51 -0000 Peter Toth wrote: > For anyone interested in managing jails with VNET, ZFS and resource > limits I have created a jail manager script > https://github.com/pannon/iocage . Basically rewritten most of > "zjails" in pure sh with simplicity in mind. > > 90% is done final commits will be happening in the next 2 weeks. Feel > free to give it a test drive. > Will this script work on i386 systems? Will this script work on a generic system with no zfs disk area enabled? Does vnet jail still have "lost memory bug" when stopping vnet jail? Do any of the host firewalls (ie; ipfw, ipf, pf) work on host and in multiple vnet jail at same time? Does NAT function work in vnet jail? Can non-vnet jails be created? From owner-freebsd-jail@FreeBSD.ORG Tue Jun 17 20:47:16 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 956568CA for ; Tue, 17 Jun 2014 20:47:16 +0000 (UTC) Received: from mx01.cellcontainer.com (mx01.cellcontainer.com [81.0.104.240]) by mx1.freebsd.org (Postfix) with ESMTP id 14A942B96 for ; Tue, 17 Jun 2014 20:47:15 +0000 (UTC) Received: from mx01.cellcontainer.com (localhost [127.0.0.1]) by mx01.cellcontainer.com (Postfix) with ESMTP id 220D5363 for ; Tue, 17 Jun 2014 20:47:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cellcontainer.com; h= message-id:date:subject:from:to:cc:mime-version:content-type :in-reply-to:references; s=selector1; bh=Rvclf2UTRA2UHEedbhwpgb3 32w8=; b=nA04Ffo1L53Zfwe5ER8D7RZwk/UKGmlWuRPW+FjX+y/ZpkJ4z0e8QQs irVeoAq4Ve27Ni8kOY+It+dTtI1M+aL0hcZ3Tdk0nEfdnCILszRQPV1HQwuAL4R5 b/dBRVZjCdLhZwKm48hkKRtlW1uvpR9CI3/u4dphI2ScCGQkDwaU= DomainKey-Signature: a=rsa-sha1; c=nofws; d=cellcontainer.com; h= 
message-id:date:subject:from:to:cc:mime-version:content-type :in-reply-to:references; q=dns; s=selector1; b=eEQrwhHCe0PpcSET2 /XR/hzTrteb4weMx8JYP0vIcMU88pmlFQG7FkfphH0X/tOhOOlLBbblzuOPfTpLm rWm6PKOuEGkaZhMqCYLRXMGtKv4sBTBf5O5+gDpk7P4bFUmLqVf4PQ3NGhR4YXFc wXagJA/MAazYNO6QF+CZa5s9Sk= Received: from gpo.cellcontainer.com (unknown [10.5.100.101]) by mx01.cellcontainer.com (Postfix) with ESMTP id 1B6EE362 for ; Tue, 17 Jun 2014 20:47:14 +0000 (UTC) Received: by gpo.cellcontainer.com (Postfix, from userid 58) id 0FF24BBF4B; Tue, 17 Jun 2014 20:47:14 +0000 (UTC) Received: from gpo.cellcontainer.com (localhost [127.0.0.1]) by gpo.cellcontainer.com (Postfix) with ESMTP id D182CBBF3B for ; Tue, 17 Jun 2014 20:47:10 +0000 (UTC) Message-ID: <1403038030.53a0a94eaf728@gpo.cellcontainer.com> Date: Wed, 18 Jun 2014 08:47:10 +1200 Subject: Re: iocage - drop in jail manager From: Peter Toth To: Fbsd8 MIME-Version: 1.0 X-MimeOLE: Produced by Group-Office 3.7.41 In-Reply-To: <53A060D4.1080100@a1poweruser.com> References: <53A060D4.1080100@a1poweruser.com> X-Mailer: Group-Office 3.7.41 X-Priority: 3 (Normal) Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18 Cc: "freebsd-jail@freebsd.org" X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jun 2014 20:47:16 -0000 You can find the answer to all of your questions in the man page :) Cheers P On Wednesday, 18-06-2014 on 3:37 Fbsd8 wrote: Peter Toth wrote: > For anyone interested in managing jails with VNET, ZFS and resource > limits I have created a jail manager script > https://github.com/pannon/iocage . Basically rewritten most of > "zjails" in pure sh with simplicity in mind. > > 90% is done final commits will be happening in the next 2 weeks. 
Feel > free to give it a test drive. > Will this script work on i386 systems? Will this script work on a generic system with no zfs disk area enabled? Does vnet jail still have "lost memory bug" when stopping vnet jail? Do any of the host firewalls (ie; ipfw, ipf, pf) work on host and in multiple vnet jail at same time? Does NAT function work in vnet jail? Can non-vnet jails be created? From owner-freebsd-jail@FreeBSD.ORG Fri Jun 20 14:48:09 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C69E5B11 for ; Fri, 20 Jun 2014 14:48:09 +0000 (UTC) Received: from furnace.wzff.de (furnace.wzff.de [176.9.216.40]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 88F862891 for ; Fri, 20 Jun 2014 14:48:08 +0000 (UTC) Received: from mw by furnace.wzff.de with local (Exim 4.80.1 (FreeBSD)) (envelope-from ) id 1Wy02z-000Oqs-4J for freebsd-jail@freebsd.org; Fri, 20 Jun 2014 16:44:09 +0200 Date: Fri, 20 Jun 2014 16:44:09 +0200 From: Moritz Wilhelmy To: freebsd-jail@freebsd.org Subject: Jail network connectivity issues Message-ID: <20140620144408.GY9432@barfooze.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.5.21 (2010-09-15) X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jun 2014 14:48:09 -0000 Hello, I have a jail with a public IP address assigned to it on 10.0/amd64, however both inbound and outbound connections randomly fail. 
I'm using ipfilter as a packet filter but the issue persists when I reboot without ipfilter enabled. Usually inbound connections work a couple of times (around 4) and the 5th-ish attempt at establishing a TCP connection fails with a connection timeout. From that point on it's hit-and-miss. Nothing else on the system is listening on the port. The timeouting connection does not show up in the host system, neither in tcpdump or -- if enabled -- ipmon, the ipfilter monitoring utility. When trying to telnet out of the box, the connection hangs before "Trying
...", except sometimes when it works. Even then, the connection is established excruciatingly slowly, while outside the jail, connections are established instantaneously. On the host system, specifying the jail's IP as telnet's source IP via -s works, so I doubt it's my ISP's fault. To make sure the configuration in the jail tree isn't what's causing the issues I created another jail with "/" as root directory and the jail's IP assigned and /bin/sh as command. Same issue. This leads me to believe that the jail subsystem is responsible somehow. Any ideas what I might be missing? Best, Moritz -- Civil servants cannot walk around all day with the Basic Law under their arm. -Hermann Höcherl, 1963 From owner-freebsd-jail@FreeBSD.ORG Tue Jun 24 19:53:48 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6363810B for ; Tue, 24 Jun 2014 19:53:48 +0000 (UTC) Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "smtp.hushmail.com", Issuer "Self-signed" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4A05E2622 for ; Tue, 24 Jun 2014 19:53:48 +0000 (UTC) Received: from smtp3.hushmail.com (localhost [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id 7AD09E0367 for ; Tue, 24 Jun 2014 19:21:29 +0000 (UTC) Received: from smtp.hushmail.com (w8.hushmail.com [65.39.178.52]) by smtp3.hushmail.com (Postfix) with ESMTP for ; Tue, 24 Jun 2014 19:21:29 +0000 (UTC) Received: by smtp.hushmail.com (Postfix, from userid 99) id 53C1460258; Tue, 24 Jun 2014 19:21:29 +0000 (UTC) MIME-Version: 1.0 Date: Tue, 24 Jun 2014 15:21:29 -0400 To: freebsd-jail@freebsd.org Subject: ezjail update errors From: "Kenta S." 
Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="UTF-8" Message-Id: <20140624192129.53C1460258@smtp.hushmail.com> X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Jun 2014 19:53:48 -0000 I'm trying to update my jail system. "ezjail-admin update -u" gives me this problem: Looking up update.FreeBSD.org mirrors... 5 mirrors found. Fetching metadata signature for 9.2-RELEASE from update5.freebsd.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. The following files will be added as part of updating to 9.2-RELEASE-p8: /etc/pkg /etc/pkg/FreeBSD.conf /usr/share/keys /usr/share/keys/pkg /usr/share/keys/pkg/revoked /usr/share/keys/pkg/trusted /usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 /usr/src/etc/pkg /usr/src/etc/pkg/FreeBSD.conf /usr/src/etc/pkg/Makefile /usr/src/share/keys /usr/src/share/keys/Makefile /usr/src/share/keys/pkg /usr/src/share/keys/pkg/Makefile /usr/src/share/keys/pkg/trusted /usr/src/share/keys/pkg/trusted/Makefile /usr/src/share/keys/pkg/trusted/pkg.freebsd.org.2013102301 The following files will be updated as part of updating to 9.2-RELEASE-p8: /etc/mtree/BSD.root.dist /etc/mtree/BSD.usr.dist /var/db/mergemaster.mtree Installing updates...install: mkdir /usr/jails/newjail//usr/share: File exists install: mkdir /usr/jails/newjail//usr/share: File exists install: mkdir /usr/jails/newjail//usr/share: File exists install: mkdir /usr/jails/newjail//usr/share: File exists install: mkdir /usr/jails/newjail//usr/src: File exists install: mkdir /usr/jails/newjail//usr/src: File exists install: mkdir /usr/jails/newjail//usr/src: File exists install: mkdir /usr/jails/newjail//usr/src: File exists install: /usr/jails/newjail//usr/share/keys/pkg/trusted/pkg.freebsd.org.2013102301: No such file or 
directory install: /usr/jails/newjail//usr/src/etc/pkg/FreeBSD.conf: No such file or directory install: /usr/jails/newjail//usr/src/etc/pkg/Makefile: No such file or directory install: /usr/jails/newjail//usr/src/share/keys/Makefile: No such file or directory install: /usr/jails/newjail//usr/src/share/keys/pkg/Makefile: No such file or directory install: /usr/jails/newjail//usr/src/share/keys/pkg/trusted/Makefile: No such file or directory install: /usr/jails/newjail//usr/src/share/keys/pkg/trusted/pkg.freebsd.org.2013102301: No such file or directory done. From owner-freebsd-jail@FreeBSD.ORG Tue Jun 24 20:40:00 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B19888D8 for ; Tue, 24 Jun 2014 20:40:00 +0000 (UTC) Received: from furnace.wzff.de (furnace.wzff.de [176.9.216.40]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7333A2B2B for ; Tue, 24 Jun 2014 20:39:59 +0000 (UTC) Received: from mw by furnace.wzff.de with local (Exim 4.80.1 (FreeBSD)) (envelope-from ) id 1WzXVP-000OMy-H9 for freebsd-jail@freebsd.org; Tue, 24 Jun 2014 22:39:51 +0200 Date: Tue, 24 Jun 2014 22:39:51 +0200 From: Moritz Wilhelmy To: freebsd-jail@freebsd.org Subject: Re: Jail network connectivity issues Message-ID: <20140624203951.GZ9432@barfooze.de> References: <20140620144408.GY9432@barfooze.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20140620144408.GY9432@barfooze.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Jun 
2014 20:40:00 -0000 After more research it seems that my ISP is at fault after all. Best regards and thank you, Moritz From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 01:29:15 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 88FD7239 for ; Thu, 26 Jun 2014 01:29:15 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6FB032B18 for ; Thu, 26 Jun 2014 01:29:15 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5Q1TFqH095699 for ; Thu, 26 Jun 2014 02:29:15 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot Date: Thu, 26 Jun 2014 01:29:15 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: linimon@FreeBSD.org X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: assigned_to short_desc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about 
FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 01:29:15 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279 Mark Linimon changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|freebsd-bugs@FreeBSD.org |freebsd-jail@FreeBSD.org Summary|jail allow.sysvipc - |[jail] jail allow.sysvipc - |doesn't work until jail is |doesn't work until jail is |started TWICE after reboot |started TWICE after reboot --- Comment #1 from Mark Linimon --- Over to maintainers. -- You are receiving this mail because: You are the assignee for the bug. From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 01:58:07 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1F241CE4 for ; Thu, 26 Jun 2014 01:58:07 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 06A122DB5 for ; Thu, 26 Jun 2014 01:58:07 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5Q1w68b072909 for ; Thu, 26 Jun 2014 02:58:06 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191181] [jail] Jailnames cannot contain a dash Date: Thu, 26 Jun 2014 01:58:07 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.0-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: linimon@FreeBSD.org X-Bugzilla-Status: Needs 
Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: component assigned_to short_desc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 01:58:07 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191181 Mark Linimon changed: What |Removed |Added ---------------------------------------------------------------------------- Component|misc |kern Assignee|freebsd-bugs@FreeBSD.org |freebsd-jail@FreeBSD.org Summary|Jailnames cannot contain a |[jail] Jailnames cannot |dash |contain a dash --- Comment #2 from Mark Linimon --- over to maintainers. -- You are receiving this mail because: You are the assignee for the bug. 
From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 02:06:23 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 214F9FD4 for ; Thu, 26 Jun 2014 02:06:23 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0923A2E91 for ; Thu, 26 Jun 2014 02:06:23 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5Q26Mjk018758 for ; Thu, 26 Jun 2014 03:06:22 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191181] [jail] Jailnames cannot contain a dash Date: Thu, 26 Jun 2014 02:06:23 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.0-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: allanjude@FreeBSD.org X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 02:06:23 -0000 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191181 Allan Jude changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |allanjude@FreeBSD.org --- Comment #3 from Allan Jude --- Can you provide more detail, like your jail.conf etc -- You are receiving this mail because: You are the assignee for the bug. From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 04:35:09 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4D94C9AA for ; Thu, 26 Jun 2014 04:35:09 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 34B5D2A9D for ; Thu, 26 Jun 2014 04:35:09 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5Q4Z9kN077046 for ; Thu, 26 Jun 2014 05:35:09 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot Date: Thu, 26 Jun 2014 04:35:09 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: dewayne@heuristicsystems.com.au X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 
7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 04:35:09 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279 dewayne@heuristicsystems.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dewayne@heuristicsystems.co | |m.au --- Comment #2 from dewayne@heuristicsystems.com.au --- Dreamcat, Testing on two stables built within last 24 hours # uname -oprUK FreeBSD 9.3-PRERELEASE i386 903500 903500 and FreeBSD 10.0-STABLE amd64 1000710 1000710 Looks like this issue is not reproducible in later versions (there have been a lot of changes in Stable since 9.2R): # sysctl -a|grep sysvi security.jail.param.allow.sysvipc: 0 security.jail.sysvipc_allowed: 1 My jail.conf contains test1 { ip4.addr = "10.0.5.241"; devfs_ruleset = "4"; allow.sysvipc; allow.chflags; } which is the jail that I tested for sysvipc. -- You are receiving this mail because: You are the assignee for the bug. 
From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 08:02:03 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8FC7780F for ; Thu, 26 Jun 2014 08:02:03 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 77B7F2B29 for ; Thu, 26 Jun 2014 08:02:03 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5Q823re059106 for ; Thu, 26 Jun 2014 09:02:03 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191181] [jail] Jailnames cannot contain a dash Date: Thu, 26 Jun 2014 08:02:03 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 10.0-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: rs@bytecamp.net X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 08:02:03 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191181 --- 
Comment #4 from rs@bytecamp.net --- The message occurs even without an existing /etc/jail.conf. The system is 10.0-RELEASE-p2 #1 r265140. What further information is required? -- You are receiving this mail because: You are the assignee for the bug. From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 08:36:41 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2F8011FF for ; Thu, 26 Jun 2014 08:36:41 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 169782D96 for ; Thu, 26 Jun 2014 08:36:41 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5Q8aeoS095879 for ; Thu, 26 Jun 2014 09:36:40 +0100 (BST) (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot Date: Thu, 26 Jun 2014 08:36:41 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: dreamcat4@gmail.com X-Bugzilla-Status: Needs Triage X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 
X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2014 08:36:41 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279 --- Comment #3 from dreamcat4@gmail.com --- Thanks man! It's good news to hear. Hopefully the bug will go away once I'm moved to 10.0. (In reply to dewayne from comment #2) > Dreamcat, Testing on two stables built within last 24 hours > # sysctl -a|grep sysvi > security.jail.param.allow.sysvipc: 0 > security.jail.sysvipc_allowed: 1 > > My jail.conf contains > test1 { ip4.addr = "10.0.5.241"; devfs_ruleset = "4"; allow.sysvipc; > allow.chflags; } > > which is the jail that I tested for sysvipc. Thanks for testing this. Your individual jail setting looks good. My global sysvipc setting is different than yours however: freenas ~/ root^> sysctl -a|grep sysvi security.jail.param.allow.sysvipc: 0 security.jail.sysvipc_allowed: 0 Reason: Don't want to enable it for all the other jails. It is only needed on 1 specific jail. FYI: Another PR relevant to isolating ipc to single-jail: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471 -- You are receiving this mail because: You are the assignee for the bug. 
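The per-jail versus host-wide distinction discussed in comments #2 and #3 of bug 191279 can be checked mechanically. The following is an added example, not part of the bug report or of FreeBSD: a small Python audit that reads jail.conf text and sysctl output and lists which jails have allow.sysvipc or allow.chflags switched on. The sample input is constructed (the test1 block repeats the one quoted above; the "web" jail and the global mount.devfs line are hypothetical), and the parser covers only a simplified subset of jail.conf syntax (no variable substitution or includes, defaults merged regardless of order).

```python
import re

# Constructed sample inputs. The "test1" block repeats the jail.conf quoted in
# comment #2; the "web" jail and the global line are hypothetical.
SAMPLE_JAIL_CONF = """
# defaults for every jail
mount.devfs;
test1 { ip4.addr = "10.0.5.241"; devfs_ruleset = "4"; allow.sysvipc;
        allow.chflags; }
web { ip4.addr = "10.0.5.242"; devfs_ruleset = "4"; allow.nosysvipc; }  // negated form
"""
SAMPLE_SYSCTL = """security.jail.param.allow.sysvipc: 0
security.jail.sysvipc_allowed: 0
"""

# Per-jail permissions this audit reports on (the two granted to test1).
WATCHED = ("allow.chflags", "allow.sysvipc")

# Comments are matched first so braces or semicolons inside them are ignored;
# quoted strings are matched whole so "//" inside a path is not a comment.
TOKEN = re.compile(r"""
    (?P<comment>\#[^\n]*|//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<punct>\+=|[{};=,])
  | (?P<word>[^\s{};=+,"'\#]+)
""", re.VERBOSE | re.DOTALL)


def tokens(text):
    """Yield (kind, text) pairs, dropping comments and unquoting strings."""
    for m in TOKEN.finditer(text):
        if m.lastgroup == "comment":
            continue
        tok = m.group()
        yield m.lastgroup, tok[1:-1] if m.lastgroup == "string" else tok


def set_param(params, stmt):
    """Apply one 'name', 'name = value' or 'name += value' statement."""
    if stmt[0][0] == "punct":
        return  # malformed statement, nothing to record
    name = stmt[0][1]
    values = [tok for kind, tok in stmt[1:] if kind != "punct"]
    if values:
        value = values[0] if len(values) == 1 else values
        if isinstance(value, str) and value.lower() in ("true", "false"):
            value = value.lower() == "true"
    else:
        # Boolean form: "allow.sysvipc" sets, "allow.nosysvipc" clears.
        head, _, last = name.rpartition(".")
        value = not last.startswith("no")
        if not value:
            name = (head + "." if head else "") + last[2:]
    params[name] = value


def parse_jail_conf(text):
    """Return {jail: params} with global and '*' parameters merged as defaults."""
    defaults, jails, stmt, current = {}, {}, [], None
    for kind, tok in tokens(text):
        if (kind, tok) == ("punct", "{"):
            name = stmt[0][1] if stmt else "*"
            current = defaults if name == "*" else jails.setdefault(name, {})
            stmt = []
        elif (kind, tok) == ("punct", "}"):
            current, stmt = None, []
        elif (kind, tok) == ("punct", ";"):
            if stmt:
                set_param(defaults if current is None else current, stmt)
            stmt = []
        else:
            stmt.append((kind, tok))
    return {name: {**defaults, **params} for name, params in jails.items()}


def parse_sysctl(text):
    """Parse 'name: value' lines as printed by sysctl(8)."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out


def is_enabled(value):
    return value is True or value == "1"


def audit(conf_text, sysctl_text):
    """Report the host-wide sysctl and, per jail, the watched allow.* grants."""
    host = parse_sysctl(sysctl_text)
    jails = parse_jail_conf(conf_text)
    return {
        "host_sysvipc_allowed": host.get("security.jail.sysvipc_allowed"),
        "jails": {name: [p for p in WATCHED if is_enabled(params.get(p))]
                  for name, params in sorted(jails.items())},
    }


if __name__ == "__main__":
    result = audit(SAMPLE_JAIL_CONF, SAMPLE_SYSCTL)
    print("security.jail.sysvipc_allowed =", result["host_sysvipc_allowed"])
    for name, granted in result["jails"].items():
        print(f"{name}: {', '.join(granted) or 'no watched allow.* parameters'}")
```

On a host, pass it the contents of /etc/jail.conf and the output of "sysctl security.jail" instead of the constructed samples.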
From owner-freebsd-jail@FreeBSD.ORG Mon Jun 30 01:34:04 2014
Message-ID: <1404092034.53b0be828b25c@gpo.cellcontainer.com>
Date: Mon, 30 Jun 2014 13:33:54 +1200
Subject: Re: iocage - drop in jail manager
From: Peter Toth
To: "freebsd-jail@freebsd.org"
In-Reply-To: <53A060D4.1080100@a1poweruser.com>

Pushed up a new version to github (1.3.1) http://pannon.github.io/iocage/ .

Man page is finished and created WIKI too (will be back-filling pages).

The new version supports non-VNET jails too (shared IP based jails).

There is a differential jail packaging function as well as import/export.

Many thanks for the feedback from the few who emailed me.

P

On Wednesday, 18-06-2014 on 3:37 Fbsd8 wrote:

Peter Toth wrote:
> For anyone interested in managing jails with VNET, ZFS and resource
> limits I have created a jail manager script
> https://github.com/pannon/iocage . Basically rewritten most of
> "zjails" in pure sh with simplicity in mind.
>
> 90% is done final commits will be happening in the next 2 weeks. Feel
> free to give it a test drive.
>

Will this script work on i386 systems?

Will this script work on a generic system with no zfs disk area enabled?

Does vnet jail still have "lost memory bug" when stopping vnet jail?

Do any of the host firewalls (ie; ipfw, ipf, pf) work on host and in
multiple vnet jail at same time?

Does NAT function work in vnet jail?

Can non-vnet jails be created?

From owner-freebsd-jail@FreeBSD.ORG Tue Jul 1 06:31:49 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 180916] [jail] [regression] jail startup is broken for 8.4 without INET6
Date: Tue, 01 Jul 2014 06:31:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=180916

Alexey Markov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |redrat@mail.ru

--- Comment #2 from Alexey Markov ---
This patch was tested for almost a year and works like a charm. Any chance to
see it committed to 8-STABLE?

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-jail@FreeBSD.ORG Tue Jul 1 07:09:31 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 180916] [jail] [regression] jail startup is broken for 8.4 without INET6
Date: Tue, 01 Jul 2014 07:09:31 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=180916

Kurt Jaeger changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pi@FreeBSD.org
           Assignee|freebsd-jail@FreeBSD.org    |crees@FreeBSD.org

--- Comment #3 from Kurt Jaeger ---
Can you apply this patch to 8/8.4-STABLE as well?

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 5 19:07:50 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 188753] [jail] mount devfs ruleset ignored
Date: Sat, 05 Jul 2014 19:07:50 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188753

Gavin Atkinson changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gavin@FreeBSD.org
            Version|unspecified                 |10.0-RELEASE

--- Comment #3 from Gavin Atkinson ---
It sounds like your system has not been patched, and is missing at least the
FreeBSD-SA-14:07.devfs security advisory patch.

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 5 22:02:14 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sat, 05 Jul 2014 22:02:14 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

zilly changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freebsdbugs@zilly.org

--- Comment #4 from zilly ---
I have the identical issue using FreeBSD 10.0, qjail 3.4, and the
allow.sysvipc flag. It does not matter whether security.jail.sysvipc_allowed
is set to 0 or 1 on the host.

# uname -oprUK
FreeBSD 10.0-RELEASE-p6 amd64 1000510 1000510

Relevant section of qjail log file on first jail start:

FATAL: could not create shared memory segment: Function not implemented
DETAIL: Failed system call was shmget(key=5432001, size=40, 03600).

Like dreamcat4, sysvipc works once the jail has been started a second time
after each time the host boots.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 00:41:59 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 188753] [jail] mount devfs ruleset ignored
Date: Sun, 06 Jul 2014 00:41:59 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188753

joeb1@a1poweruser.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joeb1@a1poweruser.com

--- Comment #4 from joeb1@a1poweruser.com ---
security advisory -p1 changes /etc/defaults/rc.conf parameter
devfs_load_rulesets="NO" to devfs_load_rulesets="YES"

That fixed this problem for me.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 01:36:19 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 01:36:19 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

joeb1@a1poweruser.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joeb1@a1poweruser.com

--- Comment #5 from joeb1@a1poweruser.com ---
When you say the allow.sysvipc parameter has no effect on a jail's first
start after system boot. Just how are you determining this?

Do you see the "allow.sysvipc" listed by the "jls -name -j jailname" command?
I installed 10.0 from disc1.iso to an empty hard drive and running qjail-3.4
and after starting the jail "jls -name -j jailname" shows "allow.sysvipc"
which means it's enabled, and no error messages in the jail's console log.

Seeing jls showing the "allow.sysvipc" instead of "allow.nosysvipc" is the
only indicator I have available to verify it's being set correctly. This
indicator does not really prove the sysvipc function for the jail is
functional. As far as I know you need to run some application in the jail
that requires sysvipc access as the only true test. This application may
have to be started one time to set some application internal default setting
before it knows sysvipc is enabled on its second start. Look for an
application configure file to set sysvipc as the default instead of the tcp
default setting. What application are you running in the jail and how does
that application get started?

Almost 99% sure your problem is caused by your jailed application and not
qjail or jail(8).

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 08:08:20 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 08:08:20 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

--- Comment #6 from dreamcat4@gmail.com ---
(In reply to joeb1 from comment #5)
> When you say the allow.sysvipc parameter has no effect on a jail's first
> start after system boot. Just how are you determining this?

I was previously checking the log file of the program 'zabbix2-server'. Which
is unable to start, and logfile gives the reason:

zabbix_server [4414]: cannot create Semaphore: [78] Function not implemented
zabbix_server [4414]: unable to create mutex for log file

However now that someone else has reproduced it too, I will try more things!

> Do you see the "allow.sysvipc" listed by the "jls -name -j jailname" command.
> I installed 10.0 from disc1.iso to an empty hard drive and running qjail-3.4
> and after starting the jail "jls -name -j jailname" shows "allow.sysvipc"
> which means it's enabled, and no error messages in the jail's console log.

This is on my host, after a fresh reboot:

freenas // root^> qjail list

STA  JID  NIC  IP               Jailname
---  ---- ---  ---------------  --------------------------------------------------
DR   1    re0  192.168.1.205    nas4free
DR   2    re0  192.168.1.81     nginx-webdav
DR   3    re0  192.168.1.206    openvpn
               lo0|127.0.0.1
DR   4    re0  192.168.1.38     ps3netsrv
DR   5    re0  192.168.1.207    tvheadend
               lo0|127.0.0.207
DR   6    re0  192.168.1.223    ums4
               lo0|127.0.0.223
DR   7    re0  192.168.1.41     virtualbox
               lo0|127.0.0.2
DR   8    re0  192.168.1.214    webcamd
               lo0|127.0.0.214
DR   9    re0  192.168.1.212    zabbix
               lo0|127.0.0.212

freenas // root^> jls -h -j zabbix allow.sysvipc
allow.sysvipc
0
freenas // root^> qjail restart zabbix
Jail successfully stopped  zabbix
Jail successfully started  zabbix
freenas // root^> jls -h -j zabbix allow.sysvipc
allow.sysvipc
1

Above we can see that jls will indeed report the problem if it occurs. Since I
can still reproduce the error, I am investigating more today. Please bear with
me...

> Seeing jls showing the "allow.sysvipc" instead of "allow.nosysvipc" is the
> only indicator I have available to verify it's being set correctly. This

There is also the command 'ipcs', which can be run inside the jail. Here again
is my output after another system reboot:

freenas // root^> qjail console zabbix
Last login: Sun Jul 6 08:05:03 on pts/0
FreeBSD 9.2-RELEASE-p3 (FREENAS.amd64) #0 r262572+7b72365: Fri Mar 14 15:50:04 PDT 2014

Welcome to your FreeBSD jail.
zabbix ~/ root~# ipcs
Message Queues:
T           ID          KEY MODE        OWNER    GROUP

Shared Memory:
T           ID          KEY MODE        OWNER    GROUP

Semaphores:
T           ID          KEY MODE        OWNER    GROUP

zabbix ~/ root~# exit
logout
freenas // root^> qjail restart zabbix
Jail successfully stopped  zabbix
Jail successfully started  zabbix
freenas // root^> qjail console zabbix
Last login: Sun Jul 6 08:53:45 on pts/0
FreeBSD 9.2-RELEASE-p3 (FREENAS.amd64) #0 r262572+7b72365: Fri Mar 14 15:50:04 PDT 2014

Welcome to your FreeBSD jail.
zabbix ~/ root~# ipcs
Message Queues:
T           ID          KEY MODE        OWNER    GROUP

Shared Memory:
T           ID          KEY MODE        OWNER    GROUP
m        65536   1745323649 --rw------- zabbix   zabbix
m        65537   2013759105 --rw------- zabbix   zabbix
m        65538   1946650241 --rw------- zabbix   zabbix
m        65539   1728546433 --rw------- zabbix   zabbix
m        65540   1929873025 --rw------- zabbix   zabbix
m        65541   1393002113 --rw------- zabbix   zabbix
m        65542   1980204673 --rw------- zabbix   zabbix
m        65543   1812431314 --rw------- zabbix   zabbix

Semaphores:
T           ID          KEY MODE        OWNER    GROUP
s        65536   2047313537 --rw------- zabbix   zabbix
s        65537   2047312338 --rw------- zabbix   zabbix

zabbix ~/ root~#

> indicator does not really prove the sysvipc function for the jail is
> functional. As far as I know you need to run some application in the jail
> that requires sysvipc access as the only true test. This application may
> have to be started one time to set some application internal default setting
> before it knows sysvipc is enabled on its second start. Look for an

That would suggest we could just be restarting the zabbix_server application
(rather than the jail). However that is not the case here. 2nd, 3rd, 4th,
restart etc of zabbix_server rc.d script makes no difference. Whereas
restarting the jail once, zabbix did not repeat error message, and all was OK.

> application configure file to set sysvipc as the default instead of the tcp
> default setting. What application are you running in the jail and how does
> that application get started?

Unfortunately sysvipc / unix semaphores is always required for this particular
program (zabbix). It has no option to switch them off, or use some alternative
mechanism instead (such as TCP). Otherwise I would have disabled sysvipc usage
in the zabbix application a long time ago.

> Almost 99% sure your problem is caused by your jailed application and not
> qjail or jail(8).

Nah. I would be very surprised, given today's output from jls and ipcs
commands, that the problem is anything to do with the zabbix application
itself.

It just seems some of us could reproduce this issue, and some of us can't. We
seem to have 2 reports of success. And equally 2 of fail. What seems to be
missing is better instructions to reproduce this (my fault). There must be
some other circumstances specific to my host, which is triggering this to
occur... I will find out today.

For one thing, we know that on startup, qjail is changing the same jail.conf
file. Then re-calling jail(8) program again on the next jail in the list. So
maybe that's got something to do with it. Please bear with me. I will look
into it further.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 09:53:28 2014
Date: Sun, 6 Jul 2014 11:53:26 +0200
Subject: PF+Jail+IRC Cannot redirect oidentd from jail without "~"
From: "bryn1u85 ."
To: freebsd-jail@freebsd.org

Hey,

I have a problem, have been sitting on it for a few days and can't resolve it.
I want to redirect oidentd port 113 from jail, because I use irssi and want
to connect with irc servers without "~" before ident, example ~ident@host .
I don't know what else I can do. Nothing helps.

My etc/pf.conf

...
nat on em0 from $ip_oksymoron to any -> $ip_pub
rdr on em0 inet proto tcp from any to $ip_pub port 113 -> $ip_oksymoron port 113
...
block in all
pass in on $ext_if proto tcp from any to $ip_oksymoron port 113
...

I checked from host without pf, works well. Checked from host with pf and
works well but from jail it still doesn't work. Can someone help with this
issue?

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 10:35:04 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 10:35:04 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

--- Comment #7 from dreamcat4@gmail.com ---
Created attachment 144450
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144450&action=edit
More comprehensive test cases & results

OK. This occurs on qjail 3.4. I have tested more thoroughly now. Full details
of the testing (to know too what else is eliminated) are documented in the
attached .TXT file "testing-details.txt".

My new findings:

* The problem only appears when jail is started by the 'qjail.bootime' rc.d
script.

* The problem does not occur if the jail is started from the command line (by
typing "qjail start $jailname").

* The 'qjail.bootime' rc.script can be restarted once, twice, three times.
After bootup (of which not matter if occur with rest of system boot). And the
reported problem (sysvipc not working) will still occur. Does not 'go away'
2nd time.

Recommend: future investigations should focus more on what is happening inside
the 'qjail.bootime' rc.d script.

I will continue to look further. Many thanks.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 10:52:33 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 10:52:33 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

--- Comment #8 from dreamcat4@gmail.com ---
Found it. The problem occurs in the qjail program (not the rc.d script). When saving the definition records (the qjail config file). I think when enabled with 'config -y', it saves 'allow.sysvipc' correctly into 'qjail.local/$jailname'. But it does not get saved into 'qjail.global/$jailname'. So hence the rc.d start does not work, whereas the command line does work.

Not just the sysvipc line. But the devfs_ruleset line is also missing:

ruleset=""
sysvipc=""

Do not appear in the qjail.global copy of the definition record. It is likely that the variable is set correctly inside the qjail program, but those extra lines were not inserted in both templates (only local), so are missed when writing the 'qjail.global' to disk.

See here:

freenas // root^> cat /usr/local/etc/qjail.global/webcamd
name="webcamd"
ip4="192.168.1.214,lo0|127.0.0.214"
ip6=""
path="/usr/jails/webcamd"
interface="re0"
fstab="/usr/local/etc/qjail.fstab/webcamd"
securelevel=""
cpuset=""
fib=""
vnet=""
vinterface=""
rsockets="allow.raw_sockets"
quotas=""
nullfs=""
zfs=""
poststartssh=""
deffile="/usr/local/etc/qjail.local/webcamd"
image=""
imagetype=""
imageblockcount=""
imagedevice=""

freenas // root^> cat /usr/local/etc/qjail.local/webcamd
name="webcamd"
ip4="192.168.1.214,lo0|127.0.0.214"
ip6=""
path="/usr/jails/webcamd"
interface="re0"
fstab="/usr/local/etc/qjail.fstab/webcamd"
securelevel=""
cpuset=""
fib=""
vnet=""
vinterface=""
rsockets="allow.raw_sockets"
ruleset=""
sysvipc="allow.sysvipc"
quotas=""
nullfs=""
zfs=""
poststartssh=""
deffile="/usr/local/etc/qjail.local/webcamd"
image=""
imagetype=""
imageblockcount=""
imagedevice=""

freenas // root^>
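
The difference between the two records in comment #8 can be checked mechanically, which matters because the boot-time path and the command-line path then start the same jail with different devfs ruleset and allow.sysvipc settings. The following is an added example, not part of the bug report or of qjail: a POSIX sh audit that lists keys present in a jail's qjail.local record but missing from, or different in, its qjail.global copy. The function names and the one key="value" pair per line layout are assumptions, and the sample records are constructed by abridging the listings above.

```sh
#!/bin/sh
# Added example, not qjail code. Assumption: a definition record holds one
# key="value" pair per line, as in the two listings quoted in the report.
LC_ALL=C; export LC_ALL

# record_keys FILE: print the sorted key names found in a record.
record_keys() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*$/\1/p' "$1" | sort -u
}

# record_value FILE KEY: print KEY's value without the surrounding quotes.
record_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# missing_keys LOCAL GLOBAL: keys present in LOCAL but absent from GLOBAL.
missing_keys() {
    for _k in $(record_keys "$1"); do
        grep -q "^${_k}=" "$2" || printf '%s\n' "$_k"
    done
}

# changed_keys LOCAL GLOBAL: keys present in both records with different values.
changed_keys() {
    for _k in $(record_keys "$1"); do
        grep -q "^${_k}=" "$2" || continue
        [ "$(record_value "$1" "$_k")" = "$(record_value "$2" "$_k")" ] ||
            printf '%s\n' "$_k"
    done
}

# audit_record LOCAL GLOBAL: report every difference; status 1 if any exists.
audit_record() {
    _rc=0
    for _m in $(missing_keys "$1" "$2"); do
        printf 'MISSING %s (local value: "%s")\n' "$_m" "$(record_value "$1" "$_m")"
        _rc=1
    done
    for _c in $(changed_keys "$1" "$2"); do
        printf 'CHANGED %s\n' "$_c"
        _rc=1
    done
    return "$_rc"
}

# write_sample_records DIR: constructed sample, abridged from the report's
# listings (same keys and values, fewer lines).
write_sample_records() {
    mkdir -p "$1/qjail.local" "$1/qjail.global"
    cat > "$1/qjail.local/webcamd" <<'EOF'
name="webcamd"
ip4="192.168.1.214,lo0|127.0.0.214"
path="/usr/jails/webcamd"
securelevel=""
rsockets="allow.raw_sockets"
ruleset=""
sysvipc="allow.sysvipc"
quotas=""
deffile="/usr/local/etc/qjail.local/webcamd"
EOF
    cat > "$1/qjail.global/webcamd" <<'EOF'
name="webcamd"
ip4="192.168.1.214,lo0|127.0.0.214"
path="/usr/jails/webcamd"
securelevel=""
rsockets="allow.raw_sockets"
quotas=""
deffile="/usr/local/etc/qjail.local/webcamd"
EOF
}

# Demo on the constructed sample. On a real host, pass the record files under
# /usr/local/etc/qjail.local and /usr/local/etc/qjail.global instead.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/qjaudit.XXXXXX")
write_sample_records "$demo_dir"
audit_record "$demo_dir/qjail.local/webcamd" "$demo_dir/qjail.global/webcamd" ||
    echo "qjail.global/webcamd does not match qjail.local/webcamd"
rm -rf "$demo_dir"
```

Running the audit for every jail after the boot-time script has run shows whether the copy used at boot still carries the isolation settings that were configured.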

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 11:39:43 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 11:39:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

--- Comment #9 from dreamcat4@gmail.com ---
No. Scratch that. This IS the qjail.bootime rc.d script. Who knew that was a place to overwrite jails settings files ??!! Clearly not I. Otherwise would have known to be including such fixes / amendments in with the original patch.

Don't even want to ask why. Or wish to hear any explanations for reasons behind what is going on in there. Let's just make a patch for it (the qjail rc.d script). To be included whenever the next qjail release.

(from my point) This is not considered to be terribly urgent (for me / Finch users). Since we have an auto-patching function for qjail. I make a patch soon.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 11:55:40 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 11:55:40 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

dreamcat4@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #144450|0                           |1
        is obsolete|                            |
 Attachment #144452|                            |maintainer_approval?(dreamc
              Flags|                            |at4@gmail.com)

--- Comment #10 from dreamcat4@gmail.com ---
Created attachment 144452
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144452&action=edit
Patch file, in 'diff -ruN' format

This patch ought to solve the issue. Not considered urgent. (Finch will auto patch in meantime, until next official qjail release).

Also included: -ge 92 compatibility fix for Finch users on FreeNAS and NAS4Free. Who are still on FreeBSD 9.2. (they still can't upgrade yet). Without that it will cause some Finch users problems / qjail installation error.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 11:57:53 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 11:57:53 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

dreamcat4@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #144452|                            |maintainer_approval?(joeb1@
              Flags|                            |a1poweruser.com)

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 12:13:01 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 12:13:01 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

--- Comment #11 from joeb1@a1poweruser.com ---
Created attachment 144453
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144453&action=edit
official maintainer qjail.bootime patch

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 12:21:13 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 12:21:13 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

dreamcat4@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #144452|0                           |1
        is obsolete|                            |
 Attachment #144452|maintainer_approval?(dreamc |
              Flags|at4@gmail.com),             |
                   |maintainer_approval?(joeb1@ |
                   |a1poweruser.com)            |

--- Comment #12 from dreamcat4@gmail.com ---
Comment on attachment 144452
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=144452
Patch file, in 'diff -ruN' format

Superseded by Joe's patch.

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 6 12:50:00 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 191279] [jail] jail allow.sysvipc - doesn't work until jail is started TWICE after reboot
Date: Sun, 06 Jul 2014 12:50:00 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

--- Comment #13 from dreamcat4@gmail.com ---
(In reply to joeb1 from comment #11)
> Created attachment 144453 [details]
> official maintainer qjail.bootime patch

Joe, thanks for the patch correction. And fast response. Have re-tested with patch applied (it works).

From owner-freebsd-jail@FreeBSD.ORG Mon Jul 7 15:19:02 2014
Message-ID: <53BABA64.20004@gibfest.dk>
Date: Mon, 07 Jul 2014 17:19:00 +0200
From: Thomas Steen Rasmussen
To: m.bryn1u@gmail.com
Cc: freebsd-jail@freebsd.org
Subject: Re: PF+Jail+IRC Cannot redirect oidentd from jail without "~"

On 06-07-2014 11:53, bryn1u85 . wrote:
> Hey,
>
> I have a problem, have been sitting since a few days and can't
> resolve the problem.
>
> I want to redirect oidentd port 113 from jail, because i use to
> irssi and want to connect with irc servers without "~" before ident
> example ~ident@host .
>
> I don't know what else can i do. Nothing helps.
>
> My etc/pf.conf
>
> ...
> nat on em0 from $ip_oksymoron to any -> $ip_pub
> rdr on em0 inet proto tcp from any to $ip_pub port 113 -> $ip_oksymoron port 113
> ...
> black in all
> pass in on $ext_if proto tcp from any to $ip_oksymoron port 113
> ...
>
> I checked from host without pf, works well. Checked from host with
> pf and works well but from jail it still doesn't work. Someone can
> help with this issue ?

Hello,

Try adding the "static-port" keyword to your nat rule. Your TCP connections to IRC are coming from another port than you think, static-port fixes that.

Best regards,

Thomas Steen Rasmussen

From owner-freebsd-jail@FreeBSD.ORG Wed Jul 9 06:05:37 2014
Date: Wed, 9 Jul 2014 15:34:40 +1000 (EST)
From: Peter Ross
To: freebsd-jail@freebsd.org
Subject: vnet jail and ipfw/nat on host - keep-state problem?

Hi all,

I am setting up a host with vnet jails without a public IP.

E.g. a vnet jail with a DNS server (bind) running inside.

The setup:

Internet->age0(host interface with natd and external IP)
  ->bridge10(10.0.10.254)->epair1a
  ->epair1b(10.0.10.1 in bind vnet jail)

Inside the jail I have a simple open ipfw firewall
(ipfw allow ip4 from any to any)

Here the rules relevant to let UDP port 53 connect from the outside world
(with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")

00100 divert 8668 ip4 from any to any via age0
03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
03200 allow udp from any to me dst-port 53 keep-state

This does not allow DNS requests from the outside, they only get returned by adding

03300 allow udp from me 53 to any

I am pretty confident that the rules above work with "real interfaces". I have similar routers with ipfw/natd, there things are even more limited by interface rules (recv/xmit).

Does this mean, "keep-state" are not working properly in the mentioned vnet setup?

Regards
Peter

From owner-freebsd-jail@FreeBSD.ORG Wed Jul 9 06:43:19 2014
Date: Wed, 9 Jul 2014 16:24:27 +1000 (EST)
From: Peter Ross
To: Peter Ross
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?

P.S. I also have the following rules near the top:

01000 check-state
01100 allow tcp from any to any established
01200 allow ip from any to any frag

Peter

On Wed, 9 Jul 2014, Peter Ross wrote:

> Hi all,
>
> I am setting up a host with vnet jails without a public IP.
>
> E.g. a vnet jail with a DNS server (bind) running inside.
>
> The setup:
>
> Internet->age0(host interface with natd and external IP)
>   ->bridge10(10.0.10.254)->epair1a
>   ->epair1b(10.0.10.1 in bind vnet jail)
>
> Inside the jail I have a simple open ipfw firewall
> (ipfw allow ip4 from any to any)
>
> Here the rules relevant to let UDP port 53 connect from the outside world
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>
> 00100 divert 8668 ip4 from any to any via age0
> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
> 03200 allow udp from any to me dst-port 53 keep-state
>
> This does not allow DNS requests from the outside, they only get returned by
> adding
>
> 03300 allow udp from me 53 to any
>
> I am pretty confident that the rules above work with "real interfaces". I
> have similar routers with ipfw/natd, there things are even more limited by
> interface rules (recv/xmit).
>
> Does this mean, "keep-state" are not working properly in the mentioned vnet
> setup?
>
> Regards
> Peter
>

From owner-freebsd-jail@FreeBSD.ORG Wed Jul 9 21:28:02 2014
Date: Thu, 10 Jul 2014 09:28:02 +1200
Subject: RE: vnet jail and ipfw/nat on host - keep-state problem?
From: Peter Toth
To: Peter.Ross@alumni.tu-berlin.de
Cc: freebsd-jail@freebsd.org

Hi Peter,

Try to make these changes:

net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
net.link.bridge.pfil_member=0  # Packet filter on the member interface

You can find some info here http://iocage.readthedocs.org/en/latest/help-no-internet.html

I've had these issues before with PF and IPFW, by default these will be filtering on your bridge and member interfaces.

Cheers,
Peter

From owner-freebsd-jail@FreeBSD.ORG Thu Jul 10 18:56:10 2014
Date: Thu, 10 Jul 2014 12:56:04 -0600 (MDT)
From: Warren Block
To: freebsd-jail@FreeBSD.org
Subject: mergemaster

On a jail created with ezjail on 10-STABLE, mergemaster is not actually ignoring files set with IGNORE_FILES in the jail's /etc/mergemaster.rc.

For example:

/usr/jails/whatsit/etc/mergemaster.rc
IGNORE_FILES="/boot/device.hints"

From the host:
# cd /usr/src ; mergemaster -U -D /usr/jails/whatsit
...
  *** There is no installed version of ./boot/device.hints

  Use 'd' to delete the temporary ./boot/device.hints
  Use 'i' to install the temporary ./boot/device.hints

  Default is to leave the temporary file to deal with by hand

How should I deal with this? [Leave it for later]

Using IGNORE_FILES="/usr/jails/whatsit/boot/device.hints" in the jail does not work either. Nor does setting that value in the host's /etc/mergemaster.rc.

Is this a problem with mergemaster or the jail setup? From a user standpoint, I would hope that mergemaster would read /etc/mergemaster.rc from the -D directory and use those values rather than the host's /etc/mergemaster.rc. Maybe it does that, but I'm doing it wrong.

From owner-freebsd-jail@FreeBSD.ORG Thu Jul 10 20:45:55 2014
Date: Thu, 10 Jul 2014 16:45:54 -0400
From: Clint Armstrong
To: freebsd-jail@freebsd.org
Subject: VNET performance

What is the expected network performance of a VNET jail for network
communication between the jail and the host, or between multiple jails? I
expected it to approach the 10Gbps of the epair device, but I'm not seeing
that.

I see between 800 - 1200 Mbps in standard iperf tests both between the host
bridge interface and the vnet jail interface. I see the same poor speeds if
I make 2 vnet jails and put one side of the epair in each and test between
them.

Is the overhead of vnet causing this? Is there anything I can do to improve
this performance?

I've tested and seen similar performance on 10.0-RELEASE and 11.0-CURRENT.

From owner-freebsd-jail@FreeBSD.ORG Thu Jul 10 23:50:38 2014
Date: Thu, 10 Jul 2014 23:50:03 +0000
From: "Bjoern A. Zeeb"
To: Clint Armstrong
Cc: freebsd-jail@freebsd.org
Subject: Re: VNET performance

On 10 Jul 2014, at 20:45 , Clint Armstrong wrote:

> What is the expected network performance of a VNET jail for network
> communication between the jail and the host, or between multiple jails? I
> expected it to approach the 10Gbps of the epair device, but I'm not seeing
> that.
>
> I see between 800 - 1200 Mbps in standard iperf tests both between the host
> bridge interface and the vnet jail interface. I see the same poor speeds if
> I make 2 vnet jails and put one side of the epair in each and test between
> them.
>
> Is the overhead of vnet causing this? Is there anything I can do to improve
> this performance?
>
> I've tested and seen similar performance on 10.0-RELEASE and 11.0-CURRENT.

epair has a netisr queuing in between as you cannot call the input
routines directly from the output routines.  I was able to get a bit
more traffic through by doing pinning games.

I wonder what a vale switch for vnets could achieve.

-- 
Bjoern A. Zeeb     "Come on. Learn, goddamn it.", WarGames, 1983

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 07:11:45 2014
Date: Fri, 11 Jul 2014 17:11:27 +1000 (EST)
From: Peter Ross
To: Peter Toth
Subject: RE: vnet jail and ipfw/nat on host - keep-state problem?
Cc: freebsd-jail@freebsd.org

On Thu, 10 Jul 2014, Peter Toth wrote:

> Hi Peter,
> Try to make these changes:
>
> net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
> net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
> net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
> net.link.bridge.pfil_member=0  # Packet filter on the member interface
>
> You can find some info
> here http://iocage.readthedocs.org/en/latest/help-no-internet.html
>
> I've had these issues before with PF and IPFW, by default these will be
> filtering on your bridge and member interfaces.

Thanks. It did not change anything.

Now, _inside_ the jail I run "ipfw allow ip from any to any".

This on the host system:

01000 check-state
01100 allow tcp from any to any established
01200 allow ip from any to any frag
00100 divert 8668 ip4 from any to any via age0
03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
03200 allow udp from any to me dst-port 53 keep-state

(with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")

If I add

03300 allow udp from me 53 to any

it works..

So it makes me think check-state isn't usable - because

03200 allow udp from any to me dst-port 53 keep-state

should cover the returning packets.

I played with your parameters but it did not help. But thanks for the idea.

Here again the setup:

Internet->age0(host interface with natd and external IP)
->bridge10(10.0.10.254)->epair1a
->epair1b(10.0.10.1 in bind vnet jail)

I wonder what kind of restrictions exist with vnet.. it does not seem to
work _exactly_ as a "real" network stack (the issues with pf inside the
jail let me think of it too)

Did I find a restriction, a bug - or just that I've got it wrong?

Regards
Peter

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 08:50:51 2014
Date: Fri, 11 Jul 2014 20:50:50 +1200
From: Peter Toth
To: Peter Ross
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?

Have not used natd with IPFW much as always preferred PF to do everything
on the host.

I have only a wild guess - the "me" keyword in IPFW is substituted only to
the host's IPs known to itself.
The host's IPFW firewall most likely doesn't know anything about IPs
assigned to vnet interfaces inside the jail.

Vnet jails behave more like separate physical hosts.

Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]

The PF issue inside a jail is a separate problem, PF is not fully
VIMAGE/VNET aware as far as I know.

Can someone comment on these or correct me?

P

On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:

> On Thu, 10 Jul 2014, Peter Toth wrote:
>
>> Hi Peter,
>> Try to make these changes:
>>
>> net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
>> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
>> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
>> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>>
>> You can find some info
>> here http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>
>> I've had these issues before with PF and IPFW, by default these will be
>> filtering on your bridge and member interfaces.
>
> Thanks. It did not change anything.
>
> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>
> This on the host system:
>
> 01000 check-state
> 01100 allow tcp from any to any established
> 01200 allow ip from any to any frag
> 00100 divert 8668 ip4 from any to any via age0
> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
> 03200 allow udp from any to me dst-port 53 keep-state
>
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>
> If I add
>
> 03300 allow udp from me 53 to any
>
> it works..
>
> So it makes me think check-state isn't usable - because
>
> 03200 allow udp from any to me dst-port 53 keep-state
>
> should cover the returning packets.
>
> I played with your parameters but it did not help. But thanks for the idea.
>
> Here again the setup:
>
> Internet->age0(host interface with natd and external IP)
> ->bridge10(10.0.10.254)->epair1a
> ->epair1b(10.0.10.1 in bind vnet jail)
>
> I wonder what kind of restrictions exist with vnet.. it does not seem to
> work _exactly_ as a "real" network stack (the issues with pf inside the
> jail let me think of it too)
>
> Did I find a restriction, a bug - or just that I've got it wrong?
>
> Regards
> Peter

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 13:10:28 2014
Date: Fri, 11 Jul 2014 15:12:39 +0200
From: "Marcin Michta"
Subject: Jail vnet features

Hello,

I want to ask what are advantages and disadvantages using VNET?

I know that it allows each jail to have a private networking stack, but what
else?

Regards

Marthin

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 13:33:32 2014
Date: Fri, 11 Jul 2014 09:33:10 -0400
From: Fbsd8
To: Peter Toth
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
Cc: Peter Ross, freebsd-jail@freebsd.org

Peter Toth wrote:
> Have not used natd with IPFW much as always preferred PF to do everything
> on the host.
>
> I have only a wild guess - the "me" keyword in IPFW is substituted only to
> the host's IPs known to itself.
> The host's IPFW firewall most likely doesn't know anything about IPs
> assigned to vnet interfaces inside the jail.
>
> Vnet jails behave more like separate physical hosts.
>
> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>
> The PF issue inside a jail is a separate problem, PF is not fully
> VIMAGE/VNET aware as far as I know.
>
> Can someone comment on these or correct me?
>
> P
>
> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:
>
>> On Thu, 10 Jul 2014, Peter Toth wrote:
>>
>>> Hi Peter,
>>> Try to make these changes:
>>>
>>> net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
>>> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
>>> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
>>> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>>>
>>> You can find some info
>>> here http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>>
>>> I've had these issues before with PF and IPFW, by default these will be
>>> filtering on your bridge and member interfaces.
>>
>> Thanks. It did not change anything.
>>
>> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>>
>> This on the host system:
>>
>> 01000 check-state
>> 01100 allow tcp from any to any established
>> 01200 allow ip from any to any frag
>> 00100 divert 8668 ip4 from any to any via age0
>> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>> 03200 allow udp from any to me dst-port 53 keep-state
>>
>> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>>
>> If I add
>>
>> 03300 allow udp from me 53 to any
>>
>> it works..
>>
>> So it makes me think check-state isn't usable - because
>>
>> 03200 allow udp from any to me dst-port 53 keep-state
>>
>> should cover the returning packets.
>>
>> I played with your parameters but it did not help. But thanks for the idea.
>>
>> Here again the setup:
>>
>> Internet->age0(host interface with natd and external IP)
>> ->bridge10(10.0.10.254)->epair1a
>> ->epair1b(10.0.10.1 in bind vnet jail)
>>
>> I wonder what kind of restrictions exist with vnet.. it does not seem to
>> work _exactly_ as a "real" network stack (the issues with pf inside the
>> jail let me think of it too)
>>
>> Did I find a restriction, a bug - or just that I've got it wrong?
>>
>> Regards
>> Peter

Any firewall function that runs in the kernel will not function inside of
a vnet/vimage jail.
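
Added example, not part of any post in this thread: a small Python model that walks one DNS query and its answer through the host ruleset Peter Ross posted, to show which addresses the keep-state entry records and which addresses check-state sees once natd has rewritten the packet at rule 00100. Assumptions: standard ipfw semantics (a diverted packet re-enters the ruleset after the divert rule, a forwarded packet is checked once inbound and once outbound, default deny at 65535), bridge-level filtering switched off, and a constructed client address and stand-in value for external.ip.

```python
"""Toy trace of the quoted host ruleset; an added model, not real ipfw."""
from dataclasses import dataclass, replace

EXT_IP = "203.0.113.10"             # constructed stand-in for "external.ip"
JAIL_IP = "10.0.10.1"               # bind vnet jail (from the thread)
CLIENT = "198.51.100.7"             # constructed DNS client address
HOST_IPS = {EXT_IP, "10.0.10.254"}  # addresses the host's "me" matches


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet is crossing in this ipfw pass


def natd(pkt):
    """Model of: redirect_port udp 10.0.10.1:53 external.ip:53"""
    if pkt.dst == EXT_IP and pkt.dport == 53:    # query arriving from outside
        return replace(pkt, dst=JAIL_IP)
    if pkt.src == JAIL_IP and pkt.sport == 53:   # answer leaving the host
        return replace(pkt, src=EXT_IP)
    return pkt


def flow_key(pkt):
    """A dynamic rule matches both directions of one address/port pair."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


# (number, action, match, keep_state). Rules 01100 (tcp established) and 01200
# (frag) are left out: they never match an unfragmented UDP packet.
RULES = [
    (100, "divert", lambda p: p.iface == "age0", False),
    (1000, "check-state", None, False),
    (3100, "allow", lambda p: p.dst == JAIL_IP and p.dport == 53, True),
    (3200, "allow", lambda p: p.dst in HOST_IPS and p.dport == 53, True),
]
RULE_3300 = (3300, "allow", lambda p: p.src in HOST_IPS and p.sport == 53, False)


def ipfw_pass(pkt, rules, states):
    """One trip through the ruleset; returns (verdict, rule number, packet)."""
    for number, action, match, keep_state in sorted(rules, key=lambda r: r[0]):
        if action == "divert":
            if match(pkt):
                pkt = natd(pkt)      # re-injected, resumes at the next rule
        elif action == "check-state":
            if flow_key(pkt) in states:
                return "allow", number, pkt
        elif match(pkt):
            if keep_state:
                states.add(flow_key(pkt))
            return "allow", number, pkt
    return "deny", 65535, pkt        # assumed default-deny last rule


def trace_dns_exchange(rules):
    """Follow one query and its answer through the host's four ipfw passes."""
    states, log = set(), []
    legs = [
        ("query", Packet(CLIENT, 40000, EXT_IP, 53, "age0"), "bridge10"),
        ("answer", Packet(JAIL_IP, 53, CLIENT, 40000, "bridge10"), "age0"),
    ]
    for name, pkt, out_iface in legs:
        verdict, number, pkt = ipfw_pass(pkt, rules, states)
        log.append(("%s in %s" % (name, pkt.iface), verdict, number))
        if verdict == "deny":
            break
        pkt = replace(pkt, iface=out_iface)      # forwarded: outbound pass
        verdict, number, pkt = ipfw_pass(pkt, rules, states)
        log.append(("%s out %s" % (name, out_iface), verdict, number))
        if verdict == "deny":
            break
    return log


if __name__ == "__main__":
    for name, rules in (("as posted", RULES), ("with 03300", RULES + [RULE_3300])):
        print(name)
        for step in trace_dns_exchange(rules):
            print("  %-20s %-5s rule %05d" % step)
```

In this model the state created at 03100 is keyed on client and 10.0.10.1:53, while the outbound answer reaches check-state as external.ip:53 to client, so only the stateless 03300 rule matches it.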

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 13:49:04 2014
Date: Fri, 11 Jul 2014 09:28:28 -0400
From: Fbsd8
To: Marcin Michta
Cc: freebsd-jail@freebsd.org
Subject: Re: Jail vnet features

Marcin Michta wrote:
> Hello,
>
> I want to ask what are advantages and disadvantages using VNET?
>
> I know that it allows each jail to have a private networking stack, but what
> else?
>
> Regards
>
> Marthin
>

It's experimental, it has many bugs posted in PR system, loses memory
every time a vnet jail is stopped, firewalls in vnet jail don't work,
other than these show stoppers, use at your own risk.

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 19:56:11 2014
Date: Fri, 11 Jul 2014 22:55:58 +0300
From: wishmaster
To: Fbsd8
Cc: freebsd-jail@freebsd.org, Marcin Michta
Subject: Re[2]: Jail vnet features

--- Original message ---
From: "Fbsd8"
Date: 11 July 2014, 16:49:08

> Marcin Michta wrote:
> > Hello,
> >
> > I want to ask what are advantages and disadvantages using VNET?
> >
> > I know that it allows each jail to have a private networking stack, but what
> > else?
> >
> > Regards
> >
> > Marthin
> >
>
> It's experimental, it has many bugs posted in PR system, loses memory
> every time a vnet jail is stopped, firewalls in vnet jail don't work,
> other than these show stoppers, use at your own risk.

Hey, man. Stop panicking!

Firewall works very well. Memory leak on shutdown is not a very big problem.
Main advantage for me is: I am able to filter and prioritize traffic coming
through the base system. My vnet'ed jails are like regular LAN clients and
they share the INET pipe with appropriate weight. I use ipfw.

From owner-freebsd-jail@FreeBSD.ORG Fri Jul 11 20:21:42 2014
Date: Sat, 12 Jul 2014 08:21:41 +1200
From: Peter Toth
To: Fbsd8
Cc: Peter Ross, freebsd-jail@freebsd.org
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?

This sounds a bit vague, can you please explain in more detail what you
meant by this?

IPFW works inside a vnet jail - You can manage per jail firewall instances
without any issues.
The only firewall which cannot function inside a jail (yet) is PF.

P

On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:

> Peter Toth wrote:
>
>> Have not used natd with IPFW much as always preferred PF to do everything
>> on the host.
>>
>> I have only a wild guess - the "me" keyword in IPFW is substituted only to
>> the host's IPs known to itself.
>> The host's IPFW firewall most likely doesn't know anything about IPs
>> assigned to vnet interfaces inside the jail.
>>
>> Vnet jails behave more like separate physical hosts.
>>
>> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>>
>> The PF issue inside a jail is a separate problem, PF is not fully
>> VIMAGE/VNET aware as far as I know.
>>
>> Can someone comment on these or correct me?
>>
>> P
>>
>> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:
>>
>>> On Thu, 10 Jul 2014, Peter Toth wrote:
>>>
>>>> Hi Peter,
>>>> Try to make these changes:
>>>>
>>>> net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
>>>> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is
>>>> enabled
>>>> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
>>>> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>>>>
>>>> You can find some info
>>>> here http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>>>
>>>> I've had these issues before with PF and IPFW, by default these will be
>>>> filtering on your bridge and member interfaces.
>>>
>>> Thanks. It did not change anything.
>>>
>>> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>>>
>>> This on the host system:
>>>
>>> 01000 check-state
>>> 01100 allow tcp from any to any established
>>> 01200 allow ip from any to any frag
>>> 00100 divert 8668 ip4 from any to any via age0
>>> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>>> 03200 allow udp from any to me dst-port 53 keep-state
>>>
>>> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>>>
>>> If I add
>>>
>>> 03300 allow udp from me 53 to any
>>>
>>> it works..
>>>
>>> So it makes me think check-state isn't usable - because
>>>
>>> 03200 allow udp from any to me dst-port 53 keep-state
>>>
>>> should cover the returning packets.
>>>
>>> I played with your parameters but it did not help. But thanks for the
>>> idea.
>>>
>>> Here again the setup:
>>>
>>> Internet->age0(host interface with natd and external IP)
>>> ->bridge10(10.0.10.254)->epair1a
>>> ->epair1b(10.0.10.1 in bind vnet jail)
>>>
>>> I wonder what kind of restrictions exist with vnet.. it does not seem to
>>> work _exactly_ as a "real" network stack (the issues with pf inside the
>>> jail let me think of it too)
>>>
>>> Did I find a restriction, a bug - or just that I've got it wrong?
>>>
>>> Regards
>>> Peter
>>
> Any firewall function that runs in the kernel will not function inside of
> a vnet/vimage jail.

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 01:07:35 2014
Date: Fri, 11 Jul 2014 21:07:25 -0400
From: Fbsd8
To: wishmaster
Cc: freebsd-jail@freebsd.org, Marcin Michta
Subject: Re: Jail vnet features

wishmaster wrote:
>
> --- Original message ---
> From: "Fbsd8"
> Date: 11 July 2014, 16:49:08
>
>> Marcin Michta wrote:
>>> Hello,
>>>
>>> I want to ask what are advantages and disadvantages using VNET?
>>>
>>> I know that it allows each jail to have a private networking stack, but what
>>> else?
>>>
>>> Regards
>>>
>>> Marthin
>>>
>> It's experimental, it has many bugs posted in PR system, loses memory
>> every time a vnet jail is stopped, firewalls in vnet jail don't work,
>> other than these show stoppers, use at your own risk.
>
> Hey, man. Stop panicking!
>
> Firewall works very well. Memory leak on shutdown is not a very big problem.
> Main advantage for me is: I am able to filter and prioritize traffic coming
> through the base system. My vnet'ed jails are like regular LAN clients and
> they share the INET pipe with appropriate weight. I use ipfw.
>

Oh ya, host panic on boot is another common happening with vimage and
firewall ipf and pf trying to run inside of a vnet jail and on the host at
the same time.

Many people DO consider any kind of memory leak in kernel software such as
vimage is a really big show stopper for not using it in a production system.

If you read a little bit closer the previous post you will see it's talking
about firewall running inside of a vnet/vimage jail. It doesn't say anything
about running a host firewall directing traffic to an IP number assigned to
a vnet jail.
Here is a list of some of the vnet outstanding PR's

143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468

vnet/vimage is experimental and should never be used in a production system and be exposed to the public network. It is not a secure software configuration. Sure you can disregard all warnings and common sense and risk your host system, that's your choice.

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 01:16:48 2014
Message-ID: <53C08C74.6000805@a1poweruser.com>
Date: Fri, 11 Jul 2014 21:16:36 -0400
From: Fbsd8
To: Peter Toth
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
Cc: Peter Ross, freebsd-jail@freebsd.org

Peter Toth wrote:
> On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:
>
> Peter Toth wrote:
>
> Have not used natd with IPFW much as always preferred PF to do everything
> on the host.
>
> I have only a wild guess - the "me" keyword in IPFW is substituted only to
> the host's IPs known to itself.
> The host's IPFW firewall most likely doesn't know anything about IPs
> assigned to vnet interfaces inside the jail.
>
> Vnet jails behave more like separate physical hosts.
>
> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>
> The PF issue inside a jail is a separate problem, PF is not fully
> VIMAGE/VNET aware as far as I know.
>
> Can someone comment on these or correct me?
>
> P
>
> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:
>
> On Thu, 10 Jul 2014, Peter Toth wrote:
>
> Hi Peter,
>
> Try to make these changes:
>
> net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>
> You can find some info here
> http://iocage.readthedocs.org/en/latest/help-no-internet.html
>
> I've had these issues before with PF and IPFW, by default these will be
> filtering on your bridge and member interfaces.
>
> Thanks. It did not change anything.
>
> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>
> This on the host system:
>
> 01000 check-state
> 01100 allow tcp from any to any established
> 01200 allow ip from any to any frag
> 00100 divert 8668 ip4 from any to any via age0
> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
> 03200 allow udp from any to me dst-port 53 keep-state
>
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>
> If I add
>
> 03300 allow udp from me 53 to any
>
> it works..
>
> So it makes me think check-state isn't usable - because
>
> 03200 allow udp from any to me dst-port 53 keep-state
>
> should cover the returning packets.
>
> I played with your parameters but it did not help. But thanks for the idea.
>
> Here again the setup:
>
> Internet->age0(host interface with natd and external IP)
> ->bridge10(10.0.10.254)->epair1a
> ->epair1b(10.0.10.1 in bind vnet jail)
>
> I wonder what kind of restrictions exist with vnet.. it does not seem to
> work _exactly_ as a "real" network stack (the issues with pf inside the
> jail let me think of it too)
>
> Did I find a restriction, a bug - or just that I've got it wrong?
>
> Regards
> Peter
>
> Any firewall function that runs in the kernel will not function
> inside of a vnet/vimage jail.
>
> This sounds a bit vague, can you please explain in more detail what you
> meant by this?
>
> IPFW works inside a vnet jail - You can manage per jail firewall
> instances without any issues.
>
> The only firewall which cannot function inside a jail (yet) is PF.
>
> P
>

You are incorrect.
Here is a list of some of the vnet/vimage outstanding PR's

143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 01:30:12 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 142972] [jail] [patch] Support JAILv2 and vnet in rc.d/jail
Date: Sat, 12 Jul 2014 01:30:12 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=142972

joeb1@a1poweruser.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joeb1@a1poweruser.com

--- Comment #10 from joeb1@a1poweruser.com ---
This pr should be closed.
This PR is against the /etc/rc.d/jail script which in 10.0 is deprecated and was replaced in 9.1 and newer with jail(8) program.
This is dead. let's move on to jail(8) method of jails and vnet jails.

--
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 03:40:13 2014
Date: Sat, 12 Jul 2014 15:40:10 +1200
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
From: Peter Toth
To: Fbsd8
Cc: Peter Ross, freebsd-jail@freebsd.org

Dear Joe Barbish (alias fbsd8@a1poweruser.com),

When you going to stop trolling the FreeBSD mailing list and spread disinformation?

For anyone interested please check this mail thread on who fbsd8 really is:
http://lists.freebsd.org/pipermail/freebsd-jail//2013-March/002147.html

Very telling isn't it!

People come to this place to learn, share information, help out other folks and most importantly to have a constructive debate! (obviously some would rather divert this effort)

The PR numbers mentioned are mostly outdated from the 8.x and 9.x series - some of them are completely irrelevant (like ACPI) or for a i386 system.
Beyond this I am categorically refusing to waste any energy and time on answering any trolling/diversion attempts by Joe Barbish.

Most importantly I encourage anyone avoiding his dubious Qjail project by far - for details please check the link above.

I am not going to burn time on dissecting each PR one-by-one but rather share my experience with VNET.

Over the last year and a half have deployed numerous production systems based on amd64 10-RELEASE with VNET enabled and PF running on the host.
Encountered 0 instability issues! Details on how to do this are here: http://iocage.readthedocs.org/en/latest/real-world.html

As I mentioned before IPFW works in a jail and PF only works on the host.

Back to the original issue though, Peter could you please share your IPFW config with me (maybe just send it directly to me), would be very interested to get it going in my lab setup and add a howto page to share this with others.

Cheers,
Peter

On Sat, Jul 12, 2014 at 1:16 PM, Fbsd8 wrote:

> Peter Toth wrote:
>
> On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:
>>
>> Peter Toth wrote:
>>
>> Have not used natd with IPFW much as always preferred PF to do everything
>> on the host.
>>
>> I have only a wild guess - the "me" keyword in IPFW is substituted only to
>> the host's IPs known to itself.
>> The host's IPFW firewall most likely doesn't know anything about IPs
>> assigned to vnet interfaces inside the jail.
>>
>> Vnet jails behave more like separate physical hosts.
>>
>> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>>
>> The PF issue inside a jail is a separate problem, PF is not fully
>> VIMAGE/VNET aware as far as I know.
>>
>> Can someone comment on these or correct me?
>>
>> P
>>
>> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:
>>
>> On Thu, 10 Jul 2014, Peter Toth wrote:
>>
>> Hi Peter,
>>
>> Try to make these changes:
>>
>> net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
>> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
>> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
>> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>>
>> You can find some info here
>> http://iocage.readthedocs.org/en/latest/help-no-internet.html
>>
>> I've had these issues before with PF and IPFW, by default these will be
>> filtering on your bridge and member interfaces.
>>
>> Thanks. It did not change anything.
>>
>> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>>
>> This on the host system:
>>
>> 01000 check-state
>> 01100 allow tcp from any to any established
>> 01200 allow ip from any to any frag
>> 00100 divert 8668 ip4 from any to any via age0
>> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>> 03200 allow udp from any to me dst-port 53 keep-state
>>
>> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>>
>> If I add
>>
>> 03300 allow udp from me 53 to any
>>
>> it works..
>>
>> So it makes me think check-state isn't usable - because
>>
>> 03200 allow udp from any to me dst-port 53 keep-state
>>
>> should cover the returning packets.
>>
>> I played with your parameters but it did not help. But thanks for the idea.
>>
>> Here again the setup:
>>
>> Internet->age0(host interface with natd and external IP)
>> ->bridge10(10.0.10.254)->epair1a
>> ->epair1b(10.0.10.1 in bind vnet jail)
>>
>> I wonder what kind of restrictions exist with vnet.. it does not seem to
>> work _exactly_ as a "real" network stack (the issues with pf inside the
>> jail let me think of it too)
>>
>> Did I find a restriction, a bug - or just that I've got it wrong?
>>
>> Regards
>> Peter
>>
>> Any firewall function that runs in the kernel will not function
>> inside of a vnet/vimage jail.
>>
>> This sounds a bit vague, can you please explain in more detail what you
>> meant by this?
>>
>> IPFW works inside a vnet jail - You can manage per jail firewall
>> instances without any issues.
>>
>> The only firewall which cannot function inside a jail (yet) is PF.
>>
>> P
>>
> You are incorrect.
> Here is a list of some of the vnet/vimage outstanding PR's
>
> 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
> 176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468
>

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 06:24:40 2014
Date: Sat, 12 Jul 2014 08:24:36 +0200
From: Kurt Jaeger
To: Fbsd8
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
Message-ID: <20140712062436.GS2586@home.opsec.eu>
Cc: freebsd-jail@freebsd.org

Hi!

> > On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:
[...]
> Here is a list of some of the vnet/vimage outstanding PR's
>
> 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
> 176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468

188010 was committed 2014-03-27 -- why is it still outstanding ?

--
pi@opsec.eu +49 171 3101372 6 years to go !

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 11:00:30 2014
Date: Sat, 12 Jul 2014 21:00:22 +1000 (EST)
From: Ian Smith
To: Kurt Jaeger
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
Message-ID: <20140712205335.F50382@sola.nimnet.asn.au>
Cc: freebsd-jail@freebsd.org

On Sat, 12 Jul 2014 08:24:36 +0200, Kurt Jaeger wrote:
> Hi!
>
> > > On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:
> [...]
> > Here is a list of some of the vnet/vimage outstanding PR's
> >
> > 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252,
> > 176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468
>
> 188010 was committed 2014-03-27 -- why is it still outstanding ?

185092 was also fixed and merged back to stable/10 and stable/9 in May.

I'm not about to check all of them .. we're used to these sour grapes.

cheers, Ian

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 13:01:20 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 133265] [jail] is there a solution how to run nfs client in jail environment?
Date: Sat, 12 Jul 2014 13:01:20 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=133265

joeb1@a1poweruser.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joeb1@a1poweruser.com

--- Comment #5 from joeb1@a1poweruser.com ---
Close this pr.
In kernel ntfs has been removed from 10.0 base
see http://svnweb.freebsd.org/base/head/sbin/Makefile?view=log&pathrev=247665

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 13:29:47 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 133265] [jail] is there a solution how to run nfs client in jail environment?
Date: Sat, 12 Jul 2014 13:29:47 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=133265

Lukasz Wasikowski changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lukasz@wasikowski.net

--- Comment #6 from Lukasz Wasikowski ---
ntfs is something completely different than nfs, this PR stands valid.

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 14:52:57 2014
Message-ID: <53C14BB9.3030602@a1poweruser.com>
Date: Sat, 12 Jul 2014 10:52:41 -0400
From: Fbsd8
To: Peter Toth
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
Cc: Peter Ross, freebsd-jail@freebsd.org

Shame on you Peter Toth.
Slander and calling names about someone who does not agree with you is childish and something I would expect from a 10 year old. This foolish post only shows how unprofessional your behavior is. Shame on you.

Everything stated by me is the truth and verified by the outstanding pr's. If you can't trust the PR system as credible, then what can you trust?

I don't disagree that you may have a working vnet/vimage configuration running on your hobby host system or that you're foolishly exposing your hobby host system to public network attack and host system takeover.

There is a very big difference between software that does not crash when started and software that performs within its design parameters. I think just because your configuration does not crash means to you it's working as expected. This is foolish in light of all the negative warnings about vimage. vimage is experimental and nothing you say can change that fact.

Readers, don't believe me or Peter Toth and review the listed pr numbers and do your own search of bugzilla on keyword vnet or vimage and make up your own mind.

Peter Toth wrote:
> Dear Joe Barbish (alias fbsd8@a1poweruser.com),
>
> When you going to stop trolling the FreeBSD mailing list and spread
> disinformation?
>
> People come to this place to learn, share information, help out other
> folks and most importantly to have a constructive debate! (obviously
> some would rather divert this effort)
>
> The PR numbers mentioned are mostly outdated from the 8.x and 9.x
> series - some of them are completely irrelevant (like ACPI) or for a
> i386 system.
> Beyond this I am categorically refusing to waste any energy and time on
> answering any trolling/diversion attempts by Joe Barbish.
>
> I am not going to burn time on dissecting each PR one-by-one but rather
> share my experience with VNET.
>
> Over the last year and a half have deployed numerous production systems
> based on amd64 10-RELEASE with VNET enabled and PF running on the host.
> Encountered 0 instability issues! Details on how to do this are
> here: http://iocage.readthedocs.org/en/latest/real-world.html
>
> As I mentioned before IPFW works in a jail and PF only works on the host.
>
> Back to the original issue though, Peter could you please share your
> IPFW config with me (maybe just send it directly to me), would be very
> interested to get it going in my lab setup and add a howto page to share
> this with others.
>
> Cheers,
> Peter
>
> On Sat, Jul 12, 2014 at 1:16 PM, Fbsd8 wrote:
>
> Peter Toth wrote:
>
> On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 wrote:
>
> Peter Toth wrote:
>
> Have not used natd with IPFW much as always preferred PF to do everything
> on the host.
>
> I have only a wild guess - the "me" keyword in IPFW is substituted only to
> the host's IPs known to itself.
> The host's IPFW firewall most likely doesn't know anything about IPs
> assigned to vnet interfaces inside the jail.
>
> Vnet jails behave more like separate physical hosts.
>
> Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]
>
> The PF issue inside a jail is a separate problem, PF is not fully
> VIMAGE/VNET aware as far as I know.
>
> Can someone comment on these or correct me?
>
> P
>
> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross wrote:
>
> On Thu, 10 Jul 2014, Peter Toth wrote:
>
> Hi Peter,
>
> Try to make these changes:
>
> net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
> net.link.bridge.pfil_onlyip=0 # Only pass IP packets when pfil is enabled
> net.link.bridge.pfil_bridge=0 # Packet filter on the bridge interface
> net.link.bridge.pfil_member=0 # Packet filter on the member interface
>
> You can find some info here
> http://iocage.readthedocs.org/en/latest/help-no-internet.html
>
> I've had these issues before with PF and IPFW, by default these will be
> filtering on your bridge and member interfaces.
>
> Thanks. It did not change anything.
>
> Now, _inside_ the jail I run "ipfw allow ip from any to any".
>
> This on the host system:
>
> 01000 check-state
> 01100 allow tcp from any to any established
> 01200 allow ip from any to any frag
> 00100 divert 8668 ip4 from any to any via age0
> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
> 03200 allow udp from any to me dst-port 53 keep-state
>
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
>
> If I add
>
> 03300 allow udp from me 53 to any
>
> it works..
>
> So it makes me think check-state isn't usable - because
>
> 03200 allow udp from any to me dst-port 53 keep-state
>
> should cover the returning packets.
>
> I played with your parameters but it did not help. But thanks for the idea.
>
> Here again the setup:
>
> Internet->age0(host interface with natd and external IP)
> ->bridge10(10.0.10.254)->epair1a
> ->epair1b(10.0.10.1 in bind vnet jail)
>
> I wonder what kind of restrictions exist with vnet.. it does not seem to
> work _exactly_ as a "real" network stack (the issues with pf inside the
> jail let me think of it too)
>
> Did I find a restriction, a bug - or just that I've got it wrong?
>
> Regards
> Peter
>
> Any firewall function that runs in the kernel will not function
> inside of a vnet/vimage jail.
>
> This sounds a bit vague, can you please explain in more detail
> what you meant by this?
>
> IPFW works inside a vnet jail - You can manage per jail firewall
> instances without any issues.
>
> The only firewall which cannot function inside a jail (yet) is PF.
>
> P
>
> You are incorrect.
> Here is a list of some of the vnet/vimage outstanding PR's
>
> 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763,
> 165252, 176112, 176929, 178480, 178482, 179264, 182350, 185092,
> 188010, 191468
>

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 15:51:49 2014
Received: from [192.168.168.1] (89-71-136-148.dynamic.chello.pl [89.71.136.148]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.freebsd.systems (Postfix) with ESMTPSA id A6B74E1C; Sat, 12 Jul 2014
17:51:43 +0200 (CEST)
Message-ID: <53C15993.1070404@wasikowski.net>
Date: Sat, 12 Jul 2014 17:51:47 +0200
From: Łukasz Wąsikowski
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Fbsd8 , Peter Toth
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?
References: <53BFE796.7020502@a1poweruser.com> <53C08C74.6000805@a1poweruser.com> <53C14BB9.3030602@a1poweruser.com>
In-Reply-To: <53C14BB9.3030602@a1poweruser.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: Peter Ross , freebsd-jail@freebsd.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sat, 12 Jul 2014 15:51:50 -0000

On 2014-07-12 16:52, Fbsd8 wrote:
> Sham on you Peter Toth.
> Slander and calling names about someone who does not agree with you is
> childish and something I would expect from a 10 year old.
>
> This foolish post only shows how unprofessional your behavior is.
> Sham on you.

And this came from person who stole someone else work [1] and then call original author paranoid, mentally ill and demential [2]

Shame on you Joe Barbish. We remember what you did.

Anyway, it's not your business to decide for others what they should run on production. It's their choice and their risk.

[1] Claiming copyright on others work is stealing for me: http://lists.freebsd.org/pipermail/freebsd-jail//2013-March/002147.html
[2] http://lists.freebsd.org/pipermail/freebsd-jail//2013-March/002149.html

-- 
best regards,
Lukasz Wasikowski

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 12 20:56:26 2014
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4EE82CAD for ; Sat, 12 Jul 2014 20:56:26 +0000 (UTC)
Received: from mail-ig0-x232.google.com (mail-ig0-x232.google.com [IPv6:2607:f8b0:4001:c05::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 16CB622E9 for ; Sat, 12 Jul 2014 20:56:26 +0000 (UTC)
Received: by mail-ig0-f178.google.com with SMTP id uq10so563595igb.11 for ; Sat, 12 Jul 2014 13:56:25 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.42.216.143 with SMTP id hi15mr12646206icb.12.1405198585331; Sat, 12 Jul 2014 13:56:25 -0700 (PDT)
Received: by 10.43.59.6 with HTTP; Sat, 12 Jul 2014 13:56:25 -0700 (PDT)
In-Reply-To: <53C14BB9.3030602@a1poweruser.com>
References: <53BFE796.7020502@a1poweruser.com>
<53C08C74.6000805@a1poweruser.com> <53C14BB9.3030602@a1poweruser.com> Date: Sun, 13 Jul 2014 08:56:25 +1200 Message-ID: Subject: Re: vnet jail and ipfw/nat on host - keep-state problem? From: Peter Toth To: Fbsd8 Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18 Cc: Peter Ross , freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jul 2014 20:56:26 -0000 Unfortunately you don't even grasp what the meaning of the words like: shame, truth, childish or professional is - and that's the bottom line mate. On Sun, Jul 13, 2014 at 2:52 AM, Fbsd8 wrote: > Sham on you Peter Toth. > Slander and calling names about someone who does not agree with you is > childish and something I would expect from a 10 year old. > > This foolish post only shows how unprofessional your behavior is. > Sham on you. > > Every thing stated by me is the truth and verified by the outstanding > pr's. If you can't trust the PR system as credible, then what can you trust. > > I don't disagree that you may have a working vnet/vimage configuration > running on your hobby host system or that your foolishly exposing your > hobby host system to public network attack and host system takeover. There > is a very big difference between software that does not crash when started > and software that performs within its design parameters. I think just > because your configuration does not crash means to you its working as > expected. This is foolish in light of all the negative warnings about > vimage. > > vimage is experimental and nothing you say can change that fact. Readers > don't believe me or Peter Toth and review the listed pr numbers and do your > own search of bugzilla on keyword vnet or vimage and make up your own mind. 
> > > Peter Toth wrote: > >> Dear Joe Barbish (alias fbsd8@a1poweruser.com > fbsd8@a1poweruser.com>), >> >> >> When you going to stop trolling the FreeBSD mailing list and spread >> disinformation? >> People come to this place to learn, share information, help out other >> folks and most importantly to have a constructive debate! (obviously some >> would rather divert this effort) >> >> The PR number's mentioned are mostly outdated from the 8.x and 9.x series >> - some of them are completely irrelevant (like ACPI) or for a i386 system. >> Beyond this I am categorically refusing to waste any energy and time on >> answering any trolling/diversion attempts by Joe Barbish. >> >> I am not going to burn time on dissecting each PR one-by-one but rather >> share my experience with VNET. >> >> Over the last year and a half have deployed numerous production systems >> based on amd64 10-RELEASE with VNET enabled and PF running on the host. >> Encountered 0 instability issues! Details on how to do this are here: >> http://iocage.readthedocs.org/en/latest/real-world.html >> >> As I mentioned before IPFW works in a jail and PF only works on the host. >> >> Back to the original issue though, Peter could you please share your IPFW >> config with me (maybe just send it directly to me), would be very >> interested to get it going in my lab setup and add a howto page to share >> this with others. >> >> Cheers, >> Peter >> >> >> On Sat, Jul 12, 2014 at 1:16 PM, Fbsd8 > fbsd8@a1poweruser.com>> wrote: >> >> Peter Toth wrote: >> >> On Sat, Jul 12, 2014 at 1:33 AM, Fbsd8 > > >> >__> wrote: >> >> Peter Toth wrote: >> >> Have not used natd with IPFW much as always preferred PF >> to do >> everything >> on the host. >> >> I have only a wild guess - the "me" keyword in IPFW is >> substituted only to >> the host's IPs known to itself. >> The host's IPFW firewall most likely doesn't know >> anything about IPs >> assigned to vnet interfaces inside the jail. 
>> >> Vnet jails behave more like separate physical hosts. >> >> Internet ---> [host] ------- (10.0.10.0 LAN) ------> >> [vnet jail] >> >> The PF issue inside a jail is a separate problem, PF is >> not fully >> VIMAGE/VNET aware as far as I know. >> >> Can someone comment on these or correct me? >> >> P >> >> >> >> On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross >> > > >> >> >> >> wrote: >> >> On Thu, 10 Jul 2014, Peter Toth wrote: >> >> Hi Peter, >> >> Try to make these changes: >> >> net.inet.ip.forwarding=1 # Enable IP >> forwarding >> between interfaces >> net.link.bridge.pfil_onlyip=0 # Only pass IP >> packets >> when pfil is enabled >> net.link.bridge.pfil_bridge=0 # Packet filter >> on the >> bridge interface >> net.link.bridge.pfil_member=0 # Packet filter >> on the >> member interface >> >> You can find some info >> here >> http://iocage.readthedocs.org/ >> ____en/latest/help-no-internet.____html >> > internet.__html> >> >> > org/en/latest/help-no-__internet.html >> >> > >> >> I've had these issues before with PF and IPFW, by >> default these will be >> filtering on your bridge and member interfaces. >> >> Thanks. It did not change anything. >> >> Now, inside_ the jail I run "ipfw allow ip from any >> to any". >> >> This on the host system: >> >> 01000 check-state >> 01100 allow tcp from any to any established >> 01200 allow ip from any to any frag >> 00100 divert 8668 ip4 from any to any via age0 >> 03100 allow udp from any to 10.0.10.1 dst-port 53 >> keep-state >> 03200 allow udp from any to me dst-port 53 keep-state >> >> (with natd redirecting "redirect_port udp >> 10.0.10.1:53 >> external.ip:53") >> >> >> If I add >> >> 03300 allow udp from me 53 to any >> >> it works.. >> >> So it makes me think check-state isn't usable - >> because >> >> 03200 allow udp from any to me dst-port 53 keep-state >> >> should cover the returning packets. >> >> I played with your parameters but it did not help. But >> thanks for the idea. 
>> >> Here again the setup: >> >> Internet->age0(host interface with natd and external >> IP) >> ->bridge10(10.0.10.254)->____epair1a >> >> >> ->epair1b(10.0.10.1 in bind vnet jail) >> >> I wonder what kind of restrictions exist with vnet.. >> it does >> not seem to >> work _exactly_ as a "real" network stack (the issues >> with pf >> inside the >> jail let me think of it too) >> >> Did I find a restriction, a bug - or just that I've >> got it >> wrong? >> >> Regards >> Peter >> >> >> Any firewall function that runs in the kernel will not >> function >> inside of a vnet/vimage jail. >> >> >> >> This sounds a bit vague, can you please explain in more detail >> what you meant by this? >> >> IPFW works inside a vnet jail - You can manage per jail firewall >> instances without any issues. >> >> The only firewall which cannot function inside a jail (yet) is PF. >> >> P >> >> >> >> You are incorrect. >> Here is a list of some of the vnet/vimage outstanding PR's >> >> 143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, >> 165252, 176112, 176929, 178480, 178482, 179264, 182350, 185092, >> 188010, 191468 >> >> >> >> >> >> >> >> > > From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 02:08:55 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CB4D6B09 for ; Sun, 13 Jul 2014 02:08:55 +0000 (UTC) Received: from wonkity.com (wonkity.com [67.158.26.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "wonkity.com", Issuer "wonkity.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 7162627E7 for ; Sun, 13 Jul 2014 02:08:55 +0000 (UTC) Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.9/8.14.9) with ESMTP id s6D28q6v011238 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 
verify=NO) for ; Sat, 12 Jul 2014 20:08:52 -0600 (MDT) (envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost) by wonkity.com (8.14.9/8.14.9/Submit) with ESMTP id s6D28qff011235 for ; Sat, 12 Jul 2014 20:08:52 -0600 (MDT) (envelope-from wblock@wonkity.com)
Date: Sat, 12 Jul 2014 20:08:52 -0600 (MDT)
From: Warren Block
To: freebsd-jail@FreeBSD.org
Subject: mergemaster and better support for ezjails
Message-ID:
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="3512871622-143809998-1405217332=:50320"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Sat, 12 Jul 2014 20:08:52 -0600 (MDT)
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sun, 13 Jul 2014 02:08:55 -0000

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools.

--3512871622-143809998-1405217332=:50320
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

A couple of patches to make mergemaster work better with ezjails.

These are only very superficially tested. Feedback welcome.

1. If /etc/mergemaster.rc exists in the jail, it is sourced. This allows IGNORE_FILES to be set in the jail. And other settings, but that's the one I wanted.

2. If /etc/localtime in the jail is a plain file, as when tzsetup has been run in the jail, tzsetup reinstalls the same file. It will come from the host, but at first glance this does not seem to be a problem, seeing that jails should be updated after the host has been updated.

Because /usr/share/zoneinfo does not exist in the jail, I did not see a clean way to use tzsetup -C.
A link could be created to the basejail's /usr/share/zoneinfo, then deleted after tzsetup -C has run, or maybe there is a better way.

--3512871622-143809998-1405217332=:50320
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=mergemaster-ezjail.diff
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:
Content-Disposition: attachment; filename=mergemaster-ezjail.diff

--3512871622-143809998-1405217332=:50320--

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 02:55:09 2014
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by
hub.freebsd.org (Postfix) with ESMTPS id D2FF5DEE for ; Sun, 13 Jul 2014 02:55:09 +0000 (UTC)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6CC102B08 for ; Sun, 13 Jul 2014 02:55:09 +0000 (UTC)
Received: by mail-we0-f174.google.com with SMTP id x48so909181wes.19 for ; Sat, 12 Jul 2014 19:55:07 -0700 (PDT)
X-Received: by 10.180.19.40 with SMTP id b8mr15387010wie.77.1405220107675; Sat, 12 Jul 2014 19:55:07 -0700 (PDT)
Received: from dft-labs.eu (n1x0n-1-pt.tunnel.tserv5.lon1.ipv6.he.net.
[2001:470:1f08:1f7::2]) by mx.google.com with ESMTPSA id wu6sm15543645wjb.46.2014.07.12.19.55.06 for (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Sat, 12 Jul 2014 19:55:06 -0700 (PDT)
Date: Sun, 13 Jul 2014 04:55:04 +0200
From: Mateusz Guzik
To: Warren Block
Subject: Re: mergemaster and better support for ezjails
Message-ID: <20140713025504.GB16884@dft-labs.eu>
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-jail@FreeBSD.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sun, 13 Jul 2014 02:55:09 -0000

On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote:
> A couple of patches to make mergemaster work better with ezjails.
>
> These are only very superficially tested. Feedback welcome.
>
> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This
> allows IGNORE_FILES to be set in the jail. And other settings, but
> that's the one I wanted.
>

How exactly does it work?

Is jailed root allowed to create /etc/mergemaster.rc?

If so, that would be a jail escape vector - an attacker puts commands they want to execute inside and mergemaster sourcing the file will trigger executing them.

In fact running mergemaster from "outside" on an untrusted jail seems like a security weakness even without jailed-root controlled rc file since they can try to do something fishy with symlinks which now resolve to stuff on the host.

The following should be safe enough:
- have a dedicated RO jail
- mount to-be-updated jail under /mnt/jail or whatever
- mount sources/whatever RO under /usr/src or whatever
- run update process from inside dedicated RO jail

-- 
Mateusz Guzik

From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 03:24:38 2014
Return-Path:
Delivered-To: freebsd-jail@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 1CEAD1CA for ; Sun, 13 Jul 2014 03:24:38 +0000 (UTC)
Received: from wonkity.com (wonkity.com [67.158.26.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "wonkity.com", Issuer "wonkity.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C33332DC6 for ; Sun, 13 Jul 2014 03:24:37 +0000 (UTC)
Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.9/8.14.9) with ESMTP id s6D3OZQR029164 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 12 Jul 2014 21:24:35 -0600 (MDT) (envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost) by wonkity.com (8.14.9/8.14.9/Submit) with ESMTP id s6D3OZw9029161; Sat, 12 Jul 2014 21:24:35 -0600 (MDT) (envelope-from wblock@wonkity.com)
Date: Sat, 12 Jul 2014 21:24:35 -0600 (MDT)
From: Warren Block
To: Mateusz Guzik
Subject: Re: mergemaster and better support for ezjails
In-Reply-To: <20140713025504.GB16884@dft-labs.eu>
Message-ID:
References: <20140713025504.GB16884@dft-labs.eu>
User-Agent: Alpine 2.11 (BSF 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Sat, 12 Jul 2014 21:24:35 -0600 (MDT)
Cc: freebsd-jail@FreeBSD.org
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sun, 13 Jul 2014 03:24:38 -0000

On Sun, 13 Jul 2014, Mateusz Guzik wrote:

> On Sat, Jul 12, 2014 at 08:08:52PM -0600, Warren Block wrote:
>> A couple of patches to make mergemaster work better with ezjails.
>>
>> These are only very superficially tested. Feedback welcome.
>>
>> 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This
>> allows IGNORE_FILES to be set in the jail. And other settings, but
>> that's the one I wanted.
>>
>
> How exactly does it work?
>
> Is jailed root allowed to create /etc/mergemaster.rc?

Yes. Or at least I don't know of anything preventing that.

> If so, that would be a jail escape vector - an attacker puts commands they
> want to execute inside and mergemaster sourcing the file will trigger
> executing them.

Ouch. Seems obvious now that you mention it. Probably mergemaster.rc should have a defined format rather than being sourced anyway.

Another way to implement ignored files would be to extend the definitions in (the host's) /etc/mergemaster.rc to include ignored files by jail name or full path. Full paths do not work presently because IGNORE_FILES just deletes the temporary file so it is not compared.

> In fact running mergemaster from "outside" on an untrusted jail seems
> like a security weakness even without jailed-root controlled rc file
> since they can try to do something fishy with symlinks which now resolve
> to stuff on the host.
>
> The following should be safe enough:
> - have a dedicated RO jail
> - mount to-be-updated jail under /mnt/jail or whatever
> - mount sources/whatever RO under /usr/src or whatever
> - run update process from inside dedicated RO jail

Thank you!
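The reply above suggests that mergemaster.rc "should have a defined format rather than being sourced". The sketch below is an added example, not code from the thread or from mergemaster: it reads a jail's rc file as KEY=value data against a one-entry allowlist, beside the sourcing form, using a constructed sample file. The function names, the CFG_* variables and the allowlist are assumptions of the example.

```shell
#!/bin/sh
# Added illustration: sourcing a jail-writable rc file versus parsing it.
# Function names, CFG_* variables and the allowlist are assumptions made
# for this sketch; none of this is mergemaster's own code.

# Constructed sample: what root inside the jail could leave in
# <jail>/etc/mergemaster.rc. The last line is a harmless stand-in for
# injected commands; it only creates a marker file.
make_sample_rc() {
    jail_root=$1
    mkdir -p "$jail_root/etc"
    cat > "$jail_root/etc/mergemaster.rc" <<EOF
# settings for this jail
IGNORE_FILES='/etc/motd /etc/hosts'
touch "$jail_root/ran-on-host"
EOF
}

# Sourcing form: the file runs as shell code with the privileges of
# whoever runs the update. (The subshell only keeps this demo from
# changing the calling shell.)
load_rc_by_sourcing() {
    ( . "$1" ) >/dev/null 2>&1
}

reject_line() {
    CFG_REJECTED=$((CFG_REJECTED + 1))
}

# Defined-format reader: KEY=value lines only, nothing is evaluated.
# Sets CFG_IGNORE_FILES and CFG_REJECTED. Returns 0 if every non-comment
# line was accepted, 1 if any was rejected, 2 if the path is unusable.
load_rc_parsed() {
    rc_file=$1
    CFG_IGNORE_FILES=
    CFG_REJECTED=0
    # Refuse a symlink as the final path component. Symlinked parent
    # directories are not covered here; the dedicated read-only jail
    # described in the thread is what addresses those.
    if [ -L "$rc_file" ] || [ ! -f "$rc_file" ]; then
        return 2
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '' | '#'*) continue ;;          # blank line or comment
        esac
        key=${line%%=*}
        value=${line#*=}
        if [ "$key" = "$line" ]; then       # no '=' on the line
            reject_line; continue
        fi
        case $value in                      # drop one pair of quotes
            \'*\') value=${value#\'}; value=${value%\'} ;;
            \"*\") value=${value#\"}; value=${value%\"} ;;
        esac
        # Accept only characters of a plain path list, so the value stays
        # inert even if later code expands it unquoted.
        leftover=$(printf '%s' "$value" | tr -d 'A-Za-z0-9_./ -')
        if [ -n "$leftover" ]; then
            reject_line; continue
        fi
        case $key in
            IGNORE_FILES) CFG_IGNORE_FILES=$value ;;
            *) reject_line ;;
        esac
    done < "$rc_file"
    [ "$CFG_REJECTED" -eq 0 ]
}

marker_state() {
    [ -e "$1/ran-on-host" ] && echo yes || echo no
}

demo() {
    root=$(mktemp -d) || return 1
    make_sample_rc "$root"
    load_rc_parsed "$root/etc/mergemaster.rc" || :
    echo "parsed:  IGNORE_FILES='$CFG_IGNORE_FILES' rejected=$CFG_REJECTED marker=$(marker_state "$root")"
    load_rc_by_sourcing "$root/etc/mergemaster.rc"
    echo "sourced: marker=$(marker_state "$root")"
    rm -rf "$root"
}

demo
```

The parsed read keeps the IGNORE_FILES setting and counts the command line as rejected; only the sourced read creates the marker file.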
From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 05:37:48 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AAD24833 for ; Sun, 13 Jul 2014 05:37:48 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E0D7425D8 for ; Sun, 13 Jul 2014 05:37:46 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s6D5bfRT059556; Sun, 13 Jul 2014 15:37:41 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 13 Jul 2014 15:37:41 +1000 (EST) From: Ian Smith To: Warren Block Subject: Re: mergemaster and better support for ezjails In-Reply-To: Message-ID: <20140713152442.K50382@sola.nimnet.asn.au> References: MIME-Version: 1.0 Content-Type: MULTIPART/Mixed; BOUNDARY="3512871622-143809998-1405217332=:50320" Content-ID: <20140713152442.U50382@sola.nimnet.asn.au> Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 05:37:48 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --3512871622-143809998-1405217332=:50320 Content-Type: TEXT/PLAIN; FORMAT=flowed; CHARSET=US-ASCII Content-ID: <20140713152442.M50382@sola.nimnet.asn.au> On Sat, 12 Jul 2014 20:08:52 -0600, Warren Block wrote: > A couple of patches to make mergemaster work better with ezjails. > > These are only very superficially tested. Feedback welcome. > > 1. 
If /etc/mergemaster.rc exists in the jail, it is sourced. This > allows IGNORE_FILES to be set in the jail. And other settings, but > that's the one I wanted. # Read /etc/mergemaster.rc first so the one in $HOME can override # if [ -r /etc/mergemaster.rc ]; then - . /etc/mergemaster.rc + . "${DESTDIR}/etc/mergemaster.rc" fi # Read .mergemasterrc before command line so CLI can override # if [ -r "$HOME/.mergemasterrc" ]; then - . "$HOME/.mergemasterrc" + . "${DESTDIR}/$HOME/.mergemasterrc" fi Maybe a dumb question, but .. In both cases, don't we need to test the readability of those files with ${DESTDIR} prepended, rather than the originals, before sourcing them? Or can we here safely assume that they will exist? Or doesn't it matter? cheers, Ian --3512871622-143809998-1405217332=:50320 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME=mergemaster-ezjail.diff Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: ATTACHMENT; FILENAME=mergemaster-ezjail.diff
bnN0YWxsaW5nIGBjYXQgJHtERVNURElSfS92YXIvZGIvem9uZWluZm9gIGFz ICR7REVTVERJUn0vZXRjL2xvY2FsdGltZSINCisgICAgICB0enNldHVwICR0 enNfYXJncw0KKyAgICBmaQ0KICAgZWxzZQ0KICAgICBlY2hvICIqKiogVGhl cmUgaXMgbm8gJHtERVNURElSfS92YXIvZGIvem9uZWluZm8gZmlsZSB0byB1 cGRhdGUgJHtERVNURElSfS9ldGMvbG9jYWx0aW1lLiINCiAgICAgZWNobyAn ICAgIFlvdSBzaG91bGQgcnVuIHR6c2V0dXAnDQo= --3512871622-143809998-1405217332=:50320-- From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 06:26:25 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D31B3DC9 for ; Sun, 13 Jul 2014 06:26:25 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3C07E28C7 for ; Sun, 13 Jul 2014 06:26:24 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s6D6QFMP061296; Sun, 13 Jul 2014 16:26:15 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 13 Jul 2014 16:26:15 +1000 (EST) From: Ian Smith To: Peter Toth Subject: Re: securelevel in VNET jails using ipfw(8) In-Reply-To: Message-ID: <20140713161302.M50382@sola.nimnet.asn.au> References: <20140713014641.J50382@sola.nimnet.asn.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 06:26:25 -0000 On Sun, 13 Jul 2014 07:42:42 +1200, Peter Toth wrote: > Hi Ian, > > This is for the jail's securelevel option. 
If you set it to the highest > number 3 it will fail to load IPFW rules in a jail during startup. > > Snip from "man securelevel": > Network secure mode - same as highly secure mode, plus IP packet > filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be > changed and dummynet(4) or pf(4) configuration cannot be adjusted. > > Cheers, > Peter I understood why 3 wouldn't work. What I hadn't realised was that you were defaulting iocage jails to securelevel 3, which just shows that I hadn't read the manual :) ezjail has tests for securelevel > 0 re installing or updating, but I assumed that to refer to the host's securelevel. Thanks, Ian > On Sun, Jul 13, 2014 at 4:08 AM, Ian Smith wrote: > > > Hi Peter, > > > > from your FAQ at http://iocage.readthedocs.org/en/latest/faq.html > > > > "If you plan on using IPFW inside a jail make sure securelevel is set to 2" > > > > Unless this is also a FAQ you can point me to, can you explain why this > > is needed? Reading security(7) leaves me unclear on how securelevels > > apply in a jail, or what it may be about ipfw(8) particularly that could > > compromise jail (or host?) security, that other services could not? 
> > > > cheers, Ian From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 09:45:45 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A75B6373 for ; Sun, 13 Jul 2014 09:45:45 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E2437264C for ; Sun, 13 Jul 2014 09:45:44 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s6D9jUKi067830; Sun, 13 Jul 2014 19:45:32 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 13 Jul 2014 19:45:30 +1000 (EST) From: Ian Smith To: Peter Ross Subject: Re: vnet jail and ipfw/nat on host - keep-state problem? In-Reply-To: Message-ID: <20140713185006.S50382@sola.nimnet.asn.au> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 09:45:45 -0000 Hi Peter, going back to your second message .. On Wed, 9 Jul 2014 16:24:27 +1000, Peter Ross wrote: > P.S. I also have the following rules near the top: > > 01000 check-state > 01100 allow tcp from any to any established For one thing, if you are running named as an authoritative nameserver in the jail, you'll also need to forward tcp port 53 traffic as well, as that's what's needed for zone updates to/from secondary NS. So you may need to separate tcp port 53 traffic from other host traffic too. 
And often, if setting state for your tcp rules as well, you rather want to _deny_ established traffic, but it does depend on your mix of rules. > 01200 allow ip from any to any frag Indeed. > Peter > > On Wed, 9 Jul 2014, Peter Ross wrote: > > > Hi all, > > > > I am setting up a host with vnet jails without a public IP. > > > > E.g. a vnet jail with a DNS server (bind) running inside. > > > > The setup: > > > > Internet->age0(host interface with natd and external IP) > > ->bridge10(10.0.10.254)->epair1a > > ->epair1b(10.0.10.1 in bind vnet jail) > > > > Inside the jail I have a simple open ipfw firewall > > (ipfw allow ip4 from any to any) > > > > Here the rules relevant to let UDP port 53 connect from the outside world > > (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53") > > > > 00100 divert 8668 ip4 from any to any via age0 > > 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state > > 03200 allow udp from any to me dst-port 53 keep-state > > > > This does not allow DNS requests from the outside, they only get returned > > by adding > > > > 03300 allow udp from me 53 to any It's not quite clear which addresses are where; could you show ifconfig for the host interfaces, including bridge and epair, obscuring public IP/s as necessary? 'me' on the host refers to any address configured on any of the host's interfaces, so might be a bit broad; more explicit rule/s might reveal this problem better? Personally I don't use stateful rules for DNS at all, and I'm pretty careful if ever I use 'in keep-state' at all. Hmm, maybe rule 3100 should be qualified with 'in', or you may be inflicting a double-state situation? Use 'ipfw -ted show' to examine dynamic rules incl. expired. > > I am pretty confident that the rules above work with "real interfaces". I > > have similar routers with ipfw/natd, there things are even more limited by > > interface rules (recv/xmit). 
> > > > Does this mean, "keep-state" are not working properly in the mentioned vnet > > setup? Not sure, but if it were me I'd add 'log' to all relevant rules and make sure net.inet.ip.fw.verbose_limit is set to something sensible, like the default of 100, in order to actually outline your flows. It might be helpful to temporarily log packets to and from the jail also, assuming that logging to jail's /etc/security is working properly these days? (verbose_limit reminds me of another of Joe B's silly recommendations in the IPFW Handbook section that I promised Warren I'd help clean up ..) cheers, Ian From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 16:17:04 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 842ABEC4 for ; Sun, 13 Jul 2014 16:17:04 +0000 (UTC) Received: from wonkity.com (wonkity.com [67.158.26.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "wonkity.com", Issuer "wonkity.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 31611234D for ; Sun, 13 Jul 2014 16:17:04 +0000 (UTC) Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.9/8.14.9) with ESMTP id s6DGGxfo010229 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 13 Jul 2014 10:16:59 -0600 (MDT) (envelope-from wblock@wonkity.com) Received: from localhost (wblock@localhost) by wonkity.com (8.14.9/8.14.9/Submit) with ESMTP id s6DGGwn0010222; Sun, 13 Jul 2014 10:16:59 -0600 (MDT) (envelope-from wblock@wonkity.com) Date: Sun, 13 Jul 2014 10:16:58 -0600 (MDT) From: Warren Block To: Ian Smith Subject: Re: mergemaster and better support for ezjails In-Reply-To: <20140713152442.K50382@sola.nimnet.asn.au> Message-ID: References: <20140713152442.K50382@sola.nimnet.asn.au> User-Agent: Alpine 2.11 (BSF 23 
2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Sun, 13 Jul 2014 10:16:59 -0600 (MDT) Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 16:17:04 -0000 On Sun, 13 Jul 2014, Ian Smith wrote: > On Sat, 12 Jul 2014 20:08:52 -0600, Warren Block wrote: >> A couple of patches to make mergemaster work better with ezjails. >> > These are only very superficially tested. Feedback welcome. >> > 1. If /etc/mergemaster.rc exists in the jail, it is sourced. This >> allows IGNORE_FILES to be set in the jail. And other settings, but >> that's the one I wanted. > > # Read /etc/mergemaster.rc first so the one in $HOME can override > # > if [ -r /etc/mergemaster.rc ]; then > - . /etc/mergemaster.rc > + . "${DESTDIR}/etc/mergemaster.rc" > fi > > # Read .mergemasterrc before command line so CLI can override > # > if [ -r "$HOME/.mergemasterrc" ]; then > - . "$HOME/.mergemasterrc" > + . "${DESTDIR}/$HOME/.mergemasterrc" > fi > > Maybe a dumb question, but .. > > In both cases, don't we need to test the readability of those files with > ${DESTDIR} prepended, rather than the originals, before sourcing them? Or > can we here safely assume that they will exist? Or doesn't it matter? Yes, you are right, but it doesn't matter because as Mateusz Guzik points out, it's not safe to source those files from a jail. 
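Review bot: in both conditionals the "[ -r ... ]" test still checks the un-prefixed path (/etc/mergemaster.rc, "$HOME/.mergemasterrc") while the "." line reads the ${DESTDIR}-prefixed one, so the file that is tested is not the file that is sourced. When DESTDIR is set, "." can be handed a path that was never checked, and a copy under ${DESTDIR} is skipped whenever the un-prefixed file is absent. The test and the "." line should name the same path, for example: if [ -r "${DESTDIR}/etc/mergemaster.rc" ]; then. Separately, "." runs everything in the file inside the mergemaster process, so pointing it at a file under a jail's tree lets whoever controls that tree run commands with mergemaster's privileges on the host; if IGNORE_FILES is the only setting wanted from the jail, read that one value instead of sourcing the file.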
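The thread ends on the point that a jail's mergemaster.rc cannot safely be sourced, while the stated goal was only to let the jail set IGNORE_FILES. The following is an added example, not part of the thread and not mergemaster code: it reads that one setting as data instead of executing the file. The function names, the return codes and the accepted character set are assumptions.

```shell
#!/bin/sh
# Added example, not mergemaster code: read IGNORE_FILES from a jail's
# /etc/mergemaster.rc as data. The jail's file is never passed to '.' or
# eval, so shell code placed in it by the jail's root does not run.

# read_jail_ignore_files DESTDIR   (hypothetical helper name)
#   prints the value of the last IGNORE_FILES= line and returns 0
#   returns 1 if there is no regular readable file or no such line
#   returns 2 if a value holds anything except plain paths
read_jail_ignore_files() {
    _rc="${1%/}/etc/mergemaster.rc"
    # Test the same path that is read, and refuse a symlink as the file itself.
    if [ -L "$_rc" ] || [ ! -f "$_rc" ] || [ ! -r "$_rc" ]; then
        return 1
    fi
    _value=""
    _found=1
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            IGNORE_FILES=*) _v=${_line#IGNORE_FILES=} ;;
            *) continue ;;      # every other line is skipped, never executed
        esac
        # Strip one pair of surrounding quotes.
        case "$_v" in
            \"*\") _v=${_v#\"}; _v=${_v%\"} ;;
            \'*\') _v=${_v#\'}; _v=${_v%\'} ;;
        esac
        # Allow only letters, digits, '/', '.', '_', '-' and spaces. Anything
        # left after deleting those ($, backquote, ';', '*', ...) is refused.
        _rest=$(printf '%s' "$_v" | LC_ALL=C tr -d 'A-Za-z0-9/._ -')
        [ -z "$_rest" ] || return 2
        # Refuse ".." components so no entry can climb out of a tree.
        _probe=$(printf '%s' "$_v" | tr ' ' '/')
        case "/$_probe/" in
            */../*) return 2 ;;
        esac
        _value=$_v
        _found=0
    done < "$_rc"
    [ "$_found" -eq 0 ] || return 1
    printf '%s\n' "$_value"
}

# Constructed demo: a throwaway "jail" tree whose rc file mixes the wanted
# setting with a command line that sourcing would have executed.
demo_constructed_jail() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/etc"
    printf 'touch %s/ran\nIGNORE_FILES="/etc/motd /etc/hosts"\n' "$_d" \
        > "$_d/etc/mergemaster.rc"
    read_jail_ignore_files "$_d"
    _status=$?
    [ ! -e "$_d/ran" ] || _status=3    # the touch line must not have run
    rm -rf "$_d"
    return "$_status"
}

demo_constructed_jail    # prints: /etc/motd /etc/hosts
```

A value built from another variable, such as IGNORE_FILES="$IGNORE_FILES /etc/foo", is refused with status 2 because expanding it would require evaluating the jail's text.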
From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 16:27:44 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7EB2636E for ; Sun, 13 Jul 2014 16:27:44 +0000 (UTC) Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 1820C2409 for ; Sun, 13 Jul 2014 16:27:43 +0000 (UTC) Received: by mail-wi0-f174.google.com with SMTP id d1so1440762wiv.1 for ; Sun, 13 Jul 2014 09:27:42 -0700 (PDT) X-Received: by 10.180.39.33 with SMTP id m1mr18936649wik.82.1405268862295; Sun, 13 Jul 2014 09:27:42 -0700 (PDT) Received: from botmachine (muszelka.nat.student.pw.edu.pl. 
[194.29.137.5]) by mx.google.com with ESMTPSA id cz4sm20433419wib.23.2014.07.13.09.27.40 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 13 Jul 2014 09:27:41 -0700 (PDT) From: "Marcin Michta" To: "'Fbsd8'" , "'wishmaster'" Subject: Re: Re: Jail vnet features Date: Sun, 13 Jul 2014 18:30:04 +0200 Message-ID: <001801cf9eb7$b4eeb3e0$1ecc1ba0$@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 14.0 Thread-Index: Ac+et40IFCA8Z/yPR46XsOfWoxPFqg== Content-Language: pl Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 16:27:44 -0000 > >wishmaster wrote: >> >> >> --- Original message --- >> From: "Fbsd8" >> Date: 11 July 2014, 16:49:08 >> >> >> >>> Marcin Michta wrote: >>>> Hello, >>>> >>>> >>>> >>>> I want to ask what are advantages and disadvantages using VNET? >>>> >>>> I know that it allows each jail to have a private networking stack, >>>> but what else? >>>> >>>> >>>> >>>> Regards >>>> >>>> Marthin >>>> >>> Its experimental, it has many bugs posted in PR system, loses memory >>> every time a vnet jail is stopped, firewalls in vnet jail don't work, >>> other that these show stoppers, use at your own risk. >> >> Hey, man. Stop panic! >> >> Firewall works very well. Memory leak on shutdown it is not very big problem. >> Main advantage for me is: I am able to filtering and prioritization traffic coming thought base system. My vnete'ed jails is like a regular LAN clients and they share INET pipe with appropriate weight. I use ipfw. >> > > >Oh ya, host panic on boot is another common happing with vimage and firewall ipf and pf trying to run inside of a vnet jail and on the host at the same time. 
> >Many people DO consider any kind of memory leak in kernel software such as vimage is a really big show stopper for not using it in a production system. > >If you read a little bit closer the previous post you will see it's talking about firewall running inside of a vnet/vimage jail. It doesn't > say anything about running a host firewall directing traffic to a ip number assigned to a vnet jail. > >Here is a list of some of the vnet outstanding PR's > >143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252, 176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468 > >vnet/vimage is experimental and should never be used in a production system and be exposed to the public network. It is not a secure software configuration. Sure you can disregard all warnings and common sense and risk >your host system, thats your choice. I didn't know about these problems I'll check these PR Thanks for help for you all :) Regards Marthin
From owner-freebsd-jail@FreeBSD.ORG Sun Jul 13 23:02:38 2014 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3CFB9EA1 for ; Sun, 13 Jul 2014 23:02:38 +0000 (UTC) Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0B9722143 for ; Sun, 13 Jul 2014 23:02:37 +0000 (UTC) Received: by mail-ig0-f170.google.com with SMTP id h3so1138951igd.3 for ; Sun, 13 Jul 2014 16:02:36 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.50.112.136 with SMTP id iq8mr20373603igb.38.1405292556039; Sun, 13 Jul 2014 16:02:36 -0700 (PDT) Received: by 10.43.59.6 with HTTP; Sun, 13 Jul 2014 16:02:35 -0700 (PDT) In-Reply-To: <001801cf9eb7$b4eeb3e0$1ecc1ba0$@gmail.com> References: <001801cf9eb7$b4eeb3e0$1ecc1ba0$@gmail.com> Date: Mon, 14 Jul 2014 11:02:35 +1200 Message-ID: Subject: Re: Re: Jail vnet features From: Peter Toth To: Marcin Michta Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18 Cc: freebsd-jail@freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 13 Jul 2014 23:02:38 -0000 On Mon, Jul 14, 2014 at 4:30 AM, Marcin Michta wrote: > > > >wishmaster wrote: > >> > >> > >> --- Original message --- > >> From: "Fbsd8" > >> Date: 11 July 2014, 16:49:08 > >> > >> > >> > >>> Marcin Michta wrote: > >>>> Hello, > >>>> > >>>> > >>>> > >>>> I want to ask what are advantages and disadvantages using VNET? 
> >>>> > >>>> I know that it allows each jail to have a private networking stack, > >>>> but what else? > >>>> > >>>> > >>>> > >>>> Regards > >>>> > >>>> Marthin > >>>> > >>> Its experimental, it has many bugs posted in PR system, loses memory > >>> every time a vnet jail is stopped, firewalls in vnet jail don't work, > >>> other that these show stoppers, use at your own risk. > >> > >> Hey, man. Stop panic! > >> > >> Firewall works very well. 
Memory leak on shutdown it is not very big > problem. > >> Main advantage for me is: I am able to filtering and prioritization > traffic coming thought base system. My vnete'ed jails is like a regular LAN > clients and they share INET pipe with appropriate weight. I use ipfw. > >> > > > > > >Oh ya, host panic on boot is another common happing with vimage and > firewall ipf and pf trying to run inside of a vnet jail and on the host at > the same time. > > > >Many people DO consider any kind of memory leak in kernel software such > as vimage is a really big show stopper for not using it in a production > system. > > > >If you read a little bit closer the previous post you will see it's > talking about firewall running inside of a vnet/vimage jail. It doesn't > > say anything about running a host firewall directing traffic to a ip > number assigned to a vnet jail. > > > >Here is a list of some of the vnet outstanding PR's > > > >143808, 147950, 148155, 152148, 160496, 160541, 161094, 164763, 165252, > 176112, 176929, 178480, 178482, 179264, 182350, 185092, 188010, 191468 > > > >vnet/vimage is experimental and should never be used in a production > system and be exposed to the public network. It is not a secure software > configuration. Sure you can disregard all warnings and common sense and > risk >your host system, thats your choice. > > I didn't know about these problems > I'll check these PR > Thanks for help for you all :) > > Regards > Marthin > >
The majority of those PR's were raised for 8.x and 9.x and on top of that not even for production releases but RC, BETA and PRERELEASE. Some of those were resolved already and some are completely irrelevant. The vast majority refers to PF inside a jail, which is a known issue anyway (just avoid it). 
You can run IPFW inside a jail however and PF on the host itself all at the same time given that you use 10-RELEASE (preferably amd64). If you want to test drive VNET here are a few hints to avoid problems: 1. Don't try to enable PF inside the jail 2. Only add a wired and epair interfaces into a bridge - avoid wireless (might trigger a crash) 3. Don't use ALTQ - as far as I know ALTQ is not supported with VNET anyway yet 4. Use the GENERIC kernel configuration and just add options "VIMAGE" And just for amusement, two of those completely irrelevant PR's, not even VNET related listed previously: 188010 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188010 (ACPI and BTW: Status: Issue Resolved FIXED) 176929 - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=176929 (gnome-speech and Issue Resolved FIXED) Not going to dissect the other remaining PR's - as I mentioned above mostly outdated except the ones related to PF inside a jail and a memory leak which is not a showstopper and can be avoided. Also on another note, I constantly bump into alarmist and misinformation emails related to VNET by a certain individual. Telling folks off and actively deterring them from even trying to test drive VNET jails. This is not doing any favor to the community - VNET is one of the exciting features (like Crossbow in Illumos) people want to see mature. Actively deterring these efforts is definitely not going to help and has a very negative impact! As for the advantages, a VNET enabled jail will provide much better isolation (own network stack) and control than a shared IP based jail setup where the local traffic might be exposed across jails. Also VNET allows per jail IPFW firewall rules independent from the host's IPFW. With VNET you can build and simulate complex network setups I believe this was one of the main drives to create VIMAGE/VNET. 
Peter From owner-freebsd-jail@FreeBSD.ORG Tue Jul 15 09:06:53 2014 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ED863490 for ; Tue, 15 Jul 2014 09:06:53 +0000 (UTC) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D25152E8D for ; Tue, 15 Jul 2014 09:06:53 +0000 (UTC) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s6F96rrI081337 for ; Tue, 15 Jul 2014 09:06:53 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-jail@FreeBSD.org Subject: [Bug 191279] [qjail] jail allow.sysvipc & devfs.ruleset - doesn't work from rc.d script Date: Tue, 15 Jul 2014 09:06:54 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 9.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: dreamcat4@gmail.com X-Bugzilla-Status: Issue Resolved X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_status resolution short_desc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Jul 2014 09:06:54 
-0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191279

dreamcat4@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Triage                |Issue Resolved
         Resolution|---                         |FIXED
            Summary|[jail] jail allow.sysvipc - |[qjail] jail allow.sysvipc
                   |doesn't work until jail is  |& devfs.ruleset - doesn't
                   |started TWICE after reboot  |work from rc.d script

--- Comment #14 from dreamcat4@gmail.com ---
Joe has fixed in qjail 3.5. It's been committed.