From owner-freebsd-jail@FreeBSD.ORG Fri Mar 22 00:46:59 2013
Message-ID: <514BAA01.20402@FreeBSD.org>
Date: Thu, 21 Mar 2013 18:46:57 -0600
From: Jamie Gritton <jamie@FreeBSD.org>
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: Harald Schmalzbauer, freebsd-jail@FreeBSD.org, freebsd-stable@FreeBSD.org
Subject: Re: new jail(8) ignoring devfs_ruleset?
References: <511E61F5.1000805@omnilan.de> <511EC759.4060704@FreeBSD.org> <5121EC52.5040502@omnilan.de> <20130219212430.GA92116@felucia.tataz.chchile.org> <514B9EF6.3000607@quip.cz> <514BA14F.3090609@FreeBSD.org> <514BA3D9.5010901@quip.cz>
In-Reply-To: <514BA3D9.5010901@quip.cz>

On 03/21/13 18:20, Miroslav Lachman wrote:
> Jamie Gritton wrote:
>> On 03/21/13 17:59, Miroslav Lachman wrote:
>>> Jeremie Le Hen wrote:
>>>> On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote:
>>>>> Jamie Gritton wrote on 16.02.2013 00:40 (localtime):
>>>>>> On 02/15/13 09:27, Harald Schmalzbauer wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> like already posted, on 9.1-R, I highly appreciate the new jail(8)
>>>>>>> and jail.conf capabilities. Thanks for that extension!
>>>>>>>
>>>>>>> Accidentally I saw that "devfs_ruleset" seems to be ignored.
>>>>>>> If I list /dev/ I see all the host's disk devices etc.
>>>>>>> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
>>>>>>> Inside the jail,
>>>>>>> sysctl security.jail.devfs_ruleset returns "1".
>>>>>>> But like mentioned, I can access all devices...
>
> [...]
>
>>> I can confirm mentioned problem on my FreeBSD 9.1-RELEASE amd64 GENERIC
>>>
>>> I am now testing new jail.conf possibilities and I am seeing all devices
>>> in /dev in jail.
>>>
>>> Even if I set all this in my jail.conf
>>>
>>> exec.start = "/bin/sh /etc/rc";
>>> exec.stop = "/bin/sh /etc/rc.shutdown";
>>> exec.clean;
>>> mount.devfs;
>>> devfs_ruleset = 4;
>>> allow.set_hostname = false;
>>>
>>> path = "/vol0/jail/$name";
>>> exec.consolelog = "/var/log/jail/$name.console";
>>> mount.fstab = "/etc/fstab.$name";
>>>
>>> ## Jail bali
>>> bali {
>>>     host.hostname = "bali.XXXXXXX.YY";
>>>     ip4.addr = xx.xx.xx.xx;
>>>     devfs_ruleset = 4;
>>> }
>
> [...]
>
>>> Is it a problem in my understanding of manpage / configuration, or is it
>>> a bug in jail command on 9.1-RELEASE?
>>
>> It's a bug (deficiency) in the jail command.
>
> Is there a workaround or is it impossible to use jails with devfs on
> FreeBSD 9.1?
> Shouldn't it be mentioned in 9.1 errata?
>
> Is it fixed in stable/9?
>
> Thank you for your reply and your great work on new jails!

It's not fixed anywhere yet - it sometimes works in current, and sometimes
doesn't. I've been meaning to patch it up, but if the problem is what I
think it is, the patching up is a pretty big operation.

It doesn't mean you can't use jails with devfs in 9.1, just that you can't
use them with jail.conf. The old jail rc file that's all shell-based is
still the official jail startup method, and that one still works. So
existing systems will still work as expected, hence no errata.

- Jamie
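The thread turns on the fact that `devfs_ruleset = 4;` in jail.conf was accepted but not applied, so the only reliable evidence is what the jail can actually see in /dev. The following POSIX shell check is an added example, not code from the thread or from the FreeBSD project: it audits a jail's /dev listing against the device names the stock devfsrules_jail ruleset (4) is expected to leave visible. The allowlist regex is an assumption that approximates the default /etc/devfs.rules and should be edited to match a real host; the two device listings are constructed so the script runs offline, and the hypothetical `audit_running_jail` wrapper shows how to feed it a live jail via jexec(8).

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): audit what a jail can
# see in /dev against the names the stock devfsrules_jail ruleset (4) leaves
# visible.  On 9.1-RELEASE with jail.conf the ruleset was silently not
# applied, so a check like this catches that instead of trusting the config.

# Assumption: this allowlist approximates the basic set ruleset 4 unhides
# (log, null, zero, crypto, random, urandom, fd/*, std*, pts/*, ptyp*/ttyp*,
# bpf*).  Edit it to match your own /etc/devfs.rules.
ALLOWED_RE='^(log|null|zero|crypto|random|urandom|fd|fd/[0-9]+|stdin|stdout|stderr|pts|pts/[0-9]+|ptyp[0-9a-v]|ttyp[0-9a-v]|bpf[0-9]*)$'

# Print the device names in a listing that ruleset 4 should have hidden.
# $1: device names relative to /dev, one per line.  Always exits 0.
list_hidden_leaks() {
    printf '%s\n' "$1" | grep -v '^$' | grep -Ev "$ALLOWED_RE" || true
}

# Return 0 when the listing looks like a properly restricted jail /dev,
# 1 (with a report on stdout) when host devices are leaking through.
audit_jail_dev() {
    leaked=$(list_hidden_leaks "$1")
    if [ -n "$leaked" ]; then
        printf 'devfs ruleset NOT applied; visible but should be hidden:\n%s\n' "$leaked"
        return 1
    fi
    printf 'devfs ruleset applied: only expected device nodes visible\n'
    return 0
}

# Hypothetical wrapper for a running jail, by jid or name (FreeBSD only,
# not exercised here).  Usage: audit_running_jail bali
audit_running_jail() {
    audit_jail_dev "$(jexec "$1" find /dev -mindepth 1 | sed 's|^/dev/||')"
}

# Constructed sample: what a correctly restricted jail shows in /dev.
SAMPLE_JAIL_DEV='log
null
zero
crypto
random
urandom
fd
fd/0
stdin
stdout
stderr
pts
bpf0'

# Constructed sample: the symptom from the thread, with host disk and
# memory devices visible inside the jail.
SAMPLE_LEAKY_DEV="$SAMPLE_JAIL_DEV
ada0
ada0p2
mem
kmem
ugen0.1"

# Run both samples when executed directly.
audit_jail_dev "$SAMPLE_JAIL_DEV"
audit_jail_dev "$SAMPLE_LEAKY_DEV" || echo "audit exit status: $?"
```

Run it from a script or cron on the host after jails start; a non-zero exit from `audit_jail_dev` is the signal that the ruleset did not take effect, regardless of what `security.jail.devfs_ruleset` or jail.conf claims.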