From reddvinylene at gmail.com Fri Aug 1 08:17:55 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Fri Aug 1 08:18:02 2008
Subject: Multiple IPs
In-Reply-To:
References:
Message-ID:

Whooops,

# patch -p6 < bz_jail7-20080727-11-at146062.diff

Yeah that's more like it ;)

On Fri, Aug 1, 2008 at 10:05 AM, Redd Vinylene wrote:
> Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
> friendly support service ;)
>
> I'd just like to confirm, however, if this is how it's done?
>
> # cd /usr/src
> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
> # patch -p6 bz_jail7-20080727-11-at146062.diff
> # make buildworld
> # make buildkernel KERNCONF=GENERIC
> # make installworld
> # make installkernel KERNCONF=GENERIC
> # mergemaster -U
>
> Now to the jail part (this is exactly how I created the jail in the first place)
>
> # export D=/usr/jail/camel
> # mkdir -p $D
> # make world DESTDIR=$D
> # cd etc/
> # make distribution DESTDIR=$D
> # mount -t devfs devfs $D/dev
>
> Thank you all!
>
> Redd Vinylene
> http://www.home.no/reddvinylene
>

From reddvinylene at gmail.com Fri Aug 1 08:22:06 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Fri Aug 1 08:22:13 2008
Subject: Multiple IPs
In-Reply-To:
References:
Message-ID:

Also, under jail_X_ip in rc.conf, must I enter the IPs one by one or
can I specify an entire range?

Much obliged!

On Fri, Aug 1, 2008 at 10:17 AM, Redd Vinylene wrote:
> Whooops,
>
> # patch -p6 < bz_jail7-20080727-11-at146062.diff
>
> Yeah that's more like it ;)
>
> On Fri, Aug 1, 2008 at 10:05 AM, Redd Vinylene wrote:
>> Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
>> friendly support service ;)
>>
>> I'd just like to confirm, however, if this is how it's done?
>>
>> # cd /usr/src
>> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
>> # patch -p6 bz_jail7-20080727-11-at146062.diff
>> # make buildworld
>> # make buildkernel KERNCONF=GENERIC
>> # make installworld
>> # make installkernel KERNCONF=GENERIC
>> # mergemaster -U
>>
>> Now to the jail part (this is exactly how I created the jail in the first place)
>>
>> # export D=/usr/jail/camel
>> # mkdir -p $D
>> # make world DESTDIR=$D
>> # cd etc/
>> # make distribution DESTDIR=$D
>> # mount -t devfs devfs $D/dev
>>
>> Thank you all!
>>
>> Redd Vinylene
>> http://www.home.no/reddvinylene
>>
>

From reddvinylene at gmail.com Fri Aug 1 08:30:09 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Fri Aug 1 08:30:15 2008
Subject: Multiple IPs
Message-ID:

Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
friendly support service ;)

I'd just like to confirm, however, if this is how it's done?

# cd /usr/src
# wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
# patch -p6 bz_jail7-20080727-11-at146062.diff
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installworld
# make installkernel KERNCONF=GENERIC
# mergemaster -U

Now to the jail part (this is exactly how I created the jail in the first place)

# export D=/usr/jail/camel
# mkdir -p $D
# make world DESTDIR=$D
# cd etc/
# make distribution DESTDIR=$D
# mount -t devfs devfs $D/dev

Thank you all!

Redd Vinylene
http://www.home.no/reddvinylene

From bzeeb-lists at lists.zabbadoz.net Fri Aug 1 17:25:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Fri Aug 1 17:25:20 2008
Subject: Multiple IPs
In-Reply-To:
References:
Message-ID: <20080801171343.M88849@maildrop.int.zabbadoz.net>

On Fri, 1 Aug 2008, Redd Vinylene wrote:

Hi,

> # patch -p6 < bz_jail7-20080727-11-at146062.diff

could be that it needs to be -p7
Try with patch -C -p6/7 (with -C) first and check that it does not
complain.

> Yeah that's more like it ;)
>
> On Fri, Aug 1, 2008 at 10:05 AM, Redd Vinylene wrote:
>> Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
>> friendly support service ;)
>>
>> I'd just like to confirm, however, if this is how it's done?
>>
>> # cd /usr/src
>> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff

preferably use "fetch" as it comes with base;-)

>> # patch -p6 bz_jail7-20080727-11-at146062.diff

see above

>> # make buildworld
>> # make buildkernel KERNCONF=GENERIC
>> # make installworld
>> # make installkernel KERNCONF=GENERIC

you do not need KERNCONF=GENERIC (that's the default) for both commands.

>> # mergemaster -U
>>
>> Now to the jail part (this is exactly how I created the jail in the first place)
>>
>> # export D=/usr/jail/camel
>> # mkdir -p $D
>> # make world DESTDIR=$D

that should be make installworld DESTDIR=$D

>> # cd etc/

nope, no longer needed

>> # make distribution DESTDIR=$D

yes

>> # mount -t devfs devfs $D/dev

Rather not. Set jail_camel_devfs_enable="YES" in /etc/rc.conf
(assuming the `name' of the jail will be camel).
See the Jails section at the end of /etc/defaults/rc.conf for the
other options.

The IP addresses will need to be given as a ',' separated list like:
jail_camel_ip="192.0.2.1,192.0.2.17,192.0.2.255"

You'll need a reboot somewhen for the new kernel etc.

you can do
sh /etc/rc.d/jail stop
sh /etc/rc.d/jail start
sh /etc/rc.d/jail stop camel
sh /etc/rc.d/jail start camel
...

I hope that helps.

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
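
Added example, not part of the thread or of FreeBSD's rc scripts: a POSIX sh check for a value destined for jail_camel_ip, enforcing the comma-separated form Bjoern describes and catching stray whitespace, empty entries, out-of-range octets and duplicates before the jail fails to start. The function names and the 192.0.2.x inputs are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build and check a value for
# jail_<name>_ip before it goes into /etc/rc.conf.
# All function names are hypothetical; the 192.0.2.x values are constructed.

# expand_range PREFIX FIRST COUNT
# Print COUNT consecutive addresses PREFIX.FIRST, PREFIX.FIRST+1, ...
# joined by commas. No bounds check here; check_jail_ip_list does that.
expand_range() {
    _prefix=$1
    _host=$2
    _left=$3
    _out=
    while [ "$_left" -gt 0 ]; do
        _out="${_out:+$_out,}$_prefix.$_host"
        _host=$((_host + 1))
        _left=$((_left - 1))
    done
    printf '%s\n' "$_out"
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in
            0?*|????*) return 1 ;;   # leading zero or more than 3 digits
        esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# check_jail_ip_list LIST: succeed if LIST is a clean comma-separated
# list of distinct IPv4 addresses; otherwise explain on stderr and fail.
check_jail_ip_list() {
    _list=$1
    if [ -z "$_list" ]; then
        echo "jail ip list is empty" >&2
        return 1
    fi
    # rc.conf is sh code, so a value can pick up spaces or newlines.
    if [ "$(printf '%s' "$_list" | tr -d '[:space:]')" != "$_list" ]; then
        echo "whitespace inside the list" >&2
        return 1
    fi
    case $_list in
        ,*|*,|*,,*) echo "empty entry in the list" >&2; return 1 ;;
    esac
    _seen=,
    _rest=$_list
    while [ -n "$_rest" ]; do
        _addr=${_rest%%,*}
        case $_rest in
            *,*) _rest=${_rest#*,} ;;
            *)   _rest= ;;
        esac
        if ! valid_ipv4 "$_addr"; then
            echo "not an IPv4 address: $_addr" >&2
            return 1
        fi
        case $_seen in
            *",$_addr,"*) echo "duplicate address: $_addr" >&2; return 1 ;;
        esac
        _seen="$_seen$_addr,"
    done
    return 0
}

# Constructed demo: three addresses from the documentation range.
candidate=$(expand_range 192.0.2 4 3)
if check_jail_ip_list "$candidate"; then
    printf 'jail_camel_ip="%s"\n' "$candidate"
fi
```
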
From reddvinylene at gmail.com Fri Aug 1 17:26:22 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Fri Aug 1 17:26:32 2008
Subject: The best way to upgrade my FreeBSD and its jails
Message-ID:

My dedicated server is mother, its two jails are camel and box. Is
this the best way to upgrade all of them?

Pretty cool huh?

-

# FreeBSD/i386 mother.reddvinylene.no
csup /etc/cvsupfile && \
cd /usr/src && \
make buildworld && \
make buildkernel && \
make installworld && \
make installkernel && \
make delete-old && \
make delete-old-libs && \
mergemaster -U&& \
export D=/usr/jail/camel && \
make installworld DESTDIR=$D && \
make installworld installkernel DESTDIR=$D && \
make delete-old DESTDIR=$D && \
make delete-old-libs DESTDIR=$D && \
cd etc/ && \
make distribution DESTDIR=$D && \
cd .. && \
mergemaster -U -D $D && \
export D=/usr/jail/box && \
make installworld DESTDIR=$D && \
make installworld installkernel DESTDIR=$D && \
make delete-old DESTDIR=$D && \
make delete-old-libs DESTDIR=$D && \
cd etc/ && \
make distribution DESTDIR=$D && \
cd .. && \
mergemaster -U -D $D && \
chflags -R noschg /usr/obj/* && \
rm -rf /usr/obj/*

-

Redd Vinylene
http://www.home.no/reddvinylene

From reddvinylene at gmail.com Fri Aug 1 17:28:03 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Fri Aug 1 17:28:15 2008
Subject: The best way to upgrade my FreeBSD and its jails
Message-ID:

My dedicated server is mother, its two jails are camel and box. Is
this the best way to upgrade all of them?

Pretty cool huh?

-

# FreeBSD/i386 mother.reddvinylene.no
csup /etc/cvsupfile && \
cd /usr/src && \
make buildworld && \
make buildkernel && \
make installworld && \
make installkernel && \
make delete-old && \
make delete-old-libs && \
mergemaster -U&& \
export D=/usr/jail/camel && \
make installworld DESTDIR=$D && \
make installworld installkernel DESTDIR=$D && \
make delete-old DESTDIR=$D && \
make delete-old-libs DESTDIR=$D && \
cd etc/ && \
make distribution DESTDIR=$D && \
cd .. && \
mergemaster -U -D $D && \
export D=/usr/jail/box && \
make installworld DESTDIR=$D && \
make installworld installkernel DESTDIR=$D && \
make delete-old DESTDIR=$D && \
make delete-old-libs DESTDIR=$D && \
cd etc/ && \
make distribution DESTDIR=$D && \
cd .. && \
mergemaster -U -D $D && \
chflags -R noschg /usr/obj/* && \
rm -rf /usr/obj/*

-

Redd Vinylene
http://www.home.no/reddvinylene

From simon at FreeBSD.org Fri Aug 1 18:27:05 2008
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Fri Aug 1 18:27:12 2008
Subject: new multi-/no-ip4/v6 jail patches
In-Reply-To: <20080727174715.F57089@maildrop.int.zabbadoz.net>
References: <20080727115111.D57089@maildrop.int.zabbadoz.net> <20080727152715.Y57089@maildrop.int.zabbadoz.net> <20080727174715.F57089@maildrop.int.zabbadoz.net>
Message-ID: <20080801181000.GA1526@zaphod.nitro.dk>

On 2008.07.27 17:48:26 +0000, Bjoern A. Zeeb wrote:
> On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:
>
>> On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:
>>
>> Hi,
>>
>> there is a regression in there with unbound udp connects. I am
>> investigating and the patches are gone for the moment. I'll let you
>> know once I updated them.
>
> the new patches are here:
>
> HEAD: http://people.freebsd.org/~bz/bz_jail-20080727-10-at146056.diff
> 7-STABLE: http://people.freebsd.org/~bz/bz_jail7-20080727-10-at146056.diff

This patch has been running since without problems on sky.FreeBSD.org
(which hosts the FreeBSD wiki and more):

6:07PM up 5 days, 49 mins, 1 user, load averages: 0.00, 0.05, 0.07

--
Simon L. Nielsen

From 000.fbsd at quip.cz Fri Aug 1 19:00:36 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Fri Aug 1 19:00:43 2008
Subject: The best way to upgrade my FreeBSD and its jails
In-Reply-To:
References:
Message-ID: <48935D68.2080603@quip.cz>

Redd Vinylene wrote:
> My dedicated server is mother, its two jails are camel and box. Is
> this the best way to upgrade all of them?
>
> Pretty cool huh?
>
> -
>
> # FreeBSD/i386 mother.reddvinylene.no
>
> csup /etc/cvsupfile && \
>
> cd /usr/src && \
>
> make buildworld && \
>
> make buildkernel && \
>
> make installworld && \
>
> make installkernel && \
>
> make delete-old && \
>
> make delete-old-libs && \
>
> mergemaster -U&& \
>
> export D=/usr/jail/camel && \
>
> make installworld DESTDIR=$D && \
>
> make installworld installkernel DESTDIR=$D && \
>
> make delete-old DESTDIR=$D && \
>
> make delete-old-libs DESTDIR=$D && \
>
> cd etc/ && \
>
> make distribution DESTDIR=$D && \
>
> cd .. && \
>
> mergemaster -U -D $D && \
>
> export D=/usr/jail/box && \
>
> make installworld DESTDIR=$D && \
>
> make installworld installkernel DESTDIR=$D && \
>
> make delete-old DESTDIR=$D && \
>
> make delete-old-libs DESTDIR=$D && \
>
> cd etc/ && \
>
> make distribution DESTDIR=$D && \
>
> cd .. && \
>
> mergemaster -U -D $D && \
>
> chflags -R noschg /usr/obj/* && \
>
> rm -rf /usr/obj/*

It would be better if you post what version you are running and to what
version you want to update / upgrade.
If you want to use some RELEASE, you can use freebsd-update command for
binary update of base and jails.

Also it is not good to do all the above steps as one chained command.

Miroslav Lachman

From mikhailg at webanoide.org Fri Aug 1 23:14:09 2008
From: mikhailg at webanoide.org (Mikhail Goriachev)
Date: Fri Aug 1 23:14:15 2008
Subject: The best way to upgrade my FreeBSD and its jails
In-Reply-To:
References:
Message-ID: <489398AD.6000900@webanoide.org>

Redd Vinylene wrote:
> My dedicated server is mother, its two jails are camel and box. Is
> this the best way to upgrade all of them?

We probably should keep this to freebsd-jail@ only.

Had a look at http://pastie.org/245821 and have a few notes for you:

1.- As Miroslav already mentioned - it is not a good idea to daisy chain
everything. You should break the procedure into two steps. Firstly
upgrade the host and make sure the upgrade went well. Once you're
certain that everything is ok, then proceed upgrading jails.

I personally disable jails (jail_enable="NO"), then reboot (to avoid any
zombie jails), perform upgrade on all jails and then enable them back on.

2.- Your upgrading sequence is a bit off. Have a look at
/usr/src/Makefile for further details and correct sequence:

# make buildworld
# make buildkernel
# make installkernel
# reboot
# mergemaster -p
# make installworld
# make delete-old
# mergemaster
# reboot
# make delete-old-libs

3.- You don't need kernels inside your jails. Having them won't hurt
you, but they consume space. In other words, you shouldn't execute the
following (or similar):

# make DESTDIR=$D installkernel

4.- The "make distribution DESTDIR=$D" should be executed only once -
when a jail is created. Otherwise you're nuking your configurations in
jail's /etc and probably somewhere else.

Have a go at this, you might find some use for it:

-----------------------
JAILSDIR=/usr/local/jails

cd /usr/src

for jail in `ls ${JAILSDIR}`; do
    mergemaster -pD ${JAILSDIR}/${jail}
    make installworld DESTDIR=${JAILSDIR}/${jail}
    mergemaster -iD ${JAILSDIR}/${jail}
done
-----------------------

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

From 000.fbsd at quip.cz Sat Aug 2 07:28:22 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sat Aug 2 07:28:28 2008
Subject: The best way to upgrade my FreeBSD and its jails
In-Reply-To: <489398AD.6000900@webanoide.org>
References: <489398AD.6000900@webanoide.org>
Message-ID: <48940CAB.9040001@quip.cz>

Mikhail Goriachev wrote:
> Redd Vinylene wrote:
>
>> My dedicated server is mother, its two jails are camel and box. Is
>> this the best way to upgrade all of them?
>
>
> We probably should keep this to freebsd-jail@ only.
>
> Had a look at http://pastie.org/245821 and have a few notes for you:
>
> 1.- As Miroslav already mentioned - it is not a good idea to daisy chain
> everything. You should break the procedure into two steps. Firstly
> upgrade the host and make sure the upgrade went well. Once you're
> certain that everything is ok, then proceed upgrading jails.
>
> I personally disable jails (jail_enable="NO"), then reboot (to avoid any
> zombie jails), perform upgrade on all jails and then enable them back on.
>
> 2.- Your upgrading sequence is a bit off. Have a look at
> /usr/src/Makefile for further details and correct sequence:
>
> # make buildworld
> # make buildkernel
> # make installkernel
> # reboot
> # mergemaster -p
> # make installworld
> # make delete-old
> # mergemaster
> # reboot
> # make delete-old-libs
>
> 3.- You don't need kernels inside your jails. Having them won't hurt
> you, but they consume space. In other words, you shouldn't execute the
> following (or similar):
>
> # make DESTDIR=$D installkernel
>
> 4.- The "make distribution DESTDIR=$D" should be executed only once -
> when a jail is created. Otherwise you're nuking your configurations in
> jail's /etc and probably somewhere else.

One thing to note - If you do delete-old delete-old-libs you probably
need to recompile all installed ports because of lib dependencies.

> Have a go at this, you might find some use for it:
>
> -----------------------
> JAILSDIR=/usr/local/jails
>
> cd /usr/src
>
> for jail in `ls ${JAILSDIR}`; do
> mergemaster -pD ${JAILSDIR}/${jail}
> make installworld DESTDIR=${JAILSDIR}/${jail}
> mergemaster -iD ${JAILSDIR}/${jail}
> done
> -----------------------

From reddvinylene at gmail.com Sat Aug 2 10:04:01 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 10:04:07 2008
Subject: The best way to upgrade my FreeBSD and its jails
In-Reply-To: <48940CAB.9040001@quip.cz>
References: <489398AD.6000900@webanoide.org> <48940CAB.9040001@quip.cz>
Message-ID:

Thanks a lot guys for your great design insight!

I hope others will find this thread interesting as well. Here's the
final upgrade script I decided to use (my shell is zsh):

-

# FreeBSD/i386 mother.naoshige.net
csup /etc/cvsupfile
cd /usr/src
make buildworld buildkernel && \
mergemaster -p && \
make installworld installkernel delete-old delete-old-libs && \
mergemaster -i -U && \
JAILS=/usr/local/jails
cd /usr/src
for jail in $JAILS/*; do
mergemaster -p -D $JAILS/$jail && \
make installworld delete-old delete-old-libs DESTDIR=$JAILS/$jail && \
mergemaster -i -U -D $JAILS/$jail && \
done
chflags -R noschg /usr/obj/*
rm -rf /usr/obj/*

-

Much obliged!

On Sat, Aug 2, 2008 at 9:28 AM, Miroslav Lachman <000.fbsd@quip.cz> wrote:
> Mikhail Goriachev wrote:
>>
>> Redd Vinylene wrote:
>>
>>> My dedicated server is mother, its two jails are camel and box. Is
>>> this the best way to upgrade all of them?
>>
>>
>> We probably should keep this to freebsd-jail@ only.
>>
>> Had a look at http://pastie.org/245821 and have a few notes for you:
>>
>> 1.- As Miroslav already mentioned - it is not a good idea to daisy chain
>> everything. You should break the procedure into two steps. Firstly upgrade
>> the host and make sure the upgrade went well. Once you're certain that
>> everything is ok, then proceed upgrading jails.
>>
>> I personally disable jails (jail_enable="NO"), then reboot (to avoid any
>> zombie jails), perform upgrade on all jails and then enable them back on.
>>
>> 2.- Your upgrading sequence is a bit off.
>> Have a look at /usr/src/Makefile
>> for further details and correct sequence:
>>
>> # make buildworld
>> # make buildkernel
>> # make installkernel
>> # reboot
>> # mergemaster -p
>> # make installworld
>> # make delete-old
>> # mergemaster
>> # reboot
>> # make delete-old-libs
>>
>> 3.- You don't need kernels inside your jails. Having them won't hurt you,
>> but they consume space. In other words, you shouldn't execute the following
>> (or similar):
>>
>> # make DESTDIR=$D installkernel
>>
>> 4.- The "make distribution DESTDIR=$D" should be executed only once - when
>> a jail is created. Otherwise you're nuking your configurations in jail's
>> /etc and probably somewhere else.
>
> One thing to note - If you do delete-old delete-old-libs you probably need
> to recompile all installed ports because of lib dependencies.
>
>> Have a go at this, you might find some use for it:
>>
>> -----------------------
>> JAILSDIR=/usr/local/jails
>>
>> cd /usr/src
>>
>> for jail in `ls ${JAILSDIR}`; do
>> mergemaster -pD ${JAILSDIR}/${jail}
>> make installworld DESTDIR=${JAILSDIR}/${jail}
>> mergemaster -iD ${JAILSDIR}/${jail}
>> done
>> -----------------------
>

From reddvinylene at gmail.com Sat Aug 2 14:26:37 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 14:26:43 2008
Subject: The best way to upgrade my FreeBSD and its jails
In-Reply-To:
References: <489398AD.6000900@webanoide.org> <48940CAB.9040001@quip.cz>
Message-ID:

Slight improvement, set -e replaces all the && \:

-

# FreeBSD/i386 mother.naoshige.net
set -e
csup /etc/cvsupfile
cd /usr/src
make buildworld buildkernel
mergemaster -p
make installworld installkernel delete-old delete-old-libs
mergemaster -i -U
JAILS=/usr/local/jails
for jail in $JAILS/*; do
    # $jail already holds the full path produced by the $JAILS/* glob
    mergemaster -p -D $jail
    make installworld delete-old delete-old-libs DESTDIR=$jail
    mergemaster -i -U -D $jail
done
chflags -R noschg /usr/obj/*
rm -rf /usr/obj/*

-

Peace!

On Sat, Aug 2, 2008 at 12:03 PM, Redd Vinylene wrote:
> Thanks a lot guys for your great design insight!
>
> I hope others will find this thread interesting as well. Here's the
> final upgrade script I decided to use (my shell is zsh):
>
> -
>
> # FreeBSD/i386 mother.naoshige.net
>
> csup /etc/cvsupfile
>
> cd /usr/src
>
> make buildworld buildkernel && \
>
> mergemaster -p && \
>
> make installworld installkernel delete-old delete-old-libs && \
>
> mergemaster -i -U && \
>
> JAILS=/usr/local/jails
>
> cd /usr/src
>
> for jail in $JAILS/*; do
>
> mergemaster -p -D $JAILS/$jail && \
>
> make installworld delete-old delete-old-libs DESTDIR=$JAILS/$jail && \
>
> mergemaster -i -U -D $JAILS/$jail && \
>
> done
>
> chflags -R noschg /usr/obj/*
>
> rm -rf /usr/obj/*
>
> -
>
> Much obliged!
>
> On Sat, Aug 2, 2008 at 9:28 AM, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>> Mikhail Goriachev wrote:
>>>
>>> Redd Vinylene wrote:
>>>
>>>> My dedicated server is mother, its two jails are camel and box. Is
>>>> this the best way to upgrade all of them?
>>>
>>>
>>> We probably should keep this to freebsd-jail@ only.
>>>
>>> Had a look at http://pastie.org/245821 and have a few notes for you:
>>>
>>> 1.- As Miroslav already mentioned - it is not a good idea to daisy chain
>>> everything. You should break the procedure into two steps. Firstly upgrade
>>> the host and make sure the upgrade went well. Once you're certain that
>>> everything is ok, then proceed upgrading jails.
>>>
>>> I personally disable jails (jail_enable="NO"), then reboot (to avoid any
>>> zombie jails), perform upgrade on all jails and then enable them back on.
>>>
>>> 2.- Your upgrading sequence is a bit off. Have a look at /usr/src/Makefile
>>> for further details and correct sequence:
>>>
>>> # make buildworld
>>> # make buildkernel
>>> # make installkernel
>>> # reboot
>>> # mergemaster -p
>>> # make installworld
>>> # make delete-old
>>> # mergemaster
>>> # reboot
>>> # make delete-old-libs
>>>
>>> 3.- You don't need kernels inside your jails. Having them won't hurt you,
>>> but they consume space. In other words, you shouldn't execute the following
>>> (or similar):
>>>
>>> # make DESTDIR=$D installkernel
>>>
>>> 4.- The "make distribution DESTDIR=$D" should be executed only once - when
>>> a jail is created. Otherwise you're nuking your configurations in jail's
>>> /etc and probably somewhere else.
>>
>> One thing to note - If you do delete-old delete-old-libs you probably need
>> to recompile all installed ports because of lib dependencies.
>>
>>> Have a go at this, you might find some use for it:
>>>
>>> -----------------------
>>> JAILSDIR=/usr/local/jails
>>>
>>> cd /usr/src
>>>
>>> for jail in `ls ${JAILSDIR}`; do
>>> mergemaster -pD ${JAILSDIR}/${jail}
>>> make installworld DESTDIR=${JAILSDIR}/${jail}
>>> mergemaster -iD ${JAILSDIR}/${jail}
>>> done
>>> -----------------------
>>
>

From reddvinylene at gmail.com Sat Aug 2 17:08:52 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 17:08:58 2008
Subject: jail_box_ip=""
Message-ID:

Hey, I got a couple of hundred IPs, is there an easy way to add them
all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
ever?

Like this?

jail_box_ip="66.252.2.4,\
66.252.2.5,\
66.252.2.6,\

Unfortunately that doesn't look too good.

Nor does:

export x=$(cat ips);export jail_ips=''; for ip in $x; do export
jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
s/,$/''/ | sed s/^,//);

Is there a more beautiful alternative?

Thanks!

From reddvinylene at gmail.com Sat Aug 2 17:17:38 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 17:17:45 2008
Subject: jail_box_ip=""
In-Reply-To:
References:
Message-ID:

Here's what I got so far: http://pastie.org/246189

And this is just wishful thinking I guess: http://pastie.org/246190

On Sat, Aug 2, 2008 at 7:08 PM, Redd Vinylene wrote:
> Hey, I got a couple of hundred IPs, is there an easy way to add them
> all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
> ever?
>
> Like this?
>
> jail_box_ip="66.252.2.4,\
> 66.252.2.5,\
> 66.252.2.6,\
>
> Unfortunately that doesn't look too good.
>
> Nor does:
>
> export x=$(cat ips);export jail_ips=''; for ip in $x; do export
> jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
> s/,$/''/ | sed s/^,//);
>
> Is there a more beautiful alternative?
>
> Thanks!
>

--
http://www.home.no/reddvinylene

From m.seaman at infracaninophile.co.uk Sat Aug 2 17:37:54 2008
From: m.seaman at infracaninophile.co.uk (Matthew Seaman)
Date: Sat Aug 2 17:38:01 2008
Subject: jail_box_ip=""
In-Reply-To:
References:
Message-ID: <48949B5F.4070300@infracaninophile.co.uk>

Redd Vinylene wrote:
> Hey, I got a couple of hundred IPs, is there an easy way to add them
> all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
> ever?
>
> Like this?
>
> jail_box_ip="66.252.2.4,\
> 66.252.2.5,\
> 66.252.2.6,\
>
> Unfortunately that doesn't look too good.
>
> Nor does:
>
> export x=$(cat ips);export jail_ips=''; for ip in $x; do export
> jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
> s/,$/''/ | sed s/^,//);
>
> Is there a more beautiful alternative?

/etc/rc.conf is just /bin/sh code. All you need to do is set
the variables -- usually by assigning a static string, but you
can use whatever constructs you want. Well - within reason. Making
something as critical as the system boot process depend on a bunch of
other files or processes is not a good idea on the whole.

You can include multi-line whitespace in the variables by using single
quotes:

jail_box_ip='66.252.2.4,
66.252.2.5,
66.252.2.6,
66.252.2.7'

Assuming that the init script that processes this data isn't fazed
by the inclusion of a bit of whitespace.

Or you can generate the required numbers, assuming they are
consecutive:

jail_box_ip=$( jot -w "66.252.2.%d" -s "," 5 4 )

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

From reddvinylene at gmail.com Sat Aug 2 18:07:35 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 18:07:48 2008
Subject: jail_box_ip=""
In-Reply-To: <48949B5F.4070300@infracaninophile.co.uk>
References: <48949B5F.4070300@infracaninophile.co.uk>
Message-ID:

jail_box_ip=$( jot -w "66.252.2.%d" -s "," 124 4 )

What a gorgeous solution ;)

Thanks man!

On Sat, Aug 2, 2008 at 7:37 PM, Matthew Seaman wrote:
> Redd Vinylene wrote:
>>
>> Hey, I got a couple of hundred IPs, is there an easy way to add them
>> all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
>> ever?
>>
>> Like this?
>>
>> jail_box_ip="66.252.2.4,\
>> 66.252.2.5,\
>> 66.252.2.6,\
>>
>> Unfortunately that doesn't look too good.
>>
>> Nor does:
>>
>> export x=$(cat ips);export jail_ips=''; for ip in $x; do export
>> jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
>> s/,$/''/ | sed s/^,//);
>>
>> Is there a more beautiful alternative?
>
> /etc/rc.conf is just /bin/sh code. All you need to do is set
> the variables -- usually by assigning a static string, but you
> can use whatever constructs you want. Well - within reason. Making
> something as critical as the system boot process depend on a bunch of
> other files or processes is not a good idea on the whole.
>
> You can include multi-line whitespace in the variables by using single
> quotes:
>
> jail_box_ip='66.252.2.4,
> 66.252.2.5,
> 66.252.2.6,
> 66.252.2.7'
>
> Assuming that the init script that processes this data isn't fazed
> by the inclusion of a bit of whitespace.
>
> Or you can generate the required numbers, assuming they are
> consecutive:
>
> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 5 4 )
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
>
>

--
http://www.home.no/reddvinylene

From reddvinylene at gmail.com Sat Aug 2 18:10:24 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 18:10:36 2008
Subject: jail_box_ip=""
In-Reply-To:
References: <48949B5F.4070300@infracaninophile.co.uk>
Message-ID:

Can something similar be used for my

ifconfig_rl0_aliasN="inet 66.252.2.N netmask 255.255.255.255"

as well?

On Sat, Aug 2, 2008 at 8:07 PM, Redd Vinylene wrote:
> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 124 4 )
>
> What a gorgeous solution ;)
>
> Thanks man!
>
> On Sat, Aug 2, 2008 at 7:37 PM, Matthew Seaman
> wrote:
>> Redd Vinylene wrote:
>>>
>>> Hey, I got a couple of hundred IPs, is there an easy way to add them
>>> all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
>>> ever?
>>>
>>> Like this?
>>>
>>> jail_box_ip="66.252.2.4,\
>>> 66.252.2.5,\
>>> 66.252.2.6,\
>>>
>>> Unfortunately that doesn't look too good.
>>>
>>> Nor does:
>>>
>>> export x=$(cat ips);export jail_ips=''; for ip in $x; do export
>>> jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
>>> s/,$/''/ | sed s/^,//);
>>>
>>> Is there a more beautiful alternative?
>>
>> /etc/rc.conf is just /bin/sh code. All you need to do is set
>> the variables -- usually by assigning a static string, but you
>> can use whatever constructs you want. Well - within reason. Making
>> something as critical as the system boot process depend on a bunch of
>> other files or processes is not a good idea on the whole.
>>
>> You can include multi-line whitespace in the variables by using single
>> quotes:
>>
>> jail_box_ip='66.252.2.4,
>> 66.252.2.5,
>> 66.252.2.6,
>> 66.252.2.7'
>>
>> Assuming that the init script that processes this data isn't fazed
>> by the inclusion of a bit of whitespace.
>>
>> Or you can generate the required numbers, assuming they are
>> consecutive:
>>
>> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 5 4 )
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.
>>                                                   7 Priory Courtyard
>>                                                   Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>>                                                   Kent, CT11 9PW
>>
>>
>
>
>
> --
> http://www.home.no/reddvinylene
>

--
http://www.home.no/reddvinylene

From lars+lister.freebsd at adventuras.no Sat Aug 2 19:32:07 2008
From: lars+lister.freebsd at adventuras.no (Lars Kristiansen)
Date: Sat Aug 2 19:32:14 2008
Subject: jail_box_ip=""
In-Reply-To:
References: <48949B5F.4070300@infracaninophile.co.uk>
Message-ID: <4894B274.7060308@adventuras.no>

Redd Vinylene wrote:
> Can something similar be used for my
>
> ifconfig_rl0_aliasN="inet 66.252.2.N netmask 255.255.255.255"
>
> as well?
>

This is not as elegant, but may help in a similar way:

alia=-1;
while [ "$alia" -lt '123' ] ; do
    alia=$(($alia+1)) ;
    ips=$(($alia+4)) ;
    echo "ifconfig_rl0_alias$alia=\"inet 66.252.2.$ips netmask 255.255.255.255\"" ;
done


Regards
Lars,
arbeidsøkende, Oslo

> On Sat, Aug 2, 2008 at 8:07 PM, Redd Vinylene wrote:
>> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 124 4 )
>>
>> What a gorgeous solution ;)
>>
>> Thanks man!
>>
>> On Sat, Aug 2, 2008 at 7:37 PM, Matthew Seaman
>> wrote:
>>> Redd Vinylene wrote:
>>>> Hey, I got a couple of hundred IPs, is there an easy way to add them
>>>> all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
>>>> ever?
>>>>
>>>> Like this?
>>>>
>>>> jail_box_ip="66.252.2.4,\
>>>> 66.252.2.5,\
>>>> 66.252.2.6,\
>>>>
>>>> Unfortunately that doesn't look too good.
>>>>
>>>> Nor does:
>>>>
>>>> export x=$(cat ips);export jail_ips=''; for ip in $x; do export
>>>> jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
>>>> s/,$/''/ | sed s/^,//);
>>>>
>>>> Is there a more beautiful alternative?
>>> /etc/rc.conf is just /bin/sh code. All you need to do is set
>>> the variables -- usually by assigning a static string, but you
>>> can use whatever constructs you want. Well - within reason. Making
>>> something as critical as the system boot process depend on a bunch of
>>> other files or processes is not a good idea on the whole.
>>>
>>> You can include multi-line whitespace in the variables by using single
>>> quotes:
>>>
>>> jail_box_ip='66.252.2.4,
>>> 66.252.2.5,
>>> 66.252.2.6,
>>> 66.252.2.7'
>>>
>>> Assuming that the init script that processes this data isn't fazed
>>> by the inclusion of a bit of whitespace.
>>>
>>> Or you can generate the required numbers, assuming they are
>>> consecutive:
>>>
>>> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 5 4 )
>>>
>>> Cheers,
>>>
>>> Matthew
>>>
>>> --
>>> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>>>                                                   Flat 3
>>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>>>                                                   Kent, CT11 9PW
>>>
>>>
>>
>>
>> --
>> http://www.home.no/reddvinylene
>>
>
>
>

From reddvinylene at gmail.com Sat Aug 2 20:22:55 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Sat Aug 2 20:23:07 2008
Subject: jail_box_ip=""
In-Reply-To: <4894B274.7060308@adventuras.no>
References: <48949B5F.4070300@infracaninophile.co.uk> <4894B274.7060308@adventuras.no>
Message-ID:

Actually:

jail_box_ip=$( jot -w "66.252.2.%d" -s "," 124 4 )

gives me:

Aug 2 20:10:50 mother root: /etc/rc: WARNING: devfs_set_ruleset: you must specify a ruleset number
Aug 2 20:10:58 mother root: /etc/rc: ERROR: jail: No IP address has been defined for box

On Sat, Aug 2, 2008 at 9:16 PM, Lars Kristiansen wrote:
> Redd Vinylene wrote:
>>
>> Can something similar be used for my
>>
>> ifconfig_rl0_aliasN="inet 66.252.2.N netmask 255.255.255.255"
>>
>> as well?
>>
>
> This is not as elegant, but may help in a similar way:
>
> alia=-1;
> while [ "$alia" -lt '123' ] ; do
> alia=$(($alia+1)) ;
> ips=$(($alia+4)) ;
> echo "ifconfig_rl0_alias$alia=\"inet 66.252.2.$ips netmask
> 255.255.255.255\"" ;
> done
>
>
> Regards
> Lars,
> arbeidsøkende, Oslo
>
>
>> On Sat, Aug 2, 2008 at 8:07 PM, Redd Vinylene
>> wrote:
>>>
>>> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 124 4 )
>>>
>>> What a gorgeous solution ;)
>>>
>>> Thanks man!
>>>
>>> On Sat, Aug 2, 2008 at 7:37 PM, Matthew Seaman
>>> wrote:
>>>>
>>>> Redd Vinylene wrote:
>>>>>
>>>>> Hey, I got a couple of hundred IPs, is there an easy way to add them
>>>>> all to jail_box_ip="ip1,ip2,ip3" without making like the longest line
>>>>> ever?
>>>>>
>>>>> Like this?
>>>>>
>>>>> jail_box_ip="66.252.2.4,\
>>>>> 66.252.2.5,\
>>>>> 66.252.2.6,\
>>>>>
>>>>> Unfortunately that doesn't look too good.
>>>>>
>>>>> Nor does:
>>>>>
>>>>> export x=$(cat ips);export jail_ips=''; for ip in $x; do export
>>>>> jail_ips="$jail_ips,$ip"; done; export jail_ips=$(echo $jail_ips | sed
>>>>> s/,$/''/ | sed s/^,//);
>>>>>
>>>>> Is there a more beautiful alternative?
>>>>
>>>> /etc/rc.conf is just /bin/sh code.
All you need to do is set >>>> the variables -- usually by assigning a static string, but you >>>> can use whatever constructs you want. Well - within reason. Making >>>> something as critical as the system boot process depend on a bunch of >>>> other files or processes is not a good idea on the whole. >>>> >>>> You can include multi-line whitespace in the variables by using single >>>> quotes: >>>> >>>> jail_box_ip='66.252.2.4, >>>> 66.252.2.5, >>>> 66.252.2.6, >>>> 66.252.2.7' >>>> >>>> Assuming that the init script that processes this data isn't fazed >>>> by the inclusion of a bit of whitespace. >>>> >>>> Or you can generate the required numbers, assuming they are >>>> consecutive: >>>> >>>> jail_box_ip=$( jot -w "66.252.2.%d" -s "," 5 4 ) >>>> >>>> Cheers, >>>> >>>> Matthew >>>> >>>> -- >>>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard >>>> Flat 3 >>>> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate >>>> Kent, CT11 9PW >>>> >>>> >>> >>> >>> -- >>> http://www.home.no/reddvinylene >>> >> >> >> > > -- http://www.home.no/reddvinylene From reddvinylene at gmail.com Sat Aug 2 21:43:41 2008 From: reddvinylene at gmail.com (Redd Vinylene) Date: Sat Aug 2 21:43:47 2008 Subject: Can't SSH into my jails after a makeworld Message-ID: Greetings, I have a little problem here. I can't seem to SSH into my jails any longer, I get taken straight back to the mothership. jexec works though. The problem occurred after I did a makeworld (http://pastie.org/246273) on top of a fresh /usr/src with Bjoern's multiple IP patch from 20080727. Here's my mothership's rc.conf http://pastie.org/246290 Many thanks. I'm sorry about all this mess. -- http://www.home.no/reddvinylene From mikhailg at webanoide.org Sat Aug 2 21:55:52 2008 
From: mikhailg at webanoide.org (Mikhail Goriachev) Date: Sat Aug 2 21:55:59 2008 Subject: Can't SSH into my jails after a makeworld In-Reply-To: References: Message-ID: <4894D7DA.101@webanoide.org> Redd Vinylene wrote: > Greetings, > > I have a little problem here. I can't seem to SSH into my jails any > longer, I get taken straight back to the mothership. jexec works > though. > > The problem occurred after I did a makeworld > (http://pastie.org/246273) on top of a fresh /usr/src with Bjoern's > multiple IP patch from 20080727. Whenever you execute this: # csup /etc/cvsupfile The multi-ip patch goes away. You have to reapply the patch after you sync the sources. Regards, Mikhail. -- Mikhail Goriachev Webanoide From bzeeb-lists at lists.zabbadoz.net Sat Aug 2 22:00:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Sat Aug 2 22:00:15 2008 Subject: Can't SSH into my jails after a makeworld In-Reply-To: References: Message-ID: <20080802215132.M88849@maildrop.int.zabbadoz.net> On Sat, 2 Aug 2008, Redd Vinylene wrote: Hi, > I have a little problem here. I can't seem to SSH into my jails any > longer, I get taken straight back to the mothership. jexec works > though. what does sysctl security.jail.jailed_sockets_first give? If you jexec into jail, does sshd actually run? Did it give an error/warning? What does netstat -an show? (in case this is long do not paste it into mail and/or make sure there are no extra line wraps). -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From reddvinylene at gmail.com Sun Aug 3 01:01:06 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Sun Aug 3 01:01:13 2008 Subject: Can't SSH into my jails after a makeworld In-Reply-To: <20080802215132.M88849@maildrop.int.zabbadoz.net> References: <20080802215132.M88849@maildrop.int.zabbadoz.net> Message-ID: On Sat, Aug 2, 2008 at 11:55 PM, Mikhail Goriachev wrote: > > Whenever you execute this: > > # csup /etc/cvsupfile > > The multi-ip patch goes away. You have to reapply the patch after you sync > the sources. My bad, I forgot to mention that I commented that. On Sat, Aug 2, 2008 at 11:55 PM, Bjoern A. Zeeb wrote: > > what does > sysctl security.jail.jailed_sockets_first > give? security.jail.jailed_sockets_first: 1 > If you jexec into jail, does sshd actually run? Did it give an > error/warning? What does netstat -an show? (in case this is long do > not paste it into mail and/or make sure there are no extra line wraps). I actually got it working. But sometimes, after reboots, none of them will start. Is there anything I can do to debug? Might this be because I forgot to stop the jails prior to the makeworld? - Also, these stopped working: jail_camel_devfs_ruleset="camel_ruleset" jail_box_devfs_ruleset="box_ruleset" Producing: Starting jails:/etc/rc.d/jail: WARNING: devfs_set_ruleset: you must specify a ruleset number devfs rule: ioctl DEVFSIO_SAPPLY: No such process So I had to switch over to: jail_camel_devfs_ruleset="devfsrules_jail" jail_box_devfs_ruleset="devfsrules_jail" - Another strange thing, this just freezes up: # /etc/rc.d/jail start Configuring jails:. Starting jails: I can't terminate it either: # /etc/rc.d/jail start Configuring jails:. Starting jails:^C^C^C -- http://www.home.no/reddvinylene From m.seaman at infracaninophile.co.uk Sun Aug 3 07:53:18 2008 
From: m.seaman at infracaninophile.co.uk (Matthew Seaman) Date: Sun Aug 3 07:53:25 2008 Subject: jail_box_ip="" In-Reply-To: References: <48949B5F.4070300@infracaninophile.co.uk> Message-ID: <489563D3.3060507@infracaninophile.co.uk> Redd Vinylene wrote: > Can something similar be used for my > > ifconfig_rl0_aliasN="inet 66.252.2.N netmask 255.255.255.255" > > as well? You'd have to write a loop:

for N in $( jot 124 4 ) ; do
    eval "ifconfig_rl0_alias$N=\"inet 66.252.2.$N netmask 255.255.255.255\""
done

Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW From bzeeb-lists at lists.zabbadoz.net Mon Aug 4 07:50:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Mon Aug 4 07:50:59 2008 Subject: Patch no longer applying cleanly Message-ID: <20080804074505.Y88849@maildrop.int.zabbadoz.net> Hi, FYI: I am aware that the jail patches are no longer applying cleanly. There are upcoming changes during this week which will add further conflicts. I'll update the patches once those changes are in and the tree should be stable again with regard to the jail work. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From bugmaster at FreeBSD.org Mon Aug 4 11:06:57 2008 
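Matthew Seaman's point earlier in the thread that /etc/rc.conf is /bin/sh code and should not lean on other processes at boot, as an added example that is not part of any message here: the address list and the alias variables built with sh builtins only. The helper names `valid_range`, `ip_range` and `set_aliases` are hypothetical, and aliases are numbered from 0 as in Lars's loop.

```shell
#!/bin/sh
# Added example, not from the thread. valid_range, ip_range and set_aliases
# are hypothetical helper names; only sh builtins are used (no jot, cat, sed).

# valid_range FIRST COUNT: both plain decimals >= 1, and the last host
# octet FIRST+COUNT-1 must not exceed 255.
valid_range() {
    for _v in "$1" "$2"; do
        # Reject empty, non-digit, zero / leading-zero (octal inside $(( )))
        # and anything longer than three digits.
        case $_v in ''|*[!0-9]*|0*|????*) return 1 ;; esac
    done
    [ $(($1 + $2 - 1)) -le 255 ]
}

# ip_range PREFIX FIRST COUNT: print "PREFIX.FIRST,PREFIX.FIRST+1,..."
# with no whitespace, the form jail_box_ip takes in the thread.
ip_range() {
    valid_range "$2" "$3" || return 1
    _host=$2 _left=$3 _list=
    while [ "$_left" -gt 0 ]; do
        _list="${_list:+$_list,}$1.$_host"
        _host=$((_host + 1))
        _left=$((_left - 1))
    done
    printf '%s\n' "$_list"
}

# set_aliases IFACE PREFIX FIRST COUNT: set ifconfig_IFACE_alias0,
# ifconfig_IFACE_alias1, ... in the current shell.
set_aliases() {
    # IFACE becomes part of a variable name handed to eval, so accept
    # only characters that are valid in a shell identifier.
    case $1 in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    valid_range "$3" "$4" || return 1
    _i=0
    while [ "$_i" -lt "$4" ]; do
        _val="inet $2.$(($3 + _i)) netmask 255.255.255.255"
        # eval only ever sees the validated name; the value is passed as a
        # variable reference and is never re-parsed as shell code.
        eval "ifconfig_${1}_alias${_i}=\$_val"
        _i=$((_i + 1))
    done
}

# The thread's numbers: 124 addresses starting at 66.252.2.4 on rl0.
jail_box_ip=$(ip_range 66.252.2 4 124)
set_aliases rl0 66.252.2 4 124
```
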
From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Aug 4 11:08:04 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200808041106.m74B6vlt082104@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
s kern/89528   jail  [jail] [patch] impossible to kill a jail
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail  [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail  [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail  [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail  [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail  [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail  [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail  [jail] Zombie jails (jailed child process exits while

9 problems total.

From reddvinylene at gmail.com Wed Aug 6 16:25:12 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Wed Aug 6 16:25:24 2008 Subject: identd on jail with multiple IPs Message-ID: Greetings! I cannot seem to make identd work on a jail with multiple IPs (Bjoern Zeeb's patch): jail # cat /etc/inetd.conf auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30 - jail # grep inetd /etc/rc.conf inetd_enable="YES" - host # grep jail /etc/rc.conf jail_enable="YES" jail_list="box" jail_box_ip="80.252.2.4,80.252.2.5,80.252.2.6,80.252.2.7,80.252.2.8,80.252.2.9,80.252.2.10,80.252.2.11,80.252.2.12,80.252.2.13,80.252.2.14,80.252.2.15,80.252.2.16,80.252.2.17,80.252.2.18,80.252.2.19,80.252.2.20,80.252.2.21,80.252.2.22,80.252.2.23,80.252.2.24,80.252.2.25,80.252.2.26,80.252.2.27,80.252.2.28,80.252.2.29,80.252.2.30,80.252.2.31,80.252.2.32,80.252.2.33,80.252.2.34,80.252.2.35,80.252.2.36,80.252.2.37,80.252.2.38,80.252.2.39,80.252.2.40,80.252.2.41,80.252.2.42,80.252.2.43,80.252.2.44,80.252.2.45,80.252.2.46,80.252.2.47,80.252.2.48,80.252.2.49,80.252.2.50,80.252.2.51,80.252.2.52,80.252.2.53,80.252.2.54,80.252.2.55,80.252.2.56,80.252.2.57,80.252.2.58,80.252.2.59,80.252.2.60,80.252.2.61,80.252.2.62,80.252.2.63,80.252.2.64,80.252.2.65,80.252.2.80,80.252.2.67,80.252.2.68,80.252.2.69,80.252.2.70,80.252.2.71,80.252.2.72,80.252.2.73,80.252.2.74,80.252.2.75,80.252.2.76,80.252.2.77,80.252.2.78,80.252.2.79,80.252.2.80,80.252.2.81,80.252.2.82,80.252.2.83,80.252.2.84,80.252.2.85,80.252.2.86,80.252.2.87,80.252.2.88,80.252.2.89,80.252.2.90,80.252.2.91,80.252.2.92,80.252.2.93,80.252.2.94,80.252.2.95,80.252.2.96,80.252.2.97,80.252.2.98,80.252.2.99,80.252.2.100,80.252.2.101,80.252.2.102,80.252.2.103,80.252.2.104,80.252.2.105,80.252.2.106,80.252.2.107,80.252.2.108,80.252.2.109,80.252.2.110,80.252.2.111,80.252.2.112,80.252.2.113,80.252.2.114,80.252.2.115,80.252.2.116,80.252.2.117,80.252.2.118,80.252.2.119,80.252.2.120,80.252.2.121,80.252.2.122,80.252.2.123,80.252.2.124,80.252.2.125,80.252.2.126,80.252.2.127" jail_box_rootdir="/usr/jail/box" 
jail_box_hostname="box.fox-host.net" jail_box_devfs_enable="YES" jail_box_devfs_ruleset="devfsrules_jail" - It worked when I had just one IP in jail_box_ip. Is there a way to make auth listen to all my IPs, or should I switch to oidentd or pidentd? Many thanks! -- http://www.home.no/reddvinylene From bzeeb-lists at lists.zabbadoz.net Wed Aug 6 20:20:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Wed Aug 6 20:20:19 2008 Subject: identd on jail with multiple IPs In-Reply-To: References: Message-ID: <20080806201636.J88849@maildrop.int.zabbadoz.net> On Wed, 6 Aug 2008, Redd Vinylene wrote: > I cannot seem to make identd work on a jail with multiple IPs (Bjoern > Zeeb's patch): So do you have any kind of error message? packet traces or anything to further isolate the problem rather than "does not work"? -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From reddvinylene at gmail.com Wed Aug 6 20:58:04 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Wed Aug 6 20:58:11 2008 Subject: identd on jail with multiple IPs In-Reply-To: <20080806201636.J88849@maildrop.int.zabbadoz.net> References: <20080806201636.J88849@maildrop.int.zabbadoz.net> Message-ID: Good evening Bjoern, Exactly how do I do a packet trace? I could do a tcpdump -n -e -ttt -i rl0 but I don't know how to filter out all the noise. But actually, identd works just fine here with the jail's first IP, 66.252.2.4. The problem must be elsewhere. When I change the IP to 66.252.2.5, or any other IP besides the first, I get errors like: ERROR Closing Link: 0.0.0.0 (A-banned: [AKILL ID:1212791563K-a] [exp/idsh] Connections from this netrange are required to respond to identd requests in order to connect to DALnet. Visit http://kline.dal.net/exploits/ident.htm for more information. Contact your provider if identd is not working (2008/08/04 02.07)) When connecting to irc.freenode.net though, it defaults back to 66.252.2.4 no matter what IP I use. Maybe I've just twisted some of the basics? - The host (mother)'s rc.conf http://pastie.org/248762 (you've probably seen that one before though) - 66.252.2.4# cat /etc/rc.conf sshd_enable="YES" inetd_enable="YES" linux_enable="YES" clear_tmp_enable="YES" update_motd="NO" - 66.252.2.4# cat /etc/resolv.conf # Same as the host. Perhaps it should only contain "nameserver 66.252.2.2"? nameserver 69.65.17.101 nameserver 69.65.16.102 - 66.252.2.4# cat /etc/hosts 127.0.0.1 localhost localhost.fox-host.net 66.252.2.2 mother.fox-host.net mother 66.252.2.3 camel.fox-host.net camel 66.252.2.4 box.fox-host.net box - 66.252.2.4# uname -a FreeBSD mother.fox-host.net 7.0-STABLE FreeBSD 7.0-STABLE #3: Sat Aug 2 18:55:18 CDT 2008 kalle@mother.fox-host.net:/usr/obj/usr/src/sys/GENERIC i386 - Maybe you'd be willing to log onto the box yourself and boss it around a little? Cheers, Redd On Wed, Aug 6, 2008 at 10:18 PM, Bjoern A. 
Zeeb wrote: > On Wed, 6 Aug 2008, Redd Vinylene wrote: > >> I cannot seem to make identd work on a jail with multiple IPs (Bjoern >> Zeeb's patch): > > So do you have any kind of error message? packet traces or anything to > further isolate the problem rather than "does not work"? > > -- > Bjoern A. Zeeb Stop bit received. Insert coin for new game. > -- http://www.home.no/reddvinylene From reddvinylene at gmail.com Wed Aug 6 21:01:21 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Wed Aug 6 21:01:58 2008 Subject: identd on jail with multiple IPs In-Reply-To: References: <20080806201636.J88849@maildrop.int.zabbadoz.net> Message-ID: Could it be a DNS misconfiguration perhaps? On Wed, Aug 6, 2008 at 10:58 PM, Redd Vinylene wrote: > Good evening Bjoern, > > Exactly how do I do a packet trace? I could do a tcpdump -n -e -ttt -i > rl0 but I don't know how to filter out all the noise. > > But actually, identd works just fine here with the jail's first IP, > 66.252.2.4. The problem must be elsewhere. > > When I change the IP to 66.252.2.5, or any other IP besides the first, > I get errors like: > > ERROR Closing Link: 0.0.0.0 (A-banned: [AKILL ID:1212791563K-a] > [exp/idsh] Connections from this netrange are required to respond to > identd requests in order to connect to DALnet. Visit > http://kline.dal.net/exploits/ident.htm for more information. Contact > your provider if identd is not working (2008/08/04 02.07)) > > When connecting to irc.freenode.net though, it defaults back to > 66.252.2.4 no matter what IP I use. > > Maybe I've just twisted some of the basics? > > - > > The host (mother)'s rc.conf http://pastie.org/248762 (you've probably > seen that one before though) > > - > > 66.252.2.4# cat /etc/rc.conf > sshd_enable="YES" > inetd_enable="YES" > linux_enable="YES" > clear_tmp_enable="YES" > update_motd="NO" > > - > > 66.252.2.4# cat /etc/resolv.conf > # Same as the host. Perhaps it should only contain "nameserver 66.252.2.2"? 
> nameserver 69.65.17.101 > nameserver 69.65.16.102 > > - > > 66.252.2.4# cat /etc/hosts > 127.0.0.1 localhost localhost.fox-host.net > 66.252.2.2 mother.fox-host.net mother > 66.252.2.3 camel.fox-host.net camel > 66.252.2.4 box.fox-host.net box > > - > > 66.252.2.4# uname -a > FreeBSD mother.fox-host.net 7.0-STABLE FreeBSD 7.0-STABLE #3: Sat Aug > 2 18:55:18 CDT 2008 > kalle@mother.fox-host.net:/usr/obj/usr/src/sys/GENERIC i386 > > - > > Maybe you'd be willing to log onto the box yourself and boss it around a little? > > Cheers, > Redd > > On Wed, Aug 6, 2008 at 10:18 PM, Bjoern A. Zeeb > wrote: >> On Wed, 6 Aug 2008, Redd Vinylene wrote: >> >>> I cannot seem to make identd work on a jail with multiple IPs (Bjoern >>> Zeeb's patch): >> >> So do you have any kind of error message? packet traces or anything to >> further isolate the problem rather than "does not work"? >> >> -- >> Bjoern A. Zeeb Stop bit received. Insert coin for new game. >> > > > > -- > http://www.home.no/reddvinylene > -- http://www.home.no/reddvinylene From reddvinylene at gmail.com Wed Aug 6 22:54:36 2008 From: reddvinylene at gmail.com (Redd Vinylene) Date: Wed Aug 6 22:54:43 2008 Subject: identd on jail with multiple IPs In-Reply-To: References: <20080806201636.J88849@maildrop.int.zabbadoz.net> Message-ID: On Wed, Aug 6, 2008 at 11:01 PM, Redd Vinylene wrote: > Could it be a DNS misconfiguration perhaps? No it's not, I just had it confirmed. Either I got the basics wrong, or you got the patch wrong ;) Thank you so much for the help so far. Hopefully one of these days I'll be able to donate you guys a nice sum of money. Best regards, Redd -- http://www.home.no/reddvinylene From reddvinylene at gmail.com Thu Aug 7 14:47:23 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Thu Aug 7 14:47:30 2008 Subject: identd on jail with multiple IPs In-Reply-To: References: <20080806201636.J88849@maildrop.int.zabbadoz.net> Message-ID: Bjoern, How much do you need to help me? I really need to get this stuff working. My friend who runs this server is regretting ever saying yes to my suggestion, as his customers are calling him every day giving him a hard time. On Thu, Aug 7, 2008 at 12:54 AM, Redd Vinylene wrote: > On Wed, Aug 6, 2008 at 11:01 PM, Redd Vinylene wrote: >> Could it be a DNS misconfiguration perhaps? > > No it's not, I just had it confirmed. Either I got the basics wrong, > or you got the patch wrong ;) > > Thank you so much for the help so far. Hopefully one of these days > I'll be able to donate you guys a nice sum of money. > > Best regards, > Redd > > -- > http://www.home.no/reddvinylene > -- http://www.home.no/reddvinylene From mikhailg at webanoide.org Thu Aug 7 18:17:04 2008 From: mikhailg at webanoide.org (Mikhail Goriachev) Date: Thu Aug 7 18:17:10 2008 Subject: identd on jail with multiple IPs In-Reply-To: References: <20080806201636.J88849@maildrop.int.zabbadoz.net> Message-ID: <489B3C11.9000305@webanoide.org> Redd Vinylene wrote: > Good evening Bjoern, > > Exactly how do I do a packet trace? I could do a tcpdump -n -e -ttt -i > rl0 but I don't know how to filter out all the noise. > > But actually, identd works just fine here with the jail's first IP, > 66.252.2.4. The problem must be elsewhere. Just a shot in the dark. How about redirecting all IPs to the jail's primary IP with PF or similar? This might get you going - temporarily. Regards, Mikhail. -- Mikhail Goriachev Webanoide From kris at FreeBSD.org Fri Aug 8 15:36:45 2008 
From: kris at FreeBSD.org (kris@FreeBSD.org) Date: Fri Aug 8 15:36:56 2008 Subject: kern/126368: Running ktrace/kdump in jail leads to stale jails Message-ID: <200808081536.m78FaiHi073447@freefall.freebsd.org> Synopsis: Running ktrace/kdump in jail leads to stale jails Responsible-Changed-From-To: freebsd-bugs->freebsd-jail Responsible-Changed-By: kris Responsible-Changed-When: Fri Aug 8 15:36:29 UTC 2008 Responsible-Changed-Why: Looks like a simple patch to review http://www.freebsd.org/cgi/query-pr.cgi?pr=126368 From mjguzik at gmail.com Fri Aug 8 17:40:04 2008 From: mjguzik at gmail.com (Mateusz Guzik) Date: Fri Aug 8 17:40:10 2008 Subject: kern/126368: Running ktrace/kdump in jail leads to stale jails Message-ID: <200808081740.m78He4bc084276@freefall.freebsd.org> The following reply was made to PR kern/126368; it has been noted by GNATS. From: "Mateusz Guzik" To: bug-followup@freebsd.org Cc: Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails Date: Fri, 8 Aug 2008 19:30:22 +0200 Err, I made a mistake. crfree() will be called in case of failure (loop starting at line 959), so the following patch should be ok: --- sys/kern/kern_ktrace.c.orig 2008-08-08 16:37:45.000000000 +0200 +++ sys/kern/kern_ktrace.c 2008-08-08 19:25:16.000000000 +0200 @@ -933,12 +933,14 @@ error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); vrele(vp); VFS_UNLOCK_GIANT(vfslocked); - if (!error) + if (!error) { + crfree(cred); return; + } /* * If error encountered, give up tracing on this vnode. We defer * all the vrele()'s on the vnode until after we are finished walking * the various lists to avoid needlessly holding locks. */ From bz at FreeBSD.org Fri Aug 8 19:02:04 2008 
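Review bot: the crfree(cred) added inside the `if (!error)` branch releases the credential only on the success return, and nothing visible in this hunk releases it on the path that falls through into the "give up tracing on this vnode" block, so correctness depends on code outside the context shown. If cred is not used after VOP_WRITE(), consider a single crfree(cred) right after VFS_UNLOCK_GIANT(vfslocked) and before the error test, so both paths drop the reference in one place. Otherwise add a short comment at the new call naming where the error path frees it, and check any earlier return in the function that happens after the reference is taken.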
From: bz at FreeBSD.org (Bjoern A. Zeeb) Date: Fri Aug 8 19:02:10 2008 Subject: kern/126368: Running ktrace/kdump in jail leads to stale jails In-Reply-To: <200808081740.m78He4bc084276@freefall.freebsd.org> References: <200808081740.m78He4bc084276@freefall.freebsd.org> Message-ID: <20080808184224.H88849@maildrop.int.zabbadoz.net> On Fri, 8 Aug 2008, Mateusz Guzik wrote: > The following reply was made to PR kern/126368; it has been noted by GNATS. > > From: "Mateusz Guzik" > To: bug-followup@freebsd.org > Cc: > Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails > Date: Fri, 8 Aug 2008 19:30:22 +0200 > > Err, I made a mistake. crfree() will be called in case of failure > (loop starting at line 959), so the following patch should be ok: > > --- sys/kern/kern_ktrace.c.orig 2008-08-08 16:37:45.000000000 +0200 > +++ sys/kern/kern_ktrace.c 2008-08-08 19:25:16.000000000 +0200 > @@ -933,12 +933,14 @@ > error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); > VOP_UNLOCK(vp, 0, td); > vn_finished_write(mp); > vrele(vp); > VFS_UNLOCK_GIANT(vfslocked); > - if (!error) > + if (!error) { > + crfree(cred); > return; > + } that sounds more plausible w/o seeing the surrounding code. I had wondered already earlier today when I was pointed at. I'll look into this. > /* > * If error encountered, give up tracing on this vnode. We defer > * all the vrele()'s on the vnode until after we are finished walking > * the various lists to avoid needlessly holding locks. > */ > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From reddvinylene at gmail.com Sat Aug 9 12:38:33 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Sat Aug 9 12:38:39 2008 Subject: My jails just died Message-ID: My jails just died. They worked just fine yesterday and I haven't touched anything. I've tried rebooting over and over but they just won't start. jls remains empty. (root@mother)(08/09+12:25) (/usr) /etc/rc.d/jail start Configuring jails:. Starting jails: Nothing happens. I'm confused. On Sat, Aug 9, 2008 at 12:33 PM, Redd Vinylene wrote: > Man that was very, very helpful indeed. Interesting network forensics there... > > Do you have PayPal? Also, do let me know when you're in Sweden so I > can buy you a beer :-)) > > I've now come up with this question: > > - > > I got a FreeBSD server, mother (66.252.2.2). On it, I've made two > jails, camel (66.252.2.3) and box (66.252.2.4 through to > 66.252.2.127). The problem is that reverse lookups for any of the IPs > preceding .4 on box fails. If I connect to IRC with .5 for instance, > it times out and reverts back to .4, whose lookup works just fine. > BIND runs on camel. Could the problem be that BIND is not upstream for > all those IPs? (I'm not quite sure what that means though, a friend > just gave me a tip.) Maybe I must configure the reverse for each of > the IPs individually? I would really like to keep the DNS server running > on camel though, as it's dedicated to all my vital services, whereas > box is more the home of all my users, and thus expendable ;) My > (hopefully) relevant configuration files can be found here -- > http://pastie.org/250469 -- much obliged, and thanks! > > - > > Cheers! > > On Sat, Aug 9, 2008 at 12:33 AM, Bjoern A. Zeeb > wrote: >> On Fri, 8 Aug 2008, Redd Vinylene wrote: >> >> Hi, >> >>> Actually I'm not sure how to make identd to listen to all the IPs. >> >> by default it does and it looks like it does: >> tcp4 0 0 *.113 *.* LISTEN >> >> >>> There's no such option in the manuals. But ain't the problem more >>> related to the IPs? 
>>> >>> If you need access to the host as well, surely that is no problem! >> >> I wondered how your users would IRC from a non-default IP but now this >> is obvious. >> >> >> So what I did in one exterm was: >> >> (bjoern@box)(08/09+03:06) >> (~) telnet -s 66.252.2.38 66.252.2.117 22 Trying 66.252.2.117... >> Connected to 66.252.2.117. >> Escape character is '^]'. >> SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110 >> >> >> and in the other I checked netstat -an for port 22 to find the other >> port number: >> >> tcp4 0 0 66.252.2.117.22 66.252.2.38.50503 ESTABLISHED >> tcp4 0 0 66.252.2.38.50503 66.252.2.117.22 ESTABLISHED >> >> trying to remember how to speak ident (auth): >> >> (bjoern@box)(08/09+03:07) >> (~) telnet -s 66.252.2.117 66.252.2.38 113 >> Trying 66.252.2.38... >> Connected to 66.252.2.38. >> Escape character is '^]'. >> 22,50503 >> 22 , 50503 : ERROR : NO-USER >> Connection closed by foreign host. >> (bjoern@box)(08/09+03:08) >> (~) (bjoern@box)(08/09+03:08) >> (~) telnet -s 66.252.2.117 66.252.2.38 113 >> Trying 66.252.2.38... >> Connected to 66.252.2.38. >> Escape character is '^]'. >> 50503,22 >> 50503 , 22 : USERID : UNKNOWN : bjoern >> Connection closed by foreign host. >> (bjoern@box)(08/09+03:08) >> >> looks good. >> >> What I noticed was that it was responding very slowly. So next I will >> check inetd options (especially -w/-W) and if I can find obvious things >> like DNS timeouts... >> >> (~) ps axuwl | grep inetd >> root 47676 0.0 0.1 3240 1348 ?? IsJ Thu11PM 0:00.01 inetd 0 >> 1 0 44 0 select >> >> I wonder why I do not see any options there? Have you started inetd >> manually? >> >> The defaults are: >> >> (/etc/defaults) grep inetd rc.conf inetd_enable="NO" # Run the >> network daemon dispatcher (YES/NO). >> inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different >> one. 
>> inetd_flags="-wW -C 60" # Optional flags to inetd >> (bjoern@box)(08/09+03:12) >> >> and rc.conf only has: >> (/etc) grep inetd rc.conf inetd_enable="YES" >> >> It's probably okay to not rate limit and not tcpwrap it - as it is >> running. >> >> You may want to add the following to /etc/rc.conf >> inetd_flags="" >> >> >> >> Okay resolve.conf is populated as well: >> (/etc) cat resolv.conf >> >> # FreeBSD/i386 box.fox-host.net >> >> nameserver 69.65.17.101 >> >> nameserver 69.65.16.102 >> >> >> Typing netstat (without options) hangs after "box", when it starts to >> resolve the additional IPs which are not in /etc/hosts. >> >> (/etc) host -t ns 2.252.66.in-addr.arpa. Host 2.252.66.in-addr.arpa not >> found: 2(SERVFAIL) >> >> You may want to add the other IPs with some dummy values to >> /etc/hosts to temporarily most likely solve this problem. >> >> telnet 66.252.2.4 22 returns instantly from within the jail, >> telnet 66.252.2.5 22 takes ages to print the SSH "EHLO" >> >> So I guess your problem is neither with jails nor with auth(ident) but >> with something trying to do a reverse lookup (on your address) and >> timing out, timing out the ident lookups from IRC servers which should >> return almost instantly. >> >> Let me know if that helped. >> >> >> Bjoern >> >> PS: >> >> BTW. clock is way off on this box: >> Sat Aug 9 03:19:45 UTC 2008 >> but it's about >> Fri Aug 8 22:27:59 UTC 2008 >> >> -- >> Bjoern A. Zeeb Stop bit received. Insert coin for new game. >> > > > > -- > http://www.home.no/reddvinylene > -- http://www.home.no/reddvinylene From bzeeb-lists at lists.zabbadoz.net Sat Aug 9 12:45:08 2008 
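The ident (auth) exchange Bjoern walks through in the quoted reply above, as an added example that is not part of any message in the thread: building the port pair in the order identd expects from a `netstat -an` line, and parsing the two replies he got. The function names `ident_query_for`, `trim` and `ident_parse` are hypothetical; the sample addresses and replies are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# ident_query_for LOCAL FOREIGN
# LOCAL and FOREIGN are the two address columns of a FreeBSD `netstat -an`
# line ("a.b.c.d.port") as seen from the address whose identd is asked.
# RFC 1413 wants the port on the ident host first, then the port on the
# host that sends the query.
ident_query_for() {
    _lp=${1##*.} _fp=${2##*.}
    for _p in "$_lp" "$_fp"; do
        case $_p in ''|*[!0-9]*) return 1 ;; esac
    done
    printf '%s,%s\n' "$_lp" "$_fp"
}

# trim STRING: strip leading and trailing spaces.
trim() {
    _t=$1
    _t=${_t#"${_t%%[! ]*}"}
    _t=${_t%"${_t##*[! ]}"}
    printf '%s' "$_t"
}

# ident_parse REPLY: print "<ports> user <id>" or "<ports> error <code>";
# return 1 for anything that is not a well-formed reply line.
ident_parse() {
    _r=$(printf '%s' "$1" | tr -d '\r\n')
    # A reply is "<ports> : <type> : <info>", so at least two colons.
    case $_r in *:*:*) ;; *) return 1 ;; esac
    _ports=$(printf '%s' "${_r%%:*}" | tr -d ' ')
    _rest=${_r#*:}
    _type=$(trim "${_rest%%:*}")
    _info=${_rest#*:}
    case $_type in
        ERROR)
            printf '%s error %s\n' "$_ports" "$(trim "$_info")" ;;
        USERID)
            # <opsys> : <user-id>. The user-id is everything after the next
            # colon and may contain colons itself, so split only once more.
            # Surrounding spaces are stripped here for easy comparison.
            case $_info in *:*) ;; *) return 1 ;; esac
            printf '%s user %s\n' "$_ports" "$(trim "${_info#*:}")" ;;
        *)
            return 1 ;;
    esac
}

# The connection in the thread: 66.252.2.38:50503 -> 66.252.2.117:22,
# with identd asked on 66.252.2.38, then the two replies as quoted there.
ident_query_for 66.252.2.38.50503 66.252.2.117.22
ident_parse '50503 , 22 : USERID : UNKNOWN : bjoern'
ident_parse '22 , 50503 : ERROR : NO-USER'
```
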
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Sat Aug 9 12:45:14 2008 Subject: My jails just died In-Reply-To: References: Message-ID: <20080809124116.T88849@maildrop.int.zabbadoz.net> On Sat, 9 Aug 2008, Redd Vinylene wrote: Hi, > My jails just died. They worked just fine yesterday and I haven't > touched anything. what do you mean with "died"? Did the box crash and once booted, the jails were no longer started? Did you stop the jails and they didn't start again? > I've tried rebooting over and over but they just won't start. jls remains empty. This is not windows. rebooting usually does not help to solve problems unless you need to update the kernel;) > (root@mother)(08/09+12:25) > (/usr) /etc/rc.d/jail start > Configuring jails:. > Starting jails: > > Nothing happens. I'm confused. have you edited /etc/rc.conf on mother? Are the jails still configured there? -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From reddvinylene at gmail.com Sat Aug 9 18:54:17 2008 
From: reddvinylene at gmail.com (Redd Vinylene) Date: Sat Aug 9 18:54:24 2008 Subject: My jails just died In-Reply-To: <489DE501.1060106@gmail.com> References: <489DE501.1060106@gmail.com> Message-ID: Hello albinootje :) It turned out to be a combination of sendmail and a couple of mongrel processes that prevented the jails from loading properly. Bjoern Zeeb helped me identify the issue, I disabled them, and my jails went back up! Much obliged though, and have a nice day! On Sat, Aug 9, 2008 at 8:42 PM, albinootje wrote: > Redd Vinylene wrote: > >> My jails just died. They worked just fine yesterday and I haven't >> touched anything. >> >> I've tried rebooting over and over but they just won't start. jls remains >> empty. >> >> (root@mother)(08/09+12:25) >> (/usr) /etc/rc.d/jail start >> Configuring jails:. >> Starting jails: >> >> Nothing happens. I'm confused. > > could you post the output of : # grep -i jails /etc/rc.conf > and # uname -a ? > > in the meantime you can try starting just one of your jails manually > following the jail manual page, like e.g. > > jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \ > /bin/sh /etc/rc > > to narrow down the exact problem > > > -- http://www.home.no/reddvinylene From albinootje at gmail.com Sat Aug 9 19:09:00 2008 
From: albinootje at gmail.com (albinootje) Date: Sat Aug 9 19:10:13 2008 Subject: My jails just died In-Reply-To: References: Message-ID: <489DE501.1060106@gmail.com> Redd Vinylene wrote: > My jails just died. They worked just fine yesterday and I haven't > touched anything. > > I've tried rebooting over and over but they just won't start. jls remains empty. > > (root@mother)(08/09+12:25) > (/usr) /etc/rc.d/jail start > Configuring jails:. > Starting jails: > > Nothing happens. I'm confused. could you post the output of : # grep -i jails /etc/rc.conf and # uname -a ? in the meantime you can try starting just one of your jails manually following the jail manual page, like e.g. jail /data/jail/192.168.11.100 testhostname 192.168.11.100 \ /bin/sh /etc/rc to narrow down the exact problem From mjguzik at gmail.com Sun Aug 10 00:13:15 2008 From: mjguzik at gmail.com (Mateusz Guzik) Date: Sun Aug 10 00:13:45 2008 Subject: kern/126368: Running ktrace/kdump in jail leads to stale jails In-Reply-To: <20080808184224.H88849@maildrop.int.zabbadoz.net> References: <200808081740.m78He4bc084276@freefall.freebsd.org> <20080808184224.H88849@maildrop.int.zabbadoz.net> Message-ID: <20080809234717.GC13799@skucha.home.aster.pl> On Fri, Aug 08, 2008 at 06:43:38PM +0000, Bjoern A. Zeeb wrote: > >The following reply was made to PR kern/126368; it has been noted by GNATS. > > > >From: "Mateusz Guzik" > >To: bug-followup@freebsd.org > >Cc: > >Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails > >Date: Fri, 8 Aug 2008 19:30:22 +0200 > > > >Err, I made a mistake. crfree() will be called in case of failure > >(loop starting at line 959), so the following patch should be ok: > > > >--- sys/kern/kern_ktrace.c.orig 2008-08-08 16:37:45.000000000 +0200 > >+++ sys/kern/kern_ktrace.c 2008-08-08 19:25:16.000000000 +0200 
> >@@ -933,12 +933,14 @@ > > error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); > > VOP_UNLOCK(vp, 0, td); > > vn_finished_write(mp); > > vrele(vp); > > VFS_UNLOCK_GIANT(vfslocked); > >- if (!error) > >+ if (!error) { > >+ crfree(cred); > > return; > >+ } > > that sounds more plausible w/o seeing the surrounding code. I had > wondered already earlier today when I was pointed at. > > I'll look into this. > Sorry for the noise -- the first patch was right. ;) ktr_writerequest() is called multiple times and it _always_ calls crhold(), so crfree() must be called before it returns (even in case of failure). Also, in this function one can find: [..] crhold(cred) [..] if (vp == NULL) { KASSERT(cred == NULL, ("ktr_writerequest: cred != NULL")); return; } `Normal' kernel might leak credentials in this case, so I believe crfree() should be added there too. Thanks, and again, sorry for the noise. -- Mateusz Guzik -------------- next part -------------- A non-text attachment was scrubbed... Name: kern_ktrace.diff Type: text/x-diff Size: 863 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20080810/713d8f62/kern_ktrace.bin From nejc at skoberne.net Sun Aug 10 08:20:04 2008 From: nejc at skoberne.net (=?ISO-8859-2?Q?Nejc_=A9koberne?=) Date: Sun Aug 10 08:20:10 2008 Subject: kern/126368: [jail] Running ktrace/kdump in jail leads to stale jails Message-ID: <200808100820.m7A8K38E062260@freefall.freebsd.org> The following reply was made to PR kern/126368; it has been noted by GNATS. 
From: =?ISO-8859-2?Q?Nejc_=A9koberne?= To: bug-followup@FreeBSD.org, nejc@skoberne.net Cc: Subject: Re: kern/126368: [jail] Running ktrace/kdump in jail leads to stale jails Date: Sun, 10 Aug 2008 10:12:48 +0200

I have tried the submitted patch but I think it behaves strangely. I still see the stale jail, but only for about a minute after I have stopped it. After that, "jls" doesn't display the jail anymore. This about-one-minute delay is not present if I don't "ktrace" in the jail.

From nejc at skoberne.net Sun Aug 10 08:50:04 2008
From: nejc at skoberne.net (=?ISO-8859-2?Q?Nejc_=A9koberne?=) Date: Sun Aug 10 08:50:10 2008 Subject: kern/126368: [jail] Running ktrace/kdump in jail leads to stale jails Message-ID: <200808100850.m7A8o4fu065168@freefall.freebsd.org>

The following reply was made to PR kern/126368; it has been noted by GNATS.

From: =?ISO-8859-2?Q?Nejc_=A9koberne?= To: bug-followup@FreeBSD.org, nejc@skoberne.net Cc: Subject: Re: kern/126368: [jail] Running ktrace/kdump in jail leads to stale jails Date: Sun, 10 Aug 2008 10:47:51 +0200

Sorry, please ignore the previous post, my problem of "the delay" seems to be unrelated to the "ktrace-in-jail" issue. I guess this patch fixes the problem after all.

From bugmaster at FreeBSD.org Mon Aug 11 11:07:00 2008
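The reference counting behind the kern/126368 discussion above, as an added example that is not part of the thread and is not FreeBSD kernel code: a user-space C model of why a crhold() without a matching crfree() keeps a stopped jail listed. The struct layouts, the write_request_* functions and jail_refs_after() are simplified, hypothetical stand-ins; the model assumes the jail stays visible as long as any credential still references it.

```c
/* Added example: user-space model, not FreeBSD kernel code. */
#include <stdio.h>

struct prison { int pr_ref; };   /* jail; modelled as listed while pr_ref > 0 */
struct ucred  { int cr_ref; struct prison *cr_prison; };

void crhold(struct ucred *cr) { cr->cr_ref++; }

/* Dropping the last credential reference also drops its jail reference. */
void crfree(struct ucred *cr)
{
    if (--cr->cr_ref == 0 && cr->cr_prison != NULL)
        cr->cr_prison->pr_ref--;
}

/* Hypothetical stand-in for a write path that takes a reference and
 * returns without releasing it. */
void write_request_leaky(struct ucred *cred)
{
    crhold(cred);
    /* ... write the trace record using cred ... */
}

/* Balanced stand-in: one crfree() for the one crhold() before returning. */
void write_request_balanced(struct ucred *cred)
{
    crhold(cred);
    /* ... write the trace record using cred ... */
    crfree(cred);
}

/* Issue n trace writes from a jailed process, then let the process exit.
 * Returns the jail's remaining reference count (0 = jail can go away). */
int jail_refs_after(void (*write_request)(struct ucred *), int n)
{
    struct prison pr = { 1 };        /* reference owned by the credential */
    struct ucred cred = { 1, &pr };  /* reference owned by the process */
    for (int i = 0; i < n; i++)
        write_request(&cred);
    crfree(&cred);                   /* process exit drops its reference */
    return pr.pr_ref;
}

int main(void)
{
    printf("leaky:    jail refs left = %d\n", jail_refs_after(write_request_leaky, 3));
    printf("balanced: jail refs left = %d\n", jail_refs_after(write_request_balanced, 3));
    return 0;
}
```

In the leaky case the credential count never returns to zero, so the jail reference it owns is never dropped even after every process in the jail has exited.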
From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Aug 11 11:08:02 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200808111106.m7BB6xGA047231@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

9 problems total.

From alexus at gmail.com Fri Aug 15 00:44:45 2008
From: alexus at gmail.com (alexus) Date: Fri Aug 15 00:44:50 2008 Subject: kern/126368: Running ktrace/kdump in jail leads to stale jails In-Reply-To: <20080809234717.GC13799@skucha.home.aster.pl> References: <200808081740.m78He4bc084276@freefall.freebsd.org> <20080808184224.H88849@maildrop.int.zabbadoz.net> <20080809234717.GC13799@skucha.home.aster.pl> Message-ID: <6ae50c2d0808141716g5c213fe9ha688c7b544a0fb35@mail.gmail.com> where can I get latest patch? that I can apply to 7.0-RELEASE-p3 ? 2008/8/9 Mateusz Guzik : > On Fri, Aug 08, 2008 at 06:43:38PM +0000, Bjoern A. Zeeb wrote: >> >The following reply was made to PR kern/126368; it has been noted by GNATS. >> > >> >From: "Mateusz Guzik" >> >To: bug-followup@freebsd.org >> >Cc: >> >Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails >> >Date: Fri, 8 Aug 2008 19:30:22 +0200 >> > >> >Err, I made a mistake. crfree() will be called in case of failure >> >(loop starting at line 959), so the following patch should be ok: >> > >> >--- sys/kern/kern_ktrace.c.orig 2008-08-08 16:37:45.000000000 +0200 >> >+++ sys/kern/kern_ktrace.c 2008-08-08 19:25:16.000000000 +0200 
>> >@@ -933,12 +933,14 @@ >> > error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); >> > VOP_UNLOCK(vp, 0, td); >> > vn_finished_write(mp); >> > vrele(vp); >> > VFS_UNLOCK_GIANT(vfslocked); >> >- if (!error) >> >+ if (!error) { >> >+ crfree(cred); >> > return; >> >+ } >> >> that sounds more plausible w/o seeing the surrounding code. I had >> wondered already earlier today when I was pointed at. >> >> I'll look into this. >> > > Sorry for the noise -- the first patch was right. ;) > > ktr_writerequest() is called multiple times and it _always_ calls > crhold(), so crfree() must be called before it returns (even in case of > failure). > > Also, in this function one can find: > > [..] > crhold(cred) > [..] > if (vp == NULL) { > KASSERT(cred == NULL, ("ktr_writerequest: cred != NULL")); > return; > } > > `Normal' kernel might leak credentials in this case, so I believe crfree() should be added there too. > > Thanks, and again, sorry for the noise. > -- > Mateusz Guzik > > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > -- http://alexus.org/ From bugmaster at FreeBSD.org Mon Aug 18 11:06:52 2008 
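Review bot: crfree(cred) sits only inside the new "if (!error) { ... }" block, so whether the reference is dropped depends on the write succeeding, and the failure path relies on code outside this hunk (the loop the message places at line 959). The follow-up quoted in this thread says ktr_writerequest() always calls crhold() and must call crfree() before it returns, even on failure, so a single crfree(cred) directly after VFS_UNLOCK_GIANT(vfslocked), ahead of the error test, would be easier to verify than a release on one branch. The early "if (vp == NULL)" return quoted in the same follow-up also comes after crhold(cred) and needs the same release.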
From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Aug 18 11:08:02 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200808181106.m7IB6p5I079845@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

9 problems total.

From bugmaster at FreeBSD.org Mon Aug 25 11:06:53 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Aug 25 11:08:09 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200808251106.m7PB6q6F027795@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai

3 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

9 problems total.

From nejc at skoberne.net Fri Aug 29 16:22:23 2008
From: nejc at skoberne.net (=?ISO-8859-2?Q?Nejc_=A9koberne?=) Date: Fri Aug 29 16:22:30 2008 Subject: Error on wiki page? Message-ID: <48B81FCC.40104@skoberne.net>

Hello,

on Jails wiki page [http://wiki.freebsd.org/Jails] there seems to be an error:

"If you need to use ping inside jail, you must have jail_socket_unixiproute_only="NO" in hosts rc.conf."

For me, this doesn't work. I have to turn on raw sockets (security.jail.allow_raw_sockets) in order to be able to use ping in jail.

Or am I missing something?

Thanks,
Nejc

From 000.fbsd at quip.cz Fri Aug 29 16:55:49 2008
From: 000.fbsd at quip.cz (Miroslav Lachman) Date: Fri Aug 29 16:55:56 2008 Subject: Error on wiki page? In-Reply-To: <48B81FCC.40104@skoberne.net> References: <48B81FCC.40104@skoberne.net> Message-ID: <48B82A30.1070405@quip.cz>

Nejc Škoberne wrote:
> Hello,
>
> on Jails wiki page [http://wiki.freebsd.org/Jails] there seems to be an error:
>
> "If you need to use ping inside jail, you must have jail_socket_unixiproute_only="NO" in hosts rc.conf."
>
> For me, this doesn't work. I have to turn on raw sockets (security.jail.allow_raw_sockets)
> in order to be able to use ping in jail.
>
> Or am I missing something?

You are right, I fixed it.

Miroslav Lachman

From jack at crepinc.com Sun Aug 31 04:12:13 2008
From: jack at crepinc.com (Jack C) Date: Sun Aug 31 04:12:21 2008 Subject: Building with Jail Patches Message-ID: <2ad0f9f60808302043i5ea4c20eoa83469f655020a9@mail.gmail.com>

Greetings all,

I apologize in advance for anything stupid I overlooked; I tried to search as best I could for answers before wasting your time.

I've been trying to compile resource controls into jails for about the past week. No matter how hard I try, I always seem to run into some issue. I started by finding Chris Jones' Summer of Code patches, and attempting them against 6.0 to no avail. In reading archives of this list, I found the 7.0 memory control patch and tried that as well. Can anyone point out what I'm doing wrong?

I installed this machine straight from 6.0 ISOs. No cvsup was performed.

---
bsd6laptop# uname -a
FreeBSD bsd6laptop.66fruit.com 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005 root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
bsd6laptop# [apply the changes detailed in docs/INSTALL (without error)]
bsd6laptop# make buildworld
[... stuff working fine here ...]
===> usr.bin/elf2aout (all)
cc -O2 -fno-strict-aliasing -pipe -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -c /usr/src/usr.bin/elf2aout/elf2aout.c
/usr/src/usr.bin/elf2aout/elf2aout.c: In function `main':
/usr/src/usr.bin/elf2aout/elf2aout.c:69: error: syntax error before "phentsize"
/usr/src/usr.bin/elf2aout/elf2aout.c:120: error: `machine' undeclared (first use in this function)
/usr/src/usr.bin/elf2aout/elf2aout.c:120: error: (Each undeclared identifier is reported only once
/usr/src/usr.bin/elf2aout/elf2aout.c:120: error: for each function it appears in.)
/usr/src/usr.bin/elf2aout/elf2aout.c:123: error: `phentsize' undeclared (first use in this function)
/usr/src/usr.bin/elf2aout/elf2aout.c:129: error: `phnum' undeclared (first use in this function)
*** Error code 1

Stop in /usr/src/usr.bin/elf2aout.
*** Error code 1
[...]
---

Similarly, I installed a 7.0 machine straight from ISO without update. I succeeded to buildworld, buildkernel and installkernel, however in single user mode when I go to installworld, I am stopped at this:

----
[...]
install-info --quiet --defsection="Programming & development tools." --defentry="* libcom_err: (com_err). A Common Error Description Library for UNIX." com_err.info /usr/share/info/dir
*** Error code 1

Stop in /usr/src/lib/libcom_err/doc
*** Error code 1
[...]
---

On the 7.0 machine, if I cvsup to RELENG_7 or RELENG_7_0 (same issue with both), the patch does not apply: (I am not amazing at patching it seems... the only way I could get it to work is to make src.old, and the patches seem to be applied there.)

---
hydra# uname -a
FreeBSD hydra.66fruit.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
hydra# grep RELENG /usr/local/etc/cvsup/src-supfile
*default release=cvs tag=RELENG_7_0
hydra# pwd
/usr
hydra# cp -R src src.old
hydra# patch < /root/jailmem.patch
[... success and such ...]
Hunk #13 succeeded at 482.
Hunk #14 succeeded at 607.
patch: **** malformed patch at line 424: diff -burN src.old/sys/kern/syscalls.c src.new/sys/kern/syscalls.c
hydra#
---

After cvsuping to the current 7 tree, I try again.

---
hydra# grep RELENG /usr/local/etc/cvsup/src-supfile
*default release=cvs tag=RELENG_7
---cvsuping takes place here without issue---
hydra# patch < /root/jailmem.patch
[... edited for brevity ...]
Patching file src.old/sys/kern/init_sysent.c using Plan A...
Hunk #1 failed at 2.
Hunk #2 succeeded at 510 with fuzz 1 (offset -1 lines).
[...]
patch: **** malformed patch at line 424: diff -burN src.old/sys/kern/syscalls.c src.new/sys/kern/syscalls.c
---

Could anyone perchance give me a condensed step-by-step as to getting the right source, patching, and compiling one of the resource patches out there?

Sorry again for the long mail.

Thanks,

-Jack Carrozzo