From bzeeb-lists at lists.zabbadoz.net Mon Dec 1 01:45:09 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Dec 1 01:45:16 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
Message-ID: <20081201085229.D80401@maildrop.int.zabbadoz.net>

Hi,

as you may have already noticed multi-IPv4/v6/no-IP jails have hit
HEAD. See commit message attached.

The bad news first: expect an update on the rc script to make the more
obscure rc features like configuring IPs on interfaces when starting
jails and giving a possible netmask work with multiple IPs and IPv6.

The good news: In case you do not use those features or still only use
one IP per jail everything should just work fine and there are no
changes needed.

More news: In case you want to use multiple IPs or a mix of v4 and v6
addresses you just give them as a comma separated list on both the
command line or in rc.conf like:

    jail / example 192.0.2.250,2001:db8::75,2001:db8::99,2001:db8::55,2001:db8::14,192.0.2.254 /bin/sh

or:

    jail_example_ip="192.0.2.2,2001:db8::2,2001:db8::1,2001:db8::4,2001:db8::13,192.0.2.3"

In case you do want to start a jail without any IP, give an empty
argument on command line:

    jail / noip.example.net "" /bin/sh

Additionally you can give a jail a name now using the -n option:

    jail -n "bz's private noip jail" / noip.example.net "" /bin/sh

You may not want to use special characters or whitespace but it is
just a string, so you can. There are no restrictions and even 10 jails
could have the same name. The jail (inside) cannot change the name.
It's set upon jail creation and unchangeable from then on.

What else is new: the -h option to jail makes it resolve the hostname
to IP addresses and will merge those to the jail IPs. Note: that this
can give you unexpected results on the primary jail IP. See jail(8) for
more information.

jls tries to be as backward compatible as possible.
That means it will only show one IPv4 if called as `jls`; obviously
this won't work well for no-IP or IPv6-only jails. This was done to try
to not confuse scripts people have in their classic setups.

jls -v will give you the full information, including:
- state: usually ACTIVE.
- in case you also give '-a' you will also see jails in other states,
  for example jails hanging around waiting for a socket to timeout but
  with no processes left after it was stopped; it will say DYING.
- Every jail gets its own cpuset inherited from the process that
  started the jail. You can list, etc the mask by jail id:
      cpuset -g -j 8
  or by set id:
      cpuset -g -s 5
  Or even change it if you want. Threads within jails should be able
  to further restrict themselves even within the jail but nothing
  outside their scope.
  See the cpuset manpages for further information.

The IPs will be listed in the following order: the primary IP per AF
which is the first IP of that AF given to the jail command and then
they should be sorted in ascending order.

jexec now takes the optional jail name to attach to a jail but will
refuse to do anything if the jail cannot be uniquely identified. In
case you use the jail name you have to give an empty argument for the
jail id like:

    jexec -n "bz's private noip jail" "" /bin/sh

You can also give both jail name and jail ID and both will have to
match, else it will complain. Obviously only giving the jail id still
works. The -h hostname option is gone again. You should use the jail
name for management purposes now.

A sample full jls output (admittedly a bit ugly this way):

sun$ jls -av
   JID  Hostname                Path              Name                     State
        CPUSetID
        IP Address(es)
    21  sun                     /                 hangtest                 DYING
        6
        192.0.2.99
     8  noip.example.net        /                 bz's private noip jail   ALIVE
        5
     3  j3.sunny.example.net    /local/jails/j1                            ALIVE
        4
        2001:db8::5
     2  j2.sunny.example.net    /local/jails/j1                            ALIVE
        3
        192.0.2.1
     1  j1.sunny.example.net    /local/jails/j1                            ALIVE
        2
        192.0.2.2
        192.0.2.3
        2001:db8::2
        2001:db8::1
        2001:db8::4
        2001:db8::13

In case you have more questions the man pages do not address, or
problem, etc. please follow-up to freebsd-jail@ .

Regards,
Bjoern

PS: the MFC question was answered in the commit message so do not ask.

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

---------- Forwarded message ----------
Date: Sat, 29 Nov 2008 14:32:14 +0000 (UTC)
Subject: svn commit: r185435 - in head: lib/libc/sys lib/libkvm share/man/man4 sys/compat/freebsd32 sys/kern sys/net sys/netinet sys/netinet6 sys/security/mac_bsdextended sys/sys usr.bin/cpuset usr.sbin/jai...

Author: bz
Date: Sat Nov 29 14:32:14 2008
New Revision: 185435
URL: http://svn.freebsd.org/changeset/base/185435

Log:
MFp4:
  Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addition to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved
where possible: for jail v1 syscalls, as well as with user space
management utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the aforementioned and in kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
  and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
  help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
  suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
  on cluster machines as well as all the testers and people
  who provided feedback the last months on freebsd-jail and
  other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by:  (see above)
MFC after:    3 months (this is just so that I get the mail)
X-MFC Before: 7.2-RELEASE if possible

From stb at lassitu.de Mon Dec 1 02:56:31 2008
From: stb at lassitu.de (Stefan Bethke)
Date: Mon Dec 1 02:56:37 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081201085229.D80401@maildrop.int.zabbadoz.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net>
Message-ID: <688EA2E2-DA27-4DD3-BD76-150551BB3268@lassitu.de>

On 01.12.2008 at 10:41, Bjoern A. Zeeb wrote:

> as you may have already noticed multi-IPv4/v6/no-IP jails have hit
> HEAD. See commit message attached.

Thank you and everyone who worked so hard on this for so long!

I shall proceed to put this into production this year, if I find the
time before xmas to move the 10-odd jails over to a new set of
machines :-)

Stefan

--
Stefan Bethke Fon +49 170 346 0140

From bugmaster at FreeBSD.org Mon Dec 1 03:06:58 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 1 03:08:25 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200812011106.mB1B6vUs052589@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From Alexander at Leidinger.net Mon Dec 1 03:46:49 2008
From: Alexander at Leidinger.net (Alexander Leidinger)
Date: Mon Dec 1 03:47:00 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081201085229.D80401@maildrop.int.zabbadoz.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net>
Message-ID: <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>

Quoting "Bjoern A. Zeeb" (from Mon, 1 Dec 2008 09:41:46 +0000 (UTC)):

> Hi,
>
> as you may have already noticed multi-IPv4/v6/no-IP jails have hit
> HEAD. See commit message attached.

Will this introduce changes how multicast is handled in jails, or is
it the same behavior as before (whatever the previous behavior was).

> Additionally you can give a jail a name now using the -n option:
> jail -n "bz's private noip jail" / noip.example.net "" /bin/sh
> You may not want to use special characters or whitespace but it is
> just a string, so you can. There are no restrictions and even 10 jails
> could have the same name. The jail (inside) cannot change the name.
> It's set upon jail creation and unchangeable from then on.

Is this private name visible inside the jail (I don't need this
feature, so I don't care, but people should know so that they don't
put offensive stuff there in case it is visible inside)?

Bye,
Alexander.

--
Since we cannot hope for order, let us withdraw with style from the
chaos. -- Tom Stoppard
http://www.Leidinger.net   Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org     netchild @ FreeBSD.org : PGP ID = 72077137

From alexus at gmail.com Tue Dec 2 18:33:05 2008
From: alexus at gmail.com (alexus)
Date: Tue Dec 2 18:33:12 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>
Message-ID: <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>

as far as I understood HEAD is 8.0-CURRENT

is there a way for us to start using it before 8.0 hits -RELEASE
which according to freebsd.org will be in june 2009, which we all know
how accurate their schedule is, so, my guess is very well Q4 of 2009 (if we
lucky), I somehow was under impression (and i guess i was wrong) that
it will come out in 7.1, I have a server that needs to be migrated and
really doing so without multi ip patch will be a really big .........

--
http://alexus.org/

From peterjeremy at optushome.com.au Thu Dec 4 19:46:29 2008
From: peterjeremy at optushome.com.au (Peter Jeremy)
Date: Thu Dec 4 19:46:36 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
Message-ID: <20081204190848.GG58682@server.vk2pj.dyndns.org>

On 2008-Dec-02 21:00:23 -0500, alexus wrote:
>as far as I understood HEAD is 8.0-CURRENT

Yes.

>is there a way for us to start using it before 8.0 hits -RELEASE

There are two ways. The first is:
1) Checkout a copy of the HEAD src tree via your chosen source tracker
   (cvs/cvsup/ctm/...)
2) Follow the instructions in /usr/src/UPDATING to build and install
3) Test well on a non-production box in as close to your production
   environment as possible. Be prepared to feed back problems and
   test fixes.
4) Once you are satisfied that it works for you, place it in production.

This is basically the same as any other FreeBSD release except that you
should test more rigorously.

Your second option is to take the patches from r185435 and apply them
to your 7.x source tree. This may take some massaging (I'm not sure
how much 7 and 8 differ in the affected areas). bz@ may be interested
in your experiences. Then test and roll-out as above.

>lucky), I somehow was under impression (and i guess i was wrong) that
>it will come out in 7.1,

It's far too late for any new features in 7.1 but the commit log says
it should be in 7.2.

--
Peter Jeremy
Please excuse any delays as the result of my ISP's inability to implement
an MTA that is either RFC2821-compliant or matches their claimed behaviour.

From bzeeb-lists at lists.zabbadoz.net Fri Dec 5 01:15:09 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Fri Dec 5 01:15:22 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081204190848.GG58682@server.vk2pj.dyndns.org>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <20081204190848.GG58682@server.vk2pj.dyndns.org>
Message-ID: <20081205085902.K80401@maildrop.int.zabbadoz.net>

On Fri, 5 Dec 2008, Peter Jeremy wrote:

Hi,

> On 2008-Dec-02 21:00:23 -0500, alexus wrote:
>> as far as I understood HEAD is 8.0-CURRENT
>
> Yes.
>
>> is there a way for us to start using it before 8.0 hits -RELEASE
>
> There are two ways. The first is:
> 1) Checkout a copy of the HEAD src tree via your chosen source tracker
>    (cvs/cvsup/ctm/...)
> 2) Follow the instructions in /usr/src/UPDATING to build and install
> 3) Test well on a non-production box in as close to your production
>    environment as possible. Be prepared to feed back problems and
>    test fixes.
> 4) Once you are satisfied that it works for you, place it in production.
>
> This is basically the same as any other FreeBSD release except that you
> should test more rigorously.

That's for running HEAD. I would be careful doing this on a production
system if one does not know what one is really doing when doing this;)

> Your second option is to take the patches from r185435 and apply them
> to your 7.x source tree. This may take some massaging (I'm not sure
> how much 7 and 8 differ in the affected areas). bz@ may be interested
> in your experiences. Then test and roll-out as above.

There is difference, though not much.
Thus just taking the patch won't work but the solution was posted
like 2 weeks ago:
http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000615.html
Look for where it says "RELENG_7".

>> lucky), I somehow was under impression (and i guess i was wrong) that
>> it will come out in 7.1,
>
> It's far too late for any new features in 7.1 but the commit log says
> it should be in 7.2.

Yupp that's the plan. And the reason it will not be in 7.1-RELEASE is
that no one provided the needed bribing money. See
http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000619.html
(not serious here). It's been just too late.

Regards,
Bjoern

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From bseklecki at collaborativefusion.com Fri Dec 5 05:52:58 2008
From: bseklecki at collaborativefusion.com (Brian A. Seklecki)
Date: Fri Dec 5 05:53:04 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
Message-ID: <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>

On Tue, 2008-12-02 at 21:00 -0500, alexus wrote:
> as far as I understood HEAD is 8.0-CURRENT

The trick is to bribe the right people to get it RFP'd into 7.2R. :)

~BAS

--
Brian A. Seklecki
Collaborative Fusion, Inc.

From des at des.no Fri Dec 5 12:04:56 2008
From: des at des.no (Dag-Erling Smørgrav)
Date: Fri Dec 5 12:05:07 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> (Brian A. Seklecki's message of "Fri, 05 Dec 2008 13:26:14 +0000")
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
Message-ID: <86skp2l804.fsf@ds4.des.no>

"Brian A. Seklecki" writes:
> alexus writes:
> > as far as I understood HEAD is 8.0-CURRENT
> The trick is to bribe the right people to get it RFP'd into 7.2R. :)

The question is, does it change existing behavior, or just add new
functionality? If the former, it should not be MFCed.

DES
--
Dag-Erling Smørgrav - des@des.no

From bseklecki at collaborativefusion.com Fri Dec 5 12:05:36 2008
From: bseklecki at collaborativefusion.com (Brian A. Seklecki)
Date: Fri Dec 5 12:05:48 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <86skp2l804.fsf@ds4.des.no>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no>
Message-ID: <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>

On Fri, 2008-12-05 at 20:47 +0100, Dag-Erling Smørgrav wrote:
> The question is, does it change existing behavior, or just add new
> functionality?

The syntax semantics should be backward compatible, so likely the
latter.

--
Brian A. Seklecki
Collaborative Fusion, Inc.

From bugmaster at FreeBSD.org Mon Dec 8 03:06:58 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 8 03:08:17 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200812081106.mB8B6vId014302@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From bzeeb-lists at lists.zabbadoz.net Thu Dec 11 14:15:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Dec 11 14:15:14 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <49418BD9.8080105@h3q.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com>
Message-ID: <20081211221113.S97918@maildrop.int.zabbadoz.net>

On Thu, 11 Dec 2008, Philipp Wuensche wrote:

Hi,

> Brian A. Seklecki wrote:
>> On Fri, 2008-12-05 at 20:47 +0100, Dag-Erling Smørgrav wrote:
>>> The question is, does it change existing behavior, or just add new
>>> functionality?
>>
>> The syntax semantics should be backward compatible, so likely the
>> latter.
>
> Not entirely true, the jls output is totally different than before and
> breaks third-party applications like jailaudit and ezjail.

This is only true if you use any of the new features. In case you use
single-IPv4 jails as before there should be absolutely no change in the
output format.

/bz

PS: I trimmed the CC: list as no one was able to adhere to Reply-To.

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

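Added example (not part of any message in this thread, and not FreeBSD
code): a model of the address-list handling described in the HEADS UP
announcement at the top of the thread, covering the comma-separated
mixed IPv4/IPv6 list, the empty string for a no-IP jail, and the
per-address-family listing order. All function names are hypothetical;
the duplicate check and primary_changed() are this example's own
additions for reviewing an rc.conf change.

```python
"""Model of the jail IP list rules from the r185435 announcement.

Assumptions: names are hypothetical; the ordering rule is the one the
announcement states (per address family the first address given is the
primary, the remaining ones are listed in ascending order).
"""
import ipaddress

# Constructed from the rc.conf line quoted in the announcement.
RC_CONF_SAMPLE = ("192.0.2.2,2001:db8::2,2001:db8::1,"
                  "2001:db8::4,2001:db8::13,192.0.2.3")


def parse_jail_ips(spec):
    """Split a jail IP argument into (ipv4_list, ipv6_list), input order kept.

    An empty string means a no-IP jail and yields two empty lists.
    Raises ValueError for a malformed item or (this example's own check)
    an address that appears twice.
    """
    v4, v6, seen = [], [], set()
    if spec.strip() == "":
        return v4, v6
    for item in spec.split(","):
        addr = ipaddress.ip_address(item.strip())  # ValueError if malformed
        if addr in seen:
            raise ValueError(f"duplicate address: {addr}")
        seen.add(addr)
        (v4 if addr.version == 4 else v6).append(addr)
    return v4, v6


def listing_order(addrs):
    """Primary (first given) stays first, the rest sorted ascending."""
    if not addrs:
        return []
    return [addrs[0]] + sorted(addrs[1:])


def jail_ip_plan(spec):
    """Summarise what a spec means: primaries and the listing order."""
    v4, v6 = parse_jail_ips(spec)
    return {
        "primary_v4": str(v4[0]) if v4 else None,
        "primary_v6": str(v6[0]) if v6 else None,
        "listed": [str(a) for a in listing_order(v4) + listing_order(v6)],
    }


def primary_changed(old_spec, new_spec):
    """Return which primaries differ between two specs.

    Reordering a list keeps the same set of addresses but can move a
    different address into the primary slot, which a plain diff of the
    address sets would not reveal.
    """
    old, new = jail_ip_plan(old_spec), jail_ip_plan(new_spec)
    return [k for k in ("primary_v4", "primary_v6") if old[k] != new[k]]


if __name__ == "__main__":
    print(jail_ip_plan(RC_CONF_SAMPLE))
    print(jail_ip_plan(""))  # no-IP jail
    print(primary_changed("192.0.2.2,192.0.2.3", "192.0.2.3,192.0.2.2"))
```

For RC_CONF_SAMPLE the "listed" order matches the address order shown
for jail 1 in the sample jls -av output in the announcement.
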
From cryx-freebsd at h3q.com Thu Dec 11 14:20:12 2008
From: cryx-freebsd at h3q.com (Philipp Wuensche)
Date: Thu Dec 11 14:20:31 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
Message-ID: <49418BD9.8080105@h3q.com>

Brian A. Seklecki wrote:
> On Fri, 2008-12-05 at 20:47 +0100, Dag-Erling Smørgrav wrote:
>> The question is, does it change existing behavior, or just add new
>> functionality?
>
> The syntax semantics should be backward compatible, so likely the
> latter.

Not entirely true, the jls output is totally different than before and
breaks third-party applications like jailaudit and ezjail.

It is uneasy to parse too.

greetings,
Philipp

From cryx-freebsd at h3q.com Thu Dec 11 14:30:29 2008
From: cryx-freebsd at h3q.com (Philipp Wuensche)
Date: Thu Dec 11 14:30:41 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081211221113.S97918@maildrop.int.zabbadoz.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com> <20081211221113.S97918@maildrop.int.zabbadoz.net>
Message-ID: <49419482.2040502@h3q.com>

Bjoern A. Zeeb wrote:
> On Thu, 11 Dec 2008, Philipp Wuensche wrote:
>
> Hi,
>
>> Brian A. Seklecki wrote:
>>> On Fri, 2008-12-05 at 20:47 +0100, Dag-Erling Smørgrav wrote:
>>>> The question is, does it change existing behavior, or just add new
>>>> functionality?
>>>
>>> The syntax semantics should be backward compatible, so likely the
>>> latter.
>>
>> Not entirely true, the jls output is totally different than before and
>> breaks third-party applications like jailaudit and ezjail.
>
> This is only true if you use any of the new features. In case you use
> single-IPv4 jails as before there should be absolutely no change in the
> output format.

Why do I get the new jls output then when I only use one ipaddr. for a
jail and none of the new features at all?

> PS: I trimmed the CC: list as no one was able to adhere to Reply-To.

freebsd-current should be in the CC as the discussion is if it is MFCd
and let loose to 7.2R

greetings,
Philipp

From des at des.no Thu Dec 11 14:32:54 2008
From: des at des.no (Dag-Erling Smørgrav)
Date: Thu Dec 11 14:33:10 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <49418BD9.8080105@h3q.com> (Philipp Wuensche's message of "Thu, 11 Dec 2008 22:53:29 +0100")
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com>
Message-ID: <867i66s5pn.fsf@ds4.des.no>

Philipp Wuensche writes:
> Not entirely true, the jls output is totally different than before and
> breaks third-party applications like jailaudit and ezjail.
>
> It is uneasy to parse too.

    jls | tail -n +3 | while read -r line ; do
        # split the line into positional parameters
        set -- $line
        if [ $# = 3 ] ; then
            # three fields: a jail line
            echo "jail $1 (name $2 root $3) IPs:"
        elif [ $# = 1 ] ; then
            # one field: an address line
            echo " $1"
        else
            echo "huh?"
        fi
    done

DES
--
Dag-Erling Smørgrav - des@des.no

From bzeeb-lists at lists.zabbadoz.net Thu Dec 11 14:50:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Dec 11 14:50:13 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <49419482.2040502@h3q.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com> <20081211221113.S97918@maildrop.int.zabbadoz.net> <49419482.2040502@h3q.com>
Message-ID: <20081211224737.B97918@maildrop.int.zabbadoz.net>

On Thu, 11 Dec 2008, Philipp Wuensche wrote:

Hi,

>>> Not entirely true, the jls output is totally different than before and
>>> breaks third-party applications like jailaudit and ezjail.
>>
>> This is only true if you use any of the new features. In case you use
>> single-IPv4 jails as before there should be absolutely no change in the
>> output format.
>
> Why do I get the new jls output then when I only use one ipaddr. for a
> jail and none of the new features at all?

What are you using? The version from HEAD or are you running a patch
on either HEAD or 7 and if so from when?

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From cryx-freebsd at h3q.com Thu Dec 11 14:52:31 2008
From: cryx-freebsd at h3q.com (Philipp Wuensche)
Date: Thu Dec 11 14:52:44 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081211224737.B97918@maildrop.int.zabbadoz.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com> <20081211221113.S97918@maildrop.int.zabbadoz.net> <49419482.2040502@h3q.com> <20081211224737.B97918@maildrop.int.zabbadoz.net>
Message-ID: <494199AD.2060404@h3q.com>

Bjoern A. Zeeb wrote:
> On Thu, 11 Dec 2008, Philipp Wuensche wrote:
>
> Hi,
>
>>>> Not entirely true, the jls output is totally different than before and
>>>> breaks third-party applications like jailaudit and ezjail.
>>>
>>> This is only true if you use any of the new features. In case you use
>>> single-IPv4 jails as before there should be absolutely no change in the
>>> output format.
>>
>> Why do I get the new jls output then when I only use one ipaddr. for a
>> jail and none of the new features at all?
>
> What are you using? The version from HEAD or are you running a patch
> on either HEAD or 7 and if so from when?

The version from HEAD without any patches.
 * $FreeBSD: src/usr.sbin/jls/jls.c,v 1.7 2008/12/11 01:04:25 bz Exp $

greetings,
philipp

From andrew at modulus.org Thu Dec 11 14:53:56 2008
From: andrew at modulus.org (Andrew Snow)
Date: Thu Dec 11 14:54:13 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <867i66s5pn.fsf@ds4.des.no>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com> <867i66s5pn.fsf@ds4.des.no>
Message-ID: <494195E6.8000409@modulus.org>

I patched my jls to output the list of jails in XML & CSV format.
Makes things a lot nicer to script with. Might be worth doing for
everyone.

- Andrew

From bzeeb-lists at lists.zabbadoz.net Thu Dec 11 15:20:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Dec 11 15:20:18 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <494199AD.2060404@h3q.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com> <20081211221113.S97918@maildrop.int.zabbadoz.net> <49419482.2040502@h3q.com> <20081211224737.B97918@maildrop.int.zabbadoz.net> <494199AD.2060404@h3q.com>
Message-ID: <20081211231422.T97918@maildrop.int.zabbadoz.net>

On Thu, 11 Dec 2008, Philipp Wuensche wrote:

Hi,

ok, after another round of private mails I got it; I had been living
with jail patches for too long; the jls output (without -v) should be
on one line and not on two. That wasn't intended. Unfortunately no one
had complained the months before.. I'll look at this.

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From bzeeb-lists at lists.zabbadoz.net Sun Dec 14 03:25:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Dec 14 03:25:14 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081211231422.T97918@maildrop.int.zabbadoz.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net> <20081201122937.81475f0zhfsjya4o@webmail.leidinger.net> <6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com> <1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <86skp2l804.fsf@ds4.des.no> <1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> <49418BD9.8080105@h3q.com> <20081211221113.S97918@maildrop.int.zabbadoz.net> <49419482.2040502@h3q.com> <20081211224737.B97918@maildrop.int.zabbadoz.net> <494199AD.2060404@h3q.com> <20081211231422.T97918@maildrop.int.zabbadoz.net>
Message-ID: <20081214112145.O97918@maildrop.int.zabbadoz.net>

On Thu, 11 Dec 2008, Bjoern A. Zeeb wrote:

Hi,

> ok, after another round of private mails I got it; I had been living
> with jail patches for too long; the jls output (without -v) should be
> on one line and not on two. That wasn't intended. Unfortunately no one
> had complained the months before.. I'll look at this.

can you try this patch?
http://people.freebsd.org/~bz/20081214-01-jls-v1.diff

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From cryx-freebsd at h3q.com  Sun Dec 14 04:37:15 2008
From: cryx-freebsd at h3q.com (Philipp Wuensche)
Date: Sun Dec 14 04:37:27 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <20081214112145.O97918@maildrop.int.zabbadoz.net>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net>
	<20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>
	<6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
	<1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<86skp2l804.fsf@ds4.des.no>
	<1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<49418BD9.8080105@h3q.com>
	<20081211221113.S97918@maildrop.int.zabbadoz.net>
	<49419482.2040502@h3q.com>
	<20081211224737.B97918@maildrop.int.zabbadoz.net>
	<494199AD.2060404@h3q.com>
	<20081211231422.T97918@maildrop.int.zabbadoz.net>
	<20081214112145.O97918@maildrop.int.zabbadoz.net>
Message-ID: <4944FDF8.4070803@h3q.com>

Bjoern A. Zeeb wrote:
> On Thu, 11 Dec 2008, Bjoern A. Zeeb wrote:
>
> Hi,
>
>> ok, after another round of private mails I got it; I had been living
>> with jail patches for too long; the jls output (without -v) should be
>> on one line and not on two. That wasn't intended. Unfortunately no one
>> had complained the months before.. I'll look at this.
>
> can you try this patch?
> http://people.freebsd.org/~bz/20081214-01-jls-v1.diff

Works for me, jls without arguments now gives the old output, -v shows
all the new features!

thanks!

greetings,
Philipp

From bzeeb-lists at lists.zabbadoz.net  Sun Dec 14 09:05:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Dec 14 09:05:20 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <4944FDF8.4070803@h3q.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net>
	<20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>
	<6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
	<1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<86skp2l804.fsf@ds4.des.no>
	<1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<49418BD9.8080105@h3q.com>
	<20081211221113.S97918@maildrop.int.zabbadoz.net>
	<49419482.2040502@h3q.com>
	<20081211224737.B97918@maildrop.int.zabbadoz.net>
	<494199AD.2060404@h3q.com>
	<20081211231422.T97918@maildrop.int.zabbadoz.net>
	<20081214112145.O97918@maildrop.int.zabbadoz.net>
	<4944FDF8.4070803@h3q.com>
Message-ID: <20081214165921.N97918@maildrop.int.zabbadoz.net>

On Sun, 14 Dec 2008, Philipp Wuensche wrote:

Hi,

>>> ok, after another round of private mails I got it; I had been living
>>> with jail patches for too long; the jls output (without -v) should be
>>> on one line and not on two. That wasn't intended. Unfortunately no one
>>> had complained the months before.. I'll look at this.
>>
>> can you try this patch?
>> http://people.freebsd.org/~bz/20081214-01-jls-v1.diff
>
> Works for me, jls without arguments now gives the old output, -v shows
> all the new features!

Thanks for testing. Committed it to HEAD.

/bz

--
Bjoern A. Zeeb      The greatest risk is not taking one.

From bugmaster at FreeBSD.org  Mon Dec 15 03:06:54 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 15 03:08:23 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200812151106.mBFB6smV004376@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From bseklecki at collaborativefusion.com  Mon Dec 15 09:57:35 2008
From: bseklecki at collaborativefusion.com (Brian A. Seklecki)
Date: Mon Dec 15 09:57:52 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <49418BD9.8080105@h3q.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net>
	<20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>
	<6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
	<1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<86skp2l804.fsf@ds4.des.no>
	<1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<49418BD9.8080105@h3q.com>
Message-ID: <1229363854.1722.39.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>

On Thu, 2008-12-11 at 22:53 +0100, Philipp Wuensche wrote:
> Not entirely true, the jls output is totally different than before and
> breaks third-party applications like jailaudit and ezjail.

Right, well, whether they check for VERSION > 70200x or 80000, the
format is likely to change.

Once everything has been sorted out, they can add support now, push out
the updates, and the version in common use will be forward/backward
compatible.

Whatever we have to do to light a fire there -- I just don't want
ezjail-admin compatibility to be a showstopper on this.

>
> It is uneasy to parse too.

--
Brian A. Seklecki
Collaborative Fusion, Inc.

From bzeeb-lists at lists.zabbadoz.net  Mon Dec 15 11:55:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Dec 15 11:55:25 2008
Subject: HEADS UP: r185435 multi-IPv4/v6/no-IP jails in HEAD
In-Reply-To: <1229363854.1722.39.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
References: <20081201085229.D80401@maildrop.int.zabbadoz.net>
	<20081201122937.81475f0zhfsjya4o@webmail.leidinger.net>
	<6ae50c2d0812021800x791d2cfeh45d590de120f76df@mail.gmail.com>
	<1228483574.2805.499.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<86skp2l804.fsf@ds4.des.no>
	<1228507529.2805.539.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
	<49418BD9.8080105@h3q.com>
	<1229363854.1722.39.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
Message-ID: <20081215194716.M97918@maildrop.int.zabbadoz.net>

On Mon, 15 Dec 2008, Brian A. Seklecki wrote:

> On Thu, 2008-12-11 at 22:53 +0100, Philipp Wuensche wrote:
>> Not entirely true, the jls output is totally different than before and
>> breaks third-party applications like jailaudit and ezjail.
>
> Right, well, whether they check for VERSION > 70200x or 80000, the
> format is likely to change.
>
> Once everything has been sorted out, they can add support now, push out
> the updates, and the version in common use will be forward/backward
> compatible.
>
> Whatever we have to do to light a fire there -- I just don't want
> ezjail-admin compatibility to be a showstopper on this.

Two comments: the format as is, is most likely to stay for the lifetime
of the 7.x branch once things are MFCed.
For 8 with vimage and we'll get an entirely new management interface for
all this.

/bz

PS: yes, I know rc.d/jail foo still needs integration. Has anyone
tested what was posted?

--
Bjoern A. Zeeb      The greatest risk is not taking one.

From Albert.Shih at obspm.fr  Wed Dec 17 13:20:04 2008
From: Albert.Shih at obspm.fr (Albert Shih)
Date: Wed Dec 17 13:20:09 2008
Subject: Nagios & Jail
Message-ID: <20081217210542.GA25347@obspm.fr>

Hi all.

I'm trying to install a nagios server in a jail.

I've a problem with check_ping.

[root@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5
CRITICAL - You need more args!!!
Could not open pipe:

So I think it's become the "ping problem". So I put

sysctl -w security.jail.allow_raw_sockets=1

in the host-jail-server.

In the jail I can make a ping but the nagios check_ping doesn't work.

Has anyone successfully installed a nagios server in a jail?

Regards.
--
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26
Local time:
Wed 17 Dec 2008 22:02:55 CET

From bzeeb-lists at lists.zabbadoz.net  Wed Dec 17 13:30:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Dec 17 13:30:17 2008
Subject: Nagios & Jail
In-Reply-To: <20081217210542.GA25347@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
Message-ID: <20081217212740.I97918@maildrop.int.zabbadoz.net>

On Wed, 17 Dec 2008, Albert Shih wrote:

Hi,

> I'm trying to install a nagios server in a jail.
>
> I've a problem with check_ping.
>
> [root@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5
> CRITICAL - You need more args!!!
> Could not open pipe:
>
> So I think it's become the "ping problem". So I put
>
> sysctl -w security.jail.allow_raw_sockets=1
>
> in the host-jail-server.
>
> In the jail I can make a ping but the nagios check_ping doesn't work.
>
> Has anyone successfully installed a nagios server in a jail?

so do you know what check_ping is trying to do? Does it give you an
error message? Anything?

/bz

--
Bjoern A. Zeeb      The greatest risk is not taking one.

From scheidell at secnap.net  Wed Dec 17 13:40:42 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Wed Dec 17 13:40:54 2008
Subject: Nagios & Jail
In-Reply-To: <20081217210542.GA25347@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
Message-ID: <49496DCC.8060600@secnap.net>

hmm we have it working, let me see how.

Albert Shih wrote:
> Hi all.
>
> I'm trying to install a nagios server in a jail.
>

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From spry at anarchy.in.the.ph  Wed Dec 17 19:00:20 2008
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Wed Dec 17 19:00:27 2008
Subject: Nagios & Jail
In-Reply-To: <20081217210542.GA25347@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
Message-ID:

On Thu, Dec 18, 2008 at 5:05 AM, Albert Shih wrote:
> Hi all.
>
> I'm trying to install a nagios server in a jail.
>
> I've a problem with check_ping.
>
> [root@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5
> CRITICAL - You need more args!!!
> Could not open pipe:
>
> So I think it's become the "ping problem". So I put
>
> sysctl -w security.jail.allow_raw_sockets=1
>
> in the host-jail-server.
>
> In the jail I can make a ping but the nagios check_ping doesn't work.
>
> Has anyone successfully installed a nagios server in a jail?
>

I have.
I recall having the same problem w/ an older version of nagios. But the
recent versions should work fine. I'm using -devel tho.

> Regards.
> --
> Albert SHIH
> SIO batiment 15
> Observatoire de Paris Meudon
> 5 Place Jules Janssen
> 92195 Meudon Cedex
> Telephone: 01 45 07 76 26
> Local time:
> Wed 17 Dec 2008 22:02:55 CET
>

--
cheers
mars

From scheidell at secnap.net  Thu Dec 18 02:46:21 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Dec 18 02:46:28 2008
Subject: Nagios & Jail
In-Reply-To: <20081217212740.I97918@maildrop.int.zabbadoz.net>
References: <20081217210542.GA25347@obspm.fr>
	<20081217212740.I97918@maildrop.int.zabbadoz.net>
Message-ID: <494A29FA.3060101@secnap.net>

Try nagios 3.03.

I think they will do the trick.

Bjoern A. Zeeb wrote:
> On Wed, 17 Dec 2008, Albert Shih wrote:
>
> Hi,
>
>> I'm trying to install a nagios server in a jail.
>>

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

From Albert.Shih at obspm.fr  Thu Dec 18 03:06:13 2008
From: Albert.Shih at obspm.fr (Albert Shih)
Date: Thu Dec 18 03:06:29 2008
Subject: Nagios & Jail
In-Reply-To: <494A29FA.3060101@secnap.net>
References: <20081217210542.GA25347@obspm.fr>
	<20081217212740.I97918@maildrop.int.zabbadoz.net>
	<494A29FA.3060101@secnap.net>
Message-ID: <20081218110610.GC1653@obspm.fr>

On 18/12/2008 at 05:46:18-0500, Michael Scheidell wrote
> Try nagios 3.03.
>
> I think they will do the trick.

I'm using nagios 3.06 ... and it's not working.

Thanks for your answer.

Regards.

JAS
--
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26
Local time:
Thu 18 Dec 2008 12:05:40 CET

From scheidell at secnap.net  Thu Dec 18 03:41:55 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Dec 18 03:42:02 2008
Subject: Nagios & Jail
In-Reply-To: <20081218110610.GC1653@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
	<20081217212740.I97918@maildrop.int.zabbadoz.net>
	<494A29FA.3060101@secnap.net>
	<20081218110610.GC1653@obspm.fr>
Message-ID: <494A3700.4000300@secnap.net>

Works here (tm).

double-check these sysctls:

security.jail.socket_unixiproute_only: 1
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 1

Albert Shih wrote:
> On 18/12/2008 at 05:46:18-0500, Michael Scheidell wrote
>
>> Try nagios 3.03.
>>
>> I think they will do the trick.
>>
>
> I'm using nagios 3.06 ... and it's not working.
>
> Thanks for your answer.
>
> Regards.
>
> JAS
>

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

From scheidell at secnap.net  Thu Dec 18 03:47:03 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Dec 18 03:47:16 2008
Subject: listserver problems?
Message-ID: <494A3835.30302@secnap.net>

might be generic listserver issues, but I noticed that at least on
freebsd-jail list, it does NOT strip out dkim/domainkeys signatures.

that might not be too bad, but it does 'mung' the headers, so dkim signed
email passed through freebsd mailing list server comes back as a forged
signature.

whoever is working on the listservers can contact me for assistance on it.
maybe just a postfix header IGNORE rule would strip it back out.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

From scheidell at secnap.net  Thu Dec 18 03:59:14 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Dec 18 03:59:27 2008
Subject: Nagios & Jail
In-Reply-To: <20081218110610.GC1653@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
	<20081217212740.I97918@maildrop.int.zabbadoz.net>
	<494A29FA.3060101@secnap.net>
	<20081218110610.GC1653@obspm.fr>
Message-ID: <494A3B0F.4070801@secnap.net>

What plugin versions are you running? I'm running latest also.

pkg_info | grep nagios

Albert Shih wrote:
> On 18/12/2008 at 05:46:18-0500, Michael Scheidell wrote
>
>> Try nagios 3.03.
>>
>> I think they will do the trick.
>>
>
> I'm using nagios 3.06 ... and it's not working.
>

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

From bzeeb-lists at lists.zabbadoz.net  Thu Dec 18 05:10:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Dec 18 05:10:14 2008
Subject: OT: Re: listserver problems?
In-Reply-To: <494A3835.30302@secnap.net>
References: <494A3835.30302@secnap.net>
Message-ID: <20081218130857.G97918@maildrop.int.zabbadoz.net>

On Thu, 18 Dec 2008, Michael Scheidell wrote:

Hi,

> might be generic listserver issues, but I noticed that at least on
> freebsd-jail list, it does NOT strip out dkim/domainkeys signatures.
>
> that might not be too bad, but it does 'mung' the headers, so dkim signed
> email passed through freebsd mailing list server comes back as a forged
> signature.
>
> whoever is working on the listservers can contact me for assistance on it.
> maybe just a postfix header IGNORE rule would strip it back out.

please mail postmaster@f.o. and discuss with them.

/bz

--
Bjoern A. Zeeb      The greatest risk is not taking one.

From scheidell at secnap.net  Thu Dec 18 06:45:54 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Dec 18 06:46:07 2008
Subject: listserver problems?
In-Reply-To: <20081218145959.2d428ec8@anthesphoria.net>
References: <494A3835.30302@secnap.net>
	<20081218145959.2d428ec8@anthesphoria.net>
Message-ID: <494A6221.7080603@secnap.net>

Nikola Le?i? wrote:
> Three objections to your DKIM signature:
>

Thanks! the value of the great freebsd community!
Been doing this since '83, and you will never find a more informed, more
willing to help group out there anywhere.

Thanks Nikola

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

From greenwood.andy at gmail.com  Thu Dec 18 06:46:36 2008
From: greenwood.andy at gmail.com (Andy Greenwood)
Date: Thu Dec 18 06:46:43 2008
Subject: Nagios & Jail
In-Reply-To: <20081217210542.GA25347@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
Message-ID: <494A5BC8.7090606@gmail.com>

Albert Shih wrote:
> Hi all.
>
> I'm trying to install a nagios server in a jail.
>
> I've a problem with check_ping.
>
> [root@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5
> CRITICAL - You need more args!!!
> Could not open pipe:
>
> So I think it's become the "ping problem". So I put
>
> sysctl -w security.jail.allow_raw_sockets=1
>
> in the host-jail-server.
>
> In the jail I can make a ping but the nagios check_ping doesn't work.
>
> Has anyone successfully installed a nagios server in a jail?
>
> Regards.

I'm not exactly sure how I did it, but I remember having to change
something from the defaults when I built the net-mgmt/nagios-plugins
port because the check_ping command wasn't working right. I'd suggest
going back and re-making that port to see if you get any error messages.
I want to say that it wasn't finding the ping binary, but I don't think
that's what it was.

From scheidell at secnap.net  Thu Dec 18 06:51:48 2008
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Dec 18 06:52:00 2008
Subject: Nagios & Jail
In-Reply-To: <494A5BC8.7090606@gmail.com>
References: <20081217210542.GA25347@obspm.fr>
	<494A5BC8.7090606@gmail.com>
Message-ID: <494A6380.1090509@secnap.net>

Andy Greenwood wrote:
> Albert Shih wrote:
>
>> Hi all.
>>
>> I'm trying to install a nagios server in a jail.
>>
>> I've a problem with check_ping.
>>
>

only thing I see on mine is I have ipv6 disabled:
(also, with_fping, with_netsnmp, with_mysql) all others disabled.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation

From lists at c0mplx.org  Thu Dec 18 09:22:19 2008
From: lists at c0mplx.org (Kurt Jaeger)
Date: Thu Dec 18 09:22:31 2008
Subject: Nagios & Jail
In-Reply-To: <20081217210542.GA25347@obspm.fr>
References: <20081217210542.GA25347@obspm.fr>
Message-ID: <20081218172218.GE3080@home.opsec.eu>

Hi!

> I've a problem with check_ping.
>
> [root@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5
> CRITICAL - You need more args!!!
> Could not open pipe:

> Has anyone successfully installed a nagios server in a jail?

Yes, and I think it's not a problem with ICMP sockets, but with
the version of check_ping and what it's calling.

Please try

./check_ping -v -v -v -H 212.71.195.58 -w 300.0,80% -c 500.0,100% -p 5

and tell us which version of ping it is calling.

--
pi@opsec.eu      +49 171 3101372      12 years to go !

From bugmaster at FreeBSD.org  Mon Dec 22 03:06:54 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 22 03:08:22 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200812221106.mBMB6rf9060612@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From bugmaster at FreeBSD.org  Mon Dec 29 03:06:57 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Dec 29 03:08:19 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200812291106.mBTB6uNv024482@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.
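
Added example, not part of any message in this archive: a POSIX sh check for the three jail sysctls that Michael Scheidell's reply in the "Nagios & Jail" thread asks to double-check. The function names, the variable names and the sample input are constructed for illustration; the expected values are the ones quoted in that reply, and security.jail.allow_raw_sockets=1 is a relaxation of the FreeBSD default of 0 that lets jailed root open raw sockets.

```shell
#!/bin/sh
# Audit jail sysctls against the values quoted in the thread.
# Reads sysctl output on stdin; accepts "name: value" (the form quoted in
# the thread) as well as "name=value".

# Baseline as quoted in the thread for the host with the working Nagios jail.
# allow_raw_sockets=1 is the one relaxation here: the FreeBSD default is 0.
JAIL_SYSCTL_BASELINE='security.jail.socket_unixiproute_only 1
security.jail.enforce_statfs 2
security.jail.allow_raw_sockets 1'

# Print the integer value of sysctl $1 found in text $2, or nothing.
sysctl_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            # Require a separator right after the key, so that a longer
            # name sharing this prefix is not mistaken for it.
            if (rest !~ /^[ \t]*[:=][ \t]*-?[0-9]+[ \t]*$/) next
            gsub(/[^0-9-]/, "", rest)
            val = rest
        }
        END { if (val != "") print val }'
}

# Print one OK/DIFF/MISSING line per baseline key.
# Exit status is 0 only when every key is present with the expected value.
check_jail_sysctls() (
    input=$(cat)
    bad=0
    while read -r name want; do
        got=$(sysctl_value "$name" "$input")
        if [ -z "$got" ]; then
            echo "MISSING $name (expected $want)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "DIFF    $name is $got (expected $want)"
            bad=$((bad + 1))
        else
            echo "OK      $name = $got"
        fi
    done <<EOF
$JAIL_SYSCTL_BASELINE
EOF
    [ "$bad" -eq 0 ]
)

# Constructed sample (not captured from a real host): raw sockets still at
# the default 0, the state in which ping cannot open its socket in a jail.
SAMPLE_DEFAULTS='security.jail.socket_unixiproute_only: 1
security.jail.enforce_statfs: 2
security.jail.allow_raw_sockets: 0'

printf '%s\n' "$SAMPLE_DEFAULTS" | check_jail_sysctls || echo "baseline not met"
```

On the jail host, feed it live values with `sysctl security.jail | check_jail_sysctls`; the exit status is non-zero when any value differs or is missing.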