From lambert at lambertfam.org Wed Jul 2 20:55:02 2008
From: lambert at lambertfam.org (Scott Lambert)
Date: Wed Jul 2 20:55:04 2008
Subject: Migration of Jail from one host to another?
Message-ID: <20080702202235.GA16820@sysmon.tcworks.net>

I'm probably doing this completely wrong.

I set up a couple of jails using simple image files because I thought
that would make migration to another server more straightforward. I am
now trying to migrate my first jail.

I am using the ezjail tools for creating and maintaining jails.

The existing jail host is 6.2-STABLE FreeBSD 6.2-STABLE #1: Sun Mar 11
21:46:01 CDT 2007, ezjail-2.0.1.

The new jail host is 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat May 10
06:29:00 CDT 2008, ezjail-2.1.

I have created a test jail on the 7.0-STABLE box with ezjail-admin which
works perfectly, using what I believe were the exact same parameters
given, other than IP/hostname, when I created the 6.2-STABLE jail.

# ezjail-admin create -i -s 1G test 192.168.8.237

I have moved over the fstab.migrate_jail file, and the
/u/l/e/ezjail/migrate_jail config file for the 6.2-STABLE jail to the
7.0-STABLE box and created an empty directory beside the 7.0 test jail's
empty directory.

I shut down the jail on the 6.2-STABLE host and scp'd the image file to
the 7.0-STABLE box. I put it beside the empty jail directory.

I made sure the fstab.test and the fstab.migrate_jail look the same
except for jail name changes.

I made sure the /u/l/e/ezjail/test and /u/l/e/ezjail/migrate_jail files
look the same except for jail name changes.

# more /etc/fstab.test
/home/ezjails/test.device /home/ezjails/test ufs rw 0 0
/home/ezjails/basejail /home/ezjails/test/basejail nullfs ro 0 0

# more /etc/fstab.migrate_jail
/home/ezjails/migrate.jail.device /home/ezjails/migrate.jail ufs rw 0 0
/home/ezjails/basejail /home/ezjails/migrate.jail/basejail nullfs ro 0 0

# more test_tcworks_net
export jail_test_hostname="test"
export jail_test_ip="192.168.8.237"
export jail_test_rootdir="/home/ezjails/test"
export jail_test_exec="/bin/sh /etc/rc"
export jail_test_mount_enable="YES"
export jail_test_devfs_enable="YES"
export jail_test_devfs_ruleset="devfsrules_jail"
export jail_test_procfs_enable="YES"
export jail_test_fdescfs_enable="YES"
export jail_test_image="/home/ezjails/test.img"
export jail_test_imagetype="simple"
export jail_test_attachparams=""
export jail_test_attachblocking=""
export jail_test_forceblocking=""

# more migrate_jail
export jail_migrate_jail_hostname="migrate.jail"
export jail_migrate_jail_ip="192.168.8.238"
export jail_migrate_jail_rootdir="/home/ezjails/migrate.jail"
export jail_migrate_jail_exec="/bin/sh /etc/rc"
export jail_migrate_jail_mount_enable="YES"
export jail_migrate_jail_devfs_enable="YES"
export jail_migrate_jail_devfs_ruleset="devfsrules_jail"
export jail_migrate_jail_procfs_enable="YES"
export jail_migrate_jail_fdescfs_enable="YES"
export jail_migrate_jail_image="/home/ezjails/migrate.jail.img"
export jail_migrate_jail_imagetype="simple"
export jail_migrate_jail_attachparams=""
export jail_migrate_jail_attachblocking=""
export jail_migrate_jail_forceblocking=""

14:35:33 Wed Jul 02
# egrep -v '^(#|$)' ../ezjail.conf
ezjail_jaildir=/home/ezjails

/usr/local/etc/rc.d/ezjail.sh start
ezjailConfiguring jails:.
Starting jails: testnetmount: /home/ezjails/migrate.jail.device : Operation not permitted
df: /home/ezjails/migrate.jail/dev: No such file or directory
mount: /home/ezjails/migrate.jail/dev: No such file or directory
/etc/rc.d/jail: WARNING: devfs_domount(): Unable to mount devfs on /home/ezjails/migrate.jail/dev
/etc/rc.d/jail: WARNING: devfs_mount_jail: devfs was not mounted on /home/ezjails/migrate.jail/dev
cd: can't cd to /home/ezjails/migrate.jail/dev
mount: /home/ezjails/migrate.jail/dev: No such file or directory
cannot start jail "migrate_jail":
jail: getpwnam: root: No such file or directory
.

# ls -la /home/ezjails/
total 2098282
drwxr-xr-x 9 root wheel 512 Jul 2 14:27 .
drwxr-xr-x 3182 root wheel 58368 Jun 3 22:58 ..
drwxr-xr-x 9 root wheel 512 Jun 4 00:40 basejail
drwxr-xr-x 2 root wheel 512 Jun 3 22:58 ezjailtemp
drwxr-xr-x 3 root wheel 512 Jun 4 00:41 flavours
drwxr-xr-x 2 root wheel 512 Jul 1 16:54 fulljail
lrwxr-xr-x 1 root wheel 14 Jul 2 13:45 log -> ../var/run/log
drwxr-xr-x 12 root wheel 512 Jun 4 00:41 newjail
drwxr-xr-x 2 root wheel 512 Jul 1 17:43 migrate.jail
lrwxr-xr-x 1 root wheel 8 Jul 2 14:27 migrate.jail.device -> /dev/md9
-rw-r--r-- 1 root wheel 1073741824 Jul 1 17:02 migrate.jail.img
drwxr-xr-x 13 root wheel 512 Jul 2 13:46 test
lrwxr-xr-x 1 root wheel 8 Jul 2 14:27 test.device -> /dev/md8
-rw-r--r-- 1 root wheel 1073741824 Jul 2 14:28 test.img

# ls -la /home/ezjails/migrate.jail
total 4
drwxr-xr-x 2 root wheel 512 Jul 1 17:43 .
drwxr-xr-x 9 root wheel 512 Jul 2 14:27 ..

# ls -la /home/ezjails/test
total 31
drwxr-xr-x 13 root wheel 512 Jul 2 13:46 .
drwxr-xr-x 9 root wheel 512 Jul 2 14:27 ..
drwxrwxr-x 2 root operator 512 Jul 2 13:46 .snap
-r--r--r-- 1 root wheel 6188 Jul 2 13:46 COPYRIGHT
drwxr-xr-x 9 root wheel 512 Jun 4 00:40 basejail
lrwxrwxrwx 1 root wheel 13 Jul 2 13:46 bin -> /basejail/bin
lrwxrwxrwx 1 root wheel 14 Jul 2 13:46 boot -> /basejail/boot
dr-xr-xr-x 5 root wheel 512 Jul 2 14:27 dev
drwxr-xr-x 20 root wheel 2048 Jul 2 13:50 etc
lrwxrwxrwx 1 root wheel 13 Jul 2 13:46 lib -> /basejail/lib
lrwxrwxrwx 1 root wheel 17 Jul 2 13:46 libexec -> /basejail/libexec
drwxr-xr-x 2 root wheel 512 Jul 2 13:46 media
drwxr-xr-x 2 root wheel 512 Jul 2 13:46 mnt
dr-xr-xr-x 1 root wheel 0 Jul 2 14:31 proc
lrwxrwxrwx 1 root wheel 16 Jul 2 13:46 rescue -> /basejail/rescue
drwxr-xr-x 2 root wheel 512 Jul 2 13:46 root
lrwxrwxrwx 1 root wheel 14 Jul 2 13:46 sbin -> /basejail/sbin
lrwxrwxrwx 1 root wheel 11 Jul 2 13:46 sys -> usr/src/sys
drwxrwxrwt 6 root wheel 512 Jul 2 14:27 tmp
drwxr-xr-x 4 root wheel 512 Jul 2 13:46 usr
drwxr-xr-x 22 root wheel 512 Jul 2 14:27 var

# /usr/local/etc/rc.d/ezjail.sh stop
rcorder: could not open log: No such file or directory
ezjailStopping jails: test.tcworks.net.

The log symlink exists in the /u/l/e/ezjails directory on the 6.2-STABLE
host also, but I don't remember it messing with rcorder. I can't just
run an ezjail.sh stop command on that host to test as I have other
production jails there. I don't think it has anything to do with my
problem, but...

# ls -la /home/ezjails/
total 2098282
drwxr-xr-x 9 root wheel 512 Jul 2 14:32 .
drwxr-xr-x 3182 root wheel 58368 Jun 3 22:58 ..
drwxr-xr-x 9 root wheel 512 Jun 4 00:40 basejail
drwxr-xr-x 2 root wheel 512 Jun 3 22:58 ezjailtemp
drwxr-xr-x 3 root wheel 512 Jun 4 00:41 flavours
drwxr-xr-x 2 root wheel 512 Jul 1 16:54 fulljail
lrwxr-xr-x 1 root wheel 14 Jul 2 13:45 log -> ../var/run/log
drwxr-xr-x 12 root wheel 512 Jun 4 00:41 newjail
drwxr-xr-x 2 root wheel 512 Jul 1 17:43 migrate.jail
lrwxr-xr-x 1 root wheel 8 Jul 2 14:27 migrate.jail.device -> /dev/md9
-rw-r--r-- 1 root wheel 1073741824 Jul 1 17:02 migrate.jail.img
drwxr-xr-x 2 root wheel 512 Jul 2 13:46 test
-rw-r--r-- 1 root wheel 1073741824 Jul 2 14:32 test.img

I'm obviously missing something obvious here. A clue-by-four to the head
would be much appreciated.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org

From 000.fbsd at quip.cz Thu Jul 3 10:01:32 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Thu Jul 3 10:01:35 2008
Subject: Memory limits on 7.0
In-Reply-To: <48616B3F.4030705@brewtab.com>
References: <48616B3F.4030705@brewtab.com>
Message-ID: <486CA390.9020109@quip.cz>

Christopher Thunes wrote:
> Hey everyone,
> I spent some time working on getting cdjones' memory limit patches
> updated for 7.0 and beyond and thought I'd post my progress. I've
> attached my current patch which implements memory limits on 7.0-RELEASE,
> but only for the older (and default in -RELEASE) bsd4 scheduler (won't
> work at all on ULE). I haven't yet started work for ULE or getting CPU
> sharing working. This patch also includes fixes for problems in the
> original cdjones patches. If you want to give it a whirl it should apply
> cleanly to a 7.0-RELEASE source tree and if you run into any issues let
> me know.

Thanx for your work, I put it on Jails wiki! I hope I'll give it a try in
next week after I set up new testing machine with ZFS, 4GB of RAM and lot
of jails for testing :)

Do you plan to work on ULE version?
(AFAIK ULE will be default for next release)

Miroslav Lachman

From c2thunes at brewtab.com Thu Jul 3 13:18:28 2008
From: c2thunes at brewtab.com (Christopher Thunes)
Date: Thu Jul 3 13:18:33 2008
Subject: Memory limits on 7.0
In-Reply-To: <486CA390.9020109@quip.cz>
References: <48616B3F.4030705@brewtab.com> <486CA390.9020109@quip.cz>
Message-ID: <486CD19B.9070909@brewtab.com>

Yes, my plan is to get everything working on both schedulers, but at
this point I'm not sure what kind of time frame I'm looking at. At the
moment I'm getting everything up to date on the 4bsd scheduler so once I
finish that up I'll begin working on ULE.

- Chris

Miroslav Lachman wrote:
> Christopher Thunes wrote:
>> Hey everyone,
>> I spent some time working on getting cdjones' memory limit patches
>> updated for 7.0 and beyond and thought I'd post my progress. I've
>> attached my current patch which implements memory limits on
>> 7.0-RELEASE, but only for the older (and default in -RELEASE) bsd4
>> scheduler (won't work at all on ULE). I haven't yet started work for
>> ULE or getting CPU sharing working. This patch also includes fixes for
>> problems in the original cdjones patches. If you want to give it a
>> whirl it should apply cleanly to a 7.0-RELEASE source tree and if you
>> run into any issues let me know.
>
> Thanx for your work, I put it on Jails wiki! I hope I'll give it a try in
> next week after I set up new testing machine with ZFS, 4GB of RAM and lot
> of jails for testing :)
>
> Do you plan to work on ULE version? (AFAIK ULE will be default for next
> release)
>
> Miroslav Lachman

From bugmaster at FreeBSD.org Mon Jul 7 11:07:01 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 7 11:08:27 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200807071107.m67B70t3062079@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
s kern/89528  jail  [jail] [patch] impossible to kill a jail
o kern/119842 jail  [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o bin/32828   jail  [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192  jail  [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498  jail  [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314  jail  [resolver] [jail] DNS resolver broken under certain ja
o kern/84215  jail  [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989  jail  [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071  jail  [jail] [patch] add security.jail.jid sysctl
o bin/99566   jail  [jail] [patch] fstat(1) according to specified jid
o kern/120753 jail  [jail] Zombie jails (jailed child process exits while

9 problems total.

From c2thunes at brewtab.com Mon Jul 7 16:50:09 2008
From: c2thunes at brewtab.com (Christopher Thunes)
Date: Mon Jul 7 16:50:15 2008
Subject: new set of multi-IPv4/v6/noIP jail patches
In-Reply-To: <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com>
References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com>
Message-ID: <48724934.8050503@brewtab.com>

Bjoern,
Should these patches allow multiples IPs which are on multiple interfaces?
I've been playing around with this and was unable to assign IP address from
more than one interface correctly. jls will show all IPs correctly but from
within the jail only IPs from one interface show up in ifconfig and are able
to be binded to.

- Chris Thunes

From bzeeb-lists at lists.zabbadoz.net Mon Jul 7 17:10:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Jul 7 17:10:13 2008
Subject: new set of multi-IPv4/v6/noIP jail patches
In-Reply-To: <48724934.8050503@brewtab.com>
References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> <48724934.8050503@brewtab.com>
Message-ID: <20080707170411.N57089@maildrop.int.zabbadoz.net>

On Mon, 7 Jul 2008, Christopher Thunes wrote:

Hi,

> Should these patches allow multiples IPs which are on multiple interfaces?
> I've been playing around with this and was unable to assign IP address from
> more than one interface correctly. jls will show all IPs correctly but from
> within the jail only IPs from one interface show up in ifconfig and are able
> to be binded to.

Did the patch apply cleanly? Which one? Which release?

dopt# ifconfig lo1 create
dopt# ifconfig lo1 inet 192.0.2.100/32
dopt# ifconfig lo2 create
dopt# ifconfig lo2 inet 192.0.2.200/32
dopt# jail -n multiif /local/jails/j1 dopt 192.0.2.100,192.0.2.200 /sbin/ifconfig -a
fxp0: flags=8802 metric 0 mtu 1500
        options=b
        ether 00:e0:81:31:db:62
        media: Ethernet autoselect (none)
        status: no carrier
bge0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 00:e0:81:31:db:8c
        media: Ethernet autoselect (1000baseTX )
        status: active
bge1: flags=8802 metric 0 mtu 1500
        options=9b
        ether 00:e0:81:31:db:8d
        media: Ethernet autoselect (none)
        status: no carrier
lo0: flags=8049 metric 0 mtu 16384
lo1: flags=8049 metric 0 mtu 16384
        inet 192.0.2.100 netmask 0xffffffff
lo2: flags=8049 metric 0 mtu 16384
        inet 192.0.2.200 netmask 0xffffffff
dopt#

Works here.

Greetings
Bjoern

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
From peter at pean.org Mon Jul 7 17:32:42 2008
From: peter at pean.org (=?ISO-8859-1?Q?Peter_Ankerst=E5l?=)
Date: Mon Jul 7 17:32:50 2008
Subject: new set of multi-IPv4/v6/noIP jail patches
In-Reply-To: <20080617175607.B83875@maildrop.int.zabbadoz.net>
References: <20080617175607.B83875@maildrop.int.zabbadoz.net>
Message-ID: <0991CC77-2DE4-454D-BE9F-BB1223B512B8@pean.org>

On Jun 17, 2008, at 8:03 PM, Bjoern A. Zeeb wrote:

> Hi,
>
> while for some stuff only infrastructure is there, there is more now.
> Any feedback would be welcome. I'll have to work on something else the
> next week so not going to implement the full set of "state", ...

Is there any possibility to get these patches to work together with the
memory-limiting patches?

From c2thunes at brewtab.com Mon Jul 7 17:39:27 2008
From: c2thunes at brewtab.com (Christopher Thunes)
Date: Mon Jul 7 17:39:33 2008
Subject: new set of multi-IPv4/v6/noIP jail patches
In-Reply-To: <20080707170411.N57089@maildrop.int.zabbadoz.net>
References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> <48724934.8050503@brewtab.com> <20080707170411.N57089@maildrop.int.zabbadoz.net>
Message-ID: <487254C2.1030808@brewtab.com>

Hi Bjoern,
I apologize for not including this information originally. This is the
7.0-RELEASE patch but I applied it against a kernel with the memory
limits patch already in place. I had to manually merge most of
kern_jail.c by hand.

I tried again to start a jail and found that I could run the following
and it works as you demonstrated.

[root@virt] ~ # jail -n test1 /usr/jail/4001/ test1 208.86.224.219,10.11.40.2 /sbin/ifconfig -a
priv0: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:30:48:c2:89:2a
        inet 10.11.40.2 netmask 0xffffffff broadcast 10.11.40.2
        media: Ethernet autoselect (1000baseTX )
        status: active
pub0: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:30:48:c2:89:2b
        inet 208.86.224.219 netmask 0xffffffff broadcast 208.86.224.219
        media: Ethernet autoselect (100baseTX )
        status: active

That is one IP each from two interfaces. I tried with two from the
public interface and one from the private interface and then it failed
to assign the address on the private interface. All necessary aliases
have been created.

[root@virt] ~ # jail -n test1 /usr/jail/4001/ test1 208.86.224.219,208.86.224.220,10.11.40.2 /sbin/ifconfig -a
priv0: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:30:48:c2:89:2a
        media: Ethernet autoselect (1000baseTX )
        status: active
pub0: flags=8843 metric 0 mtu 1500
        options=19b
        ether 00:30:48:c2:89:2b
        inet 208.86.224.219 netmask 0xffffffff broadcast 208.86.224.219
        inet 208.86.224.220 netmask 0xffffffff broadcast 208.86.224.220
        media: Ethernet autoselect (100baseTX )
        status: active

Other combinations give other strange results. Assigning two address
from each interface resulted in two being assigned to the private
interface but only one to the public interface. I'm not sure what's
going on or if I'm just doing something stupid but any insight would be
appreciated.

Much Thanks,
Chris

Bjoern A. Zeeb wrote:
> On Mon, 7 Jul 2008, Christopher Thunes wrote:
>
> Hi,
>
>> Should these patches allow multiples IPs which are on multiple
>> interfaces? I've been playing around with this and was unable to
>> assign IP address from more than one interface correctly. jls will
>> show all IPs correctly but from within the jail only IPs from one
>> interface show up in ifconfig and are able to be binded to.
>
> Did the patch apply cleanly? Which one? Which release?
>
> dopt# ifconfig lo1 create
> dopt# ifconfig lo1 inet 192.0.2.100/32
> dopt# ifconfig lo2 create
> dopt# ifconfig lo2 inet 192.0.2.200/32
> dopt# jail -n multiif /local/jails/j1 dopt 192.0.2.100,192.0.2.200
> /sbin/ifconfig -a
> fxp0: flags=8802 metric 0 mtu 1500
> options=b
> ether 00:e0:81:31:db:62
> media: Ethernet autoselect (none)
> status: no carrier
> bge0: flags=8843 metric 0 mtu 1500
> options=9b
> ether 00:e0:81:31:db:8c
> media: Ethernet autoselect (1000baseTX )
> status: active
> bge1: flags=8802 metric 0 mtu 1500
> options=9b
> ether 00:e0:81:31:db:8d
> media: Ethernet autoselect (none)
> status: no carrier
> lo0: flags=8049 metric 0 mtu 16384
> lo1: flags=8049 metric 0 mtu 16384
> inet 192.0.2.100 netmask 0xffffffff
> lo2: flags=8049 metric 0 mtu 16384
> inet 192.0.2.200 netmask 0xffffffff
> dopt#
>
> Works here.
>
>
> Greetings
> Bjoern
>

From bzeeb-lists at lists.zabbadoz.net Mon Jul 7 19:15:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Jul 7 19:15:14 2008
Subject: new set of multi-IPv4/v6/noIP jail patches
In-Reply-To: <487254C2.1030808@brewtab.com>
References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> <48724934.8050503@brewtab.com> <20080707170411.N57089@maildrop.int.zabbadoz.net> <487254C2.1030808@brewtab.com>
Message-ID: <20080707183022.P57089@maildrop.int.zabbadoz.net>

On Mon, 7 Jul 2008, Christopher Thunes wrote:

Hi,

I can reproduce this and I know the bug. I'll post an updated patch in a
few days.

/bz

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
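
The symptom reported in this thread (jls lists every assigned address, but only some of them appear inside the jail) can be checked mechanically. The script below is an added example, not part of the original messages or of the jail patches; the function names are hypothetical and the sample ifconfig output is constructed, using documentation addresses and the priv0/pub0 interface names from the report.

```shell
#!/bin/sh
# Added example (not from the thread): report addresses assigned to a jail
# that do not show up in "ifconfig -a" run inside that jail.

# missing_jail_ips ASSIGNED
#   ASSIGNED: comma-separated address list as passed to jail(8).
#   stdin:    output of "ifconfig -a" captured inside the jail.
#   stdout:   every assigned address with no matching inet/inet6 line,
#             one per line, in the order given. Empty output means all
#             assigned addresses are visible.
# Addresses are compared as text, so IPv6 addresses must be written the
# same way ifconfig prints them.
missing_jail_ips() {
    awk -v assigned="$1" '
        {
            # An address follows the keyword "inet" or "inet6".
            for (i = 1; i < NF; i++) {
                if ($i == "inet" || $i == "inet6") {
                    addr = $(i + 1)
                    sub(/%.*$/, "", addr)   # drop an IPv6 scope such as %lo0
                    seen[addr] = 1
                }
            }
        }
        END {
            n = split(assigned, want, ",")
            for (k = 1; k <= n; k++)
                if (want[k] != "" && !(want[k] in seen))
                    print want[k]
        }'
}

# Constructed sample modelled on the failing case in the report: three
# addresses were assigned, but priv0 shows no inet line inside the jail.
sample_ifconfig() {
    cat <<'EOF'
priv0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:2a
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
pub0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:2b
        inet 192.0.2.219 netmask 0xffffffff broadcast 192.0.2.219
        inet 192.0.2.220 netmask 0xffffffff broadcast 192.0.2.220
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
EOF
}

# Demo: prints 198.51.100.2, the address that never became visible.
sample_ifconfig | missing_jail_ips "192.0.2.219,192.0.2.220,198.51.100.2"
```

On a live host, pipe the output of `jexec JID /sbin/ifconfig -a` into `missing_jail_ips` together with the address list that was passed to jail(8).
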
From c2thunes at brewtab.com Fri Jul 11 06:54:09 2008
From: c2thunes at brewtab.com (Christopher Thunes)
Date: Fri Jul 11 06:54:18 2008
Subject: new set of multi-IPv4/v6/noIP jail patches
In-Reply-To: <0991CC77-2DE4-454D-BE9F-BB1223B512B8@pean.org>
References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <0991CC77-2DE4-454D-BE9F-BB1223B512B8@pean.org>
Message-ID: <48770394.4080105@brewtab.com>

Hey Peter,
I've got some test system running with both of these in place. The
memory limiting code I'm working with is still incomplete as of now but
if you are interested I can put up a patch of what is currently
available in a week or so. The extent of memory limit completeness is
outlined here
http://lists.freebsd.org/pipermail/freebsd-jail/2008-June/000333.html

- Chris Thunes

Peter Ankerstål wrote:
>
> On Jun 17, 2008, at 8:03 PM, Bjoern A. Zeeb wrote:
>
>> Hi,
>>
>> while for some stuff only infrastructure is there, there is more now.
>> Any feedback would be welcome. I'll have to work on something else the
>> next week so not going to implement the full set of "state", ...
>
> Is there any possibility to get these patches to work together with the
> memory-limiting patches?
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From bugmaster at FreeBSD.org Mon Jul 14 11:07:01 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 14 11:08:07 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200807141107.m6EB70Cc014457@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
s kern/89528  jail  [jail] [patch] impossible to kill a jail
o kern/119842 jail  [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o bin/32828   jail  [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192  jail  [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498  jail  [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314  jail  [resolver] [jail] DNS resolver broken under certain ja
o kern/84215  jail  [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989  jail  [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071  jail  [jail] [patch] add security.jail.jid sysctl
o bin/99566   jail  [jail] [patch] fstat(1) according to specified jid
o kern/120753 jail  [jail] Zombie jails (jailed child process exits while

9 problems total.

From oscar at cubarte.cult.cu Wed Jul 16 23:26:06 2008
From: oscar at cubarte.cult.cu (Oscar Glez)
Date: Wed Jul 16 23:26:13 2008
Subject: Mount problems
Message-ID: <487E7B0C.40402@cubarte.cult.cu>

I'm using FreeBSD 6.3 and ezjail.

When I try to mount the cdrom device, previously unhidden with a devfs
rule and visible in /dev directory, it returns "Operation not permitted"

The same happens when I try to mount a nullfs. The nullfs module is
loaded inside jail.

Is this a normal behavior?

From s.musatov at penza.ertelecom.ru Fri Jul 18 14:30:53 2008
From: s.musatov at penza.ertelecom.ru (=?koi8-r?B?7dXTwdTP1yDz1MHOydPMwdcg5dfHxc7YxdfJ3g==?=)
Date: Fri Jul 18 14:31:12 2008
Subject: update freebsd 6.3 to 7.0
Message-ID: <6CF3873CD4BBE6489ABF5DD499DA909AC16EF7@PENZAMAIL.penza.ertelecom.loc>

Hello,

I will like to update FreeBSD 6.3 GENERIC to FreeBSD 7.0.
I have some problems:
When I was refreshed the system, all jails have ceased to work.
Only if I update all jails to freebsd 7.0 all will be work.
How to force to work jails without upgrade him?
There are 10 Very important jails in our system.

From jeno.kiev at gmail.com Sat Jul 19 12:57:08 2008
From: jeno.kiev at gmail.com (=?KOI8-R?B?5dfHxc7JyiD7wdDP18HM?=)
Date: Sat Jul 19 12:57:15 2008
Subject: getpwnam: root: No such file or directory
Message-ID:

hello =)

When I try to start jail (/etc/rc.d/jail start) I have:

====
/etc/rc.conf: //: Permission denied
Configuring jails:.
Starting jails: cannot start jail "test":
jail: getpwnam: root: No such file or directory
====

how it's correct? =\

Thanks!

From 000.fbsd at quip.cz Sat Jul 19 13:23:32 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sat Jul 19 13:23:38 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To:
References:
Message-ID: <4881EAE1.8060008@quip.cz>

Евгений Шаповал wrote:
> hello =)
>
> When I try to start jail (/etc/rc.d/jail start) I have:
>
> ====
> /etc/rc.conf: //: Permission denied
> Configuring jails:.
> Starting jails: cannot start jail "test":
> jail: getpwnam: root: No such file or directory
> ====
>
> how it's correct? =\

Can you post your rc.conf and how you populated jail environment?

Miroslav Lachman

From mikhailg at webanoide.org Sat Jul 19 18:58:51 2008
From: mikhailg at webanoide.org (Mikhail Goriachev)
Date: Sat Jul 19 18:58:57 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To:
References:
Message-ID: <488233B0.1000904@webanoide.org>

Евгений Шаповал wrote:
> hello =)
>
> When I try to start jail (/etc/rc.d/jail start) I have:
>
> ====
> /etc/rc.conf: //: Permission denied
> Configuring jails:.
> Starting jails: cannot start jail "test":
> jail: getpwnam: root: No such file or directory

You need to rebuild your master.passwd file:

/usr/sbin/pwd_mkdb -d /jaildir/etc -p /jaildir/etc/master.passwd

Regards,
Mikhail.
--
Mikhail Goriachev
Webanoide

From mikhailg at webanoide.org Sat Jul 19 21:31:23 2008
From: mikhailg at webanoide.org (Mikhail Goriachev)
Date: Sat Jul 19 21:31:29 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To:
References: <488233B0.1000904@webanoide.org>
Message-ID: <48825D18.1010001@webanoide.org>

Евгений Шаповал wrote:
> Thanks!
>
> I try:
> # /usr/sbin/pwd_mkdb -d /usr/local/jails/test/etc -p
> /usr/local/jails/test/etc/master.passwd
>
> and I have:
>
> # pwd_mkdb: /usr/local/jails/test/etc/master.passwd: No such file or directory
>
> then I make empty file:
>
> # touch /usr/local/jails/test/etc/master.passwd
>
> all good! no errors, no messages...
>
> I try start jail again, and I have: =\
>
> =============================
> /etc/rc.conf: //: Permission denied
> Configuring jails:.
> Starting jails: cannot start jail "test":
> jail: root: no such user
> =============================

The jail hasn't been completely populated.

As Miroslav already stated, can you show us the rc.conf of the host and
the way you populated the jail?

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

From mikhailg at webanoide.org Sun Jul 20 00:40:26 2008
From: mikhailg at webanoide.org (Mikhail Goriachev)
Date: Sun Jul 20 00:40:33 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To:
References: <488233B0.1000904@webanoide.org> <48825D18.1010001@webanoide.org>
Message-ID: <48828965.5000802@webanoide.org>

Please make sure you also reply to the list (freebsd-jail@freebsd.org).

Евгений Шаповал wrote:
>> As Miroslav already stated, can you show us the rc.conf of the host and the
>> way you populated the jail?
>
> rc.conf of main os:
> ===========================================================
> defaultrouter="xxx.xxx.236.249"
> ifconfig_fxp0="inet xxx.xxx.236.251/29"
> ifconfig_fxp0_alias0="inet xxx.xxx.10.131/26"
> ifconfig_lo0_alias0="inet xxx.xxx.236.253/30"
>
> // test jail
> ifconfig_fxp0_alias0="inet xxx.xxx.10.160 netmask 255.255.255.0"
  ^^^^^^^^^^^

You declared ifconfig_fxp0_alias0 twice. This will cause confusion in
your system.

> ifconfig_fxp0_alias1="inet xxx.xxx.10.161 netmask 255.255.255.0"
> [...]
>
> jail_enable="YES"
> jail_list="test"
> jail_set_hostname_allow="YES"

You might want to add the following lines:

jail_exec_start="/bin/sh /etc/rc"
jail_exec_stop="/bin/sh /etc/rc.shutdown"

> jail_test_rootdir="/usr/local/jails/test"
> jail_test_hostname="test-jail.local"
> jail_test_ip="xxx.xxx.10.160"
> jail_test_devfs_enable="YES"
> jail_test_procfs_enable="YES"
> jail_test_flags="-l -U root"
  ^^^^^^^^^^^^^^^

The jail_test_flags is unnecessary.

[...]

>
> I just saw that the file "/usr/local/jails/test/etc/master.passwd" is empty...
>
> I try add "root" user:
>
> open jail:
>
> # jail /usr/local/jails/test/ test xxx.xxx.10.160 /bin/csh
>
> # adduser
>
> I have:
>
> ===========================================================
> Username: root
> Full name:
> Uid (Leave empty for default):
>
> Login group [root]: Login group is root. Invite root into other groups? []:
> Login class [default]:
> Shell (sh csh tcsh date nologin) [sh]:
> Home directory [/home/root]:
>
> Home directory permissions (Leave empty for default): Use
> password-based authentication? [yes]:
> Use an empty password? (yes/no) [no]:
> Use a random password? (yes/no) [no]:
> Enter password:
> Enter password again:
> Lock out the account after creation? [no]:
> Username : root
> Password : *****
> Full Name :
> Uid : 1001
> Class :
> Groups : root
> Home : /home/root
> Home Mode :
> Shell : /bin/sh
> Locked : no
> OK? (yes/no): y
> pwd_mkdb: root uid should be 0
> pwd_mkdb: at line #1
> pwd_mkdb: /etc/master.passwd: Inappropriate file type or format
> pw: user 'root' disappeared during update
> adduser: ERROR: There was an error adding user (root).
> Add another user? (yes/no):
> ===========================================================

You can't just add the root account. The jail/system should already come
with everything. It seems like you didn't populate the jail, that is why
there are many missing pieces.

What steps did you take to make your jail?

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

From 000.fbsd at quip.cz Sun Jul 20 07:37:46 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sun Jul 20 07:37:53 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To: <48825D18.1010001@webanoide.org>
References: <488233B0.1000904@webanoide.org> <48825D18.1010001@webanoide.org>
Message-ID: <4882EB5C.20206@quip.cz>

Mikhail Goriachev wrote:
> Евгений Шаповал wrote:
>
>> Thanks!
>>
>> I try:
>> # /usr/sbin/pwd_mkdb -d /usr/local/jails/test/etc -p
>> /usr/local/jails/test/etc/master.passwd
>>
>> and I have:
>>
>> # pwd_mkdb: /usr/local/jails/test/etc/master.passwd: No such file or
>> directory
>>
>> then I make empty file:
>>
>> # touch /usr/local/jails/test/etc/master.passwd
>>
>> all good! no errors, no messages...
>>
>> I try start jail again, and I have: =\
>>
>> =============================
>> /etc/rc.conf: //: Permission denied
>> Configuring jails:.
>> Starting jails: cannot start jail "test":
>> jail: root: no such user
>> =============================

Did you run "make distribution DESTDIR=/path/to/jail/dir" or something
similar? I don't think so and your jail environment seems incomplete!
Read the man page example section:
http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=0&manpath=FreeBSD+7.0-RELEASE
and Handbook to build jail properly
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-build.html

> The jail hasn't been completely populated.
>
> As Miroslav already stated, can you show us the rc.conf of the host and
> the way you populated the jail?
>
>
> Regards,
> Mikhail.
>

From mikhailg at webanoide.org Sun Jul 20 08:20:32 2008
From: mikhailg at webanoide.org (Mikhail Goriachev)
Date: Sun Jul 20 08:20:38 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To:
References: <488233B0.1000904@webanoide.org> <48825D18.1010001@webanoide.org> <48828965.5000802@webanoide.org>
Message-ID: <4882F53C.6060604@webanoide.org>

Евгений Шаповал wrote:
> Thanks!
>
>> You can't just add the root account. The jail/system should already come
>> with everything. It seems like you didn't populate the jail, that is why
>> there are many missing pieces.
>>
>> What steps did you take to make your jail?
>
> 1. download freebsd sources
> 2. build jail, I use this script:
> ===================================================
> #!/bin/sh
>
> case "$2" in
> create)
> jail_dir="$1"
> mkdir -p ${jail_dir}
> cd /usr/src
> mkdir -p ${jail_dir}
> make world DESTDIR=${jail_dir}
> cd /usr/src/etc
  ^^^^^^^^^^^^^^^

You should not change into /usr/src/etc. Remove that line from the
script.

> make distribution DESTDIR=${jail_dir}

This is the line that populates most of your jail but it fails because
it is executed from /usr/src/etc instead of /usr/src. That is why you
get missing pieces.

So part of your script should look something like:

mkdir -p ${jail_dir}
cd /usr/src
make installworld DESTDIR=${jail_dir}
make distribution DESTDIR=${jail_dir}
mount_devfs devfs ${jail_dir}/dev

You should read the Jails section in the Handbook and also the man page
for jail for further details.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

From bzeeb-lists at lists.zabbadoz.net Sun Jul 20 09:15:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Jul 20 09:15:15 2008
Subject: multi-ip jail patch on freebsd 7
In-Reply-To: <4881C486.8040401@zirakzigil.org>
References: <4881C486.8040401@zirakzigil.org>
Message-ID: <20080720090947.F57089@maildrop.int.zabbadoz.net>

On Sat, 19 Jul 2008, Giulio Ferro wrote:

> Since the multi-ip jail feature isn't yet part of the base system (why???)
> I was searching the internet for a suitable patch to apply manually.
>
> I couldn't find any. The one I found didn't apply cleanly to a 7 system.
> Can any of you point me to a working multi-ip jail patch?

freebsd-jail@ would be a better list.

I would happily point you at one but my webserver is down at the
moment. I hope you can wait another few days as I am swamped...

--
Bjoern A. Zeeb          Stop bit received. Insert coin for new game.

From mikhailg at webanoide.org Sun Jul 20 18:11:48 2008
From: mikhailg at webanoide.org (Mikhail Goriachev)
Date: Sun Jul 20 18:12:10 2008
Subject: getpwnam: root: No such file or directory
In-Reply-To:
References: <488233B0.1000904@webanoide.org> <48825D18.1010001@webanoide.org> <48828965.5000802@webanoide.org> <4882F53C.6060604@webanoide.org>
Message-ID: <48837FD3.6020308@webanoide.org>

Please make sure you also reply to the list.

??????? ??????? wrote:
> Mikhail Goriachev, thanks!!!
> I remove line "cd /usr/src/etc", make installworld and now all good! =)
> root user exists, I add user and login from ssh to jail =)

No worries. I'm glad it finally got going for you.

> but I have 2 questions:
> 1. when I start jail (/etc/rc.d/jail start), I have:
>
> /etc/rc.conf: //: Permission denied
> Configuring jails:.
> Starting jails: host1-jail.local.
>
> how correct error on first line? =\

Check file permissions for both, the jail and main OS:

# ls -l /etc/rc.conf
# ls -l /usr/local/jails/test/etc/rc.conf

They both should be 644. Also check the logs:

/var/log/jail_test_console.log
/var/log/messages

>
> 2. MAC in jail and main os identical?!

Yes they are identical because they both share the same network card.

> how you see MAC "00:14:85:3a:58:90" in jail and main os identical oO
> I need internet connection in my jail and main os =( but if jail and
> main os have identical mac, it's unreal =( in LAN can't be 2 computers
> with one mac =( or I something confuse?! =\

In your case this is only one computer with multiple IPs (aliases). This is normal behaviour.

As of sharing the Internet connection, well it all depends on your resources and how you design the system. For instance, in some situations (single interface hosts) I bind my jails to lo0 and then use NAT to share the Internet. If you have access to multiple public IPs then you can bind jails directly to the public interface.

+------ eth0 ------+
|                  |
|       lo0        |
|                  |
+------------------+

In other situations, where jails should be reached from the LAN, I bind them to the interface that faces the LAN (eth1) instead of lo0 or the Internet (eth0) and NAT is also used here.

+------ eth0 ------+
|                  |
|       lo0        |
|                  |
+------ eth1 ------+

Basically everything depends on your needs and goals.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

From bugmaster at FreeBSD.org Mon Jul 21 11:06:58 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 21 11:08:01 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200807211106.m6LB6vaO031911@freefall.freebsd.org>

Current FreeBSD problem reports
Critical problems
Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

9 problems total.

From killing at multiplay.co.uk Tue Jul 22 22:46:05 2008
From: killing at multiplay.co.uk (Steven Hartland)
Date: Tue Jul 22 22:46:13 2008
Subject: sockets still open for shutdown jail days later
Message-ID: <527A23E52F1E45E5A5642A8099A87981@multiplay.co.uk>

I shutdown a jail on one of our 7.0-release boxes the other day and while doing some more maintenance on one of the other jails I notice the other still listed in jls.

After doing some digging I found we have 60 sockets still open for said jail.

tcp4 0 58500 X.X.X.X.80 Y.Y.Y.Y.26696 LAST_ACK
tcp4 0 53845 X.X.X.X.80 Y.Y.Y.Y.64765 LAST_ACK
...

The jail was shutdown a few days ago now so I would have expected any lingering sockets to have expired and been cleaned up but clearly not. This interface is also no longer bound to the source IP.

So is this issue in the jail code or a problem in the IP stack?

Anyone seen this before?

Regards
Steve

================================================
This e.mail is private and confidential between Multiplay (UK) Ltd. and the person or entity to whom it is addressed. In the event of misdirection, the recipient is prohibited from using, copying, printing or otherwise disseminating it or any information contained in it.

In the event of misdirection, illegible or incomplete transmission please telephone +44 845 868 1337 or return the E.mail to postmaster@multiplay.co.uk.

From auryn at zirakzigil.org Thu Jul 24 21:14:14 2008
From: auryn at zirakzigil.org (Giulio Ferro)
Date: Thu Jul 24 21:14:25 2008
Subject: multi-ip jail patch on freebsd 7
In-Reply-To: <20080720090947.F57089@maildrop.int.zabbadoz.net>
References: <4881C486.8040401@zirakzigil.org> <20080720090947.F57089@maildrop.int.zabbadoz.net>
Message-ID: <4888EA5D.1050704@zirakzigil.org>

Bjoern A. Zeeb wrote:
>> Since the multi-ip jail feature isn't yet part of the base system
>> (why???)
>> I was searching the internet for a suitable patch to apply manually.
>>
>> I couldn't find any. The one I found didn't apply cleanly to a 7 system.
>> Can any of you point me to a working multi-ip jail patch?
>
> freebsd-jail@ would be a better list.
>
> I would happily point you at one but my webserver is down at the
> moment. I hope you can wait another few days as I am swamped...
>

Thanks anyway, I'll ask there...

From auryn at zirakzigil.org Thu Jul 24 21:16:36 2008
From: auryn at zirakzigil.org (Giulio Ferro)
Date: Thu Jul 24 21:16:42 2008
Subject: multi-ip
Message-ID: <4888EAEC.2040303@zirakzigil.org>

Hello all.

Can anyone point me to a working and reasonably stable patch for multi-ip jails in freebsd 7 amd64? I googled around, but I couldn't find any.

Thanks in advance.

From jille at quis.cx Fri Jul 25 08:19:05 2008
From: jille at quis.cx (Jille)
Date: Fri Jul 25 08:19:12 2008
Subject: multi-ip
In-Reply-To: <4888EAEC.2040303@zirakzigil.org>
References: <4888EAEC.2040303@zirakzigil.org>
Message-ID: <488988B7.3000503@quis.cx>

Hello Giulio,

You can find them here: http://sources.zabbadoz.net/freebsd/jail.html
Unfortunately the webserver is moving atm, so you'll have to wait.
Bjoern Zeeb will probably send a message to the list when they are back online.

-- Jille

Giulio Ferro wrote:
> Hello all.
>
> Can anyone point me to a working and reasonably stable patch
> for multi-ip jails in freebsd 7 amd64? I googled around, but I
> couldn't find any.
>
> Thanks in advance.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From bzeeb-lists at lists.zabbadoz.net Sun Jul 27 12:10:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Jul 27 12:10:15 2008
Subject: new multi-/no-ip4/v6 jail patches
Message-ID: <20080727115111.D57089@maildrop.int.zabbadoz.net>

Hi,

I have temporarily put two patches generated from p4 here[1] for HEAD and for 7-STABLE as of now (you really need that latest 8/7).

If you are in /usr/src you best run

    patch -s -p7 -C < /path/to/patch
    echo $?

to see if the patch applies cleanly. patch should not print anything and echo $? should print 0.
Else you'll have to manually resolve rejects after the next step:

    patch -s -p7 < /path/to/patch

There is/will be no updated patch for 7.0pX (7.0 RELEASE branch) atm.

Most important changes:
- fixed lookup mechanism for v4 and v6 for jail IP addresses (only relevant if you had more than 2 IPs per AF)
- directly bind the IP if there is only one per AF.
- ipv4 source address selection
- jail state support
- cpuset support

What still needs to be done:
- break out ipv4 source address selection for HEAD
- review SCTP after the latest import (still disabled in jails)
- cleanup
- review review review - feel free to mail me any comments.
- the complete list is here:
  http://perforce.freebsd.org/fileViewer.cgi?FSPC=//depot/user/bz/jail/TODO&REV=21

Worst problem:
- jls output is really ugly now

In case of any comments/problems/... preferably mail freebsd-jail@ instead of mailing me directly.

/bz

References:
[1] temporary location for multi-/no-ipv4/v6 patches for
    HEAD: http://people.freebsd.org/~bz/bz_jail-20080727-01-at146034.diff
    RELENG_7: http://people.freebsd.org/~bz/bz_jail7-20080726-03-at146006.diff

--
Bjoern A. Zeeb          Stop bit received. Insert coin for new game.

From bzeeb-lists at lists.zabbadoz.net Sun Jul 27 15:30:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Jul 27 15:30:15 2008
Subject: new multi-/no-ip4/v6 jail patches
In-Reply-To: <20080727115111.D57089@maildrop.int.zabbadoz.net>
References: <20080727115111.D57089@maildrop.int.zabbadoz.net>
Message-ID: <20080727152715.Y57089@maildrop.int.zabbadoz.net>

On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:

Hi,

there is a regression in there with unbound udp connects. I am investigating and the patches are gone for the moment. I'll let you know once I updated them.

/bz

--
Bjoern A. Zeeb          Stop bit received. Insert coin for new game.

From bzeeb-lists at lists.zabbadoz.net Sun Jul 27 17:50:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Jul 27 17:50:14 2008
Subject: new multi-/no-ip4/v6 jail patches
In-Reply-To: <20080727152715.Y57089@maildrop.int.zabbadoz.net>
References: <20080727115111.D57089@maildrop.int.zabbadoz.net> <20080727152715.Y57089@maildrop.int.zabbadoz.net>
Message-ID: <20080727174715.F57089@maildrop.int.zabbadoz.net>

On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:

> On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:
>
> Hi,
>
> there is a regression in there with unbound udp connects. I am
> investigating and the patches are gone for the moment. I'll let you
> know once I updated them.

the new patches are here:

HEAD:
http://people.freebsd.org/~bz/bz_jail-20080727-10-at146056.diff
7-STABLE:
http://people.freebsd.org/~bz/bz_jail7-20080727-10-at146056.diff

/bz

--
Bjoern A. Zeeb          Stop bit received. Insert coin for new game.

From bzeeb-lists at lists.zabbadoz.net Sun Jul 27 19:50:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Jul 27 19:50:14 2008
Subject: new multi-/no-ip4/v6 jail patches
In-Reply-To: <20080727174715.F57089@maildrop.int.zabbadoz.net>
References: <20080727115111.D57089@maildrop.int.zabbadoz.net> <20080727152715.Y57089@maildrop.int.zabbadoz.net> <20080727174715.F57089@maildrop.int.zabbadoz.net>
Message-ID: <20080727194902.N57089@maildrop.int.zabbadoz.net>

On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:

Hi,

> the new patches are here:
>
> HEAD:
> http://people.freebsd.org/~bz/bz_jail-20080727-10-at146056.diff
> 7-STABLE:
> http://people.freebsd.org/~bz/bz_jail7-20080727-10-at146056.diff

And as the MFC for the backout of the unr allocator was committed here's a new patch for RELENG_7:
http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff

--
Bjoern A. Zeeb          Stop bit received. Insert coin for new game.

From bugmaster at FreeBSD.org Mon Jul 28 11:06:59 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jul 28 11:08:07 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200807281106.m6SB6wOU078949@freefall.freebsd.org>

Current FreeBSD problem reports
Critical problems
Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

9 problems total.

From spry at anarchy.in.the.ph Mon Jul 28 12:26:29 2008
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Mon Jul 28 12:26:35 2008
Subject: new multi-/no-ip4/v6 jail patches
In-Reply-To: <20080727194902.N57089@maildrop.int.zabbadoz.net>
References: <20080727115111.D57089@maildrop.int.zabbadoz.net> <20080727152715.Y57089@maildrop.int.zabbadoz.net> <20080727174715.F57089@maildrop.int.zabbadoz.net> <20080727194902.N57089@maildrop.int.zabbadoz.net>
Message-ID:

On Mon, Jul 28, 2008 at 3:49 AM, Bjoern A. Zeeb wrote:
> On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:
>
> Hi,
>
>> the new patches are here:
>>
>> HEAD: http://people.freebsd.org/~bz/bz_jail-20080727-10-at146056.diff
>> 7-STABLE: http://people.freebsd.org/~bz/bz_jail7-20080727-10-at146056.diff
>
> And as the MFC for the backout of the unr allocator was committed
> here's a new patch for RELENG_7:
> http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
>

Hiya

What I've tested on my test jail:
- IPv6-only, 1 IPv6
- IPv6-only, 4 IPv6s
- IPv4-only, 5 IPs
- IPv6+IPv4, 4 IPv6, 5 IPv4s

Plus apache (w/ ipv6) running on the jail.

Works great! Thanks ;-)

>
> --
> Bjoern A. Zeeb Stop bit received. Insert coin for new game.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

--
cheers
mars

From auryn at zirakzigil.org Mon Jul 28 16:18:54 2008
From: auryn at zirakzigil.org (Giulio Ferro)
Date: Mon Jul 28 16:19:04 2008
Subject: new multi-/no-ip4/v6 jail patches
In-Reply-To: <20080727194902.N57089@maildrop.int.zabbadoz.net>
References: <20080727115111.D57089@maildrop.int.zabbadoz.net> <20080727152715.Y57089@maildrop.int.zabbadoz.net> <20080727174715.F57089@maildrop.int.zabbadoz.net> <20080727194902.N57089@maildrop.int.zabbadoz.net>
Message-ID: <488DF15F.5030703@zirakzigil.org>

Bjoern A. Zeeb wrote:
> On Sun, 27 Jul 2008, Bjoern A. Zeeb wrote:
>
> Hi,
>
>> the new patches are here:
>>
>> HEAD: http://people.freebsd.org/~bz/bz_jail-20080727-10-at146056.diff
>> 7-STABLE:
>> http://people.freebsd.org/~bz/bz_jail7-20080727-10-at146056.diff
>
> And as the MFC for the backout of the unr allocator was committed
> here's a new patch for RELENG_7:
> http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
>
>

Thanks a lot! I'll try it as soon as I can...

From schulra at earlham.edu Tue Jul 29 18:46:41 2008
From: schulra at earlham.edu (Randy Schultz)
Date: Tue Jul 29 18:46:48 2008
Subject: visudo non-functional in 7.0-RELEASE jail
Message-ID:

Heya,

Been using jails for a while with 6.2 and 6.3. Today I'm working my first lab box with 7.0-RELEASE. Set everything up with ezjail, e.g. ezjail-admin create... Everything builds/installs fine, no barks. Sudo installed via make install in /usr/ports/security/sudo on both parent and jail after a portsnap update. The version of sudo works fine in the parent. In the jail however I always get:

zincite# /usr/local/sbin/visudo
visudo: /usr/local/etc/sudoers busy, try again later

Sudoers is not busy.
This is on a fresh jail that only I have access to, doing a visudo right after the make install finishes.

My first thought was the jail dev/fs perms were somehow messed up but I can write to /usr/local/etc. In fact I can vi /usr/local/etc/sudoers and write it back out.

I've checked the sysctl flags. They are the same as on a working 6.x parent(but I've included them here FWIW):

Root Dude ? sysctl -a|egrep jail
security.jail.jailed: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1

Rc.conf has:

ezjail_enable=YES
jail_list="zincite"
jail_zincite_rootdir=/usr/local/jails/zincite
jail_zincite_hostname=zincite.earlham.edu
jail_zincite_ip=159.28.83.137
jail_zincite_interface=bge0
#jail_zincite_fstab="/etc/zincite.fstab"
jail_zincite_mount_enable="YES"
jail_zincite_devfs_enable="YES"

Fstab is pretty standard:

Root Dude ? cat /etc/fstab.zincite
/usr/local/jails/basejail /usr/local/jails/zincite/basejail nullfs ro 0 0

The /usr/local/jails/zincite/etc/devfs.conf is non-tweaked

zincite# ls -l /dev
total 0
dr-xr-xr-x 2 root wheel 512 Jul 29 16:23 fd
lrwxr-xr-x 1 root wheel 14 Jul 29 16:23 log -> ../var/run/log
crw-rw-rw- 1 root wheel 0, 6 Jul 29 17:33 null
crw-rw-rw- 1 root wheel 0, 121 Jul 29 17:26 ptyp0
crw-rw-rw- 1 root wheel 0, 123 Jul 29 17:38 ptyp1
crw-rw-rw- 1 root wheel 0, 10 Jul 29 12:23 random
lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stderr -> fd/2
lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdin -> fd/0
lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdout -> fd/1
crw-rw-rw- 1 root wheel 0, 122 Jul 29 17:26 ttyp0
crw--w---- 1 rj tty 0, 124 Jul 29 17:38 ttyp1
lrwxr-xr-x 1 root wheel 6 Jul 29 16:23 urandom -> random
crw-rw-rw- 1 root wheel 0, 7 Jul 29 16:23 zero

and /usr/local/etc/ezjail/zincite contains:

export jail_zincite_hostname="zincite"
export jail_zincite_ip="159.28.83.137"
export jail_zincite_rootdir="/usr/local/jails/zincite"
export jail_zincite_exec="/bin/sh /etc/rc"
export jail_zincite_mount_enable="YES"
export jail_zincite_devfs_enable="YES"
export jail_zincite_devfs_ruleset="devfsrules_jail"
export jail_zincite_procfs_enable="YES"
export jail_zincite_fdescfs_enable="YES"
export jail_zincite_image=""
export jail_zincite_imagetype=""
export jail_zincite_attachparams=""
export jail_zincite_attachblocking=""
export jail_zincite_forceblocking=""

I tried tracing visudo but that didn't give me much:

...
1293: open("/usr/local/etc/sudoers",O_RDWR|O_CREAT,0440) = 3 (0x3)
1293: fcntl(3,F_SETLK,0x7fffffffe390) ERR#22 'Invalid argument'
visudo: 1293: write(2,"visudo: ",8) = 8 (0x8)
/usr/local/etc/sudoers busy, try again later
1293: write(2,"/usr/local/etc/sudoers busy, try"...,44) = 44 (0x2c)
1293: write(2,"\n",1) = 1 (0x1)
1293: process exit, rval = 1

I noted the invalid argument, thought busted port, but same thing works great on the parent.

I'm running out of places to poke.

--
Randy (schulra@earlham.edu) 765.983.1283 <*>

Love with your heart, think with your head; not the other way around.

From bsam at ipt.ru Tue Jul 29 18:58:22 2008
From: bsam at ipt.ru (Boris Samorodov)
Date: Tue Jul 29 18:58:29 2008
Subject: visudo non-functional in 7.0-RELEASE jail
In-Reply-To: (Randy Schultz's message of "Tue\, 29 Jul 2008 14\:20\:34 -0400 \(EDT\)")
References:
Message-ID: <71363369@ipt.ru>

On Tue, 29 Jul 2008 14:20:34 -0400 (EDT) Randy Schultz wrote:

> Been using jails for a while with 6.2 and 6.3. Today I'm working my first lab
> box with 7.0-RELEASE. Set everything up with ezjail, e.g. ezjail-admin
> create... Everything builds/installs fine, no barks. Sudo installed via make
> install in /usr/ports/security/sudo on both parent and jail after a portsnap
> update. The version of sudo works fine in the parent. In the jail however I
> always get:

> zincite# /usr/local/sbin/visudo
> visudo: /usr/local/etc/sudoers busy, try again later

> Sudoers is not busy. This is on a fresh jail that only I have access to,
> doing a visudo right after the make install finishes.

> My first thought was the jail dev/fs perms were somehow messed up but I can
> write to /usr/local/etc. In fact I can vi /usr/local/etc/sudoers and write it
> back out.

> I've checked the sysctl flags. They are the same as on a working 6.x
> parent(but I've included them here FWIW):

I'm not sure that this configuration (6.x parent and 7.x jail) is supported. I think that just the opposite may (or should) work. Just my imho though. I'll be glad to be wrong here...

> Root Dude ? sysctl -a|egrep jail
> security.jail.jailed: 0
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 0
> security.jail.enforce_statfs: 2
> security.jail.sysvipc_allowed: 0
> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1

> Rc.conf has:

> ezjail_enable=YES
> jail_list="zincite"
> jail_zincite_rootdir=/usr/local/jails/zincite
> jail_zincite_hostname=zincite.earlham.edu
> jail_zincite_ip=159.28.83.137
> jail_zincite_interface=bge0
> #jail_zincite_fstab="/etc/zincite.fstab"
> jail_zincite_mount_enable="YES"
> jail_zincite_devfs_enable="YES"

> Fstab is pretty standard:

> Root Dude ? cat /etc/fstab.zincite
> /usr/local/jails/basejail /usr/local/jails/zincite/basejail nullfs ro 0 0

> The /usr/local/jails/zincite/etc/devfs.conf is non-tweaked

> zincite# ls -l /dev
> total 0
> dr-xr-xr-x 2 root wheel 512 Jul 29 16:23 fd
> lrwxr-xr-x 1 root wheel 14 Jul 29 16:23 log -> ../var/run/log
> crw-rw-rw- 1 root wheel 0, 6 Jul 29 17:33 null
> crw-rw-rw- 1 root wheel 0, 121 Jul 29 17:26 ptyp0
> crw-rw-rw- 1 root wheel 0, 123 Jul 29 17:38 ptyp1
> crw-rw-rw- 1 root wheel 0, 10 Jul 29 12:23 random
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stderr -> fd/2
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdin -> fd/0
> lrwxr-xr-x 1 root wheel 4 Jul 29 16:23 stdout -> fd/1
> crw-rw-rw- 1 root wheel 0, 122 Jul 29 17:26 ttyp0
> crw--w---- 1 rj tty 0, 124 Jul 29 17:38 ttyp1
> lrwxr-xr-x 1 root wheel 6 Jul 29 16:23 urandom -> random
> crw-rw-rw- 1 root wheel 0, 7 Jul 29 16:23 zero

> and /usr/local/etc/ezjail/zincite contains:

> export jail_zincite_hostname="zincite"
> export jail_zincite_ip="159.28.83.137"
> export jail_zincite_rootdir="/usr/local/jails/zincite"
> export jail_zincite_exec="/bin/sh /etc/rc"
> export jail_zincite_mount_enable="YES"
> export jail_zincite_devfs_enable="YES"
> export jail_zincite_devfs_ruleset="devfsrules_jail"
> export jail_zincite_procfs_enable="YES"
> export jail_zincite_fdescfs_enable="YES"
> export jail_zincite_image=""
> export jail_zincite_imagetype=""
> export jail_zincite_attachparams=""
> export jail_zincite_attachblocking=""
> export jail_zincite_forceblocking=""

> I tried tracing visudo but that didn't give me much:

> ...
> 1293: open("/usr/local/etc/sudoers",O_RDWR|O_CREAT,0440) = 3 (0x3)
> 1293: fcntl(3,F_SETLK,0x7fffffffe390) ERR#22 'Invalid argument'
> visudo: 1293: write(2,"visudo: ",8) = 8 (0x8)
> /usr/local/etc/sudoers busy, try again later 1293:
> write(2,"/usr/local/etc/sudoers busy, try"...,44) = 44 (0x2c)
> 1293: write(2,"\n",1) = 1 (0x1)
> 1293: process exit, rval = 1

> I noted the invalid argument, thought busted port, but same thing works great
> on the parent.

> I'm running out of places to poke.

WBR
--
bsam

From bsam at ipt.ru Tue Jul 29 19:19:58 2008
From: bsam at ipt.ru (Boris Samorodov)
Date: Tue Jul 29 19:20:05 2008
Subject: Mail delivery failed: returning message to sender
In-Reply-To: (Mail Delivery System's message of "Tue\, 29 Jul 2008 22\:58\:22 +0400")
References:
Message-ID: <94562073@ipt.ru>

Sorry freebsd-jail-list reader,

this message is for Randy Schultz.

Dear Randy, just FYI, but your mail server is blocking messages...

On Tue, 29 Jul 2008 22:58:22 +0400 Mail Delivery System wrote:

> This message was created automatically by mail delivery software.

> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:

> schulra@earlham.edu
> SMTP error from remote mail server after end of data:
> host diakatra.earlham.edu [159.28.1.37]: 554 Service unavailable; Client host [services.ipt.ru] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=85.173.16.156

> ------ This is a copy of the message, including all the headers. ------

> Return-path:
> Received: from [85.173.16.156] (helo=localhost.my.domain)
> by services.ipt.ru with esmtpa (Exim 4.54 (FreeBSD))
> id 1KNuOp-000Ily-Mp; Tue, 29 Jul 2008 22:58:19 +0400
> To: Randy Schultz
> Cc: freebsd-jail@freebsd.org
> Subject: Re: visudo non-functional in 7.0-RELEASE jail
> References:
> From: Boris Samorodov
> Date: Tue, 29 Jul 2008 22:57:10 +0400
> In-Reply-To: (Randy Schultz's message of "Tue\, 29 Jul 2008 14\:20\:34 -0400 \(EDT\)")
> Message-ID: <71363369@ipt.ru>
> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix)
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii

> On Tue, 29 Jul 2008 14:20:34 -0400 (EDT) Randy Schultz wrote:

[...]

WBR
--
bsam

From schulra at earlham.edu Tue Jul 29 19:56:03 2008
From: schulra at earlham.edu (Randy Schultz)
Date: Tue Jul 29 19:56:09 2008
Subject: Mail delivery failed: returning message to sender
In-Reply-To: <94562073@ipt.ru>
References: <94562073@ipt.ru>
Message-ID:

On Tue, 29 Jul 2008, Boris Samorodov spaketh thusly:

-}Sorry freebsd-jail-list reader,
-}
-}
-}this message is for Randy Schultz.
-}
-}Dear Randy, just FYI, but your mail server is blocking messages...

Taking this off-line. Tnx Boris.

-}
-}
-}On Tue, 29 Jul 2008 22:58:22 +0400 Mail Delivery System wrote:
-}
-}> This message was created automatically by mail delivery software.
-}
-}> A message that you sent could not be delivered to one or more of its
-}> recipients. This is a permanent error. The following address(es) failed:
-}
-}> schulra@earlham.edu
-}> SMTP error from remote mail server after end of data:
-}> host diakatra.earlham.edu [159.28.1.37]: 554 Service unavailable; Client host [services.ipt.ru] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=85.173.16.156
-}
-}> ------ This is a copy of the message, including all the headers. ------
-}
-}> Return-path:
-}> Received: from [85.173.16.156] (helo=localhost.my.domain)
-}> by services.ipt.ru with esmtpa (Exim 4.54 (FreeBSD))
-}> id 1KNuOp-000Ily-Mp; Tue, 29 Jul 2008 22:58:19 +0400
-}> To: Randy Schultz
-}> Cc: freebsd-jail@freebsd.org
-}> Subject: Re: visudo non-functional in 7.0-RELEASE jail
-}> References:
-}> From: Boris Samorodov
-}> Date: Tue, 29 Jul 2008 22:57:10 +0400
-}> In-Reply-To: (Randy Schultz's message of "Tue\, 29 Jul 2008 14\:20\:34 -0400 \(EDT\)")
-}> Message-ID: <71363369@ipt.ru>
-}> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix)
-}> MIME-Version: 1.0
-}> Content-Type: text/plain; charset=us-ascii
-}
-}> On Tue, 29 Jul 2008 14:20:34 -0400 (EDT) Randy Schultz wrote:
-}
-}[...]
-}
-}WBR
-}--
-}bsam
-}_______________________________________________
-}freebsd-jail@freebsd.org mailing list
-}http://lists.freebsd.org/mailman/listinfo/freebsd-jail
-}To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
-}

--
Randy (schulra@earlham.edu) 765.983.1283 <*>

Love with your heart, think with your head; not the other way around.

From edwin at mavetju.org Tue Jul 29 22:30:53 2008
From: edwin at mavetju.org (Edwin Groothuis)
Date: Tue Jul 29 22:31:03 2008
Subject: visudo non-functional in 7.0-RELEASE jail
Message-ID: <20080729221150.GA92564@k7.mavetju>

Since lock_file() consists of three different functions depending on your capabilities, could you pastebin the output of your config.log somewhere to figure out which one is used?

I have visudo (and sudo) here working without any problems, inside and outside jails.

Edwin

--
Edwin Groothuis   | Personal website: http://www.mavetju.org
edwin@mavetju.org | Weblog: http://www.mavetju.org/weblog/

From schulra at earlham.edu Wed Jul 30 16:04:19 2008
From: schulra at earlham.edu (Randy Schultz)
Date: Wed Jul 30 16:04:26 2008
Subject: visudo non-functional in 7.0-RELEASE jail
In-Reply-To: <20080729221150.GA92564@k7.mavetju>
References: <20080729221150.GA92564@k7.mavetju>
Message-ID:

On Wed, 30 Jul 2008, Edwin Groothuis spaketh thusly:

-}Since lock_file() consists of three different functions depending
-}on your capabilities, could you pastebin the output of your config.log
-}somewhere to figure out which one is used?

http://www.pastebin.be/13079

-}
-}I have visudo (and sudo) here working without any problems, inside
-}and outside jails.

For fbsd 7.0? I have it for 6.x. If yours is 7.0 then I must have missed something. Did you set your jails up the long way or with ezjail?

--
Randy (schulra@earlham.edu) 765.983.1283 <*>

Love with your heart, think with your head; not the other way around.

From bsam at ipt.ru Wed Jul 30 16:47:57 2008
From: bsam at ipt.ru (Boris Samorodov)
Date: Wed Jul 30 16:48:04 2008
Subject: visudo non-functional in 7.0-RELEASE jail
In-Reply-To: (Randy Schultz's message of "Wed\, 30 Jul 2008 12\:04\:16 -0400 \(EDT\)")
References: <20080729221150.GA92564@k7.mavetju>
Message-ID: <14238192@ipt.ru>

On Wed, 30 Jul 2008 12:04:16 -0400 (EDT) Randy Schultz wrote:
> On Wed, 30 Jul 2008, Edwin Groothuis spaketh thusly:

> -}Since lock_file() consists of three different functions depending
> -}on your capabilities, could you pastebin the output of your config.log
> -}somewhere to figure out which one is used?

> http://www.pastebin.be/13079

> -}
> -}I have visudo (and sudo) here working without any problems, inside
> -}and outside jails.

> For fbsd 7.0? I have it for 6.x. If yours is 7.0 then I must have missed
> something. Did you set your jails up the long way or with ezjail?

I have 7-STABLE here and some ezjail jails.
The "sudo ezjail update -i" command gives me:
-----
% ls -l /space/jails/basejail/usr/bin/su
-r-xr-xr-x 1 root wheel 16904 30 июл 20:34 /space/jails/basejail/usr/bin/su
-----

...while before updating it has been:
-----
-r-sr-xr-x 1 root wheel 16904 23 июл 19:09 /space/jails/basejail/usr/bin/su
-----

Note the bit "s" for the owner of the file. Sure the command "sudo chmod u+s /space/jails/basejail/usr/bin/su" helps here.

HTH and WBR
--
bsam

From schulra at earlham.edu Wed Jul 30 17:06:26 2008
From: schulra at earlham.edu (Randy Schultz)
Date: Wed Jul 30 17:06:32 2008
Subject: visudo non-functional in 7.0-RELEASE jail
In-Reply-To: <14238192@ipt.ru>
References: <20080729221150.GA92564@k7.mavetju> <14238192@ipt.ru>
Message-ID:

On Wed, 30 Jul 2008, Boris Samorodov spaketh thusly:

-}
-}I have 7-STABLE here and some ezjail jails. The "sudo ezjail update -i"
-}command gives me:
-}-----
-}% ls -l /space/jails/basejail/usr/bin/su
-}-r-xr-xr-x 1 root wheel 16904 30 июл 20:34 /space/jails/basejail/usr/bin/su
-}-----
-}
-}...while before updating it has been:
-}-----
-}-r-sr-xr-x 1 root wheel 16904 23 июл 19:09 /space/jails/basejail/usr/bin/su
-}-----
-}
-}Note the bit "s" for the owner of the file. Sure the command
-}"sudo chmod u+s /space/jails/basejail/usr/bin/su" helps here.

Hey Boris,

Tnx for the hint. Unfortunately my su in and out of the jail both have the same perms of 4555 so the problem is elsewhere.

--
Randy (schulra@earlham.edu) 765.983.1283 <*>

Love with your heart, think with your head; not the other way around.
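
Added example, not part of the thread and not code from sudo: the truss output above shows visudo reporting "busy" after fcntl(F_SETLK) returned EINVAL, so this C probe tries the three common advisory-locking calls (fcntl, flock, lockf) on a file and separates "someone holds the lock" from "the call itself is failing". The function names and the verdict enum are made up for this example; the default path is the sudoers path quoted in the thread.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

enum verdict { VERDICT_OK, VERDICT_BUSY, VERDICT_BROKEN };

/* EAGAIN/EACCES/EWOULDBLOCK mean another holder exists ("busy").
 * Anything else (EINVAL, ENOLCK, EOPNOTSUPP, or -1 for "could not open")
 * means the locking call itself does not work on this file or kernel. */
enum verdict classify(int err)
{
    if (err == 0)
        return VERDICT_OK;
    if (err == EAGAIN || err == EACCES || err == EWOULDBLOCK)
        return VERDICT_BUSY;
    return VERDICT_BROKEN;
}

/* Each probe opens the file itself, tries one non-blocking exclusive lock,
 * and returns 0 on success, the errno of the lock call, or -1 if open fails.
 * Closing the descriptor drops the lock again. */
int probe_fcntl(const char *path)
{
    struct flock fl;
    int fd = open(path, O_RDWR), err = 0;

    if (fd < 0)
        return -1;
    memset(&fl, 0, sizeof(fl));
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;      /* l_start = 0, l_len = 0: whole file */
    if (fcntl(fd, F_SETLK, &fl) == -1)
        err = errno;
    close(fd);
    return err;
}

int probe_flock(const char *path)
{
    int fd = open(path, O_RDWR), err = 0;

    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) == -1)
        err = errno;
    close(fd);
    return err;
}

int probe_lockf(const char *path)
{
    int fd = open(path, O_RDWR), err = 0;

    if (fd < 0)
        return -1;
    if (lockf(fd, F_TLOCK, 0) == -1)
        err = errno;
    close(fd);
    return err;
}

static enum verdict report(const char *name, int err)
{
    static const char *label[] = { "ok", "busy (held elsewhere)", "broken" };
    enum verdict v = classify(err);

    if (err > 0)
        printf("%-6s %s: errno %d (%s)\n", name, label[v], err, strerror(err));
    else
        printf("%-6s %s%s\n", name, label[v], err < 0 ? ": cannot open file" : "");
    return v;
}

int main(int argc, char **argv)
{
    /* Run it once on the host and once inside the jail, then compare. */
    const char *path = argc > 1 ? argv[1] : "/usr/local/etc/sudoers";
    int broken = 0;

    broken |= report("fcntl", probe_fcntl(path)) == VERDICT_BROKEN;
    broken |= report("flock", probe_flock(path)) == VERDICT_BROKEN;
    broken |= report("lockf", probe_lockf(path)) == VERDICT_BROKEN;
    return broken ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

A "broken" verdict for only one of the three calls narrows the problem to that locking path rather than to file permissions or a competing editor.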