From bugmaster at FreeBSD.org Mon Jun 2 11:06:56 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jun 2 11:07:08 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200806021106.m52B6tbZ093210@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- s kern/89528 jail [jail] [patch] impossible to kill a jail o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail 2 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with o kern/68192 jail [quotas] [jail] Cannot use quotas on jailed systems o kern/72498 jail [libc] [jail] timestamp code on jailed SMP machine gen o kern/74314 jail [resolver] [jail] DNS resolver broken under certain ja o kern/84215 jail [jail] [patch] wildcard ip (INADDR_ANY) should not bin o kern/89989 jail [jail] [patch] Add option -I (ASCII 73) PID to specif o kern/97071 jail [jail] [patch] add security.jail.jid sysctl o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o kern/120753 jail [jail] Zombie jails (jailed child process exits while 9 problems total. From alexus at gmail.com Mon Jun 2 23:52:10 2008 From: alexus at gmail.com (alexus) Date: Mon Jun 2 23:52:14 2008 Subject: FreeBSD-7.0 MULTIPLE-IPs In-Reply-To: <6ae50c2d0805121128t7721bc1kda6f2a187be03165@mail.gmail.com> References: <6ae50c2d0805121128t7721bc1kda6f2a187be03165@mail.gmail.com> Message-ID: <6ae50c2d0806021652l1e079b0ft72cbb34c223474e7@mail.gmail.com> anyone? On Mon, May 12, 2008 at 2:28 PM, alexus wrote: > Hello, > > I saw there is a few patches out there that gives jail ability to have > more then 1(one) IP address, however all those patches are very old > and jail in FreeBSD-7.0 has more then it had even 2-3 years ago, so I > was wondering if there is a new patch that works with FreeBSD-7, maybe > implmenting this patch is somewhat easier in 7.0 vs older releases? I > think DragonFly implmeneted one of the patches directly into core, why > FreeBSD won't do it already? > -- > http://alexus.org/ > -- http://alexus.org/ From alexus at gmail.com Tue Jun 3 00:17:26 2008 From: alexus at gmail.com (alexus) Date: Tue Jun 3 00:17:28 2008 Subject: New wiki page - Jails In-Reply-To: <48388C96.1050807@quip.cz> References: <4838851D.9010007@quip.cz> <20080524213123.E65662@maildrop.int.zabbadoz.net> <48388C96.1050807@quip.cz> Message-ID: <6ae50c2d0806021717g333e8e47v597d7fc311f82786@mail.gmail.com> i'm more concern about: Multi-IPv4/v6/no-IP jails In progress Bjoern A. Zeeb The multi-IPv4/v6 jails project was resumed in early January after previous work had been abandoned in 2006. As an alternate solution to full network stack virtualization, this work shall provide a lightweight solution for multi-IP virtualization. Perforce based on FreeBSD 7.x?/8.x any ETA at all? seems like such a demanding feature, yet its barly made it to the list of things to do :( On Sat, May 24, 2008 at 5:45 PM, Miroslav Lachman <000.fbsd@quip.cz> wrote: > > > Bjoern A. Zeeb wrote: > >> On Sat, 24 May 2008, Miroslav Lachman wrote: >> >> Hi, >> >>> I just started with some informations on http://wiki.freebsd.org/Jails >>> So let me know what you think about it and do not hesitate with more >>> ideas. >> >> >> Thanks for the summary. >> >> Just on a sidenote: most of the 'Future plans' will never happen as >> part of jails but as part of a larger virtualization technique if they >> are going to happen at all. >> Basically virtualizing everything under the name of jails does ot make >> a lot of sense. At one point you want a hypervisor and simply boot >> different instances. > > Yes, I am aware of it. It is just a list of "known" feature requests. If you > have some background knowledge of what and how is planned in FreeBSD for > Jail or Vimage, please let me know and I can write some notes to each > 'Future plan' item (someting like 'covered by Vimage' or 'will never appear > in Jails' etc.) or you can do it yourself, if you have write access to the > wiki page. > > Miroslav Lachman > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > -- http://alexus.org/ From frank at harz.behrens.de Tue Jun 3 06:21:31 2008 From: frank at harz.behrens.de (Frank Behrens) Date: Tue Jun 3 06:21:33 2008 Subject: New wiki page - Jails In-Reply-To: <6ae50c2d0806021717g333e8e47v597d7fc311f82786@mail.gmail.com> References: <48388C96.1050807@quip.cz> Message-ID: <200806030621.m536LMFN002000@post.frank-behrens.de> alexus wrote on 2 Jun 2008 20:17: > Multi-IPv4/v6/no-IP jails > In progress > Bjoern A. Zeeb > The multi-IPv4/v6 jails project was resumed in early January after > previous work had been abandoned in 2006. > As an alternate solution to full network stack virtualization, this > work shall provide a lightweight solution for multi-IP virtualization. > Perforce > based on FreeBSD 7.x?/8.x > > > any ETA at all? seems like such a demanding feature, yet its barly > made it to the list of things to do :( I can't give you an ETA, but I can give you a good feeling. ;-) On Bjoerns page are already patches available. I'm testing this on RELENG_7 and did not see any problems, it works very well on a (small) productive system. -- Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available. From ike at lesmuug.org Tue Jun 3 09:26:00 2008 From: ike at lesmuug.org (Isaac Levy) Date: Tue Jun 3 09:26:05 2008 Subject: FreeBSD-7.0 MULTIPLE-IPs In-Reply-To: <6ae50c2d0806021652l1e079b0ft72cbb34c223474e7@mail.gmail.com> References: <6ae50c2d0805121128t7721bc1kda6f2a187be03165@mail.gmail.com> <6ae50c2d0806021652l1e079b0ft72cbb34c223474e7@mail.gmail.com> Message-ID: <4290E004-F4CF-4537-A9FC-B630BAD634CC@lesmuug.org> Hello Alexus, I haven't been very close to this lately, so I may be stepping out of turn- but there's one big reason: The Virtual IP stack implementation underway (separate from the jail mechanism, but of course, QUITE perfect for jailing uses). I first learned Marko Zec's work on the virtual IP stack at EuroBSDCon 2007: http://2007.eurobsdcon.org/tutorial-virtualized-network-stack.html However, Bjoern Zeeb has resumed a jail-specific multi-ip implimentation- the current status seems to be updated soemwhat frequently here (yay!): http://wiki.freebsd.org/Jails#head-27743b977485318e421b24962498cf007f70dacf "The multi-IPv4/v6 jails project was resumed in early January after previous work had been abandoned in 2006. As an alternate solution to full network stack virtualization, this work shall provide a lightweight solution for multi-IP virtualization. Perforce based on FreeBSD 7.x?/8.x" Sadly for you however, at the time of this writing, it seems the 7.x patches are 'in progress'. -- To answer the dragonfly jail patch question- Dragonfly is a fork of the 4.x FreeBSD code, and with that, is now extremely different from FreeBSD 5.x onward. Therefore, many patches from the 4.x era code are straight inline with Dragonfly. Hope that answers your question or provides some direction, even if the answer doesn't meet your needs. Best, .ike On Jun 2, 2008, at 7:52 PM, alexus wrote: > anyone? > > On Mon, May 12, 2008 at 2:28 PM, alexus wrote: >> Hello, >> >> I saw there is a few patches out there that gives jail ability to >> have >> more then 1(one) IP address, however all those patches are very old >> and jail in FreeBSD-7.0 has more then it had even 2-3 years ago, so I >> was wondering if there is a new patch that works with FreeBSD-7, >> maybe >> implmenting this patch is somewhat easier in 7.0 vs older releases? I >> think DragonFly implmeneted one of the patches directly into core, >> why >> FreeBSD won't do it already? >> -- >> http://alexus.org/ >> > > > > -- > http://alexus.org/ > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail- > unsubscribe@freebsd.org" > From bzeeb-lists at lists.zabbadoz.net Tue Jun 3 09:40:07 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Tue Jun 3 09:40:10 2008 Subject: FreeBSD-7.0 MULTIPLE-IPs In-Reply-To: <4290E004-F4CF-4537-A9FC-B630BAD634CC@lesmuug.org> References: <6ae50c2d0805121128t7721bc1kda6f2a187be03165@mail.gmail.com> <6ae50c2d0806021652l1e079b0ft72cbb34c223474e7@mail.gmail.com> <4290E004-F4CF-4537-A9FC-B630BAD634CC@lesmuug.org> Message-ID: <20080603093306.O83875@maildrop.int.zabbadoz.net> On Tue, 3 Jun 2008, Isaac Levy wrote: Hi ike, > I first learned Marko Zec's work on the virtual IP stack at EuroBSDCon 2007: > http://2007.eurobsdcon.org/tutorial-virtualized-network-stack.html If you knew about things that happened at BSDCan 2008;-) Where have you been? > However, Bjoern Zeeb has resumed a jail-specific multi-ip implimentation- the > current status seems to be updated soemwhat frequently here (yay!): > http://wiki.freebsd.org/Jails#head-27743b977485318e421b24962498cf007f70dacf > > "The multi-IPv4/v6 jails project was resumed in early January after previous > work had been abandoned in 2006. > As an alternate solution to full network stack virtualization, this work > shall provide a lightweight solution for multi-IP virtualization. Perforce > based on FreeBSD 7.x?/8.x" > > Sadly for you however, at the time of this writing, it seems the 7.x patches > are 'in progress'. Well the entire things is "in progress" and as this is a FAQ the RELENG_7 patch that is out there is a bit outdated and I am working on an updated version as soon as I have tested what is in p4 on HEAD and feel that it still is as stable as the old patch was. BTW. Any HEAD version would be as old as the RELENG_7 one. Go here to find your way to the (old but stable) patch: http://www.freebsd.org/news/status/report-2008-01-2008-03.html#Multi-IPv4/v6/no-IP-jails I'll keep people updated on this list as soon as I have anything new. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From ike at lesmuug.org Tue Jun 3 14:05:35 2008 From: ike at lesmuug.org (Isaac Levy) Date: Tue Jun 3 14:05:42 2008 Subject: FreeBSD-7.0 MULTIPLE-IPs In-Reply-To: <20080603093306.O83875@maildrop.int.zabbadoz.net> References: <6ae50c2d0805121128t7721bc1kda6f2a187be03165@mail.gmail.com> <6ae50c2d0806021652l1e079b0ft72cbb34c223474e7@mail.gmail.com> <4290E004-F4CF-4537-A9FC-B630BAD634CC@lesmuug.org> <20080603093306.O83875@maildrop.int.zabbadoz.net> Message-ID: Hi Bjorn, On Jun 3, 2008, at 5:38 AM, Bjoern A. Zeeb wrote: > On Tue, 3 Jun 2008, Isaac Levy wrote: > > Hi ike, > >> I first learned Marko Zec's work on the virtual IP stack at >> EuroBSDCon 2007: >> http://2007.eurobsdcon.org/tutorial-virtualized-network-stack.html > > If you knew about things that happened at BSDCan 2008;-) Where have > you been? Oh, work :) I was pulled into a job which I let consume my entire life for a while here, I'll be out of the thick of it for summer. > > > >> However, Bjoern Zeeb has resumed a jail-specific multi-ip >> implimentation- the current status seems to be updated soemwhat >> frequently here (yay!): >> http://wiki.freebsd.org/Jails#head-27743b977485318e421b24962498cf007f70dacf >> >> "The multi-IPv4/v6 jails project was resumed in early January after >> previous work had been abandoned in 2006. >> As an alternate solution to full network stack virtualization, this >> work shall provide a lightweight solution for multi-IP >> virtualization. Perforce >> based on FreeBSD 7.x?/8.x" >> >> Sadly for you however, at the time of this writing, it seems the >> 7.x patches are 'in progress'. > > Well the entire things is "in progress" and as this is a FAQ the > RELENG_7 patch that is out there is a bit outdated and I am working on > an updated version as soon as I have tested what is in p4 on HEAD and > feel that it still is as stable as the old patch was. > BTW. Any HEAD version would be as old as the RELENG_7 one. > > Go here to find your way to the (old but stable) patch: > http://www.freebsd.org/news/status/report-2008-01-2008-03.html#Multi-IPv4/ > v6/no-IP-jails > > I'll keep people updated on this list as soon as I have anything new. Excellent! Thanks for posting the update! Rocket, .ike From 000.fbsd at quip.cz Tue Jun 3 22:13:51 2008 From: 000.fbsd at quip.cz (Miroslav Lachman) Date: Tue Jun 3 22:13:54 2008 Subject: A simple rc.d jail patch to enable priority In-Reply-To: <20080225151304.nan0he4xcs8kk00w@webmail.leidinger.net> References: <20080224163005.GG15445@oak.pl> <20080225151304.nan0he4xcs8kk00w@webmail.leidinger.net> Message-ID: <4845C229.4020503@quip.cz> Alexander Leidinger wrote: > Quoting Jan Srzednicki (from Sun, 24 Feb 2008 17:30:05 > +0100): > >> Hello, >> >> I have written this tiny little patch to the jail rc.d script, which >> allows user to set jail nice value. It doesn't change any default >> behaviour. >> >> Can that make it to the trees? >> Patch attached. > > You need to provide documentation for it if you want that someone > considers it for inclusion into the tree. I took it and sent PR conf/124248 with patch for rc.d/jail, defaults/rc.conf and man5/rc.conf.5 Please let me know if commited, so I can update status of the patch on http://wiki.freebsd.org/Jails Miroslav Lachman From nbari at k9.cx Fri Jun 6 05:39:55 2008 From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas) Date: Fri Jun 6 05:39:59 2008 Subject: ipsec Message-ID: <4F5A1DE6-3E56-4F53-9C0F-90D318DF8AC7@k9.cx> I had to make an VPN using IPSEC, the vpn is on the master host and is working but if it is only available from the master host not the jails, how can i make the jails to ping/access/telnet the VPN? I have something like this: 192.10.10.1---->A.A.A.A<------VPN /INTERNET--------->B.B.B.B--- >196.18.20.121 jails1 --->A.A.A.1 _| jails2 --->A.A.A.2 _| the jail1 is the one that needs the vpn to acces but if y try to ping 196.18.20.121 from jail1 with public IP (A.A.A.1) does not get any response, the VPN is only working from the master host. Any ideas on how to fixt this? my kernel has already compiled with: options IPSEC options IPSEC_ESP options IPSEC_DEBUG options IPSEC_FILTERGIF device crypto device enc options IPSEC_NAT_T regards -- > nbari From nbari at k9.cx Mon Jun 9 05:59:28 2008 From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas) Date: Mon Jun 9 05:59:32 2008 Subject: ipsec ipencap Message-ID: this option IPSEC_FILTERGIF seems only to work when using ipencap, but any idea on how to make it work when not using ipencap ? regards. I had to make an VPN using IPSEC, the vpn is on the master host and is working but if it is only available from the master host not the jails, how can i make the jails to ping/access/telnet the VPN? I have something like this: 192.10.10.1---->A.A.A.A<------VPN /INTERNET--------->B.B.B.B--- >196.18.20.121 jails1 --->A.A.A.1 _| jails2 --->A.A.A.2 _| the jail1 is the one that needs the vpn to acces but if y try to ping 196.18.20.121 from jail1 with public IP (A.A.A.1) does not get any response, the VPN is only working from the master host. Any ideas on how to fixt this? my kernel has already compiled with: options IPSEC options IPSEC_ESP options IPSEC_DEBUG options IPSEC_FILTERGIF device crypto device enc options IPSEC_NAT_T regards -- > nbari From bugmaster at FreeBSD.org Mon Jun 9 11:07:01 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jun 9 11:07:20 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200806091107.m59B71k6070782@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- s kern/89528 jail [jail] [patch] impossible to kill a jail o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail 2 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with o kern/68192 jail [quotas] [jail] Cannot use quotas on jailed systems o kern/72498 jail [libc] [jail] timestamp code on jailed SMP machine gen o kern/74314 jail [resolver] [jail] DNS resolver broken under certain ja o kern/84215 jail [jail] [patch] wildcard ip (INADDR_ANY) should not bin o kern/89989 jail [jail] [patch] Add option -I (ASCII 73) PID to specif o kern/97071 jail [jail] [patch] add security.jail.jid sysctl o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o kern/120753 jail [jail] Zombie jails (jailed child process exits while 9 problems total. From bzeeb-lists at lists.zabbadoz.net Mon Jun 9 17:35:07 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Mon Jun 9 17:35:17 2008 Subject: ipsec In-Reply-To: <4F5A1DE6-3E56-4F53-9C0F-90D318DF8AC7@k9.cx> References: <4F5A1DE6-3E56-4F53-9C0F-90D318DF8AC7@k9.cx> Message-ID: <20080609173344.O83875@maildrop.int.zabbadoz.net> On Fri, 6 Jun 2008, Nicolas de Bari Embriz Garcia Rojas wrote: > I had to make an VPN using IPSEC, the vpn is on the master host and is > working but if it is only available from the master host not the jails, how > can i make the jails to ping/access/telnet the VPN? use a correct policy on the base host (you cannot do this from within the jail). PS: things like this are better discussed on net@ -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From nbari at k9.cx Mon Jun 9 19:36:22 2008 From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas) Date: Mon Jun 9 19:36:26 2008 Subject: ipsec In-Reply-To: <20080609173344.O83875@maildrop.int.zabbadoz.net> References: <4F5A1DE6-3E56-4F53-9C0F-90D318DF8AC7@k9.cx> <20080609173344.O83875@maildrop.int.zabbadoz.net> Message-ID: <10EDE3B1-4574-4EEA-B913-AE72AF89DCD0@k9.cx> Hello, how to use the correct policy on the base host ? can you please explain more. regards. -- > nbari On Jun 9, 2008, at 12:34 PM, Bjoern A. Zeeb wrote: > On Fri, 6 Jun 2008, Nicolas de Bari Embriz Garcia Rojas wrote: > >> I had to make an VPN using IPSEC, the vpn is on the master host and >> is working but if it is only available from the master host not the >> jails, how can i make the jails to ping/access/telnet the VPN? > > use a correct policy on the base host (you cannot do this from within > the jail). > > > PS: things like this are better discussed on net@ > > -- > Bjoern A. Zeeb Stop bit received. Insert coin for new > game. From cco1817-0 at yahoo.de Thu Jun 12 23:50:01 2008 From: cco1817-0 at yahoo.de (cco1817-0@yahoo.de) Date: Thu Jun 12 23:50:06 2008 Subject: Populating a jail with "make world"??? Message-ID: <192473.80058.qm@web27606.mail.ukl.yahoo.com> Hello, I'm about to learn how to use jails and I've some confusions after reading the handbook and some other ressources. Chapter 23.4 warns "do not use make world". Chapter 15.4 invites me to use "make world" etc. to populate a jail. I've never used "make world" or "make buildworld" until now. I used the install.sh scripts from RELEASE images to install a new machine or to "update" (reason for this: I don't know what make **** is doing). Can someone please explain me the disadvantages if I use the install.sh scripts for my (service-) jails? BTW: No related to jails, but does it make sense to recompile a freshly installed system completely using "make world/buildworld"? Thanks in advance! Ede __________________________________________________________ Gesendet von Yahoo! Mail. Dem pfiffigeren Posteingang. http://de.overview.mail.yahoo.com From jorge at bsdchile.cl Fri Jun 13 00:25:43 2008 From: jorge at bsdchile.cl (Jorge Medina) Date: Fri Jun 13 00:25:47 2008 Subject: Populating a jail with "make world"??? In-Reply-To: <192473.80058.qm@web27606.mail.ukl.yahoo.com> References: <192473.80058.qm@web27606.mail.ukl.yahoo.com> Message-ID: <28d0e6b80806121725p641a9a1fv27fb082d1bee1a82@mail.gmail.com> On Thu, Jun 12, 2008 at 7:23 PM, wrote: > Hello, > > I'm about to learn how to use jails and I've some confusions after reading the handbook and some other ressources. > > Chapter 23.4 warns "do not use make world". > Chapter 15.4 invites me to use "make world" etc. to populate a jail. you just follow this steps: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-build.html and work fine. > I've never used "make world" or "make buildworld" until now. I used the install.sh scripts from RELEASE images to install a new machine or to "update" (reason for this: I don't know what make **** is doing). Can someone please explain me the disadvantages if I use the install.sh scripts for my (service-) jails? > > BTW: No related to jails, but does it make sense to recompile a freshly installed system completely using "make world/buildworld"? > > Thanks in advance! > Ede > > > > __________________________________________________________ > Gesendet von Yahoo! Mail. > Dem pfiffigeren Posteingang. > http://de.overview.mail.yahoo.com > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > -- Jorge Andr?s Medina Oliva. Systems Manager and Developer. BSDCHiLE. From edwin at mavetju.org Sun Jun 15 05:54:38 2008 From: edwin at mavetju.org (Edwin Groothuis) Date: Sun Jun 15 05:54:42 2008 Subject: Populating a jail with "make world"??? In-Reply-To: <192473.80058.qm@web27606.mail.ukl.yahoo.com> Message-ID: <20080615053457.GA33997@k7.mavetju> > I'm about to learn how to use jails and I've some confusions after > reading the handbook and some other ressources. > I've never used "make world" or "make buildworld" until now. I used > the install.sh scripts from RELEASE images to install a new machine > or to "update" (reason for this: I don't know what make **** is > doing). Can someone please explain me the disadvantages if I use > the install.sh scripts for my (service-) jails? If you want jails without the hassles of buildworld and friends, can I suggest to use sysutils/ezjail? See http://erdgeist.org/arts/software/ezjail/ for more details. Edwin -- Edwin Groothuis | Personal website: http://www.mavetju.org edwin@mavetju.org | Weblog: http://www.mavetju.org/weblog/ From bugmaster at FreeBSD.org Mon Jun 16 11:06:58 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jun 16 11:07:41 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200806161106.m5GB6vTN036751@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- s kern/89528 jail [jail] [patch] impossible to kill a jail o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail 2 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with o kern/68192 jail [quotas] [jail] Cannot use quotas on jailed systems o kern/72498 jail [libc] [jail] timestamp code on jailed SMP machine gen o kern/74314 jail [resolver] [jail] DNS resolver broken under certain ja o kern/84215 jail [jail] [patch] wildcard ip (INADDR_ANY) should not bin o kern/89989 jail [jail] [patch] Add option -I (ASCII 73) PID to specif o kern/97071 jail [jail] [patch] add security.jail.jid sysctl o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o kern/120753 jail [jail] Zombie jails (jailed child process exits while 9 problems total. From bzeeb-lists at lists.zabbadoz.net Tue Jun 17 18:05:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Tue Jun 17 18:05:11 2008 Subject: new set of multi-IPv4/v6/noIP jail patches Message-ID: <20080617175607.B83875@maildrop.int.zabbadoz.net> Hi, while for some stuff only infrastructure is there, there is more now. Any feedback would be welcome. I'll have to work on something else the next week so not going to implement the full set of "state", ... Get the diffs from: http://sources.zabbadoz.net/freebsd/jail.html Warning; I have basically tested them for 7-STABLE and HEAD, but no longer than 10 minutes each. Warning: you will have to recompile world and kernel Warning: input/output of tools like jls changed so ports or other tools might break. In case you want a noIP jail you have to give the mandatory "IP address" argument as empty string like "" . Warning: you'll find out yourself;) /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From peter at pean.org Thu Jun 19 10:09:04 2008 From: peter at pean.org (=?ISO-8859-1?Q?Peter_Ankerst=E5l?=) Date: Thu Jun 19 10:09:10 2008 Subject: tun/gif interfaces inside jail. Message-ID: Is it possible to give root access to a certain tun-interface inside a jail? In order to use OpenVPN or something like that? -- Peter Ankerst?l peter@pean.org From jille at hexon.cx Thu Jun 19 10:27:06 2008 From: jille at hexon.cx (Jille Timmmermans) Date: Thu Jun 19 10:27:09 2008 Subject: tun/gif interfaces inside jail. In-Reply-To: References: Message-ID: <485A30DA.8080807@hexon.cx> No. You must run OpenVPN outside of your jail Peter Ankerst?l wrote: > Is it possible to give root access to a certain tun-interface inside a > jail? > In order to use OpenVPN or something like that? > -- > Peter Ankerst?l > peter@pean.org > > > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" From scheidell at secnap.net Thu Jun 19 10:49:21 2008 From: scheidell at secnap.net (Michael Scheidell) Date: Thu Jun 19 10:49:25 2008 Subject: tun/gif interfaces inside jail. In-Reply-To: <485A30DA.8080807@hexon.cx> References: <485A30DA.8080807@hexon.cx> Message-ID: <485A359A.8010303@secnap.net> Jille Timmmermans wrote: > No. > You must run OpenVPN outside of your jail > > Peter Ankerst?l wrote: I have read RUMORS that you can have the jailed systems route through and access the jail which is outside the jail, but so far, have not sean any real 'cookbook' on how to do it. I tried it a couple of times and gave up. I wanted to get it to work, but with all the partial hints about routing, natd, pf rules with no real solution, I gave up and bought a $500 sonicwall firewall. -- Michael Scheidell, CTO Main: 561-999-5000, Office: 561-939-7259 > *| *SECNAP Network Security Corporation Winner 2008 Technosium hot company award. www.technosium.com/hotcompanies/ _________________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _________________________________________________________________________ From 000.fbsd at quip.cz Thu Jun 19 15:56:16 2008 From: 000.fbsd at quip.cz (Miroslav Lachman) Date: Thu Jun 19 15:56:21 2008 Subject: tun/gif interfaces inside jail. In-Reply-To: References: Message-ID: <485A81AF.2090200@quip.cz> Peter Ankerst?l wrote: > Is it possible to give root access to a certain tun-interface inside a > jail? > In order to use OpenVPN or something like that? > -- Jail can use only 1 IP address (currently). If you need to use only some ports on VPN, you can use port redirect by firewall. I am using it to access MSSQL server throught VPN from jail. See my message in this list from 2008-04-22 with subject "Re: routing" Miroslav Lachman From Albert.Shih at obspm.fr Thu Jun 19 15:57:44 2008 From: Albert.Shih at obspm.fr (Albert Shih) Date: Thu Jun 19 15:57:48 2008 Subject: Acces to apache log. Message-ID: <20080619154704.GA89585@pcjas.obspm.fr> Hi all I'm using FreeBSD with jail. On those jail I'm running apache and tomcat (not apache/tomcat, but apache and tomcat not in same jail of course). Now my user (developper team) want to have access to tomcat log and apache log for debugging. I really prefer to not grant ssh access to my developper (the code is push with subversion). How can I do that ? Make the acces to apache-log and tomcat-log (or anything log) to my users ? Regards. -- Albert SHIH SIO batiment 15 Observatoire de Paris Meudon 5 Place Jules Janssen 92195 Meudon Cedex Heure local/Local time: Jeu 19 jui 2008 17:44:04 CEST From albinootje at gmail.com Thu Jun 19 16:50:59 2008 From: albinootje at gmail.com (albinootje) Date: Thu Jun 19 16:51:03 2008 Subject: Acces to apache log. In-Reply-To: <20080619154704.GA89585@pcjas.obspm.fr> References: <20080619154704.GA89585@pcjas.obspm.fr> Message-ID: <485A87B1.7020509@gmail.com> Albert Shih wrote: Hi, > I'm using FreeBSD with jail. On those jail I'm running apache and tomcat > (not apache/tomcat, but apache and tomcat not in same jail of course). > > Now my user (developper team) want to have access to tomcat log and apache > log for debugging. > > I really prefer to not grant ssh access to my developper (the code is push > with subversion). > > How can I do that ? Make the acces to apache-log and tomcat-log (or anything log) > to my users ? If I was in the same situation i would make another jail just to provide the log-files with read-only "nullfs" mounts for that person. Or use for that user scponly with chroot option as shell, which is a little bit more work, and then again use nullfs to mount the logfile directories for that user. Good luck! Kind regards, Albi. From lists at mschuette.name Thu Jun 19 17:21:09 2008 From: lists at mschuette.name (=?ISO-8859-1?Q?Martin_Sch=FCtte?=) Date: Thu Jun 19 17:21:14 2008 Subject: Acces to apache log. In-Reply-To: <20080619154704.GA89585@pcjas.obspm.fr> References: <20080619154704.GA89585@pcjas.obspm.fr> Message-ID: <485A91AD.2070006@mschuette.name> Albert Shih schrieb: > How can I do that ? Make the acces to apache-log and tomcat-log (or anything log) > to my users ? Maybe some unconventional approach: use syslog to write all logs to a user-accessible location. (If they have no shell account at all, then to a file on the Apache server they cann access by HTTPS.) Example from httpd.conf: CustomLog /var/log/apache/access.log combined CustomLog "|/usr/bin/logger -p local1.info -t apache" complete Then in syslog.conf on the apache server: local1.info /usr/local/www/userdata/access.log and on backend-servers: local1.info @other-server Oh, and make sure the syslogd is portfiltered so it is not accessible from the internat but only from your backend servers. I do not know about Tomcat, but it should be able to log to syslog as well. -- Martin From alexus at gmail.com Thu Jun 19 18:23:33 2008 From: alexus at gmail.com (alexus) Date: Thu Jun 19 18:23:35 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <20080617175607.B83875@maildrop.int.zabbadoz.net> References: <20080617175607.B83875@maildrop.int.zabbadoz.net> Message-ID: <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> I'm about to try out your latest patch http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff i didn't find any instructions, did I missed them or they just don't exists at all? can you give us some short cheat sheet on what needs to be done in order to install and use it correctly? On Tue, Jun 17, 2008 at 2:03 PM, Bjoern A. Zeeb wrote: > Hi, > > while for some stuff only infrastructure is there, there is more now. > Any feedback would be welcome. I'll have to work on something else the > next week so not going to implement the full set of "state", ... > > Get the diffs from: http://sources.zabbadoz.net/freebsd/jail.html > > Warning; I have basically tested them for 7-STABLE and HEAD, but no > longer than 10 minutes each. > > Warning: you will have to recompile world and kernel > > Warning: input/output of tools like jls changed so ports or > other tools might break. In case you want a noIP jail you have > to give the mandatory "IP address" argument as empty string like > "" . > > Warning: you'll find out yourself;) > > > /bz > > -- > Bjoern A. Zeeb Stop bit received. Insert coin for new game. > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > -- http://alexus.org/ From peter at pean.org Thu Jun 19 18:30:31 2008 From: peter at pean.org (=?ISO-8859-1?Q?Peter_Ankerst=E5l?=) Date: Thu Jun 19 18:30:35 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> Message-ID: <35EA21CD-E643-41CA-B7F9-875AB9F4B092@pean.org> On Jun 19, 2008, at 8:23 PM, alexus wrote: > I'm about to try out your latest patch > http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff > > i didn't find any instructions, did I missed them or they just don't > exists at all? > can you give us some short cheat sheet on what needs to be done in > order to install and use it correctly? > > I guess its just to put it in /usr/src and run patch < 20080617-01- jail-7.0R.diff and recompile. Then there is some changes to the jail manual so I guess it can be read there. -- Peter Ankerst?l peter@pean.org From bzeeb-lists at lists.zabbadoz.net Thu Jun 19 19:05:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Thu Jun 19 19:05:12 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> References: <20080617175607.B83875@maildrop.int.zabbadoz.net> <6ae50c2d0806191123v1794d682rcae256d3a22625ed@mail.gmail.com> Message-ID: <20080619185834.E83875@maildrop.int.zabbadoz.net> On Thu, 19 Jun 2008, alexus wrote: Hi, > I'm about to try out your latest patch > http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff be aware that this one will be updated again soonish (as some things do not yet work [raw ipv6 sockets to be precise is what I am aware of so far]). > i didn't find any instructions, did I missed them or they just don't > exists at all? > can you give us some short cheat sheet on what needs to be done in > order to install and use it correctly? cd /usr/src fetch http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff patch -C < 20080617-01-jail-7.0R.diff echo $? if it says "0" patch < 20080617-01-jail-7.0R.diff if it says anything else, the patch would not apply cleanly. Tell me along with the CVS checkout date of your sources. [ consult the apropriate docs for all those following steps. The handbook might help ] make buildworld make buildkernel su make installworld make installkernel mergemaster reboot be prepared for panics, reboots, ... ;-) Read the man pages on jail, jls and jexec. I hope that short summary helps. Bjoern PS: if you are staying with 7.0-RELEASE be sure to get the sources for -p2 as an Errata Notice just went in (which my patch isn't aware of yet but should still apply). -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From cloud at madpowah.org Thu Jun 19 19:45:28 2008 From: cloud at madpowah.org (cloud) Date: Thu Jun 19 19:45:31 2008 Subject: Acces to apache log. In-Reply-To: <485A87B1.7020509@gmail.com> References: <20080619154704.GA89585@pcjas.obspm.fr> <485A87B1.7020509@gmail.com> Message-ID: <485A961D.3060701@madpowah.org> On my server with jails, I have changed the error-log directive of Apache to send logs in an other jail which is listening with syslog and it works fine. Then you have just to create an acces in this jail. albinootje wrote: > Albert Shih wrote: > > Hi, > > >> I'm using FreeBSD with jail. On those jail I'm running apache and tomcat >> (not apache/tomcat, but apache and tomcat not in same jail of course). >> >> Now my user (developper team) want to have access to tomcat log and apache >> log for debugging. >> >> I really prefer to not grant ssh access to my developper (the code is push >> with subversion). >> >> How can I do that ? Make the acces to apache-log and tomcat-log (or anything log) >> to my users ? >> > > If I was in the same situation i would make another jail just to provide > the log-files > with read-only "nullfs" mounts for that person. > > Or use for that user scponly with chroot option as shell, which is a > little bit more work, > and then again use nullfs to mount the logfile directories for that user. > > Good luck! > > Kind regards, > Albi. > > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > From wolf at k18.ch Fri Jun 20 03:18:12 2008 From: wolf at k18.ch (Alain Wolf) Date: Fri Jun 20 03:18:16 2008 Subject: Acces to apache log. In-Reply-To: <20080619154704.GA89585@pcjas.obspm.fr> References: <20080619154704.GA89585@pcjas.obspm.fr> Message-ID: <485B1B2F.90909@k18.ch> On 19.06.2008 17:47, Albert Shih wrote: > Hi all > > I'm using FreeBSD with jail. On those jail I'm running apache and tomcat > (not apache/tomcat, but apache and tomcat not in same jail of course). > > Now my user (developper team) want to have access to tomcat log and apache > log for debugging. > > I really prefer to not grant ssh access to my developper (the code is push > with subversion). > > How can I do that ? Make the acces to apache-log and tomcat-log (or anything log) > to my users ? > > Regards. > Ours access log-files trough a protected website. From peter at pean.org Fri Jun 20 12:32:56 2008 From: peter at pean.org (=?ISO-8859-1?Q?Peter_Ankerst=E5l?=) Date: Fri Jun 20 12:33:01 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <20080617175607.B83875@maildrop.int.zabbadoz.net> References: <20080617175607.B83875@maildrop.int.zabbadoz.net> Message-ID: On Jun 17, 2008, at 8:03 PM, Bjoern A. Zeeb wrote: > Hi, > > while for some stuff only infrastructure is there, there is more now. > Any feedback would be welcome. I'll have to work on something else the > next week so not going to implement the full set of "state", ... > > Get the diffs from: http://sources.zabbadoz.net/freebsd/jail.html > > Warning; I have basically tested them for 7-STABLE and HEAD, but no > longer than 10 minutes each. > > Warning: you will have to recompile world and kernel > > Warning: input/output of tools like jls changed so ports or > other tools might break. In case you want a noIP jail you have > to give the mandatory "IP address" argument as empty string like > "" . > > Warning: you'll find out yourself;) Maybe Im stupid, but I cant figure out the syntax in rc.conf for multiple ips. From bzeeb-lists at lists.zabbadoz.net Fri Jun 20 12:45:06 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Fri Jun 20 12:45:17 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: References: <20080617175607.B83875@maildrop.int.zabbadoz.net> Message-ID: <20080620123721.V83875@maildrop.int.zabbadoz.net> On Fri, 20 Jun 2008, Peter Ankerst?l wrote: > > On Jun 17, 2008, at 8:03 PM, Bjoern A. Zeeb wrote: > >> Hi, >> >> while for some stuff only infrastructure is there, there is more now. >> Any feedback would be welcome. I'll have to work on something else the >> next week so not going to implement the full set of "state", ... >> >> Get the diffs from: http://sources.zabbadoz.net/freebsd/jail.html >> >> Warning; I have basically tested them for 7-STABLE and HEAD, but no >> longer than 10 minutes each. >> >> Warning: you will have to recompile world and kernel >> >> Warning: input/output of tools like jls changed so ports or >> other tools might break. In case you want a noIP jail you have >> to give the mandatory "IP address" argument as empty string like >> "" . >> >> Warning: you'll find out yourself;) > > Maybe Im stupid, but I cant figure out the syntax in rc.conf for multiple > ips. "a,b,c,d,f,g" like you would give it on the command line. jail_a_ip="192.0.2.2,2001:db8:13:68::2,2001:db8:13:68::1,2001:db8:13:68::4,2001:db8:13:68::13,192.0.2.3" If you use the ifconfig stuff (jail_x_interface=...) from the jail startup script someone else has a patch for that... I don't care about it as I never liked it. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From ruben at verweg.com Fri Jun 20 14:26:39 2008 From: ruben at verweg.com (Ruben van Staveren) Date: Fri Jun 20 14:26:43 2008 Subject: new set of multi-IPv4/v6/noIP jail patches Message-ID: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20080620/59cee2b5/PGP.pgp From alexus at gmail.com Sat Jun 21 17:35:05 2008 From: alexus at gmail.com (alexus) Date: Sat Jun 21 17:35:09 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> References: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> Message-ID: <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Werror /usr/src/sys/kern/kern_jail.c cc1: warnings being treated as errors /usr/src/sys/kern/kern_jail.c: In function 'prison_if': /usr/src/sys/kern/kern_jail.c:876: warning: unused variable 'sai6' *** Error code 1 Stop in /usr/obj/usr/src/sys/t. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. bash-3.2# On Fri, Jun 20, 2008 at 10:10 AM, Ruben van Staveren wrote: > >> Maybe Im stupid, but I cant figure out the syntax in rc.conf for multiple >> ips. > > > You might try this patch against /etc/rc.d/jail to help starting > multi-IPv4/v6/no-IP jails > > Just the 1st iteration > > open issues > > * add support for no-IP jails > * handle ipv6 addresses more cleanly (support notations like > 2001:888:1029::10.1.1.1, 2001:888:1029:0:0:0:0:1) > > this is because you'll get "address not assigned" errors because ifconfig > doesn't seem to make the v6 address canonical. This only happens when you > stop the jail btw. > > you'll need to stuff v6 stuff in _ipv6 variables though. > > > > > > > Regards, > Ruben > > > -- http://alexus.org/ From alexus at gmail.com Sat Jun 21 17:37:08 2008 From: alexus at gmail.com (alexus) Date: Sat Jun 21 17:37:11 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> References: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> Message-ID: <6ae50c2d0806211037g31d8e9beqeea36b480ee62f3b@mail.gmail.com> this is against http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff with 7.0-RELEASE-p2 On Sat, Jun 21, 2008 at 1:35 PM, alexus wrote: > cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs > -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline > -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc > -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL > -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common > -finline-limit=8000 --param inline-unit-growth=100 --param > large-function-growth=1000 -mno-align-long-strings > -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 > -mno-sse3 -ffreestanding -Werror /usr/src/sys/kern/kern_jail.c > cc1: warnings being treated as errors > /usr/src/sys/kern/kern_jail.c: In function 'prison_if': > /usr/src/sys/kern/kern_jail.c:876: warning: unused variable 'sai6' > *** Error code 1 > > Stop in /usr/obj/usr/src/sys/t. > *** Error code 1 > > Stop in /usr/src. > *** Error code 1 > > Stop in /usr/src. > bash-3.2# > > On Fri, Jun 20, 2008 at 10:10 AM, Ruben van Staveren wrote: >> >>> Maybe Im stupid, but I cant figure out the syntax in rc.conf for multiple >>> ips. >> >> >> You might try this patch against /etc/rc.d/jail to help starting >> multi-IPv4/v6/no-IP jails >> >> Just the 1st iteration >> >> open issues >> >> * add support for no-IP jails >> * handle ipv6 addresses more cleanly (support notations like >> 2001:888:1029::10.1.1.1, 2001:888:1029:0:0:0:0:1) >> >> this is because you'll get "address not assigned" errors because ifconfig >> doesn't seem to make the v6 address canonical. This only happens when you >> stop the jail btw. >> >> you'll need to stuff v6 stuff in _ipv6 variables though. >> >> >> >> >> >> >> Regards, >> Ruben >> >> >> > > > > -- > http://alexus.org/ > -- http://alexus.org/ From jeremie at le-hen.org Sat Jun 21 17:51:00 2008 From: jeremie at le-hen.org (Jeremie Le Hen) Date: Sat Jun 21 17:51:05 2008 Subject: Populating a jail with "make world"??? In-Reply-To: <192473.80058.qm@web27606.mail.ukl.yahoo.com> References: <192473.80058.qm@web27606.mail.ukl.yahoo.com> Message-ID: <20080621172125.GQ46885@obiwan.tataz.chchile.org> Hi, On Thu, Jun 12, 2008 at 11:23:19PM +0000, cco1817-0@yahoo.de wrote: > Hello, > > I'm about to learn how to use jails and I've some confusions after > reading the handbook and some other ressources. > > Chapter 23.4 warns "do not use make world". Chapter 15.4 invites me > to use "make world" etc. to populate a jail. "make world" does the following: for each directory: compile install "make buildworld installworld" does the following: for each directory: compile for each directory install Using "make world" to create a jail is harmless, but using "make world" to update a running jail or the host may lead to temporary inconsistencies on the system during the process. Regards, -- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org > From bzeeb-lists at lists.zabbadoz.net Sat Jun 21 21:35:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Sat Jun 21 21:35:10 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <6ae50c2d0806211037g31d8e9beqeea36b480ee62f3b@mail.gmail.com> References: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> <6ae50c2d0806211037g31d8e9beqeea36b480ee62f3b@mail.gmail.com> Message-ID: <20080621212933.J83875@maildrop.int.zabbadoz.net> On Sat, 21 Jun 2008, alexus wrote: > this is against > http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff > with 7.0-RELEASE-p2 > > On Sat, Jun 21, 2008 at 1:35 PM, alexus wrote: >> cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs >> -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline >> -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc >> -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL >> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common >> -finline-limit=8000 --param inline-unit-growth=100 --param >> large-function-growth=1000 -mno-align-long-strings >> -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 >> -mno-sse3 -ffreestanding -Werror /usr/src/sys/kern/kern_jail.c >> cc1: warnings being treated as errors >> /usr/src/sys/kern/kern_jail.c: In function 'prison_if': >> /usr/src/sys/kern/kern_jail.c:876: warning: unused variable 'sai6' >> *** Error code 1 Are you building without INET6 in your kernel config? This should fix it: struct sockaddr_in *sai; +#ifdef INET6 struct sockaddr_in6 *sai6; +#endif int ok; I'll commit it and you'll have it with the next patchset. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From bugmaster at FreeBSD.org Mon Jun 23 11:06:57 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jun 23 11:07:19 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200806231106.m5NB6uNZ065001@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- s kern/89528 jail [jail] [patch] impossible to kill a jail o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail 2 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with o kern/68192 jail [quotas] [jail] Cannot use quotas on jailed systems o kern/72498 jail [libc] [jail] timestamp code on jailed SMP machine gen o kern/74314 jail [resolver] [jail] DNS resolver broken under certain ja o kern/84215 jail [jail] [patch] wildcard ip (INADDR_ANY) should not bin o kern/89989 jail [jail] [patch] Add option -I (ASCII 73) PID to specif o kern/97071 jail [jail] [patch] add security.jail.jid sysctl o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o kern/120753 jail [jail] Zombie jails (jailed child process exits while 9 problems total. From alexus at gmail.com Mon Jun 23 19:57:47 2008 From: alexus at gmail.com (alexus) Date: Mon Jun 23 19:57:50 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <20080621212933.J83875@maildrop.int.zabbadoz.net> References: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> <6ae50c2d0806211037g31d8e9beqeea36b480ee62f3b@mail.gmail.com> <20080621212933.J83875@maildrop.int.zabbadoz.net> Message-ID: <6ae50c2d0806231257y48791f03r2b3518517f0af653@mail.gmail.com> yeah, I dont have IPV6, and whatever you gave me isn't enough at least for me, i don't know how incorporate this code into patch, can you post a new patch with these fixes? Thanks! On Sat, Jun 21, 2008 at 5:32 PM, Bjoern A. Zeeb wrote: > On Sat, 21 Jun 2008, alexus wrote: > >> this is against >> http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff >> with 7.0-RELEASE-p2 >> >> On Sat, Jun 21, 2008 at 1:35 PM, alexus wrote: >>> >>> cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs >>> -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline >>> -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc >>> -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL >>> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common >>> -finline-limit=8000 --param inline-unit-growth=100 --param >>> large-function-growth=1000 -mno-align-long-strings >>> -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 >>> -mno-sse3 -ffreestanding -Werror /usr/src/sys/kern/kern_jail.c >>> cc1: warnings being treated as errors >>> /usr/src/sys/kern/kern_jail.c: In function 'prison_if': >>> /usr/src/sys/kern/kern_jail.c:876: warning: unused variable 'sai6' >>> *** Error code 1 > > Are you building without INET6 in your kernel config? > > This should fix it: > > struct sockaddr_in *sai; > +#ifdef INET6 > struct sockaddr_in6 *sai6; > +#endif > int ok; > > > I'll commit it and you'll have it with the next patchset. > > > /bz > > -- > Bjoern A. Zeeb Stop bit received. Insert coin for new game. > -- http://alexus.org/ From bzeeb-lists at lists.zabbadoz.net Mon Jun 23 23:15:08 2008 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Mon Jun 23 23:15:12 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <6ae50c2d0806231257y48791f03r2b3518517f0af653@mail.gmail.com> References: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> <6ae50c2d0806211037g31d8e9beqeea36b480ee62f3b@mail.gmail.com> <20080621212933.J83875@maildrop.int.zabbadoz.net> <6ae50c2d0806231257y48791f03r2b3518517f0af653@mail.gmail.com> Message-ID: <20080623200215.J83875@maildrop.int.zabbadoz.net> On Mon, 23 Jun 2008, alexus wrote: > yeah, I dont have IPV6, and whatever you gave me isn't enough at least > for me, i don't know how incorporate this code into patch, can you > post a new patch with these fixes? Don't incorp it into the patch, edit the patched file and rebuild. you go to /usr/src/sys/kern (if your sources are in /usr/src) vi kern_jail.c go to the line from the error message and find the place where to add the two lines I had marked with +. I'll not re-roll another 7.0R patch before I have done the HEAD to RELENG_7 and then to 7.0-R chain entirely. It'll at least be another day or two once the builds and the boots and everything was tested. /bz -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. From spry at anarchy.in.the.ph Tue Jun 24 10:38:01 2008 From: spry at anarchy.in.the.ph (Mars G Miro) Date: Tue Jun 24 10:38:07 2008 Subject: new jail patches -- OK Message-ID: Greetz, I've just tested, over the last month, bz@'s new jail patches for ipv4/ipv6 patches and they work OK. The only thing I haven't tested is the no-IP stuff. Prolly when I have the time. Thanks! -- cheers mars From c2thunes at brewtab.com Tue Jun 24 21:56:33 2008 From: c2thunes at brewtab.com (Christopher Thunes) Date: Tue Jun 24 21:56:38 2008 Subject: Memory limits on 7.0 Message-ID: <48616B3F.4030705@brewtab.com> Hey everyone, I spent some time working on getting cdjones' memory limit patches updated for 7.0 and beyond and thought I'd post my progress. I've attached my current patch which implements memory limits on 7.0-RELEASE, but only for the older (and default in -RELEASE) bsd4 scheduler (won't work at all on ULE). I haven't yet started work for ULE or getting CPU sharing working. This patch also includes fixes for problems in the original cdjones patches. If you want to give it a whirl it should apply cleanly to a 7.0-RELEASE source tree and if you run into any issues let me know. - Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: memory_limits_70.patch Type: text/x-diff Size: 33505 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-jail/attachments/20080624/3745f85b/memory_limits_70.bin From bsam at ipt.ru Wed Jun 25 14:30:32 2008 From: bsam at ipt.ru (Boris Samorodov) Date: Wed Jun 25 14:30:37 2008 Subject: is nfs mount inside jail possible? Message-ID: <62852722@bb.ipt.ru> Hello FreeBSD jail gurus, I've found at google some advices how to do a nfs mount inside a jail. Those advices don't help me. And according to jail(8): ----- # uname -a FreeBSD box.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Mon Jun 16 17:18:23 MSD 2008 root@box.bsam.ru:/usr/obj/usr/src/sys/BOX amd64 # lsvfs Filesystem Refs Flags -------------------------------- ----- --------------- nfs4 0 network zfs 6 jail ntfs 0 ufs 4 nfs 0 network msdosfs 0 procfs 4 synthetic cd9660 0 read-only devfs 5 synthetic nullfs 7 loopback fdescfs 4 synthetic ----- ... nfs seems not to be jail friendly. Here is the question at subject. Thanks! WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From wmoran at collaborativefusion.com Wed Jun 25 14:49:48 2008 From: wmoran at collaborativefusion.com (Bill Moran) Date: Wed Jun 25 14:49:55 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <62852722@bb.ipt.ru> References: <62852722@bb.ipt.ru> Message-ID: <20080625103721.bdc7daee.wmoran@collaborativefusion.com> In response to Boris Samorodov : > > ... nfs seems not to be jail friendly. Here is the question at > subject. Thanks! You can NFS mount on the host, and it will be visible within the jail. Don't know if that helps your situation or not. -- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ wmoran@collaborativefusion.com Phone: 412-422-3463x4023 **************************************************************** IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. **************************************************************** From bsam at ipt.ru Wed Jun 25 14:56:50 2008 From: bsam at ipt.ru (Boris Samorodov) Date: Wed Jun 25 14:56:58 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625103721.bdc7daee.wmoran@collaborativefusion.com> (Bill Moran's message of "Wed\, 25 Jun 2008 10\:37\:21 -0400") References: <62852722@bb.ipt.ru> <20080625103721.bdc7daee.wmoran@collaborativefusion.com> Message-ID: <93253417@bb.ipt.ru> On Wed, 25 Jun 2008 10:37:21 -0400 Bill Moran wrote: > In response to Boris Samorodov : > > > > ... nfs seems not to be jail friendly. Here is the question at > > subject. Thanks! > You can NFS mount on the host, and it will be visible within the jail. > Don't know if that helps your situation or not. Yep, I know it. I'd prefer to use mounts within a jail. They should be dynamic: a process mounts it, uses and unmounts. Otherwise there will be too many mounts... Bill, thanks for your try. WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From Alexander at Leidinger.net Wed Jun 25 15:34:12 2008 From: Alexander at Leidinger.net (Alexander Leidinger) Date: Wed Jun 25 15:34:17 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <62852722@bb.ipt.ru> References: <62852722@bb.ipt.ru> Message-ID: <20080625173401.116369ceeiewif40@webmail.leidinger.net> Quoting Boris Samorodov (from Wed, 25 Jun 2008 17:53:49 +0400): > # lsvfs > Filesystem Refs Flags > -------------------------------- ----- --------------- > nfs4 0 network > zfs 6 jail > ntfs 0 > ufs 4 > nfs 0 network > msdosfs 0 > procfs 4 synthetic > cd9660 0 read-only > devfs 5 synthetic > nullfs 7 loopback > fdescfs 4 synthetic > ----- > > ... nfs seems not to be jail friendly. Here is the question at > subject. Thanks! Correct. If you are not afraid to patch the system: zfs has the JAIL flag set, you just need to do the same with nfs. To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and change it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); I suggest to not do this with tmpfs if you do shared hosting (you don't want that strangers eat up all your physical RAM). Bye, Alexander. -- Peers's Law: The solution to a problem changes the nature of the problem. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From Alexander at Leidinger.net Wed Jun 25 15:53:06 2008 From: Alexander at Leidinger.net (Alexander Leidinger) Date: Wed Jun 25 15:53:12 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625173401.116369ceeiewif40@webmail.leidinger.net> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> Message-ID: <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> Quoting Alexander Leidinger (from Wed, 25 Jun 2008 17:34:01 +0200): > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and > change it to > VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); Oh: I haven't checked if this actually works. I don't know if all places DTRT then. Normally it should work, but you better test if it really puts the FS in the place where you want it, that you can mount/umount it, that "mount -v" shows the expected output on the host and in the jail, and so on. Similar things can be done for src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those are the FS's which _should_ be safe, either because they work with untrusted data anyway, or because it's a loopback mount. But again, I haven't tested any of them (I have them patched locally, but even the initial testing is on my TODO list with a low priority). Bye, Alexander. -- At the end of the semester you will recall having enrolled in a course at the beginning of the semester -- and never attending. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From rwatson at FreeBSD.org Wed Jun 25 16:03:44 2008 From: rwatson at FreeBSD.org (Robert Watson) Date: Wed Jun 25 16:03:54 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> Message-ID: <20080625165505.P87282@fledge.watson.org> On Wed, 25 Jun 2008, Alexander Leidinger wrote: > Oh: I haven't checked if this actually works. I don't know if all places > DTRT then. Normally it should work, but you better test if it really puts > the FS in the place where you want it, that you can mount/umount it, that > "mount -v" shows the expected output on the host and in the jail, and so on. > > Similar things can be done for > src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those are the > FS's which _should_ be safe, either because they work with untrusted data > anyway, or because it's a loopback mount. But again, I haven't tested any of > them (I have them patched locally, but even the initial testing is on my > TODO list with a low priority). Safe in the sense that they might, or might not, immediately panic. Not safe in the sense that the resulting system would necessarily have the expected or desired security properties. It wouldn't surprise me if, just for example, allowing user mounting of nullfs from within jail allowed the user to escape from the jail and access files outside the jail in the host system. Establishing that this is not the case is fairly non-trivial and has to be done very carefully. I would recommend extreme caution. Robert N M Watson Computer Laboratory University of Cambridge From rwatson at FreeBSD.org Wed Jun 25 16:08:44 2008 From: rwatson at FreeBSD.org (Robert Watson) Date: Wed Jun 25 16:08:49 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625173401.116369ceeiewif40@webmail.leidinger.net> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> Message-ID: <20080625164434.J87282@fledge.watson.org> On Wed, 25 Jun 2008, Alexander Leidinger wrote: >> ... nfs seems not to be jail friendly. Here is the question at subject. >> Thanks! > > Correct. If you are not afraid to patch the system: zfs has the JAIL flag > set, you just need to do the same with nfs. > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and change > it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > > I suggest to not do this with tmpfs if you do shared hosting (you don't want > that strangers eat up all your physical RAM). The security implications of doing this are rather non-trivial, and should be carefully taken carefully into account. This is not a configuration I would recommend for most sites on the basis that they might not be well-equipped to reason about the indirect security consequences. There are also some potentially tricky technical elements here -- for example, some versions of FreeBSD are known to have TCP implementations that are not entirely happy with NFS running in a jail. Likewise, some of the associated services of NFS, such as rpc.statd and rpc.lockd, will not work properly with virtualization prior to 8.x (and possibly after) as they both have interesting security requirements and rely on things like each IP address being associated with at most one client. Robert N M Watson Computer Laboratory University of Cambridge From Alexander at Leidinger.net Wed Jun 25 16:42:02 2008 From: Alexander at Leidinger.net (Alexander Leidinger) Date: Wed Jun 25 16:42:08 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625165505.P87282@fledge.watson.org> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> <20080625165505.P87282@fledge.watson.org> Message-ID: <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> Quoting Robert Watson (from Wed, 25 Jun 2008 16:57:17 +0100 (BST)): > On Wed, 25 Jun 2008, Alexander Leidinger wrote: > >> Oh: I haven't checked if this actually works. I don't know if all >> places DTRT then. Normally it should work, but you better test if >> it really puts the FS in the place where you want it, that you can >> mount/umount it, that "mount -v" shows the expected output on the >> host and in the jail, and so on. >> >> Similar things can be done for >> src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those >> are the FS's which _should_ be safe, either because they work with >> untrusted data anyway, or because it's a loopback mount. But again, >> I haven't tested any of them (I have them patched locally, but even >> the initial testing is on my TODO list with a low priority). > > Safe in the sense that they might, or might not, immediately panic. > Not safe in the sense that the resulting system would necessarily > have the expected or desired security properties. It wouldn't > surprise me if, just for example, allowing user mounting of nullfs > from within jail allowed the user to escape from the jail and access > files outside the jail in the host system. I just had a look at the man page of nmount (that's what is used to mount nullfs, and some other FS's). nmount gets the pathname (realpath). realpath prints the path relative to the jail root, not the real name in the jail-host. If nmount is not jail aware, then we have a meltdown. nmount is using NDINIT/namei. If I read namei/NDINIT correctly, it picks the correct path in a jail (else name lookups in a jail wouldn't work, right?). Any filesystem which gets a source path also needs to use namei (AFAIK, please correct me if I'm wrong), so this side of the mounting has the same properties. For FS's which don't use nmount but the old mount stuff, I don't know. > Establishing that this is not the case is fairly non-trivial and has > to be done very carefully. I would recommend extreme caution. At least for nmount based things this would implicitly mean we have a _very_ big problem with jails (if my above analysis of the code is correct) in other places, as the mountpoint is resolved via namei in the kernel. Bye, Alexander. -- Personnel recruiting is a triumph of hope over experience. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From rwatson at FreeBSD.org Wed Jun 25 16:53:37 2008 From: rwatson at FreeBSD.org (Robert Watson) Date: Wed Jun 25 16:53:41 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> <20080625165505.P87282@fledge.watson.org> <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> Message-ID: <20080625174425.W87282@fledge.watson.org> On Wed, 25 Jun 2008, Alexander Leidinger wrote: >> Safe in the sense that they might, or might not, immediately panic. Not >> safe in the sense that the resulting system would necessarily have the >> expected or desired security properties. It wouldn't surprise me if, just >> for example, allowing user mounting of nullfs from within jail allowed the >> user to escape from the jail and access files outside the jail in the host >> system. > > I just had a look at the man page of nmount (that's what is used to mount > nullfs, and some other FS's). nmount gets the pathname (realpath). realpath > prints the path relative to the jail root, not the real name in the > jail-host. If nmount is not jail aware, then we have a meltdown. nmount is > using NDINIT/namei. If I read namei/NDINIT correctly, it picks the correct > path in a jail (else name lookups in a jail wouldn't work, right?). Any > filesystem which gets a source path also needs to use namei (AFAIK, please > correct me if I'm wrong), so this side of the mounting has the same > properties. > > For FS's which don't use nmount but the old mount stuff, I don't know. > >> Establishing that this is not the case is fairly non-trivial and has to be >> done very carefully. I would recommend extreme caution. > > At least for nmount based things this would implicitly mean we have a _very_ > big problem with jails (if my above analysis of the code is correct) in > other places, as the mountpoint is resolved via namei in the kernel. Jail is carefully structured around the idea that, in general, processes running with root privilege need very few actual privileges, they mostly just run with the root uid and override file permissions, signal protection, and low port number restrictions. So we scope the name spaces available to root processes in jail and grant a few specific privileges we believe are safe. Things like mounting file systems, raw device access, kernel module loading, etc, are in stark contrast to this as they frob (to use the term loosely) the substrate in which processes run: the integrity of the file system name space, the kernel, etc. Preventing those operations is part of what gives jail its integrity guarantees, and chipping away at those protections is inherently a risky activity. I don't know of any specific vulnerabilities that will open up, and I don't have time to read the source code to find them now, but I do promise you that if you allow arbitrary mounting of file systems in jail, you will likely run into quite a few, simply because mounting of file systems is a sensitive operation, modifies the file system name space that we rely on for containment, and because file systems and the file system infrastructure have generally not been designed with this in mind. Especially not for the idea of an unprivileged root user. So, per my comments, I would recommend extreme caution because the implications are very tricky to reason about, requiring careful auditing of source code to ensure that expected protections will continue to be enforced. Caveat emptor. Beware the dog. Enter at your own risk. There be dragons. Run away! Robert N M Watson Computer Laboratory University of Cambridge From wmoran at collaborativefusion.com Wed Jun 25 17:05:15 2008 From: wmoran at collaborativefusion.com (Bill Moran) Date: Wed Jun 25 17:05:22 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <93253417@bb.ipt.ru> References: <62852722@bb.ipt.ru> <20080625103721.bdc7daee.wmoran@collaborativefusion.com> <93253417@bb.ipt.ru> Message-ID: <20080625130401.e03329dc.wmoran@collaborativefusion.com> In response to Boris Samorodov : > On Wed, 25 Jun 2008 10:37:21 -0400 Bill Moran wrote: > > > In response to Boris Samorodov : > > > > > > ... nfs seems not to be jail friendly. Here is the question at > > > subject. Thanks! > > > You can NFS mount on the host, and it will be visible within the jail. > > Don't know if that helps your situation or not. > > Yep, I know it. I'd prefer to use mounts within a jail. They should be > dynamic: a process mounts it, uses and unmounts. Otherwise there will > be too many mounts... How many is too many? Why do you think that number is too many? You could run the automounter on the host. -- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ wmoran@collaborativefusion.com Phone: 412-422-3463x4023 From Alexander at Leidinger.net Thu Jun 26 06:06:35 2008 From: Alexander at Leidinger.net (Alexander Leidinger) Date: Thu Jun 26 06:06:40 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625174425.W87282@fledge.watson.org> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> <20080625165505.P87282@fledge.watson.org> <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> <20080625174425.W87282@fledge.watson.org> Message-ID: <20080626080625.12031sjuk9s5fp5w@webmail.leidinger.net> Quoting Robert Watson (from Wed, 25 Jun 2008 17:53:36 +0100 (BST)): > I don't know of any specific vulnerabilities that will open up, and > I don't have time to read the source code to find them now, but I do > promise you that if you allow arbitrary mounting of file systems in > jail, you will likely run into quite a few, simply because mounting > of file systems is a sensitive operation, modifies the file system I agree, but I put the focus on "arbitrary". What I specially did not include in the list was ufs, procfs, fdescfs and some more. UFS can cause a kernel panic if used with a bad FS image. For procfs we even recommend to not mount it in a normal system, and for others I don't know if they are robust enough. For nullfs all depends if it can break out of the jail or not. If it can not, I don't see why we should not allow to mount it in a jail. Based upon what I've read in the source, it's even easy to test. As it gets path names the kernel resolves itself, the test would be to modify mount_nullfs to not do the realpath, and test by adding some "../" into the path (ok, this is a simplified description, there are several cases which have to be tested, but it is not rocked science). For other FS it depends what they are/do and how robust they are. Wasn't there a FS-fuzzing paper a while ago which tested several FreeBSD FS for robustness? Very interesting would be the robustness for cd9660, msdosfs and udf. Those are candidates which would be interesting to use in a jail. > So, per my comments, I would recommend extreme caution because the > implications are very tricky to reason about, requiring careful > auditing of source code to ensure that expected protections will > continue to be enforced. Caveat emptor. Beware the dog. Enter at > your own risk. There be dragons. Run away! I agree with everything except the "Run away!" :) This is CS, the outcome should be deterministic... :) Bye, Alexander. -- Man who sleep in beer keg wake up stickey. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From bsam at ipt.ru Thu Jun 26 12:32:00 2008 From: bsam at ipt.ru (Boris Samorodov) Date: Thu Jun 26 12:32:05 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> (Alexander Leidinger's message of "Wed\, 25 Jun 2008 17\:52\:52 +0200") References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> Message-ID: <82521962@bb.ipt.ru> On Wed, 25 Jun 2008 17:52:52 +0200 Alexander Leidinger wrote: > Quoting Alexander Leidinger (from Wed, 25 > Jun 2008 17:34:01 +0200): > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and > > change it to > > VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > Oh: I haven't checked if this actually works. I don't know if all > places DTRT then. Normally it should work, but you better test if it > really puts the FS in the place where you want it, that you can > mount/umount it, that "mount -v" shows the expected output on the host > and in the jail, and so on. > Similar things can be done for > src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those are > the FS's which _should_ be safe, either because they work with > untrusted data anyway, or because it's a loopback mount. But again, I > haven't tested any of them (I have them patched locally, but even the > initial testing is on my TODO list with a low priority). I see. If my task won't change I'll check what I ca do. Thanks! WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From bsam at ipt.ru Thu Jun 26 12:37:02 2008 From: bsam at ipt.ru (Boris Samorodov) Date: Thu Jun 26 12:37:08 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625164434.J87282@fledge.watson.org> (Robert Watson's message of "Wed\, 25 Jun 2008 16\:50\:58 +0100 \(BST\)") References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625164434.J87282@fledge.watson.org> Message-ID: <16441660@bb.ipt.ru> On Wed, 25 Jun 2008 16:50:58 +0100 (BST) Robert Watson wrote: > On Wed, 25 Jun 2008, Alexander Leidinger wrote: > >> ... nfs seems not to be jail friendly. Here is the question at > >> subject. Thanks! > > > > Correct. If you are not afraid to patch the system: zfs has the JAIL > > flag set, you just need to do the same with nfs. > > > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and > > change it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > > > > I suggest to not do this with tmpfs if you do shared hosting (you > > don't want that strangers eat up all your physical RAM). > The security implications of doing this are rather non-trivial, and > should be carefully taken carefully into account. This is not a > configuration I would recommend for most sites on the basis that they > might not be well-equipped to reason about the indirect security > consequences. > There are also some potentially tricky technical elements here -- for > example, some versions of FreeBSD are known to have TCP > implementations that are not entirely happy with NFS running in a > jail. Likewise, some of the associated services of NFS, such as > rpc.statd and rpc.lockd, will not work properly with virtualization > prior to 8.x (and possibly after) as they both have interesting > security requirements and rely on things like each IP address being > associated with at most one client. Thanks, Robert. Security issues are surely should be taken into consideration here. I'll check if the task may be changed towards static mounts (i.e. outside the jail). WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From bsam at ipt.ru Thu Jun 26 12:42:15 2008 From: bsam at ipt.ru (Boris Samorodov) Date: Thu Jun 26 12:42:19 2008 Subject: is nfs mount inside jail possible? In-Reply-To: <20080625130401.e03329dc.wmoran@collaborativefusion.com> (Bill Moran's message of "Wed\, 25 Jun 2008 13\:04\:01 -0400") References: <62852722@bb.ipt.ru> <20080625103721.bdc7daee.wmoran@collaborativefusion.com> <93253417@bb.ipt.ru> <20080625130401.e03329dc.wmoran@collaborativefusion.com> Message-ID: <50361347@bb.ipt.ru> On Wed, 25 Jun 2008 13:04:01 -0400 Bill Moran wrote: > In response to Boris Samorodov : > > On Wed, 25 Jun 2008 10:37:21 -0400 Bill Moran wrote: > > > > > In response to Boris Samorodov : > > > > > > > > ... nfs seems not to be jail friendly. Here is the question at > > > > subject. Thanks! > > > > > You can NFS mount on the host, and it will be visible within the jail. > > > Don't know if that helps your situation or not. > > > > Yep, I know it. I'd prefer to use mounts within a jail. They should be > > dynamic: a process mounts it, uses and unmounts. Otherwise there will > > be too many mounts... > How many is too many? Why do you think that number is too many? Approx. a thousand. For _me_ it is too many. ;-) > You could run the automounter on the host. Hm, I didn't think about it. Thanks for the pointer! WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From alexus at gmail.com Sun Jun 29 01:41:36 2008 From: alexus at gmail.com (alexus) Date: Sun Jun 29 01:41:40 2008 Subject: new set of multi-IPv4/v6/noIP jail patches In-Reply-To: <20080623200215.J83875@maildrop.int.zabbadoz.net> References: <78553FE8-BB3A-4AD5-9926-7B095260741D@verweg.com> <6ae50c2d0806211035y73e09f15xde28403b824eb421@mail.gmail.com> <6ae50c2d0806211037g31d8e9beqeea36b480ee62f3b@mail.gmail.com> <20080621212933.J83875@maildrop.int.zabbadoz.net> <6ae50c2d0806231257y48791f03r2b3518517f0af653@mail.gmail.com> <20080623200215.J83875@maildrop.int.zabbadoz.net> Message-ID: <6ae50c2d0806281841m5758f444vd657f3cc8e94c69d@mail.gmail.com> when I tried your latest fixes, i got following -------------------------------------------------------------- >>> Installing everything -------------------------------------------------------------- cd /usr/src; /usr/obj/usr/src/make.i386/make -f Makefile.inc1 install ===> share/info (install) ===> lib (install) ===> lib/csu/i386-elf (install) cc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c /usr/src/lib/csu/i386-elf/crt1.c cc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c /usr/src/lib/csu/i386-elf/crti.S cc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -c /usr/src/lib/csu/i386-elf/crtn.S cc -O2 -fno-strict-aliasing -pipe -I/usr/src/lib/csu/i386-elf/../common -I/usr/src/lib/csu/i386-elf/../../libc/include -Wsystem-headers -Wall -Wno-format-y2k -W -Wno-unused-parameter -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch -Wshadow -Wcast-align -Wunused-parameter -Wchar-subscripts -Winline -Wnested-externs -Wredundant-decls -Wno-pointer-sign -DGCRT -c -o gcrt1.o /usr/src/lib/csu/i386-elf/crt1.c install -o root -g wheel -m 444 crt1.o crti.o crtn.o gcrt1.o /usr/lib ===> lib/libc (install) install -C -o root -g wheel -m 444 libc.a /usr/lib install: libc.a: No such file or directory *** Error code 71 Stop in /usr/src/lib/libc. *** Error code 1 Stop in /usr/src/lib. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. *** Error code 1 Stop in /usr/src. (21:39:02 ) On Mon, Jun 23, 2008 at 7:13 PM, Bjoern A. Zeeb wrote: > On Mon, 23 Jun 2008, alexus wrote: > >> yeah, I dont have IPV6, and whatever you gave me isn't enough at least >> for me, i don't know how incorporate this code into patch, can you >> post a new patch with these fixes? > > Don't incorp it into the patch, edit the patched file and rebuild. > > you go to /usr/src/sys/kern (if your sources are in /usr/src) > vi kern_jail.c > go to the line from the error message and find the place where to add > the two lines I had marked with +. > > I'll not re-roll another 7.0R patch before I have done the HEAD to > RELENG_7 and then to 7.0-R chain entirely. It'll at least be another > day or two once the builds and the boots and everything was tested. > > /bz > > -- > Bjoern A. Zeeb Stop bit received. Insert coin for new game. > -- http://alexus.org/ From bugmaster at FreeBSD.org Mon Jun 30 11:07:01 2008 From: bugmaster at FreeBSD.org (FreeBSD bugmaster) Date: Mon Jun 30 11:07:10 2008 Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org Message-ID: <200806301106.m5UB6w3c095785@freefall.freebsd.org> Current FreeBSD problem reports Critical problems Serious problems S Tracker Resp. Description -------------------------------------------------------------------------------- s kern/89528 jail [jail] [patch] impossible to kill a jail o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail 2 problems total. Non-critical problems S Tracker Resp. Description -------------------------------------------------------------------------------- o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with o kern/68192 jail [quotas] [jail] Cannot use quotas on jailed systems o kern/72498 jail [libc] [jail] timestamp code on jailed SMP machine gen o kern/74314 jail [resolver] [jail] DNS resolver broken under certain ja o kern/84215 jail [jail] [patch] wildcard ip (INADDR_ANY) should not bin o kern/89989 jail [jail] [patch] Add option -I (ASCII 73) PID to specif o kern/97071 jail [jail] [patch] add security.jail.jid sysctl o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o kern/120753 jail [jail] Zombie jails (jailed child process exits while 9 problems total.