From christer.edwards at gmail.com Sat Nov 1 09:27:01 2008
From: christer.edwards at gmail.com (Christer Edwards)
Date: Sat Nov 1 09:27:08 2008
Subject: dhcpd possible within jail?
Message-ID: <20081101155205.GD90953@parkman.zelut.org>

I recently set up a few jails for internal network services (sshd, bind,
dhcpd, etc.) The only issue I have so far is that dhcpd doesn't seem to
work within the jail env. It appears to start properly, and the process
shows in top, but no leases are ever given out.

I have the following in my jail /etc/rc.conf:

    ## dhcpd options
    dhcpd_enable="YES"
    dhcpd_flags="-q"
    dhcpd_conf="/usr/local/etc/dhcpd.conf"
    dhcpd_ifaces="hme0"
    dhcpd_withumask="022"
    dhcpd_chuser_enable="YES"
    dhcpd_withuser="dhcpd"
    dhcpd_withgroup="dhcpd"
    dhcpd_chroot_enable="NO"
    dhcpd_devfs_enable="NO"
    #dhcpd_makedev_enable="YES"
    dhcpd_rootdir="/var/db/dhcpd"
    dhcpd_includedir=""
    #dhcpd_jail_enable="YES"
    dhcpd_hostname="hostname.domain.tld"
    dhcpd_ipaddress="192.168.0.13"

I have also allowed raw_sockets from the host (unless there is another
way to accomplish this).

If anyone can tell me what I'm missing, or if it's simply a jail
limitation, I'd appreciate it.

thanks in advance,
christer

From bzeeb-lists at lists.zabbadoz.net Sat Nov 1 13:15:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sat Nov 1 13:15:15 2008
Subject: dhcpd possible within jail?
In-Reply-To: <20081101155205.GD90953@parkman.zelut.org>
References: <20081101155205.GD90953@parkman.zelut.org>
Message-ID: <20081101200710.V41609@maildrop.int.zabbadoz.net>

On Sat, 1 Nov 2008, Christer Edwards wrote:

> I recently set up a few jails for internal network services (sshd, bind,
> dhcpd, etc.) The only issue I have so far is that dhcpd doesn't seem to
> work within the jail env. It appears to start properly, and the process
> shows in top, but no leases are ever given out.
[...]
> I have also allowed raw_sockets from the host (unless there is another
> way to accomplish this).
>
> If anyone can tell me what I'm missing, or if it's simply a jail
> limitation I'd appreciate it.

dhcpd imho needs bpf, so you would have to expose /dev/bpf* to that jail
and perhaps also /dev/net* things.. try adding something like this to
your /etc/devfs.rules

    [devfsrules_jail_dhcp=5]
    add include $devfsrules_hide_all
    add include $devfsrules_unhide_basic
    add include $devfsrules_unhide_login
    add path 'bpf*' unhide
    add path net unhide
    add path 'net/*' unhide

the number is the first free that is not in your /etc/defaults/devfs.rules
and /etc/devfs.rules.

That done, change the /etc/rc.conf line for that jail to

    jail_FOOOOOO_devfs_ruleset="devfsrules_jail_dhcp"

with FOOOOOO being the right jail name of course, and restart the jail.

Within the jail do a

    ls -l /dev/bpf*

if there are no entries you'll need to reapply the devfs rules from the
base system (sh /etc/rc.d/devfs start might do that). Try the ls again.

imho, you do not need to allow raw sockets.

HTH
/bz

-- 
Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

From christer.edwards at gmail.com Sat Nov 1 16:19:22 2008
From: christer.edwards at gmail.com (Christer Edwards)
Date: Sat Nov 1 16:19:29 2008
Subject: dhcpd possible within jail?
In-Reply-To: <20081101200710.V41609@maildrop.int.zabbadoz.net>
References: <20081101155205.GD90953@parkman.zelut.org> <20081101200710.V41609@maildrop.int.zabbadoz.net>
Message-ID: <20081101231803.GA1764@parkman.zelut.org>

On Sat, Nov 01, 2008 at 08:13:46PM +0000, Bjoern A. Zeeb wrote:
> try adding something like this to your /etc/devfs.rules
>
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_hide_all
> add include $devfsrules_unhide_basic
> add include $devfsrules_unhide_login
> add path 'bpf*' unhide
> add path net unhide
> add path 'net/*' unhide

I've added the above lines and the devices now are listed in
/usr/jail/jailname/dev/. I get the same output in the logs with or
without the devfs changes..

    Nov 1 17:07:40 molly dhcpd: Wrote 0 deleted host decls to leases file.
    Nov 1 17:07:40 molly dhcpd: Wrote 0 new dynamic host decls to leases file.
    Nov 1 17:07:40 molly dhcpd: Wrote 0 leases to leases file.

the dhcpd.leases file is updated when the daemon is restarted but, again,
asking another client to request an address goes ignored.

I'm beginning to wonder if it's related to my network configuration
rather than my jail configuration.

    DSL modem > netgear wireless AP/switch (dhcp disabled) > netgear gigabit switch > clients.

> imho, you do not need to allow raw sockets.

With raw sockets turned off it looks like dhcpd is not able to send the
icmp echo request to verify the requested address is available..
(dhcpd.conf(5))

Christer

From bugmaster at FreeBSD.org Mon Nov 3 03:06:55 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 3 03:08:11 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200811031106.mA3B6s4i010943@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.
S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From matheuscucoloto at gmail.com Thu Nov 6 03:33:50 2008
From: matheuscucoloto at gmail.com (Matheus Cucoloto)
Date: Thu Nov 6 03:33:57 2008
Subject: Successful patch on several hosts with RELENG_7

Hi, Lorenzo.

I tried to apply this patch, but I had no success. That is the message I
got (on make buildkernel KERNCONF=GENERIC):

-----------------------------------------------
cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Werror /usr/src/sys/netinet/raw_ip.c
cc1: warnings being treated as errors
/usr/src/sys/netinet/raw_ip.c: In function 'rip_bind':
/usr/src/sys/netinet/raw_ip.c:785: warning: implicit declaration of function 'jailed_ip4'
/usr/src/sys/netinet/raw_ip.c:785: warning: nested extern declaration of 'jailed_ip4'
*** Error code 1

Stop in /usr/obj/usr/src/sys/GENERIC.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
----------------------------------------------------------------

Any hint?

    # uname -a
    FreeBSD .cne.grupoirapida.com.br 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 4 17:36:38 UTC 2008 matheus@.cne.grupoirapida.com.br:/usr/obj/usr/src/sys/GENERIC i386

Thanks

On Fri, Oct 24, 2008 at 2:07 PM, Lorenzo Perone wrote:
>
> Hi,
>
> Just wanted to give my feedback on Your patch
> bz_jail7-20080920-01-at150161.diff, which I got by reading this list, on
>
> http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
>
> Just patched several RELENG_7 hosts (FreeBSD 7.0-PRERELEASE, last one
> yesterday), and for the time being, it works like a charm. THANK YOU
> VERY MUCH for this patch and Your efforts, as this is a very important
> feature for me and for several others. I hope so much that it will be
> included into RELENG_7 officially, and/or that You will update it
> eventually, if necessary.
>
> Kudos, Regards && lots of free beer..
>
> Lorenzo
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

-- 
Matheus Cucoloto
System Admin. Net Admin.
From bzeeb-lists at lists.zabbadoz.net Thu Nov 6 03:45:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Nov 6 03:45:14 2008
Subject: Successful patch on several hosts with RELENG_7
Message-ID: <20081106114254.E16105@maildrop.int.zabbadoz.net>

On Thu, 6 Nov 2008, Matheus Cucoloto wrote:

Hi,

> I tried to apply this patch, but I had no success.
>
> That is the message I got:
...
>
> Any hint?

http://lists.freebsd.org/pipermail/freebsd-jail/2008-October/000577.html

So the reason there is no 7 patch is that Robert and I finally found a
solution for one of the problems that came up during the review and I
still need to implement it. My plan was to do so later today... There
will be a new set of patches soon (famous last words;)

/bz

-- 
Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

From dez at accid.net Fri Nov 7 09:32:21 2008
From: dez at accid.net (dez@accid.net)
Date: Fri Nov 7 09:32:29 2008
Subject: multi-ip jails on 7.1-BETA2
Message-ID: <491477C8.2060809@accid.net>

Hi list,

I've just set up a 7.1-BETA2 server with Bjoern Zeeb's patch [1],
following the instructions described in [2]. It all went well, patch
applied ok, userland tools, kernel and world built successfully. However,
the new jail utility doesn't accept multiple IPs on the command line:

    server% jail
    usage: jail [-i] [-J jid_file] [-s securelevel] \
                [-l -u username | -U username] path hostname ip-number command ...

Using the same patch and setup instructions I can get a working multi-ip
jail setup using the 7.1-PRERELEASE-200809 snapshot. Does the said patch
not work with the beta?

As Bjoern indicated in an earlier mail to the list, "There will be a new
set of patches soon". Will they work with the beta and final 7.1 releases?

Many thanks.

[1] - http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
[2] - http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00459.html

-- 
Dez

From bzeeb-lists at lists.zabbadoz.net Fri Nov 7 12:35:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Fri Nov 7 12:35:14 2008
Subject: multi-ip jails on 7.1-BETA2
In-Reply-To: <491477C8.2060809@accid.net>
References: <491477C8.2060809@accid.net>
Message-ID: <20081107203010.U16105@maildrop.int.zabbadoz.net>

On Fri, 7 Nov 2008, dez@accid.net wrote:

> server% jail
> usage: jail [-i] [-J jid_file] [-s securelevel] \
>             [-l -u username | -U username] path hostname ip-number command ...

that's not a patched userland (this jail binary is old and was not
updated). Did you also rebuild userland or only the kernel?

/bz

-- 
Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

From bugmaster at FreeBSD.org Mon Nov 10 03:06:53 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 10 03:08:20 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200811101106.mAAB6qCt049758@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From dez at accid.net Mon Nov 10 08:58:43 2008
From: dez at accid.net (Vicks Desmond)
Date: Mon Nov 10 08:58:50 2008
Subject: multi-ip jails on 7.1-BETA2
In-Reply-To: <20081107203010.U16105@maildrop.int.zabbadoz.net>
References: <491477C8.2060809@accid.net> <20081107203010.U16105@maildrop.int.zabbadoz.net>
Message-ID: <4918683E.4070103@accid.net>

Bjoern A. Zeeb wrote:
> On Fri, 7 Nov 2008, dez@accid.net wrote:
>
>> server% jail
>> usage: jail [-i] [-J jid_file] [-s securelevel] \
>>             [-l -u username | -U username] path hostname ip-number command ...
>
> that's not a patched userland (this jail binary is old and was not
> updated). Did you also rebuild userland or only the kernel?

Thanks for your reply. Having checked everything again I found that I was
using patch(1) with the -C argument (ie, check, but don't do), which
explains why the userland wasn't updated.
Now things are working as expected and I'm a proud owner of a multi-ip
jail :)

Sorry for the noise, and note to self - don't blindly copy and paste
commands, especially ones that I think I understand.

Cheers,

-- 
Dez

From huynhnguyen at mikorn.com Tue Nov 11 22:55:39 2008
From: huynhnguyen at mikorn.com (huynhnguyen)
Date: Tue Nov 11 22:55:46 2008
Subject: can jail use 2 NICS?
Message-ID: <002b01c94490$260ebfd0$722c3f70$@com>

Hi All,

First, nice day!

My problem with jails - my server has 2 NICs,

    o bge0:        192.168.1.2/24
      bge0_alias0: 192.168.1.3/24
    o bge1:        11.0.0.2/24
      bge1_alias0: 11.0.0.3/24

I want to set up a jail to use both NICs. I have tried with

    jail_jail1_interface="bge0, bge1"
    jail_jail1_ip="192.168.1.3, 11.0.0.3"
    --------------
    jail_jail1_interface="bge0"
    jail_jail1_interface="bge1"
    jail_jail1_ip="192.168.1.3"
    jail_jail1_ip="11.0.0.3"
    ---------------

but I can't do it. Anybody know it? Could you help me?

From wmoran at collaborativefusion.com Wed Nov 12 06:17:12 2008
From: wmoran at collaborativefusion.com (Bill Moran)
Date: Wed Nov 12 06:17:22 2008
Subject: can jail use 2 NICS?
In-Reply-To: <002b01c94490$260ebfd0$722c3f70$@com>
References: <002b01c94490$260ebfd0$722c3f70$@com>
Message-ID: <20081112090702.840305a6.wmoran@collaborativefusion.com>

In response to "huynhnguyen":
>
> - my server has 2 NICs,
>
[...]
>
> I want to set up a jail to use both NICs
[...]
> ---------------
> but I can't do it. Anybody know it? Could you help me?

It's not possible with the current codebase. There's work being done to
add this feature to 8.x, but with 7.x and earlier, you need to figure out
how to make your jails work with a single NIC.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

From bzeeb-lists at lists.zabbadoz.net Wed Nov 12 06:30:09 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Nov 12 06:30:15 2008
Subject: can jail use 2 NICS?
In-Reply-To: <20081112090702.840305a6.wmoran@collaborativefusion.com>
References: <002b01c94490$260ebfd0$722c3f70$@com> <20081112090702.840305a6.wmoran@collaborativefusion.com>
Message-ID: <20081112142044.J67750@maildrop.int.zabbadoz.net>

On Wed, 12 Nov 2008, Bill Moran wrote:

Hi,

> In response to "huynhnguyen":
>>
>> - my server has 2 NICs,
>>
> [...]
>>
>> I want to set up a jail to use both NICs
> [...]
>> ---------------
>> but I can't do it. Anybody know it? Could you help me?
>
> It's not possible with the current codebase. There's work being done
> to add this feature to 8.x, but with 7.x and earlier, you need to
> figure out how to make your jails work with a single NIC.

The only thing that does not work is the rc jail_*_interface knob. Which
I again . Sorry. This is just another reason to remove this thing and
have someone who needs this by a proper mgmt solution.

"huynhnguyen": obviously, as Bill already indicated, you need a patch to
have more than one IP per jail as the current jail system in any version
of freebsd only supports one IP address (see man pages).

If you have the patch compiled in ...

> jail_jail1_interface="bge0, bge1"

remove this and similar lines from your configuration. You had the IPs
configured on the interfaces already anyway.

> jail_jail1_ip="192.168.1.3, 11.0.0.3"

And remove the white space after the comma.

Regards,
Bjoern

-- 
Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

From huynhnguyen at mikorn.com Wed Nov 12 17:27:19 2008
From: huynhnguyen at mikorn.com (huynhnguyen)
Date: Wed Nov 12 17:27:26 2008
Subject: can jail use 2 NICS?
In-Reply-To: <20081112142044.J67750@maildrop.int.zabbadoz.net>
References: <002b01c94490$260ebfd0$722c3f70$@com> <20081112090702.840305a6.wmoran@collaborativefusion.com> <20081112142044.J67750@maildrop.int.zabbadoz.net>
Message-ID: <000301c9452e$f79af6b0$e6d0e410$@com>

I got the answer. Thank Bill, thank Bjoern.

Re: can jail use 2 NICS?

------------------------------
> In response to "huynhnguyen":
>>
>> - my server has 2 NICs,
------------------------------
On Wed, 12 Nov 2008, Bill Moran wrote:
> It's not possible with the current codebase. There's work being done
> to add this feature to 8.x, but with 7.x and earlier, you need to
> figure out how to make your jails work with a single NIC.
-----------------------------
> On Wed, 12 Nov 2008, Bjoern A. Zeeb wrote:
> obviously, as Bill already indicated, you need a patch to have more than
> one IP per jail as the current jail system in any version of freebsd only
> supports one IP address (see man pages).
> If you have the patch compiled in ...
>> jail_jail1_interface="bge0, bge1"
> remove this and similar lines from your configuration.
> You had the IPs configured on the interfaces already anyway.
>> jail_jail1_ip="192.168.1.3, 11.0.0.3"
> And remove the white space after the comma.
-----------------------------

From nbari at k9.cx Thu Nov 13 10:57:54 2008
From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas)
Date: Thu Nov 13 10:58:00 2008
Subject: zfs on disk with ufs

Hi all,

I have 2 disks using raid 1 (hardware) ~ 250gb with the default freebsd
partition schema. I would like to resize the /usr partition and to use
ZFS on the space left on disk.

Is it possible to do so?

Or can I reinstall freebsd and only have 10GB for /usr and the rest of
the disk for ZFS? Is it possible to have ZFS and UFS on the same disk?

regards.

-- 
nbari

From bzeeb-lists at lists.zabbadoz.net Thu Nov 13 11:25:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A.
Zeeb)
Date: Thu Nov 13 11:25:15 2008
Subject: zfs on disk with ufs
Message-ID: <20081113191840.O67750@maildrop.int.zabbadoz.net>

On Thu, 13 Nov 2008, Nicolas de Bari Embriz Garcia Rojas wrote:

> Hi all, I have 2 disks using raid 1 (hardware) ~ 250gb with the default
> freebsd partition schema. I would like to resize the /usr partition and
> to use ZFS on the space left on disk.
>
> Is it possible to do so?
>
> Or can I reinstall freebsd and only have 10GB for /usr and the rest of
> the disk for ZFS? Is it possible to have ZFS and UFS on the same disk?

freebsd-questions@ might be a better place to ask.

Reply-To: set

/bz

-- 
Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

From bsam at ipt.ru Thu Nov 13 13:25:11 2008
From: bsam at ipt.ru (Boris Samorodov)
Date: Thu Nov 13 13:25:24 2008
Subject: can jail use 2 NICS?
In-Reply-To: (huynhnguyen@mikorn.com's message of "Wed, 12 Nov 2008 13:30:21 +0700")
References: <002b01c94490$260ebfd0$722c3f70$@com>
Message-ID: <71714243@ipt.ru>

On Wed, 12 Nov 2008 13:30:21 +0700 huynhnguyen wrote:

> o bge0:        192.168.1.2/24
>   bge0_alias0: 192.168.1.3/24
> o bge1:        11.0.0.2/24
>   bge1_alias0: 11.0.0.3/24

Sorry, it's not an answer to your original question. But imho you can't
use /24 for an alias address. According to ifconfig(8):

-----
     alias   Establish an additional network address for this interface.
             This is sometimes useful when changing network numbers, and
             one wishes to accept packets addressed to the old interface.
             If the address is on the same subnet as the first network
             address for this interface, a non-conflicting netmask must be
             given.  Usually 0xffffffff is most appropriate.
-----

As I understand, the mask /32 should be used here.

WBR
-- 
bsam

From bsam at ipt.ru Thu Nov 13 13:25:13 2008
From: bsam at ipt.ru (Boris Samorodov)
Date: Thu Nov 13 13:25:24 2008
Subject: attn: "huynhnguyen"
In-Reply-To: (Mail Delivery System's message of "Thu, 13 Nov 2008 23:42:53 +0300")
Message-ID: <84193851@ipt.ru>

Sorry for freebsd-jail subscribers, this is information for "huynhnguyen".

FYI: if you are interested, here is the answer from your MTA:

On Thu, 13 Nov 2008 23:42:53 +0300 Mail Delivery System wrote:

> This message was created automatically by mail delivery software.
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
> huynhnguyen@mikorn.com
> SMTP error from remote mail server after RCPT TO::
> host mail.mikorn.com [211.115.125.19]: 554 :
> Client host rejected: Access denied

WBR
-- 
bsam

From ruben at verweg.com Fri Nov 14 04:54:12 2008
From: ruben at verweg.com (Ruben van Staveren)
Date: Fri Nov 14 04:54:20 2008
Subject: can jail use 2 NICS?

Hi,

I ran into this issue myself, and repatched /etc/rc.d/jail to work with
this

    jail_erg_ipv6="net0|2001:980:fff:96::c0a8:181"  # Jail's IP number
    jail_erg_ip="192.168.1.129"                      # Jail's IP number
    jail_erg_interface="lo0"

So the default for everything is lo0, but you can override stuff by
prefixing an address with |

Have fun at http://ruben.is.verweg.com/stuff/jail
of course, YMMV

- Ruben

From lopez.on.the.lists at yellowspace.net Sat Nov 15 20:27:50 2008
From: lopez.on.the.lists at yellowspace.net (Lorenzo Perone)
Date: Sat Nov 15 20:27:57 2008
Subject: problem possibly related to multi-ip jail patch?
Message-ID: <2192B50F-16AE-4BC8-ACEC-6C5B99804DA0@yellowspace.net>

Hi all,

I've been experiencing problems with one of the machines running FreeBSD
7.1-PRERELEASE #2: Thu Oct 16 20:23:09 CEST 2008 with the multi-ip patch
bz_jail7-20080920-01-at150161.diff, and I'm wondering if it's possibly
related to the patch - in any case, any advice would be very welcome.

It happens that mysql (tried both 4.0 and 5.1, in 2 separate jails), at
some time stops responding to connections, and mysql gets stuck in sbwait
state. It is only killable with kill -9.

Each of the two mysqlds is running in a jail on one private IP, serving
connections to a webserver nearby - the latter having one public and one
private IP, communicating with the other jail via the private network.

I also experienced two complete system hangs (which must not necessarily
be related to the mysql problem), both during a shutdown -r now. One was
a panic; in another case the machine was still pingable but did not shut
down completely. I could only reset it over the DRAC. Here's a screenshot
I made over the Dell RAC: http://lorenzo.yellowspace.net/stuck.png

Since I'm also using zfs there and the kernel has been built with the
DTRACE options.

Any advice (also about which more details I should/could provide) would
be very welcome...

thanx && regards,

Lorenzo

From bzeeb-lists at lists.zabbadoz.net Sun Nov 16 02:15:10 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Nov 16 02:15:17 2008
Subject: can jail use 2 NICS?
Message-ID: <20081116101126.T61259@maildrop.int.zabbadoz.net>

On Fri, 14 Nov 2008, Ruben van Staveren wrote:

Hi,

> I ran into this issue myself, and repatched /etc/rc.d/jail to work with
> this
>
> jail_erg_ipv6="net0|2001:980:fff:96::c0a8:181"  # Jail's IP number
> jail_erg_ip="192.168.1.129"                      # Jail's IP number
> jail_erg_interface="lo0"
>
> So the default for everything is lo0, but you can override stuff by
> prefixing an address with |
>
> Have fun at http://ruben.is.verweg.com/stuff/jail
> of course, YMMV

would that work as well with multiple IPs (per address family)? I kind
of lost track. And are you also supporting the netmask feature from ru@?

-- 
Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

From bzeeb-lists at lists.zabbadoz.net Sun Nov 16 02:15:11 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Nov 16 02:15:28 2008
Subject: hangs for 7.1-PRE [was: problem possibly related to multi-ip jail patch?]
In-Reply-To: <2192B50F-16AE-4BC8-ACEC-6C5B99804DA0@yellowspace.net>
References: <2192B50F-16AE-4BC8-ACEC-6C5B99804DA0@yellowspace.net>
Message-ID: <20081116100529.Y61259@maildrop.int.zabbadoz.net>

On Sun, 16 Nov 2008, Lorenzo Perone wrote:

Hi,

> I've been experiencing problems with one of the machines running FreeBSD
> 7.1-PRERELEASE #2: Thu Oct 16 20:23:09 CEST 2008 with the multi-ip patch
> bz_jail7-20080920-01-at150161.diff, and I'm wondering if it's possibly
> related to the patch - in any case, any advice would be very welcome.

bottom line is that most of this looks less likely to be a jail problem.

> It happens that mysql (tried both 4.0 and 5.1, in 2 separate jails), at
> some time stops responding to connections, and mysql gets stuck in sbwait
> state. It is only killable with kill -9

Yeah, I had been seeing mysql hang or go to 99% CPU for years once in a
while; it's been more rare the last months. I have seen it in- and
outside of jails, with or without patches.
Zeeb wrote:

> On Fri, 14 Nov 2008, Ruben van Staveren wrote:
>
> Hi,
>
>> I ran into this issue myself, and repatched /etc/rc.d/jail to work
>> with this
>>
>> jail_erg_ipv6="net0|2001:980:fff:96::c0a8:181"  # Jail's IP number
>> jail_erg_ip="192.168.1.129"                      # Jail's IP number
>> jail_erg_interface="lo0"
>>
>> So the default for everything is lo0, but you can override stuff by
>> prefixing an address with |
>>
>> Have fun at http://ruben.is.verweg.com/stuff/jail
>> of course, YMMV
>
> would that work as well with multiple IPs (per address family)? I kind

you mean like jail__ip="net0|addr1 net1|addr2" ? it does.

> of lost track. And are you also supporting the netmask feature from
> ru@?

It doesn't do netmask/prefix length but that should be easy to add. btw I
am working only against RELENG_7 so I don't know of any new network
features in HEAD. Should get a new macbook soon so I can run vmware
fusion to check that out ;)

>
> -- 
> Bjoern A. Zeeb                        Stop bit received. Insert coin for new game.

Cheers,
        Ruben

From bzeeb-lists at lists.zabbadoz.net Sun Nov 16 06:15:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Nov 16 06:15:15 2008
Subject: can jail use 2 NICS?
References: <20081116101126.T61259@maildrop.int.zabbadoz.net>
Message-ID: <20081116135929.S61259@maildrop.int.zabbadoz.net>

On Sun, 16 Nov 2008, Ruben van Staveren wrote:

> On 16 Nov 2008, at 11:12, Bjoern A. Zeeb wrote:
>
>> On Fri, 14 Nov 2008, Ruben van Staveren wrote:
>>
>> Hi,
>>
>>> I ran into this issue myself, and repatched /etc/rc.d/jail to work
>>> with this
>>>
>>> jail_erg_ipv6="net0|2001:980:fff:96::c0a8:181"  # Jail's IP number
>>> jail_erg_ip="192.168.1.129"                      # Jail's IP number
>>> jail_erg_interface="lo0"
>>>
>>> So the default for everything is lo0, but you can override stuff by
>>> prefixing an address with |
>>>
>>> Have fun at http://ruben.is.verweg.com/stuff/jail
>>> of course, YMMV
>>
>> would that work as well with multiple IPs (per address family)? I kind
>
> you mean like jail__ip="net0|addr1 net1|addr2" ? it does.
>
>> of lost track. And are you also supporting the netmask feature from
>> ru@?
>
> It doesn't do netmask/prefix length but that should be easy to add. btw
> I am working only against RELENG_7 so I don't know of any new network
> features in HEAD. Should get a new macbook soon so I can run vmware
> fusion to check that out ;)

Having that working as well would be a good thing, and I'd prefer that in
contrast to "netmask 255.255.255.255". Only going with prefix notation
(which usually would be /32 or /128) instead of having an extra
jail__netmask would be something I'd be fine with, even though this seems
to end up in a long and complicated list of options.

See http://svn.freebsd.org/viewvc/base?view=revision&revision=183325 for
Ruslan's commit to HEAD which had been discussed here before.

So the basic idea could be to only have

    jail__ip=""
    jail__ip6=""

and each of them would have a format like:

    [iface|]address[/prefix]

where iface and prefix are optional and prefix only makes sense if iface
is given? If iface is given it means configure the address with prefix on
the given interface; if prefix is not given the default would be /32 for
ipv4 and /128 for ipv6.

So now this would give really long and complicated lines in rc.conf.
Do you think we could have something like the _alias for interface
addresses so that it would be like:

jail__ip=""        # default
jail__ip_multi0="" # second IP of the jail
jail__ip_multi1="" # third IP of the jail
jail__ip_multi2="" # 4th IP of the jail

and similar for IPv6?

(multi might not be the best suffix)

Something along those lines?

Ruslan, what do you think about something like that? We could have
that for HEAD and 7 just now and add the _multi support with the
multi-IP jail patches? Could you and Ruben work together to build
this?

Regards,
Bjoern

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.

From bugmaster at FreeBSD.org Mon Nov 17 03:06:52 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 17 03:08:23 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200811171106.mAHB6q2D082564@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From lopez.on.the.lists at yellowspace.net Mon Nov 17 14:42:12 2008
From: lopez.on.the.lists at yellowspace.net (Lorenzo Perone)
Date: Mon Nov 17 14:42:19 2008
Subject: problem possibly related to multi-ip jail patch?
In-Reply-To: <2192B50F-16AE-4BC8-ACEC-6C5B99804DA0@yellowspace.net>
References: <2192B50F-16AE-4BC8-ACEC-6C5B99804DA0@yellowspace.net>
Message-ID: <3C37B5AC-FC79-4C05-A87C-7B4341DED32D@yellowspace.net>

sorry for posting that crap - turns out I forgot
vfs.zfs.prefetch_disable="1" in loader.conf and that had the fatal
consequences, which were related to zfs rather than to Bjoern's patch.
the jails patch works as expected so far and turned out to be unrelated
to the problems described.

Regards and apologies,

Lorenzo

On 16.11.2008, at 05:27, Lorenzo Perone wrote:

> Hi all,
>
> I've been experiencing problems with one of the machines running
> FreeBSD 7.1-PRERELEASE #2: Thu Oct 16 20:23:09 CEST 2008 with the
> multi-ip patch bz_jail7-20080920-01-at150161.diff, and I'm wondering
> if it is possibly related to the patch - in any case, any advice would
> be very welcome.
>
> It happens that mysql (tried both 4.0 and 5.1, in 2 separate jails),
> at some time stops responding to connections, and mysql gets stuck in
> sbwait state. It is only killable with kill -9
>
> each of the two mysqlds is running in a jail on one private IP,
> serving connections to a webserver nearby - the latter having one
> public and one private IP, communicating with the other jail via the
> private network.
>
> I also experienced two complete system hangs (which must not be
> necessarily related to the mysql problem) both during a shutdown -r
> now. one was a panic, in another case the machine was still pingable
> but did not shut down completely. I could only reset it over the
> DRAC. here's a screenshot I made over the Dell RAC:
> http://lorenzo.yellowspace.net/stuck.png
>
> Since I'm also using zfs there and the kernel has been built with
> the DTRACE options.
>
> any advice (also about which more details that I should/could
> provide) would be very welcome...
>
> thanx && regards,
>
> Lorenzo

From bzeeb-lists at lists.zabbadoz.net Thu Nov 20 10:25:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Nov 20 10:25:14 2008
Subject: jail translates destination IP?
In-Reply-To: <20081120161440.GA3537@grosbein.pp.ru>
References: <20081120161440.GA3537@grosbein.pp.ru>
Message-ID: <20081120182035.H61259@maildrop.int.zabbadoz.net>

On Thu, 20 Nov 2008, Eugene Grosbein wrote:

Hi,

freebsd-jail@ is a good place to ask jail questions as well.

> For some strange reason, RAW sockets (when allowed) and TCP behave
> very differently in jail (7.1-PRERELEASE). In host's rc.conf:
>
> jail_enable="YES"
> jail_list="test"
> jail_devfs_enable="YES"
> jail_test_rootdir="/mnt/big/jail/test"
> jail_test_hostname="myname.ru"
> jail_test_ip="192.168.0.1"
> jail_test_interface="lo0"
>
> "/etc/rc.d/jail start" does all right and I may rlogin into jail.
>
> In host environment I run tcpdump -np -i lo0.
> Inside jail I ping 127.0.0.1, it succeeds and tcpdump shows that requests
> go from 192.168.0.1 to 127.0.0.1 really. But when I try to telnet 127.0.0.1 25
> from jail, tcpdump shows that TCP SYN are sent to 192.168.0.1, so telnet fails.
>
> There is no NAT here. Is it a bug?

What happens with TCP is the expected behaviour. I wonder more about
the raw socket case and am not sure this is correct.

jails try to "simulate" the non-existing loopback by re-writing the IPs
to the jail-IP, which obviously has other implications. You should
never be able to connect from inside the jail to the base system's
127.0.0.1 loopback IP. This is a known "feature" (limitation) of jails.

Full network stack virtualization will no longer have that problem.

/bz

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.

From Alexander at Leidinger.net Fri Nov 21 04:46:41 2008
From: Alexander at Leidinger.net (Alexander Leidinger)
Date: Fri Nov 21 04:46:48 2008
Subject: Jails & multicast?
Message-ID: <20081121133103.123166twjls14360@webmail.leidinger.net>

Hi,

does someone know if multicast is supposed to work in a jail? I'm
playing around with avahi (mDNS / DNS-SD) in a jail. Now that I
defined a lot of service descriptions for all my jails, I wanted to
test this and tried to browse the service descriptions via mDNS. But
somehow I get no output. The avahi server is in the same jail as the
avahi browser. In the server output I see connections from the
browser, but the browser hangs and does not return (-> ctrl+c to abort
= last line in the following output):

---snip---
dbus-protocol.c: interface=org.freedesktop.Avahi.Server, path=/, member=GetAPIVersion
dbus-protocol.c: interface=org.freedesktop.Avahi.Server, path=/, member=GetState
dbus-protocol.c: interface=org.freedesktop.Avahi.Server, path=/, member=DomainBrowserNew
dbus-protocol.c: client :1.51 vanished.
---snip---

And here some info from ifmcstat. In the jail:

---snip---
# ifmcstat
dc0:
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	inet 0.0.0.0
	group 224.0.0.251 igmpv2 mcast-macaddr 01:00:5e:00:00:fb refcnt 1
	group 224.0.0.1 mcast-macaddr 01:00:5e:00:00:01 refcnt 1
lo0:
	inet 0.0.0.0
	group 224.0.0.1
	inet6 ::1:0:0
	inet6 ::1:0:0
	group ff02::202%lo0 refcnt 1
	group ff01::1%lo0 refcnt 2
	group ff02::2:82d1:3fc1%lo0 refcnt 2
	group ff02::1%lo0 refcnt 2
	group ff02::1:ff00:1%lo0 refcnt 2
---snip---

And outside the jail:

---snip---
# ifmcstat
dc0:
	inet 192.168.1.2
	inet 192.168.1.100
	inet 192.168.1.101
	inet 192.168.1.102
	inet 192.168.1.103
	inet 192.168.1.104
	inet 192.168.1.105
	inet 192.168.1.106
	inet 192.168.1.107
	inet 192.168.1.108
	inet 192.168.1.110
	inet 192.168.1.111
	inet 192.168.1.113
	inet 192.168.1.114
	group 224.0.0.251 igmpv2 mcast-macaddr 01:00:5e:00:00:fb refcnt 1
	group 224.0.0.1 mcast-macaddr 01:00:5e:00:00:01 refcnt 1
lo0:
	inet 127.0.0.1
	group 224.0.0.1
	inet6 fe80::1%lo0
	inet6 ::1
	group ff02::202%lo0 refcnt 1
	group ff01::1%lo0 refcnt 2
	group ff02::2:82d1:3fc1%lo0 refcnt 2
	group ff02::1%lo0 refcnt 2
	group ff02::1:ff00:1%lo0 refcnt 2
---snip---

It's the first time I play around with multicast, any hints how to
debug this further are welcome. Anything I need to setup so that this
works? I have options MROUTING in the kernel, but that's all I did
related to multicast.

Bye,
Alexander.

--
The light at the end of the tunnel can be a helluva nuisance,
especially if you're using the tunnel as a darkroom.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From ru at freebsd.org Fri Nov 21 12:49:00 2008
From: ru at freebsd.org (Ruslan Ermilov)
Date: Fri Nov 21 12:49:07 2008
Subject: can jail use 2 NICS?
In-Reply-To: <20081116135929.S61259@maildrop.int.zabbadoz.net>
References: <20081116101126.T61259@maildrop.int.zabbadoz.net> <20081116135929.S61259@maildrop.int.zabbadoz.net>
Message-ID: <20081121202316.GB28339@edoofus.dev.vega.ru>

Hi,

Have been traveling, hence long "no reply"...

On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
> So the basic idea could be to only have
> jail__ip=""
> jail__ip6=""
>
> and each of them would have a format like:
>
> [iface|]address[/prefix]

I'd suggest [iface:] instead.

> where iface and prefix are optional and prefix only makes sense if
> iface is given?
>
> If iface is given it means configure the address with prefix to the
> given interface; if prefix is not given the default would be /32 for
> ipv4 and /128 for ipv6.
>
> So now this would give really long and complicated lines in rc.conf.
> Do you think we could have something like the _alias for interface
> addresses so that it would be like:
>
> jail__ip="" # default
> jail__ip_multi0="" # second IP of the jail
> jail__ip_multi1="" # third IP of the jail
> jail__ip_multi2="" # 4th IP of the jail
>
> and similar for IPv6?
>
> (multi might not be the best suffix)
>
> Something along those lines?
>
> Ruslan, what do you think about something like that?
> We could have
> that for HEAD and 7 just now and add the _multi support with the
> multi-IP jail patches? Could you and Ruben work together to build
> this?
>
I think this is a good idea. My workaround with routes
I mentioned doesn't actually work, so currently we use
a version from HEAD on our production servers, and the
modified version of ezjail port that supports netmasks.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From bzeeb-lists at lists.zabbadoz.net Fri Nov 21 14:40:06 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Fri Nov 21 14:40:13 2008
Subject: can jail use 2 NICS?
In-Reply-To: <20081121202316.GB28339@edoofus.dev.vega.ru>
References: <20081116101126.T61259@maildrop.int.zabbadoz.net> <20081116135929.S61259@maildrop.int.zabbadoz.net> <20081121202316.GB28339@edoofus.dev.vega.ru>
Message-ID: <20081121223541.H61259@maildrop.int.zabbadoz.net>

On Fri, 21 Nov 2008, Ruslan Ermilov wrote:

Hi,

> Have been traveling, hence long "no reply"...
>
> On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
>> So the basic idea could be to only have
>> jail__ip=""
>> jail__ip6=""
>>
>> and each of them would have a format like:
>>
>> [iface|]address[/prefix]
>
> I'd suggest [iface:] instead.

be aware that : might be problematic to parse from shell with IPv6
addresses as it would either be:

bge0:2001:db8::1

or just

2001:db8::1

>> where iface and prefix are optional and prefix only makes sense if
>> iface is given?
>>
>> If iface is given it means configure the address with prefix to the
>> given interface; if prefix is not given the default would be /32 for
>> ipv4 and /128 for ipv6.
>>
>> So now this would give really long and complicated lines in rc.conf.
>> Do you think we could have something like the _alias for interface
>> addresses so that it would be like:
>>
>> jail__ip="" # default
>> jail__ip_multi0="" # second IP of the jail
>> jail__ip_multi1="" # third IP of the jail
>> jail__ip_multi2="" # 4th IP of the jail
>>
>> and similar for IPv6?
>>
>> (multi might not be the best suffix)
>>
>> Something along those lines?
>>
>> Ruslan, what do you think about something like that? We could have
>> that for HEAD and 7 just now and add the _multi support with the
>> multi-IP jail patches? Could you and Ruben work together to build
>> this?
>>
> I think this is a good idea. My workaround with routes
> I mentioned doesn't actually work, so currently we use
> a version from HEAD on our production servers, and the
> modified version of ezjail port that supports netmasks.

Sounds like a plan then. Thanks a lot.

/bz

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.

From ruben at verweg.com Fri Nov 21 17:24:32 2008
From: ruben at verweg.com (Ruben van Staveren)
Date: Fri Nov 21 17:24:38 2008
Subject: can jail use 2 NICS?
In-Reply-To: <20081121202316.GB28339@edoofus.dev.vega.ru>
References: <20081116101126.T61259@maildrop.int.zabbadoz.net> <20081116135929.S61259@maildrop.int.zabbadoz.net> <20081121202316.GB28339@edoofus.dev.vega.ru>
Message-ID: <7CE62E42-B1C2-4D4E-860B-C4F2F5849ABE@verweg.com>

Hi,

On 21 Nov 2008, at 21:23, Ruslan Ermilov wrote:

> Hi,
>
> Have been traveling, hence long "no reply"...
>
> On Sun, Nov 16, 2008 at 02:10:35PM +0000, Bjoern A. Zeeb wrote:
>> So the basic idea could be to only have
>> jail__ip=""
>> jail__ip6=""
>>
>> and each of them would have a format like:
>>
>> [iface|]address[/prefix]
>
> I'd suggest [iface:] instead.

This will get a bit ambiguous when IPv6 addresses are used...

>> where iface and prefix are optional and prefix only makes sense if
>> iface is given?
>>
>> If iface is given it means configure the address with prefix to the
>> given interface; if prefix is not given the default would be /32 for
>> ipv4 and /128 for ipv6.

Yes, and I prefer the prefix notation above the subnet mask one.

Related, I still need to look at ifconfig canonicalizing stuff like
2001:888:1029::192.168.1.129 before operating on the interface
structure. This helps in

ifconfig delete 2001:888:1029::192.168.1.129

currently this does not work because on ifconfig up the value is
converted to 2001:888:1029::c0a8:181

>> So now this would give really long and complicated lines in rc.conf.
>> Do you think we could have something like the _alias for interface
>> addresses so that it would be like:
>>
>> jail__ip="" # default
>> jail__ip_multi0="" # second IP of the jail
>> jail__ip_multi1="" # third IP of the jail
>> jail__ip_multi2="" # 4th IP of the jail
>>
>> and similar for IPv6?
>>
>> (multi might not be the best suffix)
>>
>> Something along those lines?

From a user point of view, it will make a messy configuration. it
might be more preferable then to have something in the order of

jail "" {
	iface
	prefix
	addr [] [/]
	addr [] [/]
	...
}

For Bjoern I think something like this in an /etc/jail.conf will mark
a clear separation between rc.conf and jail management ?

>> Ruslan, what do you think about something like that? We could have
>> that for HEAD and 7 just now and add the _multi support with the
>> multi-IP jail patches? Could you and Ruben work together to build
>> this?
>>
> I think this is a good idea. My workaround with routes
> I mentioned doesn't actually work, so currently we use
> a version from HEAD on our production servers, and the
> modified version of ezjail port that supports netmasks.

The route thing, is that the setfib configuration from HEAD ?

>
> Cheers,
> --
> Ruslan Ermilov
> ru@FreeBSD.org
> FreeBSD committer

Regards,
Ruben

From bugmaster at FreeBSD.org Mon Nov 24 03:07:16 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 24 03:08:22 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200811241107.mAOB7FxS019943@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.
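A small sh parser for the [iface|]address[/prefix] form proposed in the "can jail use 2 NICS?" thread above, added here as an example; it is not code from the thread, from Ruben's patch or from FreeBSD's /etc/rc.d/jail. It applies the defaults discussed there (/32 for IPv4, /128 for IPv6, the jail's interface variable when no interface is given), rejects malformed or out-of-range prefixes, and shows why the [iface:] separator Ruslan suggested cannot be split unambiguously once IPv6 addresses are involved; the function names and the addresses used are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's /etc/rc.d/jail):
# parse the proposed jail_<jname>_ip / jail_<jname>_ip6 value syntax
#     [iface|]address[/prefix]
# with the defaults discussed on the list: /32 for IPv4, /128 for IPv6, and
# a fallback interface (jail_<jname>_interface, usually lo0) when none is given.

# parse_jail_addr SPEC DEFAULT_IFACE
# Prints "iface address prefix" on one line; returns 1 on a malformed spec.
parse_jail_addr() {
    spec=$1
    iface=$2
    prefix=""

    # Optional interface, separated by '|' (a character no address contains).
    case "$spec" in
    *\|*)
        iface=${spec%%|*}
        spec=${spec#*|}
        ;;
    esac

    # Optional prefix length after the last '/'.
    case "$spec" in
    */*)
        prefix=${spec##*/}
        spec=${spec%/*}
        ;;
    esac
    addr=$spec

    # Address family is decided by the presence of ':' (only IPv6 has it);
    # it selects both the default prefix and the upper bound for a given one.
    case "$addr" in
    *:*) maxprefix=128 ;;
    *)   maxprefix=32 ;;
    esac
    [ -n "$prefix" ] || prefix=$maxprefix

    # Reject empty fields and non-numeric or out-of-range prefixes.
    [ -n "$iface" ] && [ -n "$addr" ] || return 1
    case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le "$maxprefix" ] || return 1

    printf '%s %s %s\n' "$iface" "$addr" "$prefix"
}

# parse_jail_addr_list "SPEC SPEC ..." DEFAULT_IFACE
# One output line per address, e.g. for jail_X_ip="net0|addr1 net1|addr2";
# stops at the first malformed entry and returns 1.
parse_jail_addr_list() {
    for item in $1; do
        parse_jail_addr "$item" "$2" || return 1
    done
}

# split_colon_spec SPEC
# Naive split on the first ':' as the suggested [iface:]address variant would
# need: for a bare IPv6 address the first hextet is mistaken for the interface.
split_colon_spec() {
    printf '%s %s\n' "${1%%:*}" "${1#*:}"
}

# Demonstration with constructed values when run directly.
parse_jail_addr_list "net0|2001:980:fff:96::c0a8:181 192.168.1.129 bge0|10.0.0.5/24" lo0
split_colon_spec "bge0:2001:db8::1"   # bge0 2001:db8::1
split_colon_spec "2001:db8::1"        # 2001 db8::1 (no interface was given)
```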
From spry at anarchy.in.the.ph Tue Nov 25 22:11:49 2008
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Tue Nov 25 22:12:21 2008
Subject: Successful patch on several hosts with RELENG_7
In-Reply-To: <20081106114254.E16105@maildrop.int.zabbadoz.net>
References: <20081106114254.E16105@maildrop.int.zabbadoz.net>
Message-ID:

On Thu, Nov 6, 2008 at 7:44 PM, Bjoern A. Zeeb wrote:
> On Thu, 6 Nov 2008, Matheus Cucoloto wrote:
>
> Hi,
>
>> I tried to apply this patch, but i had no success.
>>
>> That is the message I got:
>
> ...
>>
>> Any hint?
>
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-October/000577.html
>
> So the reason there is no 7 patch is that Robert and I finally found a
> solution for one of the problems that came up during the review and I
> still need to implement it. My plan was to do so later today...
>
> There will be a new set of patches soon (famous last words;)
>

So, any word on the new set of patches? ;-)

I've had a box in production w/ this multi-IP patch (v4 and v6 in use)
and it's been running fine and smoothly. I wanted to update to the
latest 7.1X but the last patch doesn't apply cleanly.

Thanks.

> /bz
>
> --
> Bjoern A. Zeeb Stop bit received. Insert coin for new game.

--
cheers
mars

From bzeeb-lists at lists.zabbadoz.net Tue Nov 25 23:35:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Nov 25 23:35:14 2008
Subject: Successful patch on several hosts with RELENG_7
In-Reply-To:
References: <20081106114254.E16105@maildrop.int.zabbadoz.net>
Message-ID: <20081126070902.B61259@maildrop.int.zabbadoz.net>

On Wed, 26 Nov 2008, Mars G Miro wrote:

Hi,

> So, any word on the new set of patches? ;-)

I have one for HEAD, almost had one all the time. In case you want to
test it on HEAD as it would be committed let me know.

As it comes to 7, see my yesterday's work here:
http://perforce.freebsd.org/chv.cgi?CH=153529
merging 40 or so changesets back from HEAD. I need to check that it
compiles and works and reduce the diff to HEAD in a few places.

Regards,
Bjoern

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.

From spry at anarchy.in.the.ph Tue Nov 25 23:45:20 2008
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Tue Nov 25 23:45:27 2008
Subject: Successful patch on several hosts with RELENG_7
In-Reply-To: <20081126070902.B61259@maildrop.int.zabbadoz.net>
References: <20081106114254.E16105@maildrop.int.zabbadoz.net> <20081126070902.B61259@maildrop.int.zabbadoz.net>
Message-ID:

On Wed, Nov 26, 2008 at 3:31 PM, Bjoern A. Zeeb wrote:
> On Wed, 26 Nov 2008, Mars G Miro wrote:
>
> Hi,
>
>> So, any word on the new set of patches? ;-)
>
> I have one for HEAD, almost had one all the time. In case you want to
> test it on HEAD as it would be committed let me know.
>
> As it comes to 7, see my yesterday's work here:
> http://perforce.freebsd.org/chv.cgi?CH=153529
> merging 40 or so changesets back from HEAD. I need to check that it
> compiles and works and reduce the diff to HEAD in a few places.
>

Nice. ahm, how do i grab those changes in one diff again?

Thanks.

> Regards,
> Bjoern
>
> --
> Bjoern A. Zeeb Stop bit received. Insert coin for new game.

--
cheers
mars

From bzeeb-lists at lists.zabbadoz.net Wed Nov 26 00:35:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Nov 26 00:35:14 2008
Subject: Successful patch on several hosts with RELENG_7
In-Reply-To:
References: <20081106114254.E16105@maildrop.int.zabbadoz.net> <20081126070902.B61259@maildrop.int.zabbadoz.net>
Message-ID: <20081126082955.P61259@maildrop.int.zabbadoz.net>

On Wed, 26 Nov 2008, Mars G Miro wrote:

> On Wed, Nov 26, 2008 at 3:31 PM, Bjoern A. Zeeb wrote:
>> On Wed, 26 Nov 2008, Mars G Miro wrote:
>>
>> Hi,
>>
>>> So, any word on the new set of patches? ;-)
>>
>> I have one for HEAD, almost had one all the time. In case you want to
>> test it on HEAD as it would be committed let me know.
>>
>> As it comes to 7, see my yesterday's work here:
>> http://perforce.freebsd.org/chv.cgi?CH=153529
>> merging 40 or so changesets back from HEAD. I need to check that it
>> compiles and works and reduce the diff to HEAD in a few places.
>>
>
> Nice. ahm, how do i grab those changes in one diff again?

those changes alone don't help you to get anything working.
I'll publish a complete patch for 7 once I finished the list from
above:
- check it compiles
- make sure it works

You don't want to immediately panic your server, do you? I prefer to
at least have caught the obvious parts;-)

/bz

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.

From spry at anarchy.in.the.ph Wed Nov 26 01:22:30 2008
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Wed Nov 26 01:22:37 2008
Subject: Successful patch on several hosts with RELENG_7
In-Reply-To: <20081126082955.P61259@maildrop.int.zabbadoz.net>
References: <20081106114254.E16105@maildrop.int.zabbadoz.net> <20081126070902.B61259@maildrop.int.zabbadoz.net> <20081126082955.P61259@maildrop.int.zabbadoz.net>
Message-ID:

On Wed, Nov 26, 2008 at 4:31 PM, Bjoern A. Zeeb wrote:
> On Wed, 26 Nov 2008, Mars G Miro wrote:
>
>> On Wed, Nov 26, 2008 at 3:31 PM, Bjoern A. Zeeb wrote:
>>>
>>> On Wed, 26 Nov 2008, Mars G Miro wrote:
>>>
>>> Hi,
>>>
>>>> So, any word on the new set of patches? ;-)
>>>
>>> I have one for HEAD, almost had one all the time. In case you want to
>>> test it on HEAD as it would be committed let me know.
>>>
>>> As it comes to 7, see my yesterday's work here:
>>> http://perforce.freebsd.org/chv.cgi?CH=153529
>>> merging 40 or so changesets back from HEAD. I need to check that it
>>> compiles and works and reduce the diff to HEAD in a few places.
>>>
>>
>> Nice. ahm, how do i grab those changes in one diff again?
>
> those changes alone don't help you to get anything working.
> I'll publish a complete patch for 7 once I finished the list from
> above:
> - check it compiles
> - make sure it works
>
> You don't want to immediately panic your server, do you? I prefer to
> at least have caught the obvious parts;-)
>

Ok cool. I can test patches for recent 7.X and 8.X.

Thanks.

> /bz
>
> --
> Bjoern A. Zeeb Stop bit received. Insert coin for new game.

--
cheers
mars

From bzeeb-lists at lists.zabbadoz.net Wed Nov 26 16:00:09 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Nov 26 16:00:15 2008
Subject: Anyone interested in jail patches?
Message-ID: <20081126234502.S61259@maildrop.int.zabbadoz.net>

Hi,

it's 1am and I am out of caffeine so excuse all those typos and in case
there will be bugs blame them on whatever you want...; I just want to
get this out, finally, to you.

If you are interested in a new set of jail patches... anyone?;-)

1) read the changelog from http://perforce.freebsd.org/chv.cgi?CH=153529
   that's a good summary for the diff to the last set of patches.

2) I freshly integrated both branches; there had been a few changes
   since yesterday after my testing but those should be ok. It also
   means that the patches should apply to the sources of `now`.

2a) for HEAD:
    http://people.freebsd.org/~bz/bz_jail-20081126-02-at153644.diff

2b) for RELENG_7:
    http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff

2c) there is no 7.0-RELEASE support anymore; sorry.

As always please report problems or success stories to the list rather
than to me directly. Same usually applies for questions. In case you
are happy consider http://www.freebsdfoundation.org/donate/ .

Regards,
Bjoern

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
From spry at anarchy.in.the.ph Wed Nov 26 23:22:50 2008
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Wed Nov 26 23:22:57 2008
Subject: Anyone interested in jail patches?
In-Reply-To: <20081126234502.S61259@maildrop.int.zabbadoz.net>
References: <20081126234502.S61259@maildrop.int.zabbadoz.net>
Message-ID:

On Thu, Nov 27, 2008 at 7:56 AM, Bjoern A. Zeeb wrote:
> Hi,
>
> it's 1am and I am out of caffeine so excuse all those typos and in case
> there will be bugs blame them on whatever you want...; I just want to
> get this out, finally, to you.
>
> If you are interested in a new set of jail patches... anyone?;-)
>
> 1) read the changelog from http://perforce.freebsd.org/chv.cgi?CH=153529
>    that's a good summary for the diff to the last set of patches.
>
> 2) I freshly integrated both branches; there had been a few changes
>    since yesterday after my testing but those should be ok. It also
>    means that the patches should apply to the sources of `now`.
>

Tried both on recent 7.X and 8.X. Used about 4,5 different IPs ( IPv4
and v6 ) for the jails.

So far so good ;-)

Thanks!

> 2a) for HEAD:
>     http://people.freebsd.org/~bz/bz_jail-20081126-02-at153644.diff
>
> 2b) for RELENG_7:
>     http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff
>
> 2c) there is no 7.0-RELEASE support anymore; sorry.
>
>
> As always please report problems or success stories to the list rather
> than to me directly. Same usually applies for questions. In case you
> are happy consider http://www.freebsdfoundation.org/donate/ .
>
>
> Regards,
> Bjoern
>
> --
> Bjoern A. Zeeb Stop bit received. Insert coin for new game.

--
cheers
mars

From bzeeb-lists at lists.zabbadoz.net Thu Nov 27 04:35:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Nov 27 04:35:13 2008
Subject: Anyone interested in jail patches?
In-Reply-To:
References: <20081126234502.S61259@maildrop.int.zabbadoz.net>
Message-ID: <20081127123322.Y61259@maildrop.int.zabbadoz.net>

On Thu, 27 Nov 2008, Mars G Miro wrote:

Hi,

> Tried both on recent 7.X and 8.X. Used about 4,5 different IPs ( IPv4
> and v6 ) for the jails.
>
> So far so good ;-)

That was good news the next morning:)

Thanks.

Regards,
Bjoern

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.

From frank at harz.behrens.de Thu Nov 27 13:18:45 2008
From: frank at harz.behrens.de (Frank Behrens)
Date: Thu Nov 27 13:18:52 2008
Subject: Anyone interested in jail patches?
In-Reply-To: <20081126234502.S61259@maildrop.int.zabbadoz.net>
Message-ID: <200811272118.mARLIdKH006580@post.behrens.de>

Hi Bjoern,

thanks for the good news!

Bjoern A. Zeeb wrote on 26 Nov 2008 23:56:
> 2b) for RELENG_7:
>     http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff

I already used your patch from May 2008 in production without any
problems. The update was no problem, your patch applied cleanly to
current sources. Until now I could not see any regression in jail
handling compared to the version from May, so I would say: good work.
(Source address handling is another topic and another thread.)

There is still a question left: In earlier version we had a sysctl
security.jail.jailed_sockets_first. This sysctl was removed, so I
assume it is "built-in" now, eventually I did not see any problems.
On the other side I still read in the patched jail(2) man page:
"Similarly, it might be a good idea to add an address alias flag such
that daemons listening on all IPs (INADDR_ANY) will not bind on that
address...". Can you explain the current behaviour?

I did not test your patch with multiple IPv4 addresses, but jails are
working well with an IPv4 and IPv6 address. I would like to see this
functionality in RELENG_7.

Thanks again for your good work, I believe many FreeBSD users will
appreciate this long-missed feature.

Frank

--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.

From bzeeb-lists at lists.zabbadoz.net Thu Nov 27 16:00:09 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Nov 27 16:00:17 2008
Subject: HEADS UP: multi/no-IPv4/v6 jails going to hit HEAD
Message-ID: <20081127233005.E61259@maildrop.int.zabbadoz.net>

Hi,

I haven't heard back anything bad after (almost) 24 hours since I had
released the latest patchset.

So this is the HEADS UP for you that unless major regressions or other
important "stop"s show up I plan to commit the latest multi/no-IPv4/v6
jail patch to HEAD saturday (2008-11-29) morning UTC.

You'll find a few things like man page dates, etc. updated to the
current diff so it will slightly change - but there should be no
functional changes anymore (unless a regression is found or make
universe won't like me later today;-).

For patches see my original mail to freebsd-jail from last night below
and the entire thread here:
http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000615.html

This is mostly intended for two things:
- to get out of the way for other vimage/mgmt work for 8.x
- possible MFC to 7 in a few weeks or rather months (don't even think
  about asking for 7.1-RELEASE; the answer would be: in case you are
  going to donate 100.000 USD I could start talking to re@ about that
  but we might need more money for bribing during the negotiations;)

and:
- add a lot of good FreeBSD marketing after the commit here
- send patches! :-)

Regards,
Bjoern

------------------------------------------------------------------------
Date: Wed, 26 Nov 2008 23:56:55 +0000 (UTC)
From: Bjoern A. Zeeb
To: freebsd-jail@freebsd.org
Subject: Anyone interested in jail patches?
Hi,

it's 1am and I am out of caffeine, so excuse all those typos, and in case there are bugs blame them on whatever you want...; I just want to get this out, finally, to you.

If you are interested in a new set of jail patches... anyone? ;-)

1) Read the changelog from http://perforce.freebsd.org/chv.cgi?CH=153529 ; that's a good summary of the diff to the last set of patches.

2) I freshly integrated both branches; there had been a few changes since yesterday after my testing, but those should be ok. It also means that the patches should apply to the sources of `now`.

2a) for HEAD:
http://people.freebsd.org/~bz/bz_jail-20081126-02-at153644.diff

2b) for RELENG_7:
http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff

2c) There is no 7.0-RELEASE support anymore; sorry.

As always, please report problems or success stories to the list rather than to me directly. The same usually applies to questions.

In case you are happy, consider http://www.freebsdfoundation.org/donate/ .

Regards,
Bjoern
------------------------------------------------------------------------

--
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.

From nbari at k9.cx Fri Nov 28 09:49:30 2008
From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas)
Date: Fri Nov 28 09:49:36 2008
Subject: Diskless Operation
Message-ID:

Hi all,

Is it possible to set up a diskless operating system under a jail?

regards
--
> nbari

From bz at FreeBSD.org Sat Nov 29 08:51:04 2008
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Sat Nov 29 08:51:10 2008
Subject: kern/74314: [resolver] [jail] DNS resolver broken under certain jail conditions
Message-ID: <200811291651.mATGp4fE099583@freefall.freebsd.org>

Synopsis: [resolver] [jail] DNS resolver broken under certain jail conditions

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Nov 29 16:50:28 UTC 2008
Responsible-Changed-Why:
Sounds like a NAT or configuration error. Let's see if it's still relevant and, if so, if we can get more information.

http://www.freebsd.org/cgi/query-pr.cgi?pr=74314

From bz at FreeBSD.org Sat Nov 29 08:55:16 2008
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Sat Nov 29 08:55:23 2008
Subject: kern/84215: [jail] [patch] wildcard ip (INADDR_ANY) should not bind inside a jail
Message-ID: <200811291655.mATGtGhv099669@freefall.freebsd.org>

Synopsis: [jail] [patch] wildcard ip (INADDR_ANY) should not bind inside a jail

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Nov 29 16:54:30 UTC 2008
Responsible-Changed-Why:
Take. It seems that the proposed solution is not suitable for general FreeBSD but might no longer be needed with updated jails. Try to get feedback.

http://www.freebsd.org/cgi/query-pr.cgi?pr=84215

From bzeeb-lists at lists.zabbadoz.net Sat Nov 29 09:05:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sat Nov 29 09:05:14 2008
Subject: Anyone interested in jail patches?
In-Reply-To: <200811272118.mARLIdKH006580@post.behrens.de>
References: <200811272118.mARLIdKH006580@post.behrens.de>
Message-ID: <20081129165714.E61259@maildrop.int.zabbadoz.net>

On Thu, 27 Nov 2008, Frank Behrens wrote:

Hi,

> On the other side I still read in the patched jail(2) man page:
> "Similarly, it might be a good idea to add an address alias flag such
> that daemons listening on all IPs (INADDR_ANY) will not bind on that
> address...". Can you explain the current behaviour?

I think this question is related to your PR kern/84215.

The current situation is: jails take precedence. So if sshd is listening on inaddr_any on the host and on inaddr_any inside a jail, the connection to an IP belonging to a jail will end up inside the jail; any connections to IPs not belonging to jails will end up on the base.

Obviously if you stop the jail and ssh to a former jail IP you'll end up on the base system and ssh would possibly complain about different keys, while telnet or similar things won't notice.

/bz
--
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.

From bz at FreeBSD.org Sat Nov 29 09:17:46 2008
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Sat Nov 29 09:17:53 2008
Subject: kern/89989: [jail] [patch] Add option -I (ASCII 73) PID to specify tryprid within jail(2)
Message-ID: <200811291717.mATHHkMx014971@freefall.freebsd.org>

Synopsis: [jail] [patch] Add option -I (ASCII 73) PID to specify tryprid within jail(2)

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Nov 29 17:15:36 UTC 2008
Responsible-Changed-Why:
Jail IDs are system internal. We had even (temporarily) changed the allocator in the meantime. But jails in HEAD now support jail names for management purposes. See if that would work for the submitter.
http://www.freebsd.org/cgi/query-pr.cgi?pr=89989

From bz at FreeBSD.org Sat Nov 29 09:20:02 2008
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Sat Nov 29 09:20:08 2008
Subject: kern/97071: [jail] [patch] add security.jail.jid sysctl
Message-ID: <200811291720.mATHK2nx015052@freefall.freebsd.org>

Synopsis: [jail] [patch] add security.jail.jid sysctl

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Nov 29 17:19:06 UTC 2008
Responsible-Changed-Why:
JIDs are system internal and the PR doesn't give a reason why it would be helpful to know them within the jail. Ask for feedback.

http://www.freebsd.org/cgi/query-pr.cgi?pr=97071

From bz at FreeBSD.org Sat Nov 29 09:37:30 2008
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Sat Nov 29 09:37:37 2008
Subject: kern/120753: [jail] Zombie jails (jailed child process exits while non-jailed parent is alive)
Message-ID: <200811291737.mATHbTNk030664@freefall.freebsd.org>

Synopsis: [jail] Zombie jails (jailed child process exits while non-jailed parent is alive)

State-Changed-From-To: open->closed
State-Changed-By: bz
State-Changed-When: Sat Nov 29 17:33:15 UTC 2008
State-Changed-Why:
This is not a bug. This is the way processes are tracked. Note that in your second example your parent exits before your jail call but after your fork, so there is no parent to "collect" the dead child later so the jail can go away instantly.

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Nov 29 17:33:15 UTC 2008
Responsible-Changed-Why:
Assign to me in case of possible follow-ups.
http://www.freebsd.org/cgi/query-pr.cgi?pr=120753

From bz at FreeBSD.org Sat Nov 29 09:38:44 2008
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Sat Nov 29 09:38:51 2008
Subject: kern/126368: [jail] Running ktrace/kdump in jail leads to stale jails
Message-ID: <200811291738.mATHciKY030714@freefall.freebsd.org>

Synopsis: [jail] Running ktrace/kdump in jail leads to stale jails

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Sat Nov 29 17:38:17 UTC 2008
Responsible-Changed-Why:
I'll track this; I thought it was patched already but I'll look.

http://www.freebsd.org/cgi/query-pr.cgi?pr=126368

From nejc at skoberne.net Sat Nov 29 10:30:07 2008
From: nejc at skoberne.net (Nejc Skoberne)
Date: Sat Nov 29 10:30:14 2008
Subject: kern/126368: [jail] Running ktrace/kdump in jail leads to stale jails
In-Reply-To: <200811291738.mATHciKY030714@freefall.freebsd.org>
References: <200811291738.mATHciKY030714@freefall.freebsd.org>
Message-ID: <493185D2.3050901@skoberne.net>

Hello,

> Synopsis: [jail] Running ktrace/kdump in jail leads to stale jails
>
> Responsible-Changed-From-To: freebsd-jail->bz
> Responsible-Changed-By: bz
> Responsible-Changed-When: Sat Nov 29 17:38:17 UTC 2008
> Responsible-Changed-Why:
> I'll track this; I thought it was patched already but I'll look.

As I wrote on August 10: "Sorry, please ignore the previous post, my problem of "the delay" seems to be unrelated to the "ktrace-in-jail" issue. I guess this patch fixes the problem after all."

So I think you don't need to look again ...

Thanks,
Nejc

From frank at harz.behrens.de Sun Nov 30 08:32:24 2008
From: frank at harz.behrens.de (Frank Behrens)
Date: Sun Nov 30 08:32:30 2008
Subject: Anyone interested in jail patches?
In-Reply-To: <20081129165714.E61259@maildrop.int.zabbadoz.net>
References: <200811272118.mARLIdKH006580@post.behrens.de> <20081129165714.E61259@maildrop.int.zabbadoz.net>
Message-ID: <4932C01C.4020609@harz.behrens.de>

Bjoern A.
Zeeb wrote:
> On Thu, 27 Nov 2008, Frank Behrens wrote:
>> On the other side I still read in the patched jail(2) man page:
>> "Similarly, it might be a good idea to add an address alias flag such
>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>> address...". Can you explain the current behaviour?
>
> I think this question is related to your PR kern/84215.

Yes.

> The current situation is: jails take precedence. So if sshd is
> listening on inaddr_any on the host and on inaddr_any inside a jail
> the connection to an IP belonging to a jail will end up inside the
> jail; any connections to IPs not belonging to jails will end up on the
> base.

So we now have the desired behaviour. Your explanation should replace the (now incorrect) sentence in the man page. Please excuse my error, it is in jail(8), not jail(2).

> Obviously if you stop the jail and ssh to a former jail IP you'll end
> up on the base system and ssh would complain about different keys
> possibly while telnet or similar things won't notice.

This is expected and not easy to circumvent.

Regards,
Frank

From bzeeb-lists at lists.zabbadoz.net Sun Nov 30 10:25:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Nov 30 10:25:15 2008
Subject: Anyone interested in jail patches?
In-Reply-To: <4932C01C.4020609@harz.behrens.de>
References: <200811272118.mARLIdKH006580@post.behrens.de> <20081129165714.E61259@maildrop.int.zabbadoz.net> <4932C01C.4020609@harz.behrens.de>
Message-ID: <20081130181856.W61259@maildrop.int.zabbadoz.net>

On Sun, 30 Nov 2008, Frank Behrens wrote:

Hi,

> Bjoern A. Zeeb wrote:
>> On Thu, 27 Nov 2008, Frank Behrens wrote:
>>> On the other side I still read in the patched jail(2) man page:
>>> "Similarly, it might be a good idea to add an address alias flag such
>>> that daemons listening on all IPs (INADDR_ANY) will not bind on that
>>> address...". Can you explain the current behaviour?
>>
>> I think this question is related to your PR kern/84215.
> Yes.
>
>> The current situation is: jails take precedence. So if sshd is
>> listening on inaddr_any on the host and on inaddr_any inside a jail
>> the connection to an IP belonging to a jail will end up inside the
>> jail; any connections to IPs not belonging to jails will end up on the
>> base.
> So we now have the desired behaviour. Your explanation should replace
> the (now incorrect) sentence in the man page. Please excuse my error, it is
> in jail(8),
> not jail(2).
>
>> Obviously if you stop the jail and ssh to a former jail IP you'll end
>> up on the base system and ssh would complain about different keys
>> possibly while telnet or similar things won't notice.
> This is expected and not easy to circumvent.

Yes it is. You don't bind your sshd (or whatever) to inaddr_any on the base system but to an IP exclusive to the base system. If the jail is stopped, you'll get connection refused instead of unexpected behaviour. So what is in the man page is not entirely wrong.

/bz
--
Bjoern A. Zeeb
Stop bit received. Insert coin for new game.
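The advice in Bjoern's two replies above (a base-system daemon bound to INADDR_ANY silently inherits any jail address whose jail is stopped, so bind host daemons to an address exclusive to the base instead) as a check and a fix, added here as an example; it is not code from the thread or from FreeBSD. It assumes sockstat(1)-style output as `sockstat -4l` prints it on FreeBSD; the sample output embedded below and the 192.0.2.x addresses are constructed for the example. `pin_sshd_listen` rewrites an sshd_config so that it carries a single `ListenAddress` line, the standard sshd directive for this; the file path and the address it is given are the caller's.

```shell
#!/bin/sh
# Added example (not from the thread): audit a jail host for daemons bound
# to INADDR_ANY and pin sshd to a base-only address.
#
# wildcard_listeners reads sockstat(1) output on stdin; on FreeBSD you
# would feed it `sockstat -4l`. The sample below is constructed for this
# example and is not real output from any host.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sshd       1340  4  tcp4   192.0.2.20:22         *:*
bind     named      733   21 udp4   192.0.2.1:53          *:*
root     syslogd    600   6  udp4   *:514                 *:*
EOF
}

# Print "COMMAND PID PORT" for every socket whose LOCAL ADDRESS is "*:port".
# Such a socket on the base system answers for every address no running
# jail owns, so a stopped jail's IP falls through to it without any error.
# IPv4 only: the address is split on the single ':' before the port.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, $3, a[2] }'
}

# Rewrite an sshd_config so sshd listens only on the given base-system
# address: drop every existing ListenAddress line and append one for $2.
# Arguments: path to sshd_config, IP address exclusive to the base system.
# Both are assumptions of this example; there is no default.
pin_sshd_listen() {
    cfg=$1
    ip=$2
    tmp="$cfg.tmp.$$"
    # grep -v exits 1 when nothing is left, which is not an error here
    grep -v '^[[:space:]]*ListenAddress' "$cfg" > "$tmp" || true
    printf 'ListenAddress %s\n' "$ip" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Stand-alone run: list the wildcard listeners in the constructed sample.
sample_sockstat | wildcard_listeners
```

On a real host run `sockstat -4l | wildcard_listeners`; every line it prints is a daemon that will pick up a jail's address as soon as that jail is stopped, which is exactly the case Bjoern describes for sshd. After `pin_sshd_listen /etc/ssh/sshd_config <base-ip>` and an sshd restart, a connection to a stopped jail's address is refused instead of reaching the host's sshd with a different host key. IPv6 listeners (`sockstat -6l`) need the address split adjusted, since the address itself contains colons.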