From freebsd at hub.org Mon Sep 1 02:52:30 2008
From: freebsd at hub.org (Marc G. Fournier)
Date: Mon Sep 1 02:52:36 2008
Subject: cPanel or Plesk ...

Has anyone gotten either to work in a jail?

I got Plesk installed in a 6.x jail a while back, but when you went into the
interface to create a virtual host, an error was generated due to lack of
file system quotas, and I didn't have much time to pursue that ...

-- 
Marc G. Fournier        Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Email . scrappy@hub.org     MSN . scrappy@hub.org
Yahoo . yscrappy            Skype: hub.org        ICQ . 7615664

From bugmaster at FreeBSD.org Mon Sep 1 11:06:57 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 1 11:08:10 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200809011106.m81B6v1e068470@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o kern/126368  jail   [jail] Running ktrace/kdump in jail leads to stale jai

3 problems total.

Non-critical problems

S Tracker      Resp.
Description
--------------------------------------------------------------------------------
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail   [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail   [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail   [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail   [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail   [jail] Zombie jails (jailed child process exits while

9 problems total.

From 000.fbsd at quip.cz Mon Sep 1 21:30:06 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Mon Sep 1 21:30:13 2008
Subject: conf/124248: [patch] add support for nice value for rc.d/jail + rc.conf
In-Reply-To: <200806032138.m53Lccwn006905@freefall.freebsd.org>
References: <200806032138.m53Lccwn006905@freefall.freebsd.org>
Message-ID: <48BC5EF9.402@quip.cz>

linimon@FreeBSD.org wrote:
> Old Synopsis: adds support for nice value for rc.d/jail + rc.conf
> New Synopsis: [patch] add support for nice value for rc.d/jail + rc.conf
>
> Responsible-Changed-From-To: freebsd-bugs->freebsd-rc
> Responsible-Changed-By: linimon
> Responsible-Changed-When: Tue Jun 3 21:38:18 UTC 2008
> Responsible-Changed-Why:
> Over to maintainer(s).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=124248

Is there any chance to have it in FreeBSD 7.1 RELEASE?
Miroslav Lachman

From gexlie at gmail.com Mon Sep 1 22:06:27 2008
From: gexlie at gmail.com (Matkhamtkha Brekher)
Date: Mon Sep 1 22:06:36 2008
Subject: Multiple IPs
Message-ID: <53cc795f0809011444t69ba43b5t5eca7e4604235fb4@mail.gmail.com>

This patch is broken.

Today I've tried to compile the patched world and it stops compiling
with the following error:

cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_i386.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_cptime.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_file.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_getloadavg.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_getswapinfo.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_pcpu.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_proc.c
/usr/src/lib/libkvm/kvm_proc.c: In function 'kvm_read_prison_id':
/usr/src/lib/libkvm/kvm_proc.c:113: error: storage size of 'xp' isn't known
/usr/src/lib/libkvm/kvm_proc.c: In function 'kvm_proclist':
/usr/src/lib/libkvm/kvm_proc.c:430: warning: passing argument 1 of 'bintime2timeval' from incompatible pointer type
*** Error code 1

Stop in /usr/src/lib/libkvm.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
> # cd /usr/src
> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
> # patch -p6 < bz_jail7-20080727-11-at146062.diff
> # make buildworld
> # make buildkernel KERNCONF=GENERIC
> # make installworld
> # make installkernel KERNCONF=GENERIC
> # mergemaster -U

From bzeeb-lists at lists.zabbadoz.net Mon Sep 1 22:20:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Sep 1 22:20:14 2008
Subject: Multiple IPs
In-Reply-To: <53cc795f0809011444t69ba43b5t5eca7e4604235fb4@mail.gmail.com>
References: <53cc795f0809011444t69ba43b5t5eca7e4604235fb4@mail.gmail.com>
Message-ID: <20080901221215.N65801@maildrop.int.zabbadoz.net>

On Tue, 2 Sep 2008, Matkhamtkha Brekher wrote:

> This patch is broken.
>
> Today I've tried to compile the patched world and it stops compiling
> with the following error:

I bet you got errors over errors when you tried to apply it.

Check the output or the return code from patch in your scripts...

	patch < ....
	case $? in
	0)	;;	# all fine
	*)	echo "PATCH DID NOT APPLY CLEANLY" >&2
		exit 1
		;;
	esac

You could try with patch -C first btw to not hose your src tree...

I am working towards getting it into HEAD and once 7 will be in freeze
I'll generate a new patch but 7 has been hosed for a while and people
are doing last minute MFCs now so I would have had to regen it every
few hours.

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.

From freebsd at hub.org Tue Sep 2 01:06:03 2008
From: freebsd at hub.org (Marc G. Fournier)
Date: Tue Sep 2 01:06:16 2008
Subject: cPanel in a jail ... seems to work ...
Message-ID: <681FC7B8A3FE76F9056F4B54@ganymede.hub.org>

Everything appears to have installed fine, I can login, create accounts, etc
... all in all, I'm impressed ... but, I seem to have one process 'running
wild':

# ps aux | grep stunnel
root 93708 92.2  0.0 12780 3500  ??  RJ   12:18AM 40:34.35 /usr/local/bin/stunnel /tmp/stunnel_test.conf
root 93704  0.0  0.0 12780 3416  ??
                                          IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
root 93705  0.0  0.0 12780 3308  ??  IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
root 93706  0.0  0.0 12780 3308  ??  IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
root 93707  0.0  0.0 12780 3308  ??  IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
root  3802  0.0  0.0   456  372  p6  D+J   1:02AM  0:00.00 grep stunnel

92.2% of the CPU? Wow ...

Does anyone know what this is for, and why it's using so much CPU?

-- 
Marc G. Fournier        Hub.Org Hosting Solutions S.A. (http://www.hub.org)
Email . scrappy@hub.org     MSN . scrappy@hub.org
Yahoo . yscrappy            Skype: hub.org        ICQ . 7615664

From stas at FreeBSD.org Tue Sep 2 12:14:46 2008
From: stas at FreeBSD.org (Stanislav Sedov)
Date: Tue Sep 2 12:15:16 2008
Subject: cPanel in a jail ... seems to work ...
In-Reply-To: <681FC7B8A3FE76F9056F4B54@ganymede.hub.org>
References: <681FC7B8A3FE76F9056F4B54@ganymede.hub.org>
Message-ID: <20080902153719.2148127c.stas@FreeBSD.org>

On Mon, 01 Sep 2008 22:05:57 -0300
"Marc G. Fournier" mentioned:

> Everything appears to have installed fine, I can login, create accounts, etc
> ... all in all, I'm impressed ... but, I seem to have one process 'running
> wild':
>
> # ps aux | grep stunnel
> root 93708 92.2  0.0 12780 3500  ??  RJ   12:18AM 40:34.35 /usr/local/bin/stunnel /tmp/stunnel_test.conf
> root 93704  0.0  0.0 12780 3416  ??  IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
> root 93705  0.0  0.0 12780 3308  ??  IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
> root 93706  0.0  0.0 12780 3308  ??  IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
> root 93707  0.0  0.0 12780 3308  ??
>                                         IJ   12:18AM  0:00.00 /usr/local/bin/stunnel /tmp/stunnel_test.conf
> root  3802  0.0  0.0   456  372  p6  D+J   1:02AM  0:00.00 grep stunnel
>
> 92.2% of the CPU? Wow ...
>
> Does anyone know what this is for, and why it's using so much CPU?
>

What does truss say?

-- 
Stanislav Sedov
ST4096-RIPE

From mjguzik at gmail.com Wed Sep 3 13:51:54 2008
From: mjguzik at gmail.com (Mateusz Guzik)
Date: Wed Sep 3 13:52:01 2008
Subject: kern/126368: Running ktrace/kdump in jail leads to stale jails
In-Reply-To: <6ae50c2d0808141716g5c213fe9ha688c7b544a0fb35@mail.gmail.com>
References: <200808081740.m78He4bc084276@freefall.freebsd.org>
	<20080808184224.H88849@maildrop.int.zabbadoz.net>
	<20080809234717.GC13799@skucha.home.aster.pl>
	<6ae50c2d0808141716g5c213fe9ha688c7b544a0fb35@mail.gmail.com>
Message-ID: <20080903135150.GA68588@skucha.home.aster.pl>

On Thu, Aug 14, 2008 at 08:16:38PM -0400, alexus wrote:
> Where can I get the latest patch that I can apply to 7.0-RELEASE-p3?
>

Sorry for the very late reply, you can grab it from here:

http://student.agh.edu.pl/~frag/kern_ktrace.diff

Thanks,

-- 
Mateusz Guzik

From alexus at gmail.com Thu Sep 4 04:20:38 2008
From: alexus at gmail.com (alexus)
Date: Thu Sep 4 04:20:44 2008
Subject: Multiple IPs
In-Reply-To: <20080901221215.N65801@maildrop.int.zabbadoz.net>
References: <53cc795f0809011444t69ba43b5t5eca7e4604235fb4@mail.gmail.com>
	<20080901221215.N65801@maildrop.int.zabbadoz.net>
Message-ID: <6ae50c2d0809032120u1f6d9929rfe1fdac57c44bb6c@mail.gmail.com>

Bjoern,

Is there a new patch available by any chance? Can you at least post
somewhere the latest patch that was working?

Also, would you know if your patch will be included in 7.1-RELEASE?

Thanks in advance, and thanks for the good work!
On Mon, Sep 1, 2008 at 6:15 PM, Bjoern A. Zeeb wrote:
> On Tue, 2 Sep 2008, Matkhamtkha Brekher wrote:
>
>> This patch is broken.
>>
>> Today I've tried to compile the patched world and it stops compiling
>> with the following error:
>
> I bet you got errors over errors when you tried to apply it.
>
> Check the output or the return code from patch in your scripts...
>
>	patch < ....
>	case $? in
>	0)	;;	# all fine
>	*)	echo "PATCH DID NOT APPLY CLEANLY" >&2
>		exit 1
>		;;
>	esac
>
> You could try with patch -C first btw to not hose your src tree...
>
>
> I am working towards getting it into HEAD and once 7 will be in freeze
> I'll generate a new patch but 7 has been hosed for a while and people
> are doing last minute MFCs now so I would have had to regen it every
> few hours.
>
> --
> Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.

-- 
http://alexus.org/

From simon at FreeBSD.org Fri Sep 5 21:15:43 2008
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Fri Sep 5 21:15:58 2008
Subject: conf/124248: [patch] add support for nice value for rc.d/jail + rc.conf
In-Reply-To: <48BC5EF9.402@quip.cz>
References: <200806032138.m53Lccwn006905@freefall.freebsd.org>
	<48BC5EF9.402@quip.cz>
Message-ID: <20080905205737.GD1448@arthur.nitro.dk>

On 2008.09.01 23:30:33 +0200, Miroslav Lachman wrote:
> linimon@FreeBSD.org wrote:
> > Old Synopsis: adds support for nice value for rc.d/jail + rc.conf
> > New Synopsis: [patch] add support for nice value for rc.d/jail + rc.conf
> >
> > Responsible-Changed-From-To: freebsd-bugs->freebsd-rc
> > Responsible-Changed-By: linimon
> > Responsible-Changed-When: Tue Jun 3 21:38:18 UTC 2008
> > Responsible-Changed-Why:
> > Over to maintainer(s).
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=124248
>
> Is there any chance to have it in FreeBSD 7.1 RELEASE?

As the patch hasn't been committed yet to -CURRENT, having it in 7.1 is
somewhat unlikely. Somebody needs to take an interest first...

-- 
Simon L. Nielsen

From bugmaster at FreeBSD.org Mon Sep 8 02:22:23 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 8 02:23:26 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200809080222.m882MMFf006718@freefall.freebsd.org>

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/126368  jail   [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail   [jail] Zombie jails (jailed child process exits while
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail   [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail   [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/84215   jail   [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail   [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

Bugs can be in one of several states:

o - open
	A problem report has been submitted, no sanity checking performed.

a - analyzed
	The problem is understood and a solution is being sought.
f - feedback
	Further work requires additional information from the originator or
	the community - possibly confirmation of the effectiveness of a
	proposed solution.

p - patched
	A patch has been committed, but some issues (MFC and / or
	confirmation from originator) are still open.

r - repocopy
	The resolution of the problem report is dependent on a repocopy
	operation within the CVS repository which is awaiting completion.

s - suspended
	The problem is not being worked on, due to lack of information or
	resources. This is a prime candidate for somebody who is looking for
	a project to do. If the problem cannot be solved at all, it will be
	closed, rather than suspended.

c - closed
	A problem report is closed when any changes have been integrated,
	documented, and tested -- or when fixing the problem is abandoned.

From tomrapier at mailvault.com Fri Sep 12 22:25:19 2008
From: tomrapier at mailvault.com (tomrapier)
Date: Fri Sep 12 22:25:26 2008
Subject: Using pf to redirect traffic from a jail
Message-ID: <20080912221126.7E4ADB6414A@gateway.mailvault.com>

Hello,

I'm having trouble redirecting traffic from a jail using pf. An example
rule is this:

rdr on lo0 proto tcp from 10.24.0.1 to !10.24.0.1 -> 127.0.0.1 port 8080

The jail is assigned 10.24.0.1, which is an alias on the loopback
interface. nc -l 8080 is running on the host for testing.

In the jail, running nc -vv 192.168.0.1 80 times out after a time, and
the listening nc doesn't pick up.

What am I doing wrong?

From tomrapier at mailvault.com Sat Sep 13 00:19:41 2008
From: tomrapier at mailvault.com (tomrapier)
Date: Sat Sep 13 00:19:48 2008
Subject: Using pf to redirect traffic from a jail
Message-ID: <20080913002429.E2831B64149@gateway.mailvault.com>

On 13-Sep-2008 00:30:50 +0200, you wrote:
> Hello,
>
> I'm having trouble redirecting traffic from a jail using pf.
> An example
> rule is this:
>
> rdr on lo0 proto tcp from 10.24.0.1 to !10.24.0.1 -> 127.0.0.1 port
> 8080
>
> The jail is assigned 10.24.0.1, which is an alias on the loopback
> interface. nc -l 8080 is running on the host for testing.
>
> In the jail, running nc -vv 192.168.0.1 80 times out after a time, and
> the listening nc doesn't pick up.
>
> What am I doing wrong?
>
>

Solved it myself. Needed a route-to rule.

From bugmaster at FreeBSD.org Mon Sep 15 15:18:50 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 15 15:20:08 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200809151518.m8FFIow6018922@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/126368  jail   [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail   [jail] Zombie jails (jailed child process exits while
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail   [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail   [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/84215   jail   [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail   [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.
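Editor's note on the "Using pf to redirect traffic from a jail" thread above: tomrapier's rdr on lo0 never matched until a route-to rule was added, and the reason is worth spelling out. An rdr rule rewrites packets pf sees *inbound* on the named interface; a connection the jail opens to 192.168.0.1:80 is routed out through the external interface, so it never enters lo0 and the proxy never sees a SYN. The following ruleset is an added example, not the poster's own configuration. It assumes (beyond what the thread states) an external interface em0, a proxy listening on 127.0.0.1:8080 and port 80 as the traffic to catch; the jail at 10.24.0.1 on an lo0 alias is as described in the thread.

```pf
# /etc/pf.conf excerpt: redirect a jail's outbound web traffic to a local proxy.
# Added example, not from the mailing list thread.  Assumptions not in the
# thread: external interface em0, proxy on 127.0.0.1:8080, target port 80.
ext_if     = "em0"
jail_ip    = "10.24.0.1"      # lo0 alias the jail is bound to (from the thread)
proxy      = "127.0.0.1"
proxy_port = "8080"

# rdr applies to packets arriving inbound on lo0.  On its own this rule is
# never hit for connections the jail initiates to the outside world, because
# those packets leave via $ext_if and never traverse lo0 inbound.
# "rdr pass" also passes the translated packet, so no separate pass-in rule
# is needed for the proxy side.
rdr pass on lo0 inet proto tcp from $jail_ip to ! $jail_ip port 80 \
    -> $proxy port $proxy_port

# route-to forces the jail's outbound port-80 packets back through lo0
# instead of $ext_if.  They then arrive inbound on lo0, where the rdr above
# rewrites the destination to the proxy.  "quick" stops later pass-out rules
# from matching them; "keep state" lets the replies through.
pass out quick on $ext_if route-to lo0 inet proto tcp \
    from $jail_ip to any port 80 keep state

# The proxy's own connections leave with the host's address, so they do not
# match the route-to rule above and are not looped back.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s nat` should list the rdr and `pfctl -s state` should show the jail's connection once as 10.24.0.1 to the original destination on em0 and once translated to 127.0.0.1:8080 on lo0. If only the first entry appears, the route-to rule is not matching (check the interface name and that the rule precedes any other `pass out quick` that could catch the packet first).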
From bzeeb-lists at lists.zabbadoz.net Tue Sep 16 20:10:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Sep 16 20:14:02 2008
Subject: [CFR/T] multi-/no-IP jail patch for HEAD
Message-ID: <20080916200015.X65801@maildrop.int.zabbadoz.net>

Hi,

I have put a close-to-commit candidate (if ipv4 src addr selection
is in upfront) online here:

	http://people.freebsd.org/~bz/bz_jail-20080915-02-svn.diff

This is for HEAD, for review and testing.

Changes since last release:
- SCTP enabled (again) for IPv4 and on for v6 as well. Might need
  another pair of eyes or someone to write regression tests.
- jls -a/-v implemented/documented
- updated ipv4 source address selection (changes semantics, please
  test/review carefully)
- minor cleanup

Please report anything you want/that needs to be/... changed/fixed/...

Thanks.
/bz

PS: for anyone crying for RELENG_7. I am trying to put a patch
together the next days.

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.

From reddvinylene at gmail.com Tue Sep 16 21:04:40 2008
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Tue Sep 16 21:04:46 2008
Subject: [CFR/T] multi-/no-IP jail patch for HEAD
In-Reply-To: <20080916200015.X65801@maildrop.int.zabbadoz.net>
References: <20080916200015.X65801@maildrop.int.zabbadoz.net>

On Tue, Sep 16, 2008 at 10:08 PM, Bjoern A. Zeeb <bzeeb-lists@lists.zabbadoz.net> wrote:
> Hi,
>
> I have put a close-to-commit candidate (if ipv4 src addr selection
> is in upfront) online here:
>
>        http://people.freebsd.org/~bz/bz_jail-20080915-02-svn.diff
>
> This is for HEAD, for review and testing.
>
> Changes since last release:
> - SCTP enabled (again) for IPv4 and on for v6 as well. Might need
>   another pair of eyes or someone to write regression tests.
> - jls -a/-v implemented/documented
> - updated ipv4 source address selection (changes semantics, please
>   test/review carefully)
> - minor cleanup
>
> Please report anything you want/that needs to be/...
> changed/fixed/...
>
> Thanks.
> /bz
>
>
> PS: for anyone crying for RELENG_7. I am trying to put a patch
> together the next days.
>
> --
> Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.
>

Excellent work! Keep it up bro!

-- 
http://www.home.no/reddvinylene

From bzeeb-lists at lists.zabbadoz.net Sat Sep 20 17:10:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sat Sep 20 17:10:10 2008
Subject: multi-/no-ipv4/6 patch for releng_7
Message-ID: <20080919174810.K65801@maildrop.int.zabbadoz.net>

Hi,

here's a new patch for RELENG_7.

In contrast to before I have NOT TESTED this patch THOROUGHLY. In case
you find any problem let me know and I might be able to fix it
(quickly) and post a new patch (if your bug report is good:).

Changes since last release (same as for HEAD):
- SCTP enabled (again) for IPv4 and on for v6 as well. Might need
  another pair of eyes or someone to write regression tests.
- jls -a/-v implemented/documented -- output format has changed.
- updated ipv4 source address selection (changes semantics, please
  test/review carefully)
- minor cleanup

Please report anything you want/that needs to be/... changed/fixed/...

Ah the patch is here:

	http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff

/bz

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.

From bugmaster at FreeBSD.org Mon Sep 22 11:06:56 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 22 11:07:22 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200809221106.m8MB6tOx015411@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/126368  jail   [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail   [jail] Zombie jails (jailed child process exits while
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail   [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail   [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail   [jail] [patch] impossible to kill a jail
o kern/84215   jail   [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail   [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail   [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail   [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.
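Editor's note on the two patch threads above ("Multiple IPs", where a stale copy of the RELENG_7 jail patch failed to build and Bjoern advised checking patch's exit status and trying `patch -C` first, and the new RELENG_7 patch posted just above): the following is an added example of that advice as a reusable shell function. It is not from either thread. It assumes a unified diff in a file and a known -p strip level (the thread used -p6); it detects whether the local patch(1) spells check-only mode `-C` (FreeBSD) or `--dry-run` (GNU) so it runs on either, and it never lets a build start after a patch that did not apply cleanly.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: apply a source patch only
# if it applies cleanly.  Step 1 is patch's check mode (modifies nothing),
# step 2 is the real run with its exit status captured rather than assumed,
# exactly the check Bjoern's reply recommended.  A stale diff therefore never
# leaves a half-patched /usr/src that fails deep inside buildworld.
# Assumptions (not in the thread): unified diff in a file, known -p level.

# patch(1) spells check-only mode two ways: FreeBSD/BSD patch takes -C,
# GNU patch takes --dry-run.  Use whichever this patch(1) advertises.
patch_check_flag() {
    if patch --help 2>&1 | grep -q -e '--dry-run'; then
        printf '%s\n' '--dry-run'
    else
        printf '%s\n' '-C'
    fi
}

# apply_patch_checked SRC_DIR PATCH_FILE STRIP_LEVEL
# Returns 0 only when both the check run and the real run exit 0.
# patch exits 1 when some hunks were rejected and 2 on serious trouble;
# either one means "do not start buildworld".
apply_patch_checked() {
    src_dir=$1
    patch_file=$2
    strip=${3:-0}
    flag=$(patch_check_flag)

    # Step 1: check mode.  -t runs non-interactively (no questions on a
    # tty), -N rejects patches that look already applied, -s stays quiet.
    if ! patch -d "$src_dir" "$flag" -p"$strip" -t -N -s \
            < "$patch_file" >/dev/null 2>&1; then
        echo "PATCH DID NOT APPLY CLEANLY (check run); tree left untouched" >&2
        return 1
    fi

    # Step 2: the real run.  Capture the status with "|| rc=$?" so this also
    # behaves under "set -e" instead of aborting before the case statement.
    rc=0
    patch -d "$src_dir" -p"$strip" -t -N -s < "$patch_file" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;                                   # all fine, safe to build
        *) echo "PATCH DID NOT APPLY CLEANLY (exit $rc)" >&2
           return 1 ;;
    esac
}

# Driver mirroring the recipe quoted in the thread.  The make targets are
# commented out so the file runs stand-alone; only reached on a clean apply.
patch_then_build() {
    apply_patch_checked /usr/src "$1" 6 || return 1
    # cd /usr/src && make buildworld && make buildkernel KERNCONF=GENERIC
    echo "patch applied cleanly; buildworld may proceed"
}
```

Usage: `patch_then_build bz_jail7-20080920-01-at150161.diff`. Because the check run happens first, a patch generated against a tree that has since moved on (the failure mode in the "Multiple IPs" thread) is reported before a single file is touched, and the error you see is patch's own rather than a compiler error in libkvm many minutes later.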
From schulra at earlham.edu Mon Sep 22 14:04:53 2008
From: schulra at earlham.edu (Randy Schultz)
Date: Mon Sep 22 14:04:58 2008
Subject: request for (security) comments on this setup

Heya,

I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
fstab. When the jail is up and I'm logged into the jail I can cd to the
mount point, r/w etc., everything seems to work. What's weird tho' is,
while a df on the parent shows the partition mounted as expected, a df
inside the jail shows the local disk but not the iSCSI mount. This is
fbsd 7.1-prerelease, the jail's name is spectro.

On the parent:

Root Dude ? df -h|egrep data
/dev/da0s1d    1.3T    2.9G    1.2T     0%    /usr/local/jails/spectro/data

Root Dude ? cat /etc/fstab.spectro
/usr/local/jails/basejail  /usr/local/jails/spectro/basejail  nullfs  ro  0 0
/dev/da0s1d                /usr/local/jails/spectro/data      ufs     rw  1 1

In the jail:

Dude ? df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
/dev/mirror/gm0s1e    178G     43G    121G    26%    /

Root Dude ? dmesg|egrep da0
da0 at iscsi0 bus 0 target 0 lun 0
da0: Fixed Direct Ac

Root Dude ? cd /data
Root Dude ? ls -l
total 5830386
drwxrwxr-x  2 root  operator         512 Sep 19 17:52 .snap
-rw-r-----  1 root  wheel     5967380480 Sep 22 09:44 all.5

Root Dude ? touch test
Root Dude ? ls -l
total 5836930
drwxrwxr-x  2 root  operator         512 Sep 19 17:52 .snap
-rw-r-----  1 root  wheel     5974065152 Sep 22 09:45 all.5
-rw-r--r--  1 root  wheel              0 Sep 22 09:44 test

Root Dude ? iostat 1
      tty             ad4              ad6              da0             cpu
 tin tout  KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
   0    5 33.42   4  0.12  33.43   4  0.12  62.62   2  0.11   0  0  0  0 100
   0  232 64.00   6  0.37  64.00   4  0.25  58.95  19  1.09   0  0  0  0 100
   0   78 60.57  14  0.83  61.00  16  0.95  53.09  22  1.14   0  0  0  0 100
^C

So, my first question is what am I missing, the second is does mounting
things this way into a jail pose any sort of risk for escaping the jail?

-- 
Randy  (schulra@earlham.edu)  765.983.1283  <*>

Love with your heart, think with your head; not the other way around.
From bzeeb-lists at lists.zabbadoz.net Mon Sep 22 15:55:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Sep 22 15:55:10 2008
Subject: request for (security) comments on this setup
Message-ID: <20080922155111.T65801@maildrop.int.zabbadoz.net>

On Mon, 22 Sep 2008, Randy Schultz wrote:

Hi,

> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
> fstab. When the jail is up and I'm logged into the jail I can cd
> to the mount point, r/w etc., everything seems to work. What's weird tho'
> is,
> while a df on the parent shows the partition mounted as expected, a df inside
> the jail shows the local disk but not the iSCSI mount.
> ...
> So, my first question is what am I missing, the second is does mounting
> things
> this way into a jail pose any sort of risk for escaping the jail?

Does anything change if you do a
	sysctl security.jail.enforce_statfs=1

If that's what you want you can add the following lines to
/etc/sysctl.conf in the base system so it is automatically set upon
boot:

# jails
security.jail.enforce_statfs=1

/bz

-- 
Bjoern A. Zeeb                      Stop bit received. Insert coin for new game.

From schulra at earlham.edu Mon Sep 22 16:25:40 2008
From: schulra at earlham.edu (Randy Schultz)
Date: Mon Sep 22 16:25:43 2008
Subject: request for (security) comments on this setup
In-Reply-To: <20080922155111.T65801@maildrop.int.zabbadoz.net>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net>

On Mon, 22 Sep 2008, Bjoern A. Zeeb spaketh thusly:

-}On Mon, 22 Sep 2008, Randy Schultz wrote:
-}
-}Hi,
-}
-}> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
-}> fstab. When the jail is up and I'm logged into the jail I can cd
-}> to the mount point, r/w etc., everything seems to work. What's weird tho'
-}> is,
-}> while a df on the parent shows the partition mounted as expected, a df inside
-}> the jail shows the local disk but not the iSCSI mount.
-}> ...
-}> So, my first question is what am I missing, the second is does mounting
-}> things
-}> this way into a jail pose any sort of risk for escaping the jail?
-}
-}Does anything change if you do a
-}	sysctl security.jail.enforce_statfs=1

Arg. I never thought to check for a sysctl option. Indeed it does.
Thanks much for the poke.

-- 
Randy  (schulra@earlham.edu)  765.983.1283  <*>

Love with your heart, think with your head; not the other way around.

From 000.fbsd at quip.cz Mon Sep 22 19:14:14 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Mon Sep 22 19:14:16 2008
Subject: request for (security) comments on this setup
In-Reply-To: <20080922155111.T65801@maildrop.int.zabbadoz.net>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net>
Message-ID: <48D7EEA3.4040504@quip.cz>

Bjoern A. Zeeb wrote:
> On Mon, 22 Sep 2008, Randy Schultz wrote:
>
> Hi,
>
>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
>> fstab. When the jail is up and I'm logged into the jail I
>> can cd
>> to the mount point, r/w etc., everything seems to work. What's weird
>> tho' is,
>> while a df on the parent shows the partition mounted as expected, a df
>> inside
>> the jail shows the local disk but not the iSCSI mount.
>> ...
>> So, my first question is what am I missing, the second is does
>> mounting things
>> this way into a jail pose any sort of risk for escaping the jail?
>
>
> Does anything change if you do a
> 	sysctl security.jail.enforce_statfs=1
>
> If that's what you want you can add the following lines to
> /etc/sysctl.conf in the base system so it is automatically set upon
> boot:
>
> # jails
> security.jail.enforce_statfs=1

Does this have any impact on security?

# sysctl -d security.jail.enforce_statfs
security.jail.enforce_statfs: Processes in jail cannot see all mounted file systems

What is this sysctl implemented for?
Thanks

Miroslav Lachman

From glarkin at FreeBSD.org Mon Sep 22 20:10:46 2008
From: glarkin at FreeBSD.org (Greg Larkin)
Date: Mon Sep 22 20:10:49 2008
Subject: request for (security) comments on this setup
In-Reply-To: <48D7EEA3.4040504@quip.cz>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net>
	<48D7EEA3.4040504@quip.cz>
Message-ID: <48D7F756.9040704@FreeBSD.org>

Miroslav Lachman wrote:
> Bjoern A. Zeeb wrote:
>> On Mon, 22 Sep 2008, Randy Schultz wrote:
>>
>> Hi,
>>
>>> I'm mounting some iSCSI storage in a jail. It's mounting in the jail
>>> via
>>> fstab. When the jail is up and I'm logged into the jail I
>>> can cd
>>> to the mount point, r/w etc., everything seems to work. What's weird
>>> tho' is,
>>> while a df on the parent shows the partition mounted as expected, a df
>>> inside
>>> the jail shows the local disk but not the iSCSI mount.
>>> ...
>>> So, my first question is what am I missing, the second is does
>>> mounting things
>>> this way into a jail pose any sort of risk for escaping the jail?
>>
>>
>> Does anything change if you do a
>> 	sysctl security.jail.enforce_statfs=1
>>
>> If that's what you want you can add the following lines to
>> /etc/sysctl.conf in the base system so it is automatically set upon
>> boot:
>>
>> # jails
>> security.jail.enforce_statfs=1
>
> Does this have any impact on security?
>
> # sysctl -d security.jail.enforce_statfs
> security.jail.enforce_statfs: Processes in jail cannot see all mounted
> file systems
>
> What is this sysctl implemented for?
>
> Thanks
>
> Miroslav Lachman

Hi Miroslav,

From the jail(8) man page:

     security.jail.enforce_statfs
             This MIB entry determines which information processes in a jail
             are able to get about mount-points. It affects the behaviour of
             the following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
             fhstatfs(2) (as well as similar compatibility syscalls). When set
             to 0, all mount-points are available without any restrictions.
             When set to 1, only mount-points below the jail's chroot
             directory are visible.  In addition to that, the path to the
             jail's chroot directory is removed from the front of their
             pathnames.  When set to 2 (default), above syscalls can
             operate only on a mount-point where the jail's chroot
             directory is located.

Hope that helps,
Greg

--
Greg Larkin

http://www.FreeBSD.org/       - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.

From 000.fbsd at quip.cz Mon Sep 22 21:18:50 2008
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Mon Sep 22 21:18:58 2008
Subject: request for (security) comments on this setup
In-Reply-To: <48D7F756.9040704@FreeBSD.org>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz> <48D7F756.9040704@FreeBSD.org>
Message-ID: <48D80BD4.8050505@quip.cz>

Greg Larkin wrote:
> Miroslav Lachman wrote:
>
>>Bjoern A. Zeeb wrote:
>>
>>>On Mon, 22 Sep 2008, Randy Schultz wrote:
>>>
>>>Hi,
>>>
>>>
>>>>I'm mounting some iSCSI storage in a jail. It's mounting in the jail
>>>>via fstab. When the jail is up and I'm logged into the jail I can cd
>>>>to the mount point, r/w etc., everything seems to work. What's weird
>>>>tho' is, while a df on the parent shows the partition mounted as
>>>>expected, a df inside the jail shows the local disk but not the iSCSI
>>>>mount.
>>>>...
>>>>So, my first question is what am I missing, the second is does
>>>>mounting things this way into a jail pose any sort of risk for
>>>>escaping the jail?
>>>
>>>
>>>Does anything change if you do a
>>>      sysctl security.jail.enforce_statfs=1
>>>
>>>If that's what you want you can add the following lines to
>>>/etc/sysctl.conf in the base system so it is automatically set upon
>>>boot:
>>>
>>># jails
>>>security.jail.enforce_statfs=1
>>
>>Does this have any impact on security?
>>
>># sysctl -d security.jail.enforce_statfs
>>security.jail.enforce_statfs: Processes in jail cannot see all mounted
>>file systems
>>
>>What is this sysctl implemented for?
>>
>>Thanks
>>
>>Miroslav Lachman
>
>
> Hi Miroslav,
>
> From the jail(8) man page:
>
>      security.jail.enforce_statfs
>
>      This MIB entry determines which information processes in a jail are
>      able to get about mount-points.  It affects the behaviour of the
>      following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>      fhstatfs(2) (as well as similar compatibility syscalls).  When set
>      to 0, all mount-points are available without any restrictions.  When
>      set to 1, only mount-points below the jail's chroot directory are
>      visible.  In addition to that, the path to the jail's chroot
>      directory is removed from the front of their pathnames.  When set to
>      2 (default), above syscalls can operate only on a mount-point where
>      the jail's chroot directory is located.
>
> Hope that helps,
> Greg

Thank you, I forgot to open the jail(8) man page before posting :)

If I understand it correctly, it is just about what information (about
mountpoints) is visible to processes inside the jail, without any security
impact, and it is safe to use security.jail.enforce_statfs=1. Am I right?
(I am sorry for maybe dumb questions, but I am not a kernel/OS developer
and statfs, fstatfs, getfsstat did not tell me much)

Miroslav Lachman

From glarkin at FreeBSD.org Mon Sep 22 22:22:24 2008
From: glarkin at FreeBSD.org (Greg Larkin)
Date: Mon Sep 22 22:22:25 2008
Subject: request for (security) comments on this setup
In-Reply-To: <48D80BD4.8050505@quip.cz>
References: <20080922155111.T65801@maildrop.int.zabbadoz.net> <48D7EEA3.4040504@quip.cz> <48D7F756.9040704@FreeBSD.org> <48D80BD4.8050505@quip.cz>
Message-ID: <48D81AA0.6030605@FreeBSD.org>

Miroslav Lachman wrote:
> Greg Larkin wrote:
[...]
>>
>>
>> Hi Miroslav,
>>
>> From the jail(8) man page:
>>
>>      security.jail.enforce_statfs
>>
>>      This MIB entry determines which information processes in a jail are
>>      able to get about mount-points.  It affects the behaviour of the
>>      following syscalls: statfs(2), fstatfs(2), getfsstat(2) and
>>      fhstatfs(2) (as well as similar compatibility syscalls).  When set
>>      to 0, all mount-points are available without any restrictions.  When
>>      set to 1, only mount-points below the jail's chroot directory are
>>      visible.  In addition to that, the path to the jail's chroot
>>      directory is removed from the front of their pathnames.  When set to
>>      2 (default), above syscalls can operate only on a mount-point where
>>      the jail's chroot directory is located.
>>
>> Hope that helps,
>> Greg
>
> Thank you, I forgot to open the jail(8) man page before posting :)
> If I understand it correctly, it is just about what information (about
> mountpoints) is visible to processes inside the jail, without any
> security impact, and it is safe to use security.jail.enforce_statfs=1.
> Am I right?
> (I am sorry for maybe dumb questions, but I am not a kernel/OS developer
> and statfs, fstatfs, getfsstat did not tell me much)
>

No worries - I did a little experiment with a jail I have running to show
you what the jail can see for different settings of the sysctl:

---> enforce_statfs=2 (default)

[glarkin@r90-3 ~]$ df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da1s1d   8119416 6401772 1068092    86%    /

---> enforce_statfs=1

[glarkin@r90-3 ~]$ df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da1s1d   8119416 6401772 1068092    86%    /
devfs               1       1       0   100%    /dev
procfs              4       4       0   100%    /proc

---> enforce_statfs=0

[glarkin@r90-3 ~]$ df
Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/da0s1a    507630   46858  420162    10%    /
devfs               1       1       0   100%    /dev
/dev/da0s1e    444142   91984  316628    23%    /tmp
/dev/da0s1g   5074328  985860 3682522    21%    /usr
/dev/da0s1d     63214   20352   37806    35%    /usr/home
/dev/da0s1f   1012974  280278  651660    30%    /var
/dev/da1s1d   8119416 6401772 1068092    86%    /SHN
/dev/da3s1d   2025328 1128128  735174    61%    /usr/ports
/dev/da2s1d   2025328  444708 1418594    24%    /usr/src
devfs               1       1       0   100%    /var/named/dev
devfs               1       1       0   100%    /SHN/Jails/Jail3/dev
procfs              4       4       0   100%    /SHN/Jails/Jail3/proc

It looks like setting 1 or 2 is sufficient for programs executing in the
jail. If the sysctl is set to 0, you can see the filesystems on the host
server, but you still can't access them, as far as I can tell.

Regards,
Greg

--
Greg Larkin

http://www.FreeBSD.org/       - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.

From bzeeb-lists at lists.zabbadoz.net Tue Sep 23 11:50:07 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Sep 23 11:50:12 2008
Subject: multi-/no-ipv4/6 patch for releng_7
In-Reply-To: <20080919174810.K65801@maildrop.int.zabbadoz.net>
References: <20080919174810.K65801@maildrop.int.zabbadoz.net>
Message-ID: <20080923114731.G65801@maildrop.int.zabbadoz.net>

On Sat, 20 Sep 2008, Bjoern A. Zeeb wrote:

Hi,

> here's a new patch for RELENG_7. In contrast to before I have NOT
> TESTED this patch THOROUGHLY.

FYI: I know production machines with ipv4/ipv6 jails that have been up
for two days running this patch.

> In case you find any problem let me know and I might be able to fix
> it (quickly) and post a new patch (if your bugreport is good:).
>
> Changes since last release (same as for HEAD):
> - SCTP enabled (again) for IPv4 and on for v6 as well. Might need
>   another pair of eyes or someone to write regression tests.
> - jls -a/-v implemented/documented -- output format has changed.
> - updated ipv4 source address selection (changes semantics, please
>   test/review carefully)
> - minor cleanup
>
> Please report anything you want/that needs to be/... changed/fixed/...
>
> Ah the patch is here:
> http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
>
> /bz
>
>

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From bzeeb-lists at lists.zabbadoz.net Wed Sep 24 18:35:08 2008
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Sep 24 18:35:15 2008
Subject: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5
In-Reply-To: <200809241525.m8OFPifi095256@repoman.freebsd.org>
References: <200809241525.m8OFPifi095256@repoman.freebsd.org>
Message-ID: <20080924181315.S65801@maildrop.int.zabbadoz.net>

On Wed, 24 Sep 2008, Ruslan Ermilov wrote:

> ru          2008-09-24 15:18:27 UTC
>
>   FreeBSD src repository
>
>   Modified files:
>     etc/rc.d             jail
>     share/man/man5       rc.conf.5
>   Log:
>   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
>
>   Allow a jail's IP alias to be created with an arbitrary netmask.
So I had been talking with various people during the last weeks/months
about this feature of configuring an interface from rc.d/jail and I
had been >< close to removing it a lot of times but it seems people
prefer to actually mix network configuration, management and jail
startup/teardown in a single script, which I think is a very
questionable thing especially considering that we already had an
SA[1] for that script for other means.

So now I have v4/v6/multi/no-IP jails and once the next vimage step is
in I plan to have it hit the tree and I am currently integrating a patch
that would even allow the ifconfig to work with multiple IPv4/v6
addresses because up to now I decided to leave this feature in.

Now adding a netmask only makes sense for exactly one use case to my
understanding and this is not going to play well with whatever will hit
the tree.

Adding yet another variable to rc.conf to control another question knob
is something, as I hate to say, I am no longer going to be ok with (this
has nothing to do with you or that it might be needed in a setup).

My suggestion would be, if we want those features, to add them
separately doing a superset of the startup script or something just for
this and actually use network.subr or the like to set it up but keep the
list of IP/netmasks kind of separated from options for the jail(8)
command.

In the worst case something like this (read the BUT later) and have a
        jail_example_ipv4_alias0="192.0.2.1/24"
        jail_example_ipv4_alias1="192.0.2.2/32"
        jail_example_ipv4_alias2="192.0.2.2 netmask 255.255.255.255"
        jail_example_ipv6_alias0="2001:dbe::1"
        jail_example_ipv6_alias1="2001:dbe::2/128"
and then have a single knob
        jail_example_configure_ips_on_interfaces="NO"
and still use the above list to create the jail(8) argument if you want
it like that.

BUT wait, the above is not going to work out as I am missing the
interface for each alias instance.
We need a full interface X af X address X netmask tuple with each entry
and a defined order per AF as the first IP will be specially treated.

That's why I am saying networking is networking and jails are jails and
to combine both you need a management app/script/... as it is too many
options/knobs/...

FYI for the multi-IP jails (without this feature) I didn't even have to
think about the startup script as it would just have continued to work.
Adding no-IP support I had to change an exit case to _foo="\"\"" in
rc.d/jail.

With supporting the ifconfig you need to add a few more lines.

With the netmasks I still have no idea where we'll end up.

I suggest we once and for all discuss this on freebsd-jail, decide how
to continue with this feature. I am Cc:ing and setting Reply-to:

>   MFC after:	3 days

I would kindly ask you to hold back an MFC into 7 until there is a
conclusion.

>
>   Revision  Changes    Path
>   1.40      +3 -1      src/etc/rc.d/jail
>   1.348     +7 -1      src/share/man/man5/rc.conf.5
>

References:
[1] http://security.freebsd.org/advisories/FreeBSD-SA-07:01.jail.asc

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From ru at freebsd.org Thu Sep 25 06:00:22 2008
From: ru at freebsd.org (Ruslan Ermilov)
Date: Thu Sep 25 06:00:40 2008
Subject: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5
In-Reply-To: <20080924181315.S65801@maildrop.int.zabbadoz.net>
References: <200809241525.m8OFPifi095256@repoman.freebsd.org> <20080924181315.S65801@maildrop.int.zabbadoz.net>
Message-ID: <20080925052004.GB76968@edoofus.dev.vega.ru>

Hi Bjoern,

On Wed, Sep 24, 2008 at 06:34:53PM +0000, Bjoern A. Zeeb wrote:
> On Wed, 24 Sep 2008, Ruslan Ermilov wrote:
>
> > ru          2008-09-24 15:18:27 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     etc/rc.d             jail
> >     share/man/man5       rc.conf.5
> >   Log:
> >   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
> >
> >   Allow a jail's IP alias to be created with an arbitrary netmask.
>
> So I had been talking with various people during the last weeks/months
> about this feature of configuring an interface from rc.d/jail and I
> had been >< close to removing it a lot of times but it seems people
> prefer to actually mix network configuration, management and jail
> startup/teardown in a single script, which I think is a very
> questionable thing especially considering that we already had an
> SA[1] for that script for other means.
>
> So now I have v4/v6/multi/no-IP jails and once the next vimage
> step is in I plan to have it hit the tree and I am currently
> integrating a patch that would even allow the ifconfig to work with
> multiple IPv4/v6 addresses because up to now I decided to leave this
> feature in.
>
> Now adding a netmask only makes sense for exactly one use case to my
> understanding and this is not going to play well with whatever will
> hit the tree.
>
At work, we use ezjail as a management tool for jails. We want our jails
to be moveable between a set of hosts, so a jail's IP doesn't necessarily
belong to host X at any given time. With the netmask in rc.d/jail
hardcoded to 255.255.255.255, we have to configure a host's interface
with IP addresses/netmasks corresponding to jails' IPs (and we have
different IP networks). In practice this means we waste real IPs for
nothing -- for a host with a single jail we waste one real IP address.

To picture it: on a host that's not otherwise configured with 192.168.0
addresses, to up a jail with 192.168.0.13 we have to waste one more
address from 192.168.0, e.g. 192.168.0.1, for the host to be able to
route packets between 192.168.0.13 and 192.168.0.*.

> Adding yet another variable to rc.conf to control another question
> knob is something, as I hate to say, I am no longer going to be ok
> with (this has nothing to do with you or that it might be needed in a
> setup).
>
> My suggestion would be, if we want those features, to add them
> separately doing a superset of the startup script or something just
> for this and actually use network.subr or the like to set it up but
> keep the list of IP/netmasks kind of separated from options for the
> jail(8) command.
>
> In the worst case something like this (read the BUT later) and have a
>         jail_example_ipv4_alias0="192.0.2.1/24"
>         jail_example_ipv4_alias1="192.0.2.2/32"
>         jail_example_ipv4_alias2="192.0.2.2 netmask 255.255.255.255"
>         jail_example_ipv6_alias0="2001:dbe::1"
>         jail_example_ipv6_alias1="2001:dbe::2/128"
> and then have a single knob
>         jail_example_configure_ips_on_interfaces="NO"
> and still use the above list to create the jail(8) argument if you want
> it like that.
>
> BUT wait, the above is not going to work out as I am missing the
> interface for each alias instance.
> We need a full interface X af X address X netmask tuple with each
> entry and a defined order per AF as the first IP will be specially
> treated.
>
> That's why I am saying networking is networking and jails are jails
> and to combine both you need a management app/script/... as it is
> too many options/knobs/...
>
> FYI for the multi-IP jails (without this feature) I didn't even have
> to think about the startup script as it would just have continued to
> work. Adding no-IP support I had to change an exit case to _foo="\"\""
> in rc.d/jail.
>
> With supporting the ifconfig you need to add a few more lines.
>
> With the netmasks I still have no idea where we'll end up.
>
> I suggest we once and for all discuss this on freebsd-jail, decide
> how to continue with this feature. I am Cc:ing and setting Reply-to:
>
> >   MFC after:	3 days
>
> I would kindly ask you to hold back an MFC into 7 until there is a
> conclusion.
>
I'd be happy with anything that allowed us NOT to waste IP addresses,
preferably in FreeBSD 7.1.
I have a solution that involves having static routes (in the example
above, I'd add a route to 192.168.0/24 over some Ethernet interface,
which is equivalent to saying to resolve these IPs using ARP on this
interface), but it's not ideal as I don't want these addresses to be
accessible/resolvable when a host doesn't have configured IPs in this
range.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From simon at FreeBSD.org Thu Sep 25 20:56:01 2008
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Thu Sep 25 20:56:12 2008
Subject: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5
In-Reply-To: <20080925052004.GB76968@edoofus.dev.vega.ru>
References: <200809241525.m8OFPifi095256@repoman.freebsd.org> <20080924181315.S65801@maildrop.int.zabbadoz.net> <20080925052004.GB76968@edoofus.dev.vega.ru>
Message-ID: <20080925205558.GA1114@arthur.nitro.dk>

[Trying to move off commit lists]

On 2008.09.25 09:20:04 +0400, Ruslan Ermilov wrote:
> Hi Bjoern,
>
> On Wed, Sep 24, 2008 at 06:34:53PM +0000, Bjoern A. Zeeb wrote:
> > On Wed, 24 Sep 2008, Ruslan Ermilov wrote:
> >
> > > ru          2008-09-24 15:18:27 UTC
> > >
> > >   FreeBSD src repository
> > >
> > >   Modified files:
> > >     etc/rc.d             jail
> > >     share/man/man5       rc.conf.5
> > >   Log:
> > >   SVN rev 183325 on 2008-09-24 15:18:27Z by ru
> > >
> > >   Allow a jail's IP alias to be created with an arbitrary netmask.
> >
> > So I had been talking with various people during the last weeks/months
> > about this feature of configuring an interface from rc.d/jail and I
> > had been >< close to removing it a lot of times but it seems people
> > prefer to actually mix network configuration, management and jail
> > startup/teardown in a single script, which I think is a very
> > questionable thing especially considering that we already had an
> > SA[1] for that script for other means.
> >
> At work, we use ezjail as a management tool for jails. We want our
[...]
I think the main problem is that the configuration required for jails
"today" is simply too much for what should be done in an rc.d script
configured by rc.conf. At the Cambridge Devsummit we talked about
creating some kind of more advanced jail management system and I think
that is the way to go in the long run and kill off rc.d/jail. Of course
doing this is no small task, but I think adding kludges to rc.conf is
going to be increasingly painful.

I'm not sure what form a management system should take, but having
ezjail like functionality in base would be a good thing IMO.

Personally I also have a rather strong dislike for the jail auto ip
setting feature, but as people are using it removing the functionality
will cause pain.

--
Simon L. Nielsen

From nejc at skoberne.net Fri Sep 26 00:14:16 2008
From: nejc at skoberne.net (Nejc Škoberne)
Date: Fri Sep 26 00:14:23 2008
Subject: multi-/no-ipv4/6 patch for releng_7
Message-ID: <48DC25A5.3010109@skoberne.net>

Hello,

does this patch maybe also allow services in a jail to listen on
broadcast addresses? If not, do you maybe know if there is any way to
achieve this?

Thanks,
Nejc

From ru at FreeBSD.org Fri Sep 26 05:33:51 2008
From: ru at FreeBSD.org (Ruslan Ermilov)
Date: Fri Sep 26 05:33:58 2008
Subject: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5
In-Reply-To: <20080925205558.GA1114@arthur.nitro.dk>
References: <200809241525.m8OFPifi095256@repoman.freebsd.org> <20080924181315.S65801@maildrop.int.zabbadoz.net> <20080925052004.GB76968@edoofus.dev.vega.ru> <20080925205558.GA1114@arthur.nitro.dk>
Message-ID: <20080926053340.GA84495@edoofus.dev.vega.ru>

On Thu, Sep 25, 2008 at 10:55:59PM +0200, Simon L. Nielsen wrote:
> Personally I also have a rather strong dislike for the jail auto ip
> setting feature, but as people are using it removing the functionality
> will cause pain.
>
It's quite normal that the jail's IP migrates with the jail itself,
including not having an IP address configured if the jail is off.
Otherwise (when the jail is off but its address is on), you may end up
accessing a host system's Web/SSH/etc. server instead of the jail's.

Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From coco at executive-computing.de Sun Sep 28 19:31:01 2008
From: coco at executive-computing.de (Marco Steinbach)
Date: Sun Sep 28 19:31:14 2008
Subject: request for (security) comments on this setup
In-Reply-To:
References:
Message-ID: <48DFD6A3.80706@executive-computing.de>

Randy Schultz wrote:
> Heya,
>
> I'm mounting some iSCSI storage in a jail. It's mounting in the jail via
> fstab. When the jail is up and I'm logged into the jail I can cd to the
> mount point, r/w etc., everything seems to work. What's weird tho' is,
> while a df on the parent shows the partition mounted as expected, a df
> inside the jail shows the local disk but not the iSCSI mount.

A tad bit late, I realize.

If you're not using any applications in need of being able to enumerate
all mounted filesystems from within the jail, I'd leave
security.jail.enforce_statfs alone, and simply use df .

MfG CoCo

From bugmaster at FreeBSD.org Mon Sep 29 11:06:53 2008
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 29 11:08:01 2008
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200809291106.m8TB6qGI040839@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From pgollucci at p6m7g8.com Mon Sep 29 23:28:26 2008
From: pgollucci at p6m7g8.com (Philip M. Gollucci)
Date: Mon Sep 29 23:28:32 2008
Subject: Multiple IPs
In-Reply-To: <20080801171343.M88849@maildrop.int.zabbadoz.net>
References: <20080801171343.M88849@maildrop.int.zabbadoz.net>
Message-ID: <48E1623D.6020309@p6m7g8.com>

Bjoern A. Zeeb wrote:
>>> # make world DESTDIR=$D
>
> that should be make installworld DESTDIR=$D

If that's true, the jail(8) man page is wrong. Though both should work?
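Returning to Greg Larkin's enforce_statfs experiment earlier in this thread: the following POSIX sh script is an added example (not FreeBSD code and not from any poster) that models what the statfs(2)/getfsstat(2) family reports inside a jail at each security.jail.enforce_statfs level, following the jail(8) text quoted above. The mount table is constructed from Greg's df output; the jail root /SHN/Jails/Jail3 is an assumption inferred from the devfs/procfs mount points in that output.

```shell
#!/bin/sh
# Added example (not FreeBSD or any poster's code): a model of what the
# statfs(2)/getfsstat(2) family reports inside a jail for each value of
# security.jail.enforce_statfs, following the jail(8) text quoted above.
# The mount table below is constructed from Greg Larkin's df output; the
# jail root /SHN/Jails/Jail3 is an assumption inferred from its devfs and
# procfs mount points.

HOST_MOUNTS='/dev/da0s1a /
devfs /dev
/dev/da0s1e /tmp
/dev/da0s1g /usr
/dev/da0s1d /usr/home
/dev/da0s1f /var
/dev/da1s1d /SHN
/dev/da3s1d /usr/ports
/dev/da2s1d /usr/src
devfs /var/named/dev
devfs /SHN/Jails/Jail3/dev
procfs /SHN/Jails/Jail3/proc'

JAIL_ROOT=/SHN/Jails/Jail3

# Mount point holding path $1: the longest mount point that is a prefix of
# the path on a component boundary ("/" always qualifies).
containing_mount() {
    best=/
    while read -r dev mp; do
        case "$1" in
        "$mp"|"$mp"/*)
            if [ ${#mp} -gt ${#best} ]; then best=$mp; fi ;;
        esac
    done <<EOF
$HOST_MOUNTS
EOF
    printf '%s\n' "$best"
}

# Print "device mountpoint" as a jailed process would see it at level $1.
#   0: every host mount, host paths intact (discloses the host layout)
#   1: the jail's own root plus mounts nested below it, jail-relative paths
#   2: only the mount the jail root lives on (the default)
jail_statfs() {
    level=$1
    rootmp=$(containing_mount "$JAIL_ROOT")
    while read -r dev mp; do
        case $level in
        0)
            printf '%s %s\n' "$dev" "$mp" ;;
        1)
            if [ "$mp" = "$rootmp" ]; then
                printf '%s /\n' "$dev"
            else
                case "$mp" in
                "$JAIL_ROOT"|"$JAIL_ROOT"/*)
                    rel=${mp#"$JAIL_ROOT"}        # strip the chroot prefix
                    printf '%s %s\n' "$dev" "${rel:-/}" ;;
                esac
            fi ;;
        2)
            if [ "$mp" = "$rootmp" ]; then printf '%s /\n' "$dev"; fi ;;
        *)
            echo "unknown enforce_statfs level: $level" >&2; return 1 ;;
        esac
    done <<EOF
$HOST_MOUNTS
EOF
}

# Number of mounts a jailed df would list at level $1.
visible_count() {
    jail_statfs "$1" | wc -l | tr -d ' '
}

for lvl in 2 1 0; do
    echo "---> enforce_statfs=$lvl"
    jail_statfs "$lvl"
done
```

Only level 0 reproduces the host's mount layout inside the jail; as Greg observed, seeing a mount is not the same as being able to access it, so the knob limits information disclosure rather than confinement.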