From bugmaster at FreeBSD.org Mon Aug 3 11:07:02 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Aug 3 11:09:00 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200908031107.n73B707V088657@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From scheidell at secnap.net Thu Aug 6 14:12:29 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Aug 6 14:12:37 2009
Subject: crontab hanging won't die on SIGTERM in jail
Message-ID: <4A7AE4D4.2090600@secnap.net>

anyone having problems during an in jail shutdown with crontab hanging?
I have seen this in 6.4 and 7.1, on i386 and amd64.
I don't remember problems with 6.3

using jailtools (jkill -r), OR
shutdown -r +0

OR

reboot
reboot: SIGTSTP init: No such process

truss shows:
truss -p 87553
(null)()                                    = 0 (0x0)
gettimeofday({1249567500.835698},0x0)       = 0 (0x0)
stat("tabs",{mode=drwx------ ,inode=10458278,size=512,blksize=4096}) = 0 (0x0)
stat("/etc/crontab",{mode=-rw-r--r-- ,inode=10461256,size=748,blksize=4096}) = 0 (0x0)
gettimeofday({1249567500.836244},0x0)       = 0 (0x0)
fork()                                      = 88217 (0x15899)
gettimeofday({1249567500.836862},0x0)       = 0 (0x0)
nanosleep({60.000000000})                   ERR#4 'Interrupted system call'
SIGNAL 20 (SIGCHLD)
SIGNAL 20 (SIGCHLD)
wait4(0xffffffff,0xbfbfe99c,0x1,0x0)        = 88217 (0x15899)
wait4(0xffffffff,0xbfbfe99c,0x1,0x0)        ERR#10 'No child processes'
sigreturn(0xbfbfe9d0)                       ERR#4 'Interrupted system call'
gettimeofday({1249567500.842115},0x0)       = 0 (0x0)

killall -SIGTERM cron

(caused NO truss activity)

it sees a HUP:

killall -SIGHUP cron

truss:
SIGNAL 1 (SIGHUP)
(null)()                                    ERR#4 'Interrupted system call'
gettimeofday({17.000000},0x0)               = 0 (0x0)
(null)()                                    = 0 (0x0)

SIGKILL will kill it.

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
 * Certified SNORT Integrator
 * 2008-9 Hot Company Award Winner, World Executive Alliance
 * Five-Star Partner Program 2009, VARBusiness
 * Best Anti-Spam Product 2008, Network Products Guide
 * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From scheidell at secnap.net Thu Aug 6 14:23:21 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Aug 6 14:23:27 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To: <4A7AE4D4.2090600@secnap.net>
References: <4A7AE4D4.2090600@secnap.net>
Message-ID: <4A7AE762.2070408@secnap.net>

this doesn't stop cron:

/etc/rc.d/cron stop
(just keeps spitting out the pid)

killall -SIGTERM cron (doesn't work)

killall -SIGQUIT|SIGKILL seems to work.

Workaround is this:

echo "sigstop=SIGQUIT" > /etc/rc.conf.d/cron

works fine now.

isn't needed in base, just in jail.

Michael Scheidell wrote:
> anyone having problems during an in jail shutdown with crontab hanging?
> I have seen this in 6.4 and 7.1, on i386 and amd64.
> I don't remember problems with 6.3
>
> using jailtools (jkill -r), OR
> shutdown -r +0
>
> OR
>
> reboot
> reboot: SIGTSTP init: No such process
>
> truss shows:
> truss -p 87553
> (null)()                                    = 0 (0x0)
> gettimeofday({1249567500.835698},0x0)       = 0 (0x0)
> stat("tabs",{mode=drwx------ ,inode=10458278,size=512,blksize=4096}) = 0 (0x0)
> stat("/etc/crontab",{mode=-rw-r--r-- ,inode=10461256,size=748,blksize=4096}) = 0 (0x0)
> gettimeofday({1249567500.836244},0x0)       = 0 (0x0)
> fork()                                      = 88217 (0x15899)
> gettimeofday({1249567500.836862},0x0)       = 0 (0x0)
> nanosleep({60.000000000})                   ERR#4 'Interrupted system call'
> SIGNAL 20 (SIGCHLD)
> SIGNAL 20 (SIGCHLD)
> wait4(0xffffffff,0xbfbfe99c,0x1,0x0)        = 88217 (0x15899)
> wait4(0xffffffff,0xbfbfe99c,0x1,0x0)        ERR#10 'No child processes'
> sigreturn(0xbfbfe9d0)                       ERR#4 'Interrupted system call'
> gettimeofday({1249567500.842115},0x0)       = 0 (0x0)
>
> killall -SIGTERM cron
>
> (caused NO truss activity)
>
> it sees a HUP:
>
> killall -SIGHUP cron
>
> truss:
> SIGNAL 1 (SIGHUP)
> (null)()                                    ERR#4 'Interrupted system call'
> gettimeofday({17.000000},0x0)               = 0 (0x0)
> (null)()                                    = 0 (0x0)
>
> SIGKILL will kill it.

From scheidell at secnap.net Thu Aug 6 15:02:57 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Aug 6 15:03:03 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To: <4A7AE762.2070408@secnap.net>
References: <4A7AE4D4.2090600@secnap.net> <4A7AE762.2070408@secnap.net>
Message-ID: <4A7AF0AB.40605@secnap.net>

meant sig_stop=.

stranger yet, this works:

echo 'sig_stop=SIGTERM' > /etc/rc.conf.d/cron

truss shows the sigterm now just fine.

Michael Scheidell wrote:
> this doesn't stop cron:
>
> /etc/rc.d/cron stop
> (just keeps spitting out the pid)
>
> killall -SIGTERM cron (doesn't work)
>
> killall -SIGQUIT|SIGKILL seems to work.
>
> Workaround is this:
>
> echo "sigstop=SIGQUIT" > /etc/rc.conf.d/cron
>
> works fine now.
>
> isn't needed in base, just in jail.
>
> Michael Scheidell wrote:
>> anyone having problems during an in jail shutdown with crontab hanging?
>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>> I don't remember problems with 6.3
>>
>> using jailtools (jkill -r), OR
>> shutdown -r +0
>>
>> OR
>>
>> reboot
>> reboot: SIGTSTP init: No such process
>>
>> truss shows:
>> truss -p 87553
>> (null)()                                    = 0 (0x0)
>> gettimeofday({1249567500.835698},0x0)       = 0 (0x0)
>> stat("tabs",{mode=drwx------ ,inode=10458278,size=512,blksize=4096}) = 0 (0x0)
>> stat("/etc/crontab",{mode=-rw-r--r-- ,inode=10461256,size=748,blksize=4096}) = 0 (0x0)
>> gettimeofday({1249567500.836244},0x0)       = 0 (0x0)
>> fork()                                      = 88217 (0x15899)
>> gettimeofday({1249567500.836862},0x0)       = 0 (0x0)
>> nanosleep({60.000000000})                   ERR#4 'Interrupted system call'
>> SIGNAL 20 (SIGCHLD)
>> SIGNAL 20 (SIGCHLD)
>> wait4(0xffffffff,0xbfbfe99c,0x1,0x0)        = 88217 (0x15899)
>> wait4(0xffffffff,0xbfbfe99c,0x1,0x0)        ERR#10 'No child processes'
>> sigreturn(0xbfbfe9d0)                       ERR#4 'Interrupted system call'
>> gettimeofday({1249567500.842115},0x0)       = 0 (0x0)
>>
>> killall -SIGTERM cron
>>
>> (caused NO truss activity)
>>
>> it sees a HUP:
>>
>> killall -SIGHUP cron
>>
>> truss:
>> SIGNAL 1 (SIGHUP)
>> (null)()                                    ERR#4 'Interrupted system call'
>> gettimeofday({17.000000},0x0)               = 0 (0x0)
>> (null)()                                    = 0 (0x0)
>>
>> SIGKILL will kill it.
From coco at executive-computing.de Thu Aug 6 15:49:41 2009
From: coco at executive-computing.de (Marco Steinbach)
Date: Thu Aug 6 15:49:48 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To: <4A7AE4D4.2090600@secnap.net>
References: <4A7AE4D4.2090600@secnap.net>
Message-ID: <4A7AF719.6000201@executive-computing.de>

Michael Scheidell wrote:
> anyone having problems during an in jail shutdown with crontab hanging?
> I have seen this in 6.4 and 7.1, on i386 and amd64.
> I don't remember problems with 6.3

Using 6.3, 6.4 and 7.2 on i386 and amd64, I never experienced this
behaviour.

To make sure, I just tried killall -SIGTERM cron and /etc/rc.d/cron stop
in several jails on different machines, and this seems to work as
intended for me.

Regards
CoCo

From scheidell at secnap.net Thu Aug 6 15:50:03 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Aug 6 15:50:14 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To: <4A7AF719.6000201@executive-computing.de>
References: <4A7AE4D4.2090600@secnap.net> <4A7AF719.6000201@executive-computing.de>
Message-ID: <4A7AFBB5.3030706@secnap.net>

then doing this doesn't make any sense (but fixed it)

echo 'sig_stop=SIGTERM' > /etc/rc.conf.d/cron

or, this even fixed it:

echo 'sig_stop=SIGTERM' >> /etc/rc.conf

the 'killall -SIGTERM cron' worked UNLESS I HAD PREVIOUSLY TRIED
/etc/rc.d/cron stop.

now, with sig_stop in a conf file, it works.

doesn't make sense, but works.

Something, somewhere, somebody is masking or setting sig_stop to '' as a
default. I can't find it.

rc.subr seems to indicate it will set it to SIGTERM if undef:

grep sig_stop /etc/*
rc.subr:#       kill $sig_stop $rc_pid
rc.subr:#       ($sig_stop defaults to TERM.)
rc.subr:        _doit=$(_run_rc_killcmd "${sig_stop:-TERM}")

nothing in /etc/defaults/* or /etc/rc.conf overrides it

grep sig_stop /etc/defaults/*
grep sig_stop /etc/rc.d/cron
grep sig_stop /etc/rc.d/*
/etc/rc.d/nfsd:sig_stop="USR1"

From stef-list at memberwebs.com Thu Aug 6 16:36:14 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Thu Aug 6 16:36:20 2009
Subject: crontab hanging won't die on SIGTERM in jail
References: <4A7AE4D4.2090600@secnap.net>
Message-ID: <20090806161117.90CA23039807@mx.npubs.com>

Michael Scheidell wrote:
> anyone having problems during an in jail shutdown with crontab hanging?
> I have seen this in 6.4 and 7.1, on i386 and amd64.
> I don't remember problems with 6.3

I see this same problem in certain jails. A jail that has this problem
does it consistently, jails without the problem (on the same machine,
same FreeBSD userland/kernel) don't have the problem consistently.

In these cases, sending cron the TERM signal just doesn't do anything.

You have to wait for at least one minute after jail startup for cron to
get into this unTERMable state.

I haven't had time to do further debugging on this, but I figured I'd
pitch in with what I've experienced.
Cheers,

Stef

From scheidell at secnap.net Thu Aug 6 17:17:42 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Thu Aug 6 17:17:48 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To: <20090806161117.90CA23039807@mx.npubs.com>
References: <4A7AE4D4.2090600@secnap.net> <20090806161117.90CA23039807@mx.npubs.com>
Message-ID: <4A7B103F.6040400@secnap.net>

Stef Walter wrote:
> Michael Scheidell wrote:
>> anyone having problems during an in jail shutdown with crontab hanging?
>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>> I don't remember problems with 6.3
>
> I see this same problem in certain jails. A jail that has this problem
> does it consistently, jails without the problem (on the same machine,
> same FreeBSD userland/kernel) don't have the problem consistently.
>
> In these cases, sending cron the TERM signal just doesn't do anything.
>
> You have to wait for at least one minute after jail startup for cron to
> get into this unTERMable state.

YOU ARE RIGHT! it is intermittent.

Try this (for me) on those boxes (before you try /etc/rc.d/cron restart):

echo 'sig_stop=SIGKILL' > /etc/rc.conf.d/cron

you aren't running ezjail, are you? could there be anything in ezjail
that would do this?

yes: boot someone in jail. /etc/rc.d/cron restart or killall -SIGTERM
cron works. wait (for what?). ?? controlling terminal to quit? the first
cron parse? some time (I went to lunch) and guess what. SIGTERM won't
stop it.

From stef-list at memberwebs.com Fri Aug 7 01:11:19 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Fri Aug 7 01:11:24 2009
Subject: crontab hanging won't die on SIGTERM in jail
References: <4A7AE4D4.2090600@secnap.net> <20090806161117.90CA23039807@mx.npubs.com> <4A7B103F.6040400@secnap.net>
Message-ID: <20090807011116.5A7D53039712@mx.npubs.com>

Michael Scheidell wrote:
> you aren't running ezjail, are you? could there be anything in ezjail
> that would do this?

I'm not running ezjail, and I don't think it's related.

For me the common denominator for the jails that exhibit this, is that
java (java/jdk15) is started from an rc.d script. This is anecdotal at
best.

It also doesn't happen immediately. Today I was playing with such a jail
and cron would happily restart (ie: '/etc/rc.d/cron restart') until I
left it alone for a few hours.

I have a dummy cron job (eg: /usr/bin/true), which runs every minute.
/var/log/cron shows that the job is still being run even when cron is
ignoring the TERM signal.

Cheers,

Stef

From stef-list at memberwebs.com Fri Aug 7 01:14:19 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Fri Aug 7 01:14:25 2009
Subject: crontab hanging won't die on SIGTERM in jail
References: <4A7AE4D4.2090600@secnap.net> <20090806161117.90CA23039807@mx.npubs.com> <4A7B103F.6040400@secnap.net>
Message-ID: <20090807011416.E02BC3039712@mx.npubs.com>

Michael Scheidell wrote:
>>> anyone having problems during an in jail shutdown with crontab hanging?
>>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>>> I don't remember problems with 6.3

Oh, and I'm seeing it on 6.3-RELEASE-p12 i386 userland jails running on
7.2-RELEASE-p1 amd64 kernel. I'll try to migrate one of the offending
jails to a system with the same kernel version as the jail.
That's why I didn't post about this earlier: I'm sufficiently off the
beaten path to not expect help debugging such things... :S

Cheers,

Stef

From scheidell at secnap.net Fri Aug 7 01:46:22 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Fri Aug 7 01:46:28 2009
Subject: crontab hanging won't die on SIGTERM in jail
Message-ID: <0fbf01ca1700$db62247e$0d01460a@secnap.com>

Try my workaround. What could it hurt? I'm not running java but am
starting a number of perl-based daemons. Some close control tty.

-- 
Michael Scheidell
Sent from my Windows Mobile phone

-----Original Message-----
From: Stef Walter
Sent: Thursday, August 06, 2009 9:14 PM
To: Michael Scheidell
Cc: freebsd-jail@freebsd.org
Subject: Re: crontab hanging won't die on SIGTERM in jail

Michael Scheidell wrote:
>>> anyone having problems during an in jail shutdown with crontab hanging?
>>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>>> I don't remember problems with 6.3

Oh, and I'm seeing it on 6.3-RELEASE-p12 i386 userland jails running on
7.2-RELEASE-p1 amd64 kernel. I'll try to migrate one of the offending
jails to a system with the same kernel version as the jail.

That's why I didn't post about this earlier: I'm sufficiently off the
beaten path to not expect help debugging such things... :S

Cheers,

Stef

From stef-list at memberwebs.com Fri Aug 7 16:27:17 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Fri Aug 7 16:27:23 2009
Subject: crontab hanging won't die on SIGTERM in jail
References: <0fbf01ca1700$db62247e$0d01460a@secnap.com>
Message-ID: <20090807162714.55F313039832@mx.npubs.com>

Michael Scheidell wrote:
> Try my workaround.

The workaround is close, it should be:

# mkdir -p /etc/rc.conf.d
# echo "sig_stop=SIGQUIT" > /etc/rc.conf.d/cron

> What could it hurt?

As far as I can tell, nothing. But I'd like to eventually find out what's
actually causing the problem.

Cheers,

Stef

From scheidell at secnap.net Fri Aug 7 16:33:04 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Fri Aug 7 16:33:10 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To: <20090807162714.55F313039832@mx.npubs.com>
References: <0fbf01ca1700$db62247e$0d01460a@secnap.com> <20090807162714.55F313039832@mx.npubs.com>
Message-ID: <4A7C574A.20200@secnap.net>

Stef Walter wrote:
> # mkdir -p /etc/rc.conf.d
> # echo "sig_stop=SIGQUIT" > /etc/rc.conf.d/cron

from lots of man pages, and old POSIX docs, they say that to 'reboot' or
stop a unix system you send a SIGTERM to everything. the 'critical'
systems that need to stay up during reboot/haltsys (init!, getty) or
anything that needs to do cleanup are supposed to trap (and ignore
SIGTERM). once the non critical systems are stopped, THEN you send the
SIGQUIT.

I can't see anything critical about cron running during a reboot or
haltsys. SIGQUIT should be the default for it anyway.

did you verify that this works for you? that after sitting for hours
/etc/rc.d/cron stop works? (I had one sitting overnight, worked.)

yes, I want to know why.. I suspect it's some combination of something
rc. calls (something in my /usr/local/etc/rc.d dir) but don't know why
it 'hangs around'. maybe one of those rc scripts sets something bad.
From bugmaster at FreeBSD.org Mon Aug 10 11:07:00 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Aug 10 11:08:37 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200908101106.n7AB6xha025207@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From bugmaster at FreeBSD.org Mon Aug 17 11:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Aug 17 11:08:55 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200908171106.n7HB6vob075847@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From geekounet at poildetroll.net Tue Aug 18 23:09:11 2009
From: geekounet at poildetroll.net (Pierre Guinoiseau)
Date: Tue Aug 18 23:09:18 2009
Subject: Vimage vs. jails
In-Reply-To: <4A8B30D5.9000400@elischer.org>
References: <20090818215721.23230@gmx.net> <4A8B30D5.9000400@elischer.org>
Message-ID: <4A8B3495.7010304@poildetroll.net>

Hi,

Julian Elischer wrote:
> it's not Vimage vs Jails
> but
> Vimage as part of Jails.
>
> Peter Cornelius wrote:
>> Hi there,
>>
>> I just see the vimage changes going into RELENG_8 and I now am
>> getting my hands dirty, finally. So thanks to all involved.
>>
>> Just to get my head around this the right way, I understand that
>> there is no plan to merge vimage and jail into a single jail
>> utility, right?
>
> Actually it IS now all one utility...
> Add the 'vnet' option to jail to get it to create a new vnet with the
> jail, otherwise it acts as before.
>
>> I may want a large number of vimages "w/o" jails, or at least a
>> number of jails "inside" a couple of vimages (reason being the
>> default route issue raised a while ago).
>
> can you expand on that?
>
> example command lines include:
> jail -c host.hostname=test path=/ vnet command=/bin/tcsh
> ( make a jail with the same root as normal but with a separate
> network stack.)
>
> jail -c host.hostname=test path=/ vnet children.max=4 \
>     command=/bin/tcsh
> (same as above, except the jail made is in turn able to make
> up to 4 child jails)

BTW, when will we be able to set those new parameters in rc.conf? The
current jails rc script still uses the old way for setting up (or maybe
I missed something?), so it doesn't allow adding those new parameters.
:( It may be a desirable feature for 8.0-RELEASE I think.

>> Thanks again, and
>>
>> All the best,
>>
>> Peter.
>>
>> ---
>>
>> PS. I see a couple of lock order reversals on RELENG_8 which I
>> would like to report if the build currently running did not address
>> them -- do we prefer them to a mailing list or to gnats?

From julian at elischer.org Tue Aug 18 23:41:46 2009
From: julian at elischer.org (Julian Elischer)
Date: Tue Aug 18 23:41:52 2009
Subject: Vimage vs. jails
In-Reply-To: <4A8B3495.7010304@poildetroll.net>
References: <20090818215721.23230@gmx.net> <4A8B30D5.9000400@elischer.org> <4A8B3495.7010304@poildetroll.net>
Message-ID: <4A8B392D.9080603@elischer.org>

Pierre Guinoiseau wrote:
> Hi,
>
> Julian Elischer wrote:
>> it's not Vimage vs Jails
>> but
>> Vimage as part of Jails.
>>
>> Peter Cornelius wrote:
>>> Hi there,
>>>
>>> I just see the vimage changes going into RELENG_8 and I now am
>>> getting my hands dirty, finally. So thanks to all involved.
>>>
>>> Just to get my head around this the right way, I understand that
>>> there is no plan to merge vimage and jail into a single jail
>>> utility, right?
>> Actually it IS now all one utility...
>> Add the 'vnet' option to jail to get it to create a new vnet with the
>> jail, otherwise it acts as before.
>>
>>> I may want a large number of vimages "w/o" jails, or at least a
>>> number of jails "inside" a couple of vimages (reason being the
>>> default route issue raised a while ago).
>> can you expand on that?
>>
>> example command lines include:
>> jail -c host.hostname=test path=/ vnet command=/bin/tcsh
>> ( make a jail with the same root as normal but with a separate
>> network stack.)
>>
>> jail -c host.hostname=test path=/ vnet children.max=4 \
>>     command=/bin/tcsh
>> (same as above, except the jail made is in turn able to make
>> up to 4 child jails)
>
> BTW, when will we be able to set those new parameters in rc.conf? The
> current jails rc script still uses the old way for setting up (or maybe
> I missed something?), so it doesn't allow adding those new parameters.
> :( It may be a desirable feature for 8.0-RELEASE I think.

The 8.0 vimage/vnet feature is a "feature test" facility.
it allows you to test it out but no-one in their right mind
would tell you to use it in production.

It's been some time since I used the rc.conf method of starting jails
so I can't speak to how much change would be required.
possibly just the addition of "jail_xxx_extra_params".

I forgot to mention the ifconfig vnet additions too, to allow an
interface to be assigned to a particular jail.

>>> Thanks again, and
>>>
>>> All the best,
>>>
>>> Peter.
>>>
>>> ---
>>>
>>> PS. I see a couple of lock order reversals on RELENG_8 which I
>>> would like to report if the build currently running did not address
>>> them -- do we prefer them to a mailing list or to gnats?

From pcc at gmx.net Thu Aug 20 12:39:54 2009
From: pcc at gmx.net (Peter Cornelius)
Date: Thu Aug 20 12:40:00 2009
Subject: Vimage vs. jails
Message-ID: <20090820121309.122740@gmx.net>

Hi guys,

Thanks for the response, so it wasn't such a bad question after all :)

I "have" to pay toll to wifey & kids for a couple of days and will go on
after that (hoping that the kernels I then build actually run ;-)).
Regards,

Peter.

-------- Original message --------
> Date: Tue, 18 Aug 2009 16:28:45 -0700
> From: Julian Elischer
> To: Pierre Guinoiseau
> CC: Peter Cornelius , freebsd-virtualization@freebsd.org, freebsd-jail@freebsd.org
> Subject: Re: Vimage vs. jails

> Pierre Guinoiseau wrote:
> > Hi,
> >
> > Julian Elischer wrote:
> >> it's not Vimage vs Jails
> >> but
> >> Vimage as part of Jails.
> >>
> >> Peter Cornelius wrote:
> >>> Hi there,
> >>>
> >>> I just see the vimage changes going into RELENG_8 and I now am
> >>> getting my hands dirty, finally. So thanks to all involved.
> >>>
> >>> Just to get my head around this the right way, I understand that
> >>> there is no plan to merge vimage and jail into a single jail
> >>> utility, right?
> >> Actually it IS now all one utility...
> >> Add the 'vnet' option to jail to get it to create a new vnet with the
> >> jail, otherwise it acts as before.
> >>
> >>> I may want a large number of vimages "w/o" jails, or at least a
> >>> number of jails "inside" a couple of vimages (reason being the
> >>> default route issue raised a while ago).
> >> can you expand on that?
> >>
> >> example command lines include:
> >> jail -c host.hostname=test path=/ vnet command=/bin/tcsh
> >> ( make a jail with the same root as normal but with a separate
> >> network stack.)
> >>
> >> jail -c host.hostname=test path=/ vnet children.max=4 \
> >>     command=/bin/tcsh
> >> (same as above, except the jail made is in turn able to make
> >> up to 4 child jails)
> >
> > BTW, when will we be able to set those new parameters in rc.conf? The
> > current jails rc script still uses the old way for setting up (or maybe
> > I missed something?), so it doesn't allow adding those new parameters.
> > :( It may be a desirable feature for 8.0-RELEASE I think.
>
> The 8.0 vimage/vnet feature is a "feature test" facility.
> it allows you to test it out but no-one in their right mind
> would tell you to use it in production.
>
> It's been some time since I used the rc.conf method of starting jails
> so I can't speak to how much change would be required.
> possibly just the addition of "jail_xxx_extra_params".
>
> I forgot to mention the ifconfig vnet additions too, to allow an
> interface to be assigned to a particular jail.
>
> >>> Thanks again, and
> >>>
> >>> All the best,
> >>>
> >>> Peter.
> >>>
> >>> ---
> >>>
> >>> PS. I see a couple of lock order reversals on RELENG_8 which I
> >>> would like to report if the build currently running did not address
> >>> them -- do we prefer them to a mailing list or to gnats?

From jose.amengual at gmail.com Thu Aug 20 19:22:51 2009
From: jose.amengual at gmail.com (Jose Amengual)
Date: Thu Aug 20 19:23:04 2009
Subject: Best practice to update jails
In-Reply-To: <20090820121309.122740@gmx.net>
References: <20090820121309.122740@gmx.net>
Message-ID: <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>

Hi guys.

I have a dev server for our developers that holds around 40 jails, each
jail has php, mysql, python etc.

The server is now 7.0 and I was wondering what is the best practice to
maintain security patches and kernel updates, and I came up with the
following idea:

1.- freebsd-update fetch install (host system)
2.- rebuild kernel (I have a custom kernel)
3.- ezjail-update -b (update basejail for all jails)
4.- run portaudit from cron on the jails for third-party security updates
5.- run portupgrade in case of a security update or for app upgrades on
    the jails.

I read in some forums that if you run freebsd-update you will need to do
a portupgrade -fa to reinstall all the third-party apps because
freebsd-update could upgrade or remove some libraries those programs are
linked against. Is this true? Would it be better to run a cvsup instead?
That are some points of my idea but reading on internet I finished more confuse about how will be the best way to do this. any ideas will more appreciate. Thanks. From reddvinylene at gmail.com Thu Aug 20 20:34:25 2009 From: reddvinylene at gmail.com (Redd Vinylene) Date: Thu Aug 20 20:34:31 2009 Subject: Best practice to update jails In-Reply-To: <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com> References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com> Message-ID: On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual wrote: > Hi guys. > > I have a dev server for our developers that holds around 40 jails, each > jail has php, mysql, python etc. > > The server is now 7.0 and was wondering what is the best practice to > maintain security patches and kernel updates and I came out with the > following idea : > > 1.- freebsd-update fetch install ( host system) > 2.- rebuild kernel ( I have a custom kernel ) > 3.- ezjail-update -b ( update basejail for all jails ) > 4.- run in cron portaudit on the jails for thirty party security updates > 5.- run portupgrade in case of a security update or for apps upgrade on the > jails. > > I red in some forums that if you run freebsd-update you will need to do a > portuprade -fa to reinstall all the thirty party apps because freebsd-update > could upgrade or remove some libraries linked to that programs, is this > true ?, will be better to run a cvsup and instead ? > > That are some points of my idea but reading on internet I finished more > confuse about how will be the best way to do this. > > any ideas will more appreciate. > > Thanks. 
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

Hi, here's how I do it, hope it helps: http://pastie.org/590295

Redd Vinylene
--
http://www.home.no/reddvinylene

From reddvinylene at gmail.com  Thu Aug 20 21:28:43 2009
From: reddvinylene at gmail.com (Redd Vinylene)
Date: Thu Aug 20 21:28:55 2009
Subject: Best practice to update jails
In-Reply-To:
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
Message-ID:

On Thu, Aug 20, 2009 at 10:57 PM, Jose Amengual wrote:
> Any reason why you do not use freebsd-update?
>
> Thanks.

I think most people prefer to build from source. I do, at least.

--
http://www.home.no/reddvinylene

From andrew.hotlab at hotmail.com  Fri Aug 21 17:59:11 2009
From: andrew.hotlab at hotmail.com (Andrew Hotlab)
Date: Fri Aug 21 17:59:17 2009
Subject: Best practice to update jails
In-Reply-To:
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
Message-ID:

> Date: Thu, 20 Aug 2009 23:28:39 +0200
> From: reddvinylene@gmail.com
> To: jose.amengual@gmail.com; freebsd-jail@freebsd.org; freebsd-virtualization@freebsd.org
> CC:
> Subject: Re: Best practice to update jails
>
> On Thu, Aug 20, 2009 at 10:57 PM, Jose Amengual wrote:
>
>> Any reason why you do not use freebsd-update?
>>
>> Thanks.
>
> I think most people prefer to build from source. I do, at least.
>

We manage some jail host systems, both for production and development (since
6.2-RELEASE), and we found the best support in the "build-from-source"
upgrade method. Here are the main steps we follow for a release-step upgrade
(since we have a few hosts to manage we are using a dedicated build server,
but the first three steps might be executed on the host machine itself):

1. sync sources from a local cvsup-mirror to the build host;
2. make binaries on the build host (once per architecture we are supporting);
3. mount /usr/src and /usr/obj via NFS on all systems to be upgraded;
4. run mergemaster in pre-buildworld mode (once for the host and once for
   each jail with the -D flag);
5. install the new kernel on the host we are upgrading;
6. reboot the host with the new kernel in single user mode;
7. install the new userland for the host and for the basejail (we are using
   the ezjail framework);
8. run mergemaster on the host to align its configuration files to the new
   release;
9. boot into multi user mode;
10. run mergemaster with the -D flag to update each jail's configuration files;
11. run "make delete-old" and "make delete-old-libs" on both host and jail
    systems (using the DESTDIR variable).

In our environment, this type of upgrade process has proved to be the most
effective and reliable, both for tracking the errata branch and for
upgrading between minor and major releases. Obviously it needs you to be
quite knowledgeable about the build(7) process, but IMO time spent studying
is always time spent well! :)

Andrew
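As an added example (not code from anyone in this thread), here is a POSIX sh driver for the per-jail part of the procedure above, steps 4, 7, 10 and 11: mergemaster in pre-buildworld mode, installworld with DESTDIR, mergemaster -D, and delete-old/delete-old-libs. Before touching a jail tree it audits that tree for symlinks that resolve outside the jail root and refuses to install if any exist, since installworld run from the host follows links as the host sees them (the same concern raised about installworld into jails later in this thread). The script assumes /usr/src and /usr/obj are already built or NFS-mounted and takes jail roots as arguments; SRCDIR, DRYRUN, the function names and the constructed demo trees are this example's own, while mergemaster -p/-D, the installworld, delete-old and delete-old-libs targets and BATCH_DELETE_OLD_FILES are FreeBSD's.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: the per-jail part of
# the build-from-source procedure above (steps 4, 7, 10 and 11), guarded by
# a symlink audit so that installworld never writes through a link that
# leaves the jail tree.
#
# Assumptions (not from the thread): /usr/src and /usr/obj are already
# built or NFS-mounted, jail roots are given as arguments, and DRYRUN=1
# prints commands instead of running them.

SRCDIR=${SRCDIR:-/usr/src}
DRYRUN=${DRYRUN:-0}

# Run a command, or print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf 'DRYRUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Print the host path a symlink's target string really refers to.
# An absolute target is returned unchanged: seen from the host, "/etc"
# inside a jail tree is the host's /etc, not the jail's.
resolve_target() {
    local link=$1 target=$2 linkdir dir
    case $target in /*) printf '%s\n' "$target"; return 0 ;; esac
    linkdir=$(dirname "$link")
    if dir=$(cd -P "$linkdir" && cd -P "$target" 2>/dev/null && pwd -P); then
        printf '%s\n' "$dir"                                 # target is a directory
    elif dir=$(cd -P "$linkdir" && cd -P "$(dirname "$target")" 2>/dev/null && pwd -P); then
        printf '%s/%s\n' "$dir" "$(basename "$target")"     # a file, possibly dangling
    else
        return 1                                             # parent directory missing
    fi
}

# List every symlink under a jail root whose target resolves outside it.
# Returns 1 if any such link exists, 0 if the tree is clean.
audit_jail_symlinks() {
    local root found
    root=$(cd -P "$1" && pwd -P) || return 2
    found=$(find "$root" -type l | while IFS= read -r link; do
        target=$(readlink "$link") || continue
        dest=$(resolve_target "$link" "$target") || continue
        case $dest/ in
            "$root"/*) ;;                                    # stays inside the jail
            *) printf 'ESCAPE: %s -> %s (host path %s)\n' "$link" "$target" "$dest" ;;
        esac
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Steps 4, 7, 10 and 11 for one jail root, refusing a tree whose symlinks
# lead outside it.
upgrade_jail() {
    local root=$1
    if ! audit_jail_symlinks "$root"; then
        printf 'refusing to install into %s: symlinks escape the jail root\n' "$root" >&2
        return 1
    fi
    run mergemaster -p -D "$root"                                   # step 4: pre-buildworld mode
    run make -C "$SRCDIR" installworld DESTDIR="$root"             # step 7: new userland
    run mergemaster -D "$root"                                      # step 10: configuration files
    run make -C "$SRCDIR" delete-old delete-old-libs DESTDIR="$root" BATCH_DELETE_OLD_FILES=yes  # step 11
}

# Constructed demo trees (not real jails) so the refusal path can be seen
# without a FreeBSD build: one clean tree and one with escaping links.
make_demo_jails() {
    local base=$1
    mkdir -p "$base/clean/etc" "$base/bad/etc" "$base/bad/var/tmp"
    : > "$base/clean/etc/hosts"
    ln -s hosts "$base/clean/etc/hosts.alias"         # relative, stays inside
    ln -s /etc "$base/bad/etc/host_etc"               # absolute: the host's /etc
    ln -s ../../../../etc "$base/bad/var/tmp/up_out"  # climbs past the jail root
}

if [ $# -gt 0 ]; then
    for jail in "$@"; do upgrade_jail "$jail" || exit 1; done
else
    DRYRUN=1
    demo=$(mktemp -d)
    make_demo_jails "$demo"
    upgrade_jail "$demo/clean"                          # prints the four DRYRUN commands
    upgrade_jail "$demo/bad" || echo "demo/bad rejected as expected"
    rm -rf "$demo"
fi
```

Run with no arguments it only exercises the constructed trees in dry-run mode; on a host, after the kernel and host userland steps, `sh upgrade-jails.sh /usr/jails/basejail` does the real work. The audit is a point-in-time check of the tree as the host sees it, so it also flags absolute symlinks the jail may legitimately contain and cannot rule out changes made by a running jail between the audit and the install; where a jail is relied on for isolation, the safer practice is still to install only into a stopped jail, or to use a template tree that no jail can write to.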
From Alexander at Leidinger.net  Sat Aug 22 16:40:13 2009
From: Alexander at Leidinger.net (Alexander Leidinger)
Date: Sat Aug 22 16:40:19 2009
Subject: Best practice to update jails
In-Reply-To: <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
Message-ID: <20090822184001.00006882@unknown>

On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual wrote:

> The server is now 7.0 and I was wondering what the best practice is to
> maintain security patches and kernel updates. I came up with the
> following idea:
>
> 1.- freebsd-update fetch install (host system)
> 2.- rebuild kernel (I have a custom kernel)
> 3.- ezjail-update -b (update basejail for all jails)
> 4.- run portaudit from cron on the jails for third-party security
> updates
> 5.- run portupgrade in case of a security update or for app upgrades
> on the jails.
>
> I read in some forums that if you run freebsd-update you will need to
> do a portupgrade -fa to reinstall all the third-party apps because
> freebsd-update could upgrade or remove some libraries linked to
> those programs. Is this true? Would it be better to run a cvsup
> instead?

Not if you stay with the same major version of FreeBSD. If you update
from 7 to 8, this may be possible (I don't know, I don't use
freebsd-update, as I either run patched systems, or at least compile
my own kernels), but if you update from 7.x to 7.y, then this would be
an ABI change, which is very very very very much a no-no in a
stable branch (only an important security fix would be allowed to do
something like this, and only if nobody finds another way to do such
a fix without changing the ABI).

So if you stay on the same major version you can use your procedure,
but read the release notes beforehand; such a big-impact change would be
announced on a stable branch. It may be the case that we had something
like this once, but I do not remember which major version was
affected.

Bye,
Alexander.

From jose.amengual at gmail.com  Mon Aug 24 03:11:55 2009
From: jose.amengual at gmail.com (Jose Amengual)
Date: Mon Aug 24 03:12:01 2009
Subject: Best practice to update jails
In-Reply-To: <20090822184001.00006882@unknown>
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com> <20090822184001.00006882@unknown>
Message-ID:

I was thinking of staying on the same branch, 7.x; I know that a major
upgrade could break too many things, so I will use another procedure for
that. But it looks like it will be better to update using cvsup like I
always did.

Thanks.

On 22-Aug-09, at 9:40 AM, Alexander Leidinger wrote:

> On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual
> wrote:
>
>> The server is now 7.0 and I was wondering what the best practice is to
>> maintain security patches and kernel updates. I came up with the
>> following idea:
>>
>> 1.- freebsd-update fetch install (host system)
>> 2.- rebuild kernel (I have a custom kernel)
>> 3.- ezjail-update -b (update basejail for all jails)
>> 4.- run portaudit from cron on the jails for third-party security
>> updates
>> 5.- run portupgrade in case of a security update or for app upgrades
>> on the jails.
>>
>> I read in some forums that if you run freebsd-update you will need to
>> do a portupgrade -fa to reinstall all the third-party apps because
>> freebsd-update could upgrade or remove some libraries linked to
>> those programs. Is this true? Would it be better to run a cvsup
>> instead?
>
> Not if you stay with the same major version of FreeBSD. If you update
> from 7 to 8, this may be possible (I don't know, I don't use
> freebsd-update, as I either run patched systems, or at least compile
> my own kernels), but if you update from 7.x to 7.y, then this would be
> an ABI change, which is very very very very much a no-no in a
> stable branch (only an important security fix would be allowed to do
> something like this, and only if nobody finds another way to do such
> a fix without changing the ABI).
>
> So if you stay on the same major version you can use your procedure,
> but read the release notes beforehand; such a big-impact change would be
> announced on a stable branch. It may be the case that we had something
> like this once, but I do not remember which major version was
> affected.
>
> Bye,
> Alexander.

From bugmaster at FreeBSD.org  Mon Aug 24 11:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Aug 24 11:08:40 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200908241106.n7OB6wHn048634@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.
From tlott at gamesnet.de  Mon Aug 24 15:27:54 2009
From: tlott at gamesnet.de (Tobias Lott)
Date: Mon Aug 24 15:28:01 2009
Subject: Accessing Unix-Sockets from Jails
Message-ID: <20090824171716.4722c136@sub.han.vpn.gamesnet.de>

Good day,

Just a short question. I've noticed that I can access any domain socket
which is on the host system from within any jail. OpenLDAP, for example:

jail1% ldapsearch -b dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

The reason there is no object is just that I haven't imported the ldif
yet. It's definitely not using TCP, since slapd is bound to localhost (on
the FreeBSD host).

Anyway, is that by design or a bug?

uname output:
FreeBSD quad.han.vpn.gamesnet.de 8.0-BETA2 FreeBSD 8.0-BETA2 #0 r196198: Fri Aug 14 00:22:42 CEST 2009 root@quad.han.vpn.gamesnet.de:/usr/obj/usr/src/sys/QUAD i386

Cheers
--
Tobias Lott

From stef-list at memberwebs.com  Mon Aug 24 16:13:02 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Mon Aug 24 16:13:08 2009
Subject: Accessing Unix-Sockets from Jails
References: <20090824171716.4722c136@sub.han.vpn.gamesnet.de>
Message-ID:

Tobias Lott wrote:
> Good day,
>
> Just a short question. I've noticed that I can access any domain socket
> which is on the host system from within any jail. OpenLDAP, for example:
>
> jail1% ldapsearch -b dc=example,dc=com

FWIW... slapd binds to 0.0.0.0 by default. Check 'sockstat -4' outside the
jail to get a definitive answer on where it's listening.

ldapsearch connects via TCP to localhost by default. Unless you've gone out
of your way to change the defaults, it's unlikely that unix domain sockets
are involved in this connection.

Cheers,

Stef

From simon at FreeBSD.org  Tue Aug 25 18:26:59 2009
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Tue Aug 25 18:27:06 2009
Subject: Best practice to update jails
In-Reply-To:
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
Message-ID: <20090825182656.GA1446@arthur.nitro.dk>

[Don't cc virtualization - no reason for cross post]

On 2009.08.20 22:10:36 +0200, Redd Vinylene wrote:
> On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual wrote:
>
> > I have a dev server for our developers that holds around 40 jails; each
> > jail has php, mysql, python etc.
> >
> > The server is now 7.0 and I was wondering what the best practice is to
> > maintain security patches and kernel updates. I came up with the
> > following idea:
> >
> > 1.- freebsd-update fetch install (host system)
> > 2.- rebuild kernel (I have a custom kernel)
> > 3.- ezjail-update -b (update basejail for all jails)
> > 4.- run portaudit from cron on the jails for third-party security updates
> > 5.- run portupgrade in case of a security update or for app upgrades on the
> > jails.
> >
> > I read in some forums that if you run freebsd-update you will need to do a
> > portupgrade -fa to reinstall all the third-party apps because freebsd-update
> > could upgrade or remove some libraries linked to those programs. Is this
> > true? Would it be better to run a cvsup instead?

There is no difference wrt. ports between freebsd-update and make world.
For major versions you need to recompile all ports, for minor versions you
don't.

Personally I use ezjail to manage a similar development setup, and I
recently upgraded 7.1 -> 7.2 using 'ezjail-admin install' (or something
like that). I quite often upgrade the host system and wait with the jails
so you don't have to do it all in one go (though it might be simpler in).

Other people mention that "most people" use source-based solutions - I'm
far from sure about that; at least unless you are running a modified
FreeBSD or not -RELEASE, there is generally not any reason to compile it
all yourself.
> Here's how I do it, hope it helps: http://pastie.org/590295

This does make installworld into the jail from the host - it should be
mentioned that you should never do this if you use the jails for security
isolation, as the jail root would likely be able to perform a symlink
attack. I haven't ever actually looked at how it could be done, but
installworld isn't made to be "secure" against such things.

--
Simon L. Nielsen

From ltning at anduin.net  Tue Aug 25 18:52:27 2009
From: ltning at anduin.net (Eirik Øverby)
Date: Tue Aug 25 18:52:33 2009
Subject: Best practice to update jails
In-Reply-To: <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
Message-ID:

On 20. aug. 2009, at 20.50, Jose Amengual wrote:

> Hi guys.
>
> I have a dev server for our developers that holds around 40 jails;
> each jail has php, mysql, python etc.
>
> The server is now 7.0 and I was wondering what the best practice is to
> maintain security patches and kernel updates. I came up with the
> following idea:
>
> 1.- freebsd-update fetch install (host system)
> 2.- rebuild kernel (I have a custom kernel)
> 3.- ezjail-update -b (update basejail for all jails)
> 4.- run portaudit from cron on the jails for third-party security
> updates
> 5.- run portupgrade in case of a security update or for app upgrades
> on the jails.

sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
installworld etc. Newer versions (not yet in ports) support using
'template jails'. The latter is what we use.

Basically the update procedure goes like this: freebsd-update the
template jail, freebsd-update the host, reboot.
I have found freebsd-update to be an incredible time-saver compared to
buildworld/installworld, and the IDS function included - despite not
being a really efficient tripwire-style IDS - is extremely useful for us
in determining which of our multiple-dozen jails need updates of
binaries or configuration.

/Eirik

> I read in some forums that if you run freebsd-update you will need to
> do a portupgrade -fa to reinstall all the third-party apps because
> freebsd-update could upgrade or remove some libraries linked to
> those programs. Is this true? Would it be better to run a cvsup
> instead?
>
> Those are some points of my idea, but reading on the internet I ended
> up more confused about what the best way to do this would be.
>
> Any ideas will be much appreciated.
>
> Thanks.

From bazerka at beardz.net  Wed Aug 26 12:18:06 2009
From: bazerka at beardz.net (Jase Thew)
Date: Wed Aug 26 12:18:12 2009
Subject: Best practice to update jails
In-Reply-To:
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
Message-ID: <4A95243B.4000100@beardz.net>

On 25/08/2009 19:36, Eirik Øverby wrote:
> On 20. aug. 2009, at 20.50, Jose Amengual wrote:
>
>> Hi guys.
>>
>> I have a dev server for our developers that holds around 40 jails;
>> each jail has php, mysql, python etc.
>>
>> The server is now 7.0 and I was wondering what the best practice is to
>> maintain security patches and kernel updates. I came up with the
>> following idea:
>>
>> 1.- freebsd-update fetch install (host system)
>> 2.- rebuild kernel (I have a custom kernel)
>> 3.- ezjail-update -b (update basejail for all jails)
>> 4.- run portaudit from cron on the jails for third-party security updates
>> 5.- run portupgrade in case of a security update or for app upgrades
>> on the jails.
>
> sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
> installworld etc. Newer versions (not yet in ports) support using
> 'template jails'. The latter is what we use.
>
> Basically the update procedure goes like this: freebsd-update the
> template jail, freebsd-update the host, reboot. I have found
> freebsd-update to be an incredible time-saver compared to
> buildworld/installworld, and the IDS function included - despite not
> being a really efficient tripwire-style IDS - is extremely useful for
> us in determining which of our multiple-dozen jails need updates of
> binaries or configuration.
>
> /Eirik

ezjail can also utilise a pre-built /usr/obj to upgrade the base jail and
already uses a templating system, fwiw.

Jase.

From stef-list at memberwebs.com  Wed Aug 26 19:24:16 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Wed Aug 26 19:24:23 2009
Subject: crontab hanging won't die on SIGTERM in jail
References: <4A7AE4D4.2090600@secnap.net> <20090806161117.90CA23039807@mx.npubs.com>
Message-ID:

Stef Walter wrote:
> Michael Scheidell wrote:
>> Anyone having problems during an in-jail shutdown with crontab hanging?
>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>> I don't remember problems with 6.3
>
> I see this same problem in certain jails. A jail that has this problem
> does it consistently; jails without the problem (on the same machine,
> same FreeBSD userland/kernel) don't have the problem consistently.
Turns out (for me) the bug was in jailutils, and occurred when the jail
had been restarted from inside the jail using the jkill (or
appropriately configured reboot) command.

I've released a new version of jailutils (1.6) that fixes this problem.

Cheers,

Stef

From scheidell at secnap.net  Wed Aug 26 19:32:05 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Wed Aug 26 19:32:12 2009
Subject: crontab hanging won't die on SIGTERM in jail
In-Reply-To:
References: <4A7AE4D4.2090600@secnap.net> <20090806161117.90CA23039807@mx.npubs.com>
Message-ID: <4A958DD0.2050606@secnap.net>

You the jailutils guy? Thanks, good stuff. (Been meaning to ask why
certain options that work outside of a jail don't work inside also.)

Thanks for finding this. Really flustered. (But SIGKILL works also!)

Stef Walter wrote:
> Stef Walter wrote:
>
>> Michael Scheidell wrote:
>>
>>> Anyone having problems during an in-jail shutdown with crontab hanging?
>>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>>> I don't remember problems with 6.3
>>>
>> I see this same problem in certain jails. A jail that has this problem
>> does it consistently; jails without the problem (on the same machine,
>> same FreeBSD userland/kernel) don't have the problem consistently.
>>
>
> Turns out (for me) the bug was in jailutils, and occurred when the jail
> had been restarted from inside the jail using the jkill (or
> appropriately configured reboot) command.
>
> I've released a new version of jailutils (1.6) that fixes this problem.
>
> Cheers,
>
> Stef
>

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

From bugmaster at FreeBSD.org  Mon Aug 31 11:07:10 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Aug 31 11:08:39 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200908311107.n7VB79tx070614@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.