From bugmaster at FreeBSD.org Mon Feb 2 03:06:55 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 2 03:08:17 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200902021106.n12B6rdX094469@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

3 problems total.

From lopez.on.the.lists at yellowspace.net Mon Feb 2 03:07:37 2009
From: lopez.on.the.lists at yellowspace.net (Lorenzo Perone)
Date: Mon Feb 2 03:09:53 2009
Subject: Multi-IP Jails (7.1-REL)
In-Reply-To: <20090128081831.V3757@maildrop.int.zabbadoz.net>
References: <200901280751.n0S7pQhn053569@post.behrens.de> <20090128081831.V3757@maildrop.int.zabbadoz.net>
Message-ID:

Bjoern, this is great news :)

looking forward to csupping/installing RELENG_7 with your patches included!

Kudos && big thanks,

Lorenzo

On 28.01.2009, at 09:20, Bjoern A. Zeeb wrote:

> I am about to re-gen my patch from last week (wasn't publicly
> announced) but I am running it. So if you can wait another few hours,
> you'll get the MFC candidate patch for RELENG_7.
From mike at sentex.net Mon Feb 2 12:26:37 2009
From: mike at sentex.net (Mike Tancsa)
Date: Mon Feb 2 12:26:43 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails merge to 7-STABLE ahead
In-Reply-To: <20090128150840.E45963@maildrop.int.zabbadoz.net>
References: <20090128150840.E45963@maildrop.int.zabbadoz.net>
Message-ID: <200902022003.n12K3PLO087346@lava.sentex.ca>

At 10:22 AM 1/28/2009, Bjoern A. Zeeb wrote:
>Hi,
>
>I have a possible MFC candidate patch at:
> http://people.freebsd.org/~bz/20090128-02-jail7-mfc.diff

Hi Bjoern,
Will this patch allow for the creation of tun interfaces inside of a
jail ? Ideally I was hoping to run OpenVPN inside various jails which uses
the tun device.

---Mike

>to merge the multi-IPv4/v6/no-IP jails to 7-STABLE. My plan would be
>to do so during the weekend of 6-8th February 2009.
>
>In addition to what the patch says at the beginning (__FreeBSD_version
>bump), the patch also has the regenerated compat/freebsd32 sysctl
>stuff in it so that people can apply, compile and run it directly.
>For the merge this would be a second commit.
>
>For committers who want to review that I have done the merge right, it
>is an svn diff with mergeinfo included.
>
>For details about the patch, features, .. see the original commit
>message and follow-up a few days later (both in one post):
>http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html
>
>Since then a few bug fixes went in, some older PRs were handled, ...
>
>Now is the time for you to try and review it for 7-STABLE, etc.
>
>
>/bz
>
>--
>Bjoern A. Zeeb                          The greatest risk is not taking one.
>_______________________________________________
>freebsd-stable@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

From bzeeb-lists at lists.zabbadoz.net Mon Feb 2 13:00:15 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Feb 2 13:00:22 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails merge to 7-STABLE ahead
In-Reply-To: <200902022003.n12K3PLO087346@lava.sentex.ca>
References: <20090128150840.E45963@maildrop.int.zabbadoz.net> <200902022003.n12K3PLO087346@lava.sentex.ca>
Message-ID: <20090202205422.Q93725@maildrop.int.zabbadoz.net>

On Mon, 2 Feb 2009, Mike Tancsa wrote:

> At 10:22 AM 1/28/2009, Bjoern A. Zeeb wrote:
>> Hi,
>>
>> I have a possible MFC candidate patch at:
>> http://people.freebsd.org/~bz/20090128-02-jail7-mfc.diff
>
>
> Hi Bjoern,
> Will this patch allow for the creation of tun interfaces inside of a
> jail ? Ideally I was hoping to run OpenVPN inside various jails which uses
> the tun device.

Nope, you'll have to wait for vimages for that.

/bz

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From bzeeb-lists at lists.zabbadoz.net Sat Feb 7 10:20:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sat Feb 7 10:20:20 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
Message-ID: <20090207174104.Y93725@maildrop.int.zabbadoz.net>

Hi,

what has started a long time ago with patches from various people, was
started, abandoned, resumed, and finally found an end.

I am happy to hereby announce that the multi-IPv4/v6/no-IP jails work
has been merged to 7-STABLE and thus can be used in FreeBSD 7 without
the need to maintain or apply patches from now on.

This also means that the updated jails will be included in 7.2 release.

This update gives you (short selection):
- zero, one or multi-IP jails.
- IPv4 and IPv6 support.
- cpuset support for jails.
- jail names and states to ease administration.
- 32bit compat on 64bit, jail v1 compat, ..
You'll find a longer summary about all the new features and how to use
them in a posting from December (you should really read it):
http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html

Since the above posting, multiple PRs had been addressed and fixes include
- SIOCGIFADDR ioctl handling which fixes the "samba inside jails problem"
- no more arp and ndp information disclosure
- updated rc.conf framework (fully backward compatible in 7), see
  man 5 rc.conf and /etc/defaults/rc.conf.
- various documentation/man page updates
- ...

I'd like to thank everyone who had helped to make this possible!

If you like the work, mayhap even use it for your business, or just
want to support FreeBSD, you may want to visit
http://www.freebsdfoundation.org/ and help donating some money.

Enjoy your new jails!
(and don't try to escape - you sure won't succeed;)

/bz

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From 000.fbsd at quip.cz Sun Feb 8 08:36:44 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sun Feb 8 08:36:51 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <20090207174104.Y93725@maildrop.int.zabbadoz.net>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net>
Message-ID: <498F0A16.7050108@quip.cz>

Bjoern A. Zeeb wrote:
> Hi,
>
> what has started a long time ago with patches from various people, was
> started, abandoned, resumed, and finally found an end.
>
> I am happy to hereby announce that the multi-IPv4/v6/no-IP jails work
> has been merged to 7-STABLE and thus can be used in FreeBSD 7 without
> the need to maintain or apply patches from now on.
>
> This also means that the updated jails will be included in 7.2 release.
>
> This update gives you (short selection):
> - zero, one or multi-IP jails.
> - IPv4 and IPv6 support.
> - cpuset support for jails.
> - jail names and states to ease administration.
> - 32bit compat on 64bit, jail v1 compat, ..
>
> You'll find a longer summary about all the new features and how to use
> them in a posting from December (you should really read it):
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html
>
> Since the above posting, multiple PRs had been addressed and fixes include
> - SIOCGIFADDR ioctl handling which fixes the "samba inside jails problem"
> - no more arp and ndp information disclosure
> - updated rc.conf framework (fully backward compatible in 7), see
>   man 5 rc.conf and /etc/defaults/rc.conf.
> - various documentation/man page updates
> - ...

Many thanks for your hard work on Jails!! I am planning to test 7-STABLE
in the next few days.

Can you explain more details about "32bit compat on 64bit, jail v1 compat, .."?
Is it possible to run 32bit jail in 64bit host and build & run 32bit ports
(marked as i386 only) in it? What is needed to setup 32bit jail in 64bit host?

Thanks again

Miroslav Lachman

From bzeeb-lists at lists.zabbadoz.net Sun Feb 8 08:50:09 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Feb 8 08:50:16 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <498F0A16.7050108@quip.cz>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <498F0A16.7050108@quip.cz>
Message-ID: <20090208164325.I93725@maildrop.int.zabbadoz.net>

On Sun, 8 Feb 2009, Miroslav Lachman wrote:

Hi,

> Can you explain more details about "32bit compat on 64bit, jail v1 compat,
> .."?
> Is it possible to run 32bit jail in 64bit host and build & run 32bit ports
> (marked as i386 only) in it? What is needed to setup 32bit jail in 64bit
> host?

Running a 32bit userland on a 64bit machine inside a jail had been
possible for quite a while; you'll find the instructions for a
"perfect" setup with a bit of search.

What the above means is that your i386 jail binary will work on amd64 and
that your old jail binary from before the update will work on the kernel
after the update. jls will not btw.

/bz

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From 000.fbsd at quip.cz Sun Feb 8 09:24:16 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Sun Feb 8 09:24:23 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <20090208164325.I93725@maildrop.int.zabbadoz.net>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <498F0A16.7050108@quip.cz> <20090208164325.I93725@maildrop.int.zabbadoz.net>
Message-ID: <498F153C.7070606@quip.cz>

Bjoern A. Zeeb wrote:
> On Sun, 8 Feb 2009, Miroslav Lachman wrote:
>
> Hi,
>
>> Can you explain more details about "32bit compat on 64bit, jail v1
>> compat, .."?
>> Is it possible to run 32bit jail in 64bit host and build & run 32bit
>> ports (marked as i386 only) in it? What is needed to setup 32bit jail
>> in 64bit host?
>
>
> Running a 32bit userland on a 64bit machine inside a jail had been
> possible for quite a while; you'll find the instructions for a
> "perfect" setup with a bit of search.

I know it was discussed a few times in this list (eg. "Compilation question
64bit, 32 bit" at 2008-10-16), but I think there were not any "perfect"
setup instructions and I am unable to find it with google (maybe I ask
google by wrong questions ;]), so can you point me to the right place?

> What the above means is that your i386 jail binary will work on amd64 and
> that your old jail binary from before the update will work on the kernel
> after the update. jls will not btw.

As Alexander Leidinger replied in the mentioned thread, it does not seem
too simple (in case of ports infrastructure) to use 32bit jail as pure
32bit environment to compile i386 only ports.
I will try it next week and post back any results / questions. And in case
of success, I will write it on Jails wiki page.

Miroslav Lachman

From bzeeb-lists at lists.zabbadoz.net Sun Feb 8 13:30:09 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Feb 8 13:30:16 2009
Subject: jail MFC might have broken more ports/contrib code
Message-ID: <20090208212042.L93725@maildrop.int.zabbadoz.net>

Hi,

from the commit to head I am aware of 4 ports that broke due to the
update of struct jail, etc. as they are compiling or are tied to C code.
I have either submitted PRs for those (again) or contacted the author or
maintainer either before (for head) or today. These ports are:
- py25-freebsd
- mod_jail
- p5-BSD-Jail-Object
- jailutils

In case you are aware of any other port that broke let me know (in case
you cannot fix it yourself) and I will happily assist updating it so that
it will work with either version of jails.

portmgr is doing a private ports run for this as well to possibly identify
other ports that broke but they won't catch scripts that no longer can
parse jls output or similar things.

My offer for help is also valid in case you have out-of src and ports code
that needs updating. (In case it's a closed source project you will
consider a donation to the freebsd foundation;)

/bz

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From andrew.hotlab at hotmail.com Sun Feb 8 18:30:23 2009
From: andrew.hotlab at hotmail.com (Andrew Hotlab)
Date: Sun Feb 8 18:30:30 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <20090208164325.I93725@maildrop.int.zabbadoz.net>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <498F0A16.7050108@quip.cz> <20090208164325.I93725@maildrop.int.zabbadoz.net>
Message-ID:

> Date: Sun, 8 Feb 2009 16:45:42 +0000
> From: bzeeb-lists@lists.zabbadoz.net
>
>> Can you explain more details about "32bit compat on 64bit, jail v1 compat,
>> .."?
>> Is it possible to run 32bit jail in 64bit host and build & run 32bit ports
>> (marked as i386 only) in it? What is needed to setup 32bit jail in 64bit
>> host?
>
> Running a 32bit userland on a 64bit machine inside a jail had been
> possible for quite a while; you'll find the instructions for a
> "perfect" setup with a bit of search.
>

I think this thread might be helpful:
http://lists.freebsd.org/pipermail/freebsd-arch/2009-January/008845.html

Greetings.

Andrew

From bugmaster at FreeBSD.org Mon Feb 9 03:06:55 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 9 03:08:27 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200902091106.n19B6r1n009160@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

3 problems total.
From 000.fbsd at quip.cz Tue Feb 10 13:17:25 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Tue Feb 10 13:17:31 2009
Subject: kern/122270: [jail] [patch] jail numbers keep incrementing
In-Reply-To: <200804112132.m3BLWb6x089521@freefall.freebsd.org>
References: <200804112132.m3BLWb6x089521@freefall.freebsd.org>
Message-ID: <4991EEE0.2050202@quip.cz>

delphij@FreeBSD.org wrote:
> Synopsis: [jail] [patch] jail numbers keep incrementing
>
> State-Changed-From-To: open->patched
> State-Changed-By: delphij
> State-Changed-When: Fri Apr 11 21:32:08 UTC 2008
> State-Changed-Why:
> Committed against -HEAD, MFC reminder.
>
>
> Responsible-Changed-From-To: freebsd-jail->delphij
> Responsible-Changed-By: delphij
> Responsible-Changed-When: Fri Apr 11 21:32:08 UTC 2008
> Responsible-Changed-Why:
> Take.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=122270

Is it really committed to 7_RELENG? I am running 7.1-RELEASE and JID is still
incrementing after each stop + start.
In my test case, I started with 3 jails (JID 1, 2, 3), then I stopped jail
with JID 2, start it again (now it has JID 4), stop + start and JID is 5,
stop + start again and JID is 6...

Miroslav Lachman

From bzeeb-lists at lists.zabbadoz.net Tue Feb 10 14:05:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Feb 10 14:05:15 2009
Subject: kern/122270: [jail] [patch] jail numbers keep incrementing
In-Reply-To: <4991EEE0.2050202@quip.cz>
References: <200804112132.m3BLWb6x089521@freefall.freebsd.org> <4991EEE0.2050202@quip.cz>
Message-ID: <20090210220131.M3338@maildrop.int.zabbadoz.net>

On Tue, 10 Feb 2009, Miroslav Lachman wrote:

>> http://www.freebsd.org/cgi/query-pr.cgi?pr=122270
>
> Is it really committed to 7_RELENG? I am running 7.1-RELEASE and JID is still
> incrementing after each stop + start.
> In my test case, I started with 3 jails (JID 1, 2, 3), then I stopped jail
> with JID 2, start it again (now it has JID 4), stop + start and JID is 5,
> stop + start again and JID is 6...

It had been backed out because it gave various people various problems
and lead to races with startup/shutdown of jails and mgmt tools.
But that's been looong ago.

/bz

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From 000.fbsd at quip.cz Tue Feb 10 14:36:15 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Tue Feb 10 14:36:21 2009
Subject: kern/122270: [jail] [patch] jail numbers keep incrementing
In-Reply-To: <20090210220131.M3338@maildrop.int.zabbadoz.net>
References: <200804112132.m3BLWb6x089521@freefall.freebsd.org> <4991EEE0.2050202@quip.cz> <20090210220131.M3338@maildrop.int.zabbadoz.net>
Message-ID: <49920159.9090400@quip.cz>

Bjoern A. Zeeb wrote:
> On Tue, 10 Feb 2009, Miroslav Lachman wrote:
>
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=122270
>>
>>
>> Is it really committed to 7_RELENG? I am running 7.1-RELEASE and JID is
>> still incrementing after each stop + start.
>> In my test case, I started with 3 jails (JID 1, 2, 3), then I stopped
>> jail with JID 2, start it again (now it has JID 4), stop + start and
>> JID is 5, stop + start again and JID is 6...
>
>
> It had been backed out because it gave various people various problems
> and lead to races with startup/shutdown of jails and mgmt tools.
> But that's been looong ago.

Thank you for your quick reply. I think that it would be nice to add
related information to (closed) PRs. This is not the first time when
something was backed out or not MFCd but PR stated that it is committed.

Miroslav Lachman

From 000.fbsd at quip.cz Wed Feb 11 03:22:18 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Wed Feb 11 03:22:27 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <20090207174104.Y93725@maildrop.int.zabbadoz.net>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net>
Message-ID: <4992B4E6.1040607@quip.cz>

I have a question about INADDR_ANY in relation to new multi-IP jails.
It was discussed some time ago as PR 84215 [wildcard ip (INADDR_ANY) should
not bind inside a jail] http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 and
it seemed fixed, but manpage for jail is still saying:

"Similarly, it might be a good idea to add an address alias flag such that
daemons listening on all IPs (INADDR_ANY) will not bind on that address,
which would facilitate building a safe host environment such that host
daemons do not impose on services offered from within jails."

Can you please clarify the current state?

Miroslav Lachman

From bzeeb-lists at lists.zabbadoz.net Wed Feb 11 14:35:10 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Feb 11 14:35:16 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <4992B4E6.1040607@quip.cz>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <4992B4E6.1040607@quip.cz>
Message-ID: <20090211223202.W53478@maildrop.int.zabbadoz.net>

On Wed, 11 Feb 2009, Miroslav Lachman wrote:

> I have a question about INADDR_ANY in relation to new multi-IP jails.
> It was discussed some time ago as PR 84215 [wildcard ip (INADDR_ANY) should
> not bind inside a jail] http://www.freebsd.org/cgi/query-pr.cgi?pr=84215 and
> it seemed fixed, but manpage for jail is still saying:
>
> "Similarly, it might be a good idea to add an address alias flag such that
> daemons listening on all IPs (INADDR_ANY) will not bind on that address,
> which would facilitate building a safe host environment such that host
> daemons do not impose on services offered from within jails."
>
> Can you please clarify the current state?

http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000623.html

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From bzeeb-lists at lists.zabbadoz.net Thu Feb 12 05:05:10 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Feb 12 05:05:23 2009
Subject: [RFC] Skeleton jail (rc.d feature proposal)
In-Reply-To: <499244E6.9030205@delphij.net>
References: <499244E6.9030205@delphij.net>
Message-ID: <20090212122419.Q53478@maildrop.int.zabbadoz.net>

On Tue, 10 Feb 2009, Xin LI wrote:

Hi,

PreS: I added freebsd-jail@ to Cc:.

> Ok, some local users have prodded me in committing the "skeleton jail"
> feature, I find it useful myself but not sure if it's appropriate to
> commit it against -HEAD, so I'd like to explain it, try to present it in
> a better way, and request for comments.

I have seen lots of "skeleton jail" features the last years working with
lots of different parties and I have a private one myself tied into some
other stuff which is even more meagre than most. It's 2 files and 7 lines
of sh and that's only because I am lazy.

I have seen everything from sh scripts to install worlds/distribution for
a jail, to the same and then remove stuff, unionfs tries and nullfs
mounts. From mergemaster setups populating worlds for jail from private
trees to restores from master images. Some were really nice, others were
.. improvable. They all helped the people in their environment but few
could use what the others had done in their environment.

> The rc.d infrastructure would automatically mount the following
> directories from the template (when not specified, /) as read-only:
>
> bin
> lib
> libexec
> sbin
> usr/bin
> usr/include
> usr/lib
> usr/libdata
> usr/libexec
> usr/sbin
> usr/share

I do not have the following two on most/any of my machines:

> usr/src
> usr/obj

The correct way to do this I think would leave rc.d/jail untouched and
(pre-)populate an /etc/fstab. and use that.
Considering that my last commit messages already said that Simon and I
have big worries about all the features in /etc/rc.d/jail and would
rather remove them than keep them and that this is basically two things:

1) pre-seed a jail hierarchy and etc from a source tree
2) mount some nullfs into the jail on start, unmount on stop

(I hope I didn't miss anything else)

I am wondering if this large patch cannot be reduced to a few-line sh
script to seed the jail + fstab, not needing to fiddle with base for that.

	#!/bin/sh
	# $1 is DESTDIR of the jail
	# $2 is the jail name as in rc.conf
	# $3 is the skel root to mount from
	# other arguments are rw nullfs mounts (directories below the skel root)
	dest=$1; name=$2; skel=$3
	shift; shift; shift
	cd /usr/src || exit 1
	make hierarchy DESTDIR="${dest}"
	make distribution DESTDIR="${dest}"
	# read-only nullfs mounts from the skel root (.. extend the list as needed)
	for d in bin lib libexec; do
		echo "${skel}/${d} ${dest}/${d} nullfs ro 0 0" >> "/etc/fstab.${name}"
	done
	# the remaining arguments become read-write nullfs mounts
	for d in "$@"; do
		echo "${skel}/${d} ${dest}/${d} nullfs rw 0 0" >> "/etc/fstab.${name}"
	done
	echo "Add jail_${name}_mount_enable='YES' to /etc/rc.conf"

This is untested and doesn't have error checking etc. I would even put it
in a Makefile instead of doing it in sh. A lot more flexible than anything
in base will ever be.

Just my 5ct.

/bz

--
Bjoern A. Zeeb                          The greatest risk is not taking one.

From anders.hagman at netplex.se Sat Feb 14 14:03:07 2009
From: anders.hagman at netplex.se (Anders Hagman)
Date: Sat Feb 14 14:03:15 2009
Subject: BIND in jail problem
Message-ID: <499733EC.3040706@netplex.se>

Hi

I'm trying to use BIND inside a jail and have passed the chroot
problem and have a running named without chroot.

The problem is that the jail does not have the address 127.0.0.1 or does not
use the info in resolv.conf.
When I use the host command I get:

[root@ippbx1 ~]# host ippbx1
;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 127.0.0.1

tcpdump:
21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)

21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24

As you can see the destination address is 172.16.101.3 despite the name
server address in resolv.conf. The host command does not add the domain as it
should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se".
The host command expects to get an answer from 127.0.0.1.

Changing the nameserver address in resolv.conf to 172.16.101.3 does not
change anything. Using the FQDN does not help because it's still the wrong
expected address. The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.

Using ping gives a different picture:

[root@ippbx1 ~]# ping ippbx1
ping: cannot resolve ippbx1: Host name lookup failure

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 172.16.101.3

tcpdump:
21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36

ping does add the domain to the query but does not read the address from
resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0
machine and does not run BIND.

uname -a
FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0

named -v
BIND 9.4.2-P2

named.conf:
zone "kalmar.se" {
        type master;
        file "master/kalmar";
};

zone "101.16.172.in-addr.arpa" {
        type master;
        file "master/kalmar.rev";
};

zone file kalmar:
$TTL 3h
@       SOA     ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN      NS      ippbx1.kalmar.se.
ippbx1  IN      A       172.16.101.3

zone file kalmar.rev:
$TTL 3h
@       SOA     ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN      NS      ippbx1.kalmar.se.
3       IN      PTR     ippbx1.kalmar.se.

Why do I want to run BIND inside a jail? Well I'm building a IP-PBX lab and
want to run six autonomous jails with DNS, DHCP, NTP and asterisk inside.
DHCP and Asterisk work but DNS is vital for the lab.

BR
Anders H

From scheidell at secnap.net Sat Feb 14 14:28:14 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Sat Feb 14 14:28:20 2009
Subject: BIND in jail problem
Message-ID: <01f701c98ef3$838c2cd7$0d01460a@secnap.com>

172.16.101.3 is what you should be listening on and use in resolv.conf.

-----Original Message-----
From: Anders Hagman
Sent: Saturday, February 14, 2009 5:03 PM
To: freebsd-jail@freebsd.org
Subject: BIND in jail problem

Hi

I'm trying to use BIND inside a jail and have passed the chroot
problem and have a running named without chroot.

The problem is that the jail does not have the address 127.0.0.1 or does not
use the info in resolv.conf.

When I use the host command I get:

[root@ippbx1 ~]# host ippbx1
;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 127.0.0.1

tcpdump:
21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. (24)

21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail 0/0/0 (24

As you can see the destination address is 172.16.101.3 despite the name
server address in resolv.conf. The host command does not add the domain as it
should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se".
The host command expects to get an answer from 127.0.0.1.

Changing the nameserver address in resolv.conf to 172.16.101.3 does not
change anything. Using the FQDN does not help because it's still the wrong
expected address. The only thing that works is: host ippbx1.kalmar.se 172.16.101.3.

Using ping gives a different picture:

[root@ippbx1 ~]# ping ippbx1
ping: cannot resolve ippbx1: Host name lookup failure

/etc/resolv.conf
domain kalmar.se
search kalmar.se
nameserver 172.16.101.3

tcpdump:
21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A? ippbx1.kalmar.se. (34)
21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53 unreachable, length 36

ping does add the domain to the query but does not read the address from
resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0
machine and does not run BIND.

uname -a
FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0

named -v
BIND 9.4.2-P2

named.conf:
zone "kalmar.se" {
        type master;
        file "master/kalmar";
};

zone "101.16.172.in-addr.arpa" {
        type master;
        file "master/kalmar.rev";
};

zone file kalmar:
$TTL 3h
@       SOA     ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN      NS      ippbx1.kalmar.se.
ippbx1  IN      A       172.16.101.3

zone file kalmar.rev:
$TTL 3h
@       SOA     ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h ; Serial, Refresh, Retry, Expire, Neg. cache TTL
        IN      NS      ippbx1.kalmar.se.
3       IN      PTR     ippbx1.kalmar.se.

Why do I want to run BIND inside a jail? Well I'm building a IP-PBX lab and
want to run six autonomous jails with DNS, DHCP, NTP and asterisk inside.
DHCP and Asterisk work but DNS is vital for the lab.

BR
Anders H
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"

From bzeeb-lists at lists.zabbadoz.net Sat Feb 14 14:40:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sat Feb 14 14:40:29 2009
Subject: BIND in jail problem
In-Reply-To: <499733EC.3040706@netplex.se>
References: <499733EC.3040706@netplex.se>
Message-ID: <20090214221759.L53478@maildrop.int.zabbadoz.net>

On Sat, 14 Feb 2009, Anders Hagman wrote:

Hi,

I am inclined to say that something is not right with your setup and I
am not able to reproduce any of the symptoms on 7-STABLE pre-jail-MFC
but that's not going to help.

Those named inside jail things come up regularly and either end without
any results as people stop to reply or a pilot error is quickly identified.

It might be hard to resolve the problem in mail or might need lots of
mails so I'd suggest to take your reply off-list, and we'll post a
summary with the results once things are solved.

> I'm trying to use BIND inside a jail and have passed the chroot
> problem and have a running named without chroot.

what does netstat -an | grep '\.53' say inside your jail?
> The problem is that the jail does not have the address 127.0.0.1 or does not that's becoming a FAQ and later jail2 man pages say: :: All connections to/from the loopback address (127.0.0.1 for IPv4, ::1 :: for IPv6) will be changed to be to/from the primary address of the jail :: for the given address family. so for your jail (I assume a stock 7.1-RELEASE) ignore the IPv6 part and the "primary" part as there is only one IP (which is the primary IP in that case). > use the info in resolv.conf. > > When I use the host command I get: > > [root@ippbx1 ~]# host ippbx1 > ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53 > > /etc/resolv.conf > domain kalmar.se > search kalmar.se man resolv.conf says: :: The domain and search keywords are mutually exclusive. If more than one :: instance of these keywords is present, the last instance will override. so you can remove the domain line. > nameserver 127.0.0.1 > > tcpdump: > 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto > UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1. > (24) > > 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto > UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail > 0/0/0 (24 This looks fine from the IP point of view as if 172.16.101.3 is our jail IP is correct. > As you can see the destination address is 172.16.101.3 despite the name > server address in resolv.conf. The host command does not add the domain as it > should and sends the query as "A? ippbx1" instead of "A? ippbx1.kalmar.se". > The host command expects to get an answer from 127.0.0.1. I am not yet sure where this comes from but if that's really a problem change it to nameserver 172.16.101.3 as this is what it is effectively anyway. > Changing the nameserver address in resolv.conf to 172.16.101.3 does not > change anything. Using the FQDN does not help because it's still the wrong > expected address. 
Now that does not make any sense. You changed the IP but it is still reporting the "reply from unexpected source: ... expected .."?

> The only thing that works is: host ippbx1.kalmar.se
> 172.16.101.3.
>
> Using ping gives a different picture:

You enabled raw sockets for jails?

> [root@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
>
>
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto
> UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A?
> ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto
> ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53
> unreachable, length 36
>
>
> ping does add the domain to the query but does not read the address from
> resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0
> machine and does not run BIND.

I start wondering if you are editing the correct resolv.conf inside the correct jail and running your commands inside the same jail?

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From davidn04 at gmail.com Sat Feb 14 14:44:10 2009
From: davidn04 at gmail.com (David N)
Date: Sat Feb 14 14:44:16 2009
Subject: BIND in jail problem
In-Reply-To: <499733EC.3040706@netplex.se>
References: <499733EC.3040706@netplex.se>
Message-ID: <4d7dd86f0902141417xb626f20h2c694fb3861f751f@mail.gmail.com>

2009/2/15 Anders Hagman :
> Hi
>
> I'm trying to use BIND inside a jail and have passed the chroot
> problem and have a running named without chroot.
>
> The problem is that the jail does not have the address 127.0.0.1 or does not
> use the info in resolv.conf.
>
> When I use the host command I get:
>
> [root@ippbx1 ~]# host ippbx1
> ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 127.0.0.1
>
> tcpdump:
> 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none], proto
> UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+ A? ippbx1.
> (24)
>
> 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none], proto
> UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477 ServFail
> 0/0/0 (24
>
> As you can see the destination address is 172.16.101.3 despite the name
> server address in resolv.conf. The host command does not add the domain as
> it should and sends the query as "A? ippbx1" instead of "A?
> ippbx1.kalmar.se". The host command expects to get an answer from 127.0.0.1.
>
> Changing the nameserver address in resolv.conf to 172.16.101.3 does not
> change anything. Using the FQDN does not help because it's still the wrong
> expected address. The only thing that works is: host ippbx1.kalmar.se
> 172.16.101.3.
>
> Using ping gives a different picture:
>
> [root@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
>
>
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none], proto
> UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A?
> ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none], proto
> ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp port 53
> unreachable, length 36
>
>
> ping does add the domain to the query but does not read the address from
> resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host 0
> machine and does not run BIND.
>
>
> uname -a
> FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0
> named -v
> BIND 9.4.2-P2
>
> named.conf:
> zone "kalmar.se" { type master; file "master/kalmar"; };
> zone "101.16.172.in-addr.arpa" { type master; file "master/kalmar.rev"; };
>
> zone file kalmar:
>
> $TTL 3h
> @ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
> ; Serial, Refresh, Retry, Expire, Neg. cache TTL
>
> IN NS ippbx1.kalmar.se.
> ippbx1 IN A 172.16.101.3
>
> zone file kalmar.rev:
>
> $TTL 3h
> @ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
> ; Serial, Refresh, Retry, Expire, Neg. cache TTL
> IN NS ippbx1.kalmar.se.
> 3 IN PTR ippbx1.kalmar.se.
>
>
> Why do I want to run BIND inside a jail? Well, I'm building an IP-PBX lab
> and want to run six autonomous jails with DNS, DHCP, NTP and Asterisk
> inside.
> DHCP and Asterisk work, but DNS is vital for the lab.
>
> BR
> Anders H
>

Hi,

You also need in your named.conf:

options {
    allow-query { 10.0.0.0/8; };                 <-- replace with your own network
    listen-on { 10.1.20.1; };                    <-- replace with your jail IP
    forwarders { xx.xx.xx.xx; xx.xx.xx.xx; };    <-- replace with your upstream DNS servers (supplied by ISP)
};

In resolv.conf there should be your domain and DNS server(s) IP addresses, not 127.0.0.1; there is no localhost inside the jails, so it won't work.

Regards

From bugmaster at FreeBSD.org Mon Feb 16 03:06:55 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 16 03:08:25 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200902161106.n1GB6rhG096170@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots

3 problems total.

From anders.hagman at netplex.se Mon Feb 16 12:55:13 2009
From: anders.hagman at netplex.se (Anders Hagman)
Date: Mon Feb 16 12:55:21 2009
Subject: BIND in jail problem
In-Reply-To: <499733EC.3040706@netplex.se>
References: <499733EC.3040706@netplex.se>
Message-ID: <4999D2A2.4000107@netplex.se>

Hi, responding to my own mail with a solution:

If you spell resolv right, and not reslov, everything works.

[root@ippbx1 ~]# mv /etc/reslov.conf /etc/resolv.conf
[root@ippbx1 ~]# host ippbx1
ippbx1.kalmar.se has address 172.16.101.3

Working with bash helps you spell. ;->

> Hi
>
> I'm trying to use BIND inside a jail and have passed the chroot
> problem and have a running named without chroot.
>
> The problem is that the jail does not have the address 127.0.0.1 or does
> not use the info in resolv.conf.
>
> When I use the host command I get:
>
> [root@ippbx1 ~]# host ippbx1
> ;; reply from unexpected source: 172.16.101.3#53, expected 127.0.0.1#53
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 127.0.0.1
>
> tcpdump:
> 21:33:49.569332 IP (tos 0x0, ttl 64, id 31390, offset 0, flags [none],
> proto UDP (17), length 52) 172.16.101.3.62278 > 172.16.101.3.53: 28477+
> A? ippbx1. (24)
>
> 21:33:49.569890 IP (tos 0x0, ttl 64, id 31393, offset 0, flags [none],
> proto UDP (17), length 52) 172.16.101.3.53 > 172.16.101.3.62278: 28477
> ServFail 0/0/0 (24
>
> As you can see the destination address is 172.16.101.3 despite the name
> server address in resolv.conf.
> The host command does not add the domain
> as it should and sends the query as "A? ippbx1" instead of "A?
> ippbx1.kalmar.se". The host command expects to get an answer from
> 127.0.0.1.
>
> Changing the nameserver address in resolv.conf to 172.16.101.3 does not
> change anything. Using the FQDN does not help because it's still the
> wrong expected address. The only thing that works is: host
> ippbx1.kalmar.se 172.16.101.3.
>
> Using ping gives a different picture:
>
> [root@ippbx1 ~]# ping ippbx1
> ping: cannot resolve ippbx1: Host name lookup failure
>
> /etc/resolv.conf
> domain kalmar.se
> search kalmar.se
> nameserver 172.16.101.3
>
>
> tcpdump:
> 21:47:39.143152 IP (tos 0x0, ttl 64, id 31817, offset 0, flags [none],
> proto UDP (17), length 62) 172.16.101.3.60878 > 127.0.0.1.53: 35805+ A?
> ippbx1.kalmar.se. (34)
> 21:47:39.143165 IP (tos 0x0, ttl 64, id 31818, offset 0, flags [none],
> proto ICMP (1), length 56) 127.0.0.1 > 172.16.101.3: ICMP 127.0.0.1 udp
> port 53 unreachable, length 36
>
>
> ping does add the domain to the query but does not read the address from
> resolv.conf and sends the query to 127.0.0.1. And 127.0.0.1 is the host
> 0 machine and does not run BIND.
>
>
> uname -a
> FreeBSD ippbx1.kalmar.se 7.1-RELEASE FreeBSD 7.1-RELEASE #0
> named -v
> BIND 9.4.2-P2
>
> named.conf:
> zone "kalmar.se" { type master; file "master/kalmar"; };
> zone "101.16.172.in-addr.arpa" { type master; file "master/kalmar.rev"; };
>
> zone file kalmar:
>
> $TTL 3h
> @ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
> ; Serial, Refresh, Retry, Expire, Neg. cache TTL
>
> IN NS ippbx1.kalmar.se.
> ippbx1 IN A 172.16.101.3
>
> zone file kalmar.rev:
>
> $TTL 3h
> @ SOA ippbx1.kalmar.se. root.ippbx1.kalmar.se. 42 1d 12h 1w 3h
> ; Serial, Refresh, Retry, Expire, Neg. cache TTL
> IN NS ippbx1.kalmar.se.
> 3 IN PTR ippbx1.kalmar.se.
>
>
> Why do I want to run BIND inside a jail?
> Well, I'm building an IP-PBX lab
> and want to run six autonomous jails with DNS, DHCP, NTP and Asterisk
> inside.
> DHCP and Asterisk work, but DNS is vital for the lab.
>
> BR
> Anders H
>

From linimon at FreeBSD.org Tue Feb 17 19:48:21 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Tue Feb 17 19:48:27 2009
Subject: bin/131800: [jail] rpcbind(8) fails to start in jail
Message-ID: <200902180348.n1I3mK8b048715@freefall.freebsd.org>

Old Synopsis: rpcbind fails to start in jail
New Synopsis: [jail] rpcbind(8) fails to start in jail

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Feb 18 03:47:51 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=131800

From bz at FreeBSD.org Wed Feb 18 02:30:04 2009
From: bz at FreeBSD.org (Bjoern A. Zeeb)
Date: Wed Feb 18 02:30:09 2009
Subject: bin/131800: [jail] rpcbind(8) fails to start in jail
Message-ID: <200902181030.n1IAU30H092167@freefall.freebsd.org>

The following reply was made to PR bin/131800; it has been noted by GNATS.

From: "Bjoern A. Zeeb"
To: bug-followup@FreeBSD.org, rob@debank.tv
Cc:
Subject: Re: bin/131800: [jail] rpcbind(8) fails to start in jail
Date: Wed, 18 Feb 2009 10:23:02 +0000 (UTC)

Hi,

This jail behaviour will soon change again so that opening an IPv6 socket will be possible w/o the IP, though this currently matches the behavior of the base system.

The problem here seems to be that (without looking at the code) rpcbind is not checking return codes properly.

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.
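An added check script for the "BIND in jail problem" thread above (example code, not from the thread or from FreeBSD): it audits a resolv.conf for the three things that thread turned on, a misspelled file name, domain and search both set, and a loopback nameserver inside a jail, where the jail(2) loopback rewrite Bjoern quotes makes the answer arrive from the jail's primary address and the resolver rejects it as a "reply from unexpected source". The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD. Audit a resolv.conf for the
# pitfalls discussed above. Findings are printed one per line and the return
# value of check_resolv_conf is the number of findings (0 = nothing found).
#
#   check_resolv_conf <path> <jailed 0|1> <jail-primary-ip>
#   e.g. inside a jail: check_resolv_conf /etc/resolv.conf "$(is_jailed)" 172.16.101.3

# On FreeBSD the sysctl security.jail.jailed is 1 inside a jail; elsewhere assume 0.
is_jailed() {
    sysctl -n security.jail.jailed 2>/dev/null || echo 0
}

check_resolv_conf() {
    path=$1 jailed=$2 jail_ip=$3
    findings=0

    if [ ! -f "$path" ]; then
        # The thread's actual root cause: the file had been created as
        # /etc/reslov.conf, so the resolver never read it at all.
        echo "MISSING: $path does not exist; look for a misspelled name:"
        for f in "$(dirname "$path")"/res*.conf; do
            [ -e "$f" ] && echo "  candidate: $f"
        done
        return 1
    fi

    # resolv.conf(5): domain and search are mutually exclusive; the last one wins.
    if grep -q '^domain[[:space:]]' "$path" && grep -q '^search[[:space:]]' "$path"; then
        echo "WARN: both 'domain' and 'search' are set; only the last one takes effect"
        findings=$((findings + 1))
    fi

    if ! grep -q '^nameserver[[:space:]]' "$path"; then
        echo "WARN: no nameserver line; the resolver has nowhere to send queries"
        findings=$((findings + 1))
    fi

    # Loopback nameserver inside a jail: the kernel rewrites 127.0.0.1/::1 to
    # the jail's primary address, so replies come back from $jail_ip instead.
    if [ "$jailed" -eq 1 ] \
        && grep -Eq '^nameserver[[:space:]]+(127\.0\.0\.1|::1)([[:space:]]|$)' "$path"; then
        echo "WARN: loopback nameserver inside a jail; replies will come from $jail_ip" \
             "and be rejected as 'reply from unexpected source'. Use: nameserver $jail_ip"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone demo on constructed input: the resolv.conf from the thread.
demo_path=$(mktemp)
printf 'domain kalmar.se\nsearch kalmar.se\nnameserver 127.0.0.1\n' > "$demo_path"
if check_resolv_conf "$demo_path" 1 172.16.101.3; then
    echo "clean"
else
    echo "findings: $?"
fi
rm -f "$demo_path"
```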
From delphij at delphij.net Thu Feb 19 17:16:31 2009
From: delphij at delphij.net (Xin LI)
Date: Thu Feb 19 17:16:44 2009
Subject: [RFC] Skeleton jail (rc.d feature proposal)
In-Reply-To: <20090212122419.Q53478@maildrop.int.zabbadoz.net>
References: <499244E6.9030205@delphij.net> <20090212122419.Q53478@maildrop.int.zabbadoz.net>
Message-ID: <499E0463.2070608@delphij.net>

Hi, Bjoern,

Bjoern A. Zeeb wrote:
[...]
> I do not have the following two on most/any of my machines:
>
>> usr/src
>> usr/obj

I agree.

> The correct way to do this I think would leave rc.d/jail untouched and
> (pre-)populate an /etc/fstab. and use that.

I do not think this is a very good approach for this use case.

Making it an rc.conf option enables the following tasks as a one-liner change:
 - Enabling/disabling skeleton jail (how will the system perform if I have the template directories read-only?);
 - Switching template root (what will happen if I switch from 7.1 userland to 7.2 userland?);
 - Changing mount points within all jails.

I do admit that all these can be done with scripts though.

Cheers,
--
Xin LI                    http://www.delphij.net/
FreeBSD - The Power to Serve!

From quakelee at geekcn.org Thu Feb 19 18:20:11 2009
From: quakelee at geekcn.org (Chao Shin)
Date: Thu Feb 19 18:20:29 2009
Subject: [RFC] Skeleton jail (rc.d feature proposal)
In-Reply-To: <499E0463.2070608@delphij.net>
References: <499244E6.9030205@delphij.net> <20090212122419.Q53478@maildrop.int.zabbadoz.net> <499E0463.2070608@delphij.net>
Message-ID:

On Fri, 20 Feb 2009 09:16:19 +0800, Xin LI wrote:

> Hi, Bjoern,
>
> Bjoern A. Zeeb wrote:
> [...]
>> I do not have the following two on most/any of my machines:
>>
>>> usr/src
>>> usr/obj
>
> I agree.
>
>> The correct way to do this I think would leave rc.d/jail untouched and
>> (pre-)populate an /etc/fstab. and use that.
>
> I do not think this is a very good approach for this use case.
>
> Making it an rc.conf option enables the following tasks as a one-liner
> change:
> - Enabling/disabling skeleton jail (how will the system perform if I
> have the template directories read-only?);
> - Switching template root (what will happen if I switch from 7.1 userland
> to 7.2 userland?);
> - Changing mount points within all jails.
>
> I do admit that all these can be done with scripts though.
>
> Cheers,
> --
> Xin LI                    http://www.delphij.net/
> FreeBSD - The Power to Serve!
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe@freebsd.org"

I think I like Li Xin's way. I have set up a jail host in my company with Li Xin's patch; it didn't change the usage of the original jail system, it just adds a make target in /usr/src/Makefile, and I can use skeleton jails and original jails in one jail host. They do not have many differences in rc.conf; if I want a skeleton, I just add two options with normal settings. It is a way that is compatible with the original design.

quakelee
--
The Power to Serve

From simon at FreeBSD.org Fri Feb 20 11:23:16 2009
From: simon at FreeBSD.org (Simon L. Nielsen)
Date: Fri Feb 20 11:26:43 2009
Subject: [RFC] Skeleton jail (rc.d feature proposal)
In-Reply-To: <499244E6.9030205@delphij.net>
References: <499244E6.9030205@delphij.net>
Message-ID: <20090220192312.GD1064@arthur.nitro.dk>

On 2009.02.10 19:24:22 -0800, Xin LI wrote:
> Ok, some local users has prodded me in committing the "skeleton jail"
> feature, I find it useful myself but not sure if it's appropriate to
> commit it against -HEAD, so I'd like to explain it, try to present it in

This complicates an already complicated etc/rc.d/jail script, so I think this is a very bad idea. rc.d/jail is already interesting enough security-wise as it is, IMO.

If anyone wants this very much, I think it should be done in an "external" (to etc/rc.d/jail) jail management system/script. Personally I have been very happy with ezjail, and I think having a script like that "externally" is a much better way to go. Whether that means importing ezjail or making something like it, I don't know.

--
Simon L. Nielsen

From bugmaster at FreeBSD.org Mon Feb 23 03:06:55 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Feb 23 03:08:20 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200902231106.n1NB6sjK055548@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/131800   jail       [jail] rpcbind(8) fails to start in jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots

4 problems total.
From bz at FreeBSD.org Mon Feb 23 07:30:04 2009
From: bz at FreeBSD.org (Bjoern A. Zeeb)
Date: Mon Feb 23 07:30:11 2009
Subject: bin/131800: [jail] rpcbind(8) fails to start in jail
Message-ID: <200902231530.n1NFU3O8059805@freefall.freebsd.org>

The following reply was made to PR bin/131800; it has been noted by GNATS.

From: "Bjoern A. Zeeb"
To: bug-followup@FreeBSD.org, rob@debank.tv
Cc:
Subject: Re: bin/131800: [jail] rpcbind(8) fails to start in jail
Date: Mon, 23 Feb 2009 15:22:12 +0000 (UTC)

From the jail side this should have been fixed with the latest MFC from jamie@ .

But this really is an rpcbind bug.

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From rob at debank.tv Mon Feb 23 19:50:05 2009
From: rob at debank.tv (rob@debank.tv)
Date: Mon Feb 23 19:50:11 2009
Subject: bin/131800: [jail] rpcbind(8) fails to start in jail
Message-ID: <200902240350.n1O3o4G8022433@freefall.freebsd.org>

The following reply was made to PR bin/131800; it has been noted by GNATS.

From: rob@debank.tv
To: "Bjoern A. Zeeb"
Cc: bug-followup@freebsd.org, rob@debank.tv
Subject: Re: bin/131800: [jail] rpcbind(8) fails to start in jail
Date: Tue, 24 Feb 2009 16:28:13 +1300 (NZDT)

> From the jail side this should have been fixed with the latest MFC
> from jamie@ .
>
> But this really is an rpcbind bug.
>
> --
> Bjoern A. Zeeb                      The greatest risk is not taking one.
>

Hi Bjoern,

I can confirm it now works again without editing the /etc/netconfig file. Should we leave the PR open for reference to the rpcbind problem?

Thanks,
Rob Evers

--
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
From linimon at FreeBSD.org Wed Feb 25 17:38:42 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Wed Feb 25 17:38:54 2009
Subject: kern/132092: [jail] jail can listen on *:port when jail_socket_unixiproute_only set to NO
Message-ID: <200902260138.n1Q1cfOF078870@freefall.freebsd.org>

Old Synopsis: jail can listen on *:port when jail_socket_unixiproute_only set to NO
New Synopsis: [jail] jail can listen on *:port when jail_socket_unixiproute_only set to NO

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Feb 26 01:38:20 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=132092