From bugmaster at FreeBSD.org Mon Jan 5 11:06:54 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan 5 11:08:23 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200901051106.n05B6sTu002827@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From Albert.Shih at obspm.fr Tue Jan 6 14:57:25 2009
From: Albert.Shih at obspm.fr (Albert Shih)
Date: Tue Jan 6 14:57:32 2009
Subject: Nagios & Jail
In-Reply-To: <20081218172218.GE3080@home.opsec.eu>
References: <20081217210542.GA25347@obspm.fr> <20081218172218.GE3080@home.opsec.eu>
Message-ID: <20090106145716.GE94159@obspm.fr>

On 18/12/2008 at 18:22:18+0100, Kurt Jaeger wrote
> Hi!
>
> > I've a problem with check_ping.
> >
> > [root@]# /usr/local/libexec/nagios/check_ping -H some_host -w 3000.0,80% -c 5000.0,100% -p 5
> > CRITICAL - You need more args!!!
> > Could not open pipe:
>
> > Anyone have successfully install a nagios server in a jail ?

First : Happy new years.

>
> Yes, and I think it's not a problem with ICMP sockets, but with
> the version of check_ping and what it's calling.
>
> Please try
>
> ./check_ping -v -v -v -H 212.71.195.58 -w 300.0,80% -c 500.0,100% -p 5
>
> and tell us which version of ping it is calling.
>

Thanks for your answers.

In fact I found the problem :

When I compile nagios-plugin ports in a jail the "configure" don't find
syntax of ping :

checking for ping... /sbin/ping
checking for ping6... /sbin/ping6
checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax

But if I compile the same ports in a "normal" server (both are amd64).

checking for ping... /sbin/ping
checking for ping6... /sbin/ping6
checking for ICMP ping syntax... /sbin/ping -n -c %d %s
checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s

So if I use the check_ping produce by compiling in a no-jail server on a
jail-server it's working.

I think it's a bug about the nagios-plugins ports. What you think ?

In fact that's not very important because I'm going to use check_fping

Thanks again for your answer.

Regards.

JAS
--
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Telephone: 01 45 07 76 26
Heure local/Local time:
Mar 6 jan 2009 15:48:55 CET

From bzeeb-lists at lists.zabbadoz.net Tue Jan 6 15:10:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Jan 6 15:10:38 2009
Subject: Nagios & Jail
In-Reply-To: <20090106145716.GE94159@obspm.fr>
References: <20081217210542.GA25347@obspm.fr> <20081218172218.GE3080@home.opsec.eu> <20090106145716.GE94159@obspm.fr>
Message-ID: <20090106150352.B45399@maildrop.int.zabbadoz.net>

On Tue, 6 Jan 2009, Albert Shih wrote:

> In fact I found the problem :
>
> When I compile nagios-plugin ports in a jail the "configure" don't find
> syntax of ping :
>
> checking for ping... /sbin/ping
> checking for ping6... /sbin/ping6
> checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax
>
> But if I compile the same ports in a "normal" server (both are amd64).
>
> checking for ping... /sbin/ping
> checking for ping6... /sbin/ping6
> checking for ICMP ping syntax... /sbin/ping -n -c %d %s
> checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s
>
> So if I use the check_ping produce by compiling in a no-jail server on a
> jail-server it's working.
>
> I think it's a bug about the nagios-plugins ports. What you think ?

I think most of all configure stuff out there is ... ok, if you
compile the port inside a jail and permit raw sockets, does it work
then --
either by using the rc.conf option and restarting the jail with
rc.d/jail or using sysctl security.jail.allow_raw_sockets=1 ?

It smells it tries to execute a ping command and that does not
succeed.

/bz

--
Bjoern A. Zeeb The greatest risk is not taking one.

From Albert.Shih at obspm.fr Tue Jan 6 16:03:36 2009
From: Albert.Shih at obspm.fr (Albert Shih)
Date: Tue Jan 6 16:03:42 2009
Subject: Nagios & Jail
In-Reply-To: <20090106150352.B45399@maildrop.int.zabbadoz.net>
References: <20081217210542.GA25347@obspm.fr> <20081218172218.GE3080@home.opsec.eu> <20090106145716.GE94159@obspm.fr> <20090106150352.B45399@maildrop.int.zabbadoz.net>
Message-ID: <20090106160333.GA99388@obspm.fr>

On 06/01/2009 at 15:06:37+0000, Bjoern A. Zeeb wrote
> On Tue, 6 Jan 2009, Albert Shih wrote:
>
> > In fact I found the problem :
> >
> > When I compile nagios-plugin ports in a jail the "configure" don't find
> > syntax of ping :
> >
> > checking for ping... /sbin/ping
> > checking for ping6... /sbin/ping6
> > checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax
> >
> > But if I compile the same ports in a "normal" server (both are amd64).
> >
> > checking for ping... /sbin/ping
> > checking for ping6... /sbin/ping6
> > checking for ICMP ping syntax... /sbin/ping -n -c %d %s
> > checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s
> >
> > So if I use the check_ping produce by compiling in a no-jail server on a
> > jail-server it's working.
> >
> > I think it's a bug about the nagios-plugins ports. What you think ?
>
> I think most of all configure stuff out there is ... ok, if you
> compile the port inside a jail and permit raw sockets, does it work
> then --
> either by using the rc.conf option and restarting the jail with
> rc.d/jail or using sysctl security.jail.allow_raw_sockets=1 ?

You mean I MUST restart the jail after I change the sysctl value ? Because
after I change it, I can make a ping from inside the jail without
restarting the jail.

Well I'm going to make a new jail to check that (all other jail is in
production).

>
> It smells it tries to execute a ping command and that does not
> succeed.

Yes. I agree.

Regards.

--
Albert SHIH
SIO batiment 15
Observatoire de Paris Meudon
5 Place Jules Janssen
92195 Meudon Cedex
Heure local/Local time:
Mar 6 jan 2009 17:02:12 CET

From bzeeb-lists at lists.zabbadoz.net Tue Jan 6 16:15:09 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Jan 6 16:15:15 2009
Subject: Nagios & Jail
In-Reply-To: <20090106160333.GA99388@obspm.fr>
References: <20081217210542.GA25347@obspm.fr> <20081218172218.GE3080@home.opsec.eu> <20090106145716.GE94159@obspm.fr> <20090106150352.B45399@maildrop.int.zabbadoz.net> <20090106160333.GA99388@obspm.fr>
Message-ID: <20090106160922.B45399@maildrop.int.zabbadoz.net>

On Tue, 6 Jan 2009, Albert Shih wrote:

> On 06/01/2009 at 15:06:37+0000, Bjoern A. Zeeb wrote
>> On Tue, 6 Jan 2009, Albert Shih wrote:
>>
>>> In fact I found the problem :
>>>
>>> When I compile nagios-plugin ports in a jail the "configure" don't find
>>> syntax of ping :
>>>
>>> checking for ping... /sbin/ping
>>> checking for ping6... /sbin/ping6
>>> checking for ICMP ping syntax... configure: WARNING: unable to find usable ping syntax
>>>
>>> But if I compile the same ports in a "normal" server (both are amd64).
>>>
>>> checking for ping... /sbin/ping
>>> checking for ping6... /sbin/ping6
>>> checking for ICMP ping syntax... /sbin/ping -n -c %d %s
>>> checking for ICMPv6 ping syntax... /sbin/ping6 -n -c %d %s
>>>
>>> So if I use the check_ping produce by compiling in a no-jail server on a
>>> jail-server it's working.
>>>
>>> I think it's a bug about the nagios-plugins ports. What you think ?
>>
>> I think most of all configure stuff out there is ... ok, if you
>> compile the port inside a jail and permit raw sockets, does it work
>> then --
>> either by using the rc.conf option and restarting the jail with
>> rc.d/jail or using sysctl security.jail.allow_raw_sockets=1 ?
>
> You mean I MUST restart the jail after I change the sysctl value ? Because
> after I change it, I can make a ping from inside the jail without
> restarting the jail.
>
> Well I'm going to make a new jail to check that (all other jail is in
> production).

No, if you manually change the sysctl it's all fine and production
immediately. If you change the option ..

wait; my fault, raw sockets is not supported by the rc framework in
contrast to other things, so there is no option there. I confused this
with jail_socket_unixiproute_only in which case just changing it in
rc.conf would not be sufficient.

/bz

--
Bjoern A. Zeeb The greatest risk is not taking one.

From bsemene at cyanide-studio.com Thu Jan 8 10:07:07 2009
From: bsemene at cyanide-studio.com (Bastien Semene)
Date: Thu Jan 8 10:07:14 2009
Subject: Importing sources to build the basejail.
Message-ID: <4965CB78.8000105@cyanide-studio.com>

Hi,

I'm new to the list and unfortunately I come with a problem.

My problem is that jails cannot start pseudo terminals. I found the
"software" problem but I think the origin is out there.
The host OS (FreeBSD 7.0) has been installed by a procedure from my
server provider, but it doesn't contain the src.
So I imported the src from another FreeBSD 7.0 server. It worked for
making world and building the basejail but generated the following error
and maybe others I can't see for the moment.

So I wish to find a safe way to import sources to build a correct
basejail. If anyone can point me a place where to find it or some
advices I'll be glad.
Thank you.

--
Bastien Semene
Network & System Administrator
admin@cyanide-studio.com
+33 (0)1 47 86 30 80
+33 (0)6 74 91 57 08
Cyanide S.A.
5, Boulevard des Bouvets
92000 Nanterre - FRANCE

From bzeeb-lists at lists.zabbadoz.net Thu Jan 8 11:04:20 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Jan 8 11:04:27 2009
Subject: jail startup script for multi-IPs + ifconfig *sigh* stuff
Message-ID: <20090108104801.H45399@maildrop.int.zabbadoz.net>

Hi,

I have a barely tested patch to rc.d/jail for HEAD (or the multi-IP
jail patch on 7) with the defaults/rc.conf and a for sure enhanceable
rc.conf.5 patch here:
http://people.freebsd.org/~bz/20090108-02-rc-jail.diff

For everyone who wants to grab the entire rc.d/jail file, fetch it from
http://people.freebsd.org/~bz/jail

This entire patch is only needed for those people who like to get their
IPs configured/deconfigured upon jail start/stop and you see what a
mess of extra code this gives -- I am sure someone could improve the
sh(1) code but ... I do NOT like this and neither do other people who
will need to approve this to go in.

I have been trying to support (most, all but the _netmask) from the old
version so you can still only give a single IP, or an IP list (of mixed
address families) but you can now also leave the IP part entirely empty
and start a no-IP jail or add a _multi with n starting at 0 (like with
_alias) and give the IPs on an extra line each.

If you want to give an interface you can still use the jail_interface
or jail__interface but you can also give an interface per address now
in that you prefix the address with "ifName|" (yes a pipe and no
blanks!).

If you want to give a netmask you can suffix an address with one of
those:
- "/" -- prefix notation, no spaces allowed
- " netmask a.b.c.d" -- netmask with a space between the address and the
  word "netmask" and a full dot-quad mask. You are not allowed to be
  clever and write "netmask a.b.c"
- " prefixlen n" -- similar to netmask but for v6

Obviously netmask will not work for a v6 address and prefixlen not for
v4 as what you give is directly passed to ifconfig.

If you give "interface" but no "netmask" '/32' is assumed for v4 and
'/128' for v6.

Anything I missed?

What I want to know from you:
1) does your current rc.conf setup work if you just replace
   /etc/rc.d/jail? (keep a backup of the old - outside of that directory!)
2) does this work for all the features *sigh* you need?
3) does it work with whatever management tool you use for jails?
4) any other comments?

In case there are bugs or problems, let me know - I'll update and
repost links.

/bz

PS: special thanks to Ruben van Staveren who had maintained a (slightly)
different version supporting v4/v6 ifconfig all the time!

--
Bjoern A. Zeeb The greatest risk is not taking one.

From michel at douyere.com Thu Jan 8 11:21:03 2009
From: michel at douyere.com (Michel)
Date: Thu Jan 8 11:21:11 2009
Subject: Importing sources to build the basejail.
In-Reply-To: <4965CB78.8000105@cyanide-studio.com>
References: <4965CB78.8000105@cyanide-studio.com>
Message-ID: <200901081152.57292.michel@douyere.com>

On Thursday 8 January 2009, Bastien Semene wrote:
> Hi,
>
> I'm new to the list and unfortunately I come with a problem.
>
> My problem is that jails cannot start pseudo terminals. I found the
> "software" problem but I think the origin is out there.
> The host OS (FreeBSD 7.0) has been installed by a procedure from my
> server provider, but it doesn't contain the src.
> So I imported the src from another FreeBSD 7.0 server. It worked for
> making world and building the basejail but generated the following error
> and maybe others I can't see for the moment.
>
> So I wish to find a safe way to import sources to build a correct
> basejail. If anyone can point me a place where to find it or some
> advices I'll be glad.
> Thank you.

Try : sysinstall > Configure > Distributions > src

Michel

From bzeeb-lists at lists.zabbadoz.net Fri Jan 9 13:15:07 2009
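
The per-address syntax from the "jail startup script for multi-IPs" message above (an optional "ifName|" prefix, then "/prefix", " netmask a.b.c.d" or " prefixlen n", with /32 and /128 as defaults), as an added example that is not taken from the rc.d/jail patch: a POSIX sh function that validates one entry before anything reaches ifconfig(8) as root. The function names and the printed argument layout are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not code from the rc.d/jail patch. Function names and the
# printed layout ("<if> <family> <address spec> alias") are hypothetical.

# is_dotquad MASK: succeed only for four dot-separated decimal fields
# (the octet range itself is left to ifconfig).
is_dotquad() {
    case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
    *.*.*.*.*) return 1 ;;
    *.*.*.*) return 0 ;;
    *) return 1 ;;
    esac
}

# is_uint_max VALUE MAX: succeed if VALUE is a decimal integer in 0..MAX.
is_uint_max() {
    case "$1" in
    ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le "$2" ]
}

# jail_addr_args ENTRY [DEFAULT_IF]
# Prints the ifconfig arguments for one address entry, or nothing when no
# interface applies. Returns 1 for entries the described syntax rules out.
jail_addr_args() {
    _entry=$1
    _if=${2:-}
    _kind=none
    _mask=

    # Per-address interface: "ifName|" prefix, a pipe and no blanks.
    case "$_entry" in
    *"|"*) _if=${_entry%%"|"*}; _entry=${_entry#*"|"} ;;
    esac
    case "$_if" in
    *[!A-Za-z0-9_.]*) echo "bad interface name: $_if" >&2; return 1 ;;
    esac

    # Split off the netmask suffix, if any.
    case "$_entry" in
    *" netmask "*)
        _kind=netmask
        _addr=${_entry%%" netmask "*}; _mask=${_entry#*" netmask "} ;;
    *" prefixlen "*)
        _kind=prefixlen
        _addr=${_entry%%" prefixlen "*}; _mask=${_entry#*" prefixlen "} ;;
    */*)
        _kind=slash
        _addr=${_entry%%/*}; _mask=${_entry#*/} ;;
    *)
        _addr=$_entry ;;
    esac

    # Derive the address family from the literal and reject anything that
    # is not a plain address (blanks, shell metacharacters, stray words).
    case "$_addr" in
    ''|*[!0-9A-Fa-f:.]*) echo "bad address: $_addr" >&2; return 1 ;;
    *:*) _af=inet6; _max=128 ;;
    *[!0-9.]*) echo "bad address: $_addr" >&2; return 1 ;;
    *) _af=inet; _max=32 ;;
    esac

    case "$_kind" in
    netmask)
        [ "$_af" = inet ] || { echo "netmask is v4 only" >&2; return 1; }
        is_dotquad "$_mask" || { echo "netmask needs a full dot-quad" >&2; return 1; }
        _spec="$_addr netmask $_mask" ;;
    prefixlen)
        [ "$_af" = inet6 ] || { echo "prefixlen is v6 only" >&2; return 1; }
        is_uint_max "$_mask" "$_max" || { echo "bad prefixlen: $_mask" >&2; return 1; }
        _spec="$_addr prefixlen $_mask" ;;
    slash)
        is_uint_max "$_mask" "$_max" || { echo "bad prefix: $_mask" >&2; return 1; }
        _spec="$_addr/$_mask" ;;
    none)
        # Interface given but no netmask: /32 for v4, /128 for v6.
        _spec="$_addr/$_max" ;;
    esac

    [ -n "$_if" ] || return 0   # no interface: nothing to configure
    echo "$_if $_af $_spec alias"
}

# Constructed sample entries (not from a real rc.conf).
for e in 'em0|10.0.0.5' 'em0|2001:db8::5' \
         'em0|10.0.0.5 netmask 255.255.255.0' \
         'em0|10.0.0.5 netmask 255.255.255' \
         'em0|2001:db8::5 netmask 255.255.255.0'; do
    jail_addr_args "$e" || echo "rejected: $e"
done
```
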
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Fri Jan 9 13:15:17 2009 Subject: Problems with Samba -- svn commit: r186948 - in head/sys: netinet netinet6 (fwd) Message-ID: <20090109131142.O45399@maildrop.int.zabbadoz.net> Hi, in case anyone had trouble for example with Samba inside a jail (and had to set interfaces = ...) you may want to update to this on HEAD or grab the patch form the PR if you are running the multi-IP jail patch. I'll include this in the next (upcoming) patchset. /bz -- Bjoern A. Zeeb The greatest risk is not taking one. ---------- Forwarded message ---------- Date: Fri, 9 Jan 2009 13:06:57 +0000 (UTC) From: Bjoern A. Zeeb To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r186948 - in head/sys: netinet netinet6 Author: bz Date: Fri Jan 9 13:06:56 2009 New Revision: 186948 URL: http://svn.freebsd.org/changeset/base/186948 Log: Make SIOCGIFADDR and related, as well as SIOCGIFADDR_IN6 and related jail-aware. Up to now we returned the first address of the interface for SIOCGIFADDR w/o an ifr_addr in the query. This caused problems for programs querying for an address but running inside a jail, as the address returned usually did not belong to the jail. Like for v6, if there was an ifr_addr given on v4, you could probe for more addresses on the interfaces that you were not allowed to see from inside a jail. Return an error (EADDRNOTAVAIL) in that case now unless the address is on the given interface and valid for the jail. PR: kern/114325 Reviewed by: rwatson MFC after: 4 weeks Modified: head/sys/netinet/in.c head/sys/netinet6/in6.c Modified: head/sys/netinet/in.c ============================================================================== --- head/sys/netinet/in.c Fri Jan 9 12:38:41 2009 (r186947) +++ head/sys/netinet/in.c Fri Jan 9 13:06:56 2009 (r186948) @@ -41,7 +41,9 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include +#include #include #include 
@@ -261,13 +263,19 @@ in_control(struct socket *so, u_long cmd LIST_FOREACH(iap, INADDR_HASH(dst.s_addr), ia_hash) if (iap->ia_ifp == ifp && iap->ia_addr.sin_addr.s_addr == dst.s_addr) { - ia = iap; + if (td == NULL || prison_check_ip4( + td->td_ucred, &dst)) + ia = iap; break; } if (ia == NULL) TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { iap = ifatoia(ifa); if (iap->ia_addr.sin_family == AF_INET) { + if (td != NULL && + !prison_check_ip4(td->td_ucred, + &iap->ia_addr.sin_addr)) + continue; ia = iap; break; } Modified: head/sys/netinet6/in6.c ============================================================================== --- head/sys/netinet6/in6.c Fri Jan 9 12:38:41 2009 (r186947) +++ head/sys/netinet6/in6.c Fri Jan 9 13:06:56 2009 (r186948) @@ -68,6 +68,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -329,6 +330,9 @@ in6_control(struct socket *so, u_long cm error = in6_setscope(&sa6->sin6_addr, ifp, NULL); if (error != 0) return (error); + if (td != NULL && !prison_check_ip6(td->td_ucred, + &sa6->sin6_addr)) + return (EADDRNOTAVAIL); ia = in6ifa_ifpwithaddr(ifp, &sa6->sin6_addr); } else ia = NULL; From bz at FreeBSD.org Fri Jan 9 22:45:57 2009 From: bz at FreeBSD.org (bz@FreeBSD.org) Date: Fri Jan 9 22:46:03 2009 Subject: kern/72498: [libc] [jail] timestamp code on jailed SMP machine generates incorrect results Message-ID: <200901092245.n09MjuZF035323@freefall.freebsd.org> Synopsis: [libc] [jail] timestamp code on jailed SMP machine generates incorrect results State-Changed-From-To: open->feedback State-Changed-By: bz State-Changed-When: Fri Jan 9 22:45:13 UTC 2009 State-Changed-Why: Submitter asked for information. Responsible-Changed-From-To: freebsd-jail->bz Responsible-Changed-By: bz Responsible-Changed-When: Fri Jan 9 22:45:13 UTC 2009 Responsible-Changed-Why: Track it. http://www.freebsd.org/cgi/query-pr.cgi?pr=72498 From bz at FreeBSD.org Fri Jan 9 22:46:49 2009 
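Review bot: in the in_control() hunk of head/sys/netinet/in.c (r186948, above), a requested address that matches an interface entry but fails prison_check_ip4() leaves ia NULL at the "break", so control falls into the "if (ia == NULL)" fallback loop and the caller gets the first jail-visible AF_INET address on the interface rather than an error. The commit log promises EADDRNOTAVAIL for a probe of an address the jail may not see, and the in6_control() hunk returns it directly; either return the error for a rejected dst before the fallback, or add a comment stating that falling back to the jail's own address is intended for v4.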
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Fri Jan 9 22:46:56 2009
Subject: kern/68192: [quotas] [jail] Cannot use quotas on jailed systems
Message-ID: <200901092246.n09Mknr8035373@freefall.freebsd.org>

Synopsis: [quotas] [jail] Cannot use quotas on jailed systems

Responsible-Changed-From-To: freebsd-jail->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Fri Jan 9 22:46:23 UTC 2009
Responsible-Changed-Why:
Sounds like a documentation issue.

http://www.freebsd.org/cgi/query-pr.cgi?pr=68192

From bz at FreeBSD.org Sat Jan 10 13:20:05 2009
From: bz at FreeBSD.org (Bjoern A. Zeeb)
Date: Sat Jan 10 13:20:12 2009
Subject: kern/89528: [jail] [patch] impossible to kill a jail
Message-ID: <200901102120.n0ALK4Ts094874@freefall.freebsd.org>

The following reply was made to PR kern/89528; it has been noted by GNATS.

From: "Bjoern A. Zeeb"
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/89528: [jail] [patch] impossible to kill a jail
Date: Sat, 10 Jan 2009 21:11:01 +0000 (UTC)

Before I am going to look it up another few times, this is the commit
referenced by Andrew Thompson at Fri, 7 Dec 2007 20:21:09 +1300.
Can also be looked up as SVN r174280 these days.

--
Bjoern A. Zeeb The greatest risk is not taking one.

---------- Forwarded message ----------
Date: Wed, 5 Dec 2007 01:22:03 +0000 (UTC)
From: Andrew Thompson To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/kern kern_conf.c thompsa 2007-12-05 01:22:03 UTC FreeBSD src repository Modified files: sys/kern kern_conf.c Log: Apply a workaround for the unkillable jail problem where some devices created within the jail are never freed. si_cred is only used by the MAC framework so make the cred reference conditional on it being compiled in, this is not a fix and will need to be reviewed for any new consumers of si_cred. This will quell some user complaint when using jails with a default kernel. Reviewed by: rwatson MFC after: 3 days Revision Changes Path 1.209 +2 -0 src/sys/kern/kern_conf.c Index: sys/kern/kern_conf.c =================================================================== --- sys/kern/kern_conf.c (revision 174279) +++ sys/kern/kern_conf.c (revision 174280) @@ -608,9 +608,11 @@ make_dev_credv(int flags, struct cdevsw *devsw, in } dev->si_flags |= SI_NAMED; +#ifdef MAC if (cr != NULL) dev->si_cred = crhold(cr); else +#endif dev->si_cred = NULL; dev->si_uid = uid; dev->si_gid = gid; From bz at FreeBSD.org Sat Jan 10 15:15:23 2009 From: bz at FreeBSD.org (bz@FreeBSD.org) Date: Sat Jan 10 15:15:30 2009 Subject: kern/89528: [jail] [patch] impossible to kill a jail Message-ID: <200901102315.n0ANFNmq084239@freefall.freebsd.org> Synopsis: [jail] [patch] impossible to kill a jail Responsible-Changed-From-To: freebsd-jail->bz Responsible-Changed-By: bz Responsible-Changed-When: Sat Jan 10 23:15:03 UTC 2009 Responsible-Changed-Why: Take again to track possible follow-ups. http://www.freebsd.org/cgi/query-pr.cgi?pr=89528 From bugmaster at FreeBSD.org Mon Jan 12 03:06:56 2009 
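Review bot: in the make_dev_credv() hunk of sys/kern/kern_conf.c (r174280, above), the #ifdef MAC / #endif pair wraps only "if (cr != NULL) ... else", so "dev->si_cred = NULL;" is the else-body in MAC kernels and a bare statement otherwise, with no comment explaining why. The log calls this a workaround that must be revisited for any new consumer of si_cred; put that warning in a comment at the #ifdef, and consider a full #ifdef/#else/#endif with both assignments spelled out, so a later reader does not assume si_cred is populated in non-MAC kernels.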
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan 12 03:08:22 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200901121106.n0CB6sq2092029@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

3 problems total.

From bugmaster at FreeBSD.org Mon Jan 19 03:07:00 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan 19 03:08:13 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200901191107.n0JB705t063003@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

3 problems total.

From stef-list at memberwebs.com Mon Jan 19 17:40:19 2009
From: stef-list at memberwebs.com (Stef)
Date: Mon Jan 19 17:40:31 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
Message-ID: <20090120011951.D26228C282E@mx.npubs.com>

I hope it's okay to announce this here. I thought folks might be
interested...

I've released a bsnmp module for monitoring jails via SNMP. Stuff like
network traffic, disk space, CPU utilization etc...

FreeBSD port attached, available here:

http://memberwebs.com/stef/software/bsnmp-jails/

Cheers,

Stef Walter

From 000.fbsd at quip.cz Tue Jan 20 04:00:54 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Tue Jan 20 04:01:01 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
In-Reply-To: <20090120011951.D26228C282E@mx.npubs.com>
References: <20090120011951.D26228C282E@mx.npubs.com>
Message-ID: <4975B8F3.7010008@quip.cz>

Stef wrote:
> I hope it's okay to announce this here. I thought folks might be
> interested...
>
> I've released a bsnmp module for monitoring jails via SNMP. Stuff like
> network traffic, disk space, CPU utilization etc...
>
> FreeBSD port attached, available here:
>
> http://memberwebs.com/stef/software/bsnmp-jails/

Thank you for your announcement and your work! I will test it as soon as
possible.

Is there some limitation of FreeBSD version (6.x / 7.x / 8.x; i386 /
amd64) or is it compatible with "all"?

Miroslav Lachman

From stef-list at memberwebs.com Tue Jan 20 19:26:11 2009
From: stef-list at memberwebs.com (Stef)
Date: Tue Jan 20 19:26:18 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
References: <20090120011951.D26228C282E@mx.npubs.com> <4975B8F3.7010008@quip.cz>
Message-ID: <20090121032610.548568C2A3D@mx.npubs.com>

Miroslav Lachman wrote:
> Stef wrote:
>> I've released a bsnmp module for monitoring jails via SNMP. Stuff like
>> network traffic, disk space, CPU utilization etc...
>>
>> FreeBSD port attached, available here:
>>
>> http://memberwebs.com/stef/software/bsnmp-jails/
>
> Thank you for your announcement and your work! I will test it as soon as
> possible.
>
> Is there some limitation of FreeBSD version (6.x / 7.x / 8.x; i386 /
> amd64) or is it compatible with "all"?

I hope it's compatible with all of the above. If you find problems with
later OS's or other architectures, I'd be happy to help find the
problems, or include patches.

When it was initially developed, 6.3 was the latest stable release of
FreeBSD. It's been deployed on a dozen production 6.3-RELEASE i386
servers (each with lots of jails).

Cheers,

Stef

From 000.fbsd at quip.cz Wed Jan 21 04:49:00 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Wed Jan 21 04:49:08 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
In-Reply-To: <20090121032610.548568C2A3D@mx.npubs.com>
References: <20090120011951.D26228C282E@mx.npubs.com> <4975B8F3.7010008@quip.cz> <20090121032610.548568C2A3D@mx.npubs.com>
Message-ID: <497719E9.1080107@quip.cz>

Stef wrote:
> Miroslav Lachman wrote:
>
>>Stef wrote:
>>
>>>I've released a bsnmp module for monitoring jails via SNMP. Stuff like
>>>network traffic, disk space, CPU utilization etc...
>>>
>>>FreeBSD port attached, available here:
>>>
>>>http://memberwebs.com/stef/software/bsnmp-jails/
>>
>>Thank you for your announcement and your work! I will test it as soon as
>>possible.
>>
>>Is there some limitation of FreeBSD version (6.x / 7.x / 8.x; i386 /
>>amd64) or is it compatible with "all"?
>
>
> I hope it's compatible with all of the above. If you find problems with
> later OS's or other architectures, I'd be happy to help find the
> problems, or include patches.
>
> When it was initially developed, 6.3 was the latest stable release of
> FreeBSD. It's been deployed on a dozen production 6.3-RELEASE i386
> servers (each with lots of jails).

I added link to your website on http://wiki.freebsd.org/Jails
Do you plan to submit PR with port? Let me know if you submit it, so I can
update the wiki page.

Miroslav Lachman

From bzeeb-lists at lists.zabbadoz.net Wed Jan 21 05:20:14 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Jan 21 05:20:21 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
In-Reply-To: <497719E9.1080107@quip.cz>
References: <20090120011951.D26228C282E@mx.npubs.com> <4975B8F3.7010008@quip.cz> <20090121032610.548568C2A3D@mx.npubs.com> <497719E9.1080107@quip.cz>
Message-ID: <20090121131105.P45399@maildrop.int.zabbadoz.net>

On Wed, 21 Jan 2009, Miroslav Lachman wrote:

Hi,

> Stef wrote:
>> Miroslav Lachman wrote:
>>
>>> Stef wrote:
>>>
>>>> I've released a bsnmp module for monitoring jails via SNMP. Stuff like
>>>> network traffic, disk space, CPU utilization etc...
>>>>
>>>> FreeBSD port attached, available here:
>>>>
>>>> http://memberwebs.com/stef/software/bsnmp-jails/
>>>
>>> Thank you for your announcement and your work! I will test it as soon as
>>> possible.
>>>
>>> Is there some limitation of FreeBSD version (6.x / 7.x / 8.x; i386 /
>>> amd64) or is it compatible with "all"?
>>
>>
>> I hope it's compatible with all of the above. If you find problems with
>> later OS's or other architectures, I'd be happy to help find the
>> problems, or include patches.
>>
>> When it was initially developed, 6.3 was the latest stable release of
>> FreeBSD. It's been deployed on a dozen production 6.3-RELEASE i386
>> servers (each with lots of jails).
>
> I added link to your website on http://wiki.freebsd.org/Jails
> Do you plan to submit PR with port? Let me know if you submit it, so I can
> update the wiki page.

I see a few problems with the module (and I haven't investigated a lot
yet):

- the entire pcap stuff in there
- the inode and cpu usage stuff in there

This is all going to break on the assumption that jails do use things
exclusively. For example there can be 10 jails all sharing the same IP.
There can be jails all sharing the same fs, nullfs mounts, ...

And to my understanding the cpu usage reported is at best a snapshot
guess but no clean statics value.

I admit that those things (apart from traffic which really belongs
elsewhere) can become interesting with resource limit patches where we
get proper values from elsewhere w/o having to do guess-math.

- no support for jails in HEAD (and soon in 7)
- does the MIB list the IP address(es)?
- private copies of xprison structures
- ...

I have the feeling that this will need a bit of polishing and
separation of things...

I hope Shteryana may join in here ...

--
Bjoern A. Zeeb The greatest risk is not taking one.

From stef-list at memberwebs.com Wed Jan 21 08:00:25 2009
From: stef-list at memberwebs.com (Stef)
Date: Wed Jan 21 08:00:32 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
References: <20090120011951.D26228C282E@mx.npubs.com> <4975B8F3.7010008@quip.cz> <20090121032610.548568C2A3D@mx.npubs.com> <497719E9.1080107@quip.cz> <20090121131105.P45399@maildrop.int.zabbadoz.net>
Message-ID: <20090121160023.960DC8C2862@mx.npubs.com>

Bjoern A. Zeeb wrote:
> I see a few problems with the module (and I haven't investigated a lot
> yet):

Hi. BTW, thanks for the work you've put into jails on HEAD. Really looking forward to that.

The bsnmp-jails module certainly could be improved a lot. As my clients migrate to newer versions of FreeBSD, that would happen naturally. Or if anyone interested wants to participate, please do. I'm open to better ideas, code and implementations. bsnmp-jails was born out of necessity.

Some answers to your points below, but this doesn't mean that I don't think they're valid.

> - the entire pcap stuff in there

Yes, at first glance not the most efficient. It'd be awesome if there were kernel counters for this. But the big benefit to using pcap is that it allows us to exclude certain traffic (see jailNetworkFilter config), such as local site traffic, from the counters.

> This is all going to break on the assumption that jails do use things
> exclusively. For example there can be 10 jails all sharing the same IP.
> There can be jails all sharing the same fs, nullfs mounts, ...

Certainly. Jails can be configured in a multitude of ways. Obviously, one can even use them as a chroot. I don't think bsnmp-jails makes sense for every possible use of jail(2).

The module doesn't follow mounts when calculating disks and files. In the future I'm thinking of moving to ZFS for my jails, one fs per jail, and that'd make it far quicker and easier to calculate disks and file usage. That is, if the top level path of a jail is a mount point, then bsnmp-jail could just use info straight from that mount point instead of walking the tree inefficiently.

> And to my understanding the cpu usage reported is at best a snapshot
> guess but no clean statics value.

I'm certainly no expert at this, however I've thought that the CPU usage is one of the more accurate parts of bsnmp-jail. It monitors ki_childtime + ki_runtime for all the processes. In addition, when a process that has a parent outside the jail exits (i.e. a daemon restarting), it keeps track of that process's ki_childtime + ki_runtime and keeps it in the counters.

The above opens a small window of time when CPU usage may be missed. The time between the last monitoring cycle (3 seconds by default) and when a daemon process exits may be missed. In reality this happens very rarely and the CPU statistics have been usable.

> I admit that those things (apart from traffic which really belongs
> elsewhere) can become interesting with resource limit patches where we
> get proper values from elsewhere w/o having to do guess-math.

Yes, it goes without saying that if there were kernel counters for CPU usage on the xprison structure, then that'd make things far simpler and more accurate.

> - no support for jails in HEAD (and soon in 7)

So far only two versions of the xprison structure are supported: the original single IP, and those patches that have been floating around. But it'd be easy to add support for the new jails.

> - does the MIB list the IP address(es)?

Nope, but it could be done easily, given the need.

> - private copies of xprison structures

Not sure I understand what you mean here.

bsnmp-jail tracks jails by hostname, not by jid, since those are volatile. It also has to do strange gymnastics to get around the 'phantom jail' effect on FreeBSD 6.x (and other versions?) where a jail hangs around in the kernel due to TCP TIME_WAIT.

> I have the feeling that this will need a bit of polishing and
> separation of things...

Yup certainly, and it's my hope that it will become more useful over time. Thanks for your advice.

Cheers,
Stef

From syrinx at FreeBSD.org Wed Jan 21 12:18:52 2009
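The CPU accounting described in Stef's message above, as an added sketch that is not bsnmp-jails code: `struct proc_sample`, `jail_cpu_poll` and the three process snapshots are constructed for illustration, with fields modelled on the `ki_runtime` and `ki_childtime` values the message names. It shows why the last-seen time of an exited process whose parent is outside the jail has to be retained, and where the window between the last poll and the exit is lost.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 64

/* Constructed stand-in for the struct kinfo_proc fields named in the
 * message; all times are flattened to microseconds. */
struct proc_sample {
    int pid, ppid, jid;
    uint64_t runtime_us;    /* cf. ki_runtime */
    uint64_t childtime_us;  /* cf. ki_childtime: CPU time of reaped children */
};

/* Per-jail state kept between monitoring cycles (hypothetical layout). */
struct jail_cpu {
    int jid;
    uint64_t retained_us;                 /* from exited top-level processes */
    struct proc_sample prev[MAX_TRACKED]; /* jail's processes at last cycle */
    size_t nprev;
};

static const struct proc_sample *
find_pid(const struct proc_sample *p, size_t n, int pid)
{
    for (size_t i = 0; i < n; i++)
        if (p[i].pid == pid)
            return &p[i];
    return NULL;
}

/* Sum over live processes only: what a stateless poller would report. */
uint64_t
live_sum_us(const struct proc_sample *snap, size_t n, int jid)
{
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++)
        if (snap[i].jid == jid)
            sum += snap[i].runtime_us + snap[i].childtime_us;
    return sum;
}

/* One monitoring cycle; returns the jail's cumulative CPU counter. */
uint64_t
jail_cpu_poll(struct jail_cpu *j, const struct proc_sample *snap, size_t n)
{
    for (size_t i = 0; i < j->nprev; i++) {
        const struct proc_sample *old = &j->prev[i];
        const struct proc_sample *now = find_pid(snap, n, old->pid);
        if (now != NULL && now->jid == j->jid)
            continue;               /* still running in this jail */
        /* Parent was inside the jail: the parent's childtime absorbs the
         * exited child once it is reaped, so nothing is retained here. */
        if (find_pid(j->prev, j->nprev, old->ppid) != NULL)
            continue;
        /* Parent outside the jail: the time would vanish from the sum, so
         * keep the last value seen. CPU used after that poll is lost. */
        j->retained_us += old->runtime_us + old->childtime_us;
    }
    j->nprev = 0;
    for (size_t i = 0; i < n && j->nprev < MAX_TRACKED; i++)
        if (snap[i].jid == j->jid)
            j->prev[j->nprev++] = snap[i];
    return j->retained_us + live_sum_us(snap, n, j->jid);
}

/* Constructed snapshots of three consecutive cycles; jail 3 is monitored. */
static const struct proc_sample cycle1[] = {
    {1, 0, 0, 9000000, 0},        /* host init, outside the jail */
    {100, 1, 3, 2000000, 0},      /* jail daemon, parent on the host */
    {101, 100, 3, 500000, 0},     /* worker forked by the daemon */
};
static const struct proc_sample cycle2[] = {
    {1, 0, 0, 9000000, 0},
    {100, 1, 3, 2400000, 600000}, /* worker exited and was reaped */
};
static const struct proc_sample cycle3[] = {
    {1, 0, 0, 9000000, 0},
    {200, 1, 3, 100000, 0},       /* daemon restarted under a new pid */
};

/* Run the first `cycles` snapshots on fresh state; return the counter. */
uint64_t
demo_counter_after(int cycles)
{
    static const struct proc_sample *snaps[] = { cycle1, cycle2, cycle3 };
    static const size_t lens[] = { 3, 2, 2 };
    struct jail_cpu j = { .jid = 3 };
    uint64_t total = 0;
    for (int i = 0; i < cycles && i < 3; i++)
        total = jail_cpu_poll(&j, snaps[i], lens[i]);
    return total;
}

int
main(void)
{
    for (int c = 1; c <= 3; c++)
        printf("cycle %d: counter=%llu us\n", c,
            (unsigned long long)demo_counter_after(c));
    printf("cycle 3 without retention: %llu us\n",
        (unsigned long long)live_sum_us(cycle3, 2, 3));
    return 0;
}
```

Without the retained value the counter would fall back to the new daemon's time alone in cycle 3; with it the counter stays monotonic, short only by whatever the old daemon used between the cycle 2 poll and its exit.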
From: syrinx at FreeBSD.org (Shteryana Shopova)
Date: Wed Jan 21 12:19:23 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
In-Reply-To: <20090121160023.960DC8C2862@mx.npubs.com>
References: <20090120011951.D26228C282E@mx.npubs.com> <4975B8F3.7010008@quip.cz> <20090121032610.548568C2A3D@mx.npubs.com> <497719E9.1080107@quip.cz> <20090121131105.P45399@maildrop.int.zabbadoz.net> <20090121160023.960DC8C2862@mx.npubs.com>
Message-ID: <61b573980901211147y48188ec1t2606faa420c67f40@mail.gmail.com>

Hi,

Just to elaborate on Bjoern's opinion -

* traffic monitoring per ip/flow might not be of interest to jails only and I believe it belongs to a separate module
* in terms of jail resource monitoring (and limits) I believe the direction to go is using jtune (Cris Jones's SoC 2006 patch) even if we have to live with #ifdef JTUNE inside bsnmp_jails until it hits the tree (which I hope it will at one point)
* the module badly needs to list the IP addresses of a jail - which I believe should be done in a separate table - e.g. indexed by jail id and IP address - the question here is how to handle IPv4 vs IPv6 - separate tables or a common table adding an InetAddress column as index - the latter will not work with bsnmptools until they're fixed to support it; I am also guessing we need a RowStatus column so that one can assign IP addresses to a jail via SNMP

Furthermore -

* there is no way to create or destroy a jail via snmp-jail - jailEntry is missing a RowStatus column maybe?
* I am missing a column for the jail's root
* jailname, number of IPv4, IPv6'es in terms of jails in CURRENT?
* SNMP equivalents for the controls under security.jail sysctl MIB?
* I don't like the fact that the module includes pre-generated jails_oid.h, jails_tree.h and jails_tree.c - we have a bsd.snmpmod.mk for this, which puts all files in place (e.g. MIB, def)

I can try summing up my ideas in a MIB and publishing it for discussion these days but unfortunately I don't have the time to do any coding on this right now.

One last thought, we certainly want a bsnmp_jails (the notation so far is to use underscore in the name) module as part of base but it should cover as wide a range of usage scenarios of jail(8) as possible.

cheers,
Shteryana

P.P. Please keep me in the CC list as I am not subscribed to (this) list
From bugmaster at FreeBSD.org Mon Jan 26 03:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Jan 26 03:08:13 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200901261106.n0QB6vsm024298@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

3 problems total.

From kagekonjou at gmail.com Tue Jan 27 16:36:51 2009
From: kagekonjou at gmail.com (Kage)
Date: Tue Jan 27 16:36:58 2009
Subject: Multi-IP Jails (7.1-REL)
Message-ID:

Hey,

I need a solution for making jails use multiple IPs, be it a
/stable/, good patch, or a hacked solution via ipfw (preferred), or
pf. The one stipulation is that the jails must be able to connect
out, and MUST connect out via one of the IPs assigned to that jail.
Can anyone help me please? Thanks.

--
~ Kage
http://vitund.com
http://hackthissite.org

From glen.j.barber at gmail.com Tue Jan 27 17:09:21 2009
From: glen.j.barber at gmail.com (Glen Barber)
Date: Tue Jan 27 17:09:28 2009
Subject: Multi-IP Jails (7.1-REL)
In-Reply-To:
References:
Message-ID: <4ad871310901271640u54c59366g7bb295a35e911d3f@mail.gmail.com>

On Tue, Jan 27, 2009 at 7:09 PM, Kage wrote:
> Hey,
>
> I need a solution for making jails use multiple IPs, be it a
> /stable/, good patch, or a hacked solution via ipfw (preferred), or
> pf. The one stipulation is that the jails must be able to connect
> out, and MUST connect out via one of the IPs assigned to that jail.
> Can anyone help me please? Thanks.
>

You could use pf to redirect aliased ip addresses (in the host's
rc.conf) to specific jails, but this is more of a hack than what you're
looking for, I'm sure. Either way, it'll work.

--
Glen Barber

From frank at ilse.behrens.de Tue Jan 27 23:51:36 2009
From: frank at ilse.behrens.de (Frank Behrens)
Date: Tue Jan 27 23:51:42 2009
Subject: Multi-IP Jails (7.1-REL)
In-Reply-To:
Message-ID: <200901280751.n0S7pQhn053569@post.behrens.de>

Kage wrote on 27 Jan 2009 19:09:
> I need a solution for making jails use multiple IPs, be it a
> /stable/, good patch, or a hacked solution via ipfw (preferred), or
> pf. The one stipulation is that the jails must be able to connect
> out, and MUST connect out via one of the IPs assigned to that jail.

Did you search on the jail mailing list? You should find Bjoern's
excellent patches for RELENG_7 and the announcement for HEAD:

http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000615.html
http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html

--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.

From bzeeb-lists at lists.zabbadoz.net Wed Jan 28 00:25:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Jan 28 00:25:17 2009
Subject: Multi-IP Jails (7.1-REL)
In-Reply-To: <200901280751.n0S7pQhn053569@post.behrens.de>
References: <200901280751.n0S7pQhn053569@post.behrens.de>
Message-ID: <20090128081831.V3757@maildrop.int.zabbadoz.net>

On Wed, 28 Jan 2009, Frank Behrens wrote:

Good morning,

> Kage wrote on 27 Jan 2009 19:09:
>> I need a solution for making jails use multiple IPs, be it a
>> /stable/, good patch, or a hacked solution via ipfw (preferred), or
>> pf. The one stipulation is that the jails must be able to connect
>> out, and MUST connect out via one of the IPs assigned to that jail.
>
> Did you search on the jail mailing list? You should find Bjoern's
> excellent patches for RELENG_7 and the announcement for HEAD:
>
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000615.html
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html

I am about to re-gen my patch from last week (wasn't publicly
announced) but I am running it. So if you can wait another few hours,
you'll get the MFC candidate patch for RELENG_7.

/bz

--
Bjoern A. Zeeb
The greatest risk is not taking one.

From bzeeb-lists at lists.zabbadoz.net Wed Jan 28 07:25:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Jan 28 07:25:14 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails merge to 7-STABLE ahead
Message-ID: <20090128150840.E45963@maildrop.int.zabbadoz.net>

Hi,

I have a possible MFC candidate patch at:
http://people.freebsd.org/~bz/20090128-02-jail7-mfc.diff

to merge the multi-IPv4/v6/no-IP jails to 7-STABLE. My plan would be
to do so during the weekend of 6-8th February 2009.

In addition to what the patch says at the beginning (__FreeBSD_version
bump), the patch also has the regenerated compat/freebsd32 sysctl
stuff in it so that people can apply, compile and run it directly.
For the merge this would be a second commit.

For committers who want to review that I have done the merge right, it
is an svn diff with mergeinfo included.

For details about the patch, features, .. see the original commit
message and follow-up a few days later (both in one post):
http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html

Since then a few bug fixes went in, some older PRs were handled, ...

Now is the time for you to try and review it for 7-STABLE, etc.

/bz

--
Bjoern A. Zeeb
The greatest risk is not taking one.

From bzeeb-lists at lists.zabbadoz.net Wed Jan 28 09:35:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Jan 28 09:35:20 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails merge to 7-STABLE ahead
In-Reply-To: <20090128150840.E45963@maildrop.int.zabbadoz.net>
References: <20090128150840.E45963@maildrop.int.zabbadoz.net>
Message-ID: <20090128172923.S45963@maildrop.int.zabbadoz.net>

On Wed, 28 Jan 2009, Bjoern A. Zeeb wrote:

> Hi,
>
> I have a possible MFC candidate patch at:
> http://people.freebsd.org/~bz/20090128-02-jail7-mfc.diff
>
> to merge the multi-IPv4/v6/no-IP jails to 7-STABLE. My plan would be
> to do so during the weekend of 6-8th February 2009.
>
> In addition to what the patch says at the beginning (__FreeBSD_version
> bump), the patch also has the regenerated compat/freebsd32 sysctl
> stuff in it so that people can apply, compile and run it directly.
> For the merge this would be a second commit.
>
> For committers who want to review that I have done the merge right, it
> is an svn diff with mergeinfo included.
>
> For details about the patch, features, .. see the original commit
> message and follow-up a few days later (both in one post):
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html
>
> Since then a few bug fixes went in, some older PRs were handled, ...
>
> Now is the time for you to try and review it for 7-STABLE, etc.

One more thing that I had forgotten and was pointed at:

sys/kern/kern_jail.c includes the __FBSDID() line. I just manually
edited the patch to contain the proper CVS (not SVN) value. You may
a) want to check that things apply cleanly and/or b) be sure to
manually apply the hunk from the .rej.

/bz

--
Bjoern A. Zeeb
The greatest risk is not taking one.

From steinex at nognu.de Wed Jan 28 12:52:35 2009
From: steinex at nognu.de (Frank Steinborn)
Date: Wed Jan 28 12:52:42 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
Message-ID: <20090128202556.GA30226@haydn.nognu.de>

Hi folks,

I have a strange problem on my 7.1-RELEASE with ezjail here. I have 5
jails configured with ezjail, and they run flawlessly - they come up on
boot without problems.

However, if i stop a jail (via /usr/local/etc/rc.d/ezjail.sh stop
) and then want to restart it via the rc-script, it stalls here:

# /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
Configuring jails:.
Starting jails:

If I check with jls and 'pgrep -lfj ', i see that there are processes
inside the hanging jail running, including /etc/rc. I guess the
jails are hanging somewhere in the boot-process, and i guess it's
/etc/rc.

I even doubt that this is an ezjail-only problem, but this is just a
guess.

Any hints?

Thanks,
Frank

From bzeeb-lists at lists.zabbadoz.net Wed Jan 28 13:05:07 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Jan 28 13:05:13 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <20090128202556.GA30226@haydn.nognu.de>
References: <20090128202556.GA30226@haydn.nognu.de>
Message-ID: <20090128210100.P45963@maildrop.int.zabbadoz.net>

On Wed, 28 Jan 2009, Frank Steinborn wrote:

...
> jails are hanging somewhere in the boot-process, and i guess it's
> /etc/rc.
>
> I even doubt that this is an ezjail-only problem, but this is just a
> guess.
>
> Any hints?

if it's network services hanging on startup, check firewall and
resolve.conf inside the jail or wait a few minutes to let possible dns
queries timeout.
Also tcpdumping on the base system for the jail IP might give a clue
in that case.

If it's something else that's hanging you can find out easily looking
at jail startup logs and/or the last process started inside the
jail...

/bz

--
Bjoern A. Zeeb
The greatest risk is not taking one.

From scheidell at secnap.net Wed Jan 28 13:13:07 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Wed Jan 28 13:13:17 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <20090128202556.GA30226@haydn.nognu.de>
References: <20090128202556.GA30226@haydn.nognu.de>
Message-ID: <4980C658.10505@secnap.net>

I installed the jail utilities (forgot which ones) has a 'jkill' utility.
I then added a /etc/rc.conf.d/ezjail with a pre-stop() command that
calls a jkill. then all works fine.

Frank Steinborn wrote:
> Hi folks,
>
> I have a strange problem on my 7.1-RELEASE with ezjail here. I have 5
> jails configured with ezjail, and they run flawlessly - they come up on
> boot without problems.
>
> However, if i stop a jail (via /usr/local/etc/rc.d/ezjail.sh stop
> ) and then want to restart it via the rc-script, it stalls here:
>
> # /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
> Configuring jails:.
> Starting jails:
>
> If I check with jls and 'pgrep -lfj ', i see that there are processes
> inside the hanging jail running, including /etc/rc. I guess the
> jails are hanging somewhere in the boot-process, and i guess it's
> /etc/rc.
>
> I even doubt that this is an ezjail-only problem, but this is just a
> guess.
>
> Any hints?
>
> Thanks,
> Frank
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
* Finalist 2009 Network Products Guide Hot Companies
_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

From steinex at nognu.de Wed Jan 28 13:22:54 2009
From: steinex at nognu.de (Frank Steinborn)
Date: Wed Jan 28 13:23:07 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <20090128210100.P45963@maildrop.int.zabbadoz.net>
References: <20090128202556.GA30226@haydn.nognu.de> <20090128210100.P45963@maildrop.int.zabbadoz.net>
Message-ID: <20090128212431.GB30226@haydn.nognu.de>

On Wed, Jan 28, 2009 at 09:02:35PM +0000, Bjoern A. Zeeb wrote:
> if it's network services hanging on startup, check firewall and
> resolve.conf inside the jail or wait a few minutes to let possible dns
> queries timeout.
> Also tcpdumping on the base system for the jail IP might give a clue
> in that case.
>
> If it's something else that's hanging you can find out easily looking
> at jail startup logs and/or the last process started inside the
> jail...
>
> /bz

I guess i found a possible answer to my problem: The jail is running
mldonkey, which is started via /etc/rc.conf. If I don't start it, the
jail comes up as expected. These are the last two processes spawned in
the jail:

37947 p3 T+J 0:00.01 su -l mldonkey -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &"
37948 p3 TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &" (zsh)

It's suspicious that there are ^I's in there.

And as a side-note: Other jails have the same problem, with completely
different services to start up.

What to do about it? If I start mldonkey manually when the jail came
up, it works as expected, but this is really suboptimal...

From fbsd.questions at rachie.is-a-geek.net Wed Jan 28 14:08:04 2009
From: fbsd.questions at rachie.is-a-geek.net (Mel)
Date: Wed Jan 28 14:08:11 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <20090128202556.GA30226@haydn.nognu.de>
References: <20090128202556.GA30226@haydn.nognu.de>
Message-ID: <200901281250.40205.fbsd.questions@rachie.is-a-geek.net>

On Wednesday 28 January 2009 11:25:56 Frank Steinborn wrote:

> # /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
> Configuring jails:.
> Starting jails:
>
> If I check with jls and 'pgrep -lfj ', i see that there are processes
> inside the hanging jail running, including /etc/rc. I guess the
> jails are hanging somewhere in the boot-process, and i guess it's
> /etc/rc.

Install sysutils/pstree. On the host, type pstree|less. Search for the rc
process, then see what's running 'underneath' it. Those scripts/services are
hanging and take it from there.

--
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.

From steinex at nognu.de Wed Jan 28 14:38:37 2009
From: steinex at nognu.de (Frank Steinborn)
Date: Wed Jan 28 14:38:44 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <200901281250.40205.fbsd.questions@rachie.is-a-geek.net>
References: <20090128202556.GA30226@haydn.nognu.de> <200901281250.40205.fbsd.questions@rachie.is-a-geek.net>
Message-ID: <20090128223902.GA2183@haydn.nognu.de>

On Wed, Jan 28, 2009 at 12:50:40PM -0900, Mel wrote:
> On Wednesday 28 January 2009 11:25:56 Frank Steinborn wrote:
>
> > # /usr/local/etc/rc.d/ezjail.sh start mldonkey.local
> > Configuring jails:.
> > Starting jails:
> >
> > If I check with jls and 'pgrep -lfj ', i see that there are processes
> > inside the hanging jail running, including /etc/rc. I guess the
> > jails are hanging somewhere in the boot-process, and i guess it's
> > /etc/rc.
>
> Install sysutils/pstree. On the host, type pstree|less. Search for the rc
> process, then see what's running 'underneath' it. Those scripts/services are
> hanging and take it from there.

Please see my reply to Bjoern, the two processes shown there are the
ones hanging under /etc/rc...

I don't have a clue why this happens, if i start the rc-script for
this port manually, it works without a hitch. And even more notable:
On reboot, all comes up without a problem too.

From fbsd.questions at rachie.is-a-geek.net Wed Jan 28 16:23:34 2009
From: fbsd.questions at rachie.is-a-geek.net (Mel)
Date: Wed Jan 28 16:23:47 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <20090128212431.GB30226@haydn.nognu.de>
References: <20090128202556.GA30226@haydn.nognu.de> <20090128210100.P45963@maildrop.int.zabbadoz.net> <20090128212431.GB30226@haydn.nognu.de>
Message-ID: <200901281523.33379.fbsd.questions@rachie.is-a-geek.net>

On Wednesday 28 January 2009 12:24:31 Frank Steinborn wrote:
> On Wed, Jan 28, 2009 at 09:02:35PM +0000, Bjoern A. Zeeb wrote:
> > if it's network services hanging on startup, check firewall and
> > resolve.conf inside the jail or wait a few minutes to let possible dns
> > queries timeout.
> > Also tcpdumping on the base system for the jail IP might give a clue
> > in that case.
> >
> > If it's something else that's hanging you can find out easily looking
> > at jail startup logs and/or the last process started inside the
> > jail...
> >
> > /bz
>
> I guess i found a possible answer to my problem: The jail is running
> mldonkey, which is started via /etc/rc.conf. If I don't start it, the
> jail comes up as expected. These are the last two processes spawned in
> the jail:
>
> 37947 p3 T+J 0:00.01 su -l mldonkey -c /bin/sh -c
> ^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &"
> 37948 p3 TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
> ^I ^I>> /dev/null 2>&1 &" (zsh)
                              ^^^
Why is zsh shell involved?

--
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.

From steinex at nognu.de Wed Jan 28 17:09:04 2009
From: steinex at nognu.de (Frank Steinborn)
Date: Wed Jan 28 17:09:11 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <200901281523.33379.fbsd.questions@rachie.is-a-geek.net>
References: <20090128202556.GA30226@haydn.nognu.de> <20090128210100.P45963@maildrop.int.zabbadoz.net> <20090128212431.GB30226@haydn.nognu.de> <200901281523.33379.fbsd.questions@rachie.is-a-geek.net>
Message-ID: <20090129010926.GA6652@haydn.nognu.de>

On Wed, Jan 28, 2009 at 03:23:33PM -0900, Mel wrote:
> On Wednesday 28 January 2009 12:24:31 Frank Steinborn wrote:
> > I guess i found a possible answer to my problem: The jail is running
> > mldonkey, which is started via /etc/rc.conf. If I don't start it, the
> > jail comes up as expected. These are the last two processes spawned in
> > the jail:
> >
> > 37947 p3 T+J 0:00.01 su -l mldonkey -c /bin/sh -c
> > ^I"/usr/local/bin/mlnet ^I ^I ^I>> /dev/null 2>&1 &"
> > 37948 p3 TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
> > ^I ^I>> /dev/null 2>&1 &" (zsh)
>                               ^^^
> Why is zsh shell involved?

This was it. I should not have used the root-account inside the jails
with zsh. I now use the toor account on zsh and put the shell of root
back to csh everywhere.

However, I don't understand why zsh is invoked, since all rc.d-scripts
have shebang lines telling them to use /bin/sh? I'm a bit confused,
maybe can someone give a bit light on this...

However, it works now.

Thanks,
Frank

From stef-list at memberwebs.com Fri Jan 30 12:29:27 2009
From: stef-list at memberwebs.com (Stef)
Date: Fri Jan 30 12:29:34 2009
Subject: bsnmp module for monitoring jails: bsnmp-jails
References: <20090120011951.D26228C282E@mx.npubs.com> <4975B8F3.7010008@quip.cz> <20090121032610.548568C2A3D@mx.npubs.com> <497719E9.1080107@quip.cz> <20090121131105.P45399@maildrop.int.zabbadoz.net> <20090121160023.960DC8C2862@mx.npubs.com> <61b573980901211147y48188ec1t2606faa420c67f40@mail.gmail.com>
Message-ID: <20090130200901.AA7CA8C2850@mx.npubs.com>

Shteryana Shopova wrote:
> Just to elaborate Bjoern's opinion -

I hope I didn't give the impression I was trying to demand bsnmp-jails
be included in FreeBSD. Although I do agree that something like this
would be beneficial to have in the base system.

All good points. I'll keep these on record. When work gets done on
bsnmp-jails (not that much of a priority for me presently) I'll try to
move in the directions you've outlined.

Cheers and all the best,

Stef

From kagekonjou at gmail.com Sat Jan 31 15:11:58 2009
From: kagekonjou at gmail.com (Kage)
Date: Sat Jan 31 15:12:04 2009
Subject: Jail Resource Limits (7.1-REL)
Message-ID:

So, after some googling, I discovered
http://wiki.freebsd.org/JailResourceLimits, which is great, except
it's for RELENG_6, and I run 7.1-RELEASE. Is there an existing
solution I can use that is similar to this? I really, REALLY like
this patch's functionality, and would love to use it on my jails.
Thanks!

--
~ Kage
http://vitund.com
http://hackthissite.org

From fbsd.questions at rachie.is-a-geek.net Sat Jan 31 16:09:29 2009
From: fbsd.questions at rachie.is-a-geek.net (Mel)
Date: Sat Jan 31 16:09:41 2009
Subject: Problem with ezjail: Manually restarted jails don't come up again
In-Reply-To: <20090129010926.GA6652@haydn.nognu.de>
References: <20090128202556.GA30226@haydn.nognu.de> <200901281523.33379.fbsd.questions@rachie.is-a-geek.net> <20090129010926.GA6652@haydn.nognu.de>
Message-ID: <200901311509.28014.fbsd.questions@rachie.is-a-geek.net>

On Wednesday 28 January 2009 16:09:26 Frank Steinborn wrote:
> On Wed, Jan 28, 2009 at 03:23:33PM -0900, Mel wrote:
> > On Wednesday 28 January 2009 12:24:31 Frank Steinborn wrote:
> > > 37948 p3 TJ 0:00.01 -su -c /bin/sh -c ^I"/usr/local/bin/mlnet ^I
> > > ^I ^I>> /dev/null 2>&1 &" (zsh)
> >
> >                               ^^^
> > Why is zsh shell involved?
>
> This was it. I should not have used the root-account inside the jails
> with zsh. I now use the toor account on zsh and put the shell of root
> back to csh everywhere.
>
> However, I don't understand why zsh is invoked, since all rc.d-scripts
> have shebang lines telling them to use /bin/sh? I'm a bit confused,
> maybe can someone give a bit light on this...

su invokes $SHELL of the target user, from su(8):

     By default, the environment is unmodified with the exception of USER,
     HOME, and SHELL. HOME and SHELL are set to the target login's default
     values. USER is set to the target login, unless the target login has a
     user ID of 0, in which case it is unmodified. The invoked shell is the
     one belonging to the target login. This is the traditional behavior of
     su.

So:
su root -c /bin/sh
expands to
${SHELL} /bin/sh

--
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.

From c2thunes at brewtab.com Sat Jan 31 17:32:52 2009
From: c2thunes at brewtab.com (Christopher Thunes)
Date: Sat Jan 31 17:32:59 2009
Subject: Jail Resource Limits (7.1-REL)
In-Reply-To:
References:
Message-ID: <4984F766.1010307@brewtab.com>

I had the memory limits in place for 7.0-RELEASE, but there were
some stability problems associated with them that I haven't had the time
(nor the expertise most likely) to sort out. CPU limits will be more
difficult to port with the ULE scheduler now default in 7.1 and will
need someone more knowledgeable than me to sort out. If you are
interested in the patches for memory limits in 7.0, you can find them
here http://wiki.freebsd.org/Jails. Unfortunately, I haven't tried them
on 7.1 and have no idea if they would even apply clean, compile, or run.

- Chris Thunes

Kage wrote:
> So, after some googling, I discovered
> http://wiki.freebsd.org/JailResourceLimits, which is great, except
> it's for RELENG_6, and I run 7.1-RELEASE. Is there an existing
> solution I can use that is similar to this? I really, REALLY like
> this patch's functionality, and would love to use it on my jails.
> Thanks!
>
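
The ezjail thread above was resolved by reading ps output: both hung processes were stopped (state T) inside a jail (flag J), and the trailing "(zsh)" showed a command name that differed from argv[0]. The script below is an added example, not code from any poster; it filters `ps -ax` output for exactly those rows. The function names are hypothetical, and the sample rows are constructed from the two lines quoted in the thread (^I markers dropped) plus made-up rows for contrast.

```shell
#!/bin/sh
# Added example: find stopped processes inside jails in FreeBSD `ps -ax`
# output and show the real command name that ps appends in parentheses.

# Constructed sample (columns: PID TT STAT TIME COMMAND). PIDs 37947 and
# 37948 follow the lines quoted in the thread; the other rows are made up.
sample_ps() {
cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
37901  ??  SsJ    0:00.02 /usr/sbin/syslogd -ss
37940  p3  S+J    0:00.03 /bin/sh /etc/rc
37947  p3  T+J    0:00.01 su -l mldonkey -c /bin/sh -c "/usr/local/bin/mlnet >> /dev/null 2>&1 &"
37948  p3  TJ     0:00.01 -su -c /bin/sh -c "/usr/local/bin/mlnet >> /dev/null 2>&1 &" (zsh)
  812  ??  Is     0:00.10 /usr/sbin/cron -s
 4021  p1  T      0:00.00 vi /etc/rc.conf
EOF
}

# Reads ps rows on stdin. For every process whose state is T (stopped) and
# whose flags include J (jailed), prints:
#   PID TTY fg|bg ARGV0 REALNAME
# fg/bg comes from the "+" flag (foreground process group of the terminal).
# REALNAME is the trailing "(name)" when ps printed one, else ARGV0.
stopped_in_jail() {
    awk '
    NR == 1 && $1 == "PID" { next }              # skip the header row
    {
        stat = $3
        if (substr(stat, 1, 1) != "T") next      # first character is the run state
        if (index(substr(stat, 2), "J") == 0) next

        # Rebuild the command column (field 5 to end of line).
        cmd = $5
        for (i = 6; i <= NF; i++) cmd = cmd " " $i

        # argv[0] as a bare name: drop the login-shell dash and any path.
        argv0 = $5
        sub(/^-/, "", argv0)
        sub(/.*\//, "", argv0)

        # ps appends "(comm)" when the command name differs from argv[0].
        real = argv0
        if (match(cmd, /\([^()]*\)$/))
            real = substr(cmd, RSTART + 1, RLENGTH - 2)

        fg = index(stat, "+") ? "fg" : "bg"
        printf "%s %s %s %s %s\n", $1, $2, fg, argv0, real
    }'
}

# Keeps only the rows where the running program is not what argv[0] claims,
# which is the "(zsh)" clue in the thread.
name_mismatch() {
    awk '$4 != $5'
}

# Stand-alone run on the constructed sample.
sample_ps | stopped_in_jail
```

On a FreeBSD host the same filter can be fed live data with `ps -ax | stopped_in_jail | name_mismatch`, assuming the default PID TT STAT TIME COMMAND column layout.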