From bugmaster at FreeBSD.org Mon Mar 2 03:07:36 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 2 03:11:36 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200903021106.n22B6sI5057347@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132092  jail       [jail] jail can listen on *:port when jail_socket_unix
o bin/131800   jail       rpcbind(8) fails to start in jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

5 problems total.

From bz at FreeBSD.org Mon Mar 2 11:22:11 2009
From: bz at FreeBSD.org (bz@FreeBSD.org)
Date: Mon Mar 2 11:22:22 2009
Subject: bin/131800: rpcbind(8) fails to start in jail
Message-ID: <200903021922.n22JM8BT042958@freefall.freebsd.org>

Synopsis: rpcbind(8) fails to start in jail

Responsible-Changed-From-To: freebsd-jail->freebsd-bugs
Responsible-Changed-By: bz
Responsible-Changed-When: Mon Mar 2 19:20:13 UTC 2009
Responsible-Changed-Why:

http://www.freebsd.org/cgi/query-pr.cgi?pr=131800

From 000.fbsd at quip.cz Wed Mar 4 05:55:57 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Wed Mar 4 05:56:04 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <20090207174104.Y93725@maildrop.int.zabbadoz.net>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net>
Message-ID: <49AE885F.9030905@quip.cz>

Bjoern A. Zeeb wrote:
> Hi,
>
> what has started a long time ago with patches from various people, was
> started, abandoned, resumed finally found an end.
>
> I am happy to hereby announce that the multi-IPv4/v6/no-IP jails work
> has been merged to 7-STABLE and thus can be used in FreeBSD 7 without
> the need to maintain or apply patches from now on.
>
> This also means that the updated jails will be included in 7.2 release.
>
> This update gives you (short selection):
> - zero, one or multi-IP jails.
> - IPv4 and IPv6 support.
> - cpuset support for jails.
> - jail names and states to ease administration.
> - 32bit compat on 64bit, jail v1 compat, ..
>
> You'll find a longer summary about all the new features and how to use
> them in a posting from December (you should really read it):
> http://lists.freebsd.org/pipermail/freebsd-jail/2008-December/000631.html
>
> Since the above posting, multiple PRs had been addressed and fixes include
> - SIOCGIFADDR ioctl handling which fixes the "samba inside jails problem"
> - no more arp and ndp information disclosure
> - updated rc.conf framework (fully backward compatible in 7), see
>   man 5 rc.conf and /etc/defaults/rc.conf.
> - various documentation/man page updates
> - ...

I am now using your new multi-IP Jail (7-STABLE) for a few weeks without
any problems. Thanks for your good work!

I am interested in new features - jail name and cpuset support. I can use
it manually, but there is no support in /etc/rc.d/jail. Do you have any
plan to add these features into rc.d/jail + rc.conf? Or better said - If I
make a patch, are you willing to clean + commit it? :) (I know, you do not
want more complexity in rc.d/jail script...)

I also did one patch half a year ago
http://www.freebsd.org/cgi/query-pr.cgi?pr=124248
Can you accept it, or reject it, so the PR can be closed? (I can make
newer patch for 7-STABLE or 8-CURRENT if you want it)

Miroslav Lachman

From bzeeb-lists at lists.zabbadoz.net Wed Mar 4 10:20:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Mar 4 10:20:15 2009
Subject: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE
In-Reply-To: <49AE885F.9030905@quip.cz>
References: <20090207174104.Y93725@maildrop.int.zabbadoz.net> <49AE885F.9030905@quip.cz>
Message-ID: <20090304181500.D96785@maildrop.int.zabbadoz.net>

On Wed, 4 Mar 2009, Miroslav Lachman wrote:

> I am now using your new multi-IP Jail (7-STABLE) for a few weeks without any
> problems. Thanks for your good work!
> I am interested in new features - jail name and cpuset support. I can use it
> manually, but there is no support in /etc/rc.d/jail. Do you have any plan to
> add these features into rc.d/jail + rc.conf? Or better said - If I make a
> patch, are you willing to clean + commit it? :) (I know, you do not want more
> complexity in rc.d/jail script...)

I think there is no need to add anything...

for cpuset you have to do it manually afterwards; you could probably use
jail__exec_afterstart or what its name was for that.

For jail names just add -n name to jail__flags

Check /etc/defaults/rc.conf and man rc.conf for those names and
examples/descriptions.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.

From kagekonjou at gmail.com Sun Mar 8 11:22:47 2009
From: kagekonjou at gmail.com (Kage)
Date: Sun Mar 8 11:22:53 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
Message-ID:

Greetings,

So I'm having an issue using 7-STABLE, specifically with bz's
multi-IP/IPv6 patch. First and foremost, all IPs attempted to be used
(both v4 and v6) are aliased properly in ifconfig. Secondly,
assigning multiple IPs to a jail is no problem, as jls -v reflects the
multiples assigned correctly. However, within the jail, ifconfig
reflects only the first IP listed in rc.conf. What am I missing, or
what do I need to do to?

Cheers!


Example rc.conf entry:

ifconfig_vr0_alias10="inet 12.34.56.78 netmask 255.255.255.255"
ifconfig_vr0_alias11="inet 12.34.56.79 netmask 255.255.255.255"
ifconfig_vr0_alias12="inet 12.34.56.80 netmask 255.255.255.255"

jail_kage_rootdir="/usr/jails/kage"
jail_kage_hostname="kage.foo"
jail_kage_ip="12.34.56.78,12.34.56.79,12.34.56.80"

Example jls:

     5  kage.foo                 /usr/jails/kage
                                      ALIVE
        6
        12.34.56.78
        12.34.56.79
        12.34.56.80


Example ifconfig within that jail:

[root@kage:/usr/local/etc/apache22] ifconfig
vr0: flags=8843 metric 0 mtu 1500
        options=2808
        ether 00:1d:92:0d:77:8a
        inet 12.34.56.78 netmask 0xffffffff broadcast 12.34.56.1
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
[root@kage:/usr/local/etc/apache22]


--
~ Kage

From kagekonjou at gmail.com Sun Mar 8 14:05:19 2009
From: kagekonjou at gmail.com (Kage)
Date: Sun Mar 8 14:05:26 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References:
Message-ID:

Encountering more issues now. Binding just an IPv6 address to a jail
shows up in jls -v, but when I run ifconfig -a in the jail, I get an
error I've never encountered, and doesn't show up on any Google
search:

[root@nub:/etc] jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     9  jail.template.tld             /usr/jails/TEMPLATE
                                      ALIVE
        10
        2610:150:c248:dead:beef:c0ff:eec0:deaa

[root@jail:/] ifconfig -a
ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported


On Sun, Mar 8, 2009 at 2:22 PM, Kage wrote:
> Greetings,
>
> So I'm having an issue using 7-STABLE, specifically with bz's
> multi-IP/IPv6 patch.  First and foremost, all IPs attempted to be used
> (both v4 and v6) are aliased properly in ifconfig.  Secondly,
> assigning multiple IPs to a jail is no problem, as jls -v reflects the
> multiples assigned correctly.  However, within the jail, ifconfig
> reflects only the first IP listed in rc.conf.  What am I missing, or
> what do I need to do to?
>
> Cheers!
>
>
> Example rc.conf entry:
>
> ifconfig_vr0_alias10="inet 12.34.56.78 netmask 255.255.255.255"
> ifconfig_vr0_alias11="inet 12.34.56.79 netmask 255.255.255.255"
> ifconfig_vr0_alias12="inet 12.34.56.80 netmask 255.255.255.255"
>
> jail_kage_rootdir="/usr/jails/kage"
> jail_kage_hostname="kage.foo"
> jail_kage_ip="12.34.56.78,12.34.56.79,12.34.56.80"
>
> Example jls:
>
>      5  kage.foo                 /usr/jails/kage
>                                       ALIVE
>         6
>         12.34.56.78
>         12.34.56.79
>         12.34.56.80
>
>
> Example ifconfig within that jail:
>
> [root@kage:/usr/local/etc/apache22] ifconfig
> vr0: flags=8843 metric 0 mtu 1500
>         options=2808
>         ether 00:1d:92:0d:77:8a
>         inet 12.34.56.78 netmask 0xffffffff broadcast 12.34.56.1
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
> [root@kage:/usr/local/etc/apache22]
>
>
> --
> ~ Kage
>

--
~ Kage

From kagekonjou at gmail.com Sun Mar 8 14:18:10 2009
From: kagekonjou at gmail.com (Kage)
Date: Sun Mar 8 14:18:15 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References:
Message-ID:

In case this helps solve my problem:

[root@nub:/etc] cat sysctl.conf
kern.maxfiles=131072
kern.maxfilesperproc=4096
kern.maxprocperuid=1024
kern.ipc.somaxconn=4096
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=10
net.inet.icmp.icmplim=200
net.inet.tcp.drop_synfin=1
net.inet.tcp.blackhole=2
net.inet.tcp.msl=10000
net.inet.tcp.finwait2_timeout=10000
net.inet.tcp.fast_finwait2_recycle=1
net.inet.udp.blackhole=1
security.bsd.see_other_uids=0


On Sun, Mar 8, 2009 at 5:05 PM, Kage wrote:
> Encountering more issues now.  Binding just an IPv6 address to a jail
> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
> error I've never encountered, and doesn't show up on any Google
> search:
>
> [root@nub:/etc] jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>      9  jail.template.tld             /usr/jails/TEMPLATE
>                                       ALIVE
>         10
>         2610:150:c248:dead:beef:c0ff:eec0:deaa
>
> [root@jail:/] ifconfig -a
> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
>
>
> On Sun, Mar 8, 2009 at 2:22 PM, Kage wrote:
>> Greetings,
>>
>> So I'm having an issue using 7-STABLE, specifically with bz's
>> multi-IP/IPv6 patch.  First and foremost, all IPs attempted to be used
>> (both v4 and v6) are aliased properly in ifconfig.  Secondly,
>> assigning multiple IPs to a jail is no problem, as jls -v reflects the
>> multiples assigned correctly.  However, within the jail, ifconfig
>> reflects only the first IP listed in rc.conf.  What am I missing, or
>> what do I need to do to?
>>
>> Cheers!
>>
>>
>> Example rc.conf entry:
>>
>> ifconfig_vr0_alias10="inet 12.34.56.78 netmask 255.255.255.255"
>> ifconfig_vr0_alias11="inet 12.34.56.79 netmask 255.255.255.255"
>> ifconfig_vr0_alias12="inet 12.34.56.80 netmask 255.255.255.255"
>>
>> jail_kage_rootdir="/usr/jails/kage"
>> jail_kage_hostname="kage.foo"
>> jail_kage_ip="12.34.56.78,12.34.56.79,12.34.56.80"
>>
>> Example jls:
>>
>>      5  kage.foo                 /usr/jails/kage
>>                                       ALIVE
>>         6
>>         12.34.56.78
>>         12.34.56.79
>>         12.34.56.80
>>
>>
>> Example ifconfig within that jail:
>>
>> [root@kage:/usr/local/etc/apache22] ifconfig
>> vr0: flags=8843 metric 0 mtu 1500
>>         options=2808
>>         ether 00:1d:92:0d:77:8a
>>         inet 12.34.56.78 netmask 0xffffffff broadcast 12.34.56.1
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>> lo0: flags=8049 metric 0 mtu 16384
>> [root@kage:/usr/local/etc/apache22]
>>
>>
>> --
>> ~ Kage
>>
>
>
>
> --
> ~ Kage
>

--
~ Kage

From bzeeb-lists at lists.zabbadoz.net Sun Mar 8 15:30:07 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Mar 8 15:30:26 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References:
Message-ID: <20090308222441.Y96785@maildrop.int.zabbadoz.net>

On Sun, 8 Mar 2009, Kage wrote:

> Encountering more issues now. Binding just an IPv6 address to a jail
> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
> error I've never encountered, and doesn't show up on any Google
> search:
>
> [root@nub:/etc] jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>      9  jail.template.tld             /usr/jails/TEMPLATE
>                                       ALIVE
>         10
>         2610:150:c248:dead:beef:c0ff:eec0:deaa
>
> [root@jail:/] ifconfig -a
> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported

Is your world inside the jails in sync with the kernel?

>
> On Sun, Mar 8, 2009 at 2:22 PM, Kage wrote:
>> Greetings,
>>
>> So I'm having an issue using 7-STABLE, specifically with bz's
>> multi-IP/IPv6 patch.  First and foremost, all IPs attempted to be used
>> (both v4 and v6) are aliased properly in ifconfig.  Secondly,
>> assigning multiple IPs to a jail is no problem, as jls -v reflects the
>> multiples assigned correctly.  However, within the jail, ifconfig
>> reflects only the first IP listed in rc.conf.  What am I missing, or
>> what do I need to do to?
>>
>> Cheers!
>>
>>
>> Example rc.conf entry:
>>
>> ifconfig_vr0_alias10="inet 12.34.56.78 netmask 255.255.255.255"
>> ifconfig_vr0_alias11="inet 12.34.56.79 netmask 255.255.255.255"
>> ifconfig_vr0_alias12="inet 12.34.56.80 netmask 255.255.255.255"
>>
>> jail_kage_rootdir="/usr/jails/kage"
>> jail_kage_hostname="kage.foo"
>> jail_kage_ip="12.34.56.78,12.34.56.79,12.34.56.80"
>>
>> Example jls:
>>
>>      5  kage.foo                 /usr/jails/kage
>>                                       ALIVE
>>         6
>>         12.34.56.78
>>         12.34.56.79
>>         12.34.56.80
>>
>>
>> Example ifconfig within that jail:
>>
>> [root@kage:/usr/local/etc/apache22] ifconfig
>> vr0: flags=8843 metric 0 mtu 1500
>>         options=2808
>>         ether 00:1d:92:0d:77:8a
>>         inet 12.34.56.78 netmask 0xffffffff broadcast 12.34.56.1

Now that broadcast address doesn't make any sense at all.
Does it look the same outside the jail?

Can you send ifconfig -a from inside and outside jails, unmangled
and unedited along with a jls -va?

Are you running 7-STABLE now or 7.x + patch?

>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>> lo0: flags=8049 metric 0 mtu 16384
>> [root@kage:/usr/local/etc/apache22]
>>
>>
>> --
>> ~ Kage
>>
>
>
>

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.

From kagekonjou at gmail.com Sun Mar 8 16:20:09 2009
From: kagekonjou at gmail.com (Kage)
Date: Sun Mar 8 16:20:17 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To: <20090308222441.Y96785@maildrop.int.zabbadoz.net>
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net>
Message-ID:

On Sun, Mar 8, 2009 at 6:26 PM, Bjoern A. Zeeb wrote:
> On Sun, 8 Mar 2009, Kage wrote:
>
>> Encountering more issues now.  Binding just an IPv6 address to a jail
>> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
>> error I've never encountered, and doesn't show up on any Google
>> search:
>>
>> [root@nub:/etc] jls -v
>>    JID  Hostname                      Path
>>         Name                          State
>>         CPUSetID
>>         IP Address(es)
>>      9  jail.template.tld             /usr/jails/TEMPLATE
>>                                       ALIVE
>>         10
>>         2610:150:c248:dead:beef:c0ff:eec0:deaa
>>
>> [root@jail:/] ifconfig -a
>> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
>
> Is your world inside the jails in sync with the kernel?

Explain, please?

>>
>> On Sun, Mar 8, 2009 at 2:22 PM, Kage wrote:
>>>
>>> Greetings,
>>>
>>> So I'm having an issue using 7-STABLE, specifically with bz's
>>> multi-IP/IPv6 patch.  First and foremost, all IPs attempted to be used
>>> (both v4 and v6) are aliased properly in ifconfig.  Secondly,
>>> assigning multiple IPs to a jail is no problem, as jls -v reflects the
>>> multiples assigned correctly.  However, within the jail, ifconfig
>>> reflects only the first IP listed in rc.conf.  What am I missing, or
>>> what do I need to do to?
>>>
>>> Cheers!
>>>
>>>
>>> Example rc.conf entry:
>>>
>>> ifconfig_vr0_alias10="inet 12.34.56.78 netmask 255.255.255.255"
>>> ifconfig_vr0_alias11="inet 12.34.56.79 netmask 255.255.255.255"
>>> ifconfig_vr0_alias12="inet 12.34.56.80 netmask 255.255.255.255"
>>>
>>> jail_kage_rootdir="/usr/jails/kage"
>>> jail_kage_hostname="kage.foo"
>>> jail_kage_ip="12.34.56.78,12.34.56.79,12.34.56.80"
>>>
>>> Example jls:
>>>
>>>      5  kage.foo                 /usr/jails/kage
>>>                                       ALIVE
>>>         6
>>>         12.34.56.78
>>>         12.34.56.79
>>>         12.34.56.80
>>>
>>>
>>> Example ifconfig within that jail:
>>>
>>> [root@kage:/usr/local/etc/apache22] ifconfig
>>> vr0: flags=8843 metric 0 mtu 1500
>>>         options=2808
>>>         ether 00:1d:92:0d:77:8a
>>>         inet 12.34.56.78 netmask 0xffffffff broadcast 12.34.56.1
>
>
> Now that broadcast address doesn't make any sense at all.
> Does it look the same outside the jail?

Looks the same inside and out for the IP that shows up in jails

> Can you send ifconfig -a from inside and outside jails, unmangled
> and unedited along with a jls -va?

I'll give two examples, hold please...
(edited slightly for sake of privacy of other users hosted on this
box, and to keep this E-Mail brief)

(Inside Host)
-----
[root@nub:/etc] ifconfig -a
(snip)
        inet 64.32.24.218 netmask 0xffffffff broadcast 64.32.24.218
(snip)
        inet 208.98.30.200 netmask 0xffffff00 broadcast 208.98.30.255
(snip)
        inet6 2610:150:c248::2 prefixlen 48
(etc.)

[root@nub:/etc] jls -va
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
(snip)
     6  kage.vitund.com               /usr/jails/kage
                                      ALIVE
        7
        64.32.24.218
        208.98.30.200
(snip)
     4  irc.hackthissite.org          /usr/jails/irc
                                      ALIVE
        5
        64.32.24.217
        2610:150:c248:dead:c0ff:eec0:deba:be00
(snip)
[root@nub:/etc]

rc.conf chunk:
ipv6_enable="YES"
ipv6_defaultrouter="2610:150:c248::1"
ipv6_network_interfaces="vr0"
ipv6_ifconfig_vr0="2610:150:c248::2 prefixlen 48"

(Inside Jail: kage)
[root@kage:/] ifconfig -a
vr0: flags=8843 metric 0 mtu 1500
        options=2808
        ether 00:1d:92:0d:77:8a
        inet 64.32.24.218 netmask 0xffffffff broadcast 64.32.24.218
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
[root@kage:/]

(Inside Jail: irc)
[root@irc:/] ifconfig -a
vr0: flags=8843 metric 0 mtu 1500
        options=2808
        ether 00:1d:92:0d:77:8a
        inet 64.32.24.217 netmask 0xffffffff broadcast 64.32.24.217
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
[root@irc:/]

> Are you running 7-STABLE now or 7.x + patch?

7-STABLE.

>>>         media: Ethernet autoselect (100baseTX )
>>>         status: active
>>> lo0: flags=8049 metric 0 mtu 16384
>>> [root@kage:/usr/local/etc/apache22]
>>>
>>>
>>> --
>>> ~ Kage
>>>
>>
>>
>>
>>
>
> --
> Bjoern A. Zeeb                      The greatest risk is not taking one.

--
~ Kage

From ruben at verweg.com Mon Mar 9 03:19:31 2009
From: ruben at verweg.com (Ruben van Staveren)
Date: Mon Mar 9 03:19:38 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net>
Message-ID:

On 9 Mar 2009, at 0:20, Kage wrote:

>> Is your world inside the jails in sync with the kernel?
>
> Explain, please?

After upgrading your sources, did you rebuild both userland and kernel
and installed the new userland in all your jails too ?

Regards,
        Ruben

From bugmaster at FreeBSD.org Mon Mar 9 10:15:10 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 9 10:16:32 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200903091715.n29HF7C0045293@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132092  jail       [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From jamie at FreeBSD.org Mon Mar 9 11:35:44 2009
From: jamie at FreeBSD.org (Jamie Gritton)
Date: Mon Mar 9 11:36:15 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References:
Message-ID: <49B55CA2.7090300@FreeBSD.org>

Kage wrote:

> Encountering more issues now. Binding just an IPv6 address to a jail
> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
> error I've never encountered, and doesn't show up on any Google
> search:
>
> [root@nub:/etc] jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>      9  jail.template.tld             /usr/jails/TEMPLATE
>                                       ALIVE
>         10
>         2610:150:c248:dead:beef:c0ff:eec0:deaa
>
> [root@jail:/] ifconfig -a
> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported

Recent patches reject sockets in jails that have no addresses in the
socket's family. So if your jail has no IPv6 addresses, you won't be
able to create any IPv6 sockets. Likewise your case: if that jail has
no IPv4 addresses, then it's an IPv4-less jail, and IPv4 sockets won't
work (Protocol not supported). For actual network connections, this
makes sense: you won't be able to bind or connect with this socket, as
there are no IPv4 addresses in the system.

But ifconfig is a different situation. It just needs a socket of some
sort, and AF_INET has always worked, because any networked system always
has IPv4 support. But in an IPv4-less system (which an IPv4-less jail
now acts like), this default isn't useful. Something will need to be
fixed. I'm not sure if that something is ifconfig or the kernel.

- Jamie

From kagekonjou at gmail.com Mon Mar 9 19:20:52 2009
From: kagekonjou at gmail.com (Kage)
Date: Mon Mar 9 19:21:02 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net>
Message-ID:

What of the userland do I need to copy to the jails? I didn't copy
anything to the jails, so that's probably my issue.

What step(s) did I miss? I only did the exact steps listed in the
FreeBSD books, which were basically: cvsup, buildworld, buildkernel,
installkernel, reboot, mergemaster, installworld, mergemaster, reboot

I did nothing to the jails. What'd I miss? :/

On Mon, Mar 9, 2009 at 6:19 AM, Ruben van Staveren wrote:
>
> On 9 Mar 2009, at 0:20, Kage wrote:
>
>>> Is your world inside the jails in sync with the kernel?
>>
>> Explain, please?
>
> After upgrading your sources, did you rebuild both userland and kernel and
> installed the new userland in all your jails too ?
>
> Regards,
>         Ruben
>

--
~ Kage

From freddy.dsx at free.fr Tue Mar 10 02:05:14 2009
From: freddy.dsx at free.fr (freddy.dsx@free.fr)
Date: Tue Mar 10 02:05:21 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net>
Message-ID: <20090310085444.GN17739@mini.bsdsx.fr>

On Mon, Mar 09, 2009 at 10:20:50PM -0400, Kage wrote:

> What of the userland do I need to copy to the jails? I didn't copy
> anything to the jails, so that's probably my issue.
>
> What step(s) did I miss? I only did the exact steps listed in the
> FreeBSD books, which were basically: cvsup, buildworld, buildkernel,
> installkernel, reboot, mergemaster, installworld, mergemaster, reboot
>
> I did nothing to the jails. What'd I miss? :/

http://www.cyberciti.biz/faq/how-to-upgrade-freebsd-jail-vps/

From bzeeb-lists at lists.zabbadoz.net Tue Mar 10 04:05:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Mar 10 04:05:15 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To: <49B55CA2.7090300@FreeBSD.org>
References: <49B55CA2.7090300@FreeBSD.org>
Message-ID: <20090310110332.Q96785@maildrop.int.zabbadoz.net>

On Mon, 9 Mar 2009, Jamie Gritton wrote:

> Kage wrote:
>
>> Encountering more issues now. Binding just an IPv6 address to a jail
>> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
>> error I've never encountered, and doesn't show up on any Google
>> search:
>>
>> [root@nub:/etc] jls -v
>>    JID  Hostname                      Path
>>         Name                          State
>>         CPUSetID
>>         IP Address(es)
>>      9  jail.template.tld             /usr/jails/TEMPLATE
>>                                       ALIVE
>>         10
>>         2610:150:c248:dead:beef:c0ff:eec0:deaa
>>
>> [root@jail:/] ifconfig -a
>> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
>
> Recent patches reject sockets in jails that have no addresses in the
> socket's family. So if your jail has no IPv6 addresses, you won't be
> able to create any IPv6 sockets. Likewise your case: if that jail has
> no IPv4 addresses, then it's an IPv4-less jail, and IPv4 sockets won't
> work (Protocol not supported). For actual network connections, this
> makes sense: you won't be able to bind or connect with this socket, as
> there are no IPv4 addresses in the system.
>
> But ifconfig is a different situation. It just needs a socket of some
> sort, and AF_INET has always worked, because any networked system always
> has IPv4 support. But in an IPv4-less system (which an IPv4-less jail
> now acts like), this default isn't useful. Something will need to be
> fixed. I'm not sure if that something is ifconfig or the kernel.

I'd suggest fixing ifconfig if (easily) possible; that would avoid us
running into it again in a few months/year(s) when it might be
possible to compile an INET6 but no INET kernel.

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.
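Added example, not part of the thread and not the FreeBSD ifconfig source: a stand-alone C program for the situation discussed above, where a tool that only needs "a socket of some sort" for interface queries falls back to another family when the jail has no address in the preferred one. The names BOGUS_FAMILY, family_unavailable(), ctl_socket_from() and ctl_socket() are hypothetical, and treating EAFNOSUPPORT the same as EPROTONOSUPPORT is an assumption made for portability.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed value: a family number no kernel implements. It stands in
 * for "AF_INET inside a jail that has no IPv4 address". */
#define BOGUS_FAMILY 250

/* True when errno says the family itself is unavailable, as opposed to a
 * resource or permission failure that a fallback must not hide. */
static int family_unavailable(int e)
{
    return e == EPROTONOSUPPORT || e == EAFNOSUPPORT;
}

/* Try each candidate family in order and return the first datagram socket
 * that opens. Move on to the next candidate only when the family is
 * unavailable; any other error (EMFILE, EACCES, ...) stops the search.
 * On success *used receives the family that worked. On failure the
 * function returns -1 with errno set by the last attempt. */
int ctl_socket_from(const int *cands, size_t n, int *used)
{
    int saved = EAFNOSUPPORT;

    for (size_t i = 0; i < n; i++) {
        int s = socket(cands[i], SOCK_DGRAM, 0);
        if (s >= 0) {
            if (used != NULL)
                *used = cands[i];
            return s;
        }
        saved = errno;
        if (!family_unavailable(saved))
            break;
    }
    errno = saved;
    return -1;
}

/* Policy wrapper: a family the caller asked for explicitly is tried alone,
 * so the failure stays visible. With AF_UNSPEC ("any socket will do") the
 * search ends at AF_LOCAL, which needs no network address at all. */
int ctl_socket(int requested, int *used)
{
    static const int defaults[] = { AF_INET, AF_INET6, AF_LOCAL };

    if (requested != AF_UNSPEC)
        return ctl_socket_from(&requested, 1, used);
    return ctl_socket_from(defaults, sizeof(defaults) / sizeof(defaults[0]),
        used);
}

int main(void)
{
    const int demo[] = { BOGUS_FAMILY, AF_LOCAL };
    int used = AF_UNSPEC;
    int s = ctl_socket_from(demo, 2, &used);

    if (s < 0) {
        perror("ctl_socket_from");
        return 1;
    }
    printf("control socket opened in family %d\n", used);
    close(s);
    return 0;
}
```

Only the "family unavailable" errors trigger the fallback, so descriptor exhaustion or a permission failure is still reported against the family that produced it.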
From kagekonjou at gmail.com Tue Mar 10 05:52:23 2009
From: kagekonjou at gmail.com (Kage)
Date: Tue Mar 10 05:52:31 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To: <20090310085444.GN17739@mini.bsdsx.fr>
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net> <20090310085444.GN17739@mini.bsdsx.fr>
Message-ID:

Double-sigh. I feel dumb, haha. Thanks, I'll proceed with this, and
if things don't work, I'll post to this thread again. Thanks, guys!

On Tue, Mar 10, 2009 at 4:54 AM, wrote:
> On Mon, Mar 09, 2009 at 10:20:50PM -0400, Kage wrote:
>
>> What of the userland do I need to copy to the jails?  I didn't copy
>> anything to the jails, so that's probably my issue.
>>
>> What step(s) did I miss?  I only did the exact steps listed in the
>> FreeBSD books, which were basically: cvsup, buildworld, buildkernel,
>> installkernel, reboot, mergemaster, installworld, mergemaster, reboot
>>
>> I did nothing to the jails.  What'd I miss? :/
>
>
> http://www.cyberciti.biz/faq/how-to-upgrade-freebsd-jail-vps/
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

--
~ Kage
http://vitund.com
http://hackthissite.org

From kagekonjou at gmail.com Tue Mar 10 06:22:05 2009
From: kagekonjou at gmail.com (Kage)
Date: Tue Mar 10 06:22:11 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net> <20090310085444.GN17739@mini.bsdsx.fr>
Message-ID:

Dumb question, perhaps... Do I need to re-run make buildworld again
since I've already done it once for the upgrade (ie. does
build/installkernel remove the work done by installworld or something
odd?), or can I simply just run installworld immediately on all my
jails without running buildworld again? Thanks!

On Tue, Mar 10, 2009 at 8:52 AM, Kage wrote:
> Double-sigh.  I feel dumb, haha.  Thanks, I'll proceed with this, and
> if things don't work, I'll post to this thread again.  Thanks, guys!
>
> On Tue, Mar 10, 2009 at 4:54 AM,  wrote:
>> On Mon, Mar 09, 2009 at 10:20:50PM -0400, Kage wrote:
>>
>>> What of the userland do I need to copy to the jails?  I didn't copy
>>> anything to the jails, so that's probably my issue.
>>>
>>> What step(s) did I miss?  I only did the exact steps listed in the
>>> FreeBSD books, which were basically: cvsup, buildworld, buildkernel,
>>> installkernel, reboot, mergemaster, installworld, mergemaster, reboot
>>>
>>> I did nothing to the jails.  What'd I miss? :/
>>
>>
>> http://www.cyberciti.biz/faq/how-to-upgrade-freebsd-jail-vps/
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>
>
>
> --
> ~ Kage
> http://vitund.com
> http://hackthissite.org
>

--
~ Kage
http://vitund.com
http://hackthissite.org

From kagekonjou at gmail.com Tue Mar 10 06:37:03 2009
From: kagekonjou at gmail.com (Kage)
Date: Tue Mar 10 06:37:10 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To:
References: <20090308222441.Y96785@maildrop.int.zabbadoz.net> <20090310085444.GN17739@mini.bsdsx.fr>
Message-ID:

Sorry for the continual E-Mails. I did a test of just installworld on
a temp jail. Multiple IPv4 works perfectly, but IPv6 still does not
show up in ifconfig and cannot be binded to. Suggestions?

On Tue, Mar 10, 2009 at 9:22 AM, Kage wrote:
> Dumb question, perhaps... Do I need to re-run make buildworld again
> since I've already done it once for the upgrade (ie. does
> build/installkernel remove the work done by installworld or something
> odd?), or can I simply just run installworld immediately on all my
> jails without running buildworld again?  Thanks!
>
> On Tue, Mar 10, 2009 at 8:52 AM, Kage wrote:
>> Double-sigh.  I feel dumb, haha.  Thanks, I'll proceed with this, and
>> if things don't work, I'll post to this thread again.  Thanks, guys!
>>
>> On Tue, Mar 10, 2009 at 4:54 AM,  wrote:
>>> On Mon, Mar 09, 2009 at 10:20:50PM -0400, Kage wrote:
>>>
>>>> What of the userland do I need to copy to the jails?  I didn't copy
>>>> anything to the jails, so that's probably my issue.
>>>>
>>>> What step(s) did I miss?  I only did the exact steps listed in the
>>>> FreeBSD books, which were basically: cvsup, buildworld, buildkernel,
>>>> installkernel, reboot, mergemaster, installworld, mergemaster, reboot
>>>>
>>>> I did nothing to the jails.  What'd I miss? :/
>>>
>>>
>>> http://www.cyberciti.biz/faq/how-to-upgrade-freebsd-jail-vps/
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>
>>
>>
>>
>> --
>> ~ Kage
>> http://vitund.com
>> http://hackthissite.org
>>
>
>
>
> --
> ~ Kage
> http://vitund.com
> http://hackthissite.org
>

--
~ Kage
http://vitund.com
http://hackthissite.org

From jamie at FreeBSD.org Thu Mar 12 14:38:48 2009
From: jamie at FreeBSD.org (Jamie Gritton)
Date: Thu Mar 12 14:38:54 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To: <49B55CA2.7090300@FreeBSD.org>
References: <49B55CA2.7090300@FreeBSD.org>
Message-ID: <49B980E1.30203@FreeBSD.org>

I wrote:

> Kage wrote:
>
>> Encountering more issues now. Binding just an IPv6 address to a jail
>> shows up in jls -v, but when I run ifconfig -a in the jail, I get an
>> error I've never encountered, and doesn't show up on any Google
>> search:
>>
>> [root@nub:/etc] jls -v
>>    JID  Hostname                      Path
>>         Name                          State
>>         CPUSetID
>>         IP Address(es)
>>      9  jail.template.tld             /usr/jails/TEMPLATE
>>                                       ALIVE
>>         10
>>         2610:150:c248:dead:beef:c0ff:eec0:deaa
>>
>> [root@jail:/] ifconfig -a
>> ifconfig: socket(family 2,SOCK_DGRAM): Protocol not supported
>
> Recent patches reject sockets in jails that have no addresses in the
> socket's family. So if your jail has no IPv6 addresses, you won't be
> able to create any IPv6 sockets. Likewise your case: if that jail has
> no IPv4 addresses, then it's an IPv4-less jail, and IPv4 sockets won't
> work (Protocol not supported). For actual network connections, this
> makes sense: you won't be able to bind or connect with this socket, as
> there are no IPv4 addresses in the system.
>
> But ifconfig is a different situation. It just needs a socket of some
> sort, and AF_INET has always worked, because any networked system always
> has IPv4 support. But in an IPv4-less system (which an IPv4-less jail
> now acts like), this default isn't useful. Something will need to be
> fixed. I'm not sure if that something is ifconfig or the kernel.

Here's a patch for ifconfig. It allows "ifconfig -a" and a few other
similar informative ifconfig options to run inside an IPv4-less jail
(of course trying to set anything still fails). Outside of a jail, you
should see no change.
Apply it inside your /usr/src tree, and install it both in the root system (under /sbin) and in your jails (/usr/jails/TEMPLATE or wherever). Just in case I broke something, keep a copy of the old one :-). But I've tested it on my own system so I don't expect anything to be broken. This is under review and I expect to be able to commit it to Current shortly, then MFC it a week or so after that. If you have any trouble with it, feel free to ask me - I'm the one who broke ifconfig in the first place. - Jamie -------------- next part -------------- Index: sbin/ifconfig/ifgroup.c =================================================================== --- isbin/ifconfig/fgroup.c (revision 189318) +++ sbin/ifconfig/ifgroup.c (working copy) @@ -131,9 +131,9 @@ int len, cnt = 0; int s; - s = socket(AF_INET, SOCK_DGRAM, 0); + s = socket(AF_LOCAL, SOCK_DGRAM, 0); if (s == -1) - err(1, "socket(AF_INET,SOCK_DGRAM)"); + err(1, "socket(AF_LOCAL,SOCK_DGRAM)"); bzero(&ifgr, sizeof(ifgr)); strlcpy(ifgr.ifgr_name, groupname, sizeof(ifgr.ifgr_name)); if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) { Index: sbin/ifconfig/ifclone.c =================================================================== --- sbin/ifconfig/ifclone.c (revision 189318) +++ sbin/ifconfig/ifclone.c (working copy) @@ -54,9 +54,9 @@ int idx; int s; - s = socket(AF_INET, SOCK_DGRAM, 0); + s = socket(AF_LOCAL, SOCK_DGRAM, 0); if (s == -1) - err(1, "socket(AF_INET,SOCK_DGRAM)"); + err(1, "socket(AF_LOCAL,SOCK_DGRAM)"); memset(&ifcr, 0, sizeof(ifcr)); Index: sbin/ifconfig/ifconfig.c =================================================================== --- sbin/ifconfig/ifconfig.c (revision 189318) +++ sbin/ifconfig/ifconfig.c (working copy) 
@@ -441,22 +441,23 @@ DEF_CMD("ifdstaddr", 0, setifdstaddr); static int -ifconfig(int argc, char *const *argv, int iscreate, const struct afswtch *afp) +ifconfig(int argc, char *const *argv, int iscreate, const struct afswtch *uafp) { - const struct afswtch *nafp; + const struct afswtch *afp, *nafp; const struct cmd *p; struct callback *cb; int s; strncpy(ifr.ifr_name, name, sizeof ifr.ifr_name); + afp = uafp != NULL ? uafp : af_getbyname("inet"); top: - if (afp == NULL) - afp = af_getbyname("inet"); ifr.ifr_addr.sa_family = afp->af_af == AF_LINK || afp->af_af == AF_UNSPEC ? - AF_INET : afp->af_af; + AF_LOCAL : afp->af_af; - if ((s = socket(ifr.ifr_addr.sa_family, SOCK_DGRAM, 0)) < 0) + if ((s = socket(ifr.ifr_addr.sa_family, SOCK_DGRAM, 0)) < 0 && + (uafp != NULL || errno != EPROTONOSUPPORT || + (s = socket(AF_LOCAL, SOCK_DGRAM, 0)) < 0)) err(1, "socket(family %u,SOCK_DGRAM", ifr.ifr_addr.sa_family); while (argc > 0) { @@ -803,11 +804,12 @@ if (afp == NULL) { allfamilies = 1; - afp = af_getbyname("inet"); - } else + ifr.ifr_addr.sa_family = AF_LOCAL; + } else { allfamilies = 0; - - ifr.ifr_addr.sa_family = afp->af_af == AF_LINK ? AF_INET : afp->af_af; + ifr.ifr_addr.sa_family = + afp->af_af == AF_LINK ? AF_LOCAL : afp->af_af; + } strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); s = socket(ifr.ifr_addr.sa_family, SOCK_DGRAM, 0); From dez at accid.net Fri Mar 13 10:31:30 2009 From: dez at accid.net (Desmond Vicks) Date: Fri Mar 13 10:31:37 2009 Subject: which patch to use with 7.1-RELEASE? Message-ID: <49BA948B.40302@accid.net> Hi list, I have a 7.1-RELEASE machine here and would like to get it going with multi-ip jails. Problem is I'm finding it difficult to work out which patch I should use with the RELEASE branch. Can somebody please point it out for me? I know that the multi-ip jail patch is 7-STABLE branch, but I really need to be tracking RELEASE on this box. Thanks for your help -- Dez From alexey at renatasystems.org Sat Mar 14 03:49:35 2009 
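Review bot: the old-file header for ifgroup.c in the ifconfig patch above reads "--- isbin/ifconfig/fgroup.c" while the Index: and +++ lines name sbin/ifconfig/ifgroup.c, so the diff should be regenerated with a matching path before it is applied by anyone else. In this hunk and in the ifclone.c one the socket is only a handle for interface ioctls (SIOCGIFGMEMB here); a one-line comment above the socket() call saying AF_LOCAL was picked because it works in a jail with no IPv4 address would document why the family changed.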
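Review bot: in the @@ -441,22 +441,23 @@ hunk of sbin/ifconfig/ifconfig.c in the patch above, the AF_LOCAL fallback leaves ifr.ifr_addr.sa_family at the inet value chosen just before it, so later ioctls carry a family that differs from the socket actually opened, and if the fallback socket() also fails, err() reports ifr.ifr_addr.sa_family rather than AF_LOCAL. Is that intended? If not, set ifr.ifr_addr.sa_family = AF_LOCAL before retrying. The combined condition would be easier to audit as a separate retry guarded by uafp == NULL && errno == EPROTONOSUPPORT, with a comment that it exists for jails without an IPv4 address. The unchanged context line "socket(family %u,SOCK_DGRAM" is also missing its closing parenthesis and could be fixed in the same commit.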
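Review bot: in the @@ -803,11 +804,12 @@ hunk of sbin/ifconfig/ifconfig.c in the patch above, the afp == NULL branch no longer assigns afp = af_getbyname("inet"), so afp stays NULL for the rest of the function whenever allfamilies is set. The code after the socket() call is outside the hunk; please confirm every later use of afp there is guarded by allfamilies or a NULL check. This path also opens AF_LOCAL unconditionally, whereas the earlier ifconfig() hunk tries inet first and only falls back on EPROTONOSUPPORT; a short comment on why the two paths differ would help.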
From: alexey at renatasystems.org (Alexey V. Degtyarev)
Date: Sat Mar 14 03:49:42 2009
Subject: which patch to use with 7.1-RELEASE?
In-Reply-To: <49BA948B.40302@accid.net>
References: <49BA948B.40302@accid.net>
Message-ID: <20090314102250.GJ15853@hs-4.renatasystems.org>

Hi Desmond and everyone,

I have been searching for the same, and was unable to point to any
explicit patch for 7.1-RELEASE, but trying the patch nearest to the
release's date seems to work fine for me:

http://people.freebsd.org/~bz/bz_jail7-20081126-02-at153644.diff

Execution of `patch -p6 < ./bz_jail7-20081126-02-at153644.diff' gets all
the hunks to succeed, and my jails are multi-ip'ed now.

Please correct me, anybody, if I was wrong.

> I have a 7.1-RELEASE machine here and would like to get it going with
> multi-ip jails.
>
> Problem is I'm finding it difficult to work out which patch I should use
> with the RELEASE branch. Can somebody please point it out for me?
>
> I know that the multi-ip jail patch is 7-STABLE branch, but I really need
> to be tracking RELEASE on this box.

--
Alexey V. Degtyarev

From bugmaster at FreeBSD.org Mon Mar 16 04:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 16 04:08:28 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200903161106.n2GB6v5L043295@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132092  jail       [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From nbari at k9.cx Tue Mar 17 01:19:59 2009
From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas)
Date: Tue Mar 17 01:20:06 2009
Subject: maxproc per jail
Message-ID:

Hi all, it is possible to limit the maxproc per jail ?

or how to put a protection to the main host in case the root user of a
jail try to make a fork bomb.

regards.

--
 > nbari

From jille at quis.cx Tue Mar 17 08:02:09 2009
From: jille at quis.cx (Jille Timmermans)
Date: Tue Mar 17 08:02:16 2009
Subject: maxproc per jail
In-Reply-To:
References:
Message-ID: <49BFB7A5.2030505@quis.cx>

Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi all, it is possible to limit the maxproc per jail ?
No, I wrote a patch once; I will take a look whether I still have it
somewhere.
But the patch only limits the number of processes, not memory nor open
files.
The best thing to do (I think) is create some rlimit for jails.

-- Jille
>
> or how to put a protection to the main host in case the root user of a
> jail try to make a fork bomb.
>
> regards.
>
> --
> > nbari
>

From nbari at k9.cx Tue Mar 17 10:29:23 2009
From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas)
Date: Tue Mar 17 10:29:29 2009
Subject: maxproc per jail
In-Reply-To: <49BFB7A5.2030505@quis.cx>
References: <49BFB7A5.2030505@quis.cx>
Message-ID: <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx>

Hi, thanks for the answer just one question how to setup rlimit for jails
? any ideas

regards.
--
 > nbari

On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote:

> Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi all, it is possible to limit the maxproc per jail ?
> No, I wrote a patch once; I will take a look whether I still have it
> somewhere.
> But the patch only limits the number of processes, not memory nor
> open files.
> The best thing to do (I think) is create some rlimit for jails.
>
> -- Jille
>> or how to put a protection to the main host in case the root user
>> of a jail try to make a fork bomb.
>> regards.
>> --
>> > nbari

From nbari at k9.cx Tue Mar 17 12:41:48 2009
From: nbari at k9.cx (Nicolas de Bari Embriz Garcia Rojas)
Date: Tue Mar 17 12:41:54 2009
Subject: maxproc per jail
In-Reply-To: <49BFF9AB.7030406@quis.cx>
References: <49BFB7A5.2030505@quis.cx> <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx> <49BFF9AB.7030406@quis.cx>
Message-ID: <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx>

A friend suggested to schg the rc.conf and login.conf of the jail and
put the root user in a login class with some strict perms. maybe can be
a solution.

regards.
--
 > nbari

On Mar 17, 2009, at 1:27 PM, Jille Timmermans wrote:

> Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi, thanks for the answer just one question how to setup rlimit for jails
>> ? any ideas
> I'm sorry for leaving that unclear; there is no rlimit for jails atm.
> But if someone wants to create a root-proof protection, I think that is
> the way to go. (being able to limit everything that rlimit can limit for
> single processes now)
>
> I unfortunately can't find the patch I mentioned, must have lost that
> during some disk-crash.
>
> So, I am afraid there is nothing I can do to help you.
>
> -- Jille
>>
>> regards.
>> --
>>> nbari
>>
>> On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote:
>>
>>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>>> Hi all, it is possible to limit the maxproc per jail ?
>>> No, I wrote a patch once; I will take a look whether I still have it
>>> somewhere.
>>> But the patch only limits the number of processes, not memory nor open
>>> files.
>>> The best thing to do (I think) is create some rlimit for jails.
>>>
>>> -- Jille
>>>> or how to put a protection to the main host in case the root user of
>>>> a jail try to make a fork bomb.
>>>> regards.
>>>> --
>>>>> nbari
>>

From jille at quis.cx Tue Mar 17 12:44:36 2009
From: jille at quis.cx (Jille Timmermans)
Date: Tue Mar 17 12:44:43 2009
Subject: maxproc per jail
In-Reply-To: <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx>
References: <49BFB7A5.2030505@quis.cx> <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx>
Message-ID: <49BFF9AB.7030406@quis.cx>

Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi, thanks for the answer just one question how to setup rlimit for jails
> ? any ideas
I'm sorry for leaving that unclear; there is no rlimit for jails atm.
But if someone wants to create a root-proof protection, I think that is
the way to go. (being able to limit everything that rlimit can limit for
single processes now)

I unfortunately can't find the patch I mentioned, must have lost that
during some disk-crash.

So, I am afraid there is nothing I can do to help you.

-- Jille
>
> regards.
> --
>> nbari
>
> On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote:
>
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>> Hi all, it is possible to limit the maxproc per jail ?
>> No, I wrote a patch once; I will take a look whether I still have it
>> somewhere.
>> But the patch only limits the number of processes, not memory nor open
>> files.
>> The best thing to do (I think) is create some rlimit for jails.
>>
>> -- Jille
>>> or how to put a protection to the main host in case the root user of
>>> a jail try to make a fork bomb.
>>> regards.
>>> --
>>> > nbari
>

From jille at quis.cx Tue Mar 17 12:55:11 2009
From: jille at quis.cx (Jille Timmermans)
Date: Tue Mar 17 12:55:18 2009
Subject: maxproc per jail
In-Reply-To: <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx>
References: <49BFB7A5.2030505@quis.cx> <65CE8B12-4C88-47A3-85A0-915708881925@k9.cx> <49BFF9AB.7030406@quis.cx> <86EEC660-5154-42E2-BF93-9A7794E0CFB7@k9.cx>
Message-ID: <49C0001D.3090105@quis.cx>

Nicolas de Bari Embriz Garcia Rojas wrote:
> A friend suggested to schg the rc.conf and login.conf of the jail and
> put the root user in a login class with some strict perms. maybe can be
> a solution.
login.conf sets rlimit; but root ignores them, so that isn't of much use.
(I'm not 100% sure, you can give it a try)

You can also try sysctl security.bsd.suser_enabled=0; but that will also
disable root outside the jail.
Patching the kernel to ignore root in jails is not very hard I think.

Writing that, it might also be easy to patch the kernel so that
root-in-jail doesn't override rlimits.

-- Jille
>
> regards.
> --
>> nbari
>
> On Mar 17, 2009, at 1:27 PM, Jille Timmermans wrote:
>
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>> Hi, thanks for the answer just one question how to setup rlimit for jails
>>> ? any ideas
>> I'm sorry for leaving that unclear; there is no rlimit for jails atm.
>> But if someone wants to create a root-proof protection, I think that is
>> the way to go. (being able to limit everything that rlimit can limit for
>> single processes now)
>>
>> I unfortunately can't find the patch I mentioned, must have lost that
>> during some disk-crash.
>>
>> So, I am afraid there is nothing I can do to help you.
>>
>> -- Jille
>>>
>>> regards.
>>> --
>>>> nbari
>>>
>>> On Mar 17, 2009, at 8:45 AM, Jille Timmermans wrote:
>>>
>>>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>>>> Hi all, it is possible to limit the maxproc per jail ?
>>>> No, I wrote a patch once; I will take a look whether I still have it
>>>> somewhere.
>>>> But the patch only limits the number of processes, not memory nor open
>>>> files.
>>>> The best thing to do (I think) is create some rlimit for jails.
>>>>
>>>> -- Jille
>>>>> or how to put a protection to the main host in case the root user of
>>>>> a jail try to make a fork bomb.
>>>>> regards.
>>>>> --
>>>>>> nbari
>>>
>

From espartano.mail at gmail.com Tue Mar 17 13:48:40 2009
From: espartano.mail at gmail.com (Espartano)
Date: Tue Mar 17 13:48:45 2009
Subject: maxproc per jail
In-Reply-To:
References:
Message-ID:

On Tue, Mar 17, 2009 at 1:48 AM, Nicolas de Bari Embriz Garcia Rojas wrote:
> Hi all, it is possible to limit the maxproc per jail ?
>
> or how to put a protection to the main host in case the root user of a jail
> try to make a fork bomb.
>

Maybe you can protect your computer using cpu's limits, you should
visit this page:

http://wiki.freebsd.org/JailResourceLimits

take a look that the patch is for FreeBSD RELENG_6, I don't know if
the patch works fine with FreeBSD 7, I have never used this patch.

> regards.
>
> --
>> nbari
>
>

--
"Linux is for people who hate Windows, BSD is for people who love UNIX".

"Social Engineer -> Because there is no patch for human stupidity"

"The Unix Guru's View of Sex unzip ; strip ; touch ; grep ; finger ;
mount ; fsck ; more ; yes ; umount ; sleep."

"Documentation is like sex: when it is good, it is very, very good;
and when it is bad, it is better than nothing."

From felipe.cts1 at gmail.com Wed Mar 18 12:10:14 2009
From: felipe.cts1 at gmail.com (Felipe Carlo)
Date: Wed Mar 18 12:10:20 2009
Subject: Problems with Jails and Samba3
Message-ID: <53bb3b9d0903181210n451b155an5abcda0c276b28a4@mail.gmail.com>

Hello,

I am new in this mailing-list, and I have one problem with Samba in a Jail.

When I try to start the samba I have this message:

# /usr/local/etc/rc.d/samba.sh start
%%WINBIND%%#: not found
%%WINBIND%%#winbindd_enable=YES: not found
.: Can't open %%RC_SUBR%%: No such file or directory

This is the rc.conf of the jail:

# cat /etc/rc.conf
hostname="teste3"
network_interfaces=""
sshd_enable="YES"
rpcbind_enable="NO"
sendmail_enable="NONE"
samba_enable="YES"
nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"

What I can do to fix this??

Thank you !!!

Regards,

--
Felipe Carlo Trepichio dos Santos

From bzeeb-lists at lists.zabbadoz.net Wed Mar 18 12:20:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Wed Mar 18 12:20:22 2009
Subject: Problems with Jails and Samba3
In-Reply-To: <53bb3b9d0903181210n451b155an5abcda0c276b28a4@mail.gmail.com>
References: <53bb3b9d0903181210n451b155an5abcda0c276b28a4@mail.gmail.com>
Message-ID: <20090318191633.G67075@maildrop.int.zabbadoz.net>

On Wed, 18 Mar 2009, Felipe Carlo wrote:

> Hello,
>
> I am new in this mailing-list, and I have one problem with Samba in a Jail.
>
> When I try to start the samba I have this message:
>
> # /usr/local/etc/rc.d/samba.sh start
> %%WINBIND%%#: not found
> %%WINBIND%%#winbindd_enable=YES: not found
> .: Can't open %%RC_SUBR%%: No such file or directory
>
> This is the rc.conf of the jail:
>
> # cat /etc/rc.conf
> hostname="teste3"
> network_interfaces=""
> sshd_enable="YES"
> rpcbind_enable="NO"
> sendmail_enable="NONE"
> samba_enable="YES"
> nmbd_enable="YES"
> smbd_enable="YES"
> winbindd_enable="YES"
>
> What I can do to fix this??
>
> Thank you !!!

That sounds like the port has a problem. I'd try to mail ports@ and
the port maintainer. You'll find it listed here:
http://www.freebsd.org/cgi/ports.cgi?query=samba-3.0&stype=name&sektion=all

/bz

--
Bjoern A. Zeeb      The greatest risk is not taking one.

From spry at anarchy.in.the.ph Wed Mar 18 18:43:45 2009
From: spry at anarchy.in.the.ph (Mars G Miro)
Date: Wed Mar 18 18:43:51 2009
Subject: Problems with Jails and Samba3
In-Reply-To: <20090318191633.G67075@maildrop.int.zabbadoz.net>
References: <53bb3b9d0903181210n451b155an5abcda0c276b28a4@mail.gmail.com> <20090318191633.G67075@maildrop.int.zabbadoz.net>
Message-ID:

On Thu, Mar 19, 2009 at 3:19 AM, Bjoern A. Zeeb wrote:
> On Wed, 18 Mar 2009, Felipe Carlo wrote:
>
>> Hello,
>>
>> I am new in this mailing-list, and I have one problem with Samba in a
>> Jail.
>>
>> When I try to start the samba I have this message:
>>
>> # /usr/local/etc/rc.d/samba.sh start
>> %%WINBIND%%#: not found
>> %%WINBIND%%#winbindd_enable=YES: not found
>> .: Can't open %%RC_SUBR%%: No such file or directory
>>
>> This is the rc.conf of the jail:
>>
>> # cat /etc/rc.conf
>> hostname="teste3"
>> network_interfaces=""
>> sshd_enable="YES"
>> rpcbind_enable="NO"
>> sendmail_enable="NONE"
>> samba_enable="YES"
>> nmbd_enable="YES"
>> smbd_enable="YES"
>> winbindd_enable="YES"
>>
>> What I can do to fix this??
>>
>> Thank you !!!
>
> That sounds like the port has a problem. I'd try to mail ports@ and
> the port maintainer. You'll find it listed here:
> http://www.freebsd.org/cgi/ports.cgi?query=samba-3.0&stype=name&sektion=all
>

I don't think so.

I have a perfectly running samba3.0.X (even authenticates to AD) in a
jail w/ the multi-IP patch and it has been rock solid since Jan 29.

To the OP: It's either there's something wrong w/ your jail or samba3
config itself.

> /bz
>
> --
> Bjoern A. Zeeb      The greatest risk is not taking one.
>

--
cheers
mars
-----
Rita Rudner - "Before I met my husband, I'd never fallen in love. I'd stepped in it a few times."

From bzeeb-lists at lists.zabbadoz.net Thu Mar 19 00:25:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Thu Mar 19 00:25:14 2009
Subject: Problems with Jails and Samba3
In-Reply-To:
References: <53bb3b9d0903181210n451b155an5abcda0c276b28a4@mail.gmail.com> <20090318191633.G67075@maildrop.int.zabbadoz.net>
Message-ID: <20090319072032.C67075@maildrop.int.zabbadoz.net>

On Thu, 19 Mar 2009, Mars G Miro wrote:

> On Thu, Mar 19, 2009 at 3:19 AM, Bjoern A. Zeeb
> wrote:
>> On Wed, 18 Mar 2009, Felipe Carlo wrote:
>>
>>> Hello,
>>>
>>> I am new in this mailing-list, and I have one problem with Samba in a
>>> Jail.
>>>
>>> When I try to start the samba I have this message:
>>>
>>> # /usr/local/etc/rc.d/samba.sh start
>>> %%WINBIND%%#: not found
>>> %%WINBIND%%#winbindd_enable=YES: not found
>>> .: Can't open %%RC_SUBR%%: No such file or directory
....
>>
>> That sounds like the port has a problem. I'd try to mail ports@ and
>> the port maintainer. You'll find it listed here:
>> http://www.freebsd.org/cgi/ports.cgi?query=samba-3.0&stype=name&sektion=all
>>
>
> I don't think so.
>
> I have a perfectly running samba3.0.X (even authenticates to AD) in a
> jail w/ the multi-IP patch and it has been rock solid since Jan 29.
>
> To the OP: It's either there's something wrong w/ your jail or samba3
> config itself.

Yes but see above; it seems the %%FOO%% weren't substituted upon
package build or port install.

--
Bjoern A. Zeeb      The greatest risk is not taking one.

From 000.fbsd at quip.cz Thu Mar 19 05:26:16 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Thu Mar 19 05:26:22 2009
Subject: maxproc per jail
In-Reply-To:
References:
Message-ID: <49C0156E.30701@quip.cz>

Espartano wrote:
> On Tue, Mar 17, 2009 at 1:48 AM, Nicolas de Bari Embriz Garcia Rojas
> wrote:
>
>>Hi all, it is possible to limit the maxproc per jail ?
>>
>>or how to put a protection to the main host in case the root user of a jail
>>try to make a fork bomb.
>>
>
>
> Maybe you can protect your computer using cpu's limits, you should
> visit this page:
>
> http://wiki.freebsd.org/JailResourceLimits
>
> take a look that the patch is for FreeBSD RELENG_6, I don't know if
> the patch works fine with FreeBSD 7, I have never used this patch.

It is outdated and AFAIK no longer maintained. (FreeBSD 7.1 is shipped
with different scheduler than before)

Miroslav Lachman

From jamie at FreeBSD.org Fri Mar 20 07:00:59 2009
From: jamie at FreeBSD.org (Jamie Gritton)
Date: Fri Mar 20 07:01:31 2009
Subject: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)
In-Reply-To: <49B980E1.30203@FreeBSD.org>
References: <49B55CA2.7090300@FreeBSD.org> <49B980E1.30203@FreeBSD.org>
Message-ID: <49C39368.4090208@FreeBSD.org>

I wrote:

> Here's a patch for ifconfig. It allows "ifconfig -a" and a few other
> similar informative ifconfig options to run inside an IPv4-less jail
> (of course trying to set anything still fails). Outside of a jail, you
> should see no change. Apply it inside your /usr/src tree, and install
> it both in the root system (under /sbin) and in your jails
> (/usr/jails/TEMPLATE or wherever). Just in case I broke something, keep
> a copy of the old one :-). But I've tested it on my own system so I
> don't expect anything to be broken.

The patch went in as r189864 on CURRENT and r189970 on STABLE. But the
fix brought up some other issues, and now the STABLE patch has been
reverted. It may come back in time for 7.2 if everything looks good in
CURRENT, but that's not a sure thing given the release schedule.

- Jamie

From felipe.cts1 at gmail.com Fri Mar 20 12:18:01 2009
From: felipe.cts1 at gmail.com (Felipe Carlo) Date: Fri Mar 20 12:18:08 2009 Subject: Problems with Jails and Samba3 In-Reply-To: <20090319072032.C67075@maildrop.int.zabbadoz.net> References: <53bb3b9d0903181210n451b155an5abcda0c276b28a4@mail.gmail.com> <20090318191633.G67075@maildrop.int.zabbadoz.net> <20090319072032.C67075@maildrop.int.zabbadoz.net> Message-ID: <53bb3b9d0903201217g7d84bb7aif976779b7437f488@mail.gmail.com> Hello, I updated my ports and install the Samba 3.3.x version but the problem still continue. This is my smb.conf : # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options (perhaps too # many!) most of which are not shown in this example # # For a step to step guide on installing, configuring and using samba, # read the Samba-HOWTO-Collection. This may be obtained from: # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf # # Many working examples of smb.conf files can be found in the # Samba-Guide which is generated daily and can be downloaded from: # http://www.samba.org/samba/docs/Samba-Guide.pdf # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. In this example we will use a # # for commentry and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command "testparm" # to check that you have not made any basic syntactic errors. # #======================= Global Settings ===================================== [global] # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH workgroup = TEST # server string is the equivalent of the NT Description field server string = Samba Server Test # Security mode. Defines in which mode Samba will operate. Possible # values are share, user, server, domain and ads. Most people will want # user level security. See the Samba-HOWTO-Collection for details. 
security = user # This option is important for security. It allows you to restrict # connections to machines which are on your local network. The # following example restricts access to two C class networks and # the "loopback" interface. For more examples of the syntax see # the smb.conf man page hosts allow = xxx.xxx.xxx.xxx # If you want to automatically load your printer list rather # than setting them up individually then you'll need this load printers = no # you may wish to override the location of the printcap file ; printcap name = /etc/printcap # on SystemV system setting printcap name to lpstat should allow # you to automatically obtain a printer list from the SystemV spool # system ; printcap name = lpstat # It should not be necessary to specify the print system type unless # it is non-standard. Currently supported print systems include: # bsd, cups, sysv, plp, lprng, aix, hpux, qnx ;# printing = cups # Uncomment this if you want a guest account, you must add this to /etc/passwd # otherwise the user "nobody" is used ; guest account = pcguest # this tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 50 # Use password server option only with security = server # The argument list may include: # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] # or to auto-locate the domain controller/s # password server = * ; password server = # Use the realm option only with security = ads # Specifies the Active Directory realm the host is part of ; realm = MY_REALM # Backend to store user information in. New installations should # use either tdbsam or ldapsam. smbpasswd is available for backwards # compatibility. tdbsam requires no further configuration. ; passdb backend = tdbsam # Using the following line enables you to customise your configuration # on a per machine basis. 
The %m gets replaced with the netbios name # of the machine that is connecting. # Note: Consider carefully the location in the configuration file of # this line. The included file is read at that point. ; include = /usr/local/etc/smb.conf.%m # Most people will find that this option gives better performance. # See the chapter 'Samba performance issues' in the Samba HOWTO Collection # and the manual pages for details. # You may want to add the following on a Linux system: ; socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 # Configure Samba to use multiple interfaces # If you have multiple network interfaces then you must list them # here. See the man page for details. ; interfaces = 192.168.12.2/24 192.168.13.2/24 # Browser Control Options: # set local master to no if you don't want Samba to become a master # browser on your network. Otherwise the normal election rules apply ; local master = no # OS Level determines the precedence of this server in master browser # elections. The default value should be reasonable ; os level = 33 # Domain Master specifies Samba to be the Domain Master Browser. This # allows Samba to collate browse lists between subnets. Don't use this # if you already have a Windows NT domain controller doing this job ; domain master = yes # Preferred Master causes Samba to force a local browser election on startup # and gives it a slightly higher chance of winning the election ; preferred master = yes # Enable this if you want Samba to be a domain logon server for # Windows95 workstations. 
; domain logons = yes # if you enable domain logons then you may want a per-machine or # per user logon script # run a specific logon batch file per workstation (machine) ; logon script = %m.bat # run a specific logon batch file per username ; logon script = %U.bat # Where to store roving profiles (only for Win95 and WinNT) # %L substitutes for this servers netbios name, %U is username # You must uncomment the [Profiles] share below ; logon path = \\%L\Profiles\%U # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server ; wins support = yes # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both ; wins server = w.x.y.z # WINS Proxy - Tells Samba to answer name resolution queries on # behalf of a non WINS capable client, for this to work there must be # at least one WINS Server on the network. The default is NO. ; wins proxy = yes # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names # via DNS nslookups. The default is NO. 
dns proxy = no # Charset settings ; display charset = koi8-r ; unix charset = koi8-r ; dos charset = cp866 # Use extended attributes to store file modes ; store dos attributes = yes ; map hidden = no ; map system = no ; map archive = no # Use inherited ACLs for directories ; nt acl support = yes ; inherit acls = yes ; map acl inherit = yes # These scripts are used on a domain controller or stand-alone # machine to add or delete corresponding unix accounts ; add user script = /usr/sbin/useradd %u ; add group script = /usr/sbin/groupadd %g ; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u ; delete user script = /usr/sbin/userdel %u ; delete user from group script = /usr/sbin/deluser %u %g ; delete group script = /usr/sbin/groupdel %g #============================ Share Definitions ============================== [homes] comment = Home Directories path = /home/ browseable = yes writable = yes # Un-comment the following and create the netlogon directory for Domain Logons ; [netlogon] ; comment = Network Logon Service ; path = /usr/local/samba/lib/netlogon ; guest ok = yes ; writable = no ; share modes = no # Un-comment the following to provide a specific roving profile share # the default is to use the user's home directory ;[Profiles] ; path = /usr/local/samba/profiles ; browseable = no ; guest ok = yes # NOTE: If you have a BSD-style print system there is no need to # specifically define each individual printer [printers] comment = All Printers path = /var/spool/samba browseable = no # Set public = yes to allow user 'guest account' to print guest ok = no writable = no printable = yes # This one is useful for people to share files ;[tmp] ; comment = Temporary file space ; path = /tmp ; read only = no ; public = yes # A publicly accessible directory, but read only, except for people in # the "staff" group ;[public] ; comment = Public Stuff ; path = /home/samba ; public = yes ; writable = yes ; printable = no ; write list = 
@staff # Other examples. # # A private printer, usable only by fred. Spool data will be placed in fred's # home directory. Note that fred must have write access to the spool directory, # wherever it is. ;[fredsprn] ; comment = Fred's Printer ; valid users = fred ; path = /homes/fred ; printer = freds_printer ; public = no ; writable = no ; printable = yes # A private directory, usable only by fred. Note that fred requires write # access to the directory. ;[fredsdir] ; comment = Fred's Service ; path = /usr/somewhere/private ; valid users = fred ; public = no ; writable = yes ; printable = no # a service which has a different directory for each machine that connects # this allows you to tailor configurations to incoming machines. You could # also use the %U option to tailor it by user name. # The %m gets replaced with the machine name that is connecting. ;[pchome] ; comment = PC Directories ; path = /usr/pc/%m ; public = no ; writable = yes # A publicly accessible directory, read/write to all users. Note that all files # created in the directory by users will be owned by the default user, so # any user with access can delete any other user's files. Obviously this # directory must be writable by the default user. Another user could of course # be specified, in which case all files would be owned by that user instead. ;[public] ; path = /usr/somewhere/else/public ; public = yes ; only guest = yes ; writable = yes ; printable = no # The following two entries demonstrate how to share a directory so that two # users can place files there that will be owned by the specific users. In this # setup, the directory should be writable by both users and should have the # sticky bit set on it to prevent abuse. Obviously this could be extended to # as many users as required. 
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765

I didn't make many changes in the original smb.conf because I'm testing the jails first, before putting them on a real server in the university.

Thank you very much !!!

Best Regards,

2009/3/19 Bjoern A. Zeeb

> On Thu, 19 Mar 2009, Mars G Miro wrote:
>
> On Thu, Mar 19, 2009 at 3:19 AM, Bjoern A. Zeeb
>> wrote:
>>
>>> On Wed, 18 Mar 2009, Felipe Carlo wrote:
>>>
>>> Hello,
>>>>
>>>> I am new in this mailing-list, and I have one problem with Samba in a
>>>> Jail.
>>>>
>>>> When I try to start the samba I have this message:
>>>>
>>>> # /usr/local/etc/rc.d/samba.sh start
>>>> %%WINBIND%%#: not found
>>>> %%WINBIND%%#winbindd_enable=YES: not found
>>>> .: Can't open %%RC_SUBR%%: No such file or directory
>>>>
>>> ....
>
>>
>>> That sounds like the port has a problem. I'd try to mail ports@ and
>>> the port maintainer. You'll find it listed here:
>>>
>>> http://www.freebsd.org/cgi/ports.cgi?query=samba-3.0&stype=name&sektion=all
>>>
>>>
>> I don't think so.
>>
>> I have a perfectly running samba3.0.X (even authenticates to AD) in a
>> jail w/ the multi-IP patch and it has been rock solid since Jan 29.
>>
>> To the OP: It's either there's something wrong w/ your jail or samba3
>> config itself.
>>
>
> Yes but see above; it seems the %%FOO%% weren't substituted upon
> package build or port install.
>
> --
> Bjoern A. Zeeb The greatest risk is not taking one.
>

--
Felipe Carlo Trepichio dos Santos

From bugmaster at FreeBSD.org Mon Mar 23 04:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 23 04:08:28 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200903231106.n2NB6wIl004047@freefall.freebsd.org>

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/132092  jail  [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From stef-list at memberwebs.com Mon Mar 23 16:50:31 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Mon Mar 23 16:50:37 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
Message-ID: <20090323232804.36215EFB6E7@mx.npubs.com>

I've rolled new versions of jailutils and bsnmp-jails which are compatible with the (awesome) jail changes in FreeBSD 7.2 and HEAD:

http://memberwebs.com/stef/freebsd/jails/jailutils/
http://memberwebs.com/stef/software/bsnmp-jails/

Cheers,

Stef Walter

From peter at pean.org Tue Mar 24 04:11:08 2009
From: peter at pean.org (Peter Ankerstål)
Date: Tue Mar 24 04:11:15 2009
Subject: Patching for multi-ip.
Message-ID: <81C2AAEA-525A-447D-8753-070248650C7D@pean.org>

Hi,

I'm running FreeBSD 7.1-RELEASE-p2 and want to upgrade my jail for multi-ip-support. But I can't find an easy way to do this? Is the simplest way just to build a new world with RELENG_7? I would really appreciate a guide or simple directions to get this without building world.

Thanks.

--
Peter Ankerstål
peter@pean.org
http://www.pean.org/

From peter at pean.org Tue Mar 24 04:26:48 2009
From: peter at pean.org (Peter Ankerstål)
Date: Tue Mar 24 04:26:54 2009
Subject: Patching for multi-ip.
In-Reply-To: <20090324111821.G67075@maildrop.int.zabbadoz.net>
References: <81C2AAEA-525A-447D-8753-070248650C7D@pean.org> <20090324111821.G67075@maildrop.int.zabbadoz.net>
Message-ID: <7EB59922-E445-4807-8C93-1DE41CBEB0CA@pean.org>

> On Tue, 24 Mar 2009, Peter Ankerstål wrote:
>
> Hi,
>
>> I'm running FreeBSD 7.1-RELEASE-p2 and want to upgrade my jail for
>> multi-ip-support.
>> But I can't find an easy way to do this? Is the simplest way just to
>> build a new world with
>> RELENG_7? I would really appreciate a guide or simple directions to
>> get this without
>> building world.
>
> there is no way w/o building a world and a kernel or waiting another
> few days for 7.2-{BETA,RC*,RELEASE} which will have all this.
>

Ok, thank you!

--
Peter Ankerstål
peter@pean.org
http://www.pean.org/

From bzeeb-lists at lists.zabbadoz.net Tue Mar 24 04:35:40 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Mar 24 04:35:46 2009
Subject: Patching for multi-ip.
In-Reply-To: <81C2AAEA-525A-447D-8753-070248650C7D@pean.org>
References: <81C2AAEA-525A-447D-8753-070248650C7D@pean.org>
Message-ID: <20090324111821.G67075@maildrop.int.zabbadoz.net>

On Tue, 24 Mar 2009, Peter Ankerstål wrote:

Hi,

> I'm running FreeBSD 7.1-RELEASE-p2 and want to upgrade my jail for
> multi-ip-support.
> But I can't find an easy way to do this? Is the simplest way just to build a
> new world with
> RELENG_7? I would really appreciate a guide or simple directions to get this
> without
> building world.

there is no way w/o building a world and a kernel or waiting another few days for 7.2-{BETA,RC*,RELEASE} which will have all this.

--
Bjoern A. Zeeb The greatest risk is not taking one.

From peter at pean.org Tue Mar 24 10:56:37 2009
From: peter at pean.org (Peter Ankerstål)
Date: Tue Mar 24 10:57:48 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
In-Reply-To: <20090323232804.36215EFB6E7@mx.npubs.com>
References: <20090323232804.36215EFB6E7@mx.npubs.com>
Message-ID: <98B67F85-CFB1-4105-97BD-BD02F59CCE86@pean.org>

On Mar 24, 2009, at 12:28 AM, Stef Walter wrote:

> I've rolled new versions of jailutils and bsnmp-jails which are
> compatible with the (awesome) jail changes in FreeBSD 7.2 and HEAD:
>
>

My knowledge about snmp is somewhat limited but I'm using cacti for the moment. Is there a simple way to use this module with cacti?

--
Peter Ankerstål
peter@pean.org
http://www.pean.org/

From stef-list at memberwebs.com Tue Mar 24 20:37:10 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Tue Mar 24 20:37:19 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
References: <20090323232804.36215EFB6E7@mx.npubs.com> <98B67F85-CFB1-4105-97BD-BD02F59CCE86@pean.org>
Message-ID: <20090325031621.B7FCFEFB6F6@mx.npubs.com>

Peter Ankerstål wrote:
> My knowledge about snmp is somewhat limited but I'm using cacti for the
> moment.
> Is there a simple way to use this module with cacti?

My knowledge of cacti is very limited. But I imagine you could add a new SNMP counter using the OID here:

http://memberwebs.com/stef/software/bsnmp-jails/bsnmp-jails.8.html

Or the MIB's here:

http://memberwebs.com/stef/software/bsnmp-jails/JAILS-MIB.txt

You can also use rrdbot-get (from the rrdbotd package) to list the table, and get the relevant OIDs:

http://memberwebs.com/stef/software/rrdbot/rrdbot-get.1.html

http://memberwebs.com/stef/software/rrdbot/rrdbot-get.1.html

Sorry this isn't more helpful.

Cheers,

Stef

From peter at pean.org Tue Mar 24 23:19:14 2009
From: peter at pean.org (Peter Ankerstål)
Date: Tue Mar 24 23:19:21 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
In-Reply-To: <20090325031621.B7FCFEFB6F6@mx.npubs.com>
References: <20090323232804.36215EFB6E7@mx.npubs.com> <98B67F85-CFB1-4105-97BD-BD02F59CCE86@pean.org> <20090325031621.B7FCFEFB6F6@mx.npubs.com>
Message-ID: <8E55FD43-EB8F-4C24-A54D-9CD860ECC79C@pean.org>

On Mar 25, 2009, at 4:16 AM, Stef Walter wrote:

> Peter Ankerstål wrote:
>> My knowledge about snmp is somewhat limited but I'm using cacti for
>> the
>> moment.
>> Is there a simple way to use this module with cacti?
>
> My knowledge of cacti is very limited. But I imagine you could add a
> new
> SNMP counter using the OID here:
>
> http://memberwebs.com/stef/software/bsnmp-jails/bsnmp-jails.8.html
>
> Or the MIB's here:
>
> http://memberwebs.com/stef/software/bsnmp-jails/JAILS-MIB.txt
>
> You can also use rrdbot-get (from the rrdbotd package) to list the
> table, and get the relevant OIDs:
>
> http://memberwebs.com/stef/software/rrdbot/rrdbot-get.1.html
>
> http://memberwebs.com/stef/software/rrdbot/rrdbot-get.1.html
>
> Sorry this isn't more helpful.
>
> Cheers,
>
> Stef
>

Thanks, I've looked at the cacti-documentation page and it doesn't seem that hard to add a new data source when you have the OID and so on.. But I have one question: "jails.jailTable.jailEntry.jailInOctets.X". Let's say I want to create a graph for a specific jail. How do I know X, and doesn't it change over time? (let's say I add a new jail, or start them in a different order)

--
Peter Ankerstål
peter@pean.org
http://www.pean.org/

From stef-list at memberwebs.com Wed Mar 25 14:51:09 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Wed Mar 25 14:51:15 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
References: <20090323232804.36215EFB6E7@mx.npubs.com> <98B67F85-CFB1-4105-97BD-BD02F59CCE86@pean.org> <20090325031621.B7FCFEFB6F6@mx.npubs.com> <8E55FD43-EB8F-4C24-A54D-9CD860ECC79C@pean.org>
Message-ID: <20090325215107.C491EEFB6E8@mx.npubs.com>

Peter Ankerstål wrote:
> Thanks, I've looked at the cacti-documentation page and it doesn't seem that
> hard to add a new data source when you have the OID and so on.. But I have
> one question: "jails.jailTable.jailEntry.jailInOctets.X". Let's say I want
> to create
> a graph for a specific jail. How do I know X, and doesn't it change over
> time?
> (let's say I add a new jail, or start them in a different order)

That was exactly the problem I faced with cacti, mrtg and other pollers, and that's one reason why I wrote my own (the other major reason is performance). It's called rrdbotd:

http://memberwebs.com/stef/software/rrdbot/

It lets you poll a URL that looks like:

snmp://public@example.com/jailInOctets?jailHost=jail.example.com

See 'TABLE QUERIES' here:

http://memberwebs.com/stef/software/rrdbot/rrdbot.conf.5.html

http://memberwebs.com/stef/software/rrdbot/rrdbot-get.1.html

In addition rrdbotd can do crazy stuff like track the same jail as it moves across multiple machines. See 'MULTIPLE AGENTS'. We use quick failover migration of jails.

Cheers,

Stef Walter

From bugmaster at FreeBSD.org Mon Mar 30 04:06:56 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Mar 30 04:08:25 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200903301106.n2UB6s3t054787@freefall.freebsd.org>

Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/132092  jail  [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From scheidell at secnap.net Tue Mar 31 07:54:53 2009
From: scheidell at secnap.net (Michael Scheidell)
Date: Tue Mar 31 07:54:59 2009
Subject: anyone using ssl accellorator cards in jail?
Message-ID: <49D22ADE.6070005@secnap.net>

would I need a card for each jail? each IP? What os? FBSD 6.4 or 7.1? what are your experiences? what about Self signed certs and those cards?

having 'issues' I suspect with 30 ish https hosts on one jail, with multiple readers. trying to speed things up.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

From peter at pean.org Tue Mar 31 09:53:43 2009
From: peter at pean.org (Peter Ankerstål)
Date: Tue Mar 31 09:53:49 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
In-Reply-To: <20090325215107.C491EEFB6E8@mx.npubs.com>
References: <20090323232804.36215EFB6E7@mx.npubs.com> <98B67F85-CFB1-4105-97BD-BD02F59CCE86@pean.org> <20090325031621.B7FCFEFB6F6@mx.npubs.com> <8E55FD43-EB8F-4C24-A54D-9CD860ECC79C@pean.org> <20090325215107.C491EEFB6E8@mx.npubs.com>
Message-ID: <0E9FFDD0-E87F-44D8-8900-61A701AF0426@pean.org>

On Mar 25, 2009, at 10:51 PM, Stef Walter wrote:

>
>
>
> It lets you poll a URL that looks like:
>
> snmp://public@example.com/jailInOctets?jailHost=jail.example.com
>
>
> See 'TABLE QUERIES' here:
>
> http://memberwebs.com/stef/software/rrdbot/rrdbot.conf.5.html
>
> http://memberwebs.com/stef/software/rrdbot/rrdbot-get.1.html
>
>

Damn, I can't figure out how to get the MIB-file working. Where should I place the .txt? and client-side, server-side, both? path?

--
Peter Ankerstål
peter@pean.org
http://www.pean.org/

From stef-list at memberwebs.com Tue Mar 31 20:40:31 2009
From: stef-list at memberwebs.com (Stef Walter)
Date: Tue Mar 31 20:40:36 2009
Subject: New 7.2 compatible versions of jailutils and bsnmp-jails
References: <20090323232804.36215EFB6E7@mx.npubs.com> <98B67F85-CFB1-4105-97BD-BD02F59CCE86@pean.org> <20090325031621.B7FCFEFB6F6@mx.npubs.com> <8E55FD43-EB8F-4C24-A54D-9CD860ECC79C@pean.org> <20090325215107.C491EEFB6E8@mx.npubs.com> <0E9FFDD0-E87F-44D8-8900-61A701AF0426@pean.org>
Message-ID: <20090401031337.601FCEFB6EE@mx.npubs.com>

Peter Ankerstål wrote:
> Damn, I can't figure out how to get the MIB-file working. Where should I
> place the
> .txt? and client-side, server-side, both? path?

On the client side, either in /usr/local/share/mib or /usr/local/share/snmp/mibs ... depending on the SNMP software you're using. You should see a bunch of *-MIB.txt files in either of those locations.

If you'd like to join us on rrdbot@googlegroups.com, this discussion is probably more on topic there.

Cheers,

Stef
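
The index question raised earlier in this thread (the X in jails.jailTable.jailEntry.jailInOctets.X) and the jailHost table query given in reply, sketched as an added example that is not part of any post and is not rrdbot or bsnmp-jails code. The "column.index = value" walk format, the sample values and all function names are assumptions made for illustration.

```python
import re

# Constructed sample walks of the jail table. The "column.index = value"
# line format and every value here are assumptions, not bsnmp-jails output.
WALK_BEFORE = """\
jailHost.1 = www.example.com
jailHost.2 = jail.example.com
jailInOctets.1 = 1200
jailInOctets.2 = 98000
"""
# The same jails after a restart in a different order, plus one new jail.
WALK_AFTER = """\
jailHost.4 = jail.example.com
jailHost.5 = db.example.com
jailHost.6 = www.example.com
jailInOctets.4 = 99500
jailInOctets.5 = 10
jailInOctets.6 = 1300
"""

LINE = re.compile(r"^(\w+)\.(\d+)\s*=\s*(.*)$")


def parse_walk(text):
    """Return {column: {row_index: value}} from 'column.index = value' lines."""
    table = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            column, index, value = m.group(1), int(m.group(2)), m.group(3).strip()
            table.setdefault(column, {})[index] = value
    return table


def row_index(table, match_column, match_value):
    """Find the single row whose match_column equals match_value."""
    rows = [i for i, v in table.get(match_column, {}).items() if v == match_value]
    if len(rows) != 1:
        # Zero rows: the jail is not running. Several rows: the key is
        # ambiguous, and graphing any one of them would mix up jails.
        raise LookupError(f"{match_column}={match_value!r} matched {len(rows)} rows")
    return rows[0]


def table_query(walk_text, field, match_column, match_value):
    """Resolve the row by a stable column on every poll, then read the field."""
    table = parse_walk(walk_text)
    idx = row_index(table, match_column, match_value)
    return f"{field}.{idx}", int(table[field][idx])


if __name__ == "__main__":
    for walk in (WALK_BEFORE, WALK_AFTER):
        print(table_query(walk, "jailInOctets", "jailHost", "jail.example.com"))
```

A poller that stores the numeric index instead would, in the second sample, find no row 2 at all, and in other orderings could silently graph a different jail's counter.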