From bugmaster at FreeBSD.org Mon Nov 2 11:06:58 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 2 11:08:42 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200911021106.nA2B6vdm033645@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From bugmaster at FreeBSD.org Mon Nov 9 11:06:56 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 9 11:08:35 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200911091106.nA9B6uoM079039@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From vagif at zeynalov.com Sun Nov 15 23:29:31 2009
From: vagif at zeynalov.com (Vagif Zeynalov)
Date: Sun Nov 15 23:29:38 2009
Subject: Broadcast under Jail problems
Message-ID:

Hi All!

I use the mediatomb package as the UPNP/DLNA media server under jail.
But after upgrade from 7.0 Release to the 7.2 Current, the mediatomb doesn't
work any more. Two days ago I've upgraded to the 8.0RC3, and problem still
present.

I think it is some security issue, but I have not any idea how to open
broadcasting for a jailed process. Without jail the mediatomb works fine.

Maybe someone already experienced the same problem and knows how to fix it?

Jail's settings:
=========
jail_set_hostname_allow="NO"
jail_socket_unixiproute_only="YES"
jail_sysvipc_allow="YES"
jail_allow_raw_sockets="YES"

jail_upnp_rootdir="$jail_dir/upnp"
jail_upnp_hostname="upnp.local"
jail_upnp_interface="sk0"
jail_upnp_ip="sk0|192.168.22.103/24,lo0|127.0.0.2/8,msk0|192.168.23.103/24"
jail_upnp_exec_start="/bin/sh /etc/rc"
jail_upnp_exec_stop="/bin/sh /etc/rc.shutdown"
jail_upnp_devfs_enable="YES"
jail_upnp_fdescfs_enable="NO"
jail_upnp_procfs_enable="YES"
jail_upnp_mount_enable="NO"
jail_upnp_devfs_ruleset="10"
jail_upnp_mount_enable="YES"
jail_upnp_fstab="$jail_config_dir/upnp.fstab"
jail_upnp_flags="-l -U root"

...I can provide more details if it will be necessary...

Thank you,
Vagif.

From bzeeb-lists at lists.zabbadoz.net Mon Nov 16 07:10:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Mon Nov 16 07:10:15 2009
Subject: Broadcast under Jail problems
In-Reply-To:
References:
Message-ID: <20091116070634.S37440@maildrop.int.zabbadoz.net>

On Mon, 16 Nov 2009, Vagif Zeynalov wrote:

Hi,

> ...I can provide more details if it will be necessary...

error logs from the application would be interesting to see which
(sys)call return which error so that we can narrow it down.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

From bugmaster at FreeBSD.org Mon Nov 16 11:06:56 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 16 11:08:37 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200911161106.nAGB6tZU011211@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From vagif at zeynalov.com Mon Nov 16 13:15:12 2009
From: vagif at zeynalov.com (Vagif Zeynalov)
Date: Mon Nov 16 13:15:19 2009
Subject: Broadcast under Jail problems
In-Reply-To: <20091116070634.S37440@maildrop.int.zabbadoz.net>
References: <20091116070634.S37440@maildrop.int.zabbadoz.net>
Message-ID:

>> ...I can provide more details if it will be necessary...
>
> error logs from the application would be interesting to see which
> (sys)call return which error so that we can narrow it down.
>

You know, to make the answer I just rebuild the mediatomb on the clear jail
machine and... the problem has been disappeared!
It's very strange, because I already did it before few times.

Whatever, sorry guys for disturb. ;-))
I have to investigate, what did I change at last night in the system.

Regards,
Vagif

From Lars.Scheithauer at fh-heidelberg.de Tue Nov 17 09:38:49 2009
From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH))
Date: Tue Nov 17 09:38:55 2009
Subject: Networking from jail
Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Hi everyone!

I'm having a little trouble with my jail's networking and I'm not sure
what to make of it.

My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The
jailhost has both IP addresses, the jail has just its own:

Jail# ifconfig
bce0: flags=8843 metric 0 mtu 1500
        options=1bb
        ether xx:xx:xx:xx:xx:10
        inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63
        media: Ethernet autoselect (1000baseSX )
        status: active
[...]

Host# ifconfig
bce0: flags=8843 metric 0 mtu 1500
        options=1bb
        ether xx:xx:xx:xx:xx:10
        inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63
        inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63
        media: Ethernet autoselect (1000baseSX )
        status: active
[...]

I am able to access the ssh-server running on the jail, and I am able to
access the proxyserver of our network via telnet and get some pages of
the internet. However, if I want to install something from the ports,
the jail is unable to fetch it:

Jail# cd /usr/ports/ftp/wget
Jail# make
===> Vulnerability check disabled, database not found
===> Found saved configuration for wget-1.11.4_1
=> wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://ftp.gnu.org/gnu/wget/.
fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed out
=> Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/.
[...]

I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY
and FTP_PROXY. If I test the connection with netcat, I get the following
error message:

# nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80
nc: read failed (0/3): Broken pipe

The funny thing is, that I have no problem installing ports from the
Host-system.
From what I can tell, all the config files are correct:

Jail# cat /etc/rc.conf
sshd_enable="YES"
ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192"
defaultrouter="x.y.z.62"
hostname="jail.example.com"

Host# cat /etc/rc.conf
sshd_enable="NO"
ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192"
defaultrouter="x.y.z.62"
hostname="host.example.com"
ipv6_enable="NO"
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="jail"
jail_jail_hostname="jail"
jail_jail_ip="x.y.z.60"
jail_jail_rootdir="my/jail/root"
jail_jail_devfs_enable="YES"

Any ideas?

Best Regards,
Lars

From Lars.Scheithauer at fh-heidelberg.de Tue Nov 17 09:49:04 2009
From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH))
Date: Tue Nov 17 09:49:10 2009
Subject: Networking from jail - errata
In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
References: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Quick note:
Forgot to replace two values.
Jail - x.y.z.61
Host - x.y.z.60
Router - x.y.z.62

From bzeeb-lists at lists.zabbadoz.net Tue Nov 17 10:45:08 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Nov 17 10:45:14 2009
Subject: Networking from jail - errata
In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>
References: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>
Message-ID: <20091117103601.G37440@maildrop.int.zabbadoz.net>

On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote:

Hi,

> Quick note:
> Forgot to replace two values.
> Jail - x.y.z.61
> Host - x.y.z.60
> Router - x.y.z.62
>
>
> -----Original Message-----
> From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On behalf of Scheithauer, Lars (FH)
> Sent: Tuesday, 17 November 2009 10:19
> To: freebsd-jail@freebsd.org
> Subject: Networking from jail
>
> Hi everyone!
>
> I'm having a little trouble with my jail's networking and I'm not sure
> what to make of it.
>
> My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The
> jailhost has both IP addresses, the jail has just its own:
>
> Jail# ifconfig
> bce0: flags=8843 metric 0 mtu
> 1500
>
> options=1bb TSO4>
> ether xx:xx:xx:xx:xx:10
> inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63
> media: Ethernet autoselect (1000baseSX )
> status: active
> [...]
> Host# ifconfig
> bce0: flags=8843 metric 0 mtu
> 1500
>
> options=1bb TSO4>
> ether xx:xx:xx:xx:xx:10
> inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63
> inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63
> media: Ethernet autoselect (1000baseSX )
> status: active
> [...]
>
> I am able to access the ssh-server running on the jail, and I am able to
> access the proxyserver of our network via telnet and get some pages of
> the internet. However, if I want to install something from the ports,
> the jail is unable to fetch it:
>
> Jail# cd /usr/ports/ftp/wget
> Jail# make
> ===> Vulnerability check disabled, database not found
> ===> Found saved configuration for wget-1.11.4_1
> => wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch from http://ftp.gnu.org/gnu/wget/.
> fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed
> out
> => Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/.
> [...]
>
> I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY
> and FTP_PROXY. If I test the connection with netcat, I get the following
> error message:
> # nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80
> nc: read failed (0/3): Broken pipe

The usual thing I am interested at that point is - does name resolution
work properly from within the jail? /etc/resolv.conf setup correctly
etc?

> The funny thing is, that I have no problem installing ports from the
> Host-system. From what I can tell, all the config files are correct:
>
> Jail# cat /etc/rc.conf
> sshd_enable="YES"
> ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192"
> defaultrouter="x.y.z.62"
> hostname="jail.example.com"

That's not going to work, really (the ifconfig, defaultrouter, and
unless you changed the defaults on the host system not even the
hostname). You should actually remove those.

> Host# cat /etc/rc.conf
> sshd_enable="NO"
> ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192"
> defaultrouter="x.y.z.62"
> hostname="host.example.com"
> ipv6_enable="NO"
> jail_enable="YES"
> jail_set_hostname_allow="NO"
> jail_list="jail"
> jail_jail_hostname="jail"
> jail_jail_ip="x.y.z.60"
> jail_jail_rootdir="my/jail/root"
> jail_jail_devfs_enable="YES"

That doesn't really match your ifconfig output from above; something
on the host system would have to set the IP address of the host.

I would expect something like (you may have mixed jail and host
addresses so properly sort this):

# host system IP address
ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192"
# jail IP address
ifconfig_bce0_alias0="inet x.y.z.60 netmask 255.255.255.255"

Note that the alias has a /32 netmask.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

From Lars.Scheithauer at fh-heidelberg.de Tue Nov 17 11:18:44 2009
From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH))
Date: Tue Nov 17 11:18:51 2009
Subject: AW: Networking from jail - errata
In-Reply-To: <20091117103601.G37440@maildrop.int.zabbadoz.net>
References: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<20091117103601.G37440@maildrop.int.zabbadoz.net>
Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A7D@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Hi Bjoern,

thanks for the clarification, I changed the values according to your
suggestions. However, it did not resolve the problem.

I've checked the proxy logfiles and it seems, that the Makefile(s) don't
try to access the proxy at all while fetching files. Is there any reason,
why the Makefile(s) should not use the *_PROXY-variables on the jails?

Best Regards,
Lars

From bzeeb-lists at lists.zabbadoz.net Tue Nov 17 11:30:07 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Tue Nov 17 11:30:21 2009
Subject: AW: Networking from jail - errata
In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A7D@FHCLUSRV-EX.dcs.fh-heidelberg.de>
References: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<20091117103601.G37440@maildrop.int.zabbadoz.net>
	<26040005B7F3AA41A0345BCE386CA09701C62A7D@FHCLUSRV-EX.dcs.fh-heidelberg.de>
Message-ID: <20091117112535.L37440@maildrop.int.zabbadoz.net>

On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote:

Hi,

> thanks for the clarification, I changed the values according to your suggestions. However, it did not resolve the problem.

Did you also check resolv.conf inside the jail? Does
host www.freebsd.org
work?

> I've checked the proxy logfiles and it seems, that the Makefile(s) don't try to access the proxy at all while fetching files. Is there any reason, why the Makefile(s) should not use the *_PROXY-variables on the jails?

I assume the proxy is squid and that the proxy itself works?
What if you set the http_proxy variables to an IP address rather than
the name (don't use 127.0.0.1 as address, just to rule that out as
well).

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

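Added example (not part of the thread and not code from any of its participants): a small Python check for the rc.conf advice given earlier in this thread, namely that the jail's address has to exist on the host, as an alias with a /32 netmask, and that ifconfig_*, defaultrouter and (with jail_set_hostname_allow="NO" on the host) hostname lines do not belong in the jail's own rc.conf. The 192.0.2.x addresses and sample files are constructed stand-ins for the x.y.z.* placeholders, and the function names are this example's own.

```python
import ipaddress
import shlex

# Constructed samples: 192.0.2.x stands in for the thread's x.y.z.* placeholders.
HOST_AS_POSTED = '''
ifconfig_bce0="inet 192.0.2.61 netmask 255.255.255.192"
defaultrouter="192.0.2.62"
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="jail"
jail_jail_ip="192.0.2.60"
'''
# Same file with the jail address added as a /32 alias, as suggested in the thread.
HOST_WITH_ALIAS = HOST_AS_POSTED + '''
# jail IP address
ifconfig_bce0_alias0="inet 192.0.2.60 netmask 255.255.255.255"
'''
# Variant where the alias repeats the subnet mask (hex form, as ifconfig prints it).
HOST_WIDE_ALIAS = HOST_AS_POSTED + '''
ifconfig_bce0_alias0="inet 192.0.2.60 netmask 0xffffffc0"
'''
JAIL_AS_POSTED = '''
sshd_enable="YES"
ifconfig_bce0="inet 192.0.2.60 netmask 255.255.255.192"
defaultrouter="192.0.2.62"
hostname="jail.example.com"
'''


def parse_rc_conf(text):
    """Return {name: value} for the name="value" lines of an rc.conf."""
    conf = {}
    for line in text.splitlines():
        for token in shlex.split(line, comments=True):
            name, sep, value = token.partition("=")
            if sep:
                conf[name] = value
    return conf


def parse_inet(value):
    """Turn an ifconfig_* value into an IPv4Interface.

    Returns None when there is no usable 'inet ADDR' with an explicit mask
    (CIDR suffix, dotted netmask or hex netmask); this sketch skips those.
    """
    words = value.split()
    try:
        addr = words[words.index("inet") + 1]
        if "/" not in addr:
            mask = words[words.index("netmask") + 1]
            if mask.lower().startswith("0x"):
                mask = str(ipaddress.IPv4Address(int(mask, 16)))
            addr = f"{addr}/{mask}"
        return ipaddress.ip_interface(addr)
    except (ValueError, IndexError):
        return None


def check_host(conf):
    """Check that every plain jail_<name>_ip is set on the host as a /32 alias."""
    findings = []
    ifaces = {k: parse_inet(v) for k, v in conf.items() if k.startswith("ifconfig_")}
    for jail in conf.get("jail_list", "").split():
        for entry in conf.get(f"jail_{jail}_ip", "").split(","):
            if not entry or "|" in entry:
                continue  # the iface|addr form is not checked by this sketch
            ip = ipaddress.ip_address(entry.split("/")[0])
            owners = {k: v for k, v in ifaces.items() if v is not None and v.ip == ip}
            if not owners:
                findings.append(f"{jail}: {ip} is not configured on any host interface")
            for key, iface in owners.items():
                plen = iface.network.prefixlen
                if "_alias" in key and plen != 32:
                    findings.append(f"{jail}: {key} uses /{plen}, expected a /32 alias")
    return findings


def check_jail(jail_conf, host_conf):
    """Flag rc.conf lines inside the jail that the thread says to remove."""
    findings = []
    for key in sorted(jail_conf):
        if key.startswith("ifconfig_") or key == "defaultrouter":
            findings.append(f"jail rc.conf: remove {key}, addresses and routes are set on the host")
    if "hostname" in jail_conf and host_conf.get("jail_set_hostname_allow", "").upper() == "NO":
        findings.append('jail rc.conf: hostname cannot be set while the host has '
                        'jail_set_hostname_allow="NO"')
    return findings


if __name__ == "__main__":
    host = parse_rc_conf(HOST_AS_POSTED)
    for finding in check_host(host) + check_jail(parse_rc_conf(JAIL_AS_POSTED), host):
        print(finding)
```
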
From Lars.Scheithauer at fh-heidelberg.de Tue Nov 17 11:40:56 2009
From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH))
Date: Tue Nov 17 11:41:02 2009
Subject: AW: AW: Networking from jail - errata
In-Reply-To: <20091117112535.L37440@maildrop.int.zabbadoz.net>
References: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<20091117103601.G37440@maildrop.int.zabbadoz.net>
	<26040005B7F3AA41A0345BCE386CA09701C62A7D@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<20091117112535.L37440@maildrop.int.zabbadoz.net>
Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A80@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Hi Bjoern,

I did, but the error was somewhere else. I set the proxy through
set http_proxy="http://proxy.example.com:8080"
while the correct version would be
setenv http_proxy http://proxy.example.com:8080

In both cases, "echo $http_proxy" returns the correct entry. Could you
explain the difference between set and setenv?

Best Regards,
Lars

From 000.fbsd at quip.cz Tue Nov 17 14:12:58 2009
From: 000.fbsd at quip.cz (Miroslav Lachman)
Date: Tue Nov 17 14:13:04 2009
Subject: AW: AW: Networking from jail - errata
In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A80@FHCLUSRV-EX.dcs.fh-heidelberg.de>
References: <26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<20091117103601.G37440@maildrop.int.zabbadoz.net>
	<26040005B7F3AA41A0345BCE386CA09701C62A7D@FHCLUSRV-EX.dcs.fh-heidelberg.de>
	<20091117112535.L37440@maildrop.int.zabbadoz.net>
	<26040005B7F3AA41A0345BCE386CA09701C62A80@FHCLUSRV-EX.dcs.fh-heidelberg.de>
Message-ID: <4B02AF65.6080007@quip.cz>

Scheithauer, Lars (FH) wrote:
> Hi Bjoern,
>
> I did, but the error was somewhere else. I set the proxy through
> set http_proxy="http://proxy.example.com:8080"
> while the correct version would be
> setenv http_proxy http://proxy.example.com:8080
>
> In both cases, "echo $http_proxy" returns the correct entry. Could you explain the difference between set and setenv?

The difference is, that 'set' is for shell variables (in scope of
current shell) and 'setenv' is for environment variables.
If you use 'set' and then try to print the value from forked shell
script, it will be empty. If you use 'setenv', the shell script will
print the value.

See 'man tcsh' (if you are using tcsh as your login shell)

Miroslav Lachman

From Lars.Scheithauer at fh-heidelberg.de Wed Nov 18 13:45:55 2009
From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH))
Date: Wed Nov 18 13:46:02 2009
Subject: Problem with Apache in Jail
Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Hi everyone,

I've started to install an apache22 in a freebsd-jail and have a
problem. The jail has a public ip address, so from what I know, I
wouldn't have to forward any packages to it.
I can reach the apache22 server by ip-address, but not by its DNS - the connection gets "disrupted". I can successfully nslookup the DNS and if I watch the traffic of the browser via wireshark, I see that it sends packages to the server, but the server doesn't send any packages back. I also do not find any traces of the connection attempt in the apache-logs. The config-files of the apache are correct and read (tested by entering some false configs and the server refused to start afterwards - and as said I'm able to access it by its ip). Now, is there any way that this could be caused by the jail? Best Regards, Lars From sociologieopzaterdag at gmail.com Wed Nov 18 13:56:57 2009 From: sociologieopzaterdag at gmail.com (jelmer) Date: Wed Nov 18 13:57:05 2009 Subject: Broadcast under Jail problems Message-ID: <4c7a12550911180533y6bed77f5m222725c6a3ca87be@mail.gmail.com> (create a virtual network interface, and use packet filter) # ifconfig lo1 create # ifconfig lo1 inet 10.0.1.1 netmask 255.255.255.0 # touch /etc/start_if.lo1 # echo "ifconfig lo1 create" >> /etc/start_if.lo1 # cp /usr/share/examples/pf/pf.conf /etc/ (existance of pf.conf is just necessary, later I setup a complete one) (allow networking for jails - required for the installation of ports) * # echo 'nat on bge0 from lo1:network to any -> (bge0)' >> /etc/pf.conf # pfctl -d # pfctl -e -f /etc/pf.conf # echo ' and use this in rc.conf interfaces="lo0 bge0" cloned_interfaces="lo1" ifconfig_re0="inet netmask 255.255.255.128 -rxcsum -txcsum" ifconfig_re0_alias0="inet netmask 255.255.255.128" ifconfig_lo1="inet 10.0.1.1 netmask 255.255.255.0" ifconfig_lo1_alias0="inet 10.0.1.2/24" ifconfig_lo1_alias1="inet 10.0.1.3/32" On Tue, Nov 17, 2009 at 1:00 PM, wrote: > Send freebsd-jail mailing list submissions to > freebsd-jail@freebsd.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > or, via email, send a message with subject or body 'help' to 
> freebsd-jail-request@freebsd.org > > You can reach the person managing the list at > freebsd-jail-owner@freebsd.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of freebsd-jail digest..." > > > Today's Topics: > > 1. Re: Broadcast under Jail problems (Vagif Zeynalov) > 2. Networking from jail (Scheithauer, Lars (FH)) > 3. Networking from jail - errata (Scheithauer, Lars (FH)) > 4. Re: Networking from jail - errata (Bjoern A. Zeeb) > 5. AW: Networking from jail - errata (Scheithauer, Lars (FH)) > 6. Re: AW: Networking from jail - errata (Bjoern A. Zeeb) > 7. AW: AW: Networking from jail - errata (Scheithauer, Lars (FH)) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 16 Nov 2009 16:14:59 +0300 > From: "Vagif Zeynalov" > Subject: Re: Broadcast under Jail problems > To: "Bjoern A. Zeeb" > Cc: freebsd-jail@freebsd.org > Message-ID: > Content-Type: text/plain; format=flowed; charset="iso-8859-1"; > reply-type=response > > > >> ...I can provide more details if it will be necessary... > > > > error ogs from the application would be interesting to see which > > (sys)call return which error so that we can narrow it down. > > > > You know, to make the answer I just rebuild the mediatomb on the clear jail > machine and... the problem has been disappeared! > It's very strange, because I already did it before few times. > > Whatever, sorry guys for disturb. ;-)) > I have to investigate, what did I change at last night in the system. > > Regards, > Vagif > > > > ------------------------------ > > Message: 2 > Date: Tue, 17 Nov 2009 10:18:59 +0100 > From: "Scheithauer, Lars (FH)" > Subject: Networking from jail > To: > Message-ID: > < > 26040005B7F3AA41A0345BCE386CA09701C62A79@FHCLUSRV-EX.dcs.fh-heidelberg.de> > > Content-Type: text/plain; charset="us-ascii" > > Hi everyone! > > I'm having a little trouble with my jail's networking and I'm not sure > what to make of it. 
> > My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The > jailhost has both IP-adresses, the jail has just it's own: > > Jail# ifconfig > bce0: flags=8843 metric 0 mtu > 1500 > > options=1bb TSO4> > ether xx:xx:xx:xx:xx:10 > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > media: Ethernet autoselect (1000baseSX ) > status: active > [...] > Host# ifconfig > bce0: flags=8843 metric 0 mtu > 1500 > > options=1bb TSO4> > ether xx:xx:xx:xx:xx:10 > inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63 > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > media: Ethernet autoselect (1000baseSX ) > status: active > [...] > > I am able to access the ssh-server running on the jail, and I am able to > access the proxyserver of our network via telnet and get some pages of > the internet. However, if I want to install something from the ports, > the jail is unable to fetch it: > > Jail# cd /usr/ports/ftp/wget > Jail# make > ===> Vulnerability check disabled, database not found > ===> Found saved configuration for wget-1.11.4_1 > => wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/. > => Attempting to fetch from http://ftp.gnu.org/gnu/wget/. > fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed > out > => Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/. > [...] > > I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY > and FTP_PROXY. If I test the connection with netcat, I get the following > error message: > # nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80 > nc: read failed (0/3): Broken pipe > > The funny thing is, that I have no problem installing ports from the > Host-system. 
From what I can tell, all the config files are correct: > > Jail# cat /etc/rc.conf > sshd_enable="YES" > ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192" > defaultrouter="x.y.z.62" > hostname="jail.example.com" > > Host# cat /etc/rc.conf > sshd_enable="NO" > ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192" > defaultrouter="x.y.z.62" > hostname="host.example.com" > ipv6_enable="NO" > jail_enable="YES" > jail_set_hostname_allow="NO" > jail_list="jail" > jail_jail_hostname="jail" > jail_jail_ip="x.y.z.60" jail_jail_rootdir="my/jail/root" > jail_jail_devfs_enable="YES" > > Any ideas? > > Best Regards, > Lars > > > ------------------------------ > > Message: 3 > Date: Tue, 17 Nov 2009 10:48:59 +0100 > From: "Scheithauer, Lars (FH)" > Subject: Networking from jail - errata > To: > Message-ID: > < > 26040005B7F3AA41A0345BCE386CA09701C62A7A@FHCLUSRV-EX.dcs.fh-heidelberg.de> > > Content-Type: text/plain; charset="iso-8859-1" > > Quick note: > Forgot to replace two values. > Jail - x.y.z.61 > Host - x.y.z.60 > Router - x.y.z.62 > > > -----Urspr?ngliche Nachricht----- > Von: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] > Im Auftrag von Scheithauer, Lars (FH) > Gesendet: Dienstag, 17. November 2009 10:19 > An: freebsd-jail@freebsd.org > Betreff: Networking from jail > > Hi everyone! > > I'm having a little trouble with my jail's networking and I'm not sure > what to make of it. > > My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The > jailhost has both IP-adresses, the jail has just it's own: > > Jail# ifconfig > bce0: flags=8843 metric 0 mtu > 1500 > > options=1bb TSO4> > ether xx:xx:xx:xx:xx:10 > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > media: Ethernet autoselect (1000baseSX ) > status: active > [...] 
> Host# ifconfig > bce0: flags=8843 metric 0 mtu > 1500 > > options=1bb TSO4> > ether xx:xx:xx:xx:xx:10 > inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63 > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > media: Ethernet autoselect (1000baseSX ) > status: active > [...] > > I am able to access the ssh-server running on the jail, and I am able to > access the proxyserver of our network via telnet and get some pages of > the internet. However, if I want to install something from the ports, > the jail is unable to fetch it: > > Jail# cd /usr/ports/ftp/wget > Jail# make > ===> Vulnerability check disabled, database not found > ===> Found saved configuration for wget-1.11.4_1 > => wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/. > => Attempting to fetch from http://ftp.gnu.org/gnu/wget/. > fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed > out > => Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/. > [...] > > I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY > and FTP_PROXY. If I test the connection with netcat, I get the following > error message: > # nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80 > nc: read failed (0/3): Broken pipe > > The funny thing is, that I have no problem installing ports from the > Host-system. From what I can tell, all the config files are correct: > > Jail# cat /etc/rc.conf > sshd_enable="YES" > ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192" > defaultrouter="x.y.z.62" > hostname="jail.example.com" > > Host# cat /etc/rc.conf > sshd_enable="NO" > ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192" > defaultrouter="x.y.z.62" > hostname="host.example.com" > ipv6_enable="NO" > jail_enable="YES" > jail_set_hostname_allow="NO" > jail_list="jail" > jail_jail_hostname="jail" > jail_jail_ip="x.y.z.60" > jail_jail_rootdir="my/jail/root" > jail_jail_devfs_enable="YES" > > Any ideas? 
> > Best Regards, > Lars > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > > ------------------------------ > > Message: 4 > Date: Tue, 17 Nov 2009 10:40:54 +0000 (UTC) > From: "Bjoern A. Zeeb" > Subject: Re: Networking from jail - errata > To: "Scheithauer, Lars (FH)" > Cc: freebsd-jail@freebsd.org > Message-ID: <20091117103601.G37440@maildrop.int.zabbadoz.net> > Content-Type: text/plain; charset="iso-8859-1" > > On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote: > > Hi, > > > Quick note: > > Forgot to replace two values. > > Jail - x.y.z.61 > > Host - x.y.z.60 > > Router - x.y.z.62 > > > > > > -----Original Message----- > > From: owner-freebsd-jail@freebsd.org [mailto: > owner-freebsd-jail@freebsd.org] On Behalf Of Scheithauer, Lars (FH) > > Sent: Tuesday, 17 November 2009 10:19 > > To: freebsd-jail@freebsd.org > > Subject: Networking from jail > > > > Hi everyone! > > > > I'm having a little trouble with my jail's networking and I'm not sure > > what to make of it. > > > > My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The > > jailhost has both IP-addresses, the jail has just its own: > > > > Jail# ifconfig > > bce0: flags=8843 metric 0 mtu > > 1500 > > > > options=1bb > TSO4> > > ether xx:xx:xx:xx:xx:10 > > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > > media: Ethernet autoselect (1000baseSX ) > > status: active > > [...] > > Host# ifconfig > > bce0: flags=8843 metric 0 mtu > > 1500 > > > > options=1bb > TSO4> > > ether xx:xx:xx:xx:xx:10 > > inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63 > > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > > media: Ethernet autoselect (1000baseSX ) > > status: active > > [...] 
> > > > I am able to access the ssh-server running on the jail, and I am able to > > access the proxyserver of our network via telnet and get some pages of > > the internet. However, if I want to install something from the ports, > > the jail is unable to fetch it: > > > > Jail# cd /usr/ports/ftp/wget > > Jail# make > > ===> Vulnerability check disabled, database not found > > ===> Found saved configuration for wget-1.11.4_1 > > => wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/. > > => Attempting to fetch from http://ftp.gnu.org/gnu/wget/. > > fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed > > out > > => Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/. > > [...] > > > > I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY > > and FTP_PROXY. If I test the connection with netcat, I get the following > > error message: > > # nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80 > > nc: read failed (0/3): Broken pipe > > The usual thing I am interested at that point is - does name > resolution work properly from within the jail? /etc/resolv.conf setup > correctly etc? > > > > > The funny thing is, that I have no problem installing ports from the > > Host-system. From what I can tell, all the config files are correct: > > > > Jail# cat /etc/rc.conf > > sshd_enable="YES" > > ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192" > > defaultrouter="x.y.z.62" > > hostname="jail.example.com" > > That's not going to work, really (the ifconfig, defaultrouter, and > unless you changed the defaults on the host system not even the > hostname). You should actually remove those. 
> > > > Host# cat /etc/rc.conf > > sshd_enable="NO" > > ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192" > > defaultrouter="x.y.z.62" > > hostname="host.example.com" > > ipv6_enable="NO" > > jail_enable="YES" > > jail_set_hostname_allow="NO" > > jail_list="jail" > > jail_jail_hostname="jail" > > jail_jail_ip="x.y.z.60" > > jail_jail_rootdir="my/jail/root" > > jail_jail_devfs_enable="YES" > > That doesn't really match your ifconfig output from above; something > on the host system would have to set the IP address of the host. I > would expect something like (you may have mixed jail and host > addresses so properly sort this): > > # host system IP address > ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192" > # jail IP address > ifconfig_bce0_alias0="inet x.y.z.60 netmask 255.255.255.255" > > Note that the alias has a /32 netmask. > > > /bz > > -- > Bjoern A. Zeeb It will not break if you know what you are doing. > > ------------------------------ > > Message: 5 > Date: Tue, 17 Nov 2009 12:18:40 +0100 > From: "Scheithauer, Lars (FH)" > Subject: AW: Networking from jail - errata > To: > Cc: "Bjoern A. Zeeb" > Message-ID: > < > 26040005B7F3AA41A0345BCE386CA09701C62A7D@FHCLUSRV-EX.dcs.fh-heidelberg.de> > > Content-Type: text/plain; charset="iso-8859-1" > > Hi Bjoern, > > thanks for the clarification, I changed the values according to your > suggestions. However, it did not resolve the problem. > > I've checked the proxy logfiles and it seems, that the Makefile(s) don't > try to access the proxy at all while fetching files. Is there any reason, > why the Makefile(s) should not use the *_PROXY-variables on the jails? > > Best Regards, > Lars > > > > -----Original Message----- > From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] > On Behalf Of Bjoern A. 
Zeeb > Sent: Tuesday, 17 
November 2009 11:41 > To: Scheithauer, Lars (FH) > Cc: freebsd-jail@freebsd.org > Subject: Re: Networking from jail - errata > > On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote: > > Hi, > > > Quick note: > > Forgot to replace two values. > > Jail - x.y.z.61 > > Host - x.y.z.60 > > Router - x.y.z.62 > > > > > > -----Original Message----- > > From: owner-freebsd-jail@freebsd.org [mailto: > owner-freebsd-jail@freebsd.org] On Behalf Of Scheithauer, Lars (FH) > > Sent: Tuesday, 17 November 2009 10:19 > > To: freebsd-jail@freebsd.org > > Subject: Networking from jail > > > > Hi everyone! > > > > I'm having a little trouble with my jail's networking and I'm not sure > > what to make of it. > > > > My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The > > jailhost has both IP-addresses, the jail has just its own: > > > > Jail# ifconfig > > bce0: flags=8843 metric 0 mtu > > 1500 > > > > options=1bb > TSO4> > > ether xx:xx:xx:xx:xx:10 > > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > > media: Ethernet autoselect (1000baseSX ) > > status: active > > [...] > > Host# ifconfig > > bce0: flags=8843 metric 0 mtu > > 1500 > > > > options=1bb > TSO4> > > ether xx:xx:xx:xx:xx:10 > > inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63 > > inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63 > > media: Ethernet autoselect (1000baseSX ) > > status: active > > [...] > > > > I am able to access the ssh-server running on the jail, and I am able to > > access the proxyserver of our network via telnet and get some pages of > > the internet. However, if I want to install something from the ports, > > the jail is unable to fetch it: > > > > Jail# cd /usr/ports/ftp/wget > > Jail# make > > ===> Vulnerability check disabled, database not found > > ===> Found saved configuration for wget-1.11.4_1 > > => wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/. > > => Attempting to fetch from http://ftp.gnu.org/gnu/wget/. 
> > fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed > > out > > => Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/. > > [...] > > > > I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY > > and FTP_PROXY. If I test the connection with netcat, I get the following > > error message: > > # nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80 > > nc: read failed (0/3): Broken pipe > > The usual thing I am interested at that point is - does name > resolution work properly from within the jail? /etc/resolv.conf setup > correctly etc? > > > > > The funny thing is, that I have no problem installing ports from the > > Host-system. From what I can tell, all the config files are correct: > > > > Jail# cat /etc/rc.conf > > sshd_enable="YES" > > ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192" > > defaultrouter="x.y.z.62" > > hostname="jail.example.com" > > That's not going to work, really (the ifconfig, defaultrouter, and > unless you changed the defaults on the host system not even the > hostname). You should actually remove those. > > > > Host# cat /etc/rc.conf > > sshd_enable="NO" > > ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192" > > defaultrouter="x.y.z.62" > > hostname="host.example.com" > > ipv6_enable="NO" > > jail_enable="YES" > > jail_set_hostname_allow="NO" > > jail_list="jail" > > jail_jail_hostname="jail" > > jail_jail_ip="x.y.z.60" > > jail_jail_rootdir="my/jail/root" > > jail_jail_devfs_enable="YES" > > That doesn't really match your ifconfig output from above; something > on the host system would have to set the IP address of the host. I > would expect something like (you may have mixed jail and host > addresses so properly sort this): > > # host system IP address > ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192" > # jail IP address > ifconfig_bce0_alias0="inet x.y.z.60 netmask 255.255.255.255" > > Note that the alias has a /32 netmask. > > > /bz > > -- > Bjoern A. 
Zeeb It will not break if you know what you are doing. > > > ------------------------------ > > Message: 6 > Date: Tue, 17 Nov 2009 11:27:40 +0000 (UTC) > From: "Bjoern A. Zeeb" > Subject: Re: AW: Networking from jail - errata > To: "Scheithauer, Lars (FH)" > Cc: freebsd-jail@freebsd.org > Message-ID: <20091117112535.L37440@maildrop.int.zabbadoz.net> > Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed > > On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote: > > Hi, > > > thanks for the clarification, I changed the values according to your > suggestions. However, it did not resolve the problem. > > Did you also check resolv.conf inside the jail? > Does host www.freebsd.org work? > > > > I've checked the proxy logfiles and it seems, that the Makefile(s) don't > try to access the proxy at all while fetching files. Is there any reason, > why the Makefile(s) should not use the *_PROXY-variables on the jails? > > I assume the proxy is squid and that the proxy itself works? > What if you set the http_proxy variables to an IP address rather than > the name (don't use 127.0.0.1 as address, just to rule that out as > well). > > /bz > > -- > Bjoern A. Zeeb It will not break if you know what you are doing. > > > ------------------------------ > > Message: 7 > Date: Tue, 17 Nov 2009 12:40:51 +0100 > From: "Scheithauer, Lars (FH)" > Subject: AW: AW: Networking from jail - errata > To: "Bjoern A. Zeeb" > Cc: freebsd-jail@freebsd.org > Message-ID: > < > 26040005B7F3AA41A0345BCE386CA09701C62A80@FHCLUSRV-EX.dcs.fh-heidelberg.de> > > Content-Type: text/plain; charset="iso-8859-1" > > Hi Bjoern, > > I did, but the error was somewhere else. I set the proxy through > set http_proxy="http://proxy.example.com:8080" > while the correct version would be > setenv http_proxy http://proxy.example.com:8080 > > In both cases, "echo $http_proxy" returns the correct entry. Could you > explain the difference between set and setenv? 
> > Best Regards, > Lars > > > > -----Original Message----- > From: Bjoern A. Zeeb [mailto:bzeeb-lists@lists.zabbadoz.net] > Sent: Tuesday, 17 November 2009 12:28 > To: Scheithauer, Lars (FH) > Cc: freebsd-jail@freebsd.org > Subject: Re: AW: Networking from jail - errata > > On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote: > > Hi, > > > thanks for the clarification, I changed the values according to your > suggestions. However, it did not resolve the problem. > > Did you also check resolv.conf inside the jail? > Does host www.freebsd.org work? > > > > I've checked the proxy logfiles and it seems, that the Makefile(s) don't > try to access the proxy at all while fetching files. Is there any reason, > why the Makefile(s) should not use the *_PROXY-variables on the jails? > > I assume the proxy is squid and that the proxy itself works? > What if you set the http_proxy variables to an IP address rather than > the name (don't use 127.0.0.1 as address, just to rule that out as > well). > > /bz > > -- > Bjoern A. Zeeb It will not break if you know what you are doing. > > > ------------------------------ > > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > > End of freebsd-jail Digest, Vol 120, Issue 2 > ******************************************** > From 000.fbsd at quip.cz Wed Nov 18 14:44:12 2009 From: 000.fbsd at quip.cz (Miroslav Lachman) Date: Wed Nov 18 14:44:18 2009 Subject: Problem with Apache in Jail In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de> References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de> Message-ID: <4B040838.8020103@quip.cz> Scheithauer, Lars (FH) wrote: > Hi everyone, > > I've started to install an apache22 in a freebsd-jail and have a > problem. 
The jail has a public ip address, so from what I know, I > wouldn't have to forward any packages to it. I can reach the apache22 > server by ip-address, but not by its DNS - the connection gets > "disrupted". I can successfully nslookup the DNS and if I watch the > traffic of the browser via wireshark, I see that it sends packages to > the server, but the server doesn't send any packages back. I also do not > find any traces of the connection attempt in the apache-logs. > > The config-files of the apache are correct and read (tested by entering > some false configs and the server refused to start afterwards - and as > said I'm able to access it by its ip). > > > > Now, is there any way that this could be caused by the jail? You did not post what version and architecture you are using... But I am running several jails with Apache or Lighttpd without any issues (on 6.3 i386 and 7.2 i386 + amd64). So I expect some misconfiguration on your side. Are you sure you have correct DNS entries pointing to right IP and you have working resolv.conf inside jail? What about /etc/hosts? Miroslav Lachman From Lars.Scheithauer at fh-heidelberg.de Wed Nov 18 15:11:21 2009 From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH)) Date: Wed Nov 18 15:11:27 2009 Subject: AW: Problem with Apache in Jail In-Reply-To: <4B040838.8020103@quip.cz> References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de> <4B040838.8020103@quip.cz> Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de> Hi Miroslav, the system is a FreeBSD 8.0-rc3 with apache22. nslookup is working fine - I did not enter the vhosts name into the /etc/hosts before, but even adding it doesn't change the problem. Any other ideas I might check out? 
Best Regards, Lars -----Original Message----- From: Miroslav Lachman [mailto:000.fbsd@quip.cz] Sent: Wednesday, 18 
November 2009 15:44 To: Scheithauer, Lars (FH) Cc: freebsd-jail@freebsd.org Subject: Re: Problem with Apache in Jail Scheithauer, Lars (FH) wrote: > Hi everyone, > > I've started to install an apache22 in a freebsd-jail and have a > problem. The jail has a public ip address, so from what I know, I > wouldn't have to forward any packages to it. I can reach the apache22 > server by ip-address, but not by its DNS - the connection gets > "disrupted". I can successfully nslookup the DNS and if I watch the > traffic of the browser via wireshark, I see that it sends packages to > the server, but the server doesn't send any packages back. I also do not > find any traces of the connection attempt in the apache-logs. > > The config-files of the apache are correct and read (tested by entering > some false configs and the server refused to start afterwards - and as > said I'm able to access it by its ip). > > > > Now, is there any way that this could be caused by the jail? You did not post what version and architecture you are using... But I am running several jails with Apache or Lighttpd without any issues (on 6.3 i386 and 7.2 i386 + amd64). So I expect some misconfiguration on your side. Are you sure you have correct DNS entries pointing to right IP and you have working resolv.conf inside jail? What about /etc/hosts? 
Miroslav Lachman From Lars.Scheithauer at fh-heidelberg.de Thu Nov 19 14:04:13 2009 From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH)) Date: Thu Nov 19 14:04:19 2009 Subject: AW: Problem with Apache in Jail In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de> References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de><4B040838.8020103@quip.cz> <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de> Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> On a follow-up: I just recognized, that I may access the vhost correctly from the server itself via lynx, but I am still unable to access any vhost from the outside (I can access the default by ip, though). -----Original Message----- From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On Behalf Of Scheithauer, Lars (FH) Sent: Wednesday, 18 November 2009 16:11 To: Miroslav Lachman Cc: freebsd-jail@freebsd.org Subject: AW: Problem with Apache in Jail Hi Miroslav, the system is a FreeBSD 8.0-rc3 with apache22. nslookup is working fine - I did not enter the vhosts name into the /etc/hosts before, but even adding it doesn't change the problem. Any other ideas I might check out? Best Regards, Lars -----Original Message----- From: Miroslav Lachman [mailto:000.fbsd@quip.cz] Sent: Wednesday, 18 November 2009 15:44 To: Scheithauer, Lars (FH) Cc: freebsd-jail@freebsd.org Subject: Re: Problem with Apache in Jail Scheithauer, Lars (FH) wrote: > Hi everyone, > > I've started to install an apache22 in a freebsd-jail and have a > problem. The jail has a public ip address, so from what I know, I > wouldn't have to forward any packages to it. I can reach the apache22 > server by ip-address, but not by its DNS - the connection gets > "disrupted". 
I can successfully nslookup the DNS and if I watch the > traffic of the browser via wireshark, I see that it sends packages to > the server, but the server doesn't send any packages back. I also do not > find any traces of the connection attempt in the apache-logs. > > The config-files of the apache are correct and read (tested by entering > some false configs and the server refused to start afterwards - and as > said I'm able to access it by its ip). > > > > Now, is there any way that this could be caused by the jail? You did not post what version and architecture you are using... But I am running several jails with Apache or Lighttpd without any issues (on 6.3 i386 and 7.2 i386 + amd64). So I expect some misconfiguration on your side. Are you sure you have correct DNS entries pointing to right IP and you have working resolv.conf inside jail? What about /etc/hosts? Miroslav Lachman _______________________________________________ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" From bsemene at cyanide-studio.com Thu Nov 19 17:14:20 2009 From: bsemene at cyanide-studio.com (Bastien Semene) Date: Thu Nov 19 17:15:35 2009 Subject: AW: Problem with Apache in Jail In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de><4B040838.8020103@quip.cz> <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de> <26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> Message-ID: <4B057741.7000700@cyanide-studio.com> Hi Lars, How did you install the jail system? Have you a firewall activated, what do the logs say? What does a telnet say? 
In my access.log I have the following line (401 because it needs authentication): x.y.z.a - - [19/Nov/2009:17:47:36 +0100] "HEAD / HTTP/1.1" 401 - "-" "-" telnet w/ HTTP: $ telnet freebsd.org 80 Trying 69.147.83.40... Connected to freebsd.org. Escape character is '^]'. HEAD / HTTP/1.1 Host: www.freebsd.org HTTP/1.1 301 Moved Permanently Location: http://www.freebsd.org/ Date: Thu, 19 Nov 2009 16:44:54 GMT Server: httpd/1.4.x Gualala Connection closed by foreign host. Best Regards, Scheithauer, Lars (FH) wrote: > On a follow-up: > I just recognized, that I may access the vhost correctly from the server itself via lynx, but I am still unable to access any vhost from the outside (I can access the default by ip, though). > > > > > -----Original Message----- > From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On Behalf Of Scheithauer, Lars (FH) > Sent: Wednesday, 18 November 2009 16:11 > To: Miroslav Lachman > Cc: freebsd-jail@freebsd.org > Subject: AW: Problem with Apache in Jail > > Hi Miroslav, > > the system is a FreeBSD 8.0-rc3 with apache22. > > nslookup is working fine - I did not enter the vhosts name into the /etc/hosts before, but even adding it doesn't change the problem. > > Any other ideas I might check out? > > Best Regards, > Lars > > > > -----Original Message----- > From: Miroslav Lachman [mailto:000.fbsd@quip.cz] > Sent: Wednesday, 18 November 2009 15:44 > To: Scheithauer, Lars (FH) > Cc: freebsd-jail@freebsd.org > Subject: Re: Problem with Apache in Jail > > Scheithauer, Lars (FH) wrote: > >> Hi everyone, >> >> I've started to install an apache22 in a freebsd-jail and have a >> problem. The jail has a public ip address, so from what I know, I >> wouldn't have to forward any packages to it. I can reach the apache22 >> server by ip-address, but not by its DNS - the connection gets >> "disrupted". 
I can successfully nslookup the DNS and if I watch the >> traffic of the browser via wireshark, I see that it sends packages to >> the server, but the server doesn't send any packages back. I also do not >> find any traces of the connection attempt in the apache-logs. >> >> The config-files of the apache are correct and read (tested by entering >> some false configs and the server refused to start afterwards - and as >> said I'm able to access it by its ip). >> >> >> >> Now, is there any way that this could be caused by the jail? >> > > You did not post what version and architecture you are using... > But I am running several jails with Apache or Lighttpd without any issues > (on 6.3 i386 and 7.2 i386 + amd64). > So I expect some misconfiguration on your side. > > Are you sure you have correct DNS entries pointing to right IP and you > have working resolv.conf inside jail? What about /etc/hosts? > > Miroslav Lachman > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > -- Bastien Semene Network & System Administrator admin@cyanide-studio.com +33 (0)1 47 86 30 80 Cyanide S.A. 
5, Boulevard des Bouvets 92000 Nanterre - FRANCE From Lars.Scheithauer at fh-heidelberg.de Fri Nov 20 06:49:37 2009 From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH)) Date: Fri Nov 20 06:49:44 2009 Subject: AW: AW: Problem with Apache in Jail In-Reply-To: <4B057741.7000700@cyanide-studio.com> References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de><4B040838.8020103@quip.cz> <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de><26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> <4B057741.7000700@cyanide-studio.com> Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A98@FHCLUSRV-EX.dcs.fh-heidelberg.de> Hi Bastien, I've set up the jail after this guide[1] of the FreeBSD handbook. A firewall is not active (yet), since I first wanted the jail to work. If I telnet to the server from the inside (DNS and IP), I can get a valid response. If I telnet to the servers ip from the outside, too. However, as soon as I try to get the files of a specific hostname, I get a timeout (more specifically, I can connect to the server, but it won't give any single packet back, according to wireshark). I don't get the problem and honestly don't know where to look anymore. If it would be an apache config problem, it should not work from the inside, too. If it's a jail problem, I don't know what else to activate (even tried to allow raw sockets). The problem is also persistent with the apache20-installation. For the logfiles: I do get an entry, if I get something back from the server. If I don't get anything back from the server, I don't get an entry. 
Best regards, Lars _______________________________________________________________________ [1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html -----Original Message----- From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On Behalf Of Bastien Semene Sent: Thursday, 19 
November 2009 17:50 Cc: freebsd-jail@freebsd.org Subject: Re: AW: Problem with Apache in Jail Hi Lars, How did you install the jail system? Have you a firewall activated, what do the logs say? What does a telnet say? In my access.log I have the following line (401 because it needs authentication): x.y.z.a - - [19/Nov/2009:17:47:36 +0100] "HEAD / HTTP/1.1" 401 - "-" "-" telnet w/ HTTP: $ telnet freebsd.org 80 Trying 69.147.83.40... Connected to freebsd.org. Escape character is '^]'. HEAD / HTTP/1.1 Host: www.freebsd.org HTTP/1.1 301 Moved Permanently Location: http://www.freebsd.org/ Date: Thu, 19 Nov 2009 16:44:54 GMT Server: httpd/1.4.x Gualala Connection closed by foreign host. Best Regards, Scheithauer, Lars (FH) wrote: > On a follow-up: > I just recognized, that I may access the vhost correctly from the server itself via lynx, but I am still unable to access any vhost from the outside (I can access the default by ip, though). > > > > > -----Original Message----- > From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On Behalf Of Scheithauer, Lars (FH) > Sent: Wednesday, 18 November 2009 16:11 > To: Miroslav Lachman > Cc: freebsd-jail@freebsd.org > Subject: AW: Problem with Apache in Jail > > Hi Miroslav, > > the system is a FreeBSD 8.0-rc3 with apache22. > > nslookup is working fine - I did not enter the vhosts name into the /etc/hosts before, but even adding it doesn't change the problem. > > Any other ideas I might check out? > > Best Regards, > Lars > > > > -----Original Message----- > From: Miroslav Lachman [mailto:000.fbsd@quip.cz] > Sent: Wednesday, 18 November 2009 15:44 > To: Scheithauer, Lars (FH) > Cc: freebsd-jail@freebsd.org > Subject: Re: Problem with Apache in Jail > > Scheithauer, Lars (FH) wrote: > >> Hi everyone, >> >> I've started to install an apache22 in a freebsd-jail and have a >> problem. 
The jail has a public ip address, so from what I know, I >> wouldn't have to forward any packages to it. I can reach the apache22 >> server by ip-address, but not by its DNS - the connection gets >> "disrupted". I can successfully nslookup the DNS and if I watch the >> traffic of the browser via wireshark, I see that it sends packages to >> the server, but the server doesn't send any packages back. I also do not >> find any traces of the connection attempt in the apache-logs. >> >> The config-files of the apache are correct and read (tested by entering >> some false configs and the server refused to start afterwards - and as >> said I'm able to access it by its ip). >> >> >> >> Now, is there any way that this could be caused by the jail? >> > > You did not post what version and architecture you are using... > But I am running several jails with Apache or Lighttpd without any issues > (on 6.3 i386 and 7.2 i386 + amd64). > So I expect some misconfiguration on your side. > > Are you sure you have correct DNS entries pointing to right IP and you > have working resolv.conf inside jail? What about /etc/hosts? > > Miroslav Lachman > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > > -- Bastien Semene Network & System Administrator admin@cyanide-studio.com +33 (0)1 47 86 30 80 Cyanide S.A. 
5, Boulevard des Bouvets 92000 Nanterre - FRANCE _______________________________________________ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" From smithi at nimnet.asn.au Fri Nov 20 08:12:36 2009 From: smithi at nimnet.asn.au (Ian Smith) Date: Fri Nov 20 08:12:43 2009 Subject: AW: AW: Problem with Apache in Jail In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A98@FHCLUSRV-EX.dcs.fh-heidelberg.de> References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de><4B040838.8020103@quip.cz> <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de><26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> <4B057741.7000700@cyanide-studio.com> <26040005B7F3AA41A0345BCE386CA09701C62A98@FHCLUSRV-EX.dcs.fh-heidelberg.de> Message-ID: <20091120180647.A65262@sola.nimnet.asn.au> On Fri, 20 Nov 2009, Scheithauer, Lars (FH) wrote: > Hi Bastien, > > I've set up the jail after this guide[1] of the FreeBSD handbook. I'm only replying to this suspecting it may not be a jail issue, but perhaps more likely a DNS issue, as Miroslav was earlier pointing to? > A firewall is not active (yet), since I first wanted the jail to work. > > If I telnet to the server from the inside (DNS and IP), I can get a > valid response. If I telnet to the servers ip from the outside, too. > However, as soon as I try to get the files of a specific hostname, I > get a timeout (more specifically, I can connect to the server, but it > won't give any single packet back, according to wireshark). So are you sure that (from outside your environment) the vhost hostname resolves to its IP address ok? Does it have a unique public IP address? If so, does reverse resolution of that address point to that hostname? From (right) outside your net, does that IP address respond to pings? By IP address as well as by hostname? 
Does your apache config specify name-based and/or IP-based virtual
hosts? There can lurk some dragons ..

> I don't get the problem and honestly don't know where to look
> anymore. If it would be an apache config problem, it should not work
> from the inside, too. If it's a jail problem, I don't know what else
> to activate (even tried to allow raw sockets). The problem is also
> persistent with the apache20-installation.

If this is a jail issue I've no idea at all, but if the DNS results
obtained from inside and outside your network perimeter differ, that may
explain some of what you're seeing. I guess an outside DNS query
followed by an attempted HTTP connect tracked on tcpdump, perhaps in
verbose packet-display mode (eg -nXs0) should provide more solid clues?

> For the logfiles: I do get an entry, if I get something back from the
> server. If I don't get anything back from the server, I don't get an
> entry.

Make sure that you're logging both the vhost concerned and the 'default'
config used if no vhost entry is satisfied, perhaps you'll see something
there? I specify error.log to catch any of these during vhost setup.

You may need to share more of your apache configuration in the hope that
someone may spot something, once you confirm there are no DNS issues.

Just some ideas ..

cheers, Ian

From Lars.Scheithauer at fh-heidelberg.de Fri Nov 20 09:07:33 2009
From: Lars.Scheithauer at fh-heidelberg.de (Scheithauer, Lars (FH))
Date: Fri Nov 20 09:07:39 2009
Subject: AW: AW: AW: Problem with Apache in Jail
In-Reply-To: <20091120180647.A65262@sola.nimnet.asn.au>
References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de><4B040838.8020103@quip.cz> <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de><26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> <4B057741.7000700@cyanide-studio.com> <26040005B7F3AA41A0345BCE386CA09701C62A98@FHCLUSRV-EX.dcs.fh-heidelberg.de> <20091120180647.A65262@sola.nimnet.asn.au>
Message-ID: <26040005B7F3AA41A0345BCE386CA09701C62A99@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Hi Ian,

> So are you sure that (from outside your environment) the vhost hostname
> resolves to its IP address ok? Does it have a unique public IP address?
> If so, does reverse resolution of that address point to that hostname?

Yes:
# host campus2.fh-heidelberg.de
campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.
www2.fh-heidelberg.de has address 193.197.74.48
# host 193.197.74.48
48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de.

> From (right) outside your net, does that IP address respond to pings?
> By IP address as well as by hostname?

Yes.

> Does your apache config specify name-based and/or IP-based virtual
> hosts? There can lurk some dragons ..

I did try name-based, but it's currently just a catch-all (see below).

> If this is a jail issue I've no idea at all, but if the DNS results
> obtained from inside and outside your network perimeter differ, that may
> explain some of what you're seeing. I guess an outside DNS query
> followed by an attempted HTTP connect tracked on tcpdump, perhaps in
> verbose packet-display mode (eg -nXs0) should provide more solid clues?

Ooooookay, now this really makes sense.
Sending packets to the URL doesn't even reach the jailhost (I can't
directly dump the jail's packages), but sending to its IP does... And I
can see packets leaving my client... This is persistent across different
browsers. Any ideas how that is possible?

> Make sure that you're logging both the vhost concerned and the 'default'
> config used if no vhost entry is satisfied, perhaps you'll see something
> there? I specify error.log to catch any of these during vhost setup.

I do, see below.

> You may need to share more of your apache configuration in the hope that
> someone may spot something, once you confirm there are no DNS issues.

---------->>> /usr/local/etc/apache22/httpd.conf <<<----------
ServerRoot "/usr/local"
Listen 80

## modules
# [...]

## MAIN CONFIG
ServerAdmin support@fh-heidelberg.de
ServerName www2.fh-heidelberg.de:80
DocumentRoot "/usr/local/www/apache22/data"

## disable all access, then allow specific services

AllowOverride None
Order deny,allow
Deny from all

## main site, currently just with a testpage

Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

DirectoryIndex index.html

## prevent htaccess to be read

Order allow,deny
Deny from all
Satisfy All

## LOGGING
ErrorLog "/var/log/httpd-error.log"
logLevel debug

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

CustomLog "/var/log/httpd-access.log" combined

## aliases and redirects

ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"

## cgi-bin

AllowOverride None
Options None
Order allow,deny
Allow from all

DefaultType text/plain

TypesConfig etc/apache22/mime.types

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#AddHandler cgi-script .cgi
#AddHandler type-map var

## Virtual hosts
#Include etc/apache22/extra/httpd-vhosts.conf
Include etc/apache22/vhosts/*
Include etc/apache22/Includes/*.conf

----->>> /usr/local/etc/apache22/vhosts/campus2.fh-heidelberg.de <<<-----
## catch all
NameVirtualHost *:80

ServerAdmin support@fh-heidelberg.de
DocumentRoot "/usr/local/www/apache22/campus2.fh-heidelberg.de"
ServerName campus2.fh-heidelberg.de
ErrorLog "/var/log/apache2/campus2.fh-heidelberg.de_error.log"
CustomLog "/var/log/apache2/campus2.fh-heidelberg.de_access.log" common

Best Regards,
Lars

From smithi at nimnet.asn.au Fri Nov 20 12:31:35 2009
From: smithi at nimnet.asn.au (Ian Smith)
Date: Fri Nov 20 12:31:42 2009
Subject: AW: AW: AW: Problem with Apache in Jail
In-Reply-To: <26040005B7F3AA41A0345BCE386CA09701C62A99@FHCLUSRV-EX.dcs.fh-heidelberg.de>
References: <26040005B7F3AA41A0345BCE386CA09701C62A8E@FHCLUSRV-EX.dcs.fh-heidelberg.de><4B040838.8020103@quip.cz> <26040005B7F3AA41A0345BCE386CA09701C62A8F@FHCLUSRV-EX.dcs.fh-heidelberg.de><26040005B7F3AA41A0345BCE386CA09701C62A94@FHCLUSRV-EX.dcs.fh-heidelberg.de> <4B057741.7000700@cyanide-studio.com> <26040005B7F3AA41A0345BCE386CA09701C62A98@FHCLUSRV-EX.dcs.fh-heidelberg.de> <20091120180647.A65262@sola.nimnet.asn.au> <26040005B7F3AA41A0345BCE386CA09701C62A99@FHCLUSRV-EX.dcs.fh-heidelberg.de>
Message-ID: <20091120224250.L65262@sola.nimnet.asn.au>

On Fri, 20 Nov 2009, Scheithauer, Lars (FH) wrote:
> > So are you sure that (from outside your environment) the vhost hostname
> > resolves to its IP address ok? Does it have a unique public IP address?
> > If so, does reverse resolution of that address point to that hostname?
>
> Yes:
> # host campus2.fh-heidelberg.de
> campus2.fh-heidelberg.de is an alias for www2.fh-heidelberg.de.
> www2.fh-heidelberg.de has address 193.197.74.48
> # host 193.197.74.48
> 48.74.197.193.in-addr.arpa domain name pointer www2.fh-heidelberg.de.

Hi Lars. Same results from here.

> > From (right) outside your net, does that IP address respond to pings?
> > By IP address as well as by hostname?
>
> Yes.

NOT from here, but I can ping its neighbouring DNS server, noticed from:

;; ADDITIONAL SECTION:
dns1.belwue.de. 25303 IN A 129.143.2.10
dns3.belwue.de. 65090 IN A 131.246.119.18
dnsfh.fh-heidelberg.de. 81442 IN A 193.197.74.49

smithi on sola% ping 193.197.74.48
PING 193.197.74.48 (193.197.74.48): 56 data bytes
^C
--- 193.197.74.48 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
smithi on sola% ping 193.197.74.49
PING 193.197.74.49 (193.197.74.49): 56 data bytes
64 bytes from 193.197.74.49: icmp_seq=0 ttl=44 time=359.907 ms
64 bytes from 193.197.74.49: icmp_seq=1 ttl=44 time=365.433 ms
64 bytes from 193.197.74.49: icmp_seq=2 ttl=44 time=363.339 ms
^C
--- 193.197.74.49 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 359.907/362.893/365.433/2.278 ms

So it's not clear that any outside traffic is reaching .48, or if so,
that its responses are getting out, given there's no local firewall.

Which could be the whole problem - this might have nothing to do with
apache at all? HTTP requests to .48 IP send setup packets which are not
acknowledged, so it's never getting far enough to care which hostname
was requested.

Is .49 on the same box? Same interface? Maybe a netstat -nr outside and
inside the jail might indicate something? Where's your gateway?

So .. upstream firewall? Improper routing, either upstream or return
route from that box (or the jail?) for that IP? Stabs in the dark ..

> > Does your apache config specify name-based and/or IP-based virtual
> > hosts? There can lurk some dragons ..
>
> I did try name-based, but it's currently just a catch-all (see below).

On the face of it, it should answer for either hostname, and likely will
when it gets packets through and/or gets responses back :)

> > If this is a jail issue I've no idea at all, but if the DNS results

I'd best stress that; I've never set up a jail, though I've been lurking.

> > obtained from inside and outside your network perimeter differ, that may
> > explain some of what you're seeing. I guess an outside DNS query
> > followed by an attempted HTTP connect tracked on tcpdump, perhaps in
> > verbose packet-display mode (eg -nXs0) should provide more solid clues?
>
> Ooooookay, now this really makes sense.
> Sending packets to the URL doesn't even reach the jailhost (I can't
> directly dump the jail's packages), but sending to its IP does... And I
> can see packets leaving my client... This is persistent across different
> browsers. Any ideas how that is possible?

No. http://193.197.74.48/ is just the same from here of course, and all
I see is setup packets leaving and no response. No upstream firewall/s?
You can't run tcpdump inside a jail as root?

> > Make sure that you're logging both the vhost concerned and the 'default'
> > config used if no vhost entry is satisfied, perhaps you'll see something
> > there? I specify error.log to catch any of these during vhost setup.
>
> I do, see below.

Sure. It's not getting that far, seen from here at least.

Sorry, I'm out of ideas, and have to go out. I'll leave the tail alone
in case somebody else might catch a clue from it.

Good luck, Ian

> > You may need to share more of your apache configuration in the hope that
> > someone may spot something, once you confirm there are no DNS issues.
>
> ---------->>> /usr/local/etc/apache22/httpd.conf <<<----------
> ServerRoot "/usr/local"
> Listen 80
>
> ## modules
> # [...]
>
> ## MAIN CONFIG
> ServerAdmin support@fh-heidelberg.de
> ServerName www2.fh-heidelberg.de:80
> DocumentRoot "/usr/local/www/apache22/data"
>
> ## disable all access, then allow specific services
>
> AllowOverride None
> Order deny,allow
> Deny from all
>
> ## main site, currently just with a testpage
>
> Options Indexes FollowSymLinks
> AllowOverride All
> Order allow,deny
> Allow from all
>
> DirectoryIndex index.html
>
> ## prevent htaccess to be read
>
> Order allow,deny
> Deny from all
> Satisfy All
>
> ## LOGGING
> ErrorLog "/var/log/httpd-error.log"
> logLevel debug
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
>
> CustomLog "/var/log/httpd-access.log" combined
>
> ## aliases and redirects
>
> ScriptAlias /cgi-bin/ "/usr/local/www/apache22/cgi-bin/"
>
> ## cgi-bin
>
> AllowOverride None
> Options None
> Order allow,deny
> Allow from all
>
> DefaultType text/plain
>
> TypesConfig etc/apache22/mime.types
>
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
>
> #AddHandler cgi-script .cgi
> #AddHandler type-map var
>
> ## Virtual hosts
> #Include etc/apache22/extra/httpd-vhosts.conf
> Include etc/apache22/vhosts/*
> Include etc/apache22/Includes/*.conf
>
> ----->>> /usr/local/etc/apache22/vhosts/campus2.fh-heidelberg.de <<<-----
> ## catch all
> NameVirtualHost *:80
>
> ServerAdmin support@fh-heidelberg.de
> DocumentRoot "/usr/local/www/apache22/campus2.fh-heidelberg.de"
> ServerName campus2.fh-heidelberg.de
> ErrorLog "/var/log/apache2/campus2.fh-heidelberg.de_error.log"
> CustomLog "/var/log/apache2/campus2.fh-heidelberg.de_access.log" common
>
> Best Regards,
> Lars
>

From bugmaster at FreeBSD.org Mon Nov 23 11:06:59 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Nov 23 11:08:37 2009
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Message-ID: <200911231106.nANB6wDp070172@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.
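
In the "Problem with Apache in Jail" thread above, Ian Smith observes that HTTP requests to .48 send setup packets which are never acknowledged, so the question of which hostname was requested never arises. The following is an added example, not part of any message in this archive, that finds such unanswered handshakes in a capture. It assumes the text output of a current tcpdump run with -n; the capture lines and the client address 192.0.2.10 are constructed.

```python
import re

# Constructed capture in `tcpdump -n` text format (not from the thread).
# 192.0.2.10 stands in for the outside client; .49 answers, .48 does not.
SAMPLE = """\
10:00:00.000000 IP 192.0.2.10.40001 > 193.197.74.49.53: Flags [S], seq 100, win 65535, length 0
10:00:00.360000 IP 193.197.74.49.53 > 192.0.2.10.40001: Flags [S.], seq 900, ack 101, win 65535, length 0
10:00:00.360100 IP 192.0.2.10.40001 > 193.197.74.49.53: Flags [.], ack 1, win 65535, length 0
10:00:01.000000 IP 192.0.2.10.40002 > 193.197.74.48.80: Flags [S], seq 200, win 65535, length 0
10:00:04.000000 IP 192.0.2.10.40002 > 193.197.74.48.80: Flags [S], seq 200, win 65535, length 0
10:00:10.000000 IP 192.0.2.10.40002 > 193.197.74.48.80: Flags [S], seq 200, win 65535, length 0
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"Flags \[([^\]]+)\]"
)


def unanswered_syns(capture):
    """Map (client, server, port) -> SYN count for handshakes that got no reply."""
    pending = {}
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # not an IPv4 TCP line in the assumed format
        src, sport, dst, dport, flags = m.groups()
        here, there = (src, int(sport)), (dst, int(dport))
        if flags == "S":
            # Bare SYN (initial or retransmitted): count it per 4-tuple.
            pending[(here, there)] = pending.get((here, there), 0) + 1
        else:
            # Any packet coming back (SYN-ACK or RST) shows the path works
            # in both directions, so the handshake is no longer unanswered.
            pending.pop((there, here), None)
    return {(c[0], s[0], s[1]): n for (c, s), n in pending.items()}


if __name__ == "__main__":
    for (client, server, port), count in unanswered_syns(SAMPLE).items():
        print(f"{client} -> {server}:{port}: {count} SYN(s), no reply")
```

An entry for 193.197.74.48 port 80 in the result means the problem sits in filtering or routing before Apache, which is where Ian's reply directs attention.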