Tutorial for Hierarchical Jails?
Edwin Shao
edwin.shao at gmail.com
Thu Oct 1 18:42:42 UTC 2009
The base system has allow_raw_sockets, the first level jail also has
allow_raw_sockets and has the exact same configuration as the base system (I
use puppet to manage config files.) I can't set allow_raw_sockets anyway for
the second-level jail without manually invoking the jail command.
On Tue, Sep 29, 2009 at 7:08 AM, Jamie Gritton <jamie at freebsd.org> wrote:
> Does the base system have security.jail.allow_raw_sockets=1? You need to
> have that, or set the jail's allow.raw_sockets. You can't set the jail's
> permissions from within the jail itself. If you have multiple jail
> levels, then both jails need to allow raw sockets - a jail can't allow a
> child jail to do what it can't do itself.
>
> - Jamie
>
>
> Edwin Shao wrote:
>
>> One other thing that is odd: hierarchical jails don't seem to inherit some
>> sysctls such as allow_raw_socket.
>>
>> In the host (jail), rc.conf has jail_set_allow_raw_sockets="YES" and
>> sysctl.conf has "security.jail.allow_raw_sockets=1", but no child jail can
>> ping out:
>> neko# ping google.com <http://google.com>
>> ping: socket: Operation not permitted
>>
>> What is happening in this case?
>> Thank you for your time again.
>>
>>
>> On Tue, Sep 29, 2009 at 12:16 AM, Jamie Gritton <jamie at freebsd.org<mailto:
>> jamie at freebsd.org>> wrote:
>>
>> The sysctls not only don't get written to, they don't have any useful
>> information to read either. They only describe the existence and format
>> of the various jail parameters. Sorry, but there;s no way to set a
>> default children.max parameter or inherit it from the parent. We've
>> decided to set the default to the most secure/restrictive in many
>> cases.
>> Once we've come up with a new jail configuration interface, this won't
>> be such a hassle.
>>
>> The devfs errors are probably something that will have to be addressed
>> in a later revision - I haven't looked in the devfs direction so I'm
>> not
>> sure about that. The mount error may be related to the first jail's
>> allow.mount parameter (whose default comes from
>> security.jail.mount_allowed).
>>
>> - Jamie
>>
>> Edwin Shao wrote:
>>
>> Thanks, that worked for me.
>>
>> * Using jail to change children.max on the parent does not
>> affect `sysctl security.jail.param.children.max` in the child.
>> Also security.jail.param.children.cur never changes either. Not
>> sure if that's intended behavior.
>> * Is there any way to persist the
>> security.jail.param.children.max parameter without entering the
>> jail command every time? * I get the following output when I
>> create a jail inside a jail:
>>
>> hyper ~> ezjail-admin start neko
>> Configuring jails:.
>> Starting jails:devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not
>> permitted
>> devfs rule: ioctl DEVFSIO_RGETNEXT: Operation not permitted
>> /etc/rc.d/jail: WARNING: devfs_set_ruleset: you must specify a
>> ruleset number
>> devfs rule: ioctl DEVFSIO_SAPPLY: Operation not permitted
>> ln: log: Operation not permitted
>> mount: proc : Operation not permitted
>> neko.
>>
>> I'm using the same configuration values as in the parent's jail,
>> which work. Everything seems to work alright inside the jail, so
>> I assume the errors are safe to ignore?
>>
>> Thanks again!
>> - Edwin
>>
>> On Mon, Sep 28, 2009 at 9:11 PM, Bjoern A. Zeeb
>> <bzeeb-lists at lists.zabbadoz.net
>> <mailto:bzeeb-lists at lists.zabbadoz.net>
>> <mailto:bzeeb-lists at lists.zabbadoz.net
>> <mailto:bzeeb-lists at lists.zabbadoz.net>>> wrote:
>>
>> On Mon, 28 Sep 2009, Edwin Shao wrote:
>>
>> Hi Jamie,
>> When I try to change the parameter, nothing happens:
>> rescue /etc> sudo sysctl security.jail.param.children.max=1
>> security.jail.param.children.max: 0 -> 0
>>
>> rescue /etc> sudo sysctl security.jail.param.children.max
>> security.jail.param.children.max: 0
>>
>> Am I doing this incorrectly?
>>
>>
>> Yes. It's a parameter to jail(8). The security.jail.param
>> sysctls can
>> be seen as a list of possible options valid to jail(8). See
>> man 8 jail
>> for the exact details.
>>
>> /bz
>>
>> -- Bjoern A. Zeeb What was I talking about and
>> who are you again?
>>
>>
>>
>>
More information about the freebsd-jail
mailing list