vnet jails and rc-scripts

Andreas Nilsson andrnils at gmail.com
Tue Feb 26 08:56:38 UTC 2013


On Mon, Feb 25, 2013 at 6:42 PM, Teske, Devin <Devin.Teske at fisglobal.com> wrote:

> My vimage package, available here:
>
> http://druidbsd.sourceforge.net/download.shtml#vimage
>
> ...has a solution around that and you can read about it here:
>
>
> http://druidbsd.cvs.sourceforge.net/viewvc/druidbsd/pkgbase/freebsd/RELENG_8_3/sysutils/vimage/src/rc.conf.d/vimage?revision=1.1&view=markup
>

Interesting!


> Network scripts, ipfw, and other "nojail" services are started fine with
> my setup.
>
> Note that in my notes, we have a PR for adding a sysctl MIB
> (security.jail.vnet) for distinguishing vnet jails from non-vnet jails
> (from within the jail):
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/149050
>
> I think this is the best approach long-term. In essence, ultimately teach
> rcorder(8) about the difference between a jail and a vnet jail.
>

I agree.

However, I still don't get the purpose of security.jail.param.*. Are they
to be set in loader.conf/sysctl.conf to influence the default config of jails,
or are they supposed to be per-jail (from inside the jail) carriers of config?
The PR seems to indicate it's not really clear.

Also, man jail says:
"The current set of available parameters can be retrieved via ``sysctl -d
security.jail.param''. Any parameters not set will be given default values,
often based on the current environment. The core parameters are:"
and then lists some, for example jid. I take that to mean that the value
of security.jail.param.jid from inside the jail should return the jid of the
jail. I just get 0. And security.jail.param.path is 1024, which is not at
all the path of the jail... There seems to be quite a discrepancy between
the manpage and the implementation.

As another note: running named in a jail prohibits the use of chrooted
named, as the named rc-script takes "jail" to mean "cannot mount stuff",
regardless of the settings of allow.mount and allow.mount.devfs.

Perhaps another PR or two is needed ;)

Best regards
Andreas



> --
> Devin
>
> ________________________________________
> From: owner-freebsd-jail at freebsd.org [owner-freebsd-jail at freebsd.org] on
> behalf of Andreas Nilsson [andrnils at gmail.com]
> Sent: Monday, February 25, 2013 8:55 AM
> To: Mailinglists FreeBSD
> Subject: vnet jails and rc-scripts
>
> Hello,
>
> while trying to set up a couple of vnet jails I ran into some problems:
>
> 1. The networking scripts are not run.
>
> 2. The firewall script ( ipfw ) is not run.
>
> Both are skipped since they have the nojail keyword. Is the only solution
> to remove that keyword to get them running from rc in a jail?
>
> With vnet jails it seems that a lot of network-related scripts should be
> allowed to run. Is there any work being done to address this?
>
> Also, what is the sysctl security.jail.param.vnet supposed to tell me?
> Running it on the host gives 0
> Running it in vnet jail gives 0
> Running it in normal jail gives 0
> which to me seems counter intuitive, as I would have expected it to be 1 in
> the vnet jail.
>
> Best regards
> Andreas

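The quoted original message notes that netif and ipfw are skipped in a jail because they carry the nojail keyword: /etc/rc checks security.jail.jailed and, when it is 1, calls rcorder(8) with `-s nojail`. The script below is an added example (not from either poster) that emulates that keyword filter over constructed sample rc.d scripts, so the effect can be inspected without a jail; the sample scripts and the `jail_skipped` helper are constructed for illustration.

```sh
#!/bin/sh
# Added example: emulate the KEYWORD filter /etc/rc applies inside a jail
# (rcorder -s nojail) over constructed sample rc.d scripts, to show why
# netif and ipfw never start in a vnet jail even though networking works.

# rc_keywords FILE: print the keywords from an rc.d script's "# KEYWORD:" line
rc_keywords() {
    sed -n 's/^# *KEYWORD: *//p' "$1"
}

# skipped_by_keyword KEYWORD DIR: names of scripts rcorder -s KEYWORD would drop
skipped_by_keyword() {
    kw=$1; dir=$2
    for f in "$dir"/*; do
        for k in $(rc_keywords "$f"); do
            if [ "$k" = "$kw" ]; then basename "$f"; break; fi
        done
    done
}

# make_sample_rcd DIR: constructed scripts with the keywords the real
# /etc/rc.d/netif and /etc/rc.d/ipfw carry (nojail); the others do not.
make_sample_rcd() {
    mkdir -p "$1"
    printf '#!/bin/sh\n# PROVIDE: netif\n# KEYWORD: nojail\n' > "$1/netif"
    printf '#!/bin/sh\n# PROVIDE: ipfw\n# REQUIRE: netif\n# KEYWORD: nojail\n' > "$1/ipfw"
    printf '#!/bin/sh\n# PROVIDE: sshd\n# KEYWORD: shutdown\n' > "$1/sshd"
    printf '#!/bin/sh\n# PROVIDE: named\n# KEYWORD: shutdown\n' > "$1/named"
}

# jail_skipped DIR JAILED: what /etc/rc skips given security.jail.jailed
# (JAILED is passed in rather than read from sysctl so this runs anywhere)
jail_skipped() {
    if [ "$2" = 1 ]; then skipped_by_keyword nojail "$1"; fi
}

if [ -z "$RC_EXAMPLE_NO_MAIN" ]; then
    d=$(mktemp -d)
    make_sample_rcd "$d"
    echo "skipped with security.jail.jailed=1:"; jail_skipped "$d" 1
    rm -rf "$d"
fi
```

Inside a jail, `sysctl -n security.jail.jailed` supplies the second argument; the output names exactly the scripts the thread reports as not running.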
