vnet jails and rc-scripts

Teske, Devin Devin.Teske at fisglobal.com
Tue Feb 26 14:14:46 UTC 2013


I too have no idea what "security.jail.param.*" is for (that's different than the proposed "security.jail.vnet").
--
Devin


________________________________
From: Andreas Nilsson [andrnils at gmail.com]
Sent: Tuesday, February 26, 2013 12:56 AM
To: Teske, Devin
Cc: Mailinglists FreeBSD
Subject: Re: vnet jails and rc-scripts

On Mon, Feb 25, 2013 at 6:42 PM, Teske, Devin <Devin.Teske at fisglobal.com> wrote:
My vimage package, available here:

http://druidbsd.sourceforge.net/download.shtml#vimage

...has a solution around that and you can read about it here:

http://druidbsd.cvs.sourceforge.net/viewvc/druidbsd/pkgbase/freebsd/RELENG_8_3/sysutils/vimage/src/rc.conf.d/vimage?revision=1.1&view=markup

Interesting!

Network scripts, ipfw, and other "nojail" services are started fine with my setup.

Note that in my notes, we have a PR for adding a sysctl MIB (security.jail.vnet) for distinguishing vnet jails from non-vnet jails (from within the jail):

http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/149050

I think this is the best approach long-term. In essence, ultimately teach rcorder(8) about the difference between a jail and a vnet jail.

I agree.

However, I still don't get the purpose of the security.jail.param.*. Are they to be set in loader.conf/sysctl.conf to influence the default config of jails, or are they supposed to be per-jail (from inside the jail) carriers of config? The PR seems to indicate it's not really clear.

Also, man jail says:

"The current set of available parameters can be retrieved via ``sysctl -d security.jail.param''. Any parameters not set will be given default values, often based on the current environment. The core parameters are:"

and then lists some. For example jid. I take that to mean that the value of security.jail.param.jid from inside the jail should return the jid of the jail. I just get 0. And security.jail.param.path is 1024, which is not at all the path of the jail... There seems to be quite a discrepancy between the manpage and the implementation.

As another note: running named in a jail prohibits the use of chrooted named, as the named rc-script takes "jail" to mean "cannot mount stuff", regardless of the settings of allow.mount and allow.mount.devfs.

Perhaps another PR or two is needed ;)

Best regards
Andreas


--
Devin

________________________________________
From: owner-freebsd-jail at freebsd.org [owner-freebsd-jail at freebsd.org] on behalf of Andreas Nilsson [andrnils at gmail.com]
Sent: Monday, February 25, 2013 8:55 AM
To: Mailinglists FreeBSD
Subject: vnet jails and rc-scripts

Hello,

while trying to set up a couple of vnet jails I ran into some problems:

1. The networking scripts are not run.

2. The firewall script ( ipfw ) is not run.

Both are skipped since they have the nojail keyword. Is the only solution
to remove that keyword to get them running from rc in a jail?

With vnet jails it seems that a lot of network related scripts should be
allowed to run. Is there any work being done to address this?

Also, what is the sysctl security.jail.param.vnet supposed to tell me?
Running it on the host gives 0
Running it in vnet jail gives 0
Running it in normal jail gives 0
which to me seems counter intuitive, as I would have expected it to be 1 in
the vnet jail.

Best regards
Andreas
_______________________________________________
freebsd-jail at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
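The decision the thread keeps coming back to, in both Andreas's original post (netif and ipfw skipped because of the nojail keyword) and the follow-up (a security.jail.vnet MIB so rc can tell a vnet jail from a plain jail), written out as an added shell example. This is not code from the thread, from the vimage package linked above, or from FreeBSD's rc.subr; the keyword name nojailvnet, the decision table and the helper names are assumptions made for this example, and the sysctl values fed to the demo are constructed so it runs on any POSIX shell without a FreeBSD kernel.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.subr): decide whether an
# rc script should run, given the jail-related security.jail.* sysctls.
#
# Assumed keywords for the example:
#   nojail      - never run inside any jail (the keyword netif/ipfw carry today)
#   nojailvnet  - run on the host and in a vnet jail, skip in a non-vnet jail
#                 (the distinction the PR's security.jail.vnet MIB would enable)

# jail_mib mib [override]
# Print security.jail.<mib>. With an override (the constructed demo values
# below) print that instead; otherwise ask sysctl and treat a missing MIB as 0,
# which is exactly what a kernel without security.jail.vnet looks like.
jail_mib() {
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2"
    else
        sysctl -n "security.jail.$1" 2>/dev/null || echo 0
    fi
}

# has_keyword "keyword list" word: true if word appears in the list.
has_keyword() {
    for _w in $1; do
        [ "$_w" = "$2" ] && return 0
    done
    return 1
}

# should_run "keyword list" [jailed vnet]
#   keyword list : the script's "# KEYWORD:" line, e.g. "nojail shutdown"
#   jailed       : security.jail.jailed (1 inside any jail), optional override
#   vnet         : security.jail.vnet   (1 inside a vnet jail), optional override
# Exit status 0 = run the script, 1 = skip it.
should_run() {
    _kw=$1
    _jailed=$(jail_mib jailed ${2+"$2"})
    _vnet=$(jail_mib vnet ${3+"$3"})

    # On the host nothing is filtered.
    [ "$_jailed" = 1 ] || return 0
    # nojail scripts are skipped in every kind of jail.
    has_keyword "$_kw" nojail && return 1
    # nojailvnet scripts need their own network stack, which only a vnet jail has.
    if has_keyword "$_kw" nojailvnet; then
        [ "$_vnet" = 1 ] && return 0
        return 1
    fi
    return 0
}

# decide "keyword list" jailed vnet: print run/skip for the demo and tests.
decide() {
    if should_run "$1" "$2" "$3"; then echo run; else echo skip; fi
}

# Demo with constructed sysctl values (no jail needed to run this).
echo "netif  (nojailvnet) on host:         $(decide 'nojailvnet' 0 0)"
echo "netif  (nojailvnet) in plain jail:   $(decide 'nojailvnet' 1 0)"
echo "netif  (nojailvnet) in vnet jail:    $(decide 'nojailvnet' 1 1)"
echo "script (nojail)     in vnet jail:    $(decide 'nojail' 1 1)"
echo "sshd   (shutdown)   in plain jail:   $(decide 'shutdown' 1 0)"
```

Run without overrides (`should_run "$keywords"`) the function reads the real sysctls, and on a kernel that lacks security.jail.vnet the fallback to 0 makes every jail look like a plain jail, so nojailvnet scripts stay skipped there: the conservative failure mode, which is what you want from a guard whose job is to keep host-only network setup out of jails that do not own a stack.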

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
