From nvass9573 at gmx.com Sun Oct 4 10:00:31 2009
From: nvass9573 at gmx.com (Nikos Vassiliadis)
Date: Sun Oct 4 10:00:36 2009
Subject: can't find routing entry for network routes
Message-ID: <4AC87222.4030704@gmx.com>

Hi,

It seems that some[1] routing requests fail when done in a vnet environment:

r1# ifconfig epair0b 10.90/24
r1# traceroute 10.6
traceroute: findsaddr: write: No such process
r1# route -n get 10.6
route: writing to routing socket: No such process

[1] every host routing entry is manipulated correctly. Every non-host routing entry fails. Example:

#correct behavior
r1# route add 1.1.1.1 10.0.0.9
add host 1.1.1.1: gateway 10.0.0.9
r1# route get 1.1.1.1
   route to: 1.1.1.1
destination: 1.1.1.1
    gateway: 10.0.0.9
  interface: epair0b
      flags:
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

#wrong behavior
r1# route add 1.1.1.0/24 10.0.0.9
add net 1.1.1.0: gateway 10.0.0.9
r1# route get 1.1.1.2
route: writing to routing socket: No such process
r1# route get 1.1.1.0/24
route: writing to routing socket: No such process

Any help?

Thanks,
Nikos

From bzeeb-lists at lists.zabbadoz.net Sun Oct 4 11:42:21 2009
From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb)
Date: Sun Oct 4 11:42:30 2009
Subject: can't find routing entry for network routes
In-Reply-To: <4AC87222.4030704@gmx.com>
References: <4AC87222.4030704@gmx.com>
Message-ID: <20091004111741.J26486@maildrop.int.zabbadoz.net>

On Sun, 4 Oct 2009, Nikos Vassiliadis wrote:

Hi,

> It seems that some[1] routing requests fail when
> done in a vnet environment:
>
> r1# ifconfig epair0b 10.90/24
> r1# traceroute 10.6
> traceroute: findsaddr: write: No such process
> r1# route -n get 10.6
> route: writing to routing socket: No such process
....
>
> Any help?
I have outstanding patches that I haven't committed yet to not
interfere with bugfixing of non-experimental things like the new
arp/nd6 code that will be shipped with 8.0-RELEASE while vnets are
still considered to be not really supported for that release (see the
warning upon boot).

Also the solution isn't possibly the right or best one but it works
for the moment. Can you try the following patch:

http://people.freebsd.org/~bz/20090901-10-vimage-jailed_no_vnet.diff

If you are on FreeBSD 8.0-RC1 you'll possibly also need
http://people.freebsd.org/~bz/20090906-01-V_llatbl.diff
which is in HEAD but not yet MFCed to stable/8.

/bz

-- 
Bjoern A. Zeeb                It will not break if you know what you are doing.

From nvass9573 at gmx.com Sun Oct 4 18:00:17 2009
From: nvass9573 at gmx.com (Nikos Vassiliadis)
Date: Sun Oct 4 18:00:23 2009
Subject: can't find routing entry for network routes
In-Reply-To: <20091004111741.J26486@maildrop.int.zabbadoz.net>
References: <4AC87222.4030704@gmx.com> <20091004111741.J26486@maildrop.int.zabbadoz.net>
Message-ID: <4AC8E291.7030409@gmx.com>

Bjoern A. Zeeb wrote:
> On Sun, 4 Oct 2009, Nikos Vassiliadis wrote:
>
> Hi,

Hello Bjoern

> I have outstanding patches that I haven't committed yet to not
> interfere with bugfixing of non-experimental things like the new
> arp/nd6 code that will be shipped with 8.0-RELEASE while vnets are
> still considered to be not really supported for that release (see the
> warning upon boot).

I see.

> Also the solution isn't possibly the right or best one but it works
> for the moment. Can you try the following patch:
>
> http://people.freebsd.org/~bz/20090901-10-vimage-jailed_no_vnet.diff

Yes, it helps.

Just a quick question though, I am trying to use some routing daemons,
routed from base and quagga. The protocols (RIPv2, OSPF) I am trying to
use rely on joining multicast groups. Is joining multicast groups out of
the question for the time being?
Nikos From julian at elischer.org Mon Oct 5 20:28:50 2009 From: julian at elischer.org (Julian Elischer) Date: Mon Oct 5 20:28:57 2009 Subject: Per Jail Memory Limits In-Reply-To: <4ACA4216.9060008@tomjudge.com> References: <4ACA0549.7030404@tomjudge.com> <4ACA2E0F.5010800@elischer.org> <4ACA3146.9090402@tomjudge.com> <6201873e0910051142q58e7563fqc7735261ea9ab3c6@mail.gmail.com> <4ACA4216.9060008@tomjudge.com> Message-ID: <4ACA5704.2070404@elischer.org> Tom Judge wrote: > Adam Vande More wrote: >> On Mon, Oct 5, 2009 at 12:47 PM, Tom Judge > > wrote: >> >> Julian Elischer wrote: >> >> Tom Judge wrote: >> >> Hi, >> >> Does anyone know of a patch that will add per jail memory >> limits so that a jail can't swallow the resources of the >> entire box? >> >> >> Thanks >> >> Tom >> _______________________________________________ >> freebsd-current@freebsd.org >> mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-current >> To unsubscribe, send any mail to >> "freebsd-current-unsubscribe@freebsd.org >> " >> >> >> >> not yet.. >> >> >> I started to port this to 7.1 today: >> >> http://wiki.freebsd.org/JailResourceLimits >> >> >> What are the peoples opinions on this patch? >> >> >> Tom >> >> >> If you're soliciting opinions if this will be used and is needed, I >> would love to see this functionality. This is the main reason I've >> had to chose XEN over jails. If you need some help testing, let me know. >> >> -- >> Adam Vande More > Hi Adam, > > I have a patch against 7.1 here: > http://svn.tomjudge.com/freebsd/patches/jail-resource-limits/jail-limits.patch probably the person who should work with this in -current is james (CC'd) > > > I will try to bring the patch up to current when I get a chance but I > have no real need to do this as we use 7.1 in production. > > Notes: > > * CPU limiting is not support is not supported unless you use > shecd_4bsd. 
> * I have not tested this on any system yet, just compile tested, I am > putting it though its paces right now. > > Tom > > _______________________________________________ > freebsd-current@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" From bzeeb-lists at lists.zabbadoz.net Tue Oct 6 10:50:08 2009 From: bzeeb-lists at lists.zabbadoz.net (Bjoern A. Zeeb) Date: Tue Oct 6 10:50:20 2009 Subject: Per Jail Memory Limits In-Reply-To: <4ACA5704.2070404@elischer.org> References: <4ACA0549.7030404@tomjudge.com> <4ACA2E0F.5010800@elischer.org> <4ACA3146.9090402@tomjudge.com> <6201873e0910051142q58e7563fqc7735261ea9ab3c6@mail.gmail.com> <4ACA4216.9060008@tomjudge.com> <4ACA5704.2070404@elischer.org> Message-ID: <20091006104529.B5956@maildrop.int.zabbadoz.net> On Mon, 5 Oct 2009, Julian Elischer wrote: > Tom Judge wrote: >> Adam Vande More wrote: >>> On Mon, Oct 5, 2009 at 12:47 PM, Tom Judge >> > wrote: >>> >>> Julian Elischer wrote: >>> >>> Tom Judge wrote: >>> >>> Hi, >>> >>> Does anyone know of a patch that will add per jail memory >>> limits so that a jail can't swallow the resources of the >>> entire box? >>> >>> >>> Thanks >>> >>> Tom >>> >>> not yet.. >>> >>> >>> I started to port this to 7.1 today: >>> >>> http://wiki.freebsd.org/JailResourceLimits >>> >>> >>> What are the peoples opinions on this patch? >>> >>> >>> Tom >>> >>> >>> If you're soliciting opinions if this will be used and is needed, I would >>> love to see this functionality. This is the main reason I've had to chose >>> XEN over jails. If you need some help testing, let me know. 
>>>
>>> --
>>> Adam Vande More
>> Hi Adam,
>>
>> I have a patch against 7.1 here:
>> http://svn.tomjudge.com/freebsd/patches/jail-resource-limits/jail-limits.patch
>
>
>
> probably the person who should work with this in -current is james (CC'd)

Probably the person who should be contacted is trasz who worked on
hierarchical resource limit per .., jail in p4.

Though this is slightly different.

I think it's ok if people need those things to update the patches but I
doubt any will probably ever make it into FreeBSD as those things are
kind of contrary to the V_ plans.

BTW, I think the patch referenced is not the latest I had seen and I
thought that we also had one for 7.x or even for 8 already floating
around. Maybe some investigation on list archives etc. might be helpful
before starting to hack things. Maybe also check the links on
http://wiki.freebsd.org/Jails

>>
>>
>> I will try to bring the patch up to current when I get a chance but I have
>> no real need to do this as we use 7.1 in production.
>>
>> Notes:
>>
>> * CPU limiting is not supported unless you use
>> sched_4bsd.
>> * I have not tested this on any system yet, just compile tested, I am
>> putting it through its paces right now.
>>
>> Tom

-- 
Bjoern A. Zeeb                It will not break if you know what you are doing.

From remodeler at alentogroup.org Wed Oct 7 01:15:02 2009
From: remodeler at alentogroup.org (remodeler)
Date: Wed Oct 7 01:15:08 2009
Subject: can't find routing entry for network routes
Message-ID: <20091007002615.M76095@alentogroup.org>

I am having the same problem as Nikos. I am trying to implement a vnet-enabled
service jail on FreeBSD 8.0 HEAD. I have thoroughly studied the "Network stack
virtualization" document written by Marko. I received troubleshooting help
over several days last from Julian Elischer when I raised the issue in this
thread on the freebsd-net list. I am running a GENERIC kernel on amd64, with
the additional options vimage, netgraph, ng_ether, and ng_eiface.
I successfully applied the patch Bjoern provided:

http://people.freebsd.org/~bz/20090901-10-vimage-jailed_no_vnet.diff

I tested with this patch, and also the lines in the other patch Bjoern
provided that are not in HEAD:

http://people.freebsd.org/~bz/20090906-01-V_llatbl.diff

i.e.,
+#include
+	CURVNET_RESTORE();
+	CURVNET_SET_QUIET(TD_TO_VNET(curthread));

+vnet_lltable_init(const void *unused __unused)
+{
+
+	/* Manually do what SLIST_HEAD_INITIALIZER would do. */
+	V_lltables.slh_first = NULL;
+}
+
+VNET_SYSINIT(vnet_lltable_init, SI_SUB_PSEUDO, SI_ORDER_ANY, vnet_lltable_init,
+    NULL);

Trying to apply a ruleset after mounting devfs in a jail, I get:

devfs -m /jail/j/ns/dev rule -s 8 applyset
devfs rule: ioctl DEVFSIO_SAPPLY: No such process

Attempting to apply a default route to the ngeth0 interface bound to the jail,
I get:

route: writing to routing socket: Network is unreachable
add net default: gateway 00:23:54:08:2b:f7: Network is unreachable

netstat -r gives:

netstat: kvm not available: /dev/mem: Permission denied
Routing tables
rt_tables: symbol not in namelist

I have /dev/mem mounted in the jail. I've seen reference to mem not being
accessible in the jail, in some of the discussions on running x-server in the
jail. Julian mentioned that it looked like I need to make /dev/mem accessible
in the jail. I do not know how to do that; it also seems that if I had a
routing socket, I could live without reading memory for netstat output. I
understand each jail has its own FIB. I thought jails opened a routing socket
during their creation by default.

I need to add a default route to use the jail:

vimage ns route add default -link 00:0a:0b:0c:2b:f7

But no combination I've tried succeeds.
Any help appreciated :-> From julian at elischer.org Wed Oct 7 01:37:48 2009 From: julian at elischer.org (Julian Elischer) Date: Wed Oct 7 01:37:55 2009 Subject: can't find routing entry for network routes In-Reply-To: <20091007002615.M76095@alentogroup.org> References: <20091007002615.M76095@alentogroup.org> Message-ID: <4ACBF0ED.2070905@elischer.org> remodeler wrote: > I am having the same problem as Nikos I am trying to implement a vnet-enabled > service jail on FreeBSD 8.0 HEAD. I have thoroughly studied the "Network stack > virtualization" document written by Marko. I received troubleshooting help > over several days last from Julian Elischer when I raised the issue in this > thread on the freebsd-net list. I am running a GENERIC kernel on amd64, with > the additional options vimage, netgraph, ng_ether, and ng_eiface. please recap with a script that fails i.e. a script I can try run, and show how the output differs from what you would expect. (I don't have your previous emails at hand) > > I successfully applied the patch Bjoern provided: > > http://people.freebsd.org/~bz/20090901-10-vimage-jailed_no_vnet.diff > > I tested with this patch, and also the lines in the other patch Bjoern > provided that are not in HEAD: > > http://people.freebsd.org/~bz/20090906-01-V_llatbl.diff > > i.e., > +#include > + CURVNET_RESTORE(); > + CURVNET_SET_QUIET(TD_TO_VNET(curthread)); > > +vnet_lltable_init(const void *unused __unused) > +{ > + > + /* Manually do what SLIST_HEAD_INITIALIZER would do. 
*/ > + V_lltables.slh_first = NULL; > +} > + > +VNET_SYSINIT(vnet_lltable_init, SI_SUB_PSEUDO, SI_ORDER_ANY, vnet_lltable_init, > + NULL); > > Trying to apply a ruleset after mounting devfs in a jail, I get: > > devfs -m /jail/j/ns/dev rule -s 8 applyset > devfs rule: ioctl DEVFSIO_SAPPLY: No such process > > Attempting to apply a default route to the ngeth0 interface bound to the jail, > I get: > > route: writing to routing socket: Network is unreachable > add net default: gateway 00:23:54:08:2b:f7: Network is unreachable > > netstat -r gives: > > netstat: kvm not available: /dev/mem: Permission denied > Routing tables > rt_tables: symbol not in namelist > > I have /dev/mem mounted in the jail. I've seen reference to mem not being > accessible in the jail, in some of the discussions on running x-server in the > jail. Julian mentioned that it looked like I need to make /dev/mem accessible > in the jail. I do not know how to do that; it also seems that if I had a > routing socket, I could live without reading memory for netstat output. I > understand each jail has its own FIB. I thought jails opened a routing socket > during their creation by default. > > I need to add a default route to use the jail: > > vimage ns route add default -link 00:0a:0b:0c:2b:f7 > > But no combination I've tried succeeds. 
Any help appreciated :-> > _______________________________________________ > freebsd-virtualization@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization > To unsubscribe, send any mail to "freebsd-virtualization-unsubscribe@freebsd.org" From remodeler at alentogroup.org Wed Oct 7 04:50:08 2009 From: remodeler at alentogroup.org (remodeler) Date: Wed Oct 7 04:50:15 2009 Subject: can't find routing entry for network routes In-Reply-To: <4ACBF0ED.2070905@elischer.org> References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> Message-ID: <20091007043721.M28730@alentogroup.org> On Tue, 06 Oct 2009 18:37:49 -0700, Julian Elischer wrote > please recap with a script that fails Thank you for your response Julian. I very much respect the work everyone has done on netgraph / vimage / jails, and also the help extended to me. Kernel options in addition to amd64 GENERIC are geom_journal, ufs_gjournal, geom_mirror, geom_eli, vimage, netgraph, netgraph_bridge, netgraph_ether, and netgraph_eiface. Additional devices are crypto. World and kernel are in sync. I have been testing by csup'ing from head, but I have the same errors in 8.0 beta1, beta3, and rc1. 
# make a bridge and connect the physical ethernet interface to it
ngctl mkpeer msk0: bridge lower link0
ngctl name msk0:lower bridge0
ngctl connect msk0: bridge0: upper link1

# Start Name Server Jail
jail -c -l -U root -n ns host.hostname=ns.my.org path=\
/jail/j/ns vnet persist
mount -t procfs proc /jail/j/ns/proc
mount -t devfs dev /jail/j/ns/dev
devfs -m /jail/j/ns/dev rule -s 4 applyset
mount -t fdescfs null /jail/j/ns/dev/fd
ngctl mkpeer eiface ether ether
ngctl connect ngeth0: bridge0: ether link2
ifconfig ngeth0 vnet ns
vimage ns ifconfig lo0 localhost
vimage ns ifconfig ngeth0 link 02:0a:0b:0c:01:01
vimage ns ifconfig ngeth0 172.26.64.10
vimage ns route add default -link 00:23:54:08:2b:f7

This results in an error on applying the devfs ruleset, so I see all of root's
/dev in the jail. I receive an error on the route command. I get identical
errors when I specify / as the path and omit the mounts/devfs command.

My expectation is that this would leave me with two network stacks, msk0 and
ngeth0, with msk0 connected to the ng_bridge by its upper and lower hooks and
ngeth0 by its ether hook. I would expect network connectivity over the bridge,
and to be able to manipulate the vnet jail's FIB from the host to add a
default route.

Most of what I expect happens:

# ngctl list
There are 5 total nodes:
  Name: bridge0         Type: bridge          ID: 00000004   Num hooks: 3
  Name: ipfw            Type: ipfw            ID: 00000001   Num hooks: 0
  Name: ngeth0          Type: eiface          ID: 00000008   Num hooks: 1
  Name: ngctl1633       Type: socket          ID: 0000000a   Num hooks: 0
  Name: msk0            Type: ether           ID: 00000002   Num hooks: 2

# vimage -l
ns

# jls
   JID  IP Address      Hostname                      Path
     1  -               ns.my.org                     /jail/j/ns

but the devfs ruleset command fails (executed on the host):

# devfs -m /jail/j/ns/dev rule -s 4 applyset
devfs rule: ioctl DEVFSIO_SAPPLY: No such process

and in the jail:

ns# # devfs -m /jail/j/ns/dev rule -s 4 applyset
#: Command not found.
ns# fs rule: ioctl DEVFSIO_SAPPLY: No such processdevfs rule: ioctl DEVFSIO_SAPPLY: No such process

adding the route from the host:

# vimage ns route add default -link 00:23:54:08:2b:f7
route: writing to routing socket: Network is unreachable
add net default: gateway 00:23:54:08:2b:f7: Network is unreachable

and from the jail:

ns# route add default -link 00:23:54:08:2b:f7
route: writing to routing socket: Network is unreachable
add net default: gateway 00:23:54:08:2b:f7: Network is unreachable

I get the same error for netstat -r from the host and the jail:

# netstat -r
netstat: kvm not available: /dev/mem: Permission denied
Routing tables
rt_tables: symbol not in namelist

Before I compiled in Bjorn's patches, netstat -r worked properly on the host.
The host has network connectivity. If I boot without starting the jail,
everything works as I expect on the host (haven't tested that very far since
the patches).

Thank you.

From julian at elischer.org Wed Oct 7 05:20:52 2009
From: julian at elischer.org (Julian Elischer)
Date: Wed Oct 7 05:20:58 2009
Subject: can't find routing entry for network routes
In-Reply-To: <20091007043721.M28730@alentogroup.org>
References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> <20091007043721.M28730@alentogroup.org>
Message-ID: <4ACC2536.9030701@elischer.org>

remodeler wrote:
> On Tue, 06 Oct 2009 18:37:49 -0700, Julian Elischer wrote
>
>> please recap with a script that fails
>
> Thank you for your response Julian. I very much respect the work everyone has
> done on netgraph / vimage / jails, and also the help extended to me.
>
> Kernel options in addition to amd64 GENERIC are geom_journal, ufs_gjournal,
> geom_mirror, geom_eli, vimage, netgraph, netgraph_bridge, netgraph_ether, and
> netgraph_eiface. Additional devices are crypto. World and kernel are in sync.
> I have been testing by csup'ing from head, but I have the same errors in 8.0
> beta1, beta3, and rc1.
>
> # make a bridge and connect the physical ethernet interface to it
> ngctl mkpeer msk0: bridge lower link0
> ngctl name msk0:lower bridge0
> ngctl connect msk0: bridge0: upper link1
>
> # Start Name Server Jail
> jail -c -l -U root -n ns host.hostname=ns.my.org path=\
> /jail/j/ns vnet persist
> mount -t procfs proc /jail/j/ns/proc
> mount -t devfs dev /jail/j/ns/dev
> devfs -m /jail/j/ns/dev rule -s 4 applyset

can you show rule set 4?

> mount -t fdescfs null /jail/j/ns/dev/fd

gosh someone that uses that? wow

> ngctl mkpeer eiface ether ether

?? something missing here. mkpeer takes 4 args

> ngctl connect ngeth0: bridge0: ether link2

# I haven't checked the man pages but I'd imagine something like:
ngctl mkpeer msk0: bridge lower lower
ngctl name msk0:lower bridge
ngctl connect bridge: msk0 upper upper
ngctl mkpeer bridge: eiface upper2 ether

> ifconfig ngeth0 vnet ns
> vimage ns ifconfig lo0 localhost

use jexec instead I think. 'vimage' will go away. it is the 'old' interface.

> vimage ns ifconfig ngeth0 link 02:0a:0b:0c:01:01
> vimage ns ifconfig ngeth0 172.26.64.10
> vimage ns route add default -link 00:23:54:08:2b:f7

?? why a link address?

>
> This results in an error on applying the devfs ruleset,

I don't know why that would be. can you do that line on somewhere else, like
/mnt? Or does it only fail on the root of the jail?

> so I see all of root's
> /dev in the jail. I receive an error on the route command. I get identical
> errors when I specify / as the path and omit the mounts/devfs command.

try using a normal IP address as the default route..

>
> My expectation is that this would leave me with two network stacks, msk0 and
> ngeth0, with msk0 connected to the ng_bridge by its upper and lower hooks and
> ngeth0 by its ether hook. I would expect network connectivity over the bridge,
> and to be able to manipulate the vnet jail's FIB from the host to add a
> default route.
> Most of what I expect happens:
>
> # ngctl list
> There are 5 total nodes:
>   Name: bridge0         Type: bridge          ID: 00000004   Num hooks: 3
>   Name: ipfw            Type: ipfw            ID: 00000001   Num hooks: 0
>   Name: ngeth0          Type: eiface          ID: 00000008   Num hooks: 1
>   Name: ngctl1633       Type: socket          ID: 0000000a   Num hooks: 0
>   Name: msk0            Type: ether           ID: 00000002   Num hooks: 2
>
> # vimage -l
> ns
>
> # jls
>    JID  IP Address      Hostname                      Path
>      1  -               ns.my.org                     /jail/j/ns
>
> but the devfs ruleset command fails (executed on the host):
>
> # devfs -m /jail/j/ns/dev rule -s 4 applyset
> devfs rule: ioctl DEVFSIO_SAPPLY: No such process
>
> and in the jail:
>
> ns# # devfs -m /jail/j/ns/dev rule -s 4 applyset
> #: Command not found.
> ns# fs rule: ioctl DEVFSIO_SAPPLY: No such processdevfs rule: ioctl
> DEVFSIO_SAPPLY: No such process
>
> adding the route from the host:
>
> # vimage ns route add default -link 00:23:54:08:2b:f7
> route: writing to routing socket: Network is unreachable
> add net default: gateway 00:23:54:08:2b:f7: Network is unreachable
>
> and from the jail:
>
> ns# route add default -link 00:23:54:08:2b:f7
> route: writing to routing socket: Network is unreachable
> add net default: gateway 00:23:54:08:2b:f7: Network is unreachable

try adding the IP address of your gateway on the 172 net. (you haven't shown this).

>
> I get the same error for netstat -r from the host and the jail:
>
> # netstat -r
> netstat: kvm not available: /dev/mem: Permission denied
> Routing tables
> rt_tables: symbol not in namelist

it is possible that the kvm is not available to you because of the jail, but
it works for me on -current.

>
> Before I compiled in Bjorn's patches, netstat -r worked properly on the host.
> The host has network connectivity. If I boot without starting the jail,
> everything works as I expect on the host (haven't tested that very far since
> the patches).

I get the impression you want the jail to be on the 172 net but you don't
actually HAVE a 172 net. Is that true?

>
> Thank you.
From remodeler at alentogroup.org Wed Oct 7 22:31:03 2009
From: remodeler at alentogroup.org (remodeler)
Date: Wed Oct 7 22:31:10 2009
Subject: can't find routing entry for network routes
In-Reply-To: <4ACCE73A.5000502@elischer.org>
References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> <20091007043721.M28730@alentogroup.org> <4ACC2536.9030701@elischer.org> <4ACCE73A.5000502@elischer.org>
Message-ID: <20091007222310.M23322@alentogroup.org>

Julian Elischer wrote:
> note the group permissions.

I rebuilt to 8_RELENG and permissions on /dev/kmem default to 540. Netstat works
in the virtual jail, and I did not have a route to a gateway on the jail's
subnet assigned to ngeth0. Adding a route to the gateway on the physical
ethernet interface allowed me to add a default route in the jail.

> ?? why a link address?

I was afraid the netgraph bridge wouldn't associate the IP address to the
physical interface's MAC. I see ng does have arplikeness built-in ;)

I sincerely appreciate all of the help, Julian. I am very excited about 8.0 -
stack smashing protection, virtualization, trustedbsd. It's a great OS. You
mentioned that netgraph is mostly used by higher level applications -
commercial apps? What products use netgraph?

I will contribute my internal doc on virtualizing a FreeBSD server with
netgraph when everything stabilizes. I have a technical writer available to
edit my internal documentation, and I can release the docs under a BSD
license.
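Added example, not code from the thread: a POSIX sh version of the bring-up sequence discussed above that first checks that the default gateway is on-link for the jail's interface (the condition behind the "Network is unreachable" failures), and applies the two changes suggested in the replies, jexec instead of vimage and an IPv4 gateway instead of a link-layer address. It assumes msk0 as the physical NIC, ngeth0 as the jail's ng_eiface, 172.26.64.10/24 for the jail and 172.26.64.1 as a placeholder gateway; the ngctl/jail commands only run when the script is invoked with "run" on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: msk0 (physical NIC),
# ngeth0 (the jail's ng_eiface), 172.26.64.10/24 (jail address) and
# 172.26.64.1 (placeholder gateway, not taken from the thread).

# Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
# Fails (returns 1, prints nothing) unless given four 0-255 octets
# without leading zeros.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length 0..32, as an integer.
prefix_to_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    [ "$1" -eq 0 ] && { echo 0; return 0; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet ADDR GATEWAY PREFIXLEN: succeeds only when GATEWAY lies in
# ADDR/PREFIXLEN. route(8) answers "Network is unreachable" for a default
# route whose gateway has no interface route covering it.
same_subnet() {
    a_int=$(ip4_to_int "$1") || return 2
    g_int=$(ip4_to_int "$2") || return 2
    m_int=$(prefix_to_mask "$3") || return 2
    [ $(( a_int & m_int )) -eq $(( g_int & m_int )) ]
}

# Bring-up sequence from the thread with the suggested changes applied.
# Refuses to start if the gateway is off-link, so the failure surfaces
# before any netgraph or jail state has been created.
setup_vnet_jail() {
    nic=$1 jname=$2 root=$3 addr=$4 plen=$5 gw=$6
    if ! same_subnet "$addr" "$gw" "$plen"; then
        echo "gateway $gw is not on-link for $addr/$plen" >&2
        return 1
    fi
    # Bridge the physical interface's lower (wire) and upper (host stack) hooks.
    ngctl mkpeer "$nic:" bridge lower link0
    ngctl name "$nic:lower" bridge0
    ngctl connect "$nic:" bridge0: upper link1
    # Create the jail with its own network stack and hand it an eiface
    # attached to the bridge.
    jail -c -n "$jname" host.hostname="$jname" path="$root" vnet persist
    ngctl mkpeer eiface ether ether
    ngctl connect ngeth0: bridge0: ether link2
    ifconfig ngeth0 vnet "$jname"
    jexec "$jname" ifconfig lo0 127.0.0.1
    jexec "$jname" ifconfig ngeth0 "$addr/$plen"
    jexec "$jname" route add default "$gw"
}

# Only touch the system when explicitly asked to, so the helpers can be
# sourced and checked on any host.
if [ "${1:-}" = run ]; then
    setup_vnet_jail msk0 ns /jail/j/ns 172.26.64.10 24 172.26.64.1
fi
```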
From remodeler at alentogroup.org Wed Oct 7 23:30:42 2009
From: remodeler at alentogroup.org (remodeler)
Date: Wed Oct 7 23:30:49 2009
Subject: can't find routing entry for network routes
In-Reply-To: <4ACD1A29.4070207@elischer.org>
References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> <20091007043721.M28730@alentogroup.org> <4ACC2536.9030701@elischer.org> <4ACCE73A.5000502@elischer.org> <20091007222310.M23322@alentogroup.org> <4ACD1A29.4070207@elischer.org>
Message-ID: <20091007234005.M40001@alentogroup.org>

Julian Elischer wrote:
> so does this mean it's all working for you?

Yes. Thank you.

Will netgraph let you create a gif or other tunneling socket and plug it in
directly to the graph? Would the alternative be piping a userland tunneling
socket and ng_socket?

From julian at elischer.org Thu Oct 8 00:21:35 2009
From: julian at elischer.org (Julian Elischer)
Date: Thu Oct 8 00:21:42 2009
Subject: can't find routing entry for network routes
In-Reply-To: <20091007234005.M40001@alentogroup.org>
References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> <20091007043721.M28730@alentogroup.org> <4ACC2536.9030701@elischer.org> <4ACCE73A.5000502@elischer.org> <20091007222310.M23322@alentogroup.org> <4ACD1A29.4070207@elischer.org> <20091007234005.M40001@alentogroup.org>
Message-ID: <4ACD3091.9000709@elischer.org>

remodeler wrote:
> Julian Elischer wrote:
>
>> so does this mean it's all working for you?
>
> Yes. Thank you.
>
> Will netgraph let you create a gif or other tunneling socket and plug it in
> directly to the graph? Would the alternative be piping a userland tunneling
> socket and ng_socket?

there is an ng_gif node but I've never used it.

look in /usr/src/sys/netgraph to see what exists. They are supposed to all
have man pages.

I like mpd for tunneling..
it is a higher level user of netgraph.
From julian at elischer.org Thu Oct 8 17:01:26 2009
From: julian at elischer.org (Julian Elischer)
Date: Thu Oct 8 17:01:32 2009
Subject: can't find routing entry for network routes
In-Reply-To:
References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> <20091007043721.M28730@alentogroup.org> <4ACC2536.9030701@elischer.org> <4ACCE73A.5000502@elischer.org> <20091007222310.M23322@alentogroup.org> <4ACD1A29.4070207@elischer.org> <20091007234005.M40001@alentogroup.org> <4ACD3091.9000709@elischer.org>
Message-ID: <4ACE1AE8.60409@elischer.org>

Ahrenholz, Jeffrey M wrote:
>>> Will netgraph let you create a gif or other tunneling
>> socket and plug
>>> it in directly to the graph? Would the alternative be piping a
>>> userland tunneling socket and ng_socket?
>> there is an ng_gif node but I've never used it.
>>
>> look in /usr/src/sys/netgraph to see what exists. They are
>> supposed to all have man pages.
>>
>> I like mpd for tunneling..
>> it is a higher level user of netgraph.
>
> Another good one is ng_ksocket(4), which you can use to directly connect the
> netgraph systems of two different kernels across the network. It behaves like
> a bare-bones tunnel where the netgraph data is sent directly over UDP or TCP.
>
> -Jeff

in fact mpd knows how to use ksockets to do just that when it uses tcp or udp
as a transport mechanism for its ppp stream.

I have also used ksockets directly and used ipsec to encrypt the outer layer..
From jeffrey.m.ahrenholz at boeing.com Thu Oct 8 17:03:55 2009
From: jeffrey.m.ahrenholz at boeing.com (Ahrenholz, Jeffrey M)
Date: Thu Oct 8 17:04:02 2009
Subject: can't find routing entry for network routes
In-Reply-To: <4ACD3091.9000709@elischer.org>
References: <20091007002615.M76095@alentogroup.org> <4ACBF0ED.2070905@elischer.org> <20091007043721.M28730@alentogroup.org> <4ACC2536.9030701@elischer.org> <4ACCE73A.5000502@elischer.org> <20091007222310.M23322@alentogroup.org> <4ACD1A29.4070207@elischer.org> <20091007234005.M40001@alentogroup.org> <4ACD3091.9000709@elischer.org>
Message-ID:

> > Will netgraph let you create a gif or other tunneling
> socket and plug
> > it in directly to the graph? Would the alternative be piping a
> > userland tunneling socket and ng_socket?
>
> there is an ng_gif node but I've never used it.
>
> look in /usr/src/sys/netgraph to see what exists. They are
> supposed to all have man pages.
>
> I like mpd for tunneling..
> it is a higher level user of netgraph.

Another good one is ng_ksocket(4), which you can use to directly connect the
netgraph systems of two different kernels across the network. It behaves like
a bare-bones tunnel where the netgraph data is sent directly over UDP or TCP.

-Jeff

From jorn_rikkers at hotmail.com Wed Oct 21 07:47:50 2009
From: jorn_rikkers at hotmail.com (Jorn Rikkers)
Date: Wed Oct 21 07:47:56 2009
Subject: setting MROUTING option in kernel causes reboot on delete vimage
Message-ID:

Hi,

I'm trying to run a multicast simulation with CORE and XORP, using vimage.
I've recompiled my kernel with the MROUTING option set. Unfortunately the
system crashes after deleting a vimage, even when I remove it just after
creation.

e.g.
vimage -c e0_n0
vimage -d e0_n0 # system crash -> reboot

I've used the vimage_7_20090505.tgz source with the following build config file

#--------------------------
include         GENERIC
ident           CORE
options         IPSEC
device          crypto
options         VIMAGE
options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         MROUTING
nooptions       SCTP
#--------------------------

I've tried to determine the cause by looking at the backtrace of the crash,
but without success. Could somebody help me with this? See the backtrace below.

thanks,
Jorn Rikkers

$ sudo kgdb kernel.debug /var/crash/vmcore.6
Password:
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...

Unread portion of the kernel message buffer:
<6>eth0: promiscuous mode disabled

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x1c74
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc091113d
stack pointer           = 0x28:0xe7b9eb20
frame pointer           = 0x28:0xe7b9eb44
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3654 (vimage)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 53m59s
Physical memory: 2034 MB
Dumping 179 MB: 164 148 132 116 100 84 68 52 36 20 4

Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/linux.ko...Reading symbols from /boot/kernel/linux.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/linux.ko
Reading symbols from /usr/local/modules/fuse.ko...done.
Loaded symbols for /usr/local/modules/fuse.ko
Reading symbols from /boot/kernel/ng_socket.ko...Reading symbols from /boot/kernel/ng_socket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_socket.ko
Reading symbols from /boot/kernel/netgraph.ko...Reading symbols from /boot/kernel/netgraph.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_ether.ko...Reading symbols from /boot/kernel/ng_ether.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ether.ko
Reading symbols from /boot/kernel/ng_iface.ko...Reading symbols from /boot/kernel/ng_iface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_iface.ko
Reading symbols from /boot/kernel/ng_eiface.ko...Reading symbols from /boot/kernel/ng_eiface.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_eiface.ko
Reading symbols from /boot/kernel/ng_ksocket.ko...Reading symbols from /boot/kernel/ng_ksocket.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_ksocket.ko
Reading symbols from /boot/kernel/ng_pipe.ko...Reading symbols from /boot/kernel/ng_pipe.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/ng_pipe.ko
#0  doadump () at pcpu.h:196
196             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) backtrace
#0  doadump () at pcpu.h:196
#1  0xc07e6ca7 in boot (howto=260) at ../../../kern/kern_shutdown.c:418
#2  0xc07e6f79 in panic (fmt=Variable "fmt" is not available.
) at ../../../kern/kern_shutdown.c:574
#3  0xc0ac8a4c in trap_fatal (frame=0xe7b9eae0, eva=7284)
    at ../../../i386/i386/trap.c:939
#4  0xc0ac8cd0 in trap_pfault (frame=0xe7b9eae0, usermode=0, eva=7284)
    at ../../../i386/i386/trap.c:852
#5  0xc0ac967c in trap (frame=0xe7b9eae0) at ../../../i386/i386/trap.c:530
#6  0xc0aadd6b in calltrap () at ../../../i386/i386/exception.s:159
#7  0xc091113d in X_ip6_mrouter_done () at ../../../netinet6/ip6_mroute.c:566
#8  0xc08dfbfd in vnet_mroute_idetach (unused=0x0)
    at ../../../netinet/ip_mroute.c:3150
#9  0xc0802de9 in vnet_mod_destructor (vml=0x0)
    at ../../../kern/kern_vimage.c:850
#10 0xc08041d2 in vi_td_ioctl (cmd=2352769381, vi_req=0xc655a000,
    td=0xc6d1c240) at ../../../kern/kern_vimage.c:782
#11 0xc0884535 in ifioctl (so=0xc6f06d20, cmd=2352769381,
    data=0xc655a000 "\002", td=0xc6d1c240) at ../../../net/if.c:2141
#12 0xc08289d2 in soo_ioctl (fp=0xc6f00720, cmd=2352769381, data=0xc655a000,
    active_cred=0xc6897500, td=0xc6d1c240) at ../../../kern/sys_socket.c:198
#13 0xc0821735 in kern_ioctl (td=0xc6d1c240, fd=3, com=2352769381,
    data=0xc655a000 "\002") at file.h:269
#14 0xc0821894 in ioctl (td=0xc6d1c240, uap=0xe7b9ecfc)
    at ../../../kern/sys_generic.c:571
#15 0xc0ac9025 in syscall (frame=0xe7b9ed38) at ../../../i386/i386/trap.c:1090
#16 0xc0aaddd0 in Xint0x80_syscall () at ../../../i386/i386/exception.s:255
#17 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb)

From julian at elischer.org Thu Oct 29 18:51:48 2009
From: julian at elischer.org (Julian Elischer)
Date: Thu Oct 29 18:51:54 2009
Subject: vnet text for release notes for FreeBSD 8.0
Message-ID: <4AE9E442.6050100@elischer.org>

I guess we need to make a quick note for inclusion with the 8.0 release notes:

I'm going to put a couple of sentences here as a straw-man starting point,
and hopefully we can work on it together.

In addition some recipes for some interesting things to do might be good.
Maybe as a separate document on the web we can point to.

----straw man--

FreeBSD 8.0 includes a "technology demonstration" version of the Virtual
network stack work that has been done over the last few years. This is not
meant to be used in production yet but is sufficient to allow FreeBSD users
to experiment with the feature and get an idea of its capabilities.

The feature, originally known as "vimage", is now integrated into the jail
framework, and is controlled from the jail utility.
A new jail that is created withh the 'vnet' keyword in the command will be allocated a separate network stack. The new network stack will have it's own lo0 interface and can be assigned any of the existing real interfaces or virtual interfaces. In addition it can have its own instance of ipfw, and its own completely separate routing tables. Processes in the new jail can only communicate with (network wise) processes outside the jail via unix domain sockets in shared filesystem space, or via external (or virtualized) networking infrastructure. This allows processes on the same machine to exist on completely disjoint network segments, or for one machine to have multiple interfaces on the same network segment with no confusion. (in different vnets). Virtualized features in 8.0 include: * raw sockets, * routing sockets * IPv4 udp, tcp and sctp * IPv6 udp, tcp and sctp * ipsec * ipfw * netgraph * divert sockets * routing tables * interfaces (real and virtual) In future releases of FreeBSD more features will be virtualized including pf. In addition work will be done to address weaknesses the currently virtualized modules. for some examples if vnet based configurations see:
"give it a try!" ----end straw man---- is scpt fully virtualized in 8.0? did I miss anything. julian
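A recipe of the kind the post asks for, added here as an example and not part of Julian's draft or of FreeBSD itself: it creates a vnet jail with jail(8), moves one end of an epair(4) pair into the jail's network stack and numbers both ends. The jail name "demo", the path /jails/demo, epair unit 0 and the 10.0.0.0/24 addresses are constructed sample values; the commands only take effect as root on a VIMAGE kernel, and otherwise the script just prints what it would run.

```shell
#!/bin/sh
# Added example, not from the thread: bring up a FreeBSD 8.0 vnet jail and
# connect it to the host through an epair(4) pair. The jail name, path, epair
# unit and addresses used below are constructed sample values.
set -eu

# Real configuration needs root and jail(8); otherwise fall back to printing
# the commands (DRY_RUN=1) so the recipe can be read and checked anywhere.
if ! command -v jail >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
    DRY_RUN=1
fi

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vnet_jail_create NAME ROOT UNIT HOST_ADDR JAIL_ADDR
# The jail gets its own stack (vnet); epair${UNIT}b is moved into that stack
# while epair${UNIT}a stays on the host, giving a point-to-point link.
vnet_jail_create() {
    name=$1 root=$2 unit=$3 host_addr=$4 jail_addr=$5
    run jail -c vnet name="$name" host.hostname="$name" path="$root" persist
    run ifconfig "epair${unit}" create
    run ifconfig "epair${unit}b" vnet "$name"
    run ifconfig "epair${unit}a" inet "$host_addr" up
    # the new stack has its own lo0, which starts out unconfigured
    run jexec "$name" ifconfig lo0 inet 127.0.0.1 up
    run jexec "$name" ifconfig "epair${unit}b" inet "$jail_addr" up
}

# vnet_jail_destroy NAME UNIT: removing the jail tears down its stack;
# destroying the host side of the epair removes both ends.
vnet_jail_destroy() {
    run jail -r "$1"
    run ifconfig "epair${2}a" destroy
}

# Usage: sh vnet_jail.sh demo /jails/demo 0 10.0.0.1/24 10.0.0.2/24
if [ $# -eq 5 ]; then
    vnet_jail_create "$@"
fi
```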