restrictions between host and jail

Tommy Pham tommyhp2 at yahoo.com
Thu Feb 21 13:22:07 UTC 2008


--- Miroslav Lachman <000.fbsd at quip.cz> wrote:

> Tommy Pham wrote:
> > Hi,
> > 
> > Could someone please explain to me the difference between host and jail
> > when the security.jail settings are as follows:
> > 
> > security.jail.mount_allowed: 1
> > security.jail.chflags_allowed: 1
> > security.jail.allow_raw_sockets: 1
> > security.jail.enforce_statfs: 2
> > security.jail.sysvipc_allowed: 1
> > security.jail.socket_unixiproute_only: 1
> > security.jail.set_hostname_allowed: 1
> > 
> > I also have devfs (with various rulesets), fdescfs, procfs enabled for
> > the jail.
> > 
> > I'm trying to run glassfish inside the jail but I'm having a problem
> > about it being delayed at start-up.  I don't have this problem in the
> > host environment.  I've posted about glassfish resource requirements at
> > glassfish's forum but I didn't get any response.
> > 
> > I've tried running glassfish with all variations of configurations in
> > security.jail and jail's filesystem (devfs, procfs, fdescfs) and am still
> > unable to find the cause of the delayed start-up.  Glassfish takes less
> > than 30 seconds to start in host while in jail, it takes 5+ minutes.  When I
> > run asadmin list-domains, I get "Unauthorized access" in jail
> > environment.  I didn't get this error in host.
> 
> I don't know glassfish, but can it be caused by some problems with
> domain name resolution? (empty or wrong /etc/resolv.conf or /etc/hosts
> in jail)
> 
> Miroslav Lachman
> 

Hi Miroslav,

Thanks for the reply.  That's what I thought at first too but I can do
nslookup by host and IP properly.  The files are set correctly.  Funny
thing is that the initial glassfish startup after build is ok (within
30 secs) regardless of security.jail and fs settings in rc.conf.  I've
tested just about every case scenario for weeks now :(...

Thanks,
Tommy
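Added example, not from the thread: a POSIX shell audit of the security.jail sysctls quoted in the original message, comparing each value against the restrictive FreeBSD 7-era default and stating what the permissive value lets a jailed root do. The sample sysctl output is constructed from the values in the message; the knob table is an assumption based on the FreeBSD 7 jail(8) sysctls.

```shell
#!/bin/sh
# Added example, not from the thread. Audits FreeBSD 7-era security.jail
# sysctls against their restrictive defaults and explains what each
# permissive value lets a jailed root do. Input is "sysctl security.jail"
# style output ("name: value" lines). SAMPLE_SYSCTL is constructed from the
# values quoted in the message above.

SAMPLE_SYSCTL='security.jail.mount_allowed: 1
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1'

# Restrictive default and meaning of the non-default value for each knob.
# Format: name|default|what-the-non-default-value-permits
JAIL_KNOBS='mount_allowed|0|jailed root may mount and unmount file systems
chflags_allowed|0|jailed root may clear system file flags such as schg
allow_raw_sockets|0|jail may open raw sockets (e.g. for ping/traceroute)
enforce_statfs|2|jail can see mount points outside its own root
sysvipc_allowed|0|jail shares the System V IPC namespace with the host
socket_unixiproute_only|1|jail may create sockets of any protocol family
set_hostname_allowed|1|jail may change its own hostname'

# Print one line per setting that differs from the restrictive default.
# Usage: audit_jail_sysctls "<sysctl output>"
audit_jail_sysctls() {
    printf '%s\n' "$1" | while IFS=': ' read -r name value; do
        short=${name#security.jail.}
        entry=$(printf '%s\n' "$JAIL_KNOBS" | grep "^$short|") || continue
        default=${entry#*|}; default=${default%%|*}
        meaning=${entry##*|}
        if [ "$value" != "$default" ]; then
            printf '%s=%s (default %s): %s\n' "$short" "$value" "$default" "$meaning"
        fi
    done
}

# Number of settings loosened from the default, for pass/fail use in scripts.
count_deviations() {
    audit_jail_sysctls "$1" | grep -c '^'
}

audit_jail_sysctls "$SAMPLE_SYSCTL"
```

On a live system the same function can be fed the real output of `sysctl security.jail`; of the seven settings in the message, four (mount, chflags, raw sockets, SysV IPC) are loosened from their defaults.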
