jail.conf ignoring exec.fib?
freebsd at qeng-ho.org
Tue Aug 20 17:02:58 UTC 2013
On 20/08/2013 12:50, Karl Pielorz wrote:
> --On 20 August 2013 08:27 +0100 Arthur Chance <freebsd at qeng-ho.org> wrote:
>> In the source the exec.fib parameter is given as an integer, so the
>> quotes probably shouldn't be there, but I'm not sure whether it matters.
> I tried it just as 'exec.fib = 1;' originally, and it makes no
> difference :(
>> There's definitely a setfib call in the source that's done if exec.fib
>> exists. All I can think of right now is that you try firing up the jail
>> using the -v verbose flag. This should show everything the jail command
>> does as the jail is created.
> Ok, I tried that and got:
> root# jail -v -c jail
> jail: run command: /sbin/mount -t devfs -oruleset=4 . /usr2/jails/jail/dev
> jail: jail_set(JAIL_CREATE) persist name=jail devfs_ruleset=4 jid=100
> path=/usr2/jails/jail host.hostname=jail.somedomain.com
> ip4.addr=22.214.171.124 allow.raw_sockets
> jail: created
> jail: run command in jail: /bin/sh /etc/rc
> Setting hostname: jail.somedomain.com
> ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
> 32-bit compatibility ldconfig path: /usr/lib32
> Creating and/or trimming log files.
> ln: /dev/log: Operation not permitted
> Starting syslogd.
> Clearing /tmp (X related).
> Updating motd:.
> Starting cron.
> Tue Aug 20 11:39:20 UTC 2013
> jail: jail_set(JAIL_UPDATE) jid=100 nopersist
> Certainly more detail, but no mention of fib's :( - I tried it both
> with, and without quotes around the FIB value. You can also see I have
> raw sockets available for debugging.
I can't test this directly, as I'm running a generic kernel so only have
one fib. However, if I add the invalid (under GENERIC) "exec.fib = 1;"
to my jail.conf and try launching the jail with -v I get (slightly cut)

testjail: run command: /sbin/mount -t devfs -oruleset=4 .
testjail: jail_set(JAIL_CREATE) persist name=testjail enforce_statfs=2
testjail: run command in jail: /bin/sh /etc/rc
jail: testjail: setfib: Invalid argument
jail: testjail: /bin/sh /etc/rc: failed

so it certainly has tried the setfib and knows it has failed.

And that's just made me think of something else - I have a horrible
feeling that jexec will attach to the jail using whatever fib it's
running under, i.e. the fib from the host environment. Do you have (or
can you enable) ssh running in the jail? If so, log into the jail that
way, and see what
shows then, because you'll be running under the environment created by

In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.
_Lord of the Rings 2.0, the Web Edition_