Re: Allowing network interface changes in jails

2025-07-15 Thread Bjoern A. Zeeb
we want to allow "vnet=inherit" and "give me power to mangle with my parent's vnet". *sigh*. Jamie? Help? -- Bjoern A. Zeeb r15:7

Re: Allowing network interface changes in jails

2025-07-15 Thread Bjoern A. Zeeb
On Tue, 15 Jul 2025, Doug Rabson wrote: On Tue, 15 Jul 2025 at 16:26, James Gritton wrote: On 2025-07-15 06:53, Bjoern A. Zeeb wrote: On Tue, 15 Jul 2025, Doug Rabson wrote: On Mon, 14 Jul 2025 at 16:54, James Gritton wrote: On 2025-07-14 03:53, Doug Rabson wrote: I tried setting

Re: Allowing network interface changes in jails

2025-07-14 Thread Bjoern A. Zeeb
use of jails is reasonable as long as you trust the code which will run in the jail. I think I can work around this and arrange for the interface create and add to happen on the host. -- Bjoern A. Zeeb r15:7

Re: Allowing network interface changes in jails

2025-07-11 Thread Bjoern A. Zeeb
But I have been too long out of that code to remember all the subtleties and implications. My guess is that at least prison_check_af() should allow if vnet is not disabled (that is new or inherited). I'll Cc: Jamie and see if he remembers as the

Re: Allowing network interface changes in jails

2025-07-10 Thread Bjoern A. Zeeb
@foo:/ # ifconfig bridge create ifconfig: SIOCIFCREATE2 (bridge): Invalid argument root@foo:/ # exit root@bhyve-freebsd:~ # kldload if_bridge root@bhyve-freebsd:~ # jexec 1 root@foo:/ # ifconfig bridge create bridge0 Tata. -- Bjoern A. Zeeb r15:7

Re: What's going on with vnets and epairs w/ addresses?

2022-12-20 Thread Bjoern A. Zeeb
n for most of the PCBs to be sharing a single cred?). In particular we can perhaps solve two problems at once. I haven't heard back after I sent the test program there; I hope that can be solved independently first and any optimisations can then come. Any thoughts? Are there some fundamental reasons this can't work? -- Bjoern A. Zeeb r15:7

Re: What's going on with vnets and epairs w/ addresses?

2022-12-18 Thread Bjoern A. Zeeb
On Sun, 18 Dec 2022, Zhenlei Huang wrote: On Dec 18, 2022, at 3:23 AM, Bjoern A. Zeeb wrote: On Sat, 17 Dec 2022, Gleb Smirnoff wrote: Zhenlei, On Fri, Dec 16, 2022 at 06:30:57PM +0800, Zhenlei Huang wrote: Z> I managed to repeat this issue on CURRENT/14 with this small snip: Z

Re: What's going on with vnets and epairs w/ addresses?

2022-12-17 Thread Bjoern A. Zeeb
we discussed better options for creating or attaching interfaces to jails than if_vmove. Until they are ready the easiest workaround for the annoying epair(4) come-back problem is to remove it manually before destroying a jail, like I did in 80fc25025ff. Ok, move an em0 or cxl0 into the ja

Re: What's going on with vnets and epairs w/ addresses?

2022-12-16 Thread Bjoern A. Zeeb
orking-et-cetera.84200/> Best regards, Zhenlei On Dec 14, 2022, at 7:03 AM, Bjoern A. Zeeb mailto:b...@freebsd.org>> wrote: Hi, I have used scripts like the below for almost a decade and a half (obviously doing more than that in the middle). I haven't used them much lately bu

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread Bjoern A. Zeeb
al Address Foreign Address (state) tcp4 0 0 192.0.2.2.12345 192.0.2.1.7 ESTABLISHED + sleep 60 ^C -- Bjoern A. Zeeb r15:7

What's going on with vnets and epairs w/ addresses?

2022-12-13 Thread Bjoern A. Zeeb
otherwise. ifconfig ${ep}a destroy # echo $? # Add this is here only as things are funny ... # jls -av jid dying # ifconfig -l # end -------- -- Bjoern A. Zeeb r15:7

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread Bjoern A. Zeeb
case "theoretically possible or not"? -- Bjoern A. Zeeb r15:7

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread Bjoern A. Zeeb
o walk the entire chain even after finding a perfect match. I'm curious why this check is needed. Can you explain it to me? It originated in this commit: commit 413628a7e3d23a897cd959638d325395e4c9691b Author: Bjoern A. Zeeb Date: Sat Nov 29 14:32:14 2008 + MFp4: Bring in updated ja

Re: how to determine primary (source) IP address in jail

2019-02-28 Thread Bjoern A. Zeeb
On 28 Feb 2019, at 10:58, Miroslav Lachman wrote: Is there some easy way to determine the primary (source) address which is used in jail with multiple IP addresses? I came to this problem with running local_unbound in jail. Unbound refuses queries originating in this jail because they do not c

Re: init in a jail

2019-02-11 Thread Bjoern A. Zeeb
On 11 Feb 2019, at 17:23, James Gritton wrote: On 2019-02-11 08:48, Michael W. Lucas wrote: Sadly, my google-fu has turned up thousands of man pages but no real discussion on this. According to init(8), you can run init inside a jail. If init is run in a jail, the security level of the "

Re: icmp (IPv4) issues with VIMAGE JAILs and IPv6

2019-01-28 Thread Bjoern A. Zeeb
On 28 Jan 2019, at 12:44, O. Hartmann wrote: I ran into severe problems on CURRENT ( FreeBSD 13.0-CURRENT #193 r343521: Mon Jan 28 10:26:36 CET 2019 amd64), VIMAGE enabled host with jails utilizing IPv6. and you forgot to mention in the subject that it seems to be an ipfw problem and thus m

Re: enforce_statfs showing leading path

2019-01-09 Thread Bjoern A. Zeeb
On 9 Jan 2019, at 9:42, Alexander Leidinger via freebsd-jail wrote: Hi, I’ll be a bit verbose also for mwlucas. You see the dataset name of zfs without stripping. The mount point is correctly stripped. I don't remember how this looks on ufs. /dev/ada0p19 on / (ufs, local, journaled soft-upda

Re: Issue with 127.0.0.1 when reconfiguring running Jail

2018-08-06 Thread Bjoern A. Zeeb
On 6 Aug 2018, at 16:32, Support SimpleRezo wrote: Hi ! I'm facing an issue when I'm using "jail -m ip4.addr=..." for reconfiguring ip4.addr of a running jail: accessing or binding 127.0.0.1 is not redirected anymore by the kernel to the jail IP. Is it expected? Am I missing something there? Th

Re: Time for those old global jail sysctls to go

2018-03-22 Thread Bjoern A. Zeeb
On 22 Mar 2018, at 4:13, James Gritton wrote: I've got a revision in the works to remove the security.jail.foo_allowed sysctls: The old jail system had sysctls to set jail permissions for all jails (e.g. security.jail.mount_allowed), which were superseded

Re: IPSEC in VNET Jails

2017-11-29 Thread Bjoern A. Zeeb
On 29 Nov 2017, at 11:40, Kristof Provost wrote: On 29 Nov 2017, at 12:16, Matthias Meyser wrote: Hi, I use an IPSEC tunnel inside a VNET jail without problems. Annoyingly /etc/rc.d/ipsec does not run in VNET jails. This is fixed in head see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-17 Thread Bjoern A. Zeeb
On 17 Aug 2016, at 1:05, Ernie Luzar wrote: In light of 11.0 release being published soon there should be something posted to the release notes talking about this with sample code for a combined rule #5. This would give vnet users a copy & paste solution to use until jail(8) gets updated in 11

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-16 Thread Bjoern A. Zeeb
On 16 Aug 2016, at 21:08, CyberLeo Kitsana wrote: On 08/16/2016 03:21 PM, Ernie Luzar wrote: Issuing "ipf -FS -Fa" command from within the vnet jail gives this message, "open device:no such file or directory. User kernel version check failed. According to ipf(8), the ipfilter utilities touch

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-16 Thread Bjoern A. Zeeb
On 16 Aug 2016, at 12:47, krad wrote: is ipfilter supported in vnet jails? Last time I looked and tried pf didn't work (kernel panics), and only ipfw was supported. In 11-RC* it is present for all 3 firewalls; like VIMAGE due to memory footprint you might have to compile the firewall into th

Re: testing 11.0-RC1 vnet jails with ipfilter

2016-08-15 Thread Bjoern A. Zeeb
On 15 Aug 2016, at 15:37, Ernie Luzar wrote: Hello list; Running 11.0-RC1 with only option vimage compiled into the generic kernel. I can run ipfilter on the host and start vnet jails containing no firewalls just fine. But when I try to also have ipfilter run in the vnet jail nothing happe

Request for VIMAGE testing in 11.0-ALPHA6 and later

2016-06-30 Thread Bjoern A. Zeeb
w. If you find problems please file a bug report and make sure to set "vimage" in the Keywords field but feel also free to post to freebsd-virtualisation@ which I'll be monitoring. Thanks a lot to everyone! Bjoern -- Bjoern A. Zeeb

Re: jails in different private subnets on the same host

2016-05-18 Thread Bjoern A. Zeeb
> On 18 May 2016, at 14:00 , Grzegorz Junka wrote: > > Is it possible to have two jails on the same host each one in a different > private subnet, e.g. 192.168.1.0 and 10.33.1.0, and have routing between them > working without issues? > > I know it's possible to run jails with IPs in those tw

Re: Unresponsive jails issues

2016-05-16 Thread Bjoern A. Zeeb
> On 16 May 2016, at 12:55 , Grzegorz Junka wrote: > > I have a server running 13 jails for various system services. Recently I > added two jails to run simple go applications for testing. They open a > network socket and nginx, which is in another jail, and which round robin > balances reque

Re: VNET jails not going away

2016-02-24 Thread Bjoern A. Zeeb
> On 24 Feb 2016, at 19:20 , Mail Lists wrote: > > > > Hi, > > I have the same/similar problem, it's quite annoying, with R10.1 and R10.2: > jail -r shuts down the (vnet-)jail, jls does not list them anymore, but with > jls -d, they are still there - > apparently in a 'dying state' ? > > I

Re: (VNET) jails not going away

2016-02-23 Thread Bjoern A. Zeeb
Hi, sorry for the cross-post, Reply-To: set. > On 22 Feb 2016, at 13:41 , Bjoern A. Zeeb > wrote: > > Hi, > > has anyone else experienced VNET jails to not fully go away anymore on a > recent HEAD kernel (or possibly an older kernel)? > > I have test cases wi

VNET jails not going away

2016-02-22 Thread Bjoern A. Zeeb
Hi, has anyone else experienced VNET jails to not fully go away anymore on a recent HEAD kernel (or possibly an older kernel)? I have test cases with which I can have them in DYING state (see jls -av) for ever or at least more than half a day. I am in the process of trying to find the cause

VNET teardown changes (part I)

2016-02-22 Thread Bjoern A. Zeeb
Hi, sorry for the cross-post; Reply-To set. I extracted a patch from projects VNET which tries to get the VNET teardown more robust (and in a next step plug the remaining [TCP] memory leaks). If anyone has an interest in testing some parts on a non-production setup (you have been warned) please

Re: How to implement jail-aware SysV IPC (with my nasty patch)

2015-06-15 Thread Bjoern A. Zeeb
> On 15 Jun 2015, at 17:10 , kikuc...@uranus.dti.ne.jp wrote: > > On Mon, 15 Jun 2015 09:53:53 +, "Bjoern A. Zeeb" > wrote: >> Hi, >> >> removed hackers, added virtualization. >> >> >>> On 12 Jun 2015, at 01:17 , kikuc..

Re: How to implement jail-aware SysV IPC (with my nasty patch)

2015-06-15 Thread Bjoern A. Zeeb
Hi, removed hackers, added virtualization. > On 12 Jun 2015, at 01:17 , kikuc...@uranus.dti.ne.jp wrote: > > Hello, > > I’m (still) trying to figure out how jail-aware SysV IPC mechanism should be. The best way probably is to finally get the “common” VIMAGE framework into HEAD to allow easy

Re: Current state of VIMAGE on 10-STABLE?

2015-03-26 Thread Bjoern A. Zeeb
dated due to a couple of years of stack changes. The one for TCP just emerged as well, and is in reviews (I guess without the VIMAGE parts but that will be the easy thing to add if the harder problem is indeed solved :-) — Bjoern A. Zeeb Charles Haddon S

Re: VNET performance

2014-07-10 Thread Bjoern A. Zeeb
ore traffic through by doing pinning games. I wonder what a vale switch for vnets could achieve. — Bjoern A. Zeeb "Come on. Learn, goddamn it.", WarGames, 1983 ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/mailm

Re: kern/68189 and kern/169751: what jails are allowed to see in a routing socket

2013-01-03 Thread Bjoern A. Zeeb
lpful still. I would not be able to "trust" (the little that is possible anyway) raw_sockets anymore if they suddenly could fiddle with the routing table - even read-only, should that really be enough. I would explicitly advertise it as 'do not use - will go away again' feature

Re: IPv6 multicast sent to jail

2012-09-05 Thread Bjoern A. Zeeb
On Wed, 5 Sep 2012, Curtis Villamizar wrote: In message "Bjoern A. Zeeb" writes: On Sat, 25 Aug 2012, Jamie Gritton wrote: ... Curtis Offhand, it does sound like a bug. I imagine the solution would be to reject the join - at least the easy solution to be done first until some

Re: Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Bjoern A. Zeeb
d to it? Yes, really bad and TCP is not the only thing in theory. Assume your management does not make sure the same user gets the same jail; you leak a lot of (possibly security related) information. Would also make it quite hard in terms of auditing etc. to get this right unless done knowingl

Re: Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Bjoern A. Zeeb
set. Perfect; all we need. -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new address family.

Re: Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Bjoern A. Zeeb
On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote: On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote: On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote: 2) in the case of (1) it should be possible to address jails by name as ZFS would be handled automatically and we would not need another

Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Bjoern A. Zeeb
"). Do we have documentation for the ZFS features in the man pages or elsewhere btw? If not we should add it. Does this make sense? /bz -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin fo

Re: IPv6 multicast sent to jail

2012-09-03 Thread Bjoern A. Zeeb
r raw sockets maybe? /bz -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new address family.

Re: [patch] etc/rc.d/jail: allow extra parameters for each jails

2012-08-17 Thread Bjoern A. Zeeb
l not prevent jamie's recent/next work for rc.d/jail. I'll commit this if there is no objection. Why not just use his work? -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new

Re: [jail] Allowing root privledged users to renice

2012-05-25 Thread Bjoern A. Zeeb
if (!jail_allow_renice) > + return (EPERM); I think sysctls are a bad idea given jails have per-jail flags these days. Maybe also only allow re-nicing to be nicer but not less nice? /bz -- Bjoern A. Zeeb You have to have visions!

Re: New jail(8) committed

2012-04-27 Thread Bjoern A. Zeeb
On 26. Apr 2012, at 20:07 , Jamie Gritton wrote: Hi, > I've finally put my jail(8) changes into HEAD. I meant to say this yesterday already but time flies. *YEAH!!!* Thanks a lot. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter

Re: New jail(8) committed

2012-04-27 Thread Bjoern A. Zeeb
t ezjail will pick up supporting the new config stuff and use that while still providing its own provisioning. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do!

Re: intra-jail communication slow

2012-04-15 Thread Bjoern A. Zeeb
s (usually used in "localhost" case) to normal inet socket communications etc. which may affect your overall feeling of "speed". Knowing details and numbers etc might help here to rule out a jail specific problem. /bz -- Bjoern A. Zeeb You h

Re: Jail source address selection broken, patch for ping

2012-04-09 Thread Bjoern A. Zeeb
re more patching of code. It would be different if it was a VLAN per jail in which case you'd probably not have the problem in the first place;) /bz -- Bjoern A. Zeeb You have to have visions! It does not matter

Re: Jail source address selection broken, patch for ping

2012-04-09 Thread Bjoern A. Zeeb
ming > skills :-) It's also available here but it's considered a work-around and proof of concept that this really was the issue: http://people.freebsd.org/~bz/20120407-01-ping-source-addr.diff /bz -- Bjoern A. Zeeb You have to have visions!

Re: kern/165769: [rc][jai][ipv6] IPv6 Initialization on external iface is too slow for jail

2012-03-12 Thread Bjoern A. Zeeb
igure the IP addresses for you. See jail_exec_prestart in man 5 rc.conf. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do!

Re: Practical limit to number of jails on a given host?

2012-02-07 Thread Bjoern A. Zeeb
want to do. > And finally, has anyone run into trouble with a large number of IP > addresses for the jails? ISTR that way back when, the IP addresses > associated with a particular interface were stored in a linked list, so > as you added more you would start seeing O(N) slowdown on a lot of

Re: * Re: * Re: Getting Jail v2 working with 9-stable

2012-01-23 Thread Bjoern A. Zeeb
> > I don't know if VIMAGE is supported yet on SPARC platform. Maybe someone > wants to chime in that's more familiar with which-platforms VIMAGE is > supported. VIMAGE should be arch independent. -- Bjoern A. Zeeb You have to have visions

Re: mtr doesn't work in a jail even with security.jail.allow_raw_sockets: 1

2012-01-17 Thread Bjoern A. Zeeb
totally fails even with >> security.jail.allow_raw_sockets: 1 which version of freebsd? Anything newer than incl. 8.0 the sysctls are not what you want anymore; it's per jail flags. /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good yo

Re: Passing additional options to jail(8) via rc.conf

2011-09-20 Thread Bjoern A. Zeeb
On Sep 20, 2011, at 5:25 PM, Moritz Wilhelmy wrote: > On Tue, Sep 20, 2011 at 16:54:33 +0000, Bjoern A. Zeeb wrote: >> On Sep 20, 2011, at 3:21 PM, Moritz Wilhelmy wrote: >> >>> Please keep me in CC, I am not subscribed to freebsd-jail. >> >> Which is your p

Re: Passing additional options to jail(8) via rc.conf

2011-09-20 Thread Bjoern A. Zeeb
On Sep 20, 2011, at 3:21 PM, Moritz Wilhelmy wrote: > Please keep me in CC, I am not subscribed to freebsd-jail. Which is your problem as the real solution is being discussed there and is really looking for more eyes. Search for Jamie's posts in the list archive. -- Bjoern

Re: ip settings not work for jail 'service' type

2011-07-21 Thread Bjoern A. Zeeb
d onestop" > > 3) > service jail start example And does inetd run at that point? Did it log anything to your logfiles? > > 4) > ftp 192.0.2.10 > (no connection) > > Was I mistaken somewhere, or shouldn't it work? Thanks

Re: pf or ipfw within a jail?

2011-05-06 Thread Bjoern A. Zeeb
On May 6, 2011, at 8:28 PM, Mickey Harvey wrote: > Is it possible to run pf or ipfw within a jail? I am running 8.2 and have > vimage compiled in the kernel. ipfw might work then; pf not yet. ipfilter in a far distant future. -- Bjoern A. Zeeb You have t

Re: ipv6 loopback behaviour inside jail

2011-03-31 Thread Bjoern A. Zeeb
On Wed, 30 Mar 2011, Rob Evers wrote: P.S. I can supply any further information needed. Which version of FreeBSD are you running? -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new address family

Re: FTPD not working properly on jail

2010-12-08 Thread Bjoern A. Zeeb
On Wed, 8 Dec 2010, Redd Vinylene wrote: On Wed, Dec 8, 2010 at 4:52 PM, Bjoern A. Zeeb < bzeeb-li...@lists.zabbadoz.net> wrote: a) have you tried without SSL? b) have you tried ftpd from base? It pretty much smells like a bug in vsftpd. Out of curiosity - which version of freebsd i

Re: FTPD not working properly on jail

2010-12-08 Thread Bjoern A. Zeeb
n vsftpd. Out of curiosity - which version of freebsd is that? /bz -- Bjoern A. Zeeb Welcome a new stage of life. Going to jail sucks -- All my daemons like it! http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

Re: loopback in jail

2010-11-11 Thread Bjoern A. Zeeb
of the jail for the given address family. /bz -- Bjoern A. Zeeb Welcome a new stage of life. Going to jail sucks -- All my daemons like it! http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html

Re: Mutiple ipv4 and ipv6.

2010-11-01 Thread Bjoern A. Zeeb
refix with 2001:db8: (which are the example/documentation prefixes) or, if you want, send them to me privately. /bz -- Bjoern A. Zeeb Welcome a new stage of life. Going to jail sucks -- All my daemons like it! http://www.freebsd.org/doc/en_US.ISO8859-1

Re: sysvipc in jails + CURRENT

2010-08-07 Thread Bjoern A. Zeeb
t change back up. I think that you are right, that there is a bug here, as 4) and 5) should be working the other way round I think. Anyway, the summary is: if you don't change the default a jail -c enforce_statfs=1 ... should just work fine. Hope this help

Re: selective jail restriction controlling in rc.conf

2010-07-03 Thread Bjoern A. Zeeb
#1308 I think your comments (and patches) are better sent there, rather than to sta...@. Gruesse, Bjoern -- Bjoern A. Zeeb From August on I will have a life. It's now up to you to do the maths and count to 64. -- Bondorf, Germany, 14th

Re: Thoughts on jail.config

2010-06-29 Thread Bjoern A. Zeeb
unctionality in that one program. One functionality I forgot about but was asked for in the past was "jail reboot" so that an admin could "restart" a jail completely from within the jail. The question is whether we may want a "jailinit" (an init running inside the jail) f

Re: kern/147162: [jail] [panic] Page Fault / Kernel panic when jail starts on boot

2010-06-03 Thread Bjoern A. Zeeb
The following reply was made to PR kern/147162; it has been noted by GNATS. From: "Bjoern A. Zeeb" To: bug-follo...@freebsd.org, tom.dewa...@abvv.be Cc: Subject: Re: kern/147162: [jail] [panic] Page Fault / Kernel panic when jail starts on boot Date: Thu, 3 Jun 2010 14:39:59 +

Re: Panic on 8-STABLE in pfctl with options VIMAGE on a DELL PowerEdge R300 (bge)

2010-02-26 Thread Bjoern A. Zeeb
The panic does not occur with the same kernel compiled without options VIMAGE. FAQ from virtualization@ ; pf support for VIMAGE only basically exists here: http://svn.freebsd.org/base/user/eri/pf45/head/ but is not fully ready either. /bz -- Bjoern A. Zeeb It will not break if you know

Re: configuration of multiple IPs for a jail

2010-01-29 Thread Bjoern A. Zeeb
e sysctl and kernel is probably the right thing. /bz -- Bjoern A. Zeeb It will not break if you know what you are doing.

Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail

2010-01-25 Thread Bjoern A. Zeeb
about a possible framework here, so we can discuss all the features, formats, needs, ... everyone has and concentrate on the final solution rather than working on hacks on top of hacks that have long gotten to the point that they are not feasible anymore. /bz -- Bjoern A. Zeeb It will not

Re: kern/142341: [jail] Jail escape when cwd is moved from the host system

2010-01-05 Thread Bjoern A. Zeeb
The following reply was made to PR kern/142341; it has been noted by GNATS. From: "Bjoern A. Zeeb" To: bug-follo...@freebsd.org, ve...@kajtaz.net Cc: Subject: Re: kern/142341: [jail] Jail escape when cwd is moved from the host system Date: Tue, 5 Jan 2010 19:36:36 + (UTC) Hi,

Re: Jail on 2 interfaces?

2009-12-23 Thread Bjoern A. Zeeb
id_interface="bge0" jail_squid_ip="192.168.177.62/32" jail_squid_ip_multi0="192.168.177.63/32" jail_squid_ip_multi1="em0|192.168.177.62/32" Below is a patch against HEAD to document the $interface|$ip syntax. That wasn't done on

Re: Jail on 2 interfaces?

2009-12-23 Thread Bjoern A. Zeeb
fect that you want by using a simple one-ip jail and writing firewall rules to redirect traffic into it, and NAT traffic coming out of it. Using firewall NAT with jails is something I often see and usually never understand unless people only have a single IP and want to share that between lots of

Re: Jail on 2 interfaces?

2009-12-23 Thread Bjoern A. Zeeb
s you can see, I removed the ifconfig_em0_alias0 line. If you want to keep that and mix things then you could do: jail_squid_ip="bge0|192.168.177.62/32" jail_squid_ip_multi0="192.168.176.62/32" again without the jail_squid_interface=".." line. HTH /bz -- Bjoern A. Z

Re: ioctl call freebsd < 7.2 in jail

2009-12-18 Thread Bjoern A. Zeeb
On Fri, 18 Dec 2009, Axel Scheepers wrote: hi, "Bjoern A. Zeeb" writes: I think I remember the patch; I guess it was the "samba patch". I can extract it for you; not sure if it'll work easily w/o the other infrastructure but I'll see what I can do. I can see

Re: ioctl call freebsd < 7.2 in jail

2009-12-18 Thread Bjoern A. Zeeb
t it for you; not sure if it'll work easily w/o the other infrastructure but I'll see what I can do. I can see no chance that it'll ever make it into 7.1 as an Errata Notice though, so you would have to keep patching your system yourself. /bz -- Bjoern A. Zeeb It will

Re: ezjail with vimage

2009-12-07 Thread Bjoern A. Zeeb
On Mon, 7 Dec 2009, Miroslav Lachman wrote: Bjoern A. Zeeb wrote: On Mon, 7 Dec 2009, Miroslav Lachman wrote: Hi Miroslav, The last time I wrote with Bjoern A. Zeeb about jailname, cpuset etc. support in rc.conf (back in March 2009) he stated that "there is no need to add anything"

Re: ezjail with vimage

2009-12-07 Thread Bjoern A. Zeeb
On Mon, 7 Dec 2009, Miroslav Lachman wrote: Hi Miroslav, The last time I wrote with Bjoern A. Zeeb about jailname, cpuset etc. support in rc.conf (back in March 2009) he stated that "there is no need to add anything" because it can be done by jail_NAME_flags. AFAIK current sy

Re: [patch] Improved jail fstab functionality inside rc.d (needs testers and review)

2009-11-29 Thread Bjoern A. Zeeb
On Sun, 29 Nov 2009, Merijn Verstraaten wrote: My apologies if these are the wrong lists for this sort of thing but it was unclear to me where else to go with additions like this. You may try freebsd-jail@ Make sure to get a review from simon@ for this. /bz -- Bjoern A. Zeeb It

Re: AW: Networking from jail - errata

2009-11-17 Thread Bjoern A. Zeeb
bles to an IP address rather than the name (don't use 127.0.0.1 as address, just to rule that out as well). /bz -- Bjoern A. Zeeb It will not break if you know what you are doing.

Re: Networking from jail - errata

2009-11-17 Thread Bjoern A. Zeeb
fconfig output from above; something on the host system would have to set the IP address of the host. I would expect something like (you may have mixed jail and host addresses so properly sort this): # host system IP address ifconfig_bce0=inet x.y.z.61

Re: Broadcast under Jail problems

2009-11-15 Thread Bjoern A. Zeeb
On Mon, 16 Nov 2009, Vagif Zeynalov wrote: Hi, ...I can provide more details if it will be necessary... error logs from the application would be interesting to see which (sys)call returns which error so that we can narrow it down. /bz -- Bjoern A. Zeeb It will not break if you know

Re: Setting the jail identifier from /etc/rc.conf

2009-10-21 Thread Bjoern A. Zeeb
o jail with the same hostname yet? Or maybe we should at least provide a config tunable for this? Redirect to freebsd-jail@ ; you may even find the answers to those in the mail archive (unless those had been private threads I was on Cc: on;-) -- Bjoern A. Zeeb It will not break if you kno

Re: Per Jail Memory Limits

2009-10-06 Thread Bjoern A. Zeeb
real need to do this as we use 7.1 in production. Notes: * CPU limiting is not supported unless you use sched_4bsd. * I have not tested this on any system yet, just compile tested, I am putting it through its paces right now. Tom -- Bjoern A. Zeeb It will not br

Re: Tutorial for Hierarchical Jails?

2009-09-28 Thread Bjoern A. Zeeb
ldren.max: 0 Am I doing this incorrectly? Yes. It's a parameter to jail(8). The security.jail.param sysctls can be seen as a list of possible options valid to jail(8). See man 8 jail for the exact details. /bz -- Bjoern A. Zeeb What was I talking about and who

Re: Not getting an IPv6 in a jail

2009-09-01 Thread Bjoern A. Zeeb
face index. I took it from the "scopeid 0x5". In case your interface index changes you will need to adjust the address. I cannot say if it'll work but it would be worth a try. /bz -- Bjoern A. Zeeb What was I talking about and who are you again? _

Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip

2009-07-29 Thread Bjoern A. Zeeb
On Wed, 29 Jul 2009, Mykola Dzham wrote: Hi, Bjoern A. Zeeb wrote: On Sat, 25 Jul 2009, Mykola Dzham wrote: Hi, After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not allowed, but udp socket is allowed. I cannot really follow what you are trying to say as wrt IPv4 and IPv6

Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip

2009-07-27 Thread Bjoern A. Zeeb
the jail. This should be addressed by the following patch: http://people.freebsd.org/~bz/20090727-01-jail8-legacy.diff Can you give it a try and report if that fixes your problem? Regards, Bjoern -- Bjoern A. Zeeb The greatest risk is not taking one. __

Re: Multicast in jail?

2009-07-07 Thread Bjoern A. Zeeb
ven make educated guesses about the real reason. But you first will have to understand all implications, that needs a proper design plan and after that a thought-out implementation. Alternatively I wouldn't wonder if enabling raw sockets would give what you want or you'll wa

Re: Can't login Jailed system

2009-06-29 Thread Bjoern A. Zeeb
how I logged in the jailed system a month ago. Can anyone shed some light on this for me? Try to jexec 5 /bin/sh (5 is the jailID from the jls output) and check with ps if sshd is running inside the jail, and check the usual things are up and there. /bz -- Bjoern A. Zeeb

Re: Switching /etc/rc.d/jail to new syntax (+ new features)

2009-06-27 Thread Bjoern A. Zeeb
On Sat, 27 Jun 2009, Alexander Leidinger wrote: On Sat, 27 Jun 2009 10:47:47 + (UTC) "Bjoern A. Zeeb" wrote: On Sat, 27 Jun 2009, Alexander Leidinger wrote: at http://www.leidinger.net/FreeBSD/current-patches/jail.diff I have a patch to switch the jail rc script to the n

Re: Switching /etc/rc.d/jail to new syntax (+ new features)

2009-06-27 Thread Bjoern A. Zeeb
arams="enforce_statfs=2" This config option can also take other jail parameters like allow.sysvipc and other ones described in the jail man-page (additional parameters need to be space separated). Feedback welcome. 1) it breaks various things that will no longer work 2) it's not a proper soluti

Re: sysctl variables not propagating to children jails

2009-06-10 Thread Bjoern A. Zeeb
e problems afterwards, cry again, loud and in here - in case that will fix the problem a short note will be welcome as well;-) /bz -- Bjoern A. Zeeb The greatest risk is not taking one.

Re: kern/133265: [jail] is there a solution how to run nfs client in jail environment?

2009-06-08 Thread Bjoern A. Zeeb
The following reply was made to PR kern/133265; it has been noted by GNATS. From: "Bjoern A. Zeeb" To: bug-follo...@freebsd.org, p...@fincombank.com Cc: Subject: Re: kern/133265: [jail] is there a solution how to run nfs client in jail environment? Date: Mon, 8 Jun 2009 17:18:35

Re: sysvipc in jails + CURRENT

2009-06-04 Thread Bjoern A. Zeeb
could try updating the jail by hand using the new syntax and switch sysvipc on. The bug will probably be fixed at the latest sometime next week and I just got back and have a huge backlog and Jamie will be back in a few days I think. /bz -- Bjoern A. Zeeb The greatest risk is not

Re: sysvipc in jails + CURRENT

2009-05-31 Thread Bjoern A. Zeeb
sysvipc_allowed security.jail.sysvipc_allowed: 1 - I'll look into that; possibly the default option is not properly taken into account for the new jail framework. /bz -- Bjoern A. Zeeb The greatest risk is not taking one.

Re: bind()/sendto() behavior in RELENG_7

2009-05-08 Thread Bjoern A. Zeeb
even if the IP wasn't there. Right? 3) Now you switched on IPv6 as well 2) no longer works? 4) can you give me the output of sysctl net.inet6.ip6.v6only ? /bz -- Bjoern A. Zeeb The greatest risk is not taking one.

Re: HEADS UP: multi-IPv4/v6/no-IP jails now in 7-STABLE

2009-04-30 Thread Bjoern A. Zeeb
et, ssh, or nc to test outgoing connections in each direction. Does source address selection work here as expected? 4) jails do not support MC. You'll have to wait for full-blown network stack virtualization. -- Bjoern A. Zeeb

Re: changing cpuset of jail from inside of jail - is it feature?

2009-04-27 Thread Bjoern A. Zeeb
On Fri, 24 Apr 2009, Miroslav Lachman wrote: Bjoern A. Zeeb wrote: [...] Ok, I am not sure what is going wrong here; well I know but I don't know if it's intended in cpuset. Trying to talk to the right people but they seem to be AWOL atm. If you are brave, you could

Re: changing cpuset of jail from inside of jail - is it feature?

2009-04-23 Thread Bjoern A. Zeeb
On Wed, 22 Apr 2009, Miroslav Lachman wrote: Hi, Bjoern A. Zeeb wrote: On Wed, 22 Apr 2009, Miroslav Lachman wrote: Hi, I am running system FreeBSD 7.1-STABLE amd64 GENERIC (Wed Feb 11 09:56:08 CET 2009) hosting a few jails. The machine has dual core CPU and some jails are set to run only

Re: changing cpuset of jail from inside of jail - is it feature?

2009-04-22 Thread Bjoern A. Zeeb
itself or is it a bug? It seems to me as undesirable. it is (undesirable) and it seems to be a bug as even if you do host# cpuset -l 0 -r -j 25 you can get back to 0,1 from within the jail. I'll check how/why this is possible. /bz PS: moving this to freebsd-jail@ -- Bjoern A.
