Re: new jail(8) ignoring devfs_ruleset?

2013-05-09 Thread Jamie Gritton
On 05/09/13 03:17, Jeremie Le Hen wrote: On Thu, Mar 21, 2013 at 06:46:57PM -0600, Jamie Gritton wrote: It's not fixed anywhere yet - it sometimes works in current, and sometimes doesn't. I've been meaning to patch it up, but if the problem is what I think it is, the patching

Re: new jail(8) ignoring devfs_ruleset?

2013-05-10 Thread Jamie Gritton
On 05/09/13 22:42, Dewayne Geraghty wrote: An ugly workaround to complete the jail closure, when relying on jail.conf, is to: jail -r $JAILNAME umount /$LOCATION_OF_JAILS/$JAILNAME/dev || true The only problem with devfs I'm aware of is it not catching the right ruleset when starting in the r

Re: jail already exists

2013-05-22 Thread Jamie Gritton
On 05/22/13 15:38, Tomasz Jaroszyk wrote: I use 9.1-PRERELEASE and have a problem with jails. Sometimes one of them does not want to start again after shutdown. szafir% sudo jail -rc reverse jail: "reverse" not found jail: reverse: jail 320 already exists szafir% pgrep -j 320 szafir% I guess some file

Re: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)

2009-03-09 Thread Jamie Gritton
Kage wrote: Encountering more issues now. Binding just an IPv6 address to a jail shows up in jls -v, but when I run ifconfig -a in the jail, I get an error I've never encountered, and doesn't show up on any Google search: [r...@nub:/etc] jls -v JID Hostname Path

Re: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)

2009-03-12 Thread Jamie Gritton
I wrote: Kage wrote: Encountering more issues now. Binding just an IPv6 address to a jail shows up in jls -v, but when I run ifconfig -a in the jail, I get an error I've never encountered, and doesn't show up on any Google search: [r...@nub:/etc] jls -v JID Hostname P

Re: Problem using bz's multi-IP/IPv6/No-IP Jail Patch (7-STABLE)

2009-03-20 Thread Jamie Gritton
I wrote: Here's a patch for ifconfig. It allows "ifconfig -a" and a few other similar informative ifconfig options to run inside an IPv4-less jail (of course trying to set anything still fails). Outside of a jail, you should see no change. Apply it inside your /usr/src tree, and install it bot

Re: New jail framework - the userland side

2009-05-04 Thread Jamie Gritton
Poul-Henning Kamp wrote: In message <49fe5387.3020...@freebsd.org>, Jamie Gritton writes: Hi all. I recently added some new jail-related system calls to extend the current jail system with an nmount-inspired name=value interface. I think this is a great move in the right directi

Re: Hierarchical jails

2009-05-14 Thread Jamie Gritton
There's still a chance to offer your input on the new jails before they go in! OK, given the lack of response so far, it's less "still a chance" than "please?". Current plans are to have this in place for 8.0, with connections to the ongoing Vimage work. Hopefully the silence is approval, and c

Re: Hierarchical jails

2009-05-14 Thread Jamie Gritton
Julian Elischer wrote: Jamie Gritton wrote: prison0 contains three fields that were system globals: pr_root, pr_host, and pr_securelevel. I've kept the globals rootvnode and hostname, and take care that when one is changed the other changes too (not yet true for hostname - read on). But

Re: Hierarchical jails

2009-05-14 Thread Jamie Gritton
Jilles Tjoelker wrote: On Thu, May 14, 2009 at 11:12:50AM -0600, Jamie Gritton wrote: There's still a chance to offer your input on the new jails before they go in! OK, given the lack of response so far, it's less "still a chance" than "please?". Current plans

Re: sysctl variables not propagating to children jails

2009-06-10 Thread Jamie Gritton
Bjoern A. Zeeb wrote: On Tue, 9 Jun 2009, Edwin Shao wrote: Hi, In the most recent -current, I've noticed that sysctl variables no longer propagate to jails and thus it is impossible to allow raw sockets, allow mounting, etc. This might be related to

Re: Switching /etc/rc.d/jail to new syntax (+ new features)

2009-06-29 Thread Jamie Gritton
Alexander Leidinger wrote: at http://www.leidinger.net/FreeBSD/current-patches/jail.diff I have a patch to switch the jail rc script to the new jail (8-current) syntax. This includes new config options for a jail (see etc/defaults/rc.conf after patching). The patch also contains my X-in-a-jail s

Re: Switching /etc/rc.d/jail to new syntax (+ new features)

2009-07-04 Thread Jamie Gritton
Alexander Leidinger wrote: Quoting Jamie Gritton (from Mon, 29 Jun 2009 11:30:49 -0600): Alexander Leidinger wrote: at http://www.leidinger.net/FreeBSD/current-patches/jail.diff I have a patch to switch the jail rc script to the new jail (8-current) syntax. This includes new config

Jail parameter patch: disable/new/inherit

2009-07-21 Thread Jamie Gritton
There's a patch to Current at http://gritton.org/freebsd/triple.diff that makes some small changes to the new parameter based jail system. I invite any interested in the future direction of jails to review it before it goes in (hopefully in the next day or two). This patch deals with jailed subsy

Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip

2009-07-29 Thread Jamie Gritton
Bjoern A. Zeeb wrote: On Wed, 29 Jul 2009, Mykola Dzham wrote: Bjoern A. Zeeb wrote: On Sat, 25 Jul 2009, Mykola Dzham wrote: After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not allowed, but udp socket is allowed. I cannot really follow what you are trying to say as wrt IPv

Re: Tutorial for Hierarchical Jails?

2009-09-28 Thread Jamie Gritton
Edwin Shao wrote: Hello, Does anyone have a walkthrough for how to get hierarchical jails to work? I've been playing around with it for a couple of days and it simply is not working. I would like to know if anyone has gotten it to work, and if so, how? The error I tend to get within a jail (star

Re: Tutorial for Hierarchical Jails?

2009-09-28 Thread Jamie Gritton
Edwin Shao wrote: When I try to change the parameter, nothing happens: rescue /etc> sudo sysctl security.jail.param.children.max=1 security.jail.param.children.max: 0 -> 0 rescue /etc> sudo sysctl security.jail.param.children.max security.jail.param.children.max: 0 Am I doing this incorrectly?

Re: Tutorial for Hierarchical Jails?

2009-09-28 Thread Jamie Gritton
The sysctls not only don't get written to, they don't have any useful information to read either. They only describe the existence and format of the various jail parameters. Sorry, but there's no way to set a default children.max parameter or inherit it from the parent. We've decided to set the de

Re: Tutorial for Hierarchical Jails?

2009-09-28 Thread Jamie Gritton
"security.jail.allow_raw_sockets=1", but no child jail can ping out: neko# ping google.com ping: socket: Operation not permitted What is happening in this case? Thank you for your time again. On Tue, Sep 29, 2009 at 12:16 AM, Jamie Gritton

Re: Tutorial for Hierarchical Jails?

2009-10-02 Thread Jamie Gritton
e, Sep 29, 2009 at 7:08 AM, Jamie Gritton wrote: Does the base system have security.jail.allow_raw_sockets=1? You need to have that, or set the jail's allow.raw_sockets. You can't set the jail's permissions from within the jail itsel

Re: jail(8) allow.socket_af, unknown oid

2010-05-26 Thread Jamie Gritton
The sysctls that describe available jail parameters don't always have a type that sysctl(8) understands. In particular, the boolean parameters are given a sysctl type of "B", and sysctl(8) will ignore them. These aren't useful sysctls in any normal way - they never have a meaningful value. The ex

Re: jail(8) allow.socket_af, unknown oid

2010-05-26 Thread Jamie Gritton
/26/10 11:48, Glen Barber wrote: Thanks for the explanation. Would there be opposition about a patch for jail(8) noting which sysctls are tunable by sysctl(8) and which are not? On 5/26/10 12:57 PM, Jamie Gritton wrote: On 05/25/10 11:54, Glen Barber wrote: The jail(8) man page

Re: jid's not refreshing after jail shutdown

2010-06-14 Thread Jamie Gritton
On 06/14/10 07:36, Jacob Whatley wrote: On 8.0 Release, our system is setup so that we specify the jid when a jail is built, which we make numerical (ie, 1001, 1002, etc..). This works great for consistency and for setup scripts. However, we are running into a problem that after shutting down a

Re: docs/96807: document security.jail.list sysctl in jail(8)

2010-06-23 Thread Jamie Gritton
Actually, I suspect the change was made intentionally. security.jail.list is obsoleted by jail_get(2), which can show jail parameters that the struct xprison doesn't include. So using either jail_get(2) or jailparam_get(3) programmatically, or jls from the command line is a better solution than sec

Thoughts on jail.config

2010-06-23 Thread Jamie Gritton
The rc system is becoming increasingly unable to handle the newer jail features. We've held off patching /etc/rc.d/jail for new parameters, with the promise of something better. Here's my outline of what I hope will be in fact better than what we have now. I'm working on extending jail(8) to us

Re: Thoughts on jail.config

2010-06-24 Thread Jamie Gritton
On 06/24/10 06:43, Alexander Leidinger wrote: On Wed, 23 Jun 2010 13:48:28 -0600 Jamie Gritton wrote: > The rc system is becoming increasingly unable to handle the newer jail features. We've held off patching /etc/rc.d/jail for new parameters, with the promise of something better. H

Re: Thoughts on jail.config

2010-06-28 Thread Jamie Gritton
On 06/28/10 08:24, Alexander Leidinger wrote: Quoting Jamie Gritton (from Thu, 24 Jun 2010 10:30:42 -0600): On 06/24/10 06:43, Alexander Leidinger wrote: >> Jails that exist outside of the config file's knowledge are a tricky point, and the problems are really only on a shutd

Re: Thoughts on jail.config

2010-06-28 Thread Jamie Gritton
On 06/28/10 08:41, Rodrigo Mosconi wrote: An idea: if it works like a "jaild"? A daemon managing the start-up, shutdown, console redirection? All the admin tasks could be done by a "jailctl"? I don't know what work a daemon would have to do. I only see it running tasks on startup, and then

Re: Thoughts on jail.config

2010-06-29 Thread Jamie Gritton
On 06/29/10 04:21, Bjoern A. Zeeb wrote: One functionality I forgot about but was asked for in the past was "jail reboot" so that an admin could "restart" a jail completely from within the jail. The question is whether we may want a "jailinit" (an init running inside the jail) for that or if we w

Re: selective jail restriction controlling in rc.conf

2010-07-07 Thread Jamie Gritton
On 07/04/10 10:10, Harald Schmalzbauer wrote: Dear freebsd-jail fellows, I hadn't known of that list yet, nor am I subscribed, but I did some work for myself to extend rc.d/jail to accomplish some of my needs and I'd like to share it. I don't have much knowledge to join serious development,

Re: libjail issues.

2010-07-15 Thread Jamie Gritton
On 07/15/10 04:12, Stanislav Uzunchev wrote: I have found something very strange to me... It is a problem with statically allocating the size of the buffer where the jail param is going to be copied, using the jail_getv function from libjail. Well for example: buff[size]; jail_getv(0, "name", "1", "host.host

First stab at a new jail(8)

2010-09-02 Thread Jamie Gritton
I've got code for a config-based jail(8) at http://people.freebsd.org/~jamie/jail.tbz . It drops in under /usr/src/usr.sbin, but is a big enough change from the current sources that I didn't bother with a diff. I haven't yet updated the man page for it, so I'll give a quick overview here...

Re: jail_attach does not chdir to new root?

2010-11-03 Thread Jamie Gritton
On 11/03/10 00:56, Nikos Vassiliadis wrote: Out of curiosity, why jail_attach() does not chdir() to the new root? It seems like something worth mentioning in jail(2). I wasn't involved in the early jail stuff, but I'll venture it was because chroot(2) also doesn't chdir to the new root, and j

Re: rc.d/jail issues

2011-01-27 Thread Jamie Gritton
hat fixed up, I plan on putting it in HEAD. After that, I still have a todo list mostly of suggestions from others. Feel free to give me any "todo" suggestions, or any other feedback :-). - Jamie On 01/27/11 10:18, Dirk Engling wrote: On Thu, 27 Jan 2011, Jamie Gritton wrote: That&

Re: rc.d/jail issues

2011-01-27 Thread Jamie Gritton
That's where it's headed. I've been slow on progress lately, but I'm working on a jail(8) that takes a config file instead of rc shell variables, and takes care of dependency issues among other things. - Jamie On 01/27/11 08:42, Dirk Engling wrote: On Thu, 27 Jan 2011, Paul Schenkeveld wrote:

Re: rc.d/jail issues

2011-01-28 Thread Jamie Gritton
No - this is entirely a user-space project. Those are both things I'd like to add to jails after I get through the mess on the other side of the kernel divide. - Jamie On 01/27/11 13:30, Kostik Belousov wrote: On Thu, Jan 27, 2011 at 10:37:22AM -0700, Jamie Gritton wrote: It's

Re: [jail][vnet] wlandebug inside jail, operation not permitted

2011-02-16 Thread Jamie Gritton
This is by design. The "root" in a jail isn't quite a full-featured root, and in particular can't do anything that affects the hardware in ways beyond normal non-administrative use. - Jamie On 02/16/11 09:34, Monthadar Al Jaberi wrote: Hej, I have created a jail with "jail -c jid=1 vnet persis

Re: New jail(8) with configuration files, not yet in head

2011-07-04 Thread Jamie Gritton
Oh, never good when "(null)" shows up. I'll see what I'm trying to run that isn't there. - Jamie On 07/04/11 15:36, Brandon Gooch wrote: I did however notice a minor nit in the output when removing a jail. Here's the scenario: ... Now, when I go to remove the jail: # jail -r ports Stopping

Re: New jail(8) with configuration files, not yet in head

2011-07-06 Thread Jamie Gritton
This is code that notes error return codes from processes run under the jail (e.g. the exec.start script). But in this case, it's reporting an error from a process that was part of the jail's shutdown. The reason the command is "(null)" is this wasn't a command started from jail(8) itself. I've f

Re: New jail(8) with configuration files, not yet in head

2011-07-06 Thread Jamie Gritton
The delay you're seeing is $rcshutdown_timeout (default 30 seconds) which will kill rc.shutdown if it doesn't successfully stop all the jail's processes. After that, it will forcibly kill all (jailed) processes. jail(8) has a similar thing going where after any stop scripts have run, it will send

Re: New jail(8) with configuration files, not yet in head

2011-07-19 Thread Jamie Gritton
It's clear now that this won't be happening in 9.0. So none of this is in danger of getting pushed through in a hurry. - Jamie On 07/18/11 13:08, Paul Schenkeveld wrote: Hi, On Sun, Jul 03, 2011 at 11:24:57PM -0600, Jamie Gritton wrote: I'm hoping to get the latest versio

Re: debugging frequent kernel panics on 8.2-RELEASE

2011-08-21 Thread Jamie Gritton
On 08/20/11 19:19, Steven Hartland wrote: - Original Message - From: "Andriy Gapon" on 20/08/2011 23:24 Steven Hartland said the following: - Original Message - From: "Steven Hartland" Looking through the code I believe I may have noticed a scenario which could trigger the pr

Re: debugging frequent kernel panics on 8.2-RELEASE

2011-08-21 Thread Jamie Gritton
On 08/21/11 05:01, Steven Hartland wrote: - Original Message - From: "Jamie Gritton" The problem isn't with the conditional locking of tpr in prison_deref. That locking is actually correct, and there's no race condition. Are you sure? I do think that unlock

Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" when starting jail

2012-02-28 Thread Jamie Gritton
The allow.mount parameter recently changed in a subtle way - it's now a node (to e.g. allow.mount.devfs) as well as a parameter in its own right. This confused libjail which knows how to handle such parameters as long as they're not boolean. I'm including my proposed fix to libjail. This fix

Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" when starting jail

2012-02-28 Thread Jamie Gritton
The following reply was made to PR bin/165515; it has been noted by GNATS. From: Jamie Gritton To: Glen Barber Cc: freebsd-gnats-sub...@freebsd.org, freebsd-jail@FreeBSD.org, Martin Matuska Subject: Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" whe

Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" when starting jail

2012-02-28 Thread Jamie Gritton
On 02/28/12 17:30, Martin Matuska wrote: On 28.2.2012 23:36, Jamie Gritton wrote: The allow.mount parameter recently changed in a subtle way - it's now a node (to e.g. allow.mount.devfs) as well as a parameter in its own right. This confused libjail which knows how to handle such paramete

Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" when starting jail

2012-02-28 Thread Jamie Gritton
The following reply was made to PR bin/165515; it has been noted by GNATS. From: Jamie Gritton To: Martin Matuska Cc: Glen Barber , freebsd-gnats-sub...@freebsd.org, freebsd-jail@FreeBSD.org Subject: Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" whe

Re: jail name is interpreted as jid when numeric

2012-03-23 Thread Jamie Gritton
It might seem clear with the dot-separated names that asd.asd.1 isn't the same as jail 1. But looking from the viewpoint of asd.asd, that jail would simply be "1". As jails may be referred to by either number or name, it made sense to exclude jails whose name was a number, except in the special ca

New jail(8) committed

2012-04-26 Thread Jamie Gritton
I've finally put my jail(8) changes into HEAD. This new version of jail can create jails from a configuration file - see jail.conf(5) for the format, as well as some additions to jail(8). This doesn't mean you *have* to use jail.conf, but it's a better way to manage jails than the existing rc

Re: New jail(8) committed

2012-04-27 Thread Jamie Gritton
asn't sufficient. I'll make sure I've got the right numbers in there (10.0 until it's actually MFC'd). - Jamie On 04/27/12 10:17, Subbsd wrote: On Fri, Apr 27, 2012 at 12:07 AM, Jamie Gritton wrote: I've finally put my jail(8) changes into HEAD. http://svnweb.

Re: New jail(8) committed

2012-04-28 Thread Jamie Gritton
eral parser for C-style config files, and I looked for such a library when I started on this. But such a library doesn't seem to exist. Perhaps it's time to make one. - Jamie On 04/27/12 22:14, Dirk Engling wrote: On 26.04.12 22:07, Jamie Gritton wrote: I've finally put my jail(8)

Re: New jail(8) committed

2012-04-28 Thread Jamie Gritton
I don't know about wrapping a utility around it, but it would be nice to have in a library. If it could be made to work for not only jail, but apmd and devd as well, then we could make some existing code cleaner. - Jamie On 04/28/12 10:52, Devin Teske wrote: On Apr 28, 2012, at 7:38 AM,

Re: New jail(8) committed

2012-04-28 Thread Jamie Gritton
On 04/28/12 00:08, Jason Hellenthal wrote: On Sat, Apr 28, 2012 at 06:14:07AM +0200, Dirk Engling wrote: On 26.04.12 22:07, Jamie Gritton wrote: I've finally put my jail(8) changes into HEAD. This new version of jail can create jails from a configuration file - see jail.conf(5) fo

Re: New jail(8) committed

2012-04-29 Thread Jamie Gritton
On 04/29/12 17:37, Mr Dandy wrote: Looks like the new functionality lost the ability of the old /etc/rc.d/jail to carry out multiple prestart/stop instructions. Old cool feature: jail_example_exec_afterstart0="" jail_example_exec_afterstart1="" .. In the new style it doesn't work: exec.start0 =

Re: jail still broken on 9-STABLE

2012-05-15 Thread Jamie Gritton
I gave a pretty long MFC period to the new jail stuff since it's such a big change. - Jamie On 05/15/12 03:09, Christer Solskogen wrote: jail: unknown parameter: allow.nomount :-( ___ freebsd-jail@freebsd.org mailing list http://lists.freebsd.org/m

Re: Breakage on 9

2012-05-21 Thread Jamie Gritton
I've got a fix that's going in as soon as it's confirmed. I'm including the patch here. Backing out r235624 will work, unless you happen to be on a box where r235624 was necessary. I had said something before about the long MFC, but that turned out to be wrong. That was for the new jail(8) code,

Re: ifconfig not seeing IPv6 in x86 jail

2012-06-13 Thread Jamie Gritton
A PR sounds appropriate if it's not doing what it should. Just to be sure: this is an x86 jail on an x86 system? I want to make sure it's a jail issue and not a 32-bit emulation issue. - Jamie On 06/12/12 06:32, Mars G. Miro wrote: Hi Guys I've just noticed this now, and I usually build jails

Re: [patch] etc/rc.d/jail: allow extra parameters for each jails

2012-08-17 Thread Jamie Gritton
On 08/17/12 04:28, Bjoern A. Zeeb wrote: On Thu, 16 Aug 2012, Jun Kuriyama wrote: Hi, Here is a patch which I have been using for years in my production environment. I usually change parameters documented in jail(8) for each jail, but the current rc.d/jail has no feature to pass extra parameters at st

Re: IPv6 multicast sent to jail

2012-08-21 Thread Jamie Gritton
On 08/19/12 11:35, Curtis Villamizar wrote: I'm trying to run isc-dhcpd using dhcpd -6 in a jail. No luck. The following code is run in the jail and doesn't fail. if (inet_pton(AF_INET6, All_DHCP_Relay_Agents_and_Servers, &mreq.ipv6mr_multiaddr)<= 0) {

Re: misc/170832: jail v2 loses a binding of ip which sets after ips with /"network prefix"

2012-08-22 Thread Jamie Gritton
On 08/21/12 12:49, Oleg Ginzburg wrote: Number: 170832 Category: misc Synopsis: jail v2 loses a binding of ip which sets after ips with /"network prefix" Confidential: no Severity: non-critical Priority: low Responsible: freebsd-bugs State: open Quar

Re: IPv6 multicast sent to jail

2012-08-25 Thread Jamie Gritton
On 08/25/12 14:15, Curtis Villamizar wrote: In message<503402fe.9080...@freebsd.org> Jamie Gritton writes: On 08/19/12 11:35, Curtis Villamizar wrote: I'm trying to run isc-dhcpd using dhcpd -6 in a jail. No luck. The following code is run in the jail and doesn't fai

Re: Quotas inside jails

2012-08-31 Thread Jamie Gritton
On 08/30/12 17:05, Darek M wrote: On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen wrote: On Aug 30, 2012, at 2:52 PM, Darek M wrote: playing around with setting quotas inside a jail. Configured and tested them on the host, configured a quota for a jail user, but it isn't being enforced. I at

Re: Quotas inside jails

2012-09-03 Thread Jamie Gritton
On 08/31/12 14:41, Scott Lambert wrote: On Thu, Aug 30, 2012 at 07:05:30PM -0400, Darek M wrote: On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen wrote: Another way to set hard quotas for jails is to give each one its own filesystem of fixed size. This is trivially easy with zfs--just create a z

Re: Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Jamie Gritton
On 09/04/12 02:55, Bjoern A. Zeeb wrote: Hi, I had been talking to someone about jail management and it turns out people are using jail jid=42 to always have a fixed jail ID. The reason as I understood is that ZFS datasets are associated by jail id for delegation? [I admit having no clue about t

Re: Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Jamie Gritton
On 09/04/12 04:20, Bjoern A. Zeeb wrote: On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote: On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote: On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote: 2) in the case of (1) it should be possible to address jails by name as ZFS would be handled autom

Re: Quotas inside jails

2012-09-04 Thread Jamie Gritton
On 09/04/12 12:40, Darek M wrote: On Fri, Aug 31, 2012 at 3:05 PM, Jamie Gritton wrote: On 08/30/12 17:05, Darek M wrote: I'm curious whether the "security.jail.param.allow.quotas" sysctl is my missing link, and if so, why it is immutable. The security.jail.param.* sysc

Re: Fixed Jail ID for ZFS -> need proper mgmt?

2012-09-04 Thread Jamie Gritton
On 09/04/12 14:37, Bjoern A. Zeeb wrote: On Tue, 4 Sep 2012, Jamie Gritton wrote: It's true that a jail left in the DYING state can't be re-created normally. But it can with the "-d" flag or the "allow.dying" parameter. In that case, an existing but dying jail w

Re: IPv6 multicast sent to jail

2012-09-07 Thread Jamie Gritton
On 09/05/12 16:51, Bjoern A. Zeeb wrote: On Wed, 5 Sep 2012, Curtis Villamizar wrote: In message "Bjoern A. Zeeb" writes: On Sat, 25 Aug 2012, Jamie Gritton wrote: ... Curtis Offhand, it does sound like a bug. I imagine the solution would be to reject the join - at leas

Re: Upgrading FBSD-7.0 --> 7.4 and Jail won't start

2012-09-11 Thread Jamie Gritton
On 09/08/12 12:15, Jack Stone wrote: uname -a FreeBSD mail.sagedata.net 7.0-RELEASE-p9 FreeBSD 7.0-RELEASE-p9 #2: Sun Jan 18 19:59:27 CST 2009 r...@mail.sagedata.net:/usr/obj/usr/src/sys/SMP i386 Have been running and upgrading host+jail for years and through several versions of FreeBSD. However

Re: Boot-time jails (new jail)

2012-09-21 Thread Jamie Gritton
When it says rc.conf(5) it means the file and not the man page. And "the file" is /etc/defaults/rc.conf and not /etc/rc.conf. So it should just say "Please refer to the ``jail_*'' variables in /etc/defaults/rc.conf." - Jamie On 09/21/12 01:11, Matt Burke wrote: Am I missing something, or if yo

Recent jail problems [was: ICMP RAW socket error]

2012-11-15 Thread Jamie Gritton
On 11/09/12 03:38, Beeblebrox wrote: My jail used to work fine but it seems a recent update broke some things. My kernel/world has INET6 disabled and there are already 2 threads re the error that setting causes with jails. Now this error - is it a bug or am I missing something? My /etc/sysctl.con

Re: Recent jail problems [was: ICMP RAW socket error]

2012-11-25 Thread Jamie Gritton
On 11/25/12 02:46, Beeblebrox wrote: I'm probably overlooking certain things with this question, but there seems to be a number of places to make jail-specific adjustments / settings. The options available are: host /etc/rc.conf host /etc/sysctl.conf host /etc/devfs.rules host /etc/jail.conf Q1

kern/68189 and kern/169751: what jails are allowed to see in a routing socket

2013-01-02 Thread Jamie Gritton
I've been looking at PR kern/169751, which was noting that routing sockets don't work inside a jail. It made the point that setting security.jail.socket_unixiproute_only or security.jail.allow_raw_sockets didn't help things. It would seem kind of a given from the "unixiproute" name that a rou

Re: kern/68189 and kern/169751: what jails are allowed to see in a routing socket

2013-01-03 Thread Jamie Gritton
On 01/03/13 02:36, Bjoern A. Zeeb wrote: On Wed, 2 Jan 2013, Jamie Gritton wrote: I've been looking at PR kern/169751, which was noting that routing sockets don't work inside a jail. It made the point that setting security.jail.socket_unixiproute_only or security.jail.allow_raw_sock

Re: problem stopping jails with jail(8), jail.conf and mount.fstab

2013-02-12 Thread Jamie Gritton
On 02/12/13 07:47, Harald Schmalzbauer wrote: Hello, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension! But I have one problem: If I want to stop a jail with 'jail -r jailname', I get "umount: unmount of /.jail.jailname failed: Device busy"

Re: Marking some FS as jailable

2013-02-14 Thread Jamie Gritton
On 02/14/13 06:27, Baptiste Daroussin wrote: On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote: On 02/12/13 12:40, Baptiste Daroussin wrote: I would like to mark some filesystem as jailable, here is the one I need: linprocfs, tmpfs and fdescfs, I was planning to do it with adding

Re: Marking some FS as jailable

2013-02-14 Thread Jamie Gritton
On 02/14/13 07:56, Baptiste Daroussin wrote: On Thu, Feb 14, 2013 at 07:40:58AM -0700, Jamie Gritton wrote: On 02/14/13 06:27, Baptiste Daroussin wrote: On Tue, Feb 12, 2013 at 10:06:29PM -0700, Jamie Gritton wrote: On 02/12/13 12:40, Baptiste Daroussin wrote: I would like to mark some

Re: new jail(8) ignoring devfs_ruleset?

2013-02-15 Thread Jamie Gritton
On 02/15/13 09:27, Harald Schmalzbauer wrote: Hello, like already posted, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension! Accidentally I saw that "devfs_ruleset" seems to be ignored. If I list /dev/ I see all the hosts disk devices etc. I s

Re: new jail(8) ignoring devfs_ruleset?

2013-02-18 Thread Jamie Gritton
On 02/18/13 01:54, Harald Schmalzbauer wrote: Jamie Gritton wrote on 16.02.2013 00:40 (localtime): On 02/15/13 09:27, Harald Schmalzbauer wrote: Hello, like already posted, on 9.1-R, I highly appreciate the new jail(8) and jail.conf capabilities. Thanks for that extension

Re: new jail(8) ignoring devfs_ruleset?

2013-02-18 Thread Jamie Gritton
On 02/18/13 09:29, Mateusz Guzik wrote: On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote: On 02/18/13 01:54, Harald Schmalzbauer wrote: Jamie Gritton wrote on 16.02.2013 00:40 (localtime): On 02/15/13 09:27, Harald Schmalzbauer wrote: Hello, like already posted, on 9.1

Re: new jail(8) ignoring devfs_ruleset?

2013-02-19 Thread Jamie Gritton
On 02/18/13 09:29, Mateusz Guzik wrote: On Mon, Feb 18, 2013 at 09:26:42AM -0700, Jamie Gritton wrote: On 02/18/13 01:54, Harald Schmalzbauer wrote: Jamie Gritton wrote on 16.02.2013 00:40 (localtime): On 02/15/13 09:27, Harald Schmalzbauer wrote: Hello, like already posted, on 9.1-R

Re: vnet jails and rc-scripts

2013-02-26 Thread Jamie Gritton
On 02/26/13 01:56, Andreas Nilsson wrote: However I still don't get the purpose of the security.jail.param.*. Are they to be set in loader.conf/sysctl.conf to influence the default config of jails, or are they supposed to be per-jail (from inside the jail) carriers of config? The PR seems to indicate it

Re: vnet jails and rc-scripts

2013-02-27 Thread Jamie Gritton
On 02/27/13 01:30, Andreas Nilsson wrote: On Wed, Feb 27, 2013 at 5:44 AM, Jamie Gritton wrote: On 02/26/13 01:56, Andreas Nilsson wrote: However I still don't get the purpose of the security.jail.param.*. Are they to be set in

Re: IPv4 addresses clash / jails not working after reboot…

2013-03-07 Thread Jamie Gritton
On 03/07/13 05:29, Yoann Gini wrote: On 7 March 2013 at 10:58, Boris Samorodov wrote: On 07.03.2013 12:48, Yoann Gini wrote: I need to share this IP, I've only one and I would like to avoid playing with NAT… One IP may be shared but for different services (ports). That's what I've unders

Re: jail.conf & cpuset.id

2013-03-21 Thread Jamie Gritton
On 03/17/13 05:59, Nicolas de Bari Embriz Garcia Rojas wrote: Hi, all, I am starting to use jail.conf for running my jails; in rc.local I have this line: jail -c to start my jails at boot time (any better ideas?). Now checking the man pages for jail I found an option that caught my attenti

Re: new jail(8) ignoring devfs_ruleset?

2013-03-21 Thread Jamie Gritton
On 03/21/13 17:59, Miroslav Lachman wrote: Jeremie Le Hen wrote: On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote: Jamie Gritton wrote on 16.02.2013 00:40 (localtime): On 02/15/13 09:27, Harald Schmalzbauer wrote: Hello, like already posted, on 9.1-R, I highly

Re: new jail(8) ignoring devfs_ruleset?

2013-03-21 Thread Jamie Gritton
On 03/21/13 18:20, Miroslav Lachman wrote: Jamie Gritton wrote: On 03/21/13 17:59, Miroslav Lachman wrote: Jeremie Le Hen wrote: On Mon, Feb 18, 2013 at 09:54:42AM +0100, Harald Schmalzbauer wrote: Jamie Gritton wrote on 16.02.2013 00:40 (localtime): On 02/15/13 09:27, Harald Schmalzbauer

Re: numeric jail name in jail.conf

2013-03-22 Thread Jamie Gritton
On 03/22/13 05:25, Nicolas de Bari Embriz Garcia Rojas wrote: Hi, when using numeric names for jails, something like: 10 { exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; } 20 { exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc

Re: rc.d/jail and jail.conf

2013-03-31 Thread Jamie Gritton
On 03/30/13 14:59, Dirk Engling wrote: On Sat, 30 Mar 2013, Nicolas de Bari Embriz Garcia Rojas wrote: If I am right you can define the order of start for jails in the jail2_list (rc.conf), something like: jail2_list="jail1 jail2" Thanks, I suppose it mimics the way rc.d/jail has handled it

Re: rc.d/jail and jail.conf

2013-03-31 Thread Jamie Gritton
On 03/31/13 09:12, Miroslav Lachman wrote: Jamie Gritton wrote: On 03/30/13 14:59, Dirk Engling wrote: On Sat, 30 Mar 2013, Nicolas de Bari Embriz Garcia Rojas wrote: If I am right you can define the order of start for jails in the jail2_list (rc.conf), something like: jail2_list="

Re: rc.d/jail and jail.conf

2013-03-31 Thread Jamie Gritton
On 03/31/13 11:09, Miroslav Lachman wrote: Jamie Gritton wrote: On 03/31/13 09:12, Miroslav Lachman wrote: >> Is there a way to disable jail defined in jail.conf? (to avoid jail2_list in rc.conf) I'm not sure what you're asking. You want a jail in jail.conf that's not

Re: rc.d/jail and jail.conf

2013-03-31 Thread Jamie Gritton
On 03/31/13 12:58, Dirk Engling wrote: On 31.03.13 20:31, Jamie Gritton wrote: That seems reasonable, but using a jail list in rc.conf may suffice. It is less error prone to just use 'jail_list=*' in rc.conf and disable jails per config block, and then issue a warning like 'Sk

Re: rc.d/jail and jail.conf

2013-03-31 Thread Jamie Gritton
On 03/31/13 20:01, Paul Schenkeveld wrote: On Sun, Mar 31, 2013 at 09:14:23PM +0200, Dirk Engling wrote: On Sun, 31 Mar 2013, Jamie Gritton wrote: If you don't mind some slightly difficult error messages, you can always "disable" a jail with exec.prestart="false&qu

Re: rc.d/jail and jail.conf

2013-03-31 Thread Jamie Gritton
On 03/31/13 14:58, Dirk Engling wrote: On 31.03.13 22:01, Miroslav Lachman wrote: So I guess, I am out of luck here, because users used to think of their jails as what they saw in the hostname field on jls. If I am writing tools that use jail_getid to map the jailname to the jid, it will never

Re: rc.d/jail and jail.conf

2013-04-01 Thread Jamie Gritton
On 03/31/13 21:53, Ian Smith wrote: > On Sun, 31 Mar 2013 22:58:33 +0200, Dirk Engling wrote: >> Maybe meeting at a BSDcon over a beer would help ;) > > Unlikely to hurt, anyway :) Perhaps I need to plan on going to BSDCan after all... - Jamie ___ fre

Re: jail(8) vs. rc.d/jail features - fstab, zfs, vnet

2013-04-11 Thread Jamie Gritton
On 04/11/13 12:48, Dirk Engling wrote: Dear jail hackers, in my ongoing quest to understand the direction jail development is heading, I noticed that per-jail-fstabs are not (anymore?, yet?) supported by the new jail(8)-rc.d/jail2-combo. Are there official plans to drop the support? A nice new

Re: IPv4 addresses clash / jails not working after reboot…

2013-04-12 Thread Jamie Gritton
On 04/12/13 10:53, Łukasz Wąsikowski wrote: On 2013-03-08 00:22, Jamie Gritton wrote: You're allowed to have the same address in multiple jails, but only in the case of jails that have one address (i.e. one IPv4 address in this case). Jails with multiple IP addresses can't sh

Re: jail(8) vs. rc.d/jail features - fstab, zfs, vnet

2013-04-14 Thread Jamie Gritton
On 04/13/13 23:32, Dirk Engling wrote: On 12.04.13 01:58, Jamie Gritton wrote: similar parameter for zfs, or we could create another set of exec.* parameters, which would be more flexible in the long run. But as you hinted at with "postprestart", there doesn't seem to be a go

Re: automatic garbage collection of stuff mounted (etc.) by jailed root

2013-04-22 Thread Jamie Gritton
On 04/22/13 03:17, Mateusz Guzik wrote: Hello, This is something that imho could be done by GSoC student. It is possible to allow jailed root to mount various filesystems. But once all processes are dead, mounts done by jailed root that he didn't clean up are still hanging around. As time pass

Re: automatic garbage collection of stuff mounted (etc.) by jailed root

2013-04-22 Thread Jamie Gritton
On 04/22/13 11:39, Miroslav Lachman wrote: Jamie Gritton wrote: On 04/22/13 03:17, Mateusz Guzik wrote: [...] Again, the goal is to have jails clean up automatically after anything jailed root was permitted to do. Thoughts? This already happens when jails are created using a jail.conf
