Date: Mon, 21 Jun 2010 11:06:57 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/147162  jail  [jail] [panic] Page Fault / Kernel panic when jail sta
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots with

7 problems total.
Date: Tue, 22 Jun 2010 17:54:14 +0900
From: Alexander Petrovsky
To: freebsd-jail@freebsd.org
Subject: Some changes in /etc/rc.d/jail

Hi!

In my work process I want to use jail configs like this:

/etc/rc.conf:

    jail_enable="YES"
    jail_v2_enable="YES"
    jail_sysvipc_allow="YES"
    jail_set_hostname_allow="YES"
    jail_list="jail01"
    jail_jail01_name="jail01"
    jail_jail01_hostname="jail01.juise.ru"
    jail_jail01_rootdir="/usr/jail/work/jail01"
    jail_jail01_vnet_enable="YES"
    jail_jail01_mount_enable="YES"
    jail_jail01_devfs_enable="YES"
    jail_jail01_devfs_ruleset="jail"
    jail_jail01_exec_prestart0="mdconfig -a -t vnode -f /usr/jail/images/jail01 -u 1"
    jail_jail01_exec_prestart1="ifconfig epair0 create"
    jail_jail01_exec_prestart2="ifconfig epair0b up"
    jail_jail01_exec_prestart3="ifconfig bridge0 addm epair0b"
    jail_jail01_exec_poststart0="ifconfig epair0a vnet jail01"
    jail_jail01_exec_poststop0="ifconfig epair0b destroy"
    jail_jail01_exec_poststop1="mdconfig -d -u 1"

/etc/fstab.jail01:

    # Device        Mountpoint              FStype   Options  Dump  Pass#
    /dev/md1        /usr/jail/work/jail01   ufs      rw       0     0
    /usr/jail/base  /usr/jail/work/jail01   unionfs  rw       0     0

To use _vnet_enable and _name I use the following patch:

    s conf/142972 jail [jail] [patch] Support JAILv2 and vnet in rc.d/jail

But the current /etc/rc.d/jail doesn't support executing _exec_prestart FIRST:
_exec_prestart is executed after the mount function, and so I made some
changes in /etc/rc.d/jail.

Attached:
  full.diff   - my patch + BERARD David's patch (142972)
  custom.diff - only my patch

--
Петровский Александр / Alexander Petrovsky,
ICQ: 350342118
Jabber: juise@jabber.ru
Phone: +7 914 8 820 815

Attachment: custom.diff

--- orig.8	2010-06-23 01:52:11.000000000 +0900
+++ jail_e	2010-06-23 02:26:49.000000000 +0900
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD$
+# $FreeBSD: src/etc/rc.d/jail,v 1.43.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
 #
 
 # PROVIDE: jail
@@ -573,6 +573,15 @@ jail_start()
 		else
 			_setfib=""
 		fi
+	
+                i=0
+                while : ; do
+                        eval out=\"\${_exec_prestart${i}:-''}\"
+                        [ -z "$out" ] && break
+                        ${out}
+                        i=$((i + 1))
+                done
+	
 		if checkyesno _mount; then
 			info "Mounting fstab for jail ${_jail} (${_fstab})"
			if [ ! -f "${_fstab}" ]; then

@@ -627,14 +636,6 @@ jail_start()
 		fi
 		_tmp_jail=${_tmp_dir}/jail.$$
 
-		i=0
-		while : ; do
-			eval out=\"\${_exec_prestart${i}:-''}\"
-			[ -z "$out" ] && break
-			${out}
-			i=$((i + 1))
-		done
-
 		eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
 			\"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
 
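Review bot: the @@ -1,6 +1,6 hunk (full.diff opens with the same one) swaps the `$FreeBSD$` keyword for its expanded form taken from a checked-out copy; that is RCS keyword noise rather than part of the change, and it will refuse to apply against any other revision of the file. Drop the hunk, and while regenerating use real tree paths instead of `--- orig.8` / `+++ jail_e` so the patch can be applied from the source root with patch(1).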
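Review bot: the @@ -573,6 +573,15 hunk is malformed: the context line `			if [ ! -f "${_fstab}" ]; then` lacks the leading space every context line must carry, and a stray blank line follows it before the next @@ header, so patch(1) will reject custom.diff as a whole (full.diff carries the same hunk intact, so this copy looks hand-edited). The two `+` lines that add a lone tab create whitespace-only lines, and the loop body is indented with spaces in a tab-indented file. Regenerate the diff with `diff -u` and indent with tabs.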
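Review bot: deleting the loop in the @@ -627,14 +636,6 hunk, together with the copy added at @@ -573, moves every `_exec_prestartN` command from after the fstab and devfs mounts to before them, so any existing configuration that uses prestart to touch files inside the mounted jail silently changes behaviour; this is the objection David Bérard raises in his reply below. Leave this loop where it is and add a separate `_exec_earlyprestartN` loop at the earlier point instead; the mdconfig/epair setup in this mail fits there without affecting other users.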
Attachment: full.diff

--- orig.8	2010-06-23 01:52:11.000000000 +0900
+++ new	2010-06-23 01:50:10.000000000 +0900
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD$
+# $FreeBSD: src/etc/rc.d/jail,v 1.43.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
 #
 
 # PROVIDE: jail
@@ -38,6 +38,7 @@ init_variables()
 	_fdescdir="${_devdir}/fd"
 	_procdir="${_rootdir}/proc"
 	eval _hostname=\"\$jail_${_j}_hostname\"
+	eval _name=\"\$jail_${_j}_name\"
 	eval _ip=\"\$jail_${_j}_ip\"
 	eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
 	eval _exec=\"\$jail_${_j}_exec\"
@@ -95,6 +96,8 @@ init_variables()
 		fi
 	fi
 
+        # JAIL new style
+        eval _v2=\"\${jail_v2_enable:-"NO"}\"
 	# The default jail ruleset will be used by rc.subr if none is specified.
 	eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
 	eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
@@ -110,18 +113,26 @@ init_variables()
 	eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
 	[ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
 	eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
-	[ -z "${_flags}" ] && _flags="-l -U root"
+        if checkyesno _v2; then
+                [ -z "${_flags}" ] && _flags="-l -U root -c"
+        else
+                [ -z "${_flags}" ] && _flags="-l -U root"
+        fi
 	eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
 	[ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
 	eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
+        eval _vnet=\"\${jail_${_j}_vnet_enable:-"NO"}\"
 
 	# Debugging aid
 	#
+        debug "$_j v2 enable: $_v2"
 	debug "$_j devfs enable: $_devfs"
 	debug "$_j fdescfs enable: $_fdescfs"
 	debug "$_j procfs enable: $_procfs"
 	debug "$_j mount enable: $_mount"
+        debug "$_j vnet enable: $_vnet"
 	debug "$_j hostname: $_hostname"
+        debug "$_j name: $_name"
 	debug "$_j ip: $_ip"
 	jail_show_addresses ${_j}
 	debug "$_j interface: $_interface"
@@ -136,6 +147,7 @@ init_variables()
 	i=0
 	while : ; do
 		eval out=\"\${_exec_prestart${i}:-''}\"
+
 		if [ -z "$out" ]; then
 			break
 		fi
@@ -144,7 +156,6 @@ init_variables()
 	done
 
 	debug "$_j exec start: $_exec_start"
-
 	i=1
 	while : ; do
 		eval out=\"\${_exec_afterstart${i}:-''}\"
@@ -152,11 +163,9 @@ init_variables()
 		if [ -z "$out" ]; then
 			break;
 		fi
-
 		debug "$_j exec after start #${i}: ${out}"
 		i=$((i + 1))
 	done
-
 	i=0
 	while : ; do
 		eval out=\"\${_exec_poststart${i}:-''}\"
@@ -166,7 +175,6 @@ init_variables()
 		debug "$_j exec post-start #${i}: ${out}"
 		i=$((i + 1))
 	done
-
 	i=0
 	while : ; do
 		eval out=\"\${_exec_prestop${i}:-''}\"
@@ -236,7 +244,6 @@ is_current_mountpoint()
 	local _dir _dir2
 
 	_dir=$1
-
 	_dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'`
 	[ ! -d "${_dir}" ] && return 1
 	_dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'`
@@ -573,6 +580,15 @@ jail_start()
 		else
 			_setfib=""
 		fi
+
+                i=0
+                while : ; do
+                        eval out=\"\${_exec_prestart${i}:-''}\"
+                        [ -z "$out" ] && break
+                        ${out}
+                        i=$((i + 1)) 
+                done
+
 		if checkyesno _mount; then
 			info "Mounting fstab for jail ${_jail} (${_fstab})"
 			if [ ! -f "${_fstab}" ]; then
@@ -580,6 +596,7 @@ jail_start()
 			fi
 			jail_mount_fstab
 		fi
+
 		if checkyesno _devfs; then
 			# If devfs is already mounted here, skip it.
 			df -t devfs "${_devdir}" >/dev/null
@@ -627,19 +644,28 @@ jail_start()
 		fi
 		_tmp_jail=${_tmp_dir}/jail.$$
 
-		i=0
-		while : ; do
-			eval out=\"\${_exec_prestart${i}:-''}\"
-			[ -z "$out" ] && break
-			${out}
-			i=$((i + 1))
-		done
-
-		eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
-			\"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+                if checkyesno _v2; then
+                        _start_cmd="${_setfib} jail -J ${_tmp_jail} ${_flags} path=${_rootdir} host.hostname=${_hostname} \
+                                name=\"${_name}\""
+                        if checkyesno _vnet; then
+                                _start_cmd="${_start_cmd} vnet"
+                        else
+                                _start_cmd="${_start_cmd} ip4.addr=\"${_addrl}\""
+                        fi
+                        _start_cmd="${_start_cmd} command=${_exec_start}"
+                        eval ${_start_cmd} > /dev/null 2>&1
+                else
+                        eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
+                                \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+                fi
 
 		if [ "$?" -eq 0 ] ; then
-			_jail_id=$(head -1 ${_tmp_jail})
+                        if checkyesno _v2; then
+                                _jail_id=$(awk -F '=| ' '{print $2}' ${_tmp_jail})
+                        else
+                                _jail_id=$(head -1 ${_tmp_jail})
+                        fi
+
 			i=1
 			while : ; do
 				eval out=\"\${_exec_afterstart${i}:-''}\"
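Review bot: in the @@ -38,6 +38,7 hunk `eval _name=\"\$jail_${_j}_name\"` has no fallback, unlike `_interface` two lines below it, so a jail without `jail_<j>_name` in rc.conf gets an empty `_name` and the v2 start command in the @@ -627 hunk passes `name=""` to jail(8). Default it to the rc.conf key: `eval _name=\"\${jail_${_j}_name:-${_j}}\"`.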
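Review bot: in the @@ -95,6 +96,8 hunk `_v2` is read only from the global `jail_v2_enable`, whereas every neighbouring setting has a per-jail `jail_${_j}_X` override with a global fallback, so old- and new-style jails cannot coexist on one host. Use `\${jail_${_j}_v2_enable:-${jail_v2_enable}}` with the default placed in /etc/defaults/rc.conf rather than an inline `:-"NO"`, replace the `# JAIL new style` comment with what the flag actually selects, and indent with tabs like the surrounding lines.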
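Review bot: the @@ -110,18 +113,26 hunk repeats the `_flags` default in both branches when only `-c` differs; `[ -z "${_flags}" ] && _flags="-l -U root"` followed by `checkyesno _v2 && _flags="${_flags} -c"` says the same in two lines. More importantly, a user-supplied `jail_${_j}_flags` never receives `-c`, yet the `path=`/`host.hostname=` parameter form used in the @@ -627 hunk is jail(8)'s new-style syntax, which requires it, so such a jail will fail to start under v2; append `-c` unconditionally in the v2 case. `_vnet` likewise has no global `jail_vnet_enable` fallback, and the added lines are space-indented.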
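Review bot: the hunks at @@ -136,6, @@ -144,7, @@ -152,11, @@ -166,7, @@ -236,7 and @@ -580,6 only add or remove blank lines; they are unrelated whitespace churn that bloats the review and makes the patch conflict on other branches for no functional gain. Drop them and keep the diff to the functional change.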
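Review bot: the @@ -573,6 +580,15 hunk has the same behavioural problem as custom.diff: it runs every `_exec_prestartN` before the fstab and devfs mounts instead of after them, so existing configurations that rely on the jail tree being mounted during prestart break; a separate early-prestart loop would serve this mail's mdconfig/epair case without that. Also `i=$((i + 1)) ` carries trailing whitespace, and the block uses spaces where the file uses tabs.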
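Review bot: in the @@ -627,19 +644,28 hunk the v2 branch sends the start command's output to `/dev/null` and reuses `${_tmp_jail}` as the `-J` jid file, while the legacy branch keeps the jid on line 1 of `${_tmp_jail}` and the command output after it; anything downstream that still expects command output in that file (the console log) now silently gets jail(8)'s parameter dump instead. Keep the output redirect and write the jid file to a separate name. `_jail_id=$(awk -F '=| ' '{print $2}' ${_tmp_jail})` also hardcodes the `-J` file format and prints one value per line if that file ever has several; `jls -j "${_name}" jid` does not. Finally `ip4.addr=\"${_addrl}\"` hands the whole address list to ip4.addr, so a `jail_<j>_ip` list containing IPv6 entries, which the old `-i` form accepted, will be rejected; split it between ip4.addr and ip6.addr, and quote `host.hostname=${_hostname}` the same way `name` is quoted.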
Date: Tue, 22 Jun 2010 13:08:23 +0200
From: David BÉRARD
To: Alexander Petrovsky
Cc: freebsd-jail@freebsd.org
Subject: Re: Some changes in /etc/rc.d/jail

Hi !

Alexander Petrovsky wrote:
> But the current /etc/rc.d/jail doesn't support execute _exec_prestart FIRST,
> _exec_prestart executed after execute mount function, and so I made some
> changes in the /etc/rc.d/jail.

I don't think it's a good idea to move '_exec_prestart' to the top, if someone
uses '_exec_prestart' to manipulate files in a jail mount point.

Maybe it can be better to make a new '_exec_earlyprestart' loop to resolve
your problem.

I had some networking issues with my patch, because vnet networking started
too late; you can find a new version of this patch (with example) at:
    http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet

Best regards,
--
David BERARD
---------------------------------------
NFrance Conseil, Toulouse, France
david(at)nfrance.com
GPG|PGP KeyId 0x7FC68EB8
GPG|PGP Key http://tinyurl.com/gpgdavid
---------------------------------------
*     No electrons were harmed in     *
*    the transmission of this email   *

Date: Tue, 22 Jun 2010 11:15:03 -0300
From: Rodrigo Mosconi
To: freebsd-jail@freebsd.org
Subject: Re: Some changes in /etc/rc.d/jail
"Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jun 2010 14:15:05 -0000 Interesting your how-to, but on my system the PF and IPFilter crash my kernel when I try to start 2010/6/22 David B=C9RARD : > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi ! > > Alexander Petrovsky wrote: >> But the current /etc/rc.d/jail doesn't support execute _exec_prestart FI= RST, >> _exec_prestart executed after execute mount function, and so I made some >> changes in the /etc/rc.d/jail. > > I don't think it's a god idea to move '_exec_prestart' to the top. > If someone use '_exec_prestart' to manipulate files in a jail mount point= . > > Maybe it can be better to make a new '_exec_earlyprestart' loop to resolv= e your > problem. > > I had some networking issue with my patch, because vnet networking start = too > late, you can find a new version of this patch (with example) at : > =A0 =A0 =A0 =A0http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet > > Best regards, > > - -- > David BERARD > - --------------------------------------- > NFrance Conseil, Toulouse, France > david(at)nfrance.com > GPG|PGP KeyId 0x7FC68EB8 > GPG|PGP Key http://tinyurl.com/gpgdavid > - --------------------------------------- > * =A0 =A0 No electrons were harmed in =A0 =A0 * > * =A0 =A0the transmission of this email =A0 * > -----BEGIN PGP SIGNATURE----- > > iEYEARECAAYFAkwgmaYACgkQYIAREn/GjrgOTQCgti0uI3PijCCKcZBW1ajBprDV > VH0AnjMVy3mEVUDaRy7vXmRW/QfrLcY6 > =3DGeKY > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > From owner-freebsd-jail@FreeBSD.ORG Wed Jun 23 15:18:33 2010 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by 
hub.freebsd.org (Postfix) with ESMTP id 9E9F7106564A; Wed, 23 Jun 2010 15:18:33 +0000 (UTC) (envelope-from citrin@citrin.ru) Received: from mail-chaos.rambler.ru (mail-chaos.rambler.ru [81.19.68.130]) by mx1.freebsd.org (Postfix) with ESMTP id 575B78FC08; Wed, 23 Jun 2010 15:18:33 +0000 (UTC) Received: from [192.168.2.104] (gw2.masterhost.ru [87.242.97.5]) (Authenticated sender: citrin@citrin.ru) by mail-chaos.rambler.ru (Postfix) with ESMTPSA id 8885317024; Wed, 23 Jun 2010 19:07:22 +0400 (MSD) Message-ID: <4C22232A.9020200@citrin.ru> Date: Wed, 23 Jun 2010 19:07:22 +0400 From: Anton Yuzhaninov User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100415 Thunderbird/3.0.4 MIME-Version: 1.0 To: jamie@freebsd.org X-Enigmail-Version: 1.0.1 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: freebsd-jail@freebsd.org Subject: docs/96807: document security.jail.list sysctl in jail(8) X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jun 2010 15:18:33 -0000 After this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=96807 security.jail.list sysctl description was added to jail(8). but in this commit: http://svn.freebsd.org/changeset/base/192896 this text was deleted (probably accidentally). Please return security.jail.list description to jail(8) man page. 
--
Anton Yuzhaninov

Date: Wed, 23 Jun 2010 10:28:50 -0600
From: Jamie Gritton
To: Anton Yuzhaninov
Cc: freebsd-jail@FreeBSD.org
Subject: Re: docs/96807: document security.jail.list sysctl in jail(8)

Actually, I suspect the change was made intentionally. security.jail.list is
obsoleted by jail_get(2), which can show jail parameters that the struct
xprison doesn't include. So using either jail_get(2) or jailparam_get(3)
programmatically, or jls from the command line, is a better solution than
security.jail.list.

For similar reasons, I removed mention of such MIBs as
security.jail.mount_allowed, which while they still exist serve only to
(incompletely) duplicate the function of certain jail parameters.

- Jamie

On 06/23/10 09:07, Anton Yuzhaninov wrote:
> After this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=96807
> security.jail.list sysctl description was added to jail(8).
>
> but in this commit:
> http://svn.freebsd.org/changeset/base/192896
> this text was deleted (probably accidentally).
>
> Please return security.jail.list description to jail(8) man page.

Date: Wed, 23 Jun 2010 13:48:28 -0600
From: Jamie Gritton
To: jail@FreeBSD.org
Cc: "Bjoern A. Zeeb", "Simon L. Nielsen"
Subject: Thoughts on jail.config

The rc system is becoming increasingly unable to handle the newer jail
features.
We've held off patching /etc/rc.d/jail for new parameters, with the promise of
something better. Here's my outline of what I hope will in fact be better than
what we have now.

I'm working on extending jail(8) to use a configuration file that would have
everything currently in a $jail_XXX variable in rc.conf. /etc/rc.d/jail would
ideally be reduced to a single "jail -c" call for startup and "jail -r" for
shutdown, though I'm not sure if things will go quite that far.

I'm using the state of the art in config files, the C-style already used by
apmd and devd in /etc, as well as many non-core programs. Each section would
be a jail name, and within the sections would be the jail parameters, or
pseudo-parameters known by the program.

    foo {
        host.hostname = "foo.bar";
        path = "/usr/jail/foo";
        ip4.addr = "11.22.33.44";
    }

The "name" parameter is implicit. Adding an actual name explicitly in the
definition may work if you want it different for some reason, though I
haven't yet worked out how well that would work.

You can also have default parameters, defined at the top level or in a
pseudo-jail called "*". The reason for that is you can also have defaults that
apply only to some jails, as a hierarchical feature. So you could have a
section "foo.*" that would have parameters for any jail under "foo".

Parameters can include other parameters as shell-style variables. This is
useful for defining defaults based on the jail name. A common use I expect is:

    path = "/usr/jail/$name";

This would allow you to set up default parameters as templates. This variable
substitution also works the other way. Consider the global variable:

    $prefix = "10.1.1";

    foo {
        ip4.addr = "$prefix.3"
    }

Note the difference from the previous example. The variable is defined as
"$prefix = ...", not as "prefix = ...". That means it won't be included as a
jail parameter (since there is no parameter called "prefix").

With this setup, you should be able to fully specify a jail with most of the
work done on the global end, and the per-jail parameters needing only the
parts that actually vary between jails.

In addition to the known jail parameters, there are pseudo-parameters that
don't get passed to jail_set(2), but have some use in setting up the jail on
the userland side. The current jail(8) already has the "command"
pseudo-parameter, that specifies something to run (typically "sh /etc/rc")
after the jail is created.

I have done very little work with these pseudo-parameters so far, and they're
still mostly up in the air. From recent conversation on the jail list, I've
added "depend", which can specify that a jail is not to start until another
jail has been set up.

The other pseudo-parameters come from what /etc/rc.d/jail currently does. Many
of these have to do with commands run at different stages in the setup. Here
are the current shell settings I have been able to pull from that file:

Commands:

  exec_prestart:   run outside jail before create
  exec_start:      single command run inside jail upon creation
                   same as "command" parameter
  exec_afterstart: run inside jail after create, each in its own "jexec"
  exec_poststart:  run outside jail after create (after exec_afterstart)
  exec_prestop:    run outside jail before destroy
  exec_stop:       run inside jail before destroy
  exec_poststop:   run outside jail after destroy

Other:

  interface:      interface to create/destroy all jail's IPs on
  fib:            setfib ID
  devfs_enable:   mount a /dev
  devfs_ruleset:  /dev ruleset
  fdescfs_enable: mount a /dev/fs
  procfs_enable:  mount a /proc
  mount_enable:   mount arbitrary filesystems
  fstab:          filesystems to mount
  consolelog:     where to redirect start/stop command output

Some of these parameters could use some cleaning up, and are only the way they
are because of the constraints of the sh-based rc system. Notably "fib" may be
better worked into the kernel as a true jail parameter. I wouldn't expect a
one-for-one transfer of all these parameters from /etc/rc.d/jail into
jail(8), but I'd want to provide their functionality in whatever way works
best.

This is where I start to need input. What works best? I was rather surprised
at the proliferation of exec_* specifiers in the rc system (including the
recent request for yet another), and I'm not sure what the real needs are for
such things. The various filesystem parameters could probably be (mostly)
merged into a single per-jail fstab, or perhaps a "mount" pseudo-parameter.
Doubtless this config file format will grow with time, but I'd like it to get
as clean a start as possible.

Right now I don't have code I can share. I've made the code to read the config
files, but not to do anything with them yet. But as I firm up just what
configuration options will exist, something runnable should soon follow. I'm
interested in hearing the needs of jail users, to make sure I do the right
thing.

- Jamie
Date: Wed, 23 Jun 2010 17:43:32 -0300
From: Rodrigo Mosconi
To: Jamie Gritton
Cc: jail@freebsd.org, "Bjoern A. Zeeb"
Subject: Re: Thoughts on jail.config

Just a comment: IF a jail is a VNET jail, that jail doesn't need the ip4/ip6
addresses.

2010/6/23 Jamie Gritton:
> The rc system is becoming increasingly unable to handle the newer jail
> features. We've held off patching /etc/rc.d/jail for new parameters,
> with the promise of something better. Here's my outline of what I hope
> will be in fact better than what we have now.
> [...]
=A0But as I firm up > just what configuration options will exist, something runnable should > soon follow. > > I'm interested in hearing the needs of jail users, to make sure I do the > right thing. > > - Jamie > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > From owner-freebsd-jail@FreeBSD.ORG Thu Jun 24 12:43:19 2010 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 158CC106566C; Thu, 24 Jun 2010 12:43:19 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from mail.ebusiness-leidinger.de (mail.ebusiness-leidinger.de [217.11.53.44]) by mx1.freebsd.org (Postfix) with ESMTP id C349C8FC1B; Thu, 24 Jun 2010 12:43:18 +0000 (UTC) Received: from outgoing.leidinger.net (pD9E2C63A.dip.t-dialin.net [217.226.198.58]) by mail.ebusiness-leidinger.de (Postfix) with ESMTPSA id 504B4844042; Thu, 24 Jun 2010 14:43:16 +0200 (CEST) Received: from unknown (unknown [192.168.2.110]) by outgoing.leidinger.net (Postfix) with ESMTP id 7FF3F5619; Thu, 24 Jun 2010 14:43:13 +0200 (CEST) Date: Thu, 24 Jun 2010 14:43:12 +0200 From: Alexander Leidinger To: freebsd-jail@freebsd.org, jamie@FreeBSD.org Message-ID: <20100624144312.00003d9f@unknown> In-Reply-To: <4C22650C.40309@FreeBSD.org> References: <4C22650C.40309@FreeBSD.org> X-Mailer: Claws Mail 3.7.2cvs15 (GTK+ 2.16.0; i586-pc-mingw32msvc) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-EBL-MailScanner-Information: Please contact the ISP for more information X-EBL-MailScanner-ID: 504B4844042.A68CE X-EBL-MailScanner: Found to be clean X-EBL-MailScanner-SpamCheck: not spam, spamhaus-ZEN, SpamAssassin (not cached, score=0.277, required 6, autolearn=disabled, ALL_TRUSTED -1.00, J_CHICKENPOX_46 0.60, 
J_CHICKENPOX_53 0.60, TW_ZJ 0.08) X-EBL-MailScanner-From: alexander@leidinger.net X-EBL-MailScanner-Watermark: 1277988196.50631@q6UCskCqBT33MR0SA4DrLA X-EBL-Spam-Status: No Cc: Subject: Re: Thoughts on jail.config X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jun 2010 12:43:19 -0000 On Wed, 23 Jun 2010 13:48:28 -0600 Jamie Gritton wrote: > The rc system is becoming increasingly unable to handle the newer jail > features. We've held off patching /etc/rc.d/jail for new parameters, > with the promise of something better. Here's my outline of what I > hope will be in fact better than what we have now. I'm not sure from your explanation if your new setup allows ezjail to mangage jails as easy as it is now. If the new jail command will have an option to specify a config file, and the jail command only operates on the jails of this config file and ignores other jails which are already running (e.g. on a shutdown request), your new system looks like it is easy to use with ezjail. Another point which interests me is how your new way of doing things will handle things like allow.raw_sockets. Assume I have some kernel modification which adds allow.XXX, do I need to modify the parsing of the jail command to handle this, or will this work transparently without userland modifications? Bye, Alexander. 
From owner-freebsd-jail@FreeBSD.ORG Thu Jun 24 16:33:10 2010 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7CBBC1065672 for ; Thu, 24 Jun 2010 16:33:10 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from gritton.org (gritton.org [208.92.232.93]) by mx1.freebsd.org (Postfix) with ESMTP id 2B2638FC1B for ; Thu, 24 Jun 2010 16:33:09 +0000 (UTC) Received: from guppy.corp.verio.net (fw.oremut02.us.wh.verio.net [198.65.168.24]) (authenticated bits=0) by gritton.org (8.14.3/8.14.3) with ESMTP id o5OGX8PF028520; Thu, 24 Jun 2010 10:33:08 -0600 (MDT) (envelope-from jamie@FreeBSD.org) Message-ID: <4C238832.2050803@FreeBSD.org> Date: Thu, 24 Jun 2010 10:30:42 -0600 From: Jamie Gritton User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.1.5) Gecko/20100103 Thunderbird/3.0 MIME-Version: 1.0 To: freebsd-jail@FreeBSD.org References: <4C22650C.40309@FreeBSD.org> <20100624144312.00003d9f@unknown> In-Reply-To: <20100624144312.00003d9f@unknown> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Alexander Leidinger Subject: Re: Thoughts on jail.config X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jun 2010 16:33:10 -0000 On 06/24/10 06:43, Alexander Leidinger wrote: > On Wed, 23 Jun 2010 13:48:28 -0600 Jamie Gritton > wrote: > >> The rc system is becoming increasingly unable to handle the newer jail >> features. We've held off patching /etc/rc.d/jail for new parameters, >> with the promise of something better. Here's my outline of what I >> hope will be in fact better than what we have now. > > I'm not sure from your explanation if your new setup allows ezjail to > mangage jails as easy as it is now. 
If the new jail command will have > an option to specify a config file, and the jail command only operates > on the jails of this config file and ignores other jails which are > already running (e.g. on a shutdown request), your new system looks > like it is easy to use with ezjail. Yes, you'll be able to specify a config file via the command line, with a default of /etc/jail.conf. Jails that exist outside of the config file's knowledge are a tricky point, and the problems are really only on a shutdown request. While I haven't coded this part of things yet, I've considered that I'll need two different kinds of blanket shutdowns: one for all the jails in the config file, and another for all jails in the system. The latter would be the most sensible to use during system shutdown, when it doesn't make sense to leave any jails running. But orderly shutdown is part of the config spec (e.g. running "/bin/sh /etc/rc.shutdown"), and it may be best to assume that if the jails were created outside of the rc system, they'll be removed in the same way. So in short, I think it will be compatible with ezjail. > Another point which interests me is how your new way of doing things > will handle things like allow.raw_sockets. Assume I have some kernel > modification which adds allow.XXX, do I need to modify the parsing of > the jail command to handle this, or will this work transparently > without userland modifications? That will work transparently, as does the current jail(8) command line. The only time you'd need to modify userland tools for a new jail parameter is if that parameter has a data type the tools don't understand. Most parameters operate on numbers or strings, but for example IP addresses are passed in binary and userland needs to know how to convert them to/from strings. - Jamie
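As an added illustration (not code from the thread or from FreeBSD's jail(8)), here is a small Python model of the resolution rules Jamie outlines earlier in the thread: top-level and "*" defaults, hierarchical "foo.*" sections, "$var" definitions that are not jail parameters, and "$name"/"$param" substitution. The sample config, the ".example.org" hostnames and the assumption that "foo.*" applies to any jail whose name begins with "foo." are mine, and the minimal regex parser stands in for whatever jail(8) ends up using.

```python
import re

# Constructed sample in the C-style jail.conf format proposed in the thread:
# a top-level default, a "*" pseudo-jail, a hierarchical "foo.*" section
# (assumed here to mean "every jail whose name starts with foo."), a $prefix
# variable that is not itself a jail parameter, and $name substitution.
SAMPLE_CONF = '''
$prefix = "10.1.1";
path = "/usr/jail/$name";
* { host.hostname = "$name.example.org"; }
foo.* { ip4.addr = "$prefix.3"; }
foo.web { }
foo.db { ip4.addr = "$prefix.4"; }
bar { path = "/jails/bar"; ip4.addr = "$prefix.9"; }
'''

BLOCK = re.compile(r'([\w.*]+)\s*\{([^}]*)\}')          # name { ... }
ASSIGN = re.compile(r'([$\w.]+)\s*=\s*"([^"]*)"\s*;')   # key = "value";
VARREF = re.compile(r'\$(\w+)')   # shell-style: "$prefix.3" is prefix + ".3"

def parse(text):
    """Map each section name ("*", "foo.*", or a jail name) to its
    assignments; top-level assignments land under the key ""."""
    sections = {"": dict(ASSIGN.findall(BLOCK.sub("", text)))}
    for name, body in BLOCK.findall(text):
        sections.setdefault(name, {}).update(ASSIGN.findall(body))
    return sections

def jail_names(text):
    return [s for s in parse(text) if s not in ("", "*") and not s.endswith(".*")]

def resolve(text, jail):
    """Return the jail's parameters after layering defaults and expanding $refs."""
    sections = parse(text)
    # Layers from least to most specific: global, "*", matching "x.*" sections
    # (longest prefix applied last), then the jail's own section.
    prefixes = sorted((s for s in sections if s.endswith(".*")
                       and jail.startswith(s[:-1])), key=len)
    params = {}
    for layer in ["", "*"] + prefixes + [jail]:
        for k, v in sections.get(layer, {}).items():
            if not k.startswith("$"):      # "$x = ..." defines a variable only
                params[k] = v
    params["name"] = jail                  # the name parameter is implicit
    env = dict(params)                     # parameters are usable as $param ...
    env.update((k[1:], v) for k, v in sections[""].items() if k.startswith("$"))
    expand = lambda m: env.get(m.group(1), m.group(0))   # unknown $x left as-is
    return {k: VARREF.sub(expand, v) for k, v in params.items()}

if __name__ == "__main__":
    for j in jail_names(SAMPLE_CONF):
        print(j, resolve(SAMPLE_CONF, j))
```

Note that "prefix" never shows up as a jail parameter, while a top-level "prefix = ..." line (without the dollar sign) would be inherited by every jail, which is exactly the distinction Jamie draws.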