From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 14:32:46 2013
From: Jamie Gritton
Date: Sun, 31 Mar 2013 08:26:55 -0600
To: Dirk Engling
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <515847AF.8070808@FreeBSD.org>
References: <515721F8.9090202@erdgeist.org>

On 03/30/13 14:59, Dirk Engling wrote:
> On Sat, 30 Mar 2013, Nicolas de Bari Embriz Garcia Rojas wrote:
>
>> If I am right you can define the order of start for jails in the
>> jail2_list (rc.conf), something like:
>>
>> jail2_list="jail1 jail2"
>
> Thanks, I suppose it mimics the way rc.d/jail has handled it. I just
> wondered if there's a way to have this order automatically determined by
> a dependency graph, it's a minor request, though.

jail(8) itself does the dependency graph. So the jail2 startup needs to
run a single jail command instead of one for each jail.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 15:12:45 2013
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 31 Mar 2013 17:12:42 +0200
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5158526A.4020400@quip.cz>
In-Reply-To: <515847AF.8070808@FreeBSD.org>

Jamie Gritton wrote:
> On 03/30/13 14:59, Dirk Engling wrote:
>> On Sat, 30 Mar 2013, Nicolas de Bari Embriz Garcia Rojas wrote:
>>
>>> If I am right you can define the order of start for jails in the
>>> jail2_list (rc.conf), something like:
>>>
>>> jail2_list="jail1 jail2"
>>
>> Thanks, I suppose it mimics the way rc.d/jail has handled it. I just
>> wondered if there's a way to have this order automatically determined by
>> a dependency graph, it's a minor request, though.
>
> jail(8) itself does the dependency graph. So the jail2 startup needs to
> run a single jail command instead of one for each jail.

So it means jail2 should be fixed, because it runs

jail -c -i -J /var/run/jail_${_j}.id ${_j}

for each jail from jail2_list="jailA jailB"

Is there a way to disable a jail defined in jail.conf? (to avoid
jail2_list in rc.conf)

And what happens if there is jail2_list="jailA jailB" in rc.conf and
jailB is defined in jail.conf as a dependency of jailA? I guess rc.d/jail2
will try to start jailB again.
It will be started as a dependency of jailA by the first jail command
starting jailA.
Or new jail(8) doesn't start the "depend" jail automatically and just
checks its existence?
I didn't try it yet.
Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 16:28:14 2013
From: Jamie Gritton
Date: Sun, 31 Mar 2013 10:28:09 -0600
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <51586419.5090207@FreeBSD.org>
In-Reply-To: <5158526A.4020400@quip.cz>

On 03/31/13 09:12, Miroslav Lachman wrote:
> Jamie Gritton wrote:
>> On 03/30/13 14:59, Dirk Engling wrote:
>>> On Sat, 30 Mar 2013, Nicolas de Bari Embriz Garcia Rojas wrote:
>>>
>>>> If I am right you can define the order of start for jails in the
>>>> jail2_list (rc.conf), something like:
>>>>
>>>> jail2_list="jail1 jail2"
>>>
>>> Thanks, I suppose it mimics the way rc.d/jail has handled it. I just
>>> wondered if there's a way to have this order automatically determined by
>>> a dependency graph, it's a minor request, though.
>>
>> jail(8) itself does the dependency graph. So the jail2 startup needs to
>> run a single jail command instead of one for each jail.
>
> So it means jail2 should be fixed, because it runs
> jail -c -i -J /var/run/jail_${_j}.id ${_j}
> for each jail from jail2_list="jailA jailB"

Yes it does.

> Is there a way to disable a jail defined in jail.conf? (to avoid
> jail2_list in rc.conf)

I'm not sure what you're asking. You want a jail in jail.conf that's not
started up?

> And what happens if there is jail2_list="jailA jailB" in rc.conf and
> jailB is defined in jail.conf as a dependency of jailA? I guess rc.d/jail2
> will try to start jailB again.
> It will be started as a dependency of jailA by the first jail command
> starting jailA.
> Or new jail(8) doesn't start the "depend" jail automatically and just
> checks its existence?
> I didn't try it yet.

It will start jailB as part of starting jailA, and then it will try to
start jailB again on its own. So yes, it needs work.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 17:09:32 2013
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 31 Mar 2013 19:09:28 +0200
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <51586DC8.7030500@quip.cz>
In-Reply-To: <51586419.5090207@FreeBSD.org>

Jamie Gritton wrote:
> On 03/31/13 09:12, Miroslav Lachman wrote:
>> Jamie Gritton wrote:
>>> On 03/30/13 14:59, Dirk Engling wrote:
>>>> On Sat, 30 Mar 2013, Nicolas de Bari Embriz Garcia Rojas wrote:
>>>>
>>>>> If I am right you can define the order of start for jails in the
>>>>> jail2_list (rc.conf), something like:
>>>>>
>>>>> jail2_list="jail1 jail2"
>>>>
>>>> Thanks, I suppose it mimics the way rc.d/jail has handled it. I just
>>>> wondered if there's a way to have this order automatically
>>>> determined by a dependency graph, it's a minor request, though.
>>>
>>> jail(8) itself does the dependency graph. So the jail2 startup needs to
>>> run a single jail command instead of one for each jail.
>>
>> So it means jail2 should be fixed, because it runs
>> jail -c -i -J /var/run/jail_${_j}.id ${_j}
>> for each jail from jail2_list="jailA jailB"
>
> Yes it does.
>
>> Is there a way to disable a jail defined in jail.conf? (to avoid
>> jail2_list in rc.conf)
>
> I'm not sure what you're asking. You want a jail in jail.conf that's not
> started up?

Yes, I am asking if there can be some variable or parameter in jail.conf
for a jail which we don't want to start by the jail command, but leave its
configuration in jail.conf.
I am not saying I need it right now, but I can imagine a scenario where
it can be useful.

In the old style with rc.conf, we can have defined for example 5 jails
(jailA to jailE) and then enabled only some of them to start at boot
time by defining jail_list="jailA jailB jailC".

With the syntax of the new jail.conf one must delete or comment out the
whole jailD and jailE definitions to stop loading them at boot time.
Am I right?

So is it possible to add some keyword to the jail.conf jail definition?
Something like "disabled" or "noautostart" or anything else...

foo {
    disabled;
    host.hostname = "foo.com";
    ip4.addr = 10.1.1.1, 10.1.1.2, 10.1.1.3;
}

Then one can easily disable jail "foo" without a need to remove its
configuration.

>> And what happens if there is jail2_list="jailA jailB" in rc.conf and
>> jailB is defined in jail.conf as a dependency of jailA? I guess rc.d/jail2
>> will try to start jailB again.
>> It will be started as a dependency of jailA by the first jail command
>> starting jailA.
>> Or new jail(8) doesn't start the "depend" jail automatically and just
>> checks its existence?
>> I didn't try it yet.
>
> It will start jailB as part of starting jailA, and then it will try to
> start jailB again on its own. So yes, it needs work.

Thank you for the explanation.

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 18:31:21 2013
From: Jamie Gritton
Date: Sun, 31 Mar 2013 12:31:15 -0600
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <515880F3.1050300@FreeBSD.org>
In-Reply-To: <51586DC8.7030500@quip.cz>

On 03/31/13 11:09, Miroslav Lachman wrote:
> Jamie Gritton wrote:
>> On 03/31/13 09:12, Miroslav Lachman wrote:
>>
>>> Is there a way to disable a jail defined in jail.conf? (to avoid
>>> jail2_list in rc.conf)
>>
>> I'm not sure what you're asking. You want a jail in jail.conf that's not
>> started up?
>
> Yes, I am asking if there can be some variable or parameter in jail.conf
> for a jail which we don't want to start by the jail command, but leave its
> configuration in jail.conf.
> I am not saying I need it right now, but I can imagine a scenario where
> it can be useful.
>
> In the old style with rc.conf, we can have defined for example 5 jails
> (jailA to jailE) and then enabled only some of them to start at boot
> time by defining jail_list="jailA jailB jailC".
>
> With the syntax of the new jail.conf one must delete or comment out the
> whole jailD and jailE definitions to stop loading them at boot time.
> Am I right?

There is a way, though not in the jail.conf file itself. When you run
"jail -c" it will start all of the jails in the file. But if you list one
or more jails on the command line, e.g. "jail -c jailA jailB", then it
will only start those jails.

> So is it possible to add some keyword to the jail.conf jail definition?
> Something like "disabled" or "noautostart" or anything else...
>
> foo {
>     disabled;
>     host.hostname = "foo.com";
>     ip4.addr = 10.1.1.1, 10.1.1.2, 10.1.1.3;
> }
>
> Then one can easily disable jail "foo" without a need to remove its
> configuration.

That seems reasonable, but using a jail list in rc.conf may suffice.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 18:45:19 2013
From: Dirk Engling
Date: Sun, 31 Mar 2013 20:45:09 +0200
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <51588435.2010400@erdgeist.org>
In-Reply-To: <51574D3F.9040300@quip.cz>

On 30.03.13 21:38, Miroslav Lachman wrote:
> jail_myjail_flags="-l -U root -n myjail"

When trying to pass my hostname (foo.com) as jailname like that,
jail(8) will complain

jail: jail "foo" not found

as it does not allow periods in the jailname. This seems like an
unfortunate limitation, as I tend to name my jails after the fqdn they
are being started as.

FYI, the name=myjail form did not work, because rc.d/jail uses the

path hostname [ip[,...]] command ...

synopsis of the jail command, which fails if it sees name=value params.

So I guess I am out of luck here, because users used to think of their
jails as what they saw in the hostname field on jls. If I am writing
tools that use jail_getid to map the jailname to the jid, it will never
match that hostname and I also can not copy the hostname to the jailname.

Is there a reason for '.' being the only excluded character in the jailname?

erdgeist

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 18:58:25 2013
From: Dirk Engling
Date: Sun, 31 Mar 2013 20:58:20 +0200
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5158874C.2060701@erdgeist.org>
In-Reply-To: <515880F3.1050300@FreeBSD.org>

On 31.03.13 20:31, Jamie Gritton wrote:
> That seems reasonable, but using a jail list in rc.conf may suffice.

It is less error prone to just use 'jail_list=*' in rc.conf and disable
jails per config block, and then issue a warning like 'Skipping disabled
jail(s) foo, bar, baz'.

(Although I see this from a perspective of jails being virtual hosts
that should be configurable by automated tools, too.)

erdgeist

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 19:04:33 2013
From: Jamie Gritton
Date: Sun, 31 Mar 2013 13:04:26 -0600
To: Dirk Engling
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <515888BA.8060804@FreeBSD.org>
In-Reply-To: <5158874C.2060701@erdgeist.org>

On 03/31/13 12:58, Dirk Engling wrote:
> On 31.03.13 20:31, Jamie Gritton wrote:
>
>> That seems reasonable, but using a jail list in rc.conf may suffice.
>
> It is less error prone to just use 'jail_list=*' in rc.conf and disable
> jails per config block, and then issue a warning like 'Skipping disabled
> jail(s) foo, bar, baz'.
>
> (Although I see this from a perspective of jails being virtual hosts
> that should be configurable by automated tools, too.)

If you don't mind some slightly difficult error messages, you can always
"disable" a jail with exec.prestart="false". jail(8) requires all
commands to succeed, and in particular won't even create a jail when one
of the prestart commands fails.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 19:14:27 2013
From: Dirk Engling
Date: Sun, 31 Mar 2013 21:14:23 +0200 (CEST)
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
In-Reply-To: <515888BA.8060804@FreeBSD.org>

On Sun, 31 Mar 2013, Jamie Gritton wrote:

> If you don't mind some slightly difficult error messages, you can always
> "disable" a jail with exec.prestart="false". jail(8) requires all
> commands to succeed, and in particular won't even create a jail when one
> of the prestart commands fails.

This violates POLA, but failing with

exec.prestart="echo skipping jail; exit 1"

might work. Even though this is not a good marker from a scripting
perspective.

erdgeist

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 20:01:15 2013
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sun, 31 Mar 2013 22:01:11 +0200
To: Dirk Engling
Cc: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <51589607.7040401@quip.cz>
In-Reply-To: <51588435.2010400@erdgeist.org>

Dirk Engling wrote:
> On 30.03.13 21:38, Miroslav Lachman wrote:
>
>> jail_myjail_flags="-l -U root -n myjail"
>
> When trying to pass my hostname (foo.com) as jailname like that,
> jail(8) will complain
>
> jail: jail "foo" not found
>
> as it does not allow periods in the jailname. This seems like an
> unfortunate limitation, as I tend to name my jails after the fqdn they
> are being started as.
>
> FYI, the name=myjail form did not work, because rc.d/jail uses the
>
> path hostname [ip[,...]] command ...
>
> synopsis of the jail command, which fails if it sees name=value params.

I am sorry for misinforming you with name=myjail in rc.conf, I didn't try
it because I am using the old way with -n jailname on my older boxes and
I am planning to use the new syntax only with jail.conf (after the problem
with mounting of devfs is fixed).

> So I guess I am out of luck here, because users used to think of their
> jails as what they saw in the hostname field on jls. If I am writing
> tools that use jail_getid to map the jailname to the jid, it will never
> match that hostname and I also can not copy the hostname to the jailname.
>
> Is there a reason for '.' being the only excluded character in the jailname?

I understand what you are talking about, but jails these days are
something different from what jails were at the beginning in 4.x days and
users must accept that jailname is something different than hostname.
These days, you can have jails with many IP addresses or without an IP
address. Hostname needn't be unique etc.

Dot (.) is not allowed in jailname because of hierarchical jails,
where dot is used as hierarchy separator. So jailname foo.bar.baz means
foo is the top level jail, bar is its child and baz is a child of bar.

Plain jls without any options should be used just for backward
compatibility with old scripts, because its output is insufficient for
today's jails. (only one IP is shown and no jailname)

jls -v or jls -s is better with new jails.

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Sun Mar 31 20:58:37 2013
From: Dirk Engling
Date: Sun, 31 Mar 2013 22:58:33 +0200
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5158A379.2030702@erdgeist.org>
In-Reply-To: <51589607.7040401@quip.cz>

On 31.03.13 22:01, Miroslav Lachman wrote:
>> So I guess I am out of luck here, because users used to think of their
>> jails as what they saw in the hostname field on jls. If I am writing
>> tools that use jail_getid to map the jailname to the jid, it will never
>> match that hostname and I also can not copy the hostname to the jailname.
>
> I understand what you are talking about, but jails these days are
> something different from what jails were at the beginning in 4.x days and
> users must accept that jailname is something different than hostname.
> These days, you can have jails with many IP addresses or without an IP
> address. Hostname needn't be unique etc.
>
> Dot (.) is not allowed in jailname because of hierarchical jails,
> where dot is used as hierarchy separator.

Humm, this seems a strange thing to answer to my question. Once you see
jails as virtual servers (which I understand is not the only way to do
it, but the biased way I and most jail users I talk to happen to deploy
them in huge quantities), the natural approach to name them is via their
hostname. I find it hard to grasp to tell them "don't" ;)

And still I find the choice of '.' as a separator unfortunate, '/' springs
to mind, but there might have been reasons. I also understand that the
hostname is not a unique identifier anymore, still for many (if not most)
setups the mapping is bijective.

My problem now is that referring to a jail (in a sense of virtual host)
becomes unintuitive. I want to do stuff with my vhost "example.com" but
have to call it "example" or "example_com". Even worse with
"www.example.com" which now needs to be an ambiguous "www" or some other
mapping of '.' to something else.

If I want to write tools that accept intuitive jail identifiers, I would
have to implement heuristics that match the hostname once the identifier
contains '.' and I can't find a hierarchical jail with that name.

> Plain jls without any options should be used just for backward
> compatibility with old scripts, because its output is insufficient for
> today's jails. (only one IP is shown and no jailname)
>
> jls -v or jls -s is better with new jails.

Maybe it would be easier for me to understand if I knew how those jails
"in these days" are supposed to work, what the overall vision is for
users to integrate them in their workflow. Besides a wish list that
doubles as a todo list in https://wiki.freebsd.org/Jails and an attempted
handbook section rewrite, there seems to be little in that regard. Maybe
I just missed out on the discussions or could not find the relevant
documents?

Maybe meeting at a BSDcon over a beer would help ;)

Regards,

erdgeist

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 02:02:06 2013
From: Paul Schenkeveld
Date: Mon, 1 Apr 2013 04:01:58 +0200
To: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <20130401020158.GA5500@psconsult.nl>
References: <515847AF.8070808@FreeBSD.org> <5158526A.4020400@quip.cz> <51586419.5090207@FreeBSD.org> <51586DC8.7030500@quip.cz> <515880F3.1050300@FreeBSD.org> <5158874C.2060701@erdgeist.org> <515888BA.8060804@FreeBSD.org>

On Sun, Mar 31, 2013 at 09:14:23PM +0200, Dirk Engling wrote:
>
> On Sun, 31 Mar 2013, Jamie Gritton wrote:
>
> > If you don't mind some slightly difficult error messages, you can always
> > "disable" a jail with exec.prestart="false". jail(8) requires all
> > commands to succeed, and in particular won't even create a jail when one
> > of the prestart commands fails.
>
> This violates POLA, but failing with
>
> exec.prestart="echo skipping jail; exit 1"
>
> might work. Even though this is not a good marker from a scripting
> perspective.

Will this prevent all preparations from happening, i.e. will filesystems
be mounted for jails disabled this way?

Although this may work, I think that this looks dirty. I'd really prefer
a "disabled" or "noauto" keyword instead.
--
Paul Schenkeveld

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 02:24:29 2013
Date: Sun, 31 Mar 2013 20:24:26 -0600
From: Jamie Gritton
To: Paul Schenkeveld
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5158EFDA.7060406@FreeBSD.org>
In-Reply-To: <20130401020158.GA5500@psconsult.nl>

On 03/31/13 20:01, Paul Schenkeveld wrote:
> On Sun, Mar 31, 2013 at 09:14:23PM +0200, Dirk Engling wrote:
>>
>> On Sun, 31 Mar 2013, Jamie Gritton wrote:
>>
>>> If you don't mind some slightly difficult error messages, you can always
>>> "disable" a jail with exec.prestart="false". jail(8) requires all
>>> commands to succeed, and in particular won't even create a jail when one
>>> of the prestart commands fails.
>>
>> This violates POLA, but failing with
>>
>> exec.prestart="echo skipping jail; exit 1"
>>
>> might work. Even though this is not a good marker from a scripting
>> perspective.
>
> Will this prevent all preparations from happening, i.e. will filesystems
> be mounted for jails disabled this way?

It will unroll anything that's been done, or at least try to. So
filesystems will be mounted, and then unmounted.

> Although this may work, I think that this looks dirty. I'd really prefer
> a "disabled" or "noauto" keyword instead.

Oh it's definitely dirty - just something I threw out there as a hack.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 02:24:56 2013
Date: Sun, 31 Mar 2013 20:24:52 -0600
From: Jamie Gritton
To: Dirk Engling
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5158EFF4.9060604@FreeBSD.org>
In-Reply-To: <5158A379.2030702@erdgeist.org>
On 03/31/13 14:58, Dirk Engling wrote:
> On 31.03.13 22:01, Miroslav Lachman wrote:
>
>>> So I guess, I am out of luck here, because users used to think of their
>>> jails as what they saw in the hostname field on jls. If I am writing
>>> tools that use jail_getid to map the jailname to the jid, it will never
>>> match that hostname and I also can not copy the hostname to the jailname.
>>
>> I understand what you are talking about, but jails in these days are
>> something different from what jails were at the beginning in 4.x days and
>> users must accept that jailname is something different than hostname.
>
>> In these days, you can have jails with many IP addresses or without IP
>> address. Hostname needn't be unique etc.
>>
>> Dot (.) is not allowed in jailname because of hierarchical jails,
>> where dot is used as hierarchy separator.
>
> Humm, this seems a strange thing to answer to my question. Once you see
> jails as virtual servers (which I understand is not the only way to do it,
> but the biased way I and most jail users I talk to happen to deploy them
> in huge quantities), the natural approach to name them is via their
> hostname. I find it hard to grasp to tell them "don't" ;)
>
> And still I find the choice of '.' as a separator unfortunate; '/'
> springs to mind, but there might have been reasons.

It just seemed like the natural thing to do. Possibly inspired by sysctl,
but honestly I don't recall. I hadn't considered that jails would be
named after the hostname, probably because I'd never done that with my
own jails or non-jail virtualization.
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 03:23:46 2013
Date: Mon, 01 Apr 2013 05:23:41 +0200
From: "army.of.root"
To: Paul Schenkeveld
Cc: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5158FDBD.4020803@googlemail.com>
In-Reply-To: <20130401020158.GA5500@psconsult.nl>

On 2013-04-1 04:01 , Paul Schenkeveld wrote:
> On Sun, Mar 31, 2013 at 09:14:23PM +0200, Dirk Engling wrote:
>>
>> On Sun, 31 Mar 2013, Jamie Gritton wrote:
>>
>>> If you don't mind some slightly difficult error messages, you can always
>>> "disable" a jail with exec.prestart="false". jail(8) requires all
>>> commands to succeed, and in particular won't even create a jail when one
>>> of the prestart commands fails.
>>
>> This violates POLA, but failing with
>>
>> exec.prestart="echo skipping jail; exit 1"
>>
>> might work. Even though this is not a good marker from a scripting
>> perspective.
>
> Will this prevent all preparations from happening, i.e. will filesystems
> be mounted for jails disabled this way?

I've been fooling around with the new jails. I perceive lifecycle
management of jails as a common need. External-to-jail state is often
associated with the state of the jail, e.g. firewall rules, mounts, app
level stuff, error handling, fail over etc.

* If I have N operations as prestart and their equivalent N inverse
  operations as poststop, and prestart operation X (X>1) fails, the state
  produced by 1..X is maintained. The inverse operations for 1..X are
  *not* executed.

  ___
  | This is not a criticism, the design is just quite simple. But the
  | use-cases often look like this (I imagine)

* The same happens if the jail dies by its own hand; the poststop
  operations are not executed. To alter this, it would require some kind
  of supervisor or event generation (devd?) to trigger the lifecycle
  hooks.

This could become a bit tedious cleaning up on long-running many-jail
hosts as the number of stacked linprocfs/devfs/nullfs mounts rises :)
Especially if the prestart operations are not idempotent.

I assume the pre/post-start/stop execs are not a core concern of this
interface overhaul. I do a lot of automation and integration stuff and
programmability-friendliness is much appreciated. (I am a non-Developer
in the FreeBSD context)

I find the new jail interface quite awesome! Thanks for the great work!

Best regards

>
> Although this may work, I think that this looks dirty. I'd really prefer
> a "disabled" or "noauto" keyword instead.

Maybe the various init systems have some hints about this. They've been
dealing with dependencies and starting things a lot longer.
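The unwinding gap described in the post above (prestart steps 1..X-1 stay in place when step X fails, and their poststop inverses never run), as an added example that is not part of the original post or of jail(8): a POSIX sh wrapper meant to be called from an exec.prestart line, which runs ordered setup steps and, on failure, runs the inverses of the completed steps in reverse order before exiting non-zero so that jail(8) aborts creation. The step names, the FAIL_STEP failure-injection variable and the placeholder step bodies (which only record what they would do) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from jail(8): a transactional
# prestart wrapper, e.g. referenced from jail.conf as
#   exec.prestart = "/usr/local/sbin/jail-prestart --run";   (assumed path)
# Steps run in order; when one fails, the inverses of the steps that already
# succeeded run in reverse order and the script exits 1. Since jail(8)
# requires every exec.prestart command to succeed, the jail is then not
# created and no half-done external state (mounts, pf rules, routes) remains.

ACTIONS=""                    # trace of what ran, in order (for inspection)
record() { ACTIONS="${ACTIONS}${ACTIONS:+ }$1"; }

FAIL_STEP=${FAIL_STEP:-}      # constructed failure injection: name of a step

# Each step is a do_<name>/undo_<name> pair. These bodies are placeholders
# that only record their action; real ones would call mount/pfctl/route.
do_mount_fs()    { [ "$FAIL_STEP" != mount_fs ]  || return 1; record "mount_fs"; }
undo_mount_fs()  { record "umount_fs"; }
do_load_pf()     { [ "$FAIL_STEP" != load_pf ]   || return 1; record "load_pf"; }
undo_load_pf()   { record "flush_pf"; }
do_add_route()   { [ "$FAIL_STEP" != add_route ] || return 1; record "add_route"; }
undo_add_route() { record "del_route"; }

STEPS="mount_fs load_pf add_route"   # assumed step order

# run_prestart: returns 0 when every step succeeded, 1 after a failure has
# been unwound (completed steps undone newest-first).
run_prestart() {
    rp_done=""
    for rp_step in $STEPS; do
        if ! "do_$rp_step"; then
            record "FAILED:$rp_step"
            # rp_done is kept newest-first, so this loop unwinds in reverse
            for rp_prev in $rp_done; do "undo_$rp_prev"; done
            return 1
        fi
        rp_done="$rp_step $rp_done"
    done
    return 0
}

# Script entry point: a non-zero exit makes jail(8) refuse to create the jail.
if [ "${1:-}" = "--run" ]; then
    run_prestart || { echo "prestart failed, unwound: $ACTIONS" >&2; exit 1; }
    echo "prestart ok: $ACTIONS"
fi
```

Run with FAIL_STEP=add_route ./jail-prestart --run to watch the flush_pf and umount_fs inverses execute before the non-zero exit.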
From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 03:53:21 2013
Date: Mon, 1 Apr 2013 14:53:11 +1100 (EST)
From: Ian Smith
To: Dirk Engling
Cc: freebsd-jail@freebsd.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <20130401140510.Y56386@sola.nimnet.asn.au>
In-Reply-To: <5158A379.2030702@erdgeist.org>

On Sun, 31 Mar 2013 22:58:33 +0200, Dirk Engling wrote:
> On 31.03.13 22:01, Miroslav Lachman wrote:
>
>>> So I guess, I am out of luck here, because users used to think of their
>>> jails as what they saw in the hostname field on jls. If I am writing
>>> tools that use jail_getid to map the jailname to the jid, it will never
>>> match that hostname and I also can not copy the hostname to the jailname.
>>
>> I understand what you are talking about, but jails in these days are
>> something different from what jails were at the beginning in 4.x days and
>> users must accept that jailname is something different than hostname.
>
>> In these days, you can have jails with many IP addresses or without IP
>> address. Hostname needn't be unique etc.
>>
>> Dot (.) is not allowed in jailname because of hierarchical jails,
>> where dot is used as hierarchy separator.
>
> Humm, this seems a strange thing to answer to my question. Once you see
> jails as virtual servers (which I understand is not the only way to do it,
> but the biased way I and most jail users I talk to happen to deploy them
> in huge quantities), the natural approach to name them is via their
> hostname. I find it hard to grasp to tell them "don't" ;)
>
> And still I find the choice of '.' as a separator unfortunate; '/'
> springs to mind, but there might have been reasons.

'/' would be just as problematic if you wanted to use jailnames as
directories anywhere. ':' maybe? But likely too late for that ..

> I also understand that the hostname is not a unique identifier anymore;
> still, for many (if not most) setups the mapping is bijective.
>
> My problem now is that referring to a jail (in the sense of a virtual host)
> becomes unintuitive. I want to do stuff with my vhost "example.com" but
> have to call it "example" or "example_com". Even worse with
> "www.example.com", which now needs to be an ambiguous "www" or some other
> mapping of '.' to something else.
>
> If I want to write tools that accept intuitive jail identifiers, I would
> have to implement heuristics that match the hostname once the identifier
> contains '.' and I can't find a hierarchical jail with that name.

Consistent mapping of a fqdn's '.' to '_' might be more POSLA (slightly
less astonishment :) for these users? Of course if they do want to use
hierarchical jails they still need to know what '.' means and does, but
then I guess people setting up and running jails-within-jails are going
to need to have their heads screwed on pretty tightly anyway ..

>> Plain jls without any options should be used just for backward
>> compatibility with old scripts, because its output is insufficient for
>> today's jails. (only one IP is shown and no jailname)
>>
>> jls -v or jls -s is better with new jails.
>
> Maybe it would be easier for me to understand if I knew how those jails
> "in these days" are supposed to work, what the overall vision is for
> users to integrate them in their workflow. Besides a wish list that
> doubles as a todo list in
>
> https://wiki.freebsd.org/Jails
>
> and an attempted handbook section rewrite, there seems to be little in
> that regard. Maybe I just missed out on the discussions or could not
> find the relevant documents?
>
> Maybe meeting at a BSDcon over a beer would help ;)

Unlikely to hurt, anyway :)

cheers, Ian

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 11:06:45 2013
Date: Mon, 1 Apr 2013 11:06:45 GMT
Message-Id: <201304011106.r31B6jrE033695@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/176112  jail  [jail] [panic] kernel panic when starting jails
o kern/176092  jail  [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail  [jail] jail should provide validator for jail names
o kern/174436  jail  [jail] Jails with numbers as names don't work
o bin/173469   jail  [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail  [jail] reading routing information does not work in ja
o bin/167911   jail  new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail  [jail] inter-jail communication failure
o kern/156111  jail  [jail] procstat -b not supported in jail
o misc/155765  jail  [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail  [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail  [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid

17 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 1 18:40:11 2013
Date: Mon, 01 Apr 2013 12:39:55 -0600
From: Jamie Gritton
To: Ian Smith
Cc: freebsd-jail@FreeBSD.org
Subject: Re: rc.d/jail and jail.conf
Message-ID: <5159D47B.3070006@FreeBSD.org>
In-Reply-To: <20130401140510.Y56386@sola.nimnet.asn.au>

On 03/31/13 21:53, Ian Smith wrote:
> On Sun, 31 Mar 2013 22:58:33 +0200, Dirk Engling wrote:
>> Maybe meeting at a BSDcon over a beer would help ;)
>
> Unlikely to hurt, anyway :)

Perhaps I need to plan on going to BSDCan after all...
- Jamie

From owner-freebsd-jail@FreeBSD.ORG Sat Apr 6 20:54:52 2013
Date: Sat, 06 Apr 2013 23:34:33 +0300
From: "wishmaster"
To: freebsd-jail@freebsd.org
Cc: freebsd-net@freebsd.org
Subject: Problems with network on host with jail.
Message-Id: <65534.1365280473.6122751498602086400@ffe16.ukr.net>

Hi.

Since I set up a jail for www stuff on the server, there have been network
problems. The router has 3 NICs in a bridge with aliases.

  cloned_interfaces="bridge0"
  ifconfig_bridge0="addm rl1 addm rl2 addm rl3 up"
  ifconfig_rl1="up -wol"
  ifconfig_rl2="up -wol"
  ifconfig_rl3="up -wol"
  ifconfig_bridge0_alias0="inet 10.11.1.1 netmask 255.255.255.0"
  ifconfig_bridge0_alias1="inet 10.12.1.1 netmask 255.255.255.0"
  ifconfig_bridge0_alias2="inet 10.13.1.1 netmask 255.255.255.0"
  ifconfig_bridge0_alias3="inet 10.14.1.1 netmask 255.255.255.192"
  ifconfig_bridge0_alias4="inet 10.15.1.1 netmask 255.255.255.0"

Also I use PF for filtering traffic. There are a lot of rules. In two
words: it is unable to reach any host in the LAN and also any IP
addresses on the router; only access to the Internet is allowed. In other
words, the jail is in an original DMZ zone with IP 10.15.1.1.

At random times (about one incident per 2 or 3 days) a strange situation
occurs: I am unable to ping/ftp/http from the jail or from the LAN to any
host on the Internet. From/to the router it's ok. Restarting PF and the
jail seems to have no effect, only a reboot of the router helps.
From pftop I see traffic coming from the jail or LAN, but in the other
direction - no.

Can anybody give me some help in debugging this situation and figuring out
the problem?

OS: FreeBSD 9.1-STABLE #0: Fri Feb 22 20:51:16 EET 2013 i386

Cheers,
Vitaliy