From owner-freebsd-jail@FreeBSD.ORG Mon Feb 23 14:48:24 2015
From: Ian Lepore <ian@freebsd.org>
To: freebsd-arch@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Call for review: overriding osrelease and osreldate in jails
Date: Mon, 23 Feb 2015 07:48:12 -0700
Message-ID: <1424702892.56366.31.camel@freebsd.org>
I've added the ability to specify the values returned by sysctl (and thus by uname) for kern.osrelease and kern.osreldate within a jail. The changes are available for review:

https://reviews.freebsd.org/D1948

This allows things like running an 8.4 jail on a 10.1 system such that within the jail the version is reliably spoofed as 8.4. While the uname values can be overridden with env vars, the env vars can be wiped out by scripts that use env(1). Changing the values returned by sysctl is more reliable.

-- Ian
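The override Ian describes, as an added example that is not part of the review or of his message: a jail.conf stanza that sets kern.osrelease and kern.osreldate to a matching pair, and a host-side check that the release reads the same from the sysctl, from uname -r, and from uname -r under env -i, which is exactly the case in which a UNAME_r environment override is lost. The parameter names osrelease and osreldate are the ones jail(8) documents for the committed feature, not something this page states, so confirm them against the jail(8) of your release; the function names, the jail name j84 and its path are invented for the example. The live check only runs where jexec(8) exists, so the script can be run anywhere for the pure parts.

```shell
#!/bin/sh
# Added example, not from the FreeBSD review: build a consistent
# osrelease/osreldate pair for a jail and verify the spoof inside it.

# expected_osreldate X.Y-RELEASE[-pN] -> the kern.osreldate value that
# matches, using the MMmmXXX scheme (8.4-RELEASE -> 804000,
# 10.1-RELEASE -> 1001000).  Patch levels do not change the number.
expected_osreldate() {
    ver=${1%%-*}
    case $ver in
        *[!0-9.]*) echo "bad release string: $1" >&2; return 1 ;;
        [0-9]*.[0-9]*) ;;
        *) echo "bad release string: $1" >&2; return 1 ;;
    esac
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%.*}
    echo $((major * 100000 + minor * 1000))
}

# render_jail_stanza NAME PATH RELEASE -> a jail.conf stanza on stdout.
# Jail name and path are whatever the caller passes; nothing here is real.
render_jail_stanza() {
    rd=$(expected_osreldate "$3") || return 1
    cat <<EOF
$1 {
    path = "$2";
    host.hostname = "$1";
    # What sysctl kern.osrelease / kern.osreldate (and so uname -r / uname -K)
    # report inside the jail.  Parameter names as documented in jail(8);
    # confirm against your release.
    osrelease = "$3";
    osreldate = $rd;
    exec.start = "/bin/sh /etc/rc";
    mount.devfs;
}
EOF
}

# all_equal EXPECTED VALUE... -> 0 only when every VALUE equals EXPECTED.
all_equal() {
    want=$1; shift
    for got in "$@"; do [ "$got" = "$want" ] || return 1; done
}

# verify_jail_osrelease JAIL RELEASE: FreeBSD-only live check.  Reads the
# release three ways: the sysctl, uname(1), and uname(1) under env -i, which
# is what a script that calls env(1) does to any UNAME_* override.  A spoof
# done via sysctl survives all three; one done via UNAME_r fails the third.
verify_jail_osrelease() {
    if ! command -v jexec >/dev/null 2>&1; then
        echo "jexec(8) not found; not a FreeBSD host, skipping live check"; return 0
    fi
    want_rd=$(expected_osreldate "$2") || return 1
    s=$(jexec "$1" sysctl -n kern.osrelease)
    u=$(jexec "$1" uname -r)
    e=$(jexec "$1" env -i uname -r)
    k=$(jexec "$1" sysctl -n kern.osreldate)
    if all_equal "$2" "$s" "$u" "$e" && [ "$k" = "$want_rd" ]; then
        echo "ok: $1 reports $2 ($k) via sysctl, uname and env -i uname"
    else
        echo "FAIL: $1 sysctl=$s uname=$u env-i-uname=$e osreldate=$k (want $2/$want_rd)"
        return 1
    fi
}

# Usage on the host: sh this_script.sh j84 8.4-RELEASE
if [ $# -ge 2 ]; then verify_jail_osrelease "$1" "$2"; fi
```

The override changes only what those two sysctls return; the kernel under the jail is still the host's, so kernel features and the syscall ABI are the host's and the spoof is a compatibility aid for userland, not an isolation boundary.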
From owner-freebsd-jail@FreeBSD.ORG Fri Feb 27 09:28:58 2015
From: Loïc Blot
To: freebsd-jail@freebsd.org
Subject: fib issue with VLAN
Date: Fri, 27 Feb 2015 09:21:01 +0000

Hello,
I'm trying to implement jails over multiple networks, using VLANs, with different default routes. The network stack is simple:

igb0-3 into lagg0
vlan 10-30 over lagg0
jails over VLANs using a fib for each VLAN (but no fib set on the VLAN iface itself)

Whereas it worked for a week on my server, after a reboot the outgoing packets aren't routed to lagg and then outgoing requests don't work (like DNS requests); I can't find why.

The fib is correctly set:

/etc/rc.local:
setfib 1 route add -net 192.168.136.0/24 -iface vlan136
setfib 1 route add default 192.168.136.254

root@jh1:~ # setfib 1 netstat -rnfinet
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.136.254    UGS     vlan136
192.168.136.0/24   ac:16:2d:96:e5:04  US      vlan136

and the jails are correctly configured:

root@jh1:~ # cat /var/run/jail.idevmysql.conf
# Generated by rc.d/jail at 2015-02-27 10:38:05
devmysql {
    host.hostname = "devmysql.local.net";
    path = "/jails/dev/devmysql";
    ip4.addr += "vlan136|192.168.136.50/32";
    exec.fib = "1";
    allow.raw_sockets = 0;
    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "";
    exec.consolelog = "/var/log/jail_idevmysql_console.log";
    mount.fstab = "/etc/fstab.idevmysql";
    mount.devfs;
    mount.fdescfs;
    mount += "procfs /jails/dev/idevmysql/proc procfs rw 0 0";
    allow.mount;
    allow.set_hostname = 0;
    allow.sysvipc = 0;
}

Routing is also enabled:

root@jh1:~ # sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

If we are trying to contact the jail from an external host, for example with ansible, the SSH connection works very well, but it seems outgoing initiated connections are staying on vlan136 and not forwarded to lagg0.
Have you got any idea?

Thanks in advance
Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr
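An added check for the kind of setup Loïc describes (example code, not from the thread, and not a diagnosis of his case): it parses the text of `setfib N netstat -rn -f inet` and verifies that the FIB a jail is started in with exec.fib has a default route leaving via the jail's interface, through a gateway inside the jail's connected prefix, and a connected route for that prefix. The first sample table is constructed to mirror the fib 1 table above; the second, also constructed, is the same FIB without its default route, to show what the audit reports when the `route add default` for that FIB did not take effect. Function names are invented; the live driver only runs where setfib(1) exists.

```shell
#!/bin/sh
# Added example (not from the thread): audit the per-FIB routing table a
# jail started with exec.fib relies on.  The pure functions work on the
# text of `setfib N netstat -rn -f inet`; the live driver at the bottom
# runs only on FreeBSD, so the file is safe to execute anywhere.

# Constructed sample mirroring the fib 1 table posted in the thread.
SAMPLE_FIB1='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.136.254    UGS     vlan136
192.168.136.0/24   ac:16:2d:96:e5:04  US      vlan136
'

# Constructed counter-example: the same FIB with only the connected route,
# the shape you get when the default route for that FIB was never added.
SAMPLE_NO_DEFAULT='Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags     Netif Expire
192.168.136.0/24   ac:16:2d:96:e5:04  US      vlan136
'

# fib_default_gw TABLE / fib_default_iface TABLE: gateway and Netif of the
# default route; empty output when the FIB has none.
fib_default_gw()    { printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'; }
fib_default_iface() { printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'; }

# fib_has_route TABLE PREFIX IFACE: 0 when PREFIX is bound to IFACE.
fib_has_route() {
    printf '%s\n' "$1" |
        awk -v p="$2" -v i="$3" 'BEGIN { r = 1 } $1 == p && $4 == i { r = 0 } END { exit r }'
}

# in_prefix ADDR PREFIX: 0 when ADDR lies inside PREFIX (a.b.c.d/len).
# Compares the top len bits by integer division, so plain POSIX awk suffices.
in_prefix() {
    awk -v a="$1" -v p="$2" '
    function ip2n(s,  q) { split(s, q, "."); return ((q[1]*256 + q[2])*256 + q[3])*256 + q[4] }
    BEGIN {
        split(p, pp, "/"); div = 2 ^ (32 - pp[2])
        if (int(ip2n(a) / div) == int(ip2n(pp[1]) / div)) exit 0
        exit 1
    }'
}

# audit_fib TABLE IFACE NET: check the routes a jail bound to IFACE/NET needs
# in this FIB; prints one line per check and returns the number of failures.
audit_fib() {
    table=$1 iface=$2 net=$3 fails=0
    gw=$(fib_default_gw "$table")
    dif=$(fib_default_iface "$table")
    if [ -z "$gw" ]; then
        echo "FAIL: no default route in this FIB; off-link traffic from the jail has nowhere to go"
        fails=$((fails + 1))
    elif [ "$dif" != "$iface" ]; then
        echo "FAIL: default route leaves via $dif, not the jail's $iface"
        fails=$((fails + 1))
    elif ! in_prefix "$gw" "$net"; then
        echo "FAIL: gateway $gw is outside $net and is not reachable on $iface"
        fails=$((fails + 1))
    else
        echo "ok: default via $gw on $iface"
    fi
    if fib_has_route "$table" "$net" "$iface"; then
        echo "ok: connected route $net on $iface"
    else
        echo "FAIL: no connected route for $net on $iface (expected: setfib N route add -net $net -iface $iface)"
        fails=$((fails + 1))
    fi
    return $fails
}

# audit_live FIB IFACE NET: FreeBSD-only.  Also checks that the FIB exists,
# since net.fibs is a boot-time tunable (/boot/loader.conf) and a missing
# FIB is easy to overlook after a reboot.
audit_live() {
    if ! command -v setfib >/dev/null 2>&1; then
        echo "setfib(1) not found; not a FreeBSD host, skipping live audit"; return 0
    fi
    nfibs=$(sysctl -n net.fibs)
    if [ "$1" -ge "$nfibs" ]; then
        echo "FAIL: fib $1 requested but net.fibs=$nfibs"; return 1
    fi
    audit_fib "$(setfib "$1" netstat -rn -f inet)" "$2" "$3"
}

# Usage on the host: sh this_script.sh 1 vlan136 192.168.136.0/24
if [ $# -ge 3 ]; then audit_live "$@"; fi
```

Run it once per FIB that jails use; a clean result on all checks rules out the routing table itself, which narrows a debugging session to interface bring-up order and the rc.conf lines Allan asks for below.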
From owner-freebsd-jail@FreeBSD.ORG Fri Feb 27 17:07:51 2015
From: Allan Jude
To: freebsd-jail@freebsd.org
Subject: Re: fib issue with VLAN
Date: Fri, 27 Feb 2015 12:07:59 -0500
Message-ID: <54F0A46F.7070707@freebsd.org>

On 2015-02-27 04:21, Loïc Blot wrote:
> Hello,
> I'm trying to implement jails over multiple networks, using VLANs, with different default routes. The network stack is simple:
>
> igb0-3 into lagg0
> vlan 10-30 over lagg0
> jails over VLANs using a fib for each VLAN (but no fib set on the VLAN iface itself)
>
> Whereas it worked for a week on my server, after a reboot the outgoing packets aren't routed to lagg and then outgoing requests don't work (like DNS requests); I can't find why.
> [...]
> If we are trying to contact the jail from an external host, for example with ansible, the SSH connection works very well, but it seems outgoing initiated connections are staying on vlan136 and not forwarded to lagg0.
> Have you got any idea?

The lines from your rc.conf that create the lagg and vlan interfaces may be helpful (pastebin them maybe if it is a lot of text), as well as the ifconfig output. I don't see you using any fib other than 1 for a jail, so it is hard to understand your setup.

-- 
Allan Jude