From owner-freebsd-jail@freebsd.org Mon Dec 5 00:31:22 2016
From: Ernie Luzar
To: marcel
CC: jail@freebsd.org
Date: Mon, 05 Dec 2016 08:31:19 +0800
Subject: Re: Closing ports in jail with ipfw
Message-ID: <5844B557.7050304@gmail.com>
In-Reply-To: <20161117233607.3430afd4@marcel-laptop.lan>

marcel wrote:
> Hi there,
>
> I've created a jail and when I do an nmap on its IP, I can see that ports
> 25 and 22 are open, but I don't want that. So I've tried to create an IPFW
> rule by adding 'ipfw -q add 00290 deny all from router to jail' to my
> host ipfw conf file and applied it, but the jail's ports are still open.
> How can I close or open the ports of my jail?
>
> Thanks!

You cannot run nmap on the host targeting the jail's IP. Doing so only
shows you the open ports on the host. You have to run nmap from a
computer on a different public IP address, targeting the public IP
address assigned to the jail. If the jail is using a non-routable IP
address, nmap is useless for looking for the jail's open ports.

From owner-freebsd-jail@freebsd.org Wed Dec 7 00:28:52 2016
From: Kirk Coombs
To: freebsd-jail@freebsd.org
Date: Tue, 6 Dec 2016 17:20:21 -0700
Subject: Failure to add new files when updating jails with ezjail-admin
Message-Id: <90E6EB87-40FD-42EB-A45E-A5CBAF488BB9@coombscloud.com>

It looks like a similar question may have been asked on this list some
time ago (https://lists.freebsd.org/pipermail/freebsd-jail/2014-June/002577.html),
but there were no replies. I am new to jails, so perhaps I am just doing
something wrong.

I am running FreeBSD 10.3, with several jails built using ezjail-admin
using the instructions at
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html.
I also enabled ZFS in ezjail.conf. The basejail was created from
binaries using "ezjail-admin install," and contains the sources (-s),
man pages (-m), and a ports tree (-P).

For a couple of patch releases, I have updated the basejail with binary
updates using freebsd-update by executing "ezjail-admin update -u."
Each time, I have observed that it seems to update the existing files
fine, but does not add the new files that are part of the update. For
example, the update for 10.3-RELEASE-p13 updated many files, removed
some files, and added several files. However, "ezjail-admin update -u"
does not appear to be able to add the new files into the basejail. For
example, invoking "ezjail-admin update -u" to update to
10.3-RELEASE-p13 ended in some errors when adding the new files (sorry,
I didn't capture the output of that invocation).
However, these errors are repeated with subsequent invocations of
"ezjail-admin update -u," which is reproduced below:

$ sudo ezjail-admin update -u
Password:
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 10.3-RELEASE-p13.
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.3-RELEASE-p13:
/usr/share/zoneinfo/Asia/Barnaul
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/Asia/Tomsk
/usr/share/zoneinfo/Asia/Yangon
/usr/share/zoneinfo/Europe/Astrakhan
/usr/share/zoneinfo/Europe/Kirov
/usr/share/zoneinfo/Europe/Ulyanovsk
/usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure744.c
/usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure745.c
/usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure746.c
/usr/src/contrib/ntp/README.pullrequests
/usr/src/contrib/ntp/lib/isc/tsmemcmp.c
/usr/src/contrib/ntp/scripts/build/genAuthors.in
/usr/src/contrib/ntp/sntp/m4/sntp_problemtests.m4
/usr/src/contrib/ntp/tests/libntp/run-tsafememcmp.c
/usr/src/contrib/ntp/tests/libntp/tsafememcmp.c
/usr/src/contrib/tzdata/CONTRIBUTING
/usr/src/contrib/tzdata/LICENSE
/usr/src/contrib/tzdata/Makefile
/usr/src/contrib/tzdata/NEWS
/usr/src/contrib/tzdata/README
/usr/src/contrib/tzdata/Theory
/usr/src/contrib/tzdata/backzone
/usr/src/contrib/tzdata/checklinks.awk
/usr/src/contrib/tzdata/checktab.awk
/usr/src/contrib/tzdata/leapseconds.awk
/usr/src/contrib/tzdata/version
/usr/src/contrib/tzdata/zoneinfo2tdf.pl
The following files will be updated as part of updating to 10.3-RELEASE-p13:
/var/db/mergemaster.mtree
Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
mtree: /usr/jails/newjail//boot/kernel: No such file or directory
mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
Could not create kernel backup directory
$

The output is the same no matter how many times I invoke "ezjail-admin
update -u," so the new files are clearly not being inserted into the
basejail.

Any suggestions?

—Kirk Coombs

From owner-freebsd-jail@freebsd.org Wed Dec 7 01:26:34 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Kirk Coombs, freebsd-jail@freebsd.org
Date: Wed, 7 Dec 2016 02:26:23 +0100
Subject: Re: Failure to add new files when updating jails with ezjail-admin
Message-ID: <5847653F.2080502@quip.cz>
In-Reply-To: <90E6EB87-40FD-42EB-A45E-A5CBAF488BB9@coombscloud.com>

Kirk Coombs wrote on 2016/12/07 01:20:
>
> The following files will be added as part of updating to 10.3-RELEASE-p13:
> /usr/share/zoneinfo/Asia/Barnaul
> /usr/share/zoneinfo/Asia/Famagusta
> /usr/share/zoneinfo/Asia/Tomsk
> /usr/share/zoneinfo/Asia/Yangon
> /usr/share/zoneinfo/Europe/Astrakhan
> /usr/share/zoneinfo/Europe/Kirov
> /usr/share/zoneinfo/Europe/Ulyanovsk

Files below are sources; these should not be in jails.

> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure744.c
> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure745.c
> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure746.c
> /usr/src/contrib/ntp/README.pullrequests
> /usr/src/contrib/ntp/lib/isc/tsmemcmp.c
> /usr/src/contrib/ntp/scripts/build/genAuthors.in
> /usr/src/contrib/ntp/sntp/m4/sntp_problemtests.m4
> /usr/src/contrib/ntp/tests/libntp/run-tsafememcmp.c
> /usr/src/contrib/ntp/tests/libntp/tsafememcmp.c
> /usr/src/contrib/tzdata/CONTRIBUTING
> /usr/src/contrib/tzdata/LICENSE
> /usr/src/contrib/tzdata/Makefile
> /usr/src/contrib/tzdata/NEWS
> /usr/src/contrib/tzdata/README
> /usr/src/contrib/tzdata/Theory
> /usr/src/contrib/tzdata/backzone
> /usr/src/contrib/tzdata/checklinks.awk
> /usr/src/contrib/tzdata/checktab.awk
> /usr/src/contrib/tzdata/leapseconds.awk
> /usr/src/contrib/tzdata/version
> /usr/src/contrib/tzdata/zoneinfo2tdf.pl
>
> The following files will be updated as part of updating to 10.3-RELEASE-p13:
> /var/db/mergemaster.mtree
> Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
> mtree: /usr/jails/newjail//boot/kernel: No such file or directory
> mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
> touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
> Could not create kernel backup directory

Jails are not using their own kernel, thus they don't need a /boot/kernel directory.

> The output is the same no matter how many times I invoke "ezjail-admin update -u," so the new files are clearly not being inserted into the basejail.
>
> Any suggestions?

I don't like ezjail; I am rolling jails by hand (a few simple shell
scripts), so I can't talk about ezjail... but if freebsd-update failed
because /boot/kernel was not found inside the jail, you can try to
create this directory (an empty directory) and run the update again.

Miroslav Lachman

From owner-freebsd-jail@freebsd.org Wed Dec 7 01:39:03 2016
From: Ernie Luzar
To: Miroslav Lachman <000.fbsd@quip.cz>
CC: Kirk Coombs, freebsd-jail@freebsd.org
Date: Wed, 07 Dec 2016 09:39:07 +0800
Subject: Re: Failure to add new files when updating jails with ezjail-admin
Message-ID: <5847683B.8080703@gmail.com>
In-Reply-To: <5847653F.2080502@quip.cz>

Miroslav Lachman wrote:
> Kirk Coombs wrote on 2016/12/07 01:20:
>
>>
>> The following files will be added as part of updating to
>> 10.3-RELEASE-p13:
>> /usr/share/zoneinfo/Asia/Barnaul
>> /usr/share/zoneinfo/Asia/Famagusta
>> /usr/share/zoneinfo/Asia/Tomsk
>> /usr/share/zoneinfo/Asia/Yangon
>> /usr/share/zoneinfo/Europe/Astrakhan
>> /usr/share/zoneinfo/Europe/Kirov
>> /usr/share/zoneinfo/Europe/Ulyanovsk
>
> Files below are sources; these should not be in jails.
>
>> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure744.c
>> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure745.c
>> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure746.c
>> /usr/src/contrib/ntp/README.pullrequests
>> /usr/src/contrib/ntp/lib/isc/tsmemcmp.c
>> /usr/src/contrib/ntp/scripts/build/genAuthors.in
>> /usr/src/contrib/ntp/sntp/m4/sntp_problemtests.m4
>> /usr/src/contrib/ntp/tests/libntp/run-tsafememcmp.c
>> /usr/src/contrib/ntp/tests/libntp/tsafememcmp.c
>> /usr/src/contrib/tzdata/CONTRIBUTING
>> /usr/src/contrib/tzdata/LICENSE
>> /usr/src/contrib/tzdata/Makefile
>> /usr/src/contrib/tzdata/NEWS
>> /usr/src/contrib/tzdata/README
>> /usr/src/contrib/tzdata/Theory
>> /usr/src/contrib/tzdata/backzone
>> /usr/src/contrib/tzdata/checklinks.awk
>> /usr/src/contrib/tzdata/checktab.awk
>> /usr/src/contrib/tzdata/leapseconds.awk
>> /usr/src/contrib/tzdata/version
>> /usr/src/contrib/tzdata/zoneinfo2tdf.pl
>>
>> The following files will be updated as part of updating to
>> 10.3-RELEASE-p13:
>> /var/db/mergemaster.mtree
>> Installing updates...mkdir: /usr/jails/newjail//boot: No such file or
>> directory
>> mtree: /usr/jails/newjail//boot/kernel: No such file or directory
>> mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
>> touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such
>> file or directory
>> Could not create kernel backup directory
>
> Jails are not using their own kernel, thus they don't need a /boot/kernel directory.
>
>> The output is the same no matter how many times I invoke
>> "ezjail-admin update -u," so the new files are clearly not being
>> inserted into the basejail.
>>
>> Any suggestions?
>
> I don't like ezjail; I am rolling jails by hand (a few simple shell
> scripts), so I can't talk about ezjail... but if freebsd-update failed
> because /boot/kernel was not found inside the jail, you can try to
> create this directory (an empty directory) and run the update again.
>
> Miroslav Lachman

qjail, which is a fork of ezjail, doesn't use the freebsd-update method
to update its sharedfs directory tree, which ezjail calls basejail. Give
it a try. You may want to look at the jail-primer port for background
info on jails.
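An added check for the two suggestions in this thread (create the empty /boot/kernel directories that freebsd-update's kernel-backup step trips over, re-run the update, then verify). This is example code written for this page, not code from ezjail, freebsd-update or any of the posters. It assumes ezjail's shared tree at /usr/jails/basejail and its template at /usr/jails/newjail (the paths in Kirk's output), that it runs as root on the host, and that the update output is captured to a log; the sample output embedded below is constructed from the freebsd-update lines quoted above, shortened. The point a practitioner wants is the last function: after "ezjail-admin update -u" returns, compare the files freebsd-update said it would add against what is actually on disk, because a basejail that silently misses part of a patch level is still running the old code even though the command exited cleanly.

```shell
#!/bin/sh
# Added example for the ezjail update thread; not code from ezjail or the list.
# Assumed layout: ezjail's shared tree at /usr/jails/basejail and its template
# at /usr/jails/newjail (the paths in Kirk's output). Meant to run as root.

# Constructed sample of freebsd-update output (shortened from the thread), used
# so the parsing below can be exercised offline.
SAMPLE_OUTPUT='Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to 10.3-RELEASE-p13:
/usr/share/zoneinfo/Asia/Barnaul
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/Europe/Kirov
/usr/src/contrib/tzdata/version
The following files will be updated as part of updating to 10.3-RELEASE-p13:
/var/db/mergemaster.mtree
Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
Could not create kernel backup directory'

# prep_tree DIR: create the empty /boot/kernel and /boot/kernel.old directories
# that freebsd-update's "kernel backup" step expects (Miroslav's workaround; an
# assumption here, not something ezjail does for you). Jails share the host
# kernel, so the directories stay empty.
prep_tree() {
    mkdir -p "$1/boot/kernel" "$1/boot/kernel.old"
}

# added_files_from_output: read freebsd-update output on stdin and print the
# paths listed under "The following files will be added ...", one per line.
# The section ends at the next "The following files will be ..." header or at
# "Installing updates".
added_files_from_output() {
    awk '/^The following files will be added/ { on = 1; next }
         /^The following files will be/ || /^Installing updates/ { on = 0 }
         on && /^\// { print }'
}

# missing_files DIR: read expected absolute paths on stdin, print every one that
# is absent under DIR; return 1 if any is missing, 0 when all landed.
missing_files() {
    _dir=$1
    _rc=0
    while IFS= read -r _f; do
        [ -n "$_f" ] || continue
        if [ ! -e "$_dir$_f" ]; then
            printf '%s\n' "$_f"
            _rc=1
        fi
    done
    return $_rc
}

# count_missing DIR: number of expected paths (stdin) absent under DIR.
count_missing() {
    missing_files "$1" | wc -l | tr -d ' '
}

# On the host (not run here): prepare both trees, update with the output kept,
# then verify the basejail against what the update promised to add. The log
# path is an assumption.
#   for t in /usr/jails/basejail /usr/jails/newjail; do prep_tree "$t"; done
#   ezjail-admin update -u 2>&1 | tee /var/log/ezjail-update.log
#   added_files_from_output < /var/log/ezjail-update.log \
#       | missing_files /usr/jails/basejail \
#       || echo "basejail is missing files from this patch level" >&2
```

If sources are deliberately kept out of the basejail, pipe the path list through grep -v '^/usr/src/' before missing_files so that only the runtime files are checked.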
From owner-freebsd-jail@freebsd.org Wed Dec 7 19:39:22 2016
From: Kirk Coombs
To: freebsd-jail@freebsd.org
Date: Wed, 7 Dec 2016 12:39:10 -0700
Subject: Re: Failure to add new files when updating jails with ezjail-admin
Message-Id: <367EE20D-4169-43A3-A8EF-D2859C9E006F@coombscloud.com>
In-Reply-To: <5847683B.8080703@gmail.com>

> On Dec 6, 2016, at 6:39 PM, Ernie Luzar wrote:
>
> Miroslav Lachman wrote:
>> Kirk Coombs wrote on 2016/12/07 01:20:
>>>
>>> The following files will be added as part of updating to 10.3-RELEASE-p13:
>>> /usr/share/zoneinfo/Asia/Barnaul
>>> /usr/share/zoneinfo/Asia/Famagusta
>>> /usr/share/zoneinfo/Asia/Tomsk
>>> /usr/share/zoneinfo/Asia/Yangon
>>> /usr/share/zoneinfo/Europe/Astrakhan
>>> /usr/share/zoneinfo/Europe/Kirov
>>> /usr/share/zoneinfo/Europe/Ulyanovsk
>> Files below are sources; these should not be in jails.
>>> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure744.c
>>> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure745.c
>>> /usr/src/contrib/libarchive/libarchive/test/test_write_disk_secure746.c
>>> /usr/src/contrib/ntp/README.pullrequests
>>> /usr/src/contrib/ntp/lib/isc/tsmemcmp.c
>>> /usr/src/contrib/ntp/scripts/build/genAuthors.in
>>> /usr/src/contrib/ntp/sntp/m4/sntp_problemtests.m4
>>> /usr/src/contrib/ntp/tests/libntp/run-tsafememcmp.c
>>> /usr/src/contrib/ntp/tests/libntp/tsafememcmp.c
>>> /usr/src/contrib/tzdata/CONTRIBUTING
>>> /usr/src/contrib/tzdata/LICENSE
>>> /usr/src/contrib/tzdata/Makefile
>>> /usr/src/contrib/tzdata/NEWS
>>> /usr/src/contrib/tzdata/README
>>> /usr/src/contrib/tzdata/Theory
>>> /usr/src/contrib/tzdata/backzone
>>> /usr/src/contrib/tzdata/checklinks.awk
>>> /usr/src/contrib/tzdata/checktab.awk
>>> /usr/src/contrib/tzdata/leapseconds.awk
>>> /usr/src/contrib/tzdata/version
>>> /usr/src/contrib/tzdata/zoneinfo2tdf.pl
>>>
>>> The following files will be updated as part of updating to 10.3-RELEASE-p13:
>>> /var/db/mergemaster.mtree
>>> Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
>>> mtree: /usr/jails/newjail//boot/kernel: No such file or directory
>>> mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
>>> touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
>>> Could not create kernel backup directory
>> Jails are not using their own kernel, thus they don't need a /boot/kernel directory.
>>> The output is the same no matter how many times I invoke "ezjail-admin update -u," so the new files are clearly not being inserted into the basejail.
>>>
>>> Any suggestions?
>> I don't like ezjail; I am rolling jails by hand (a few simple shell scripts), so I can't talk about ezjail... but if freebsd-update failed because /boot/kernel was not found inside the jail, you can try to create this directory (an empty directory) and run the update again.
>> Miroslav Lachman
>
>
> qjail, which is a fork of ezjail, doesn't use the freebsd-update method to update its sharedfs directory tree, which ezjail calls basejail. Give it a try. You may want to look at the jail-primer port for background info on jails.
>
>

Thanks, I'll take a look at those suggestions.

From owner-freebsd-jail@freebsd.org Thu Dec 8 14:22:48 2016
From: SK
To: freebsd-jail
Date: Thu, 8 Dec 2016 14:22:25 +0000
Subject: ZFS and Jail :: nullfs mount :: nothing visible from host

Hello

I am trying to set up a bunch of jails (vimage, vtnet) on FreeBSD 11
Stable. I have created a tank/Jail dataset, and created mroot and other
stuff inside that (regular folders). The jails are using those folders
using nullfs -- so far so good.

I also have a few zfs datasets, like tank/users, tank/emails and so on,
which are null-mounted inside the jail. A typical fstab.jail looks like
below:

# Device                MountPoint                  FSType   Options  Dump  Pass
/jails/mroot            /jails/testJail             nullfs   ro       0     0
/jails/RWs/testJail     /jails/testJail/RWs         nullfs   rw       0     0
### zfs nullmount
/tank/users             /JailS/RWs/testJail/users   nullfs   rw       0     0
/tank/emails            /JailS/RWs/testJail/emails  nullfs   rw       0     0
### for Bash etc
#Device                 MountPoint                  FSType   Options  Dump  Pass
fdesc                   /dev/fd                     fdescfs  rw       0     0
proc                    /proc                       procfs   rw       0     0

Now, I am able to write files into /mails and /users, and they are
visible from within the jail. From the host -- these datasets are all
empty! ls -lah /tank/users shows no files in them, even though from
within the jail I can see that there are many folders available. This
makes managing them from the host a bit difficult.

And I have not been able to find any good documentation that can
outline how I can set up zfs so I can manage it from within the jails.
What I would really like to do is to have the zfs inside the jail, and
be able to create snapshots, use other features, etc. Failing that, I
should at least be able to do it from the host. But I cannot find any
good pointer (I have been searching for quite some time now -- maybe my
search skills are not that good) which can help in setting things up
that way.

I found one document that hinted that I might be able to achieve this
using ezjail, but I would prefer to do it the "raw" way, i.e., use the
base features with as little from ports as possible.

I am using vtnet/vimage, so all my jails are currently on a different
subnet than the LAN, and they are working alright except for this disk
management issue.

Final goal is to have samba running on one final jail, using zfs and
managing zfs features from within the jail, so that I can create
datasets as needed and take snapshots, make clones, etc.

So far I have tried to follow as many google results as possible using
jail, zfs, mountpoint, nullfs, manage zfs and so on. There were a few
sites coming up again and again, but they were talking about ezjail
(not that I have anything against it, but I would prefer to be able to
use the base system as it is -- might help me learn a few things that
ezjail will hide from me :D)

Any good how-to/documentation/pointer will be greatly appreciated.
Thanks and regards
SK

From owner-freebsd-jail@freebsd.org Thu Dec 8 16:14:19 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: SK, freebsd-jail
Date: Thu, 8 Dec 2016 17:14:08 +0100
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
Message-ID: <584986D0.3040109@quip.cz>
amd64; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Dec 2016 16:14:19 -0000 SK wrote on 2016/12/08 15:22: > So far I have tried to follow as many google results as possible using > jail, zfs, mountpoint, nullfs, manage zfs and so on. There were a few > sites coming up again and again but they were talking about ezjail (not > that I have anything against it, but I would prefer to be able to use > the base system as it is -- might help me learn a few things that ezjail > will hide from me :D) If you want to manage ZFS dataset from withing a jail, then you need to use zfs set jailed=on property (see man zfs). But this data set cannot be mounted as nullfs, it should be dedicated to the jail. You don't need ezjail because ezjail cannot do anything more than you can do. It is just a shell script wrapper. 
Miroslav Lachman

From owner-freebsd-jail@freebsd.org Thu Dec 8 16:42:13 2016
From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Date: Thu, 8 Dec 2016 16:41:29 +0000
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

On 08/12/2016 16:14, Miroslav Lachman wrote:
> SK wrote on 2016/12/08 15:22:
>
>> So far I have tried to follow as many google results as possible using
>> jail, zfs, mountpoint, nullfs, manage zfs and so on. There were a few
>> sites coming up again and again but they were talking about ezjail (not
>> that I have anything against it, but I would prefer to be able to use
>> the base system as it is -- might help me learn a few things that ezjail
>> will hide from me :D)
>
> If you want to manage a ZFS dataset from within a jail, then you need
> to use the zfs set jailed=on property (see man zfs). But this dataset
> cannot be mounted as nullfs; it should be dedicated to the jail.
>
> You don't need ezjail because ezjail cannot do anything more than you
> can do. It is just a shell script wrapper.
>
> Miroslav Lachman

Hi Miroslav

Thank you for your response. I tried setting it up like that (use zfs set jailed=on), and that did not work. I could not even run zfs from within the jail. Maybe I did something wrong -- so I am setting up a test box where I can try them all out.

I also came across these links:
https://clinta.github.io/freebsd-jails-the-hard-way/
http://aaron.baugher.biz/unix/freebsd-jails-zfs-1

I will give these a try. However, neither confirms (or maybe I missed it) if I can manage/manipulate the zfs datasets from within the jail -- and that seems to be the logical approach based on various emails on the mailing lists. So, what I am really after is some kind of a pointer/direction, maybe even a rough sketch of a how-to, that would help in getting started at least. I am not new to jails -- it is just that so far most of my jails were on UFS systems and I never encountered this issue of data mismatch between what the jail can see and what the host can see.
Thanks again
SK

From owner-freebsd-jail@freebsd.org Thu Dec 8 17:03:18 2016
From: Alexander Leidinger
To: SK
Cc: freebsd-jail
Date: Thu, 08 Dec 2016 18:02:35 +0100
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

Quoting SK (from Thu, 8 Dec 2016 16:41:29 +0000):

> Thank you for your response. I tried setting it up like that (use
> zfs set jailed=on), and that did not work. I could not even run zfs
> from within the jail. Maybe I did something wrong -- so I am setting
> up a test box where I can try them all out.

You need to have the zfs device visible in the jail; for this you need to use a devfs rule at jail start which makes it visible in the jail.

See http://www.leidinger.net/blog/2011/05/19/how-i-setup-a-jail-host in the part "Additional devfs rules for Jails" (devfsrules_jail_withzfs).

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

From owner-freebsd-jail@freebsd.org Thu Dec 8 17:11:39 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: SK, freebsd-jail
Date: Thu, 8 Dec 2016 18:11:34 +0100
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

SK wrote on 2016/12/08 17:41:
> On 08/12/2016 16:14, Miroslav Lachman wrote:
>> If you want to manage a ZFS dataset from within a jail, then you need
>> to use the zfs set jailed=on property (see man zfs). But this dataset
>> cannot be mounted as nullfs; it should be dedicated to the jail.
>>
>> You don't need ezjail because ezjail cannot do anything more than you
>> can do. It is just a shell script wrapper.
>
> Hi Miroslav
>
> Thank you for your response. I tried setting it up like that (use zfs
> set jailed=on), and that did not work. I could not even run zfs from
> within the jail. Maybe I did something wrong -- so I am setting up a
> test box where I can try them all out.
>
> I also came across these links:
> https://clinta.github.io/freebsd-jails-the-hard-way/
> http://aaron.baugher.biz/unix/freebsd-jails-zfs-1
>
> I will give these a try. However, neither confirms (or maybe I missed
> it) if I can manage/manipulate the zfs datasets from within the jail --
> and that seems to be the logical approach based on various emails on the
> mailing lists. So, what I am really after is some kind of a
> pointer/direction, maybe even a rough sketch of a how-to, that would
> help in getting started at least. I am not new to jails -- it is just
> that so far most of my jails were on UFS systems and I never encountered
> this issue of data mismatch between what the jail can see and what the
> host can see.

Did you read the man page carefully? Do you have /dev/zfs visible inside the jail's /dev/? If not, you need to create your own rule inside /etc/devfs.rules

    Jails
        A ZFS dataset can be attached to a jail by using the "zfs jail"
        subcommand. You cannot attach a dataset to one jail and the
        children of the same dataset to another jail. To allow management
        of the dataset from within a jail, the jailed property has to be
        set and the jail needs access to the /dev/zfs device. The quota
        property cannot be changed from within a jail. See jail(8) for
        information on how to allow mounting ZFS datasets from within a
        jail.

        A ZFS dataset can be detached from a jail using the "zfs unjail"
        subcommand.

        After a dataset is attached to a jail and the jailed property is
        set, a jailed file system cannot be mounted outside the jail,
        since the jail administrator might have set the mount point to an
        unacceptable value.

What are the jail's properties? Do you have something like this?

    enforce_statfs=1 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1 allow.mount.devfs=1

Then you need to run

    zfs jail $JID tank/jail/testJail

(put the real JID of the running jail and the path to the dedicated dataset)

Miroslav Lachman

From owner-freebsd-jail@freebsd.org Thu Dec 8 17:41:33 2016
From: SK
To: Alexander Leidinger, Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail
Date: Thu, 8 Dec 2016 17:41:09 +0000
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

On 08/12/2016 17:02, Alexander Leidinger wrote:
> Quoting SK (from Thu, 8 Dec 2016 16:41:29 +0000):
>
>> Thank you for your response. I tried setting it up like that (use zfs
>> set jailed=on), and that did not work. I could not even run zfs from
>> within the jail. Maybe I did something wrong -- so I am setting up a
>> test box where I can try them all out.
>
> You need to have the zfs device visible in the jail; for this you need
> to use a devfs rule at jail start which makes it visible in the jail.
>
> See http://www.leidinger.net/blog/2011/05/19/how-i-setup-a-jail-host
> in the part "Additional devfs rules for Jails"
> (devfsrules_jail_withzfs).
>
> Bye,
> Alexander.

Dear Miroslav, Alexander

Thank you both for the pointers. As soon as the test machine finishes compiling the world (I am using vimage, need a custom kernel), I will give that a try. However, I did set up the things Miroslav suggested, along with tweaking the sysctl variables for jail zfs mount, and also setting zfs jailed=on -- but on the existing system that had no effect whatsoever (even after a restart). So, I am thinking this might be due to the fact that all jails are nullfs mounted, hence the test box. I will update once I get the chance to play with the information you two kindly provided and let you know how it goes.
Thanks and regards
SK

From owner-freebsd-jail@freebsd.org Thu Dec 8 19:13:40 2016
From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Date: Thu, 8 Dec 2016 19:13:15 +0000
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

On 08/12/2016 17:11, Miroslav Lachman wrote:
>
> What are the jail's properties? Do you have something like this?
>
> enforce_statfs=1 allow.mount=1 allow.mount.zfs=1 allow.mount.procfs=1
> allow.mount.devfs=1
>
> Then you need to run
> zfs jail $JID tank/jail/testJail (put the real JID of the running jail
> and the path to the dedicated dataset)
>
> Miroslav Lachman

Dear Miroslav, Alexander

@Alexander: I checked out your link. It is interesting, but you are using ezjail, which I am trying to avoid. I have nothing against it, but I think making it work without too many additional layers of obfuscation will help me learn it better. So, thanks again, and sorry I cannot use that solution right now.

@Miroslav: as I mentioned earlier, I did have those parameters but that didn't seem to do any good on the main system since I was using nullfs for mounting jails. However, on the new system I used purely zfs and things have improved slightly.

Current status

The main system (host) has gT as the pool/dataset, where the root is mounted. I have created two more datasets:

    # zfs list
    NAME                USED  AVAIL  REFER  MOUNTPOINT
    gT                 10.3G   199G  9.51G  legacy
    gT/JailS            832M   199G    20K  /JailS
    gT/JailS/testJail   546K   199G   827M  /JailS/testJail

Initially they were not visible from within the jail, but as I ran

    zfs jail testJail gT/JailS/testJail

they were visible from inside. HOWEVER, I am unable to do any manipulation whatsoever from within the jail.

    root@testJail:/ # zfs list
    NAME                USED  AVAIL  REFER  MOUNTPOINT
    gT                 10.3G   199G  9.51G  legacy
    gT/JailS            832M   199G    20K  /JailS
    gT/JailS/testJail   546K   199G   827M  /JailS/testJail
    root@testJail:/ # zfs snapshot gT/JailS/testJail@test
    cannot create snapshots : permission denied
    root@testJail:/ # zfs create gT/JailS/testJail/test
    cannot create 'gT/JailS/testJail/test': permission denied
    root@testJail:/ # exit

Even after the jail was able to see the dataset, the following sysctl was still zero:

    security.jail.mount_zfs_allowed: 0

I changed it to one, but that didn't seem to have the desired effect (should I have restarted?)

Below are some of the relevant settings. If you require any other information, I'll try to send them as soon as I can.

    # cat /etc/jail.conf
    ==============
    ### common items
    host.hostname = "${name}";
    path = "/JailS/${name}";
    exec.start += "ifconfig ${ePairIF}b vnet ${name}";
    exec.clean;
    exec.system_user = "root";
    exec.jail_user = "root";
    exec.consolelog = "/var/log/jail_${name}_console.log";
    command = "/sbin/ifconfig ${ePairIF}b inet ${jailIP} netmask 255.255.255.240";
    command += "route add -inet default ${gWay}";
    mount.fstab = "/etc/fstab.${name}";
    devfs_ruleset = "4";
    mount.devfs;
    mount.fdescfs;
    mount.procfs;
    allow.mount;
    allow.set_hostname = 0;
    allow.sysvipc = 1;
    allow.raw_sockets = 1;
    vnet;
    vnet = "new";
    $bridgeIF = "bridge1";
    $gWay = "10.7.3.1";

    testJail {
        enforce_statfs = 1;
        allow.mount = 1;
        allow.mount.zfs = 1;
        allow.mount.procfs = 1;
        allow.mount.devfs = 1;
        $ePairIF = "epair0";
        $jailIP = "10.7.3.4";
        vnet.interface = ${ePairIF}b;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        persist;
    }
    ##################

    # cat /etc/devfs.rules
    =============
    [devfsrules_jail=4]
    add include $devfsrules_hide_all
    add include $devfsrules_unhide_basic
    add include $devfsrules_unhide_login
    add path zfs unhide

Thanks and regards
SK

From owner-freebsd-jail@freebsd.org Thu Dec 8 20:42:45 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: SK, freebsd-jail
Date: Thu, 8 Dec 2016 21:42:39 +0100
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

SK wrote on 2016/12/08 20:13:
> Initially they were not visible from within the jail, but as I ran
> zfs jail testJail gT/JailS/testJail
> they were visible from inside.

You can add zfs jail testJail gT/JailS/testJail to your jail.conf post exec so it will be executed automatically.

> HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
> root@testJail:/ # zfs list
> NAME                USED  AVAIL  REFER  MOUNTPOINT
> gT                 10.3G   199G  9.51G  legacy
> gT/JailS            832M   199G    20K  /JailS
> gT/JailS/testJail   546K   199G   827M  /JailS/testJail
> root@testJail:/ # zfs snapshot gT/JailS/testJail@test
> cannot create snapshots : permission denied
> root@testJail:/ # zfs create gT/JailS/testJail/test
> cannot create 'gT/JailS/testJail/test': permission denied
> root@testJail:/ # exit

zfs list is a good start. I never used zfs from within a jail so I cannot comment on permission denied. I don't know what more must be done.

> Even after the jail was able to see the dataset, the following sysctl
> was still zero
> security.jail.mount_zfs_allowed: 0

I think you don't need this sysctl; you just need to set proper jail options like allow.mount, allow.mount.zfs and enforce_statfs (per jail).

> I changed it to one, but that didn't seem to have the desired effect
> (should I have restarted?)

No restart needed. Sysctls are runtime configurable. If you need to preserve some sysctl settings after reboot you must put them into /etc/sysctl.conf

> Below are some of the relevant settings. If you require any other
> information, I'll try to send them as soon as I can.

Send us `sysctl security.jail` from host and from jail too.
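The pieces the replies above assemble (a dedicated dataset with jailed=on, /dev/zfs unhidden by a devfs rule, allow.mount plus allow.mount.zfs and an enforce_statfs below 2 in jail.conf, and `zfs jail` run from exec.poststart), put together in POSIX sh as an added example; this is not code from the thread or from any of its participants. Everything named here is an assumption: pool tank, jails under /jails, the delegated dataset tank/jails/<name>/data mounted at /data inside the jail, devfs ruleset number 5, and `jexec NAME zfs mount -a` in exec.poststart to mount the dataset once it is attached. With DRYRUN=1 the zfs commands are printed instead of executed, so the generators and the audit can be exercised on any machine; the real run needs a FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread: delegate one ZFS dataset to a
# jail with the base system only (no ezjail), and audit the jail settings
# the delegation depends on. Assumed names: pool tank, jails under /jails,
# data dataset tank/jails/<name>/data, devfs ruleset 5. DRYRUN=1 prints
# the zfs commands instead of running them.

POOL="${POOL:-tank}"
JAIL_BASE="${JAIL_BASE:-/jails}"
DEVFS_RULESET="${DEVFS_RULESET:-5}"

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Host side, once per jail. jailed=on hands the dataset and its children to
# the jail's root; the host never mounts it again, because the jail admin
# controls mountpoint= and could point it anywhere. quota= stays with the
# host: it cannot be changed from inside a jail.
host_prepare_dataset() {
    name="$1"; quota="${2:-10G}"
    ds="$POOL/jails/$name/data"
    run zfs create -p "$ds"
    run zfs set jailed=on "$ds"
    run zfs set mountpoint=/data "$ds"    # path as seen inside the jail
    run zfs set quota="$quota" "$ds"
}

# /etc/devfs.rules fragment: the usual jail ruleset plus /dev/zfs, which
# zfs(8) inside the jail needs to reach the kernel.
devfs_ruleset_text() {
    cat <<EOF
[devfsrules_jail_withzfs=$DEVFS_RULESET]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path zfs unhide
EOF
}

# /etc/jail.conf stanza. Mounting from inside needs allow.mount,
# allow.mount.zfs and enforce_statfs < 2. The dataset is attached after the
# jail exists (exec.poststart) and detached before it is torn down.
jail_conf_stanza() {
    name="$1"; ds="$POOL/jails/$name/data"
    cat <<EOF
$name {
    path = "$JAIL_BASE/$name";
    host.hostname = "$name";
    mount.devfs;
    devfs_ruleset = $DEVFS_RULESET;
    enforce_statfs = 1;
    allow.mount;
    allow.mount.zfs;
    exec.start = "/bin/sh /etc/rc";
    exec.poststart += "zfs jail $name $ds";
    exec.poststart += "jexec $name zfs mount -a";
    exec.prestop += "zfs unjail $name $ds";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF
}

# Audit on "name: value" lines read from stdin, as printed by
#   jexec NAME sysctl security.jail.mount_allowed \
#       security.jail.mount_zfs_allowed security.jail.enforce_statfs
# Inside a jail these report that jail's own allow.* and enforce_statfs;
# on the host they are only the defaults for newly created jails.
audit_jail_zfs_sysctls() {
    mount_ok=0; zfs_ok=0; statfs_ok=0
    while IFS=' ' read -r key val; do
        case "$key" in
            security.jail.mount_allowed:)
                if [ "$val" = 1 ]; then mount_ok=1; fi ;;
            security.jail.mount_zfs_allowed:)
                if [ "$val" = 1 ]; then zfs_ok=1; fi ;;
            security.jail.enforce_statfs:)
                if [ "$val" -lt 2 ]; then statfs_ok=1; fi ;;
        esac
    done
    [ "$mount_ok$zfs_ok$statfs_ok" = 111 ]
}

# Real run on a FreeBSD host: audit the running jail's own view and check
# that the devfs ruleset actually exposed /dev/zfs.
audit_jail_zfs() {
    name="$1"
    jexec "$name" sysctl security.jail.mount_allowed \
        security.jail.mount_zfs_allowed security.jail.enforce_statfs \
        | audit_jail_zfs_sysctls \
        || { echo "$name: jail parameters forbid zfs mounts" >&2; return 1; }
    jexec "$name" test -c /dev/zfs \
        || { echo "$name: /dev/zfs is hidden, fix the devfs ruleset" >&2; return 1; }
}
```

Run the audit from inside the jail's view, not the host's: the security.jail.*_allowed sysctls read on the host are the defaults handed to jails created afterwards, which is why changing security.jail.mount_zfs_allowed there does nothing for a jail that is already running; the per-jail allow.mount.zfs in jail.conf is what counts. Whether one jail can list datasets that belong to another is not settled in the thread; check it with zfs list from a second jail before relying on it.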
From owner-freebsd-jail@freebsd.org Fri Dec 9 10:13:00 2016
From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Date: Fri, 9 Dec 2016 10:12:32 +0000
In-Reply-To: <5849C5BF.7020005@quip.cz>
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

On 08/12/2016 20:42, Miroslav Lachman wrote:
> SK wrote on 2016/12/08 20:13:
>
>> Initially they were not visible from within the jail, but as I ran
>> zfs jail testJail gT/JailS/testJail
>> they were visible from inside.
>
> You can add zfs jail testJail gT/JailS/testJail to your jail.conf post
> exec so it will be executed automatically.
>

Good morning Miroslav, apologies for the delayed response -- went home last night since the brain was going into "sleep" mode :P

Done that, with a variable so they fit right into whatever jail it is run from :D. Thanks for the pointer.

>> root@testJail:/ # zfs create gT/JailS/testJail/test
>> *cannot create 'gT/JailS/testJail/test': permission denied*
>> root@testJail:/ # exit
>
> zfs list is a good start. I never used zfs from within jail so I cannot
> comment on permission denied. I don't know what more must be done.
>

I'm not sure which list you are referring to. I could not find any zfs list in the FreeBSD mailing list lists.

>
> Send us `sysctl security.jail` from host and from jail too.
>

Giving the sysctl values later in the email, just one other thing in case someone does not want to see them but would still be interested in what I am trying to achieve.

Right now, as it stands, I can make do with what I have achieved -- i.e., I can manage the zfs datasets from /outside/ of jail while the newly created datasets are still visible /inside/ the jail.

But, what I would really like to have:

a) ONLY the relevant datasets for a jail are visible and can be manipulated from within the jail. I do not mind if they are visible from host (in fact, I might prefer that -- not manipulate, just see and maybe take snapshot of what is there -- helps in centralizing backups). But the Jails /must not/ see each others' datasets

b) if that is not achievable, maybe not allow the jails to see the complete dataset hierarchy -- just make them feel that they are where they are in a root, but still be able to create datasets that would magically show up in the respective jails. This way, the total control is from the host itself, where no one has access to, but the datasets are restricted to different jails.

Now, for the sysctl values, here they come

##### From host itself
security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 0
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 0
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 0
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.vnet: 0
security.jail.jailed: 0

#### and from inside the jail
root@testJail:/ # sysctl security.jail
security.jail.param.sysvshm.: 0
security.jail.param.sysvsem.: 0
security.jail.param.sysvmsg.: 0
security.jail.param.allow.mount.zfs: 0
security.jail.param.allow.mount.tmpfs: 0
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.param.allow.mount.procfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.fdescfs: 0
security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.: 0
security.jail.param.allow.socket_af: 0
security.jail.param.allow.quotas: 0
security.jail.param.allow.chflags: 0
security.jail.param.allow.raw_sockets: 0
security.jail.param.allow.sysvipc: 0
security.jail.param.allow.set_hostname: 0
security.jail.param.ip6.saddrsel: 0
security.jail.param.ip6.: 0
security.jail.param.ip4.saddrsel: 0
security.jail.param.ip4.: 0
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.host.: 0
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.dying: 0
security.jail.param.vnet: 0
security.jail.param.persist: 0
security.jail.param.devfs_ruleset: 0
security.jail.param.enforce_statfs: 0
security.jail.param.osrelease: 32
security.jail.param.osreldate: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.devfs_ruleset: 4
security.jail.enforce_statfs: 1
security.jail.mount_zfs_allowed: 1
security.jail.mount_tmpfs_allowed: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0
security.jail.mount_procfs_allowed: 1
security.jail.mount_nullfs_allowed: 0
security.jail.mount_fdescfs_allowed: 0
security.jail.mount_devfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.vnet: 1
security.jail.jailed: 1
root@testJail:/ # exit

From owner-freebsd-jail@freebsd.org Fri Dec 9 11:11:58 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: SK, freebsd-jail
Message-ID: <584A9179.9060508@quip.cz>
Date: Fri, 9 Dec 2016 12:11:53 +0100
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

SK wrote on 2016/12/09 11:12:
>> zfs list is a good start. I never used zfs from within jail so I cannot
>> comment on permission denied. I don't know what more must be done.
>>
> I'm not sure which list you are referring to. I could not find any zfs
> list in the FreeBSD mailing list lists.

I mean your command "zfs list", because normally "zfs list" inside jail prints: "no datasets available" :)

> But, what I would really like to have
>
> a) ONLY the relevant datasets for a jail are visible and can be
> manipulated from within the jail. I do not mind if they are visible from
> host (in fact, I might prefer that -- not manipulate, just see and maybe
> take snapshot of what is there -- helps in centralizing backups). But
> the Jails /must not/ see each others' datasets

zfs create gT/JailS/testJail
zfs set jailed=on gT/JailS/testJail   << Did you set this property?
# (populate & start jail)
zfs jail testJail gT/JailS/testJail

> b) if that is not achievable, maybe not allow the jails to see the
> complete dataset hierarchy -- just make them feel that they are where
> they are in a root, but still be able to create datasets that would
> magically show up in the respective jails. This way, the total control
> is from the host itself, where no one has access to, but the datasets
> are restricted to different jails.

What is visible is controlled by enforce_statfs values. If you create /tank/jail/alpha and set this path to your first jail no other jail will know about it.

> Now, for the sysctl values, here they come

sysctls seem OK, I am out of ideas now. Maybe I will have time next week to try this on my test setup.

Miroslav Lachman

From owner-freebsd-jail@freebsd.org Fri Dec 9 11:37:18 2016
From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Date: Fri, 9 Dec 2016 11:36:45 +0000
In-Reply-To: <584A9179.9060508@quip.cz>
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host

Thanks Miroslav, I get the picture now. Please see my reply inline.

>>> zfs list is a good start. I never used zfs from within jail so I cannot
>>> comment on permission denied. I don't know what more must be done.
>>>
>> I'm not sure which list you are referring to. I could not find any zfs
>> list in the FreeBSD mailing list lists.
>
> I mean your command "zfs list", because normally "zfs list" inside
> jail prints: "no datasets available" :)
>

OK, considering that I have the setup as I explained before, and have run zfs jail testJail gT/JailS/testJail, I can see the complete dataset along with the ones that are NOT part of the jail. So, whatever dataset the host can see, I can see from inside the jail. However, I cannot do anything with the dataset from inside the jail.

>
>> But, what I would really like to have
>>
>> a) ONLY the relevant datasets for a jail are visible and can be
>> manipulated from within the jail. I do not mind if they are visible from
>> host (in fact, I might prefer that -- not manipulate, just see and maybe
>> take snapshot of what is there -- helps in centralizing backups). But
>> the Jails /must not/ see each others' datasets
>
>
> zfs create gT/JailS/testJail
> zfs set jailed=on gT/JailS/testJail   << Did you set this property?

Now this is an interesting bit. I tried this, and as soon as I ran the command, the dataset vanished :P

Not only that, I could not run jail any more. Given that gT/JailS is mounted on /JailS and the path parameter in jail.conf is /JailS/testJail, I am not surprised that the jail did not run (it initially complained about not being able to mount /dev, as it cannot find /JailS/testJail/dev).

As a workaround, I removed mount.devfs, mount.procfs (that complained too), mount.fdesc (complained too), and then the jail ran.

But now that I do not have devfs, I could not do anything with zfs -- I could not even see them. So, manipulation from within the jail or outside the jail was no longer possible.

>
> # (populate & start jail)
>
> zfs jail testJail gT/JailS/testJail
>
>> b) if that is not achievable, maybe not allow the jails to see the
>> complete dataset hierarchy -- just make them feel that they are where
>> they are in a root, but still be able to create datasets that would
>> magically show up in the respective jails. This way, the total control
>> is from the host itself, where no one has access to, but the datasets
>> are restricted to different jails.
>
> What is visible is controlled by enforce_statfs values. If you create
> /tank/jail/alpha and set this path to your first jail no other jail
> will know about it.

This I believe is where I am stuck at the moment. How do you set this path to the jail? Apparently running zfs jail testJail gT/JailS/testJail did not stop the testJail from seeing gT/Data or gT/JailS/Moving -- in fact, they became visible after that script was run.

Any suggestions/pointers are greatly welcome.

Out of a little bit of frustration (since I was unable to find any proper documentation on jail.conf -- there is nothing under /etc/default, there is nothing on the man page -- I could not even figure out how to define a zfs as the root/fs for the jail!), I have started looking into ezjail now -- given that everyone seems to claim it can do what I had been unable to do through the command line. If my sense and intelligence are good enough, I might be able to find out how it is done.

Thanks again for all your help and support, it is truly appreciated.

Have a nice weekend.

SK

>
>> Now, for the sysctl values, here they come
>
> sysctls seem OK, I am out of ideas now. Maybe I will have time next
> week to try this on my test setup.
>
> Miroslav Lachman

From owner-freebsd-jail@freebsd.org Fri Dec 9 12:03:26 2016
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
To: SK, freebsd-jail
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <584A9D89.4040003@quip.cz>
Date: Fri, 9 Dec 2016 13:03:21 +0100

SK wrote on 2016/12/09 12:36:
> Thanks Miroslav, I get the picture now. Please see my reply inline.

>> I mean your command "zfs list", because normally "zfs list" inside
>> jail prints: "no datasets available" :)
>>
> OK, considering that I have the setup as I explained before, and have
> run zfs jail testJail gT/JailS/testJail, I can see the complete dataset
> along with the ones that are NOT part of the jail. So, whatever dataset
> the host can see, I can see from inside the jail. However, I cannot do
> anything with the dataset from inside the jail.

I am not sure, maybe it is not possible to hide them when you need to manage zfs inside jail.
If you can live with not managing zfs inside but from the host, then you can use enforce_statfs=2. Then you will see just a root dataset inside jail.

enforce_statfs=0 ~ you will see all datasets and partitions from the host

enforce_statfs=1 ~ you will see all related to this jail (parents, devfs etc)

enforce_statfs=2 ~ only root mount is visible

>>> But, what I would really like to have
>>>
>>> a) ONLY the relevant datasets for a jail are visible and can be
>>> manipulated from within the jail. I do not mind if they are visible from
>>> host (in fact, I might prefer that -- not manipulate, just see and maybe
>>> take snapshot of what is there -- helps in centralizing backups). But
>>> the Jails /must not/ see each others' datasets
>>
>>
>> zfs create gT/JailS/testJail
>> zfs set jailed=on gT/JailS/testJail   << Did you set this property?
> Now this is an interesting bit. I tried this, and as soon as I ran the
> command, the dataset vanished :P
>
> Not only that, I could not run jail any more. Given that gT/JailS is
> mounted on /JailS and the path parameter in jail.conf is
> /JailS/testJail, I am not surprised that the jail did not run (it
> initially complained about not being able to mount /dev, as it cannot
> find /JailS/testJail/dev).
>
> As a workaround, I removed mount.devfs, mount.procfs (that complained
> too), mount.fdesc (complained too), and then the jail ran.
>
> But now that I do not have devfs, I could not do anything with zfs -- I
> could not even see them. So, manipulation from within the jail or
> outside the jail was no longer possible.

Interesting. All documentation says jailed=on must be set.

>> # (populate & start jail)
>>
>> zfs jail testJail gT/JailS/testJail
>>
>>> b) if that is not achievable, maybe not allow the jails to see the
>>> complete dataset hierarchy -- just make them feel that they are where
>>> they are in a root, but still be able to create datasets that would
>>> magically show up in the respective jails. This way, the total control
>>> is from the host itself, where no one has access to, but the datasets
>>> are restricted to different jails.
>>
>> What is visible is controlled by enforce_statfs values. If you create
>> /tank/jail/alpha and set this path to your first jail no other jail
>> will know about it.
> This I believe is where I am stuck at the moment. How do you set this
> path to the jail? Apparently running zfs jail testJail gT/JailS/testJail
> did not stop the testJail from seeing gT/Data or gT/JailS/Moving -- in
> fact, they became visible after that script was run.
>
> Any suggestions/pointers are greatly welcome.
>
> Out of a little bit of frustration (since I was unable to find any
> proper documentation on jail.conf -- there is nothing under
> /etc/default, there is nothing on the man page -- I could not even
> figure out how to define a zfs as the root/fs for the jail!), I have
> started looking into ezjail now -- given that everyone seems to claim it
> can do what I had been unable to do through the command line. If my sense
> and intelligence are good enough, I might be able to find out how it is
> done.

"Everybody" says "use ezjail" because it was the first tool to manipulate jails available for the masses. I tried it after I learned all things about jails the hard way and then I realised ezjail is doing strange things in some cases. I know it evolved, but if you need to use some tool there are some better tools (in my opinion) which were developed with ZFS features from the start.
You can try iocage or cbsd. They also can manage bhyve guests.

Miroslav Lachman

From owner-freebsd-jail@freebsd.org Fri Dec 9 12:21:35 2016
From: SK
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Message-ID: <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org>
Date: Fri, 9 Dec 2016 12:21:06 +0000
In-Reply-To: <584A9D89.4040003@quip.cz>
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
On 09/12/2016 12:03, Miroslav Lachman wrote:
>
> I am not sure, maybe it is not possible to hide them when you need to
> manage zfs inside jail.
> If you can live with not managing zfs inside but from the host, then
> you can use enforce_statfs=2. Then you will see just a root dataset
> inside jail.
>
> enforce_statfs=0 ~ you will see all datasets and partitions from the host
>
> enforce_statfs=1 ~ you will see all related to this jail (parents,
> devfs etc)
>
> enforce_statfs=2 ~ only root mount is visible
>

I will try enforce_statfs=2, maybe that will give me what I need. But still, not sure what is happening with jailed=on.

>>>
>>> zfs set jailed=on gT/JailS/testJail   << Did you set this property?
>> Now this is an interesting bit. I tried this, and as soon as I ran the
>> command, the dataset vanished :P
>>
>> Not only that, I could not run jail any more. Given that gT/JailS is
>> mounted on /JailS and the path parameter in jail.conf is
>> /JailS/testJail, I am not surprised that the jail did not run (it
>> initially complained about not being able to mount /dev, as it cannot
>> find /JailS/testJail/dev).
>>
>> As a workaround, I removed mount.devfs, mount.procfs (that complained
>> too), mount.fdesc (complained too), and then the jail ran.
>>
>> But now that I do not have devfs, I could not do anything with zfs -- I
>> could not even see them. So, manipulation from within the jail or
>> outside the jail was no longer possible.
>
> Interesting. All documentation says jailed=on must be set.
>

Yes, I know. I checked everywhere and that seems to be the norm. But the moment I do it, my jail no longer functions :P

>
> "Everybody" says "use ezjail" because it was the first tool to
> manipulate jails available for the masses. I tried it after I learned
> all things about jails the hard way and then I realised ezjail is
> doing strange things in some cases. I know it evolved, but if you need
> to use some tool there are some better tools (in my opinion) which
> were developed with ZFS features from the start.
> You can try iocage or cbsd. They also can manage bhyve guests.
>

I did try iocage for bhyve some time back; honestly, I did not like it (maybe because it tried to do things on my behalf without letting me know what it was doing). I settled for vm-bhyve instead and am quite happy about it.

cbsd I have not tried, maybe I'll give that a shot.

Still, my desire for keeping it simple and raw is preventing me from taking any of these routes. I would very much like NOT to run any additional package on the host/base itself. I already have screen, mc and wget -- that is an overkill in my own personal opinion.

Let us see how it goes. If I discover something, I will post it back.

Thanks again for your support and suggestions, they have been very very helpful.

Best regards
SK

From owner-freebsd-jail@freebsd.org Fri Dec 9 13:36:10 2016
From: Miroslav Lachman <000.fbsd@quip.cz>
To: SK, freebsd-jail
Message-ID: <584AB345.4080307@quip.cz>
Date: Fri, 9 Dec 2016 14:36:05 +0100
In-Reply-To: <3851c5d9-7646-b670-357e-ae937fcc7e8f@cps-intl.org>
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
SK wrote on 2016/12/09 13:21:
> I will try enforce_statfs=2, maybe that will give me what I need. But
> still, not sure what is happening with jailed=on.
>
>>>>
>>>> zfs set jailed=on gT/JailS/testJail   << Did you set this property?
>>> Now this is an interesting bit. I tried this, and as soon as I ran the
>>> command, the dataset vanished :P
>> Interesting. All documentation says jailed=on must be set.
>>
> Yes, I know. I checked everywhere and that seems to be the norm. But the
> moment I do it, my jail no longer functions :P

My last idea - put zfs_enable="YES" in the jail's /etc/rc.conf. Maybe the dataset is not mounted if it has property jailed=on (I don't know, I didn't test it yet).

> Still, my desire for keeping it simple and raw is preventing me from
> taking any of these routes. I would very much like NOT to run any
> additional package on the host/base itself. I already have screen, mc
> and wget -- that is an overkill in my own personal opinion.

I understand it. I am running jails on many machines for years without any 3rd party tools :)
But you can try iocage, cbsd or ezjail just to test if it is possible to do what you want. Then you can check sysctls in host, in jail, check jail's properties (`jls -s`), `zfs get all` and then you can try to reproduce it without 3rd party tools.

Ping me next week, I hope I will have more spare time to test it.

Miroslav Lachman

From owner-freebsd-jail@freebsd.org Fri Dec 9 16:50:10 2016
Date: Fri, 09 Dec 2016 17:49:47 +0100
Message-ID: <20161209174947.Horde.SMh4Zhj9PxpBbaA71NIfgFO@webmail.leidinger.net>
From: Alexander Leidinger
To: SK
Cc: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-jail
Subject: Re: ZFS and Jail :: nullfs mount :: nothing visible from host
References: <584986D0.3040109@quip.cz> <2b6346f8-ed02-0e6d-bd89-106098e7eb2d@cps-intl.org> <58499446.3050403@quip.cz>

Quoting SK (from Thu, 8 Dec 2016 19:13:15 +0000):

> @Alexander : I checked out your link. It is interesting, but you are
> using ezjail which I am trying to avoid. I have nothing against it,
> but I think making it work without too many additional layers of
> obfuscation will help me learn it better. So, thanks again, and
> sorry I cannot use that solution right now.

My comment was targeted at the devfs rule to unhide /dev/zfs (and as I
see this is what you did); this is independent of the context (plain
jail, ezjail, iocage, ...).

> Current status
>
> the main system (host) has gT as the pool/dataset, where the root is
> mounted. I have created two more datasets
> # zfs list
> NAME              USED  AVAIL  REFER  MOUNTPOINT
> gT                10.3G 199G   9.51G  legacy
> gT/JailS          832M  199G   20K    /JailS
> gT/JailS/testJail 546K  199G   827M   /JailS/testJail
>
> Initially they were not visible from within the jail, but as I ran
> zfs jail testJail gT/JailS/testJail
> they were visible from inside.

This means it works, else you would be able to see anything.
> HOWEVER, I am unable to do any manipulation whatsoever from within the jail.
> root@testJail:/ # zfs list
> NAME              USED  AVAIL  REFER  MOUNTPOINT
> gT                10.3G 199G   9.51G  legacy
> gT/JailS          832M  199G   20K    /JailS
> gT/JailS/testJail 546K  199G   827M   /JailS/testJail
> root@testJail:/ # zfs snapshot gT/JailS/testJail@test
> *cannot create snapshots : permission denied*
> root@testJail:/ # zfs create gT/JailS/testJail/test
> *cannot create 'gT/JailS/testJail/test': permission denied*
> root@testJail:/ # exit

Hmmm.... no immediate idea for that one... I definitively am able to
snapshot inside my jails. Apart from the rc.conf zfs_enable="YES" which
you already got told about... wait, have you increased the security
level ("sysctl kern.securelevel") of the host?

> Even after the jail was able to see the dataset, the following
> sysctl was still zero
> security.jail.mount_zfs_allowed: 0

I think this is needed if you want to import a pool (zpool import)
from a device (which is made visible in the devfs) or file.

> I changed it to one, but that didn't seem to have the desired effect
> (should I have restarted?)

A restart of the jail may be needed to have this setting take effect,
but not the host.

Bye,
Alexander.
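An added preflight script for the situation SK describes (editor's example, not from the thread or from any of its participants): it evaluates the knobs the reply asks about (host securelevel, allow.mount.zfs and its older sysctl spelling, jail restart) together with the two the zfs(8) manual requires for managing a dataset from inside a jail, the dataset's jailed property and enforce_statfs below 2. The jail name testJail and dataset gT/JailS/testJail are taken from SK's listing; the function names, messages and script file name are assumptions.

```shell
#!/bin/sh
# Preflight check for managing a ZFS dataset from inside a jail.
# Added example, not from the thread. Jail name and dataset in the usage line
# come from SK's listing; function names and messages are assumed.

# evaluate_delegation JAILED ALLOW_MOUNT ALLOW_MOUNT_ZFS ENFORCE_STATFS SECURELEVEL
# Pure shell so it can be exercised with sample values on any system.
# Prints one line per problem and returns 1 if any were found; a raised
# securelevel is reported as a note only.
evaluate_delegation() {
    jailed=$1 allow_mount=$2 allow_zfs=$3 enforce_statfs=$4 securelevel=$5
    rc=0
    if [ "$jailed" != "on" ]; then
        # Without jailed=on a jail can see the dataset, but every write
        # (snapshot, create, ...) is refused with "permission denied".
        echo "dataset: run 'zfs set jailed=on <dataset>' on the host"; rc=1
    fi
    case "$allow_mount" in
        1|true) ;;
        *) echo "jail: set allow.mount=1"; rc=1 ;;
    esac
    case "$allow_zfs" in
        1|true) ;;
        *)
            # security.jail.mount_zfs_allowed is the older sysctl name for
            # this knob; a running jail must be restarted for it to apply.
            echo "jail: set allow.mount.zfs=1 and restart the jail"; rc=1 ;;
    esac
    if [ "$enforce_statfs" -gt 1 ]; then
        # jail(8): allow.mount is only effective with enforce_statfs < 2.
        echo "jail: set enforce_statfs=1 (or 0)"; rc=1
    fi
    if [ "$securelevel" -ge 1 ]; then
        echo "note: host kern.securelevel=$securelevel is raised; rule it out first"
    fi
    return $rc
}

# Collect the live values on a FreeBSD host and evaluate them (only runs on
# the host: zfs, jls and sysctl are not available elsewhere).
check_jail_zfs() {
    jail=$1 ds=$2
    jailed=$(zfs get -H -o value jailed "$ds")
    set -- $(jls -j "$jail" allow.mount allow.mount.zfs enforce_statfs)
    evaluate_delegation "$jailed" "$1" "$2" "$3" "$(sysctl -n kern.securelevel)"
}

# Host-side delegation steps. /dev/zfs must also be visible inside the jail,
# e.g. through a devfs ruleset containing "add path zfs unhide".
delegate_dataset() {
    jail=$1 ds=$2
    zfs set jailed=on "$ds"
    zfs jail "$jail" "$ds"   # attachment is per jail instance: repeat after a jail restart
}

# Usage on the host: sh zfs-jail-check.sh testJail gT/JailS/testJail
if [ $# -eq 2 ]; then
    check_jail_zfs "$1" "$2"
fi
```

The evaluation is split from the collection on purpose: the same function can be fed values read from jail.conf or from a ticket, and the host-only commands stay in one place.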
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

From owner-freebsd-jail@freebsd.org Sat Dec 10 03:26:28 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 215008] [patch] jls(8) separate lists for IPv4 and IPv6 in verbose libxo output
Date: Sat, 10 Dec 2016 03:26:28 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: patch
X-Bugzilla-Status: New
X-Bugzilla-Who: linimon@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215008

Mark Linimon changed:

           What    |Removed                  |Added
----------------------------------------------------------------------------
        Assignee|freebsd-bugs@FreeBSD.org |freebsd-jail@FreeBSD.org
              CC|freebsd-jail@FreeBSD.org |

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

From owner-freebsd-jail@freebsd.org Sat Dec 10 14:33:09 2016
From: Kaya Saman
To: freebsd-jail@freebsd.org
Subject: Getting "Permission Denied" issues after migrating jails
Date: Sat, 10 Dec 2016 14:33:05 +0000

Hi,

Recently I migrated my jails onto a new ZPOOL as their old location
started filling up. I used

    rsync -avvcrt --progress --remove-source-files /path/to/jail

to achieve this.

The Jails all start fine and some processes are working inside the
jails; however, on certain things I'm getting permission denied issues.
I'm guessing this is to do with file system flags and unprivileged
users??

An example is when trying to build or update a port inside the jail:

===> Cleaning for gettext-runtime-0.19.8.1_1
pkg-static: unable to open vulnxml file /var/db/pkg/vuln.xml: Permission denied
===> gettext-runtime-0.19.8.1_1 has known vulnerabilities:
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Certain services are giving the exact same issue when trying to start.

The closest I have come to figuring this out is:
https://forums.freebsd.org/threads/44052/
which suggests fixing the noexec flags.

On the actual ZFS dataset the exec=on parameter is already set, meaning
that this must be a local issue and something to do with the "chflags"
command, but I can't recall or even find any clue on which files to run
the command on and parameters to use in "man chflags".

Would someone have an idea on a fix for this?

Thanks

Kaya
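An added audit script for the kind of problem described above (editor's example; neither the poster's commands nor anything from the forum thread linked). A "Permission denied" on a path inside a jail comes from the mode, owner or flags of the file or of some directory above it, or from dataset properties such as exec and setuid, so the script prints exactly that metadata for every path component and parses FreeBSD ls -lo output for entries carrying file flags. The sample listing, the path /JailS/testJail/var/db/pkg/vuln.xml and the dataset gT/JailS are constructed placeholders; function names and the script file name are assumptions.

```shell
#!/bin/sh
# Audit a migrated jail tree for the metadata behind "Permission denied".
# Added example, not from the thread. Paths in the usage line are placeholders.
# Note: plain rsync -a does not copy BSD file flags (FreeBSD's rsync port adds
# --fileflags for that), so the flags column is worth comparing against any
# surviving copy of the old tree.

# ancestors ABSPATH: print "/", then every directory down to ABSPATH itself,
# one per line. Pure shell (paths without spaces), so it is testable anywhere.
ancestors() {
    p=$1 list=""
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        list="$p $list"
        p=$(dirname "$p")
    done
    # word splitting of $list is intended here
    printf '%s\n' / $list
}

# flagged_files: read FreeBSD "ls -lo" lines on stdin and print "<flags> <name>"
# for every entry whose flags column is not "-" (the no-flags marker).
flagged_files() {
    while read -r mode links owner group flags size mon day time name; do
        case "$mode" in
            ''|total*) continue ;;          # skip blanks and the "total N" line
        esac
        [ "$flags" != "-" ] && printf '%s %s\n' "$flags" "$name"
    done
    return 0
}

# walk_path ABSPATH: on a FreeBSD host, show mode/owner/flags of every path
# component; the entry that looks unlike the rest is the suspect.
walk_path() {
    for d in $(ancestors "$1"); do
        ls -ldo "$d"
    done
}

# dataset_props DATASET: the properties that turn an otherwise fine tree into
# "Permission denied" / "Operation not permitted" surprises.
dataset_props() {
    zfs get -H -o property,value exec,setuid,readonly "$1"
}

# Constructed sample in FreeBSD ls -lo format (not output from the poster's
# system), used so flagged_files can be exercised on any machine.
SAMPLE_LISTING='total 24
drwxr-xr-x  2 root  wheel  -     512 Dec 10 13:02 db
-rw-r--r--  1 root  wheel  -    8841 Dec 10 13:02 vuln.xml
-rwxr-xr-x  1 root  wheel  schg 1234 Dec 10 13:02 pkg-static'

sample_flagged() {
    printf '%s\n' "$SAMPLE_LISTING" | flagged_files
}

# Usage on the host:
#   sh jail-perm-audit.sh /JailS/testJail/var/db/pkg/vuln.xml gT/JailS
if [ $# -ge 1 ]; then
    walk_path "$1"
    if [ $# -ge 2 ]; then
        dataset_props "$2"
    fi
fi
```

Run it with the jail's root-relative path translated to the host-side path (the jail's /var/db/pkg/vuln.xml lives under the jail root on the host), and read the walk from the top: the first component whose owner, mode or flags differ from the others is where the copy changed something.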