From nobody Mon Jun 7 07:04:31 2021
Date: Mon, 7 Jun 2021 09:04:31 +0200
From: Milan Obuch
To: freebsd-jail@freebsd.org
Subject: Re: jail.conf question (vnet.interface)

On Sun, 06 Jun 2021 09:23:58 -0700, James Gritton wrote:

> On 2021-06-06 06:35, Milan Obuch wrote:
> > Hi,
> >
> > for vnet jails, one needs to move some interface into created
> > virtual stack. In jail.conf, this could be achieved using
> >
> > jail0
> > {vnet;
> > vnet.interface = re2;
> > }
> >
> > and initialize moved interface using standard /etc/rc.conf
> > configuration file in jail jail0.
> >
> > Adding small paragraph about this in jail.conf man page would be
> > useful. I know it is in jail man page in some form, but it deserves
> > mentioning this in example section in jail.conf man page. At least,
> > this makes it easier to find for first comers :) (Well, that's not
> > me, I am using vnet jails aka VIMAGE from the start as an
> > experimental feature in FreeBSD 4 or 5, almost 20 years ago.)
>
> True, it would make sense to add a vnet example, since it's now
> included in the default kernel.
>

I looked once more, my suggestion would be just add another config
snippet into EXAMPLES section. Maybe something like my snippet above,
with comment pointing to jail(8) man page for more variables. While this
man page is mentioned in SEE ALSO section, it would be better to make
this link more prominent, along with simple example of vnet jail usage.

> > I need more interfaces moved this way. It is no problem issue
> > manually
> >
> > ifconfig re3 vnet jail0
> >
> > but trying to write
> >
> > jail0
> > {vnet;
> > vnet.interface = re2;
> > vnet.interface = re3;
> > }
> >
> > in jail.conf means only re3 is moved and can be configured with
> > standard rc.conf config file. First instance (re2) is kind of
> > overwritten and forgotten.
> >
> > Is it possible to move more interfaces this way at all? I'd like to
> > avoid any hacks if possible, and any workaround for this is ugly...
> >
>
> It's not possible to add more than one interface that way. It would
> make sense for vnet.interface to be an array, so you could say have a
> comma-separated list or say "vnet.interface += re3".
>

Where is this functionality implemented (at least for ip4.addr list)?
Which file? Is it a script of some kind?

> Currently, anything more than one interface would need to be an
> ifconfig command added to "exec.created".
>

Thanks for notice. Just to be sure, for interested ones - such a command
is executed before anything else, namely /etc/rc from jail. I have some
special scenario where I am not using /etc/rc in jail, just
exec.created.

Regards,
Milan

From nobody Mon Jun 7 17:34:30 2021
Date: Mon, 07 Jun 2021 10:34:30 -0700
From: James Gritton
To: freebsd-jail@freebsd.org
Cc: Milan Obuch
Subject: Re: jail.conf question (vnet.interface)

On 2021-06-07 00:04, Milan Obuch wrote:

>> > I need more interfaces moved this way. It is no problem issue
>> > manually
>> >
>> > ifconfig re3 vnet jail0
>> >
>> > but trying to write
>> >
>> > jail0
>> > {vnet;
>> > vnet.interface = re2;
>> > vnet.interface = re3;
>> > }
>> >
>> > in jail.conf means only re3 is moved and can be configured with
>> > standard rc.conf config file. First instance (re2) is kind of
>> > overwritten and forgotten.
>> >
>> > Is it possible to move more interfaces this way at all? I'd like to
>> > avoid any hacks if possible, and any workaround for this is ugly...
>> >
>>
>> It's not possible to add more than one interface that way. It would
>> make sense for vnet.interface to be an array, so you could say have a
>> comma-separated list or say "vnet.interface += re3".
>>
>
> Where is this functionality implemented (at least for ip4.addr list)?
> Which file? Is it a script of some kind?

For ip4.addr, there are two considerations. Adding the address to the
interface is done by jail(8), by running ifconfig before creating the
jail, and removing the address is likewise by ifconfig after removing
the jail. But also, the set of multiple addresses is passed through
jail_set(2) when the jail is created.

vnet.interface is handled entirely within jail(8), again running
ifconfig but this time after the jail is created. There's no
corresponding call to move the interfaces back, as that's automatic on
jail destruction.

>> Currently, anything more than one interface would need to be an
>> ifconfig command added to "exec.created".
>>
>
> Thanks for notice. Just to be sure, for interested ones - such a
> command is executed before anything else, namely /etc/rc from jail.
> I have some special scenario where I am not using /etc/rc in jail,
> just exec.created.

exec.created is the first thing run after jail_set(2) is called. In
fact, the only difference between exec.created and exec.start is the
fact that the single vnet.interface is moved between them. The order of
operations in jail creation is:

   exec.prepare
   ifconfig for adding IP addresses to interfaces
   mount filesystems
   exec.prestart
   create the jail
   exec.created
   transfer vnet.interface
   exec.start and/or command (run in jail environment)
   exec.poststart

That provides a chance to run custom commands at just about any stage
of jail creation.

- Jamie

From nobody Fri Jun 11 10:18:02 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 256544] jail crashes on config parsing
Date: Fri, 11 Jun 2021 10:18:02 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256544

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |jail@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Sat Jun 12 01:33:58 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 256544] jail crashes on config parsing
Date: Sat, 12 Jun 2021 01:33:58 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256544

joeb1@a1poweruser.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joeb1@a1poweruser.com

--- Comment #1 from joeb1@a1poweruser.com ---
See
https://forums.freebsd.org/threads/vnet-jail-with-public-internet-access-using-the-bridge-epair-method.76071/
for the correct way to set up a vnet jail. Give attention to size of
addresses to assign to each vnet jail. And besides you have every option
when it is not necessary. What you're doing with options just makes any
jail insecure. That may be ok for test but not acceptable for
production.

From nobody Sat Jun 12 05:46:54 2021
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 256544] jail crashes on config parsing
Date: Sat, 12 Jun 2021 05:46:54 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256544

--- Comment #2 from crypt47 ---
joeb1@a1poweruser.com, thanks, I can take care of my jails just fine.
It's not the point of this bug report.
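
The silent override discussed in the "jail.conf question (vnet.interface)" thread above can be caught before a jail is started. The following is an added example, not part of the original messages or of FreeBSD's jail(8): a shell function (the name lint_vnet_interface and its output format are hypothetical) that flags jail blocks assigning vnet.interface with "=" more than once and prints the exec.created line the thread gives as the workaround.

```shell
#!/bin/sh
# Added example (not from the thread): lint jail.conf text for repeated
# "vnet.interface =" assignments inside one jail block. As reported above,
# only the last assignment is moved into the jail; earlier ones are dropped.
# Simplifications (assumptions): only "#" comments are stripped, and quoted
# strings are assumed not to contain "#", ";", "{" or "}".

# Reads jail.conf text on stdin; prints one finding per overridden interface,
# with the exec.created line the thread recommends as the workaround.
lint_vnet_interface() {
    awk '
    function check(s, j,    v) {
        if (s !~ /^vnet[.]interface *=/) return   # skips "+=" and other params
        v = s
        sub(/^vnet[.]interface *= */, "", v)
        gsub(/"/, "", v)
        if (j in seen) {
            printf "%s: vnet.interface = %s is overridden by %s; ", j, seen[j], v
            printf "add: exec.created += \"ifconfig %s vnet %s\";\n", seen[j], j
        }
        seen[j] = v
    }
    { sub(/#.*/, ""); buf = buf " " $0 }          # drop comments, join lines
    END {
        # Rewrite ${var} as $var so its braces are not mistaken for a block.
        while (match(buf, /[$][{][^}]*[}]/)) {
            var = substr(buf, RSTART + 2, RLENGTH - 3)
            buf = substr(buf, 1, RSTART - 1) "$" var substr(buf, RSTART + RLENGTH)
        }
        gsub(/[{};]/, " & ", buf)                 # isolate structural tokens
        n = split(buf, tok, /[ \t]+/)
        jail = "(global)"; stmt = ""
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "") continue
            if (t == "{")      { jail = stmt; stmt = "" }
            else if (t == "}") { jail = "(global)"; stmt = "" }
            else if (t == ";") { check(stmt, jail); stmt = "" }
            else stmt = (stmt == "" ? t : stmt " " t)
        }
    }'
}

# Constructed sample: the failing configuration quoted in the thread.
lint_vnet_interface <<'EOF'
jail0
{vnet;
vnet.interface = re2;
vnet.interface = re3;
}
EOF
```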