From owner-freebsd-jail@FreeBSD.ORG Mon Oct 1 19:37:10 2007
Date: Mon, 1 Oct 2007 15:18:53 -0400 (EDT)
From: Randy Schultz
To: freebsd-jail@freebsd.org
Subject: djbdns on 1270.0.1 in a jail problem
List-Id: "Discussion about FreeBSD jail\(8\)"

Heya,

Playing around with jails and have run across something weird, I was wondering if somebody could explain.

I'm trying to get djbdns to run inside the jail, with tinydns running on 127.0.0.1. The thing I cannot figure out is why tinydns always comes up on the jail's IP address, and not lo0, as reported by sockstat:

Root Dude ? sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       863   3  tcp4   159.28.1.59:22        *:*
tinydns  tinydns    862   3  udp4   159.28.1.59:53        *:*
root     syslogd    800   4  dgram  /var/run/log
root     syslogd    800   5  dgram  /var/run/logpriv
root     syslogd    800   6  udp4   159.28.1.59:514       *:*
root     sshd       638   3  tcp4   159.28.1.66:22        *:*
root     syslogd    530   4  dgram  /var/run/log
root     syslogd    530   5  dgram  /var/run/logpriv
root     syslogd    530   6  udp6   *:514                 *:*
root     syslogd    530   7  udp4   *:514                 *:*
root     devd       464   4  stream /var/run/devd.pipe

My setup (really just a standard install) runs fine on a non-jailed system, tinydns comes up on 127.0.0.1. The jail does have the correct env setting:

[root@opal /]# cat /service/tinydns/env/IP
127.0.0.1

At first I thought it was because lo0 was not in /dev in the jail. I've gone as far as unhiding *everything* in /dev via:

Root Dude ? cat /etc/devfs.rules
[test_unhide_all=5]
add include $devfsrules_jail
add unhide

This indeed worked as the jail now has everything in its /dev. Grasping at straws, I've also tweaked sysctl settings for jails:

Root Dude ? sysctl -a|egrep jail
security.jail.jailed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1

I know it's just something simple I'm missing/glossed over while reading but could somebody pls point me in the general direction of why 127.0.0.1 appears to be unavailable, or where I could read up on how to get it to work?

Tnx.

--
Randy (schulra@earlham.edu) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.

From owner-freebsd-jail@FreeBSD.ORG Tue Oct 2 00:30:15 2007
Message-ID: <49346.192.168.10.1.1191283434.squirrel@mail.k18.ch>
Date: Tue, 2 Oct 2007 02:03:54 +0200 (CEST)
From: "Alain Wolf"
To: "Randy Schultz"
Cc: freebsd-jail@freebsd.org
Subject: Re: djbdns on 1270.0.1 in a jail problem

Randy Schultz wrote:
> Heya,
>
> Playing around with jails and have run across something weird, I was wondering if somebody could explain.
>
> I'm trying to get djbdns to run inside the jail, with tinydns running on 127.0.0.1. The thing I cannot figure out is why tinydns always comes up on
> the jail's IP address, and not lo0, as reported by sockstat: Root Dude ?

Hi Randy,

I fell in the same hole on my first setup.
There is no such thing as 127.0.0.1 in a FreeBSD Jail.
There is just the IP, which the Jail is configured for.
I am not a developer, but as far as I understand, a Jail and its IP, is
some kind of virtualization, which can not contain any virtualized
environment inside itself again. At least not in 6.x

So it looks that 127.0.0.1 would be an additional IP like any other one,
which is NOT possible in FreeBSD Jails.

I read promising things about a fully virtualized IP environment in
FreeBSD 7.x, where we can do a lot more than this, but we have to wait for
that.

After I realized that, I redesigned my plans and I liked them even better.
My DJB-DNS setup is now as follows, and works flawless.

dnscache runs in its own Jail in every physical machine, caching DNS
queries for all other Jails on the same machine.

Two copies of TinyDNS run each in its own Jail too. Providing a (rather
expensive) Split-Horizon DNS Solution.

Hope this helps

Regards

Alain

From owner-freebsd-jail@FreeBSD.ORG Tue Oct 2 03:08:29 2007
Date: Mon, 1 Oct 2007 23:09:57 -0400 (EDT)
From: Randy Schultz
To: freebsd-jail@freebsd.org
In-Reply-To: <49346.192.168.10.1.1191283434.squirrel@mail.k18.ch>
Subject: Re: djbdns on 1270.0.1 in a jail problem

On Tue, 2 Oct 2007, Alain Wolf spaketh thusly:

-}Hi Randy,
-}
-}I fell in the same hole on my first setup.
-}There is no such thing as 127.0.0.1 in a FreeBSD Jail.
-}There is just the IP, which the Jail is configured for.
-}I am not a developer, but as far as I understand, a Jail and its IP, is
-}some kind of virtualization, which can not contain any virtualized
-}environment inside itself again. At least not in 6.x
-}
-}So it looks that 127.0.0.1 would be an additional IP like any other one,
-}which is NOT possible in FreeBSD Jails.
-}
-}I read promising things about a fully virtualized IP environment in
-}FreeBSD 7.x, where we can do a lot more than this, but we have to wait for
-}that.
-}
-}After I realized that, I redesigned my plans and I liked them even better.
-}My DJB-DNS setup is now as follows, and works flawless.
-}
-}dnscache runs in its own Jail in every physical machine, caching DNS
-}queries for all other Jails on the same machine.
-}
-}Two copies of TinyDNS run each in its own Jail too. Providing a (rather
-}expensive) Split-Horizon DNS Solution.
-}
-}Hope this helps

Indeed it does. Tnx heaps and loads Alain. Now I can stop focusing on getting tinydns to work on 127.0.0.1 in the jails and investigate alternatives to do what we need to do (probably quite similar to what you've outlined). Woo-hoo!

Ah do love freebsd and the wonderful people on these lists.

Later gators.

--
Randy (schulra@earlham.edu) 765.983.1283 <*>
Love with your heart, think with your head; not the other way around.

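The symptom discussed in this thread, as an added check that is not from any of the posters or from the djbdns or FreeBSD projects: a service configured for 127.0.0.1 ends up listening on the jail's routable address. The script compares the address each socket of a command is bound to in `sockstat -l` output against the address it was configured for; `sample_sockstat` and `check_bind` are names made up for this example, and the sample input is the listing quoted in the first message.

```shell
#!/bin/sh
# Constructed sample: the `sockstat -l` listing quoted in the first message.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       863   3  tcp4   159.28.1.59:22        *:*
tinydns  tinydns    862   3  udp4   159.28.1.59:53        *:*
root     syslogd    800   4  dgram  /var/run/log
root     syslogd    800   5  dgram  /var/run/logpriv
root     syslogd    800   6  udp4   159.28.1.59:514       *:*
root     sshd       638   3  tcp4   159.28.1.66:22        *:*
root     syslogd    530   4  dgram  /var/run/log
root     syslogd    530   5  dgram  /var/run/logpriv
root     syslogd    530   6  udp6   *:514                 *:*
root     syslogd    530   7  udp4   *:514                 *:*
root     devd       464   4  stream /var/run/devd.pipe
EOF
}

# check_bind COMMAND EXPECTED_IP   (hypothetical helper, reads stdin)
# Prints one line per inet socket owned by COMMAND: "ok" when the local
# address equals EXPECTED_IP, "MISMATCH" otherwise (a wildcard "*" bind
# also counts as a mismatch, since it is wider than the configured address).
# Exit status: 0 all sockets match, 1 at least one mismatch, 2 no socket found.
check_bind() {
    awk -v cmd="$1" -v want="$2" '
        $2 != cmd                 { next }   # other commands and the header row
        $5 !~ /^(tcp|udp)[46]+$/  { next }   # skip unix-domain sockets
        {
            addr = $6; sub(/:[^:]*$/, "", addr)   # drop the trailing :port
            port = $6; sub(/^.*:/, "", port)      # keep only the port
            seen++
            verdict = (addr == want) ? "ok" : "MISMATCH"
            if (verdict != "ok") bad++
            printf "%s %s pid=%s %s bound=%s port=%s want=%s\n",
                   verdict, $2, $3, $5, addr, port, want
        }
        END { exit (seen ? (bad ? 1 : 0) : 2) }
    '
}

# Stand-alone run against the sample: tinydns was configured for 127.0.0.1.
sample_sockstat | check_bind tinydns 127.0.0.1 || true
```

Inside a jail the same function can be fed live data, for example `sockstat -l | check_bind tinydns "$(cat /service/tinydns/env/IP)"`, using the env file path shown in the first message.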
From owner-freebsd-jail@FreeBSD.ORG Wed Oct 3 16:52:44 2007
From: Tom Evans
To: freebsd-stable@freebsd.org
Cc: freebsd-jail@freebsd.org
Date: Wed, 03 Oct 2007 17:25:09 +0100
Message-Id: <1191428709.1475.26.camel@localhost>
Subject: Cannot ssh from jail

Hi stable@, jail@ [jail@ plz cc me as I'm not subscribed]

I'm having some problems setting up some jails for semi-isolated
development (ie, so we can isolate the developers into a jail, give them
all the root access they want, and not worry about them blowing up more
than their own jail) on 6.2-RELEASE-p5.

I have set up a jail, using ezjail, which appeared to work fine. I can
start the jail, and use jexec to spawn a shell inside the jail. However,
if I then try to ssh from the jail to another box, ssh fails with the
error message (with -v):

debug1: read_passphrase: can't open /dev/tty: Device busy
Host key verification failed.

The only ezjail.conf option I changed/added from default was to set
ezjail_jaildir. I left ezjail_devfs_enable="YES",
ezjail_devfs_ruleset="devfsrules_jail", the defaults.

From outside the jail, devfs appears to be mounted:

/data2/ezjails/basejail on /data2/ezjails/monotest/basejail (nullfs, local, read-only)
devfs on /data2/ezjails/monotest/dev (devfs, local)
fdescfs on /data2/ezjails/monotest/dev/fd (fdescfs)
procfs on /data2/ezjails/monotest/proc (procfs, local)

From inside the jail, there doesn't appear to be a /dev/tty, unless you
look for it:

# ls /dev
fd      ptyp0   ptyp3   ptyp6   stdin   ttyp1   ttyp4   urandom
log     ptyp1   ptyp4   random  stdout  ttyp2   ttyp5   zero
null    ptyp2   ptyp5   stderr  ttyp0   ttyp3   ttyp6
# ls -l /dev/tty
crw-rw-rw- 1 root wheel 0, 91 Oct 3 16:57 /dev/tty

I found a posting from 2005 describing the same problem [1], but
unfortunately without a resolution. I'm sure this should be possible and
I'm doing/not doing something that stops it.

Any hints, tips would be appreciated. If there's any additional
information I can provide..

Cheers

Tom

[1] http://lists.freebsd.org/pipermail/freebsd-hackers/2005-November/014423.html

From owner-freebsd-jail@FreeBSD.ORG Wed Oct 3 17:17:20 2007
Message-ID: <4703CA06.7050103@delphij.net>
Date: Wed, 03 Oct 2007 09:57:42 -0700
From: LI Xin
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Tom Evans
Cc: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
In-Reply-To: <1191428709.1475.26.camel@localhost>
Subject: Re: Cannot ssh from jail

Tom Evans wrote:
> Hi stable@, jail@ [jail@ plz cc me as I'm not subscribed]
>
> I'm having some problems setting up some jails for semi-isolated
> development (ie, so we can isolate the developers into a jail, give them
> all the root access they want, and not worry about them blowing up more
> than their own jail) on 6.2-RELEASE-p5.
>
> I have set up a jail, using ezjail, which appeared to work fine. I can
> start the jail, and use jexec to spawn a shell inside the jail. However,
> if I then try to ssh from the jail to another box, ssh fails with the
> error message (with -v):

I think the problem is that if you jexec into a jail then you don't have
a TTY at hand, so bad things would happen. If you login into the jail
by some ways (e.g. by ssh or telnet or whatever that spawns a TTY for
you) then it would work I bet.

Cheers,
--
Xin LI http://www.delphij.net/
FreeBSD - The Power to Serve!

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 4 08:20:30 2007
From: Tom Evans
To: Kim Attree
Cc: freebsd-stable@freebsd.org, freebsd-jail@freebsd.org, d@delphij.net
In-Reply-To: <4704A17E.6030703@za.verizonbusiness.com>
Date: Thu, 04 Oct 2007 09:20:25 +0100
Message-Id: <1191486025.1475.33.camel@localhost>
Subject: Re: Cannot ssh from jail

On Thu, 2007-10-04 at 10:17 +0200, Kim Attree wrote:
> LI Xin wrote:
> > Tom Evans wrote:
> >
> >> Hi stable@, jail@ [jail@ plz cc me as I'm not subscribed]
> >>
> >> I'm having some problems setting up some jails for semi-isolated
> >> development (ie, so we can isolate the developers into a jail, give them
> >> all the root access they want, and not worry about them blowing up more
> >> than their own jail) on 6.2-RELEASE-p5.
> >>
> >> I have set up a jail, using ezjail, which appeared to work fine. I can
> >> start the jail, and use jexec to spawn a shell inside the jail. However,
> >> if I then try to ssh from the jail to another box, ssh fails with the
> >> error message (with -v):
> >>
> >
> > I think the problem is that if you jexec into a jail then you don't have
> > a TTY at hand, so bad things would happen. If you login into the jail
> > by some ways (e.g. by ssh or telnet or whatever that spawns a TTY for
> > you) then it would work I bet.
> >
> > Cheers,
> >
> I had the same problem, setup SSHD in the jail, ssh'ed into that, and
> then from there got a TTY and could ssh to anywhere.
>
> Li is right, with jexec you don't get allocated a TTY.
>
> Laters,
>
> Kim

Thanks guys, that works perfectly

Cheers

Tom

From owner-freebsd-jail@FreeBSD.ORG Thu Oct 4 08:45:07 2007
Message-ID: <4704A17E.6030703@za.verizonbusiness.com>
Date: Thu, 04 Oct 2007 10:17:02 +0200
From: Kim Attree
To: d@delphij.net
Cc: Tom Evans, freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
In-Reply-To: <4703CA06.7050103@delphij.net>
Subject: Re: Cannot ssh from jail

LI Xin wrote:
> Tom Evans wrote:
>
>> Hi stable@, jail@ [jail@ plz cc me as I'm not subscribed]
>>
>> I'm having some problems setting up some jails for semi-isolated
>> development (ie, so we can isolate the developers into a jail, give them
>> all the root access they want, and not worry about them blowing up more
>> than their own jail) on 6.2-RELEASE-p5.
>>
>> I have set up a jail, using ezjail, which appeared to work fine. I can
>> start the jail, and use jexec to spawn a shell inside the jail. However,
>> if I then try to ssh from the jail to another box, ssh fails with the
>> error message (with -v):
>>
>
> I think the problem is that if you jexec into a jail then you don't have
> a TTY at hand, so bad things would happen. If you login into the jail
> by some ways (e.g. by ssh or telnet or whatever that spawns a TTY for
> you) then it would work I bet.
>
> Cheers,
>
I had the same problem, setup SSHD in the jail, ssh'ed into that, and
then from there got a TTY and could ssh to anywhere.

Li is right, with jexec you don't get allocated a TTY.

Laters,

Kim