From owner-freebsd-jail@FreeBSD.ORG Sun Jan 24 18:24:27 2010
Date: Sun, 24 Jan 2010 19:24:26 +0100
From: "Simon L. Nielsen"
To: Alexander Leidinger
Cc: jail@FreeBSD.org, Remko Lodder
Subject: Re: starting jails in the background & dependencies

On 2010.01.14 13:35:16 +0100, Alexander Leidinger wrote:
> Quoting Remko Lodder (from Tue, 5 Jan 2010
> 11:35:48 +0100):
>
> > On Tue, January 5, 2010 11:24 am, Alexander Leidinger wrote:
> >> On Mon, 07 Dec 2009 08:03:53 +0100 Alexander Leidinger
> >> wrote:
> >>
> >>> Hi,
> >>>
> >>> now that jails are started in the background (which is good, to
> >>
> >> I just realized yesterday that it also stops in parallel (in the
> >> background). This is bad. It may be the case that a jail is not fully
> >> stopped via the rc scripts when the OS decides to kill the remaining
> >> processes during a shutdown.
> >>
> >> My first reaction is to only allow to start in the background, but
> >> everything else needs to be serialized.
> >>
> >> Any objections or better ideas out there?
>
> > I think the best way at this moment is to revert the change ( I can do
> > that , or someone else, I don't mind ) and think of a better concept. Simon
> > also mentioned that he didn't like the current way of doing things, so I
> > kept it in, for possible suggestions. Reverting the change would mean that
> > the old behaviour at least works and is with what people are used to. We
> > can then further improve it where needed.
>
> What about the following? Just have a look at the principle, I haven't
> tested it yet. What it does is:
> - revert back to serial startup by default
> - allow to only start in the background (jail_parallel_start=YES)

In some thread there was talk about parallel stop as well, but I must
admit I never looked at it.

> - take input from /dev/null: in case a start script inside the
>   jail wants to read from stdin (it shouldn't), it will not
>   switch the process into STOP state (but should generate some
>   message in the application log)

This seems like a fine change - especially since the output from the
actual jail is hidden.

> Copy&paste, so maybe messed up tabs:

The bottom part of rc.d/jail after the patch seems.... well, "messy" in
lack of a better word, but since I can't come up with a better solution
right now I think this patch should be committed, and then we can
always improve the implementation later.

Note that I haven't tested it, but I don't see any errors in the patch.

> ---snip--- > Index: share/man/man5/rc.conf.5 > =================================================================== > --- share/man/man5/rc.conf.5 (Revision 202277) > +++ share/man/man5/rc.conf.5 (Arbeitskopie) > @@ -24,7 +24,7 @@ > .\" > .\" $FreeBSD$ > .\" > -.Dd November 11, 2009 > +.Dd January 14, 2010 > .Dt RC.CONF 5 > .Os > .Sh NAME > @@ -3472,6 +3472,11 @@ > If set to > .Dq Li NO , > any configured jails will not be started. > +.It jail_parallel_start > +.Pq Vt bool > +If set to > +.Dq Li YES > +all configured jails will be started in the background (= in parallel). > .It Va jail_list > .Pq Vt str > A space separated list of names for jails. > Index: etc/rc.d/jail > =================================================================== > --- etc/rc.d/jail (Revision 202277) > +++ etc/rc.d/jail (Arbeitskopie) 
> @@ -636,7 +636,8 @@ > done > > eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \ > - \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 > + \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \ > + > if [ "$?" -eq 0 ] ; then > _jail_id=$(head -1 ${_tmp_jail}) > @@ -728,4 +729,19 @@ > if [ -n "$*" ]; then > jail_list="$*" > fi > -run_rc_command "${cmd}" & > + > +# Only allow the parallel start of jails, other commands are not > +# safe to execute in parallel. > +case "${cmd}" in > +*start) > + ;; > +*) > + jail_parallel_start=NO > +esac > + > +if checkyesno jail_parallel_start; then > + run_rc_command "${cmd}" & > +else > + run_rc_command "${cmd}" > +fi > + > Index: etc/defaults/rc.conf > =================================================================== > --- etc/defaults/rc.conf (Revision 202277) > +++ etc/defaults/rc.conf (Arbeitskopie) 
> @@ -630,6 +630,7 @@ > ### Jail Configuration ####################################### > ############################################################## > jail_enable="NO" # Set to NO to disable starting of any jails > +jail_parallel_start="NO" # Start jails in the background > jail_list="" # Space separated list of names of jails > jail_set_hostname_allow="YES" # Allow root user in a jail to change > its hostname > jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail > ---snip---

--
Simon L. Nielsen

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 00:47:41 2010
Date: Mon, 25 Jan 2010 01:32:04 +0100
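Review bot: The new rc.conf.5 entry in the @@ -3472 hunk is written ".It jail_parallel_start" without the Va macro that the neighbouring ".It Va jail_list" uses, so it will not be typeset like the other variables; make it ".It Va jail_parallel_start". The text also drops the comma that follows the value elsewhere (compare ".Dq Li NO ,"), and it says "all configured jails will be started in the background" without stating the default or that only the start commands are affected, both of which the etc/rc.d/jail and etc/defaults/rc.conf parts of this patch establish.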
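Review bot: In the etc/rc.d/jail hunk at @@ -636, the eval line gains a trailing backslash but the added continuation line after it is empty as shown here, so the stdin redirect from /dev/null that the description promises is not visible in the hunk. As it stands the backslash only joins an empty line and the jail's start command still inherits the caller's stdin; the continuation line needs to carry the redirect, and the posted diff should be checked against the working copy, since the mail itself warns that the copy and paste may have damaged it.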
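Review bot: In the etc/rc.d/jail hunk at @@ -728, the case pattern "*start)" also matches "restart", so with jail_parallel_start=YES a restart is still sent to the background, which is what the comment above the case says is not safe for commands other than start. List the start variants explicitly, or match "*restart" ahead of "*start" so that it falls into the serial branch. The "*)" branch also has no terminating ";;", which is legal for the last branch but inconsistent with the one above it.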
From: Maciej Jan Broniarz
To: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: ports/packages management in jail

Hi,

I am running a server with several jails. They were created using
ezjail. What is the best way, to allow jail internal admin to manage
ports/packages by himself?
By default ezjail shares ports tree between basejail and otherjails. Is
there a way for each jail to have a separate ports tree?

Best regards,
mjb

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 05:50:22 2010
Date: Sun, 24 Jan 2010 23:20:08 -0600
From: Justin Head
To: Maciej Jan Broniarz
Cc: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: ports/packages management in jail

On 1/24/10, Maciej Jan Broniarz wrote:
> Hi,
>
> I am running a server with several jails. They were created using
> ezjail. What is the best way, to allow jail internal admin to manage
> ports/packages by himself?
> By default ezjail shares ports tree between basejail and otherjails. Is
> there a way for each jail to have a separate ports tree?
>

Inside the jail just rm the symlinked /usr/ports and then recreate
/usr/ports as a regular directory. After that a simple portsnap to grab
the ports tree.

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 06:44:12 2010
Date: Mon, 25 Jan 2010 07:44:10 +0100
From: "Remko Lodder"
To: "Simon L. Nielsen"
Cc: Alexander Leidinger, Remko Lodder, jail@freebsd.org
Subject: Re: starting jails in the background & dependencies

> Note that I haven't tested it, but I don't see any errors in the patch.
>
>> ---snip---

> --
> Simon L. Nielsen
>

Snipping a whole lot of data...

Thanks Simon, I will try to get to that as soon as possible, Alexander:
please feel free to do it earlier if possible, my internet access is
"limited" (or at least commit capabilities).

Thanks,
Remko

--
/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 08:26:10 2010
Date: Mon, 25 Jan 2010 09:26:01 +0100
From: Alexander Leidinger
To: Remko Lodder
Cc: jail@FreeBSD.org, "Simon L. Nielsen"
Subject: Re: starting jails in the background & dependencies

Quoting Remko Lodder (from Mon, 25 Jan 2010 07:44:10 +0100):

>
>
>> Note that I haven't tested it, but I don't see any errors in the patch.
>>
>>> ---snip---
>
>> --
>> Simon L. Nielsen
>>
>
> Snipping a whole lot of data...
>
> Thanks Simon, I will try to get to that as soon as possible, Alexander:
> please feel free to do it earlier if possible, my internet access is
> "limited" (or at least commit capabilities).

I have this running as I posted it. I can confirm that the
jail_parallel_start=no works as expected. I didn't try the YES case.

I am not happy about my man page change. Anyone with a better
description? We do not start the jails in parallel, we start the jails
serially in the background. I think the variable name is ok, as we
start the jails in parallel to the rest of the system start scripts. I
do not want to limit the wording so that it prevents to really start
the jails in parallel instead of serially in the background, while
still telling that it is done in parallel to the rest of the scripts.
If I get some time today, I will think about a better wording (if I do
not get something from the people reading this before).

Bye,
Alexander.

--
There's nothing remarkable about it. All one has to do is hit the
right keys at the right time and the instrument plays itself.
		-- J. S. Bach

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 11:07:04 2010
Date: Mon, 25 Jan 2010 11:07:03 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 11:14:43 2010
Date: Mon, 25 Jan 2010 11:14:42 GMT
To: david@nfrance.com, bz@FreeBSD.org, freebsd-jail@FreeBSD.org
From: bz@FreeBSD.org
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail

Synopsis: [jail] [patch] Support JAILv2 and vnet in rc.d/jail

State-Changed-From-To: open->suspended
State-Changed-By: bz
State-Changed-When: Mon Jan 25 11:12:44 UTC 2010
State-Changed-Why:
As was said multiple times before, it is very unlikely that
the current rc script will be changed for the experimental
feature and a more complete mgmt solution is being sought of
for the final support.

http://www.freebsd.org/cgi/query-pr.cgi?pr=142972

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 11:20:07 2010
Date: Mon, 25 Jan 2010 11:19:09 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-jail@FreeBSD.org
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail

On Mon, 25 Jan 2010, bz@FreeBSD.org wrote:

Hi,

> Synopsis: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
>
> State-Changed-From-To: open->suspended
> State-Changed-By: bz
> State-Changed-When: Mon Jan 25 11:12:44 UTC 2010
> State-Changed-Why:
> As was said multiple times before, it is very unlikely that
> the current rc script will be changed for the experimental
> feature and a more complete mgmt solution is being sought of
> for the final support.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=142972

that said again, I'll try to get the people involved (poked via Bcc:)
to post a draft about a possible framework here, so we can discuss all
the features, formats, needs, ... everyone has and concentrate on the
final solution rather than working on hacks on top of hacks that have
long gotten to the point that they are not feasible anymore.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 25 18:18:00 2010
Date: Mon, 25 Jan 2010 19:17:57 +0100
From: Philipp Wuensche
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@FreeBSD.org
Subject: Re: conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail

Bjoern A. Zeeb wrote:
> On Mon, 25 Jan 2010, bz@FreeBSD.org wrote:
>
> Hi,
>
>> Synopsis: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
>>
>> State-Changed-From-To: open->suspended
>> State-Changed-By: bz
>> State-Changed-When: Mon Jan 25 11:12:44 UTC 2010
>> State-Changed-Why:
>> As was said multiple times before, it is very unlikely that
>> the current rc script will be changed for the experimental
>> feature and a more complete mgmt solution is being sought of
>> for the final support.
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=142972
>
> that said again, I'll try to get the people involved (poked via Bcc:)
> to post a draft about a possible framework here, so we can discuss all
> the features, formats, needs, ... everyone has and concentrate on the
> final solution rather than working on hacks on top of hacks that have
> long gotten to the point that they are not feasible anymore.

Could you please include the ezjail-people into the discussion, we
already have a lot of stuff and really would like to contribute to the
final solution!

greetings,
philipp

From owner-freebsd-jail@FreeBSD.ORG Thu Jan 28 21:55:28 2010
From: "tom@diogunix.com"
To: freebsd-jail@freebsd.org
Date: Wed, 27 Jan 2010 03:08:21 +0100
Subject: configuration of multiple IPs for a jail

Greetings to the community. That's my first post to this list.

I run a mailserver (postfix/dovecot) in a jail on a 7.2 stable system.
My question is about configuring multiple IP addresses for that jail.

My IP configuration is just done via

# jail blabla 123.123.123.249,123.123.123.227,123.123.123.248 blabla

I want to use 123.123.123.249 as my primary IP within the jail and
furthermore use the same IP for outgoing SMTP connections.

Everything works nice so far. The only issue is, that postfix obviously
insists to use the second IP (227) to send out the Emails though it
should use the primary IP (249). Trying to bind postfix to the right
address did not help.

I've read tons about jail configuration but could not find the one hint
needed.

So my question is:
Does a jail always use the 'lowest' IP from a bunch of multiple IPs
given with the jail start command ? I can't find any other explanation.
Nothing else points to the 227 address.
And if true - is there a way to change this behaviour ?

Thanks a lot in advance
Tom

From owner-freebsd-jail@FreeBSD.ORG Thu Jan 28 22:04:56 2010
Date: Thu, 28 Jan 2010 22:37:01 +0100
From: Christer Solskogen
To: freebsd-jail@freebsd.org
Subject: How do you manage your jails?

So you have installed a FreeBSD server and set up several jails on your
system. They run the services they need and everything works smoothly.
But how do you manage all of them? What do you do if you want to run a
command on all jails? Do you run cfengine/puppy?
How do you set up sendmail? Do you have sendmail on all jails?
Do you share ports to all jails? How do you keep ports up to date on them?
Do you have a set of scripts that you want to share?
On http://antarctica.no/stuff/UNIX/FreeBSD/jails/ you'll find what I use.

I'm preparing a talk for BLUG (the local Linux/BSD group) and I want to
know how YOU manage your jails, there sure is more than one way to do it.

--
chs

From owner-freebsd-jail@FreeBSD.ORG Thu Jan 28 22:12:08 2010
From: "Michael Scheidell"
Date: Thu, 28 Jan 2010 17:12:02 -0500
To: "Christer Solskogen"
Subject: RE: How do you manage your jails?

pssh with pki keys to run multiple commands, ports in main. Make packages then pssh each to install the package

-----Original Message-----
From: Christer Solskogen
Sent: Thursday, January 28, 2010 5:05 PM
To: freebsd-jail@freebsd.org
Subject: How do you manage your jails?

So you have installed a FreeBSD server and set up several jails on your system. They run the services they need and everything works smoothly. But how do you manage all of them? What do you do if you want to run a command on all jails? Do you run cfengine/puppy? How do you set up sendmail? Do you have sendmail on all jails?
Do you share ports to all jails? How do you keep ports up to date on them?
Do you have a set of scripts that you want to share? On http://antarctica.no/stuff/UNIX/FreeBSD/jails/ you'll find what I use.

I'm preparing a talk for BLUG (the local Linux/BSD group) and I want to know how YOU manage your jails, there sure is more than one way to do it.

--
chs

From owner-freebsd-jail@FreeBSD.ORG Thu Jan 28 22:38:05 2010
Message-ID: <4B6211C7.6010404@beardz.net>
Date: Thu, 28 Jan 2010 22:37:59 +0000
From: Jase Thew
To: "tom@diogunix.com"
Cc: freebsd-jail@freebsd.org
In-Reply-To: <201001270308.21674.tom@diogunix.com>
Subject: Re: configuration of multiple IPs for a jail

On 27/01/2010 02:08, tom@diogunix.com wrote:
> Greetings to the community. That's my first post to this list.
> I run a mailserver (postfix/dovecot) in a jail on a 7.2 stable system.
> My question is about configuring multiple IP addresses for that jail.
> My IP configuration is just done via
> # jail blabla 123.123.123.249,123.123.123.227,123.123.123.248 blabla
>
> I want to use 123.123.123.249 as my primary IP within the jail and furthermore
> use the same IP for outgoing SMTP connections.
>
> Everything works nice so far. The only issue is, that postfix obviously insists
> to use the second IP (227) to send out the Emails though it should use the
> primary IP (249). Trying to bind postfix to the right address did not help.
> I've read tons about jail configuration but could not find the one hint needed.
>
> So my question is:
> Does a jail always use the 'lowest' IP from a bunch of multiple IPs given with
> the jail start command ? I can't find any other explanation. Nothing else
> points to the 227 address. And if true - is there a way to change this
> behaviour ?
>
> Thanks a lot in advance
> Tom
>

Hi Tom,

This behaviour has been addressed in RELENG_7 recently with r202924 [1].
This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 , which makes the kernel use the first IP passed to jail (8) as the default source address instead of the default behaviour which picks the first matching ip for that jail on the interface.

A workaround (if you're not able to update to a RELENG_7 following that commit) is to reorder your interface aliases in /etc/rc.conf ,so that your primary jail ip has a lower alias # than any secondary ips for that jail.

Hope this helps,

Jase.

[1] http://svn.freebsd.org/changeset/base/202924

From owner-freebsd-jail@FreeBSD.ORG Thu Jan 28 22:44:23 2010
From: "tom@diogunix.com"
To: freebsd-jail@freebsd.org
Date: Thu, 28 Jan 2010 23:45:18 +0100
In-Reply-To: <223601caa066$ecec32d5$0d01460a@secnap.com>
Message-Id: <201001282345.19033.tom@diogunix.com>
Subject: Re: How do you manage your jails?

Christer, Michael,

thank you very much for your answers. I meanwhile could fix the issue. To provide the solution just in short my setup and how I fixed it.

I run the machine in a data center and wanted GEOM GELI disk encryption for the jails partitions (one per jail). Therefore, I cannot use any scripting solutions for jails management. All jails are run via generic command lines (jail / jexec / ...). The jails were built via make world and also all daemons were compiled using the ports collection. There are three jails, each with a small bunch of IP addresses.

The issue was that I could not find out which rules FreeBSD follows when deciding which of the IPs in a jail to use for outgoing connections. It did NOT use the primary jail IP and I also could not bind daemons to a certain IP.

Solution:
From the list of alias IPs as configured via ifconfig on the host system, FreeBSD takes the one which comes first in the list of alias IPs to use it for outgoing connections. If you do not want the IP selected by FreeBSD for outgoing connections just remove the alias IP on the host system (ifconfig -alias) and then add it again (ifconfig alias).
Through this the IP will become the last in the list and another alias IP will then get selected for outgoing connections from within the jail. You must go ahead with this method until the right alias IP gets used.

That at least was my method to fix the issue. But maybe there's somebody out there who knows a better method ...

On Christer's questions:

All jails are managed by generic jail commands (as forced by the GEOM GELI setup). I can do this because there are not that many jails. I however do not use any scripting or cfengine/puppy (never heard of it).

I use sendmail only in some jails to get the periodic status messages sent to my email box for admin purposes (reduced sendmail setup of course and not listening outside).

I do not share ports. All jails are used for different purposes. Everything is managed "by hand". Automating it would not pay off with that few jails.

Thanks for your link. Will visit it.

Thanks again to all
Tom

> pssh with pki keys to run multiple commands, ports in main. Make packages
> then pssh each to install the package
>
> -----Original Message-----
> From: Christer Solskogen
> Sent: Thursday, January 28, 2010 5:05 PM
> To: freebsd-jail@freebsd.org
> Subject: How do you manage your jails?
>
> So you have installed a FreeBSD server and set up several jails on your
> system. They run the services they need and everything works smoothly. But
> how do you manage all of them? What do you do if you want to run a command on
> all jails? Do you run cfengine/puppy? How do you set up sendmail? Do
> you have sendmail on all jails?
> Do you share ports to all jails? How do you keep ports up to date on them?
> Do you have a set of scripts that you want to share? On
> http://antarctica.no/stuff/UNIX/FreeBSD/jails/ you'll find what I use.
>
> I'm preparing a talk for BLUG (the local Linux/BSD group) and I want to
> know how YOU manage your jails, there sure is more than one way to do it.

From owner-freebsd-jail@FreeBSD.ORG Thu Jan 28 22:50:17 2010
From: "tom@diogunix.com"
To: freebsd-jail@freebsd.org
Date: Thu, 28 Jan 2010 23:51:13 +0100
In-Reply-To: <4B6211C7.6010404@beardz.net>
Message-Id: <201001282351.13267.tom@diogunix.com>
Subject: Re: configuration of multiple IPs for a jail

Jase,

> This behaviour has been addressed in RELENG_7 recently with r202924 [1].

thank you very much. That's what I was watching out for :-).
I somehow could not find that hint in all the resources I used.

> This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
> which makes the kernel use the first IP passed to jail (8) as the
> default source address instead of the default behaviour which picks the
> first matching ip for that jail on the interface.

Just great. I run 7.2 stable on most machines and thanks to your information it will be much easier than what I meanwhile did to fix things.

> A workaround (if you're not able to update to a RELENG_7 following that
> commit) is to reorder your interface aliases in /etc/rc.conf ,so that
> your primary jail ip has a lower alias # than any secondary ips for that
> jail.

Yes. I've meanwhile found exactly that out the hard way and by trial and error. Works nice (or however, it works), even when the kernel setting method of course is much more elegant.

> Hope this helps,

I did already.

Many thanks
Tom

From owner-freebsd-jail@FreeBSD.ORG Fri Jan 29 09:25:07 2010
Date: Fri, 29 Jan 2010 09:24:16 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: "tom@diogunix.com"
Cc: freebsd-jail@freebsd.org
In-Reply-To: <201001282351.13267.tom@diogunix.com>
Message-ID: <20100129091822.O50938@maildrop.int.zabbadoz.net>
Subject: Re: configuration of multiple IPs for a jail

On Thu, 28 Jan 2010, tom@diogunix.com wrote:

Hi,

> Jase,
>
>> This behaviour has been addressed in RELENG_7 recently with r202924 [1].
>
> thank you very much. That's what I was watching out for :-).
> I somehow could not find that hint in all the resources I used.
>
>> This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
>> which makes the kernel use the first IP passed to jail (8) as the
>> default source address instead of the default behaviour which picks the
>> first matching ip for that jail on the interface.

That's not exactly true. Source address uses the first "matching" address for the destination on the outgoing interface if possible. There is a route lookup involved as well. So if you are serving more than one subnet it won't necessarily be the first IP of the interface seen within the jail.

For the case given, it most likely will, though.

> Just great. I run 7.2 stable on most machines and thanks to your information
> it will be much easier than what I meanwhile did to fix things.
>
>> A workaround (if you're not able to update to a RELENG_7 following that
>> commit) is to reorder your interface aliases in /etc/rc.conf ,so that
>> your primary jail ip has a lower alias # than any secondary ips for that
>> jail.
>
> Yes. I've meanwhile found exactly that out the hard way and by trial and
> error. Works nice (or however, it works), even when the kernel setting method
> of course is much more elegant.
>
>> Hope this helps,
>
> I did already.

Though it might help, if you only need it for postfix, using the smtp_bind_address (and smtp_bind_address6) options might be more elegant rather than using the hammer of forcing things in the kernel. See man 5 postconf.

If more services across all jails should be using the intended behavior, using the sysctl and kernel is probably the right thing.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.

From owner-freebsd-jail@FreeBSD.ORG Sat Jan 30 01:06:42 2010
Message-ID: <4B63861B.1000907@beardz.net>
Date: Sat, 30 Jan 2010 01:06:35 +0000
From: Jase Thew
To: freebsd-jail@freebsd.org
In-Reply-To: <20100129091822.O50938@maildrop.int.zabbadoz.net>
Subject: Re: configuration of multiple IPs for a jail

On 29/01/2010 09:24, Bjoern A. Zeeb wrote:
> On Thu, 28 Jan 2010, tom@diogunix.com wrote:
>
> Hi,
>
>> Jase,
>>
>>> This behaviour has been addressed in RELENG_7 recently with r202924
>>> [1].
>>
>> thank you very much. That's what I was watching out for :-).
>> I somehow could not find that hint in all the resources I used.
>>
>>> This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
>>> which makes the kernel use the first IP passed to jail (8) as the
>>> default source address instead of the default behaviour which picks the
>>> first matching ip for that jail on the interface.
>
> That's not exactly true. Source address uses the first "matching"
> address for the destination on the outgoing interface if possible.
> There is a route lookup involved as well. So if you are serving more
> than one subnet it won't necessarily be the first IP of the interface
> seen within the jail.
>
> For the case given, it most likely will, though.
>

Yes, indeed. My answer was based on the configuration example presented and the assumption that all the IPs given were located in the same subnet.

Regards, Jase.
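
The selection rule discussed in this thread, modelled in shell as an added example (not code from any of the posters or from FreeBSD). It parses constructed `ifconfig` output and predicts a jail's outgoing source address under the default behaviour and with `security.jail.ip4_saddrsel` set to 0. The interface name `em0`, the host address 123.123.123.200, the netmasks and all function names are assumptions, and the model covers only the single-subnet case, leaving out the route lookup Bjoern describes.

```shell
#!/bin/sh
# Constructed sample data: interface name, host address and netmasks are
# assumptions; the three jail addresses are the ones from the question.

# `ifconfig em0` while .227 is the first of the jail's aliases.
IFCONFIG_BEFORE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 123.123.123.200 netmask 0xffffff00 broadcast 123.123.123.255
        inet 123.123.123.227 netmask 0xffffffff broadcast 123.123.123.227
        inet 123.123.123.248 netmask 0xffffffff broadcast 123.123.123.248
        inet 123.123.123.249 netmask 0xffffffff broadcast 123.123.123.249'

# The same interface after the aliases were reordered (the workaround).
IFCONFIG_AFTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 123.123.123.200 netmask 0xffffff00 broadcast 123.123.123.255
        inet 123.123.123.249 netmask 0xffffffff broadcast 123.123.123.249
        inet 123.123.123.227 netmask 0xffffffff broadcast 123.123.123.227
        inet 123.123.123.248 netmask 0xffffffff broadcast 123.123.123.248'

# Address list in the order it is passed to jail(8); the first is the primary.
JAIL_IPS='123.123.123.249,123.123.123.227,123.123.123.248'

# Print an interface's IPv4 addresses in the order ifconfig lists them.
iface_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# predicted_source IFCONFIG_OUTPUT JAIL_IPS SADDRSEL
# SADDRSEL=0: the first address given to jail(8).
# Otherwise:  the first interface address that also belongs to the jail.
predicted_source() {
    ifc=$1 jail_ips=$2 saddrsel=$3
    if [ "$saddrsel" = 0 ]; then
        printf '%s\n' "${jail_ips%%,*}"
        return 0
    fi
    for addr in $(iface_addrs "$ifc"); do
        case ",$jail_ips," in
            *",$addr,"*) printf '%s\n' "$addr"; return 0 ;;
        esac
    done
    return 1    # none of the jail's addresses is configured on the interface
}

# check_jail IFCONFIG_OUTPUT JAIL_IPS
# Succeeds only when the default behaviour already yields the primary address.
check_jail() {
    want=${2%%,*}
    if ! got=$(predicted_source "$1" "$2" 1); then
        echo "no jail address configured on the interface"
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "ok: outgoing connections use $got"
    else
        echo "mismatch: primary is $want but $got comes first on the interface"
        return 1
    fi
}

check_jail "$IFCONFIG_BEFORE" "$JAIL_IPS" || true
check_jail "$IFCONFIG_AFTER" "$JAIL_IPS"
echo "ip4_saddrsel set to 0: $(predicted_source "$IFCONFIG_BEFORE" "$JAIL_IPS" 0)"
```

On a real host, the captured output of `ifconfig` for the jail's interface would take the place of the constructed samples.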