From owner-freebsd-jail@FreeBSD.ORG Mon Jan 2 02:12:17 2012
From: Raphael Eiselstein
To: freebsd-jail@freebsd.org
Date: Mon, 2 Jan 2012 02:50:16 +0100
Message-ID: <20120102015015.GB2875@ma.sigsys.de>
Subject: conf/142972: JAILv2: a more complete mgmt solution?
Hello there,

I'm responding to conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
http://www.freebsd.org/cgi/query-pr.cgi?pr=142972

bz wrote:
> As was said multiple times before, it is very unlikely that
> the current rc script will be changed for the experimental
> feature and a more complete mgmt solution is being sought
> for the final support.

I understand that /etc/rc.d/jail is currently far more than an "rc-script"
should be. But I like to use it with traditional jails; it works well
for me, even with ifconfig and so on.

I'm planning our[1] "next generation" jail hosting platform based on
FreeBSD 9 with vimage support, maybe hierarchical jails. Multiple IPs,
v4+v6, ... I don't know yet what and how...

My idea is something like this:

* The host boots several jails with epair support.
* I don't know exactly how to configure epair in the existing /etc/rc.d/*
* Each jail will do its own (local) IP setup on startup using its local
  /etc/rc.conf, so the host just needs to know about subnets... maybe.
* I'd like to have something which fits into /etc/rc.d/ and will be
  configured through /etc/rc.conf

What is best practice here? Are there any standards or prototypes yet,
or do I have to invent my own wheel here? I hope not!

Hints and Howtos will be highly appreciated.

Best Regards
Raphael Eiselstein

Footnotes:
1. "Our" is the local Unix Users Group[2], a nonprofit organisation
   offering jail hosting to its members, currently running about 25 jails
   on FreeBSD 7.4, running this setup since around 4/2006.
2. Unix User Group Rhein-Neckar e.V.
--
Raphael Eiselstein                               http://rabe.uugrn.org/
xmpp:freibyter@gmx.de | https://www.xing.com/profile/Raphael_Eiselstein
GnuPG: E7B2 1D66 3AF2 EDC7 9828 6D7A 9CDA 3E7B 10CA 9F2D

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 2 05:20:56 2012
From: Devin Teske
To: Raphael Eiselstein
Date: Sun, 1 Jan 2012 20:59:02 -0800
In-Reply-To: <20120102015015.GB2875@ma.sigsys.de>
Cc: freebsd-jail@freebsd.org
Subject: Re: conf/142972: JAILv2: a more complete mgmt solution?

On Jan 1, 2012, at 5:50 PM, Raphael Eiselstein wrote:

> Hello there,
>
> I'm responding to conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
> http://www.freebsd.org/cgi/query-pr.cgi?pr=142972
>
> bz wrote:
>> As was said multiple times before, it is very unlikely that
>> the current rc script will be changed for the experimental
>> feature and a more complete mgmt solution is being sought
>> for the final support.
>
> I understand that /etc/rc.d/jail is currently far more than an "rc-script"
> should be. But I like to use it with traditional jails; it works well
> for me, even with ifconfig and so on.
>
> I'm planning our[1] "next generation" jail hosting platform based on
> FreeBSD 9 with vimage support, maybe hierarchical jails. Multiple IPs,
> v4+v6, ... I don't know yet what and how...
>
> My idea is something like this:
>
> * The host boots several jails with epair support.
> * I don't know exactly how to configure epair in the existing /etc/rc.d/*
> * Each jail will do its own (local) IP setup on startup using its local
>   /etc/rc.conf, so the host just needs to know about subnets... maybe.
> * I'd like to have something which fits into /etc/rc.d/ and will be
>   configured through /etc/rc.conf
>
> What is best practice here? Are there any standards or prototypes yet,
> or do I have to invent my own wheel here? I hope not!
>
> Hints and Howtos will be highly appreciated.

I developed an rc.d script that you can download as a FreeBSD package and then "pkg_add".

http://druid.bsd.sourceforge.net/download/vimage-1.4.tbz
http://druidbsd.sourceforge.net/vimage.html

--
Devin

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 2 06:05:32 2012
From: Brandon Gooch
To: Devin Teske
Cc: freebsd-jail@freebsd.org, Raphael Eiselstein
Date: Sun, 1 Jan 2012 23:35:31 -0600
Subject: Re: conf/142972: JAILv2: a more complete mgmt solution?

On Sun, Jan 1, 2012 at 10:59 PM, Devin Teske wrote:
>
> On Jan 1, 2012, at 5:50 PM, Raphael Eiselstein wrote:
>
>> Hello there,
>>
>> I'm responding to conf/142972: [jail] [patch] Support JAILv2 and vnet in rc.d/jail
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=142972
>>
>> bz wrote:
>>> As was said multiple times before, it is very unlikely that
>>> the current rc script will be changed for the experimental
>>> feature and a more complete mgmt solution is being sought
>>> for the final support.
>>
>> I understand that /etc/rc.d/jail is currently far more than an "rc-script"
>> should be. But I like to use it with traditional jails; it works well
>> for me, even with ifconfig and so on.
>>
>> I'm planning our[1] "next generation" jail hosting platform based on
>> FreeBSD 9 with vimage support, maybe hierarchical jails. Multiple IPs,
>> v4+v6, ... I don't know yet what and how...
>>
>> My idea is something like this:
>>
>> * The host boots several jails with epair support.
>> * I don't know exactly how to configure epair in the existing /etc/rc.d/*
>> * Each jail will do its own (local) IP setup on startup using its local
>>   /etc/rc.conf, so the host just needs to know about subnets... maybe.
>> * I'd like to have something which fits into /etc/rc.d/ and will be
>>   configured through /etc/rc.conf
>>
>> What is best practice here?
>> Are there any standards or prototypes yet,
>> or do I have to invent my own wheel here? I hope not!
>>
>> Hints and Howtos will be highly appreciated.
>
> I developed an rc.d script that you can download as a FreeBSD package and then "pkg_add".
>
> http://druid.bsd.sourceforge.net/download/vimage-1.4.tbz
>
> http://druidbsd.sourceforge.net/vimage.html
> --
> Devin
>

Quick correction: URL for downloading is actually:

http://druidbsd.sourceforge.net/download/vimage-1.4.tbz

Devin, your "utilities" (if I dare call them that) are turning out to be
incredibly useful -- thanks!

-Brandon

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 2 11:07:04 2012
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 2 Jan 2012 11:07:04 GMT
Message-Id: <201201021107.q02B74Dp005149@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
p bin/161957   jail   jls(8): jls -v doesn't show anything if system compile
o kern/159918  jail   [jail] inter-jail communication failure
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail   [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.
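The layout Raphael asks about in the thread above (the host creates the epairs and bridges them, each jail owns its end and configures it) comes down to a short sequence of host-side commands. The script below is an added example written for this page; it is not Raphael's setup, not Devin's vimage package and not the stock /etc/rc.d/jail. Everything it assumes is an assumption rather than something from the thread: a FreeBSD 9.x kernel built with VIMAGE (the feature bz's quoted comment calls experimental), a jail root already installed under /usr/jails/<name>, an uplink named em0 joined to an if_bridge(4), and documentation addresses from 192.0.2.0/24. With DRY_RUN=1 it prints the commands it would run instead of running them, which is also the way to review what it does to a host before trusting it.

```shell
#!/bin/sh
# Added example (not from the thread, not Devin's package, not /etc/rc.d/jail):
# bring up one vnet jail on an epair(4) whose host end is a member of an
# if_bridge(4) that also carries the uplink.
# Assumptions, not values from the thread: FreeBSD 9.x with a VIMAGE kernel,
# jail root under $JAIL_ROOT/<name>, uplink $UPLINK, bridge $BRIDGE.
# DRY_RUN=1 prints every command instead of executing it.

JAIL_ROOT=${JAIL_ROOT:-/usr/jails}
UPLINK=${UPLINK:-em0}
BRIDGE=${BRIDGE:-bridge0}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute, or print when dry-running. Abort on the first failure
# so a half-wired jail is never left behind silently.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || { echo "failed: $*" >&2; exit 1; }
    fi
}

# setup_bridge: create the bridge once and put the uplink on it. Every jail's
# epair "a" end joins the same bridge, so the jails share the uplink's segment.
setup_bridge() {
    if ! ifconfig "$BRIDGE" >/dev/null 2>&1; then
        run ifconfig "$BRIDGE" create
        run ifconfig "$BRIDGE" addm "$UPLINK" up
    fi
}

# start_vnet_jail NAME ADDR/PREFIX GATEWAY
# Creates the jail with its own network stack (vnet, deliberately no ip4.addr),
# creates an epair, bridges the "a" end on the host, moves the "b" end into the
# jail and configures the address there with jexec. Prints the "a" end name
# last so a caller can record it for stop_vnet_jail.
start_vnet_jail() {
    name=$1 addr=$2 gw=$3
    run jail -c name="$name" path="$JAIL_ROOT/$name" host.hostname="$name" vnet persist
    if [ "$DRY_RUN" = 1 ]; then
        a=epairNa                       # placeholder; ifconfig prints the real name
    else
        a=$(ifconfig epair create) || exit 1
    fi
    b="${a%a}b"
    run ifconfig "$a" up
    run ifconfig "$BRIDGE" addm "$a"
    run ifconfig "$b" vnet "$name"      # the "b" end now exists only inside the jail
    run jexec "$name" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$name" ifconfig "$b" inet "$addr" up
    run jexec "$name" route add default "$gw"
    echo "$a"
}

# stop_vnet_jail NAME EPAIR_A: removing the jail hands the "b" end back to the
# host; destroying the "a" end destroys the whole pair.
stop_vnet_jail() {
    run jail -r "$1"
    run ifconfig "$2" destroy
}

# Usage: sh vnetjail.sh start NAME ADDR/PREFIX GATEWAY
#        sh vnetjail.sh stop NAME EPAIR_A
case "${1:-}" in
    start) setup_bridge; start_vnet_jail "$2" "$3" "$4" ;;
    stop)  stop_vnet_jail "$2" "$3" ;;
esac
```

Nothing here sets ip4.addr: a vnet jail owns the epair's b end and addresses it itself, which is why the address is applied with jexec only after the interface has moved. From there the jail's own /etc/rc can be started the way /etc/rc.d/jail does it, with `jexec NAME /bin/sh /etc/rc`; putting an ifconfig_ line in the jail's rc.conf instead, as Raphael proposes, needs a stable interface name, because epairs are numbered on creation. The host still sees the jail's traffic on the epair a end and on the bridge, so host-side filtering applies there, and the a end should carry no address of its own.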
From owner-freebsd-jail@FreeBSD.ORG Wed Jan 4 01:22:54 2012
From: "Andrew Hotlab"
To: "FreeBSD-Jail"
Date: Wed, 4 Jan 2012 02:10:43 +0100
Subject: jailed process listening on host addresses

I noticed a strange behavior some days ago, but I can't say how long it
has been happening for. Some processes which are running in different
jails on the same host seem to be listening on all host IPs.
Here is an example:

#sockstat -4l | grep "4 \*:"
root     mDNSRespon 69801 3  udp4   *:45258               *:*
root     mDNSRespon 69801 4  udp4   *:5353                *:*
root     unfsd      69761 3  udp4   *:2049                *:*
root     unfsd      69761 4  tcp4   *:2049                *:*
root     rpcbind    69703 7  udp4   *:111                 *:*
root     rpcbind    69703 8  udp4   *:732                 *:*
root     rpcbind    69703 9  tcp4   *:111                 *:*
921      transmissi 29851 10 udp4   *:*                   *:*
931      asterisk   29805 25 udp4   *:*                   *:*

It's happening on several hosts right now (all are running FreeBSD/amd64
8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a
single unicast IP address. I really hope I'm missing something important...
or should I guess that these processes are "escaping" from the jails?! :S

Thanks very much for any explanation anyone would be so kind to give me.

Andrew

From owner-freebsd-jail@FreeBSD.ORG Wed Jan 4 08:54:22 2012
From: Nikos Vassiliadis
To: Andrew Hotlab
Cc: FreeBSD-Jail
Date: Wed, 04 Jan 2012 10:54:09 +0200
Message-ID: <4F0413B1.3040308@gmx.com>
Subject: Re: jailed process listening on host addresses

On 1/4/2012 3:10 AM, Andrew Hotlab wrote:
> I noticed a strange behavior some days ago, but I can't say how long it
> has been happening for. Some processes which are running in different
> jails on the same host seem to be listening on all host IPs.
> Here is an example:
>
> #sockstat -4l | grep "4 \*:"
> root     mDNSRespon 69801 3  udp4   *:45258               *:*
> root     mDNSRespon 69801 4  udp4   *:5353                *:*
> root     unfsd      69761 3  udp4   *:2049                *:*
> root     unfsd      69761 4  tcp4   *:2049                *:*
> root     rpcbind    69703 7  udp4   *:111                 *:*
> root     rpcbind    69703 8  udp4   *:732                 *:*
> root     rpcbind    69703 9  tcp4   *:111                 *:*
> 921      transmissi 29851 10 udp4   *:*                   *:*
> 931      asterisk   29805 25 udp4   *:*                   *:*
>
>
> It's happening on several hosts right now (all are running FreeBSD/amd64
> 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a
> single unicast IP address. I really hope I'm missing something important...
> or should I guess that these processes are "escaping" from the jails?! :S
>
> Thanks very much for any explanation anyone would be so kind to give me.

Could you share more about your setup?
ifconfig, jls, ps in the jail, commands given to create the jail...
I tried to reproduce the problem on an amd64 8.2-RELEASE, without success.
> callisto# ifconfig em0
> em0: flags=8843 metric 0 mtu 1500
>         options=9b
>         ether 08:00:27:a0:7a:90
>         inet 192.168.73.194 netmask 0xffffff00 broadcast 192.168.73.255
>         inet 192.168.73.128 netmask 0xffffff00 broadcast 192.168.73.255
>         media: Ethernet autoselect (1000baseT )
>         status: active
> callisto# jail -c name=test persist ip4.addr=192.168.73.128
> callisto# jls
>    JID  IP Address      Hostname                      Path
>      2  192.168.73.128                                /
> callisto# jexec test nc -lu 20000 &
> [1] 1130
> callisto# sockstat -4l
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     nc         1130  3  udp4   192.168.73.128:20000  *:*
> root     sendmail   857   4  tcp4   127.0.0.1:25          *:*
> root     sshd       849   4  tcp4   *:22                  *:*
> root     syslogd    561   7  udp4   *:514                 *:*

Nikos

From owner-freebsd-jail@FreeBSD.ORG Wed Jan 4 10:41:17 2012
From: "Andrew Hotlab"
To: "Nikos Vassiliadis"
In-Reply-To: <4F0413B1.3040308@gmx.com>
Date: Wed, 4 Jan 2012 11:41:15 +0100
Cc: FreeBSD-Jail
Subject: Re: jailed process listening on host addresses

-----Original Message-----
From: Nikos Vassiliadis
Sent: Wednesday, January 04, 2012 9:54 AM
To: Andrew Hotlab
Cc: FreeBSD-Jail
Subject: Re: jailed process listening on host addresses

> On 1/4/2012 3:10 AM, Andrew Hotlab wrote:
> > I noticed a strange behavior some days ago, but I can't say how long it
> > has been happening for. Some processes which are running in different
> > jails on the same host seem to be listening on all host IPs.
> >
> > It's happening on several hosts right now (all are running FreeBSD/amd64
> > 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a
> > single unicast IP address. I really hope I'm missing something important...
> > or should I guess that these processes are "escaping" from the jails?!
> > :S
> >
>
> Could you share more about your setup?
> ifconfig, jls, ps in the jail, commands given to create the jail...
> I tried to reproduce the problem on an amd64 8.2-RELEASE, without
> success.
>

Thank you Nikos, the following commands are executed on the host:

# ifconfig xl0
xl0: flags=8843 metric 0 mtu 1500
        options=82009
        ether 00:01:02:aa:9f:c2
        inet 172.19.2.48 netmask 0xffffff00 broadcast 172.19.2.255
        inet 172.19.2.49 netmask 0xffffffff broadcast 172.19.2.49
        inet 172.19.2.50 netmask 0xffffffff broadcast 172.19.2.50
        inet 172.19.2.51 netmask 0xffffffff broadcast 172.19.2.51
        inet 172.19.2.52 netmask 0xffffffff broadcast 172.19.2.52
        inet 172.19.2.53 netmask 0xffffffff broadcast 172.19.2.53
        inet 172.19.2.54 netmask 0xffffffff broadcast 172.19.2.54
        inet 172.19.2.55 netmask 0xffffffff broadcast 172.19.2.55
        inet 172.19.2.56 netmask 0xffffffff broadcast 172.19.2.56
        inet 172.19.2.57 netmask 0xffffffff broadcast 172.19.2.57
        inet 172.19.2.58 netmask 0xffffffff broadcast 172.19.2.58
        inet 172.19.2.59 netmask 0xffffffff broadcast 172.19.2.59
        inet 172.19.2.60 netmask 0xffffffff broadcast 172.19.2.60
        inet 172.19.2.61 netmask 0xffffffff broadcast 172.19.2.61
        inet 172.19.2.62 netmask 0xffffffff broadcast 172.19.2.62
        inet 172.19.2.63 netmask 0xffffffff broadcast 172.19.2.63
        media: Ethernet autoselect (100baseTX )
        status: active

# jls | grep 172.19.2.50
     5  172.19.2.50     rjpbx01                       /usr/jails/rjpbx01

# jexec 5 /usr/local/etc/rc.d/asterisk start
Starting asterisk.

# sockstat -4l | grep asterisk
931      asterisk   91780 11 udp4   172.19.2.50:5060      *:*
931      asterisk   91780 12 tcp4   172.19.2.50:2000      *:*
931      asterisk   91780 18 tcp4   172.19.2.50:1720      *:*
931      asterisk   91780 19 udp4   172.19.2.50:2727      *:*
931      asterisk   91780 22 udp4   172.19.2.50:4569      *:*
931      asterisk   91780 23 udp4   *:*                   *:*
931      asterisk   91780 24 udp4   172.19.2.50:4520      *:*

I think there might be a problem with specific processes (in this case,
asterisk), because if I run several other commands (for example the nc(1)
you showed me), all is working as expected. Until now, I noticed this
behavior with these processes: unfsd, rpcbind, asterisk,
transmission-daemon, mDNSResponderPosix.
I'll try to test the same daemons in a jail with another version of FreeBSD
as soon as possible. I will also verify whether these daemons are really
listening on all IP addresses, by analyzing some traffic with tcpdump(1).

Andrew

From owner-freebsd-jail@FreeBSD.ORG Wed Jan 4 11:09:13 2012
From: "Andrew Hotlab"
To: Eirik Øverby
Cc: FreeBSD-Jail
In-Reply-To: <78A52A88-CE31-4450-BB8D-3D5BC9D20456@anduin.net>
Date: Wed, 4 Jan 2012 12:09:11 +0100
Subject: Re: jailed process listening on host addresses

-----Original Message-----
From: Eirik Øverby
Sent: Wednesday, January 04, 2012 11:35 AM
To: Andrew Hotlab
Cc: FreeBSD-Jail
Subject: Re: jailed process listening on host addresses

> On 4. jan. 2012, at 02:10, "Andrew Hotlab" wrote:
>
> > I noticed a strange behavior some days ago, but I can't say how long it
> > has been happening for. Some processes which are running in different
> > jails on the same host seem to be listening on all host IPs.
> >
> > It's happening on several hosts right now (all are running FreeBSD/amd64
> > 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a
> > single unicast IP address. I really hope I'm missing something
> > important... or should I guess that these processes are "escaping" from
> > the jails?! :S
>
> Did you try to actually connect to any of those listeners? I see the same
> here, but I cannot actually connect to the ports on anything but the
> jail IP..
>

I've just tried to connect to TCP port 2049 (the unfsd daemon is running
in a jail), and actually I can only telnet to the address assigned to the
jail where the daemon is running, even if sockstat(1) tells me that the
process is listening on all IP addresses. Thus the sockstat(1) command
might not be able to display correctly the actual sockets used by some
jailed processes?! It sounds pretty strange to me... maybe these processes
are sharing something with the host because they are using SysV IPC or
something else I'm not aware of?
Andrew

From owner-freebsd-jail@FreeBSD.ORG Wed Jan 4 11:37:42 2012
From: Eirik Øverby
To: Andrew Hotlab
Cc: FreeBSD-Jail
Date: Wed, 4 Jan 2012 11:35:49 +0100
Message-Id: <78A52A88-CE31-4450-BB8D-3D5BC9D20456@anduin.net>
Subject: Re: jailed process listening on host addresses

On 4. jan. 2012, at 02:10, "Andrew Hotlab" wrote:

> I noticed a strange behavior some days ago, but I can't say how long it
> has been happening for. Some processes which are running in different
> jails on the same host seem to be listening on all host IPs.
> Here is an example:
>
> #sockstat -4l | grep "4 \*:"
> root     mDNSRespon 69801 3  udp4   *:45258               *:*
> root     mDNSRespon 69801 4  udp4   *:5353                *:*
> root     unfsd      69761 3  udp4   *:2049                *:*
> root     unfsd      69761 4  tcp4   *:2049                *:*
> root     rpcbind    69703 7  udp4   *:111                 *:*
> root     rpcbind    69703 8  udp4   *:732                 *:*
> root     rpcbind    69703 9  tcp4   *:111                 *:*
> 921      transmissi 29851 10 udp4   *:*                   *:*
> 931      asterisk   29805 25 udp4   *:*                   *:*
>
>
> It's happening on several hosts right now (all are running FreeBSD/amd64
> 8.2-RELEASE-p5), with both UDP and TCP listeners. Every jail is using a
> single unicast IP address. I really hope I'm missing something important...
> or should I guess that these processes are "escaping" from the jails?! :S

Did you try to actually connect to any of those listeners? I see the same
here, but I cannot actually connect to the ports on anything but the jail IP..

> Thanks very much for any explanation anyone would be so kind to give me.
>
> Andrew
>
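Eirik's check, connecting to the port on an address that is not the jail's, is the one that settles the question for a TCP listener; sockstat(1) only reports the address the socket was bound to ("*" for the wildcard), and the thread's own evidence is that the connection succeeds on the jail's address alone. The script below is an added example written for this page, not something anyone in the thread posted: it automates that check over every wildcard listener that belongs to a jailed process. It assumes FreeBSD's ps(1) jid keyword, jls(8) parameter output (`jls -j JID ip4.addr`) and nc(1) with -z and -w; the sockstat sample embedded at the bottom is constructed from the values in this thread so the parsing step can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit wildcard listeners owned by jailed
# processes by connecting to each such TCP port on every host address that is
# not the jail's own. Assumptions (FreeBSD 8.x/9.x userland): ps(1) has a
# "jid" keyword, jls(8) accepts "-j JID ip4.addr", nc(1) supports -z and -w.

# wildcard_listeners: read `sockstat -4l` output on stdin and print
# "USER COMMAND PID PROTO PORT" for every socket bound to "*:<port>".
# The header line and unbound "*:*" sockets (a UDP socket a daemon only
# sends from) do not match the pattern and are dropped.
wildcard_listeners() {
    awk '$6 ~ /^\*:[0-9]+$/ { split($6, la, ":"); print $1, $2, $3, $5, la[2] }'
}

# jail_of PID: the jail ID of a process; 0 means it runs on the host.
jail_of() {
    ps -o jid= -p "$1" | tr -d ' '
}

# non_jail_addrs JID: every IPv4 address configured on the host except the
# ones assigned to jail JID (jls prints them comma-separated).
non_jail_addrs() {
    jail_ips=$(jls -j "$1" ip4.addr 2>/dev/null | tr ',' ' ')
    ifconfig -a | awk '$1 == "inet" { print $2 }' | while read -r a; do
        case " $jail_ips " in
            *" $a "*) ;;            # belongs to the jail itself; skip it
            *) echo "$a" ;;
        esac
    done
}

# probe_tcp ADDR PORT: succeed if a TCP connect completes within 2 seconds.
probe_tcp() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# audit: one line per (jailed wildcard listener, non-jail address) pair.
# UDP listeners are listed but not probed; a connect() proves nothing there.
audit() {
    sockstat -4l | wildcard_listeners | while read -r user cmd pid proto port; do
        jid=$(jail_of "$pid")
        if [ "$jid" = 0 ]; then
            continue                # host daemon: a wildcard bind is expected
        fi
        if [ "$proto" != tcp4 ]; then
            echo "SKIP       $cmd[$pid] jail $jid $proto *:$port (UDP, not probed)"
            continue
        fi
        for a in $(non_jail_addrs "$jid"); do
            if probe_tcp "$a" "$port"; then
                echo "REACHABLE  $cmd[$pid] jail $jid tcp $a:$port"
            else
                echo "refused    $cmd[$pid] jail $jid tcp $a:$port"
            fi
        done
    done
}

# Constructed sample in the shape of the thread's sockstat output (header
# included, as sockstat prints it without a grep); used to test the parser.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     unfsd      69761 3  udp4   *:2049                *:*
root     unfsd      69761 4  tcp4   *:2049                *:*
root     nc         1130  3  udp4   192.168.73.128:20000  *:*
931      asterisk   29805 25 udp4   *:*                   *:*
root     sshd       849   4  tcp4   *:22                  *:*'

# Usage: sh audit_jail_listeners.sh audit   (as root, on the jail host)
if [ "${1:-}" = audit ]; then
    audit
fi
```

A REACHABLE line is the case Andrew was worried about and is worth a tcpdump(1) on that address while the connect is repeated; refused lines on every non-jail address, together with a successful connect on the jail's own address, are the behaviour Eirik describes. Run it on the host itself, since the probe targets the host's addresses; the same connect from another machine on the segment is the stricter form of the test. UDP wildcard listeners are only listed, because a connectionless probe says nothing reliable; those need a service-specific request, or a capture while a real client talks to them.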