From owner-freebsd-jail@FreeBSD.ORG Sun Jan 22 07:38:43 2012
Date: Sun, 22 Jan 2012 18:38:35 +1100
From: other@ahhyes.net
Subject: Re: nat + pf, network weirdness

On 2012-01-22 01:13, Виталий Владимирович wrote:
>> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>>
> You should use Packet Tagging (Policy Filtering).
> Something like this:
>
> nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> nat on $ext_if tag SQL tagged SQL -> ($ext_if)
>
> ......
>
> block in
> block out
> pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark
> traffic from jail to world
> .....
> pass out quick on $ext_if inet from ($ext_if) tagged WWW <-
> dispatch only marked WWW
>
> PF is very well in situations like this. With PF it is possible to
> divide LAN traffic and router traffic easily.

Could someone please explain how the nat rules work in the above
example, I had a quick look at the pf manpage for tagging but it does
not mention its use in conjunction with NAT. Is there much connection
overhead/performance difference by using tags? Is the above the only
solution?

Why is it I cannot see any traffic via tcpdump on lo1?

From owner-freebsd-jail@FreeBSD.ORG Sun Jan 22 08:39:45 2012
From: Виталий Владимирович
To: other@ahhyes.net
Date: Sun, 22 Jan 2012 10:39:42 +0200
Cc: freebsd-jail@freebsd.org
Subject: Re: nat + pf, network weirdness

--- Original message ---
From: other@ahhyes.net
To: freebsd-jail@freebsd.org
Date: 22 January 2012, 09:38:51
Subject: Re: nat + pf, network weirdness

> On 2012-01-22 01:13, Виталий Владимирович wrote:
> >> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
> >>
> > You should use Packet Tagging (Policy Filtering).
> > Something like this:
> >
> > nat on $ext_if tag WWW tagged WWW -> ($ext_if)
> > nat on $ext_if tag SQL tagged SQL -> ($ext_if)
> >
> > ......
> >
> > block in
> > block out
> > pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark
> > traffic from jail to world
> > .....
> > pass out quick on $ext_if inet from ($ext_if) tagged WWW <-
> > dispatch only marked WWW
> >
> > PF is very well in situations like this. With PF it is possible to
> > divide LAN traffic and router traffic easily.
>
> Could someone please explain how the nat rules work in the above
> example, I had a quick look at the pf manpage for tagging but it does
> not mention its use in conjunction with NAT. Is there much connection
> overhead/performance difference by using tags? Is the above the only
> solution?

You should read manuals more carefully

nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
           [ "on" ifspec ] [ af ] [ protospec ] hosts
           [ "tag" string ] [ "tagged" string ]
           [ "->" ( redirhost | "{" redirhost-list "}" )
           [ portspec ] [ pooltype ] [ "static-port" ] ]

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 04:54:47 2012
Date: Sun, 22 Jan 2012 22:25:27 -0600 (CST)
From: "Valeri Galtsev"
To: freebsd-jail@freebsd.org
Reply-To: galtsev@kicp.uchicago.edu
Subject: multiple jails with multiple network interfaces

Hello!

I have a FreeBSD 9.0 host that is registered in DNS to appear with
multiple IP addresses:

host some.host.com

some.host.com has address a.b.c.x
some.host.com has address a.b.d.x
some.host.com has address a.b.e.x

I built multiple jails to run one service in each following mostly:

http://www.freebsd.org/doc/handbook/jails-application.html

I am trying to start each of the jails with all network interfaces this
machine has configured (with the same IP addresses as interfaces are
configured on the host system). For that I have in jail related portion of
/etc/rc.conf the following

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="http ftp rsync pxe"
jail_http_hostname="some.host.com"
jail_http_ip="a.b.c.x,a.b.d.x,a.b.e.x"
jail_http_rootdir="/jail/http"
...
jail_ftp_hostname="some.host.com"
jail_ftp_ip="a.b.c.x,a.b.d.x,a.b.e.x"
jail_ftp_rootdir="/jail/ftp"
...

When I start jails:

/etc/rc.d/jail start

first in the list jail starts perfectly (and I can verify that service
configured to run in it is accessible on all three public IP addresses of
the machine), all other jails, however, fail to start with the message

some# /etc/rc.d/jail start
Configuring jails:.
Starting jails: some.host.com some.host.com some.host.com ...
cannot start jail "ftp"
.

If I only leave one IP address in each of the jails, they all start OK. If
I configure some jails with different IP (on the same class C network),
leaving first jail with multiple IP addresses, e.g.:

jail_http_hostname="some.host.com"
jail_http_ip="a.b.c.x,a.b.d.x,a.b.e.x"
jail_http_rootdir="/jail/http"
...
jail_ftp_hostname="some.host.com"
jail_ftp_ip="a.b.c.y"
jail_ftp_rootdir="/jail/ftp"
...

all jails start OK (first with multiple IPs, and other with single
different IP). If first (in order of start) jail is with single IP, and
next jail is with multiple IPs including the IP of the first one:

jail_http_hostname="some.host.com"
jail_http_ip="a.b.c.x"
jail_http_rootdir="/jail/http"
...
jail_ftp_hostname="some.host.com"
jail_ftp_ip="a.b.c.x,a.b.d.x,a.b.e.x"
jail_ftp_rootdir="/jail/ftp"
...

then jail with multiple IPs will not start.

I tried to search, but I didn't find anybody mentioning having this
problem or having it resolved or just having similar configuration with
multiple IPs.

Is there something obviously wrong that I'm doing?

Is it possible that there is some restriction that will not allow me to
have this configuration?

Thanks a lot for all your answers!

Sincerely yours,

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 07:25:10 2012
Date: Mon, 23 Jan 2012 08:01:18 +0100
From: Paul Schenkeveld
To: freebsd-jail@freebsd.org
Subject: Re: multiple jails with multiple network interfaces

On Sun, Jan 22, 2012 at 10:25:27PM -0600, Valeri Galtsev wrote:
> Hello!
>
> I have a FreeBSD 9.0 host that is registered in DNS to appear with
> multiple IP addresses:
>
> host some.host.com
>
> some.host.com has address a.b.c.x
> some.host.com has address a.b.d.x
> some.host.com has address a.b.e.x
>
> I built multiple jails to run one service in each following mostly:
>
> http://www.freebsd.org/doc/handbook/jails-application.html
>
> I am trying to start each of the jails with all network interfaces this
> machine has configured (with the same IP addresses as interfaces are
> configured on the host system). For that I have in jail related portion of
> /etc/rc.conf the following
>
> jail_enable="YES"
> jail_set_hostname_allow="NO"
> jail_list="http ftp rsync pxe"
> jail_http_hostname="some.host.com"
> jail_http_ip="a.b.c.x,a.b.d.x,a.b.e.x"
> jail_http_rootdir="/jail/http"
> ...
> jail_ftp_hostname="some.host.com"
> jail_ftp_ip="a.b.c.x,a.b.d.x,a.b.e.x"
> jail_ftp_rootdir="/jail/ftp"
> ...
>
> When I start jails:
>
> /etc/rc.d/jail start
>
> first in the list jail starts perfectly (and I can verify that service
> configured to run in it is accessible on all three public IP addresses of
> the machine), all other jails, however, fail to start with the message
>
> some# /etc/rc.d/jail start
> Configuring jails:.
> Starting jails: some.host.com some.host.com some.host.com ...
> cannot start jail "ftp"
> .
>
> If I only leave one IP address in each of the jails, they all start OK. If
> I configure some jails with different IP (on the same class C network),
> leaving first jail with multiple IP addresses, e.g.:
>
> jail_http_hostname="some.host.com"
> jail_http_ip="a.b.c.x,a.b.d.x,a.b.e.x"
> jail_http_rootdir="/jail/http"
> ...
> jail_ftp_hostname="some.host.com"
> jail_ftp_ip="a.b.c.y"
> jail_ftp_rootdir="/jail/ftp"
> ...
>
> all jails start OK (first with multiple IPs, and other with single
> different IP). If first (in order of start) jail is with single IP, and
> next jail is with multiple IPs including the IP of the first one:
>
> jail_http_hostname="some.host.com"
> jail_http_ip="a.b.c.x"
> jail_http_rootdir="/jail/http"
> ...
> jail_ftp_hostname="some.host.com"
> jail_ftp_ip="a.b.c.x,a.b.d.x,a.b.e.x"
> jail_ftp_rootdir="/jail/ftp"
> ...
>
> then jail with multiple IPs will not start.
>
>
> I tried to search, but I didn't find anybody mentioning having this
> problem or having it resolved or just having similar configuration with
> multiple IPs.
>
> Is there something obviously wrong that I'm doing?
>
> Is it possible that there is some restriction that will not allow me to
> have this configuration?

See jail(8):

     ip4.addr
             ... It is only possible to start
             multiple jails with the same IP address, if none of the jails has
             more than this single overlapping IP address assigned to itself.

So jails can have the same IP4 address but that has to be the only IP4
address of that jail, otherwise all addresses must be unique.

Kind regards,

Paul Schenkeveld

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 11:07:06 2012
Date: Mon, 23 Jan 2012 11:07:06 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
p bin/161957   jail       jls(8): jls -v doesn't show anything if system compile
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

12 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 11:36:31 2012
Date: Mon, 23 Jan 2012 12:36:25 +0100
From: Denny Schierz
To: freebsd-jail@freebsd.org
Subject: Re: * Re: Getting Jail v2 working with 9-stable

hi,

On 20.01.2012 at 15:05, Devin Teske wrote:

> Try my vimage rc.d script for this.
>
> http://druidbsd.sf.net/vimage.html
>
> http://druidbsd.sourceforge.net/download/vimage-1.4.tbz

I tried it, but doesn't work. I think, it must be a bug in the SPARC Kernel, because other with I386 and same options doesn't have the same problems.

cu denny

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 16:27:49 2012
Date: Mon, 23 Jan 2012 08:26:24 -0800
From: Devin Teske
To: Denny Schierz
Subject: * Re: * Re: Getting Jail v2 working with 9-stable

On Jan 23, 2012, at 3:36 AM, Denny Schierz wrote:

> hi,
>
> On 20.01.2012 at 15:05, Devin Teske wrote:
>
>> Try my vimage rc.d script for this.
>>
>> http://druidbsd.sf.net/vimage.html
>>
>> http://druidbsd.sourceforge.net/download/vimage-1.4.tbz
>
> I tried it, but doesn't work. I think, it must be a bug in the SPARC Kernel, because other with I386 and same options doesn't have the same problems.
>

I don't know if VIMAGE is supported yet on SPARC platform. Maybe someone wants to chime in that's more familiar with which-platforms VIMAGE is supported.

--
Devin

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 16:38:11 2012
Date: Mon, 23 Jan 2012 16:38:06 +0000
From: "Bjoern A. Zeeb"
To: Devin Teske
Cc: freebsd-jail
Subject: Re: * Re: * Re: Getting Jail v2 working with 9-stable

On 23. Jan 2012, at 16:26 , Devin Teske wrote:

> On Jan 23, 2012, at 3:36 AM, Denny Schierz wrote:
>
>> hi,
>>
>> On 20.01.2012 at 15:05, Devin Teske wrote:
>>
>>> Try my vimage rc.d script for this.
>>>
>>> http://druidbsd.sf.net/vimage.html
>>>
>>> http://druidbsd.sourceforge.net/download/vimage-1.4.tbz
>>
>> I tried it, but doesn't work. I think, it must be a bug in the SPARC Kernel, because other with I386 and same options doesn't have the same problems.
>>
>
> I don't know if VIMAGE is supported yet on SPARC platform. Maybe someone wants to chime in that's more familiar with which-platforms VIMAGE is supported.

VIMAGE should be arch independent.

--
Bjoern A. Zeeb
You have to have visions!
It does not matter how good you are. It matters what good you do!

From owner-freebsd-jail@FreeBSD.ORG Mon Jan 23 16:43:08 2012
Date: Mon, 23 Jan 2012 10:43:07 -0600 (CST)
From: "Valeri Galtsev"
To: freebsd-jail@freebsd.org
Reply-To: galtsev@kicp.uchicago.edu
Subject: Re: multiple jails with multiple network interfaces

Thank you, Paul!

As I keep repeating myself, if nothing else helps, read the manual...

Knowing what I can do ipv4-wise in jail now, I'll just create multiple
jails for each of services, one per IP address.

Thanks a lot!

Sincerely yours,

Valeri

On Mon, January 23, 2012 1:01 am, Paul Schenkeveld wrote:
> On Sun, Jan 22, 2012 at 10:25:27PM -0600, Valeri Galtsev wrote:
>> Hello!
>>
>> I have a FreeBSD 9.0 host that is registered in DNS to appear with
>> multiple IP addresses:
>>
>> host some.host.com
>>
>> some.host.com has address a.b.c.x
>> some.host.com has address a.b.d.x
>> some.host.com has address a.b.e.x
>>
>> I built multiple jails to run one service in each following mostly:
>>
>> http://www.freebsd.org/doc/handbook/jails-application.html
>>
>> I am trying to start each of the jails with all network interfaces this
>> machine has configured (with the same IP addresses as interfaces are
>> configured on the host system). For that I have in jail related portion of
>> /etc/rc.conf the following
>>
>> jail_enable="YES"
>> jail_set_hostname_allow="NO"
>> jail_list="http ftp rsync pxe"
>> jail_http_hostname="some.host.com"
>> jail_http_ip="a.b.c.x,a.b.d.x,a.b.e.x"
>> jail_http_rootdir="/jail/http"
>> ...
>> jail_ftp_hostname="some.host.com"
>> jail_ftp_ip="a.b.c.x,a.b.d.x,a.b.e.x"
>> jail_ftp_rootdir="/jail/ftp"
>> ...
>>
>> When I start jails:
>>
>> /etc/rc.d/jail start
>>
>> first in the list jail starts perfectly (and I can verify that service
>> configured to run in it is accessible on all three public IP addresses of
>> the machine), all other jails, however, fail to start with the message
>>
>> some# /etc/rc.d/jail start
>> Configuring jails:.
>> Starting jails: some.host.com some.host.com some.host.com ...
>> cannot start jail "ftp"
>> .
>>
>> If I only leave one IP address in each of the jails, they all start OK. If
>> I configure some jails with different IP (on the same class C network),
>> leaving first jail with multiple IP addresses, e.g.:
>>
>> jail_http_hostname="some.host.com"
>> jail_http_ip="a.b.c.x,a.b.d.x,a.b.e.x"
>> jail_http_rootdir="/jail/http"
>> ...
>> jail_ftp_hostname="some.host.com"
>> jail_ftp_ip="a.b.c.y"
>> jail_ftp_rootdir="/jail/ftp"
>> ...
>>
>> all jails start OK (first with multiple IPs, and other with single
>> different IP). If first (in order of start) jail is with single IP, and
>> next jail is with multiple IPs including the IP of the first one:
>>
>> jail_http_hostname="some.host.com"
>> jail_http_ip="a.b.c.x"
>> jail_http_rootdir="/jail/http"
>> ...
>> jail_ftp_hostname="some.host.com"
>> jail_ftp_ip="a.b.c.x,a.b.d.x,a.b.e.x"
>> jail_ftp_rootdir="/jail/ftp"
>> ...
>>
>> then jail with multiple IPs will not start.
>>
>>
>> I tried to search, but I didn't find anybody mentioning having this
>> problem or having it resolved or just having similar configuration with
>> multiple IPs.
>>
>> Is there something obviously wrong that I'm doing?
>>
>> Is it possible that there is some restriction that will not allow me to
>> have this configuration?
>
> See jail(8):
>
>      ip4.addr
>              ... It is only possible to start
>              multiple jails with the same IP address, if none of the jails has
>              more than this single overlapping IP address assigned to itself.
>
> So jails can have the same IP4 address but that has to be the only IP4
> address of that jail, otherwise all addresses must be unique.
>
> Kind regards,
>
> Paul Schenkeveld
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
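
The ip4.addr rule quoted from jail(8) in this thread, applied as a pre-flight check to an rc.conf written in the thread's jail_list / jail_<name>_ip layout. This is an added example, not code from any post or from FreeBSD: it models the rule as a loop over the start order rather than reproducing the kernel's check, the function names are hypothetical, and the addresses are constructed documentation-range placeholders standing in for a.b.c.x.

```python
"""Pre-flight check for the jail(8) ip4.addr sharing rule (added example)."""
import ipaddress
import re
import shlex

# Constructed rc.conf fragment in the thread's layout. The addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_RC_CONF = """
jail_enable="YES"
jail_list="http ftp rsync pxe"
jail_http_ip="192.0.2.10,198.51.100.10,203.0.113.10"
jail_ftp_ip="192.0.2.10,198.51.100.10,203.0.113.10"
jail_rsync_ip="192.0.2.20"
jail_pxe_ip="192.0.2.20"
"""

ASSIGNMENT = re.compile(r"^\s*(jail_\w+)=(.*)$")


def parse_rc_vars(text):
    """Collect jail_* assignments; rc.conf is sh syntax, so unquote with shlex."""
    rc = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if not match:
            continue  # comments, blank lines, "..." and unrelated variables
        tokens = shlex.split(match.group(2), comments=True)
        rc[match.group(1)] = tokens[0] if tokens else ""
    return rc


def parse_jails(text):
    """Return {jail name: [IPv4Address, ...]} in jail_list (start) order."""
    rc = parse_rc_vars(text)
    jails = {}
    for name in rc.get("jail_list", "").split():
        addrs = []
        for item in rc.get("jail_%s_ip" % name, "").split(","):
            item = item.strip()
            if not item:
                continue
            addr = ipaddress.ip_address(item)  # ValueError on anything else
            if addr.version == 4:  # the quoted rule is about ip4.addr
                addrs.append(addr)
        jails[name] = addrs
    return jails


def find_conflicts(jails):
    """Walk jails in start order and report each one the rule would refuse.

    Two jails may share an IPv4 address only if that address is the sole
    IPv4 address of both. Returns (jail, blocking jail, shared addresses).
    """
    running = {}
    conflicts = []
    for name, addrs in jails.items():
        mine = set(addrs)
        blocker = None
        for other, theirs in running.items():
            shared = mine & theirs
            if shared and (len(mine) > 1 or len(theirs) > 1):
                blocker = (name, other, [str(a) for a in sorted(shared)])
                break
        if blocker:
            conflicts.append(blocker)  # never started, so it blocks nobody
        else:
            running[name] = mine
    return conflicts


if __name__ == "__main__":
    for jail, other, shared in find_conflicts(parse_jails(SAMPLE_RC_CONF)):
        print('jail "%s" would not start: shares %s with "%s"'
              % (jail, ", ".join(shared), other))
```

In the sample, rsync and pxe share one address and both pass because it is the only address each has, while ftp is refused because it overlaps http on more than a sole address.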