From owner-freebsd-jail@FreeBSD.ORG Mon Sep 3 11:09:38 2012
Date: Mon, 3 Sep 2012 11:09:35 GMT
Message-Id: <201209031109.q83B9Zhe046690@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/169751  jail       [jail] reading routing information does not work in ja
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail       [jail] inter-jail communication failure
o docs/156853  jail       [patch] Update docs: jail(8) security issues with worl
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

14 problems total.

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 3 12:21:08 2012
Date: Mon, 3 Sep 2012 12:21:03 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org, curtis@occnc.com
Subject: Re: IPv6 multicast sent to jail
In-Reply-To: <5039397B.7050205@FreeBSD.org>

On Sat, 25 Aug 2012, Jamie Gritton wrote:

...
>>>> Curtis
>>>
>>> Offhand, it does sound like a bug. I imagine the solution would be to
>>> reject the join - at least the easy solution to be done first until
>>> something more complicated can be done to make jails play nice with
>>> multicast.
>>>
>>> - Jamie
>>
>>
>> Jamie,
>>
>> Certainly not the preferred solution. Best would be a
>> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
>> and accepting the join and passing in multicast if 1. Same for v4,
>> though not of immediate concern since DHCPv4 doesn't need it.
>>
>> If you (or someone) would like to point me in the right direction, I
>> would be willing to put some time into learning the relevant code and
>> proposing a fix. No promises, but I can put some time into it. Off
>> list if you prefer.
>>
>> Curtis
>
> It'll have to be someone besides me - I don't know enough about
> multicast myself to be able to do more than keep it out of jails.

sysctl sounds bad to me; I think it should actually be grouped by ip4.*
and ip6.*. What do we currently do for raw sockets? Can we have a
third level easily, as in ip4.raw.*, ip6.mc.*, ... which of course would
kill the classic "allow" thing for raw sockets maybe?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
Stop bit received.
Insert coin for new address family.

From owner-freebsd-jail@FreeBSD.ORG Mon Sep 3 17:13:00 2012
Message-ID: <5044E512.6090209@FreeBSD.org>
Date: Mon, 03 Sep 2012 11:12:50 -0600
From: Jamie Gritton
To: freebsd-jail@FreeBSD.org
Subject: Re: Quotas inside jails
In-Reply-To: <20120831204129.GP30681@www.jail.lambertfam.org>

On 08/31/12 14:41, Scott Lambert wrote:
> On Thu, Aug 30, 2012 at 07:05:30PM -0400, Darek M wrote:
>> On Thu, Aug 30, 2012 at 5:32 PM, John Nielsen wrote:
>>>
>>> Another way to set hard quotas for jails is to give each one its
>>> own filesystem of fixed size. This is trivially easy with zfs--just
>>> create a zfs for each jail and set the quota property. To use UFS
>>> you can create image files of whatever size you want, make them
>>> md(4) devices, and then newfs(8) and mount(8) them. Unlike the
>>> method in the handbook, neither of these options requires kernel
>>> quota support.
>>
>> But these would be a quota for the entire jail. I'm interested in
>> having per-user quotas for users inside a jail.
>>
>> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
>> my missing link, and if so, why it is immutable.
>
> If using ZFS, you *could* create a file system with quota for each
> user's home directory in the jail. I'm not saying it would be
> pretty....
>
> With UFS, I think you would have to ensure that UID/GIDs do not
> overlap between jails, at least for the users you want to be affected
> by quotas. That could be as ugly as the thousands of ZFS file
> systems.

Well, you could if you trusted the jail admins not to use other UID/GIDs
(which he likely isn't even aware of). But the whole point of jails is
that you *don't* have to trust the admin.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 05:42:49 2012
Message-ID: <504594DF.4000105@shatow.net>
Date: Tue, 04 Sep 2012 00:42:55 -0500
From: Bryan Drewery
To: jail@freebsd.org
Subject: 9.1-PRERELEASE - allow.mount - allow.mount.zfs - do not get passed to child

I am unable to get these to pass into jails via /etc/rc.d/jail + ezjail.

I set them in the host:

security.jail.mount_allowed=1
security.jail.mount_zfs_allowed=1

What is the proper way to get these set?


Bryan

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 05:46:34 2012
Message-ID: <504595C6.9060807@shatow.net>
Date: Tue, 04 Sep 2012 00:46:46 -0500
From: Bryan Drewery
To: freebsd-jail@freebsd.org
Subject: Re: 9.1-PRERELEASE - allow.mount - allow.mount.zfs - do not get passed to child
In-Reply-To: <504594DF.4000105@shatow.net>

On 9/4/2012 12:42 AM, Bryan Drewery wrote:
> I am unable to get these to pass into jails via /etc/rc.d/jail + ezjail.
>
> I set them in the host:
>
> security.jail.mount_allowed=1
> security.jail.mount_zfs_allowed=1
>
> What is the proper way to get these set?
>
>

I used `jail -m` to set these, but they don't seem to work:

In host:

# jail -m jid=3 allow.mount allow.mount.zfs
# sysctl vfs.usermount=1

In jail:

# sysctl -a|grep mount
vfs.usermount: 1
...
security.jail.mount_zfs_allowed: 1
security.jail.mount_allowed: 1

# zfs mount -a
cannot mount 'backup': Insufficient privileges

This dataset is properly jailed=on and 'zfs jail' ran on it as well.

Bryan

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 05:50:08 2012
Message-ID: <5045969A.3020201@shatow.net>
Date: Tue, 04 Sep 2012 00:50:18 -0500
From: Bryan Drewery
To: freebsd-jail@freebsd.org
Subject: Re: 9.1-PRERELEASE - allow.mount - allow.mount.zfs - do not get passed to child
In-Reply-To: <504595C6.9060807@shatow.net>

On 9/4/2012 12:46 AM, Bryan Drewery wrote:
> On 9/4/2012 12:42 AM, Bryan Drewery wrote:
>> I am unable to get these to pass into jails via /etc/rc.d/jail + ezjail.
>>
>> I set them in the host:
>>
>> security.jail.mount_allowed=1
>> security.jail.mount_zfs_allowed=1
>>
>> What is the proper way to get these set?
>>
>>
>
> I used `jail -m` to set these, but they don't seem to work:
>
> In host:
>
> # jail -m jid=3 allow.mount allow.mount.zfs
> # sysctl vfs.usermount=1
>
> In jail:
>
> # sysctl -a|grep mount
> vfs.usermount: 1
> ...
> security.jail.mount_zfs_allowed: 1
> security.jail.mount_allowed: 1
>
> # zfs mount -a
> cannot mount 'backup': Insufficient privileges
>
> This dataset is properly jailed=on and 'zfs jail' ran on it as well.

Sorry for the noise..

# jail -m jid=3 enforce_statfs=1

Now it works.

Yes, I read the jail(8) and zfs(8) manpages. My biggest problem was the
params not being passed in at startup.

Bryan

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 08:55:14 2012
Date: Tue, 4 Sep 2012 08:55:04 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: freebsd-jail@freebsd.org, mm@freebsd.org, pjd@freebsd.org, jamie@freebsd.org
Subject: Fixed Jail ID for ZFS -> need proper mgmt?

Hi,

I had been talking to someone about jail management and it turns out
people are using jail jid=42 to always have a fixed jail ID. The
reason as I understood is that ZFS datasets are associated by jail id
for delegation? [I admit having no clue about the ZFS side]

If this is true I feel it's a very bad idea as it makes restarting
jails a lot harder in case they remain DYING for say a not fully
closed TCP session.

My memories are: jid are still unique and cannot be re-used, even if
in DYING, names can be re-used and thus are not necessarily unique.
Jamie, can you confirm this?

Seems we need to sort out one to two problems:

1) can we make sure that the jail management framework can address a
   ZFS dataset for delegation somehow and automatically do that as
   part of the startup?

2) in the case of (1) it should be possible to address jails by name
   as ZFS would be handled automatically and we would not need another
   unique identifier I guess?
   Otherwise I'd prefer for people to be able to delegate ZFS datasets
   to jail names (as well), as long as they are uniquely identifiable
   (i.e. there are no 17 jails running with a name of "filesever").

Do we have documentation for the ZFS features in the man pages or
elsewhere btw? If not we should add it.

Does this make sense?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
Stop bit received. Insert coin for new address family.

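Added example, not part of any message in this archive: a POSIX shell check for the jail-side settings the allow.mount thread above ended up needing (allow.mount, allow.mount.zfs, enforce_statfs below 2) together with the dataset's jailed property. The parameter lines are constructed samples in the style of `jls -n`, and the jail names backupjail and web are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Parameter lines are constructed
# samples in the space-separated style of `jls -n`, where a boolean
# parameter appears as "allow.mount" when set and "allow.nomount" when clear.

# jail_param LINE NAME
#   Prints the value of NAME from LINE: "1"/"0" for a boolean, the text
#   after "=" otherwise, and nothing if NAME does not appear at all.
jail_param() {
    _line=$1 _name=$2
    # The negated form puts "no" before the last dotted component:
    # allow.mount -> allow.nomount, allow.mount.zfs -> allow.mount.nozfs
    case $_name in
        *.*) _neg="${_name%.*}.no${_name##*.}" ;;
        *)   _neg="no$_name" ;;
    esac
    for _tok in $_line; do
        case $_tok in
            "$_name")   echo 1; return 0 ;;
            "$_neg")    echo 0; return 0 ;;
            "$_name="*) echo "${_tok#*=}"; return 0 ;;
        esac
    done
    return 0
}

# zfs_mount_blockers LINE JAILED
#   LINE:   jail parameters as above
#   JAILED: value of the dataset's "jailed" property (on/off)
#   Prints one line per unmet prerequisite; prints nothing if all are met.
zfs_mount_blockers() {
    _params=$1 _jailed=$2
    [ "$(jail_param "$_params" allow.mount)" = 1 ] ||
        echo "allow.mount not set"
    [ "$(jail_param "$_params" allow.mount.zfs)" = 1 ] ||
        echo "allow.mount.zfs not set"
    # jail(8): allow.mount.zfs only takes effect together with allow.mount
    # and with enforce_statfs lower than 2.
    _es=$(jail_param "$_params" enforce_statfs)
    case $_es in
        0|1) ;;
        '')  echo "enforce_statfs not reported" ;;
        *)   echo "enforce_statfs=$_es (must be lower than 2)" ;;
    esac
    [ "$_jailed" = on ] ||
        echo "dataset jailed property is '$_jailed', not 'on'"
    return 0
}

# Constructed samples: the state after the first `jail -m` in the thread,
# the state after also setting enforce_statfs=1, and an untouched jail.
BEFORE='jid=3 name=backupjail enforce_statfs=2 allow.mount allow.mount.zfs'
AFTER='jid=3 name=backupjail enforce_statfs=1 allow.mount allow.mount.zfs'
DEFAULTS='jid=4 name=web enforce_statfs=2 allow.nomount allow.mount.nozfs'

echo "before enforce_statfs change:"
zfs_mount_blockers "$BEFORE" on
echo "after enforce_statfs change:"
zfs_mount_blockers "$AFTER" on
echo "untouched jail, dataset not jailed:"
zfs_mount_blockers "$DEFAULTS" off
```

On a host, the live inputs would come from `jls -j 3 -n` and `zfs get -H -o value jailed backup`.
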
From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 09:30:54 2012
From: "Steven Hartland"
To: "Bjoern A. Zeeb"
Date: Tue, 4 Sep 2012 10:30:09 +0100
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

----- Original Message -----
From: "Bjoern A. Zeeb"
Sent: Tuesday, September 04, 2012 9:55 AM
Subject: Fixed Jail ID for ZFS -> need proper mgmt?

> Hi,
>
> I had been talking to someone about jail management and it turns out
> people are using jail jid=42 to always have a fixed jail ID. The
> reason as I understood is that ZFS datasets are associated by jail id
> for delegation? [I admit having no clue about the ZFS side]
>
> If this is true I feel it's a very bad idea as it makes restarting
> jails a lot harder in case they remain DYING for say a not fully
> closed TCP session.
>
> My memories are: jid are still unique and cannot be re-used, even if
> in DYING, names can be re-used and thus are not necessarily unique.
> Jamie, can you confirm this?
>
> Seems we need to sort out one to two problems:
>
> 1) can we make sure that the jail management framework can address a
>    ZFS dataset for delegation somehow and automatically do that as
>    part of the startup?
>
> 2) in the case of (1) it should be possible to address jails by name
>    as ZFS would be handled automatically and we would not need another
>    unique identifier I guess?
>    Otherwise I'd prefer for people to be able to delegate ZFS datasets
>    to jail names (as well), as long as they are uniquely identifiable
>    (i.e. there are no 17 jails running with a name of "filesever").
>
> Do we have documentation for the ZFS features in the man pages or
> elsewhere btw? If not we should add it.
>
> Does this make sense?

We use fixed jid's here to ensure only one copy of a jail is started.

If a jail is in a dying state you can still resurrect it if you're
looking to restart it so it's not as big a deal as you may think.

Regards
Steve

================================================
This e.mail is private and confidential between Multiplay (UK) Ltd. and
the person or entity to whom it is addressed.
In the event of misdirection, the recipient is prohibited from using,
copying, printing or otherwise disseminating it or any information
contained in it.

In the event of misdirection, illegible or incomplete transmission please
telephone +44 845 868 1337 or return the E.mail to
postmaster@multiplay.co.uk.

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 09:33:15 2012
Message-ID: <5045CAD2.9030507@FreeBSD.org>
Date: Tue, 04 Sep 2012 11:33:06 +0200
From: Martin Matuska
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org, pjd@freebsd.org, jamie@freebsd.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
> Hi,
>
> I had been talking to someone about jail management and it turns out
> people are using jail jid=42 to always have a fixed jail ID. The
> reason as I understood is that ZFS datasets are associated by jail id
> for delegation? [I admit having no clue about the ZFS side]
>
ZFS can be delegated to a jail's id using the "zfs jail" subcommand.
> If this is true I feel it's a very bad idea as it makes restarting
> jails a lot harder in case they remain DYING for say a not fully
> closed TCP session.
>
> My memories are: jid are still unique and cannot be re-used, even if
> in DYING, names can be re-used and thus are not necessarily unique.
> Jamie, can you confirm this?
>
> Seems we need to sort out one to two problems:
>
> 1) can we make sure that the jail management framework can address a
>    ZFS dataset for delegation somehow and automatically do that as
>    part of the startup?
>
IMO the best way would be adding ZFS features to jail startup. I have
already proposed such a script, see the sysutils/jailrc port.
To have delegated ZFS datasets manageable in a jail, we need the
following:
a) /dev/zfs must be available in the jail
b) zfs jail jailid dataset has to be called (this makes the dataset
   visible in a jail) - this has to be done every time the jail is
   created
c) the dataset needs the jailed property set to "on" (this makes the
   dataset manageable) - this is a permanent property, I am not sure if
   this should be managed from the startup script

> 2) in the case of (1) it should be possible to address jails by name
>    as ZFS would be handled automatically and we would not need another
>    unique identifier I guess?
>    Otherwise I'd prefer for people to be able to delegate ZFS datasets
>    to jail names (as well), as long as they are uniquely identifiable
>    (i.e. there are no 17 jails running with a name of "filesever").
>
The binding of a ZFS dataset to a jail has to be exact. So we end up
with id's.
But we could add something like "zfs datasets" to the jail's
configuration file. The jail command would then simply exec "zfs jail
jailid dataset" for each of the datasets on jail creation right before
initiating rc startup and "zfs unjail jailid dataset" for each of the
datasets after jail's rc shutdown but before the jail is destroyed.
> Do we have documentation for the ZFS features in the man pages or
> elsewhere btw? If not we should add it.
>
zfs(8), section "Jails" and subcommands "jail", "unjail"
> Does this make sense?
>
> /bz
>
Cheers,
mm

-- 
Martin Matuska
FreeBSD committer
http://blog.vx.sk

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 10:00:52 2012
Date: Tue, 4 Sep 2012 12:00:54 +0200
From: Pawel Jakub Dawidek
To: Martin Matuska
Cc: "Bjoern A. Zeeb", freebsd-jail@freebsd.org, jamie@freebsd.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?
Message-ID: <20120904100054.GA1405@garage.freebsd.pl>
In-Reply-To: <5045CAD2.9030507@FreeBSD.org>

On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
> > 2) in the case of (1) it should be possible to address jails by name
> >    as ZFS would be handled automatically and we would not need another
> >    unique identifier I guess?
> >    Otherwise I'd prefer for people to be able to delegate ZFS datasets
> >    to jail names (as well), as long as they are uniquely identifiable
> >    (i.e. there are no 17 jails running with a name of "filesever").
> >
> The binding of a ZFS dataset to a jail has to be exact. So we end up
> with id's.
> But we could add something like "zfs datasets" to the jail's
> configuration file. The jail command would then simply exec "zfs jail
> jailid dataset" for each of the datasets on jail creation right before
> initiating rc startup and "zfs unjail jailid dataset" for each of the
> datasets after jail's rc shutdown but before the jail is destroyed.

Datasets shall not be unjailed. Jailing dataset means that it won't be
mounted in the main system.
You need to run 'zfs mount -a' within a jail, during it start-up to mount its datasets. This is much safer than mounting anything in jail's directory tree from the main system. We already had security issues because of that. This is also how it works in Solaris/IllumOS with zones. And I can't resist to remind how opposed I was to jail ids in the first place. Especially because they were dynamically allocated. When they were introduced I recommended jail names, which we ended up with anyway, but now we have all this jailid thing to manage in older FreeBSD versions. All in all we should move to using jail names, IMHO, the same way zone names are used in Solaris/IllumOS. When I was adding jail support to ZFS there were no jail names, only jail hostnames, which weren't an option really. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://tupytaj.pl --1yeeQ81UyVL57Vl7 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlBF0VYACgkQForvXbEpPzTyQwCcDhIDnYnwtCykB4EbOQ5iSqxg B0IAn0qOzF8x+IufLYkwIqh5iV56ujiv =Sh58 -----END PGP SIGNATURE----- --1yeeQ81UyVL57Vl7-- From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 10:20:38 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 670C7106566B; Tue, 4 Sep 2012 10:20:38 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (mx1.sbone.de [IPv6:2a01:4f8:130:3ffc::401:25]) by mx1.freebsd.org (Postfix) with ESMTP id E48388FC15; Tue, 4 Sep 2012 10:20:37 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id B895425D3A99; Tue, 4 Sep 2012 10:20:36 +0000 (UTC) Received: from 
content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id B0344BE84AE; Tue, 4 Sep 2012 10:20:35 +0000 (UTC) X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id HRoTvPBRKkDz; Tue, 4 Sep 2012 10:20:33 +0000 (UTC) Received: from nv.sbone.de (nv.sbone.de [IPv6:fde9:577b:c1a9:31::2013:138]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 90F38BE84AC; Tue, 4 Sep 2012 10:20:33 +0000 (UTC) Date: Tue, 4 Sep 2012 10:20:32 +0000 (UTC) 
From: "Bjoern A. Zeeb"
To: Pawel Jakub Dawidek
Cc: freebsd-jail@freebsd.org, Martin Matuska, jamie@freebsd.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?
In-Reply-To: <20120904100054.GA1405@garage.freebsd.pl>

On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote:

> On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
>> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
>>> 2) in the case of (1) it should be possible to address jails by name
>>> as ZFS would be handled automatically and we would not need another
>>> unique identifier I guess?
>>> Otherwise I'd prefer for people to be able to delegate ZFS datasets
>>> to jail names (as well), as long as they are uniquely identifiable
>>> (i.e. there are no 17 jails running with a name of "filesever").
>>>
>> The binding of a ZFS dataset to a jail has to be exact. So we end up
>> with id's.
>> But we could add something like "zfs datasets" to the jail's
>> configuration file. The jail command would then simply exec "zfs jail
>> jailid dataset" for each of the datasets on jail creation right before
>> initiating rc startup and "zfs unjail jailid dataset" for each of the
>> datasets after jail's rc shutdown but before the jail is destroyed.
>
> Datasets shall not be unjailed. Jailing dataset means that it won't be
> mounted in the main system. You need to run 'zfs mount -a' within a
> jail, during its start-up to mount its datasets. This is much safer than
> mounting anything in jail's directory tree from the main system. We
> already had security issues because of that. This is also how it works
> in Solaris/IllumOS with zones.
>
> And I can't resist to remind how opposed I was to jail ids in the first
> place. Especially because they were dynamically allocated. When they
> were introduced I recommended jail names, which we ended up with anyway,
> but now we have all this jailid thing to manage in older FreeBSD
> versions.
>
> All in all we should move to using jail names, IMHO, the same way zone
> names are used in Solaris/IllumOS. When I was adding jail support to ZFS
> there were no jail names, only jail hostnames, which weren't an option
> really.

I guess we'd need to end up with name and if not unique + ID or
something? Really IDs are not the problem as long as they never
appear anywhere in the config file? Just not sure given names are not
unique how to handle it the right way?

/bz

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 17:10:08 2012
Message-ID: <504635E9.5080007@FreeBSD.org>
Date: Tue, 04 Sep 2012 11:10:01 -0600
From: Jamie Gritton
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@FreeBSD.org, pjd@FreeBSD.org, mm@FreeBSD.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

On 09/04/12 02:55, Bjoern A. Zeeb wrote:
> Hi,
>
> I had been talking to someone about jail management and it turns out
> people are using jail jid=42 to always have a fixed jail ID. The
> reason as I understood is that ZFS datasets are associated by jail id
> for delegation? [I admit having no clue about the ZFS side]
>
> If this is true I feel it's a very bad idea as it makes restarting
> jails a lot harder in case they remain DYING for say a not fully
> closed TCP session.
>
> My memories are: jid are still unique and cannot be re-used, even if
> in DYING, names can be re-used and thus are not necessarily unique.
> Jamie, can you confirm this?
>
> Seems we need to sort out one to two problems:
>
> 1) can we make sure that the jail management framework can address a
> ZFS dataset for delegation somehow and automatically do that as
> part of the startup?
>
> 2) in the case of (1) it should be possible to address jails by name
> as ZFS would be handled automatically and we would not need another
> unique identifier I guess?
> Otherwise I'd prefer for people to be able to delegate ZFS datasets
> to jail names (as well), as long as they are uniquely identifiable
> (i.e. there are no 17 jails running with a name of "filesever").
>
> Do we have documentation for the ZFS features in the man pages or
> elsewhere btw? If not we should add it.
>
> Does this make sense?
>
> /bz

It's true that a jail left in the DYING state can't be re-created
normally. But it can with the "-d" flag or the "allow.dying" parameter.
In that case, an existing but dying jail will be re-attached to and thus
resurrected. So it can be gotten around, and would be a matter of
education. Or perhaps we could change the default behavior to silently
allow re-creation of dying jails. Is there any harm in this? I.e. would
there be any difference noticeable to the user if a jail was created
with some old TCP connections attached to it?

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 17:14:46 2012
Message-ID: <504636F9.6050202@FreeBSD.org>
Date: Tue, 04 Sep 2012 11:14:33 -0600
From: Jamie Gritton
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@FreeBSD.org, Pawel Jakub Dawidek, Martin Matuska
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

On 09/04/12 04:20, Bjoern A. Zeeb wrote:
> On Tue, 4 Sep 2012, Pawel Jakub Dawidek wrote:
>
>> On Tue, Sep 04, 2012 at 11:33:06AM +0200, Martin Matuska wrote:
>>> On 4. 9. 2012 10:55, Bjoern A. Zeeb wrote:
>>>> 2) in the case of (1) it should be possible to address jails by name
>>>> as ZFS would be handled automatically and we would not need another
>>>> unique identifier I guess?
>>>> Otherwise I'd prefer for people to be able to delegate ZFS datasets
>>>> to jail names (as well), as long as they are uniquely identifiable
>>>> (i.e. there are no 17 jails running with a name of "filesever").
>>>>
>>> The binding of a ZFS dataset to a jail has to be exact. So we end up
>>> with id's.
>>> But we could add something like "zfs datasets" to the jail's
>>> configuration file. The jail command would then simply exec "zfs jail
>>> jailid dataset" for each of the datasets on jail creation right before
>>> initiating rc startup and "zfs unjail jailid dataset" for each of the
>>> datasets after jail's rc shutdown but before the jail is destroyed.
>>
>> Datasets shall not be unjailed. Jailing dataset means that it won't be
>> mounted in the main system. You need to run 'zfs mount -a' within a
>> jail, during its start-up to mount its datasets. This is much safer than
>> mounting anything in jail's directory tree from the main system. We
>> already had security issues because of that. This is also how it works
>> in Solaris/IllumOS with zones.
>>
>> And I can't resist to remind how opposed I was to jail ids in the first
>> place. Especially because they were dynamically allocated. When they
>> were introduced I recommended jail names, which we ended up with anyway,
>> but now we have all this jailid thing to manage in older FreeBSD
>> versions.
>>
>> All in all we should move to using jail names, IMHO, the same way zone
>> names are used in Solaris/IllumOS. When I was adding jail support to ZFS
>> there were no jail names, only jail hostnames, which weren't an option
>> really.
>
> I guess we'd need to end up with name and if not unique + ID or
> something? Really IDs are not the problem as long as they never
> appear anywhere in the config file? Just not sure given names are not
> unique how to handle it the right way?
>
> /bz

Names are unique. And we don't have the dying-jail problem with them, as
creating a jail with the same name as a dying jail is allowed. OK, that
means that jail names aren't quite unique - but they're at least unique
among the non-dying set.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 18:40:46 2012
In-Reply-To: <50410B12.6050606@FreeBSD.org>
Date: Tue, 4 Sep 2012 14:40:44 -0400
From: Darek M
To: Jamie Gritton
Cc: FreeBSD-Jail
Subject: Re: Quotas inside jails

On Fri, Aug 31, 2012 at 3:05 PM, Jamie Gritton wrote:
> On 08/30/12 17:05, Darek M wrote:
>> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
>> my missing link, and if so, why it is immutable.
>
>
> The security.jail.param.* sysctls are part of the jail_get/set system
> calls, and are all immutable; they serve only to define the available
> jail parameters.
>
> So the question now comes to the allow.quotas parameter. If you set this
> on a jail, then you will indeed be able to manipulate quotas inside the
> jail. But the quotas still aren't per-jail - they're keyed only on
> UID/GID, and would share with anyone outside the jail using the same
> UID/GID. That's fine if the jail has its own filesystem, but not if it
> shares with other jails or (especially) with the host system.
>
> - Jamie

Indeed, this looks to be my missing piece. Using distinct UIDs on
each jail should be easily doable, and would be cleaner than using
zfs, etc.

However, I tried setting "security.jail.param.allow.quotas" to 1
inside the jail via /etc/sysctl.conf and /boot/loader.conf and it
remains at 0. Am I trying to enable it the wrong way?

--
Darek

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 18:47:16 2012
Message-ID: <50464CAD.8080108@FreeBSD.org>
Date: Tue, 04 Sep 2012 12:47:09 -0600
From: Jamie Gritton
To: Darek M
Cc: FreeBSD-Jail
Subject: Re: Quotas inside jails

On 09/04/12 12:40, Darek M wrote:
> On Fri, Aug 31, 2012 at 3:05 PM, Jamie Gritton wrote:
>> On 08/30/12 17:05, Darek M wrote:
>
>>> I'm curious whether the "security.jail.param.allow.quotas" sysctl is
>>> my missing link, and if so, why it is immutable.
>>
>>
>> The security.jail.param.* sysctls are part of the jail_get/set system
>> calls, and are all immutable; they serve only to define the available
>> jail parameters.
>>
>> So the question now comes to the allow.quotas parameter. If you set this
>> on a jail, then you will indeed be able to manipulate quotas inside the
>> jail. But the quotas still aren't per-jail - they're keyed only on
>> UID/GID, and would share with anyone outside the jail using the same
>> UID/GID. That's fine if the jail has its own filesystem, but not if it
>> shares with other jails or (especially) with the host system.
>>
>> - Jamie
>
> Indeed, this looks to be my missing piece. Using distinct UIDs on
> each jail should be easily doable, and would be cleaner than using
> zfs, etc.
>
> However, I tried setting "security.jail.param.allow.quotas" to 1
> inside the jail via /etc/sysctl.conf and /boot/loader.conf and it
> remains at 0. Am I trying to enable it the wrong way?

Yes. You need to set the "allow.quotas" parameter in the jail. There's
not a good way to do that from rc at this moment, but a
"jail -m jid= allow.quotas" should do the trick after the jail is up
and running.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 20:36:11 2012
Date: Tue, 4 Sep 2012 20:36:06 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org, Pawel Jakub Dawidek, Martin Matuska
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?
In-Reply-To: <504636F9.6050202@FreeBSD.org>

On Tue, 4 Sep 2012, Jamie Gritton wrote:

> Names are unique. And we don't have the dying-jail problem with them, as
> creating a jail with the same name as a dying jail is allowed. OK, that
> means that jail names aren't quite unique - but they're at least unique
> among the non-dying set.

Perfect; all we need.

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 20:37:34 2012
Date: Tue, 4 Sep 2012 20:37:30 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org, pjd@FreeBSD.org, mm@FreeBSD.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?
In-Reply-To: <504635E9.5080007@FreeBSD.org>

On Tue, 4 Sep 2012, Jamie Gritton wrote:

> It's true that a jail left in the DYING state can't be re-created
> normally. But it can with the "-d" flag or the "allow.dying" parameter.
> In that case, an existing but dying jail will be re-attached to and thus
> resurrected. So it can be gotten around, and would be a matter of
> education. Or perhaps we could change the default behavior to silently
> allow re-creation of dying jails. Is there any harm in this? I.e. would
> there be any difference noticeable to the user if a jail was created
> with some old TCP connections attached to it?

Yes, really bad and TCP is not the only thing in theory. Assume
your management does not make sure the same user gets the same jail;
you leak a lot of (possibly security related) information. Would also
make it quite hard in terms of auditing etc. to get this right unless
done knowingly and on purpose.

--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 4 20:46:48 2012
Message-ID: <504668B0.1080000@FreeBSD.org>
Date: Tue, 04 Sep 2012 14:46:40 -0600
From: Jamie Gritton
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@FreeBSD.org, pjd@FreeBSD.org, mm@FreeBSD.org
Subject: Re: Fixed Jail ID for ZFS -> need proper mgmt?

On 09/04/12 14:37, Bjoern A. Zeeb wrote:
> On Tue, 4 Sep 2012, Jamie Gritton wrote:
>
>> It's true that a jail left in the DYING state can't be re-created
>> normally. But it can with the "-d" flag or the "allow.dying" parameter.
>> In that case, an existing but dying jail will be re-attached to and thus
>> resurrected. So it can be gotten around, and would be a matter of
>> education. Or perhaps we could change the default behavior to silently
>> allow re-creation of dying jails. Is there any harm in this? I.e. would
>> there be any difference noticeable to the user if a jail was created
>> with some old TCP connections attached to it?
>
> Yes, really bad and TCP is not the only thing in theory. Assume
> your management does not make sure the same user gets the same jail;
> you leak a lot of (possibly security related) information. Would also
> make it quite hard in terms of auditing etc. to get this right unless
> done knowingly and on purpose.

This isn't a ZFS concern anymore it sounds like (if we tie ZFS to
names), but I still wonder about better handling of dying jails.

The other question that comes to mind is, could we make dying jails
closer to nonexistent than they are? Such as stripping them of their
jid, so a jid could be immediately re-used - and a dying jail couldn't
be queried via jail_get. Or perhaps passing off a removed jail's
TIME_WAIT tcp connections to a placeholder jail, possibly to prison0?
I suppose vnet could complicate either of those in ways I'm unaware of.

- Jamie

From owner-freebsd-jail@FreeBSD.ORG Wed Sep 5 19:14:41 2012
Message-Id: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>
To: "Bjoern A. Zeeb"
From: Curtis Villamizar
In-reply-to: Your message of "Mon, 03 Sep 2012 12:21:03 -0000."
Date: Wed, 05 Sep 2012 15:14:39 -0400
Cc: freebsd-jail@FreeBSD.org, Jamie Gritton, curtis@occnc.com
Subject: Re: IPv6 multicast sent to jail
Reply-To: curtis@occnc.com

In message
"Bjoern A. Zeeb" writes:

> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>
> ...
> >>>> Curtis
> >>>
> >>> Offhand, it does sound like a bug. I imagine the solution would be to
> >>> reject the join - at least the easy solution to be done first until
> >>> something more complicated can be done to make jails play nice with
> >>> multicast.
> >>>
> >>> - Jamie
> >>
> >>
> >> Jamie,
> >>
> >> Certainly not the preferred solution. Best would be a
> >> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
> >> and accepting the join and passing in multicast if 1. Same for v4,
> >> though not of immediate concern since DHCPv4 doesn't need it.
> >>
> >> If you (or someone) would like to point me in the right direction, I
> >> would be willing to put some time into learning the relevant code and
> >> proposing a fix. No promises, but I can put some time into it. Off
> >> list if you prefer.
> >>
> >> Curtis
> >
> > It'll have to be someone besides me - I don't know enough about
> > multicast myself to be able to do more than keep it out of jails.
>
> sysctl sounds bad to me; I think it should actually be grouped by
> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
> course would kill the classic "allow" thing for raw sockets maybe?
>
> /bz

For raw sockets the sysctl variable is:

  security.jail.allow_raw_sockets

One sysctl variable for both inet and inet6 AF. Perhaps a reasonable
name would be:

  security.jail.ip4.allow_multicast
  security.jail.ip6.allow_multicast

Just to be clear, I was hoping to get some help if I were to make an
attempt to allow ipv6 multicast through, though I suspect that the
code would be very similar for ipv4.

Curtis

> --
> Bjoern A. Zeeb You have to have visions!
> Stop bit received. Insert coin for new address family.

From owner-freebsd-jail@FreeBSD.ORG Wed Sep 5 22:51:16 2012
Date: Wed, 5 Sep 2012 22:51:10 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Curtis Villamizar
Cc: freebsd-jail@FreeBSD.org, Jamie Gritton
Subject: Re: IPv6 multicast sent to jail
In-Reply-To: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>

On Wed, 5 Sep 2012, Curtis Villamizar wrote:

>
> In message
> "Bjoern A. Zeeb" writes:
>
>> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>>
>> ...
>>>>>> Curtis
>>>>>
>>>>> Offhand, it does sound like a bug. I imagine the solution would be to
>>>>> reject the join - at least the easy solution to be done first until
>>>>> something more complicated can be done to make jails play nice with
>>>>> multicast.
>>>>>
>>>>> - Jamie
>>>>
>>>>
>>>> Jamie,
>>>>
>>>> Certainly not the preferred solution. Best would be a
>>>> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
>>>> and accepting the join and passing in multicast if 1. Same for v4,
>>>> though not of immediate concern since DHCPv4 doesn't need it.
>>>>
>>>> If you (or someone) would like to point me in the right direction, I
>>>> would be willing to put some time into learning the relevant code and
>>>> proposing a fix. No promises, but I can put some time into it. Off
>>>> list if you prefer.
>>>>
>>>> Curtis
>>>
>>> It'll have to be someone besides me - I don't know enough about
>>> multicast myself to be able to do more than keep it out of jails.
>>
>> sysctl sounds bad to me; I think it should actually be grouped by
>> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
>> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
>> course would kill the classic "allow" thing for raw sockets maybe?
>>
>> /bz
>
> For raw sockets the sysctl variable is:
>
> security.jail.allow_raw_sockets
>
> One sysctl variable for both inet and inet6 AF. Perhaps a reasonable
> name would be:
>
> security.jail.ip4.allow_multicast
> security.jail.ip6.allow_multicast
>
> Just to be clear, I was hoping to get some help if I were to make an
> attempt to allow ipv6 multicast through, though I suspect that the
> code would be very similar for ipv4.

The sysctls are mostly not relevant anymore but yes, if we can get
these options we can look at the code. Defaults to off.
I might be able to help on the v6 trailing end. Jamie could you
prepare the jail options changes for us?

--
Bjoern A. Zeeb   You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-jail@FreeBSD.ORG Fri Sep 7 15:04:50 2012
Message-ID: <504A0D03.7040700@FreeBSD.org>
Date: Fri, 07 Sep 2012 09:04:35 -0600
From: Jamie Gritton
To: freebsd-jail@FreeBSD.org
Cc: "Bjoern A. Zeeb", Curtis Villamizar
Subject: Re: IPv6 multicast sent to jail
References: <201209051914.q85JEdGR058616@gateway2.orleans.occnc.com>

On 09/05/12 16:51, Bjoern A. Zeeb wrote:
> On Wed, 5 Sep 2012, Curtis Villamizar wrote:
>
>>
>> In message
>> "Bjoern A. Zeeb" writes:
>>
>>> On Sat, 25 Aug 2012, Jamie Gritton wrote:
>>>
>>> ...
>>>>>>> Curtis
>>>>>>
>>>>>> Offhand, it does sound like a bug. I imagine the solution would be to
>>>>>> reject the join - at least the easy solution to be done first until
>>>>>> something more complicated can be done to make jails play nice with
>>>>>> multicast.
>>>>>>
>>>>>> - Jamie
>>>>>
>>>>>
>>>>> Jamie,
>>>>>
>>>>> Certainly not the preferred solution. Best would be a
>>>>> jail.allow-ipv6multicast sysctl variable with rejecting the join if 0
>>>>> and accepting the join and passing in multicast if 1. Same for v4,
>>>>> though not of immediate concern since DHCPv4 doesn't need it.
>>>>>
>>>>> If you (or someone) would like to point me in the right direction, I
>>>>> would be willing to put some time into learning the relevant code and
>>>>> proposing a fix. No promises, but I can put some time into it. Off
>>>>> list if you prefer.
>>>>>
>>>>> Curtis
>>>>
>>>> It'll have to be someone besides me - I don't know enough about
>>>> multicast myself to be able to do more than keep it out of jails.
>>>
>>> sysctl sounds bad to me; I think it should actually be grouped by
>>> ip4.* and ip6.*. What do we currently do for raw sockets? Can we
>>> have a third level easily, as in ip4.raw.*, ip6.mc.*, ... which of
>>> course would kill the classic "allow" thing for raw sockets maybe?
>>>
>>> /bz
>>
>> For raw sockets the sysctl variable is:
>>
>> security.jail.allow_raw_sockets
>>
>> One sysctl variable for both inet and inet6 AF. Perhaps a reasonable
>> name would be:
>>
>> security.jail.ip4.allow_multicast
>> security.jail.ip6.allow_multicast
>>
>> Just to be clear, I was hoping to get some help if I were to make an
>> attempt to allow ipv6 multicast through, though I suspect that the
>> code would be very similar for ipv4.
>
> The sysctls are mostly not relevant anymore but yes, if we can get
> these options we can look at the code. Defaults to off.
> I might be able to help on the v6 trailing end. Jamie could you
> prepare the jail options changes for us?

Here's a patch that adds flags for multicast, with the parameters
ip4.multicast and ip6.multicast. They default to false, and don't have
any associated sysctls (which I'd like to phase out). This needs work
on my end, as far as making sure permissions are handled correctly for
jail hierarchies, but is enough for starting the work on the multicast
side of things. The check you'll want to make is
prison_flag(cred, PR_IP4_MCAST).

- Jamie

Content-Disposition: attachment; filename="mcast.diff"

Index: sys/sys/jail.h =================================================================== --- sys/sys/jail.h (revision 240198) +++ sys/sys/jail.h (working copy) 
@@ -207,6 +207,8 @@ /* primary jail address. */ #define PR_IP6_SADDRSEL 0x00000100 /* Do IPv6 src addr sel. or use the */ /* primary jail address. */ +#define PR_IP4_MCAST 0x00000200 /* Allow IPv4 multicast */ +#define PR_IP6_MCAST 0x00000400 /* Allow IPv6 multicast */ /* Internal flag bits */ #define PR_REMOVE 0x01000000 /* In process of being removed */ Index: sys/kern/kern_jail.c =================================================================== --- sys/kern/kern_jail.c (revision 240198) +++ sys/kern/kern_jail.c (working copy) @@ -84,14 +84,17 @@ #ifdef INET #ifdef INET6 #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL|PR_IP6_SADDRSEL +#define _PR_IP_MCAST PR_IP4_MCAST|PR_IP6_MCAST #else #define _PR_IP_SADDRSEL PR_IP4_SADDRSEL +#define _PR_IP_MCAST PR_IP4_MCAST #endif #else /* !INET */ #ifdef INET6 #define _PR_IP_SADDRSEL PR_IP6_SADDRSEL +#define _PR_IP_MCAST PR_IP6_MCAST #else -#define _PR_IP_SADDRSEL 0 +#define _PR_IP_MCAST 0 #endif #endif @@ -108,9 +111,9 @@ .pr_hostuuid = DEFAULT_HOSTUUID, .pr_children = LIST_HEAD_INITIALIZER(prison0.pr_children), #ifdef VIMAGE - .pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL, + .pr_flags = PR_HOST|PR_VNET|_PR_IP_SADDRSEL|_PR_IP_MCAST, #else - .pr_flags = PR_HOST|_PR_IP_SADDRSEL, + .pr_flags = PR_HOST|_PR_IP_SADDRSEL|_PR_IP_MCAST, #endif .pr_allow = PR_ALLOW_ALL, }; @@ -158,9 +161,11 @@ [0] = "persist", #ifdef INET [7] = "ip4.saddrsel", + [9] = "ip4.multicast", #endif #ifdef INET6 [8] = "ip6.saddrsel", + [10] = "ip6.multicast", #endif }; const size_t pr_flag_names_size = sizeof(pr_flag_names); @@ -169,9 +174,11 @@ [0] = "nopersist", #ifdef INET [7] = "ip4.nosaddrsel", + [9] = "ip4.nomulticast", #endif #ifdef INET6 [8] = "ip6.nosaddrsel", + [10] = "ip6.nomulticast", #endif }; const size_t pr_flag_nonames_size = sizeof(pr_flag_nonames); 
@@ -232,6 +239,7 @@ static int jail_default_devfs_rsnum = JAIL_DEFAULT_DEVFS_RSNUM; #if defined(INET) || defined(INET6) static unsigned jail_max_af_ips = 255; +static unsigned jail_default_ip = JAIL_DEFAULT_ALLOW; #endif #ifdef INET @@ -4341,6 +4349,8 @@ SYSCTL_JAIL_PARAM(_ip4, saddrsel, CTLTYPE_INT | CTLFLAG_RW, "B", "Do (not) use IPv4 source address selection rather than the " "primary jail IPv4 address."); +SYSCTL_JAIL_PARAM(_ip4, multicast, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may use IPv4 multicast addresses"); #endif #ifdef INET6 SYSCTL_JAIL_PARAM_SYS_NODE(ip6, CTLFLAG_RDTUN, @@ -4350,6 +4360,8 @@ SYSCTL_JAIL_PARAM(_ip6, saddrsel, CTLTYPE_INT | CTLFLAG_RW, "B", "Do (not) use IPv6 source address selection rather than the " "primary jail IPv6 address."); +SYSCTL_JAIL_PARAM(_ip6, multicast, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may use IPv6 multicast addresses"); #endif SYSCTL_JAIL_PARAM_NODE(allow, "Jail permission flags");
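
Review bot: In the sys/kern/kern_jail.c hunk at @@ -84,14 +84,17 @@, the innermost #else branch (neither INET nor INET6) replaces "#define _PR_IP_SADDRSEL 0" with "#define _PR_IP_MCAST 0" instead of adding to it. That leaves _PR_IP_SADDRSEL undefined in that configuration while the prison0 initialiser in the following hunk still uses it, so such a kernel will not compile. Keep the removed line and add "#define _PR_IP_MCAST 0" after it, matching the other three branches.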
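
Review bot: In the hunk at @@ -232,6 +239,7 @@, jail_default_ip is added but no other hunk in this patch reads it, so it is an unused static as posted. It is also initialised from JAIL_DEFAULT_ALLOW, while the covering message says the multicast parameters default to false. Either drop the variable from this patch or include the hunk that uses it, with a comment stating which default it carries.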
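
Review bot: The SYSCTL_JAIL_PARAM additions at @@ -4341,6 +4349,8 @@ and @@ -4350,6 +4360,8 @@ declare ip4.multicast and ip6.multicast as CTLFLAG_RW, but nothing in this patch ties a jail's setting to its parent's, so as posted the flag on a nested jail says nothing about whether the enclosing jail was granted multicast. The covering message lists hierarchy handling as outstanding; that check should land before any consumer relies on prison_flag(cred, PR_IP4_MCAST). The patch touches only sys/sys/jail.h and sys/kern/kern_jail.c, so the two new parameters also still need a manual page entry.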
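
A userland model of the check Jamie's message describes, as an added example that is not part of the original thread or of FreeBSD's source. The struct and the model_ function names are hypothetical, the flag values are the ones in the patch, and the rule that every ancestor must also hold the flag is an assumption about how the pending hierarchy handling could work.

```c
#include <errno.h>
#include <stddef.h>

/* Flag bits as added to sys/sys/jail.h by the patch. */
#define PR_IP4_MCAST 0x00000200u
#define PR_IP6_MCAST 0x00000400u

/* Reduced userland stand-in for struct prison (hypothetical). */
struct model_prison {
	struct model_prison *parent;	/* NULL for the host, prison0 */
	unsigned flags;			/* pr_flags equivalent */
};

/*
 * Effective permission (assumed rule): the flag must be set on the jail
 * and on every ancestor, so clearing it on a parent revokes it below.
 */
static int
model_mcast_allowed(const struct model_prison *pr, unsigned flag)
{
	for (; pr != NULL; pr = pr->parent)
		if ((pr->flags & flag) == 0)
			return (0);
	return (1);
}

/* Gate for a group join: pick the flag by address family, refuse by default. */
static int
model_mcast_join(const struct model_prison *pr, int is_ipv6)
{
	unsigned flag = is_ipv6 ? PR_IP6_MCAST : PR_IP4_MCAST;

	return (model_mcast_allowed(pr, flag) ? 0 : EPERM);
}

int
main(void)
{
	/* Constructed hierarchy: host -> jail (defaults) -> child. */
	struct model_prison host = { NULL, PR_IP4_MCAST | PR_IP6_MCAST };
	struct model_prison jail = { &host, 0 };
	struct model_prison child = { &jail, PR_IP6_MCAST };

	/* child set ip6.multicast, but its parent jail does not hold it */
	return (model_mcast_join(&child, 1) == EPERM ? 0 : 1);
}
```

Evaluating the permission at join time by walking the parent chain means a later change on a parent takes effect for nested jails without touching their stored flags.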

From: Jack Stone
To: freebsd-jail@freebsd.org
Subject: Upgrading FBSD-7.0 --> 7.4 and Jail won't start
X-List-Received-Date: Sat, 08 Sep 2012 18:15:01 -0000

uname -a
FreeBSD mail.sagedata.net 7.0-RELEASE-p9 FreeBSD 7.0-RELEASE-p9 #2: Sun Jan 18 19:59:27 CST 2009 root@mail.sagedata.net:/usr/obj/usr/src/sys/SMP i386

Have been running and upgrading host+jail for years and through several
versions of FreeBSD. However, I got behind on updates and now playing
catchup on an important production server.

Tried to upgrade fbsd-7.0 --> 7.4 followed by upgrade of a jail as in
past. However, on reboot, the host booted up OK, but the jail would not
work. On re-trying to start the jail, only got a cryptic error about
missing syscalls. I've never seen this before and don't have a clue what
needs fixing.

My setups for starting jails are in the /etc/rc.conf file and such still
works here in Texas on local servers when upgraded. However, the
production server is in Los Angeles and cannot react to any serious boot
problems without sending the ISP owner downtown to switch my HD back to
a bootable clone before the upgrade attempts.

I cannot afford to have the jail offline as it contains my SSL stuff
vital to the business.

I manage the jails using the tools that came with Jail(8).

Can anyone point me in the right direction on this issue? Do I now need
stuff in sysctl.conf for the jail? Or.....????

Thanks for any help!!

--
All the best,
Jack