From owner-freebsd-jail@freebsd.org Mon Jun  1 22:20:49 2020
From: squiggly foo
To: freebsd-jail@freebsd.org
Subject: Running GUI applications in jails
Date: Mon, 01 Jun 2020 17:20:45 -0500
Message-Id: <2284521591050002@mail.yandex.com>

[message body not archived: the mail was HTML-only and was stripped by the list's MIME filter]

From owner-freebsd-jail@freebsd.org Thu Jun  4 11:06:57 2020
From: Dave Cottlehuber
To: squiggly foo, freebsd-jail
Subject: Re: Running GUI applications in jails
Date: Thu, 04 Jun 2020 11:06:35 +0000
In-Reply-To: <2284521591050002@mail.yandex.com>

On Mon, 1 Jun 2020, at 22:20, squiggly foo wrote:

I assume your HTML email got stripped. Judging by the subject,

https://wiki.freebsd.org/VladimirKrstulja/Guides/JailingGUIApplications
https://forums.freebsd.org/threads/53362/

may be of use.

A+
Dav

From owner-freebsd-jail@freebsd.org Thu Jun  4 11:38:37 2020
From: JÁKÓ András
To: freebsd-jail@freebsd.org
Subject: vnet jails on VLAN subinterfaces
Date: Thu, 4 Jun 2020 13:38:32 +0200
Message-ID: <20200604113832.GD76013@eik.bme.hu>
Organization: Budapest University of Technology and Economics (BME)
Hello everyone,

I've already asked this on forums.freebsd.org, but didn't get an answer
yet. I hope someone can answer it here.

I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
per jail. I assigned VLAN subinterfaces to the jails' network stacks:

em0 - em0.99  (host)
em0 - em0.100 (jail0)
em0 - em0.101 (jail1)

Here em0 and em0.99 belong to the base system while em0.10[01] belong to
the jails' network stacks.

This works perfectly so far. But I didn't see this setup mentioned
anywhere, that's why I'm curious whether this is a "valid" setup: do I use
vnet correctly? Or does it only work by accident?

I found vnet jail examples using one epair per jail, which is connected
to the physical interface by a bridge. With tagged 802.1Q VLANs this
could look something like the following:

em0 - em0.99  (host)
em0 - em0.100 - bridge0 - epair0a - epair0b (jail0)
em0 - em0.101 - bridge1 - epair1a - epair1b (jail1)

Here epair[01]b belong to the jails' network stacks, and all other
interfaces to the base system. This works too, but is more complicated
than the one without bridges and epairs.

András

From owner-freebsd-jail@freebsd.org Thu Jun  4 13:44:15 2020
From: Julien Cigar
To: JÁKÓ András
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet jails on VLAN subinterfaces
Date: Thu, 4 Jun 2020 15:43:59 +0200
Message-ID: <20200604134359.ei6vdsce5xrdbtqo@x1>
In-Reply-To: <20200604113832.GD76013@eik.bme.hu>
On Thu, Jun 04, 2020 at 01:38:32PM +0200, JÁKÓ András wrote:
> Hello everyone,

Hello,

> I've already asked this on forums.freebsd.org, but didn't get an answer
> yet. I hope someone can answer it here.
>
> I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
> per jail. I assigned VLAN subinterfaces to the jails' network stacks:
>
> em0 - em0.99  (host)
> em0 - em0.100 (jail0)
> em0 - em0.101 (jail1)
>
> Here em0 and em0.99 belong to the base system while em0.10[01] belong to
> the jails' network stacks.
>
> This works perfectly so far. But I didn't see this setup mentioned
> anywhere, that's why I'm curious whether this is a "valid" setup: do I use
> vnet correctly? Or does it only work by accident?

In your case it's OK, but as VLAN ids are unique per interface you need
x different physical interfaces if x jails (VNET) need to be in the same
VLAN (and use the same interface). Best option is to use SR-IOV (if your
interface supports it) to have multiple virtual NICs, or use bridge + epair
(which has a huge performance impact due to a locking issue in if_bridge,
although this is fixed in -CURRENT by @kp).

> I found vnet jail examples using one epair per jail, which is connected
> to the physical interface by a bridge. With tagged 802.1Q VLANs this
> could look something like the following:
>
> em0 - em0.99  (host)
> em0 - em0.100 - bridge0 - epair0a - epair0b (jail0)
> em0 - em0.101 - bridge1 - epair1a - epair1b (jail1)
>
> Here epair[01]b belong to the jails' network stacks, and all other
> interfaces to the base system. This works too, but is more complicated
> than the one without bridges and epairs.
>
> András

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
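The layout András describes (one 802.1Q subinterface per vnet jail, created on the host and handed to the jail) and the constraint Julien points out (a given VLAN id can exist only once per parent interface, so two jails in the same VLAN on the same NIC cannot both get a subinterface) can be captured in a small planning script. The following is an added example, not code from the thread or from FreeBSD itself; the "jail parent vlan_id" mapping format, the jail names and the /usr/jails paths are assumptions, and the script generalises the thread's two-jail case to any number of jails and parent interfaces. It prints the ifconfig(8) commands or a jail.conf(5) fragment, and only touches the system when run with the argument "apply".

```shell
#!/bin/sh
# Added example (not from the list thread): plan per-jail VLAN subinterfaces
# for vnet jails and refuse to continue when two jails on the same parent
# interface ask for the same VLAN id. Mapping format and names are constructed.

JAIL_VLANS="${JAIL_VLANS:-jail0 em0 100
jail1 em0 101}"

# check_unique_vlans MAPPING
# Exit 1, naming the conflicting jails, if a parent/vlan pair appears twice.
check_unique_vlans() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            key = $2 "." $3
            if (key in owner) {
                printf "VLAN %s requested by %s is already used by %s\n", key, $1, owner[key]
                bad = 1
            } else {
                owner[key] = $1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# plan_commands MAPPING
# Print the ifconfig(8) commands that create each 802.1Q subinterface on the
# host and move it into the jail'"'"'s vnet. The jail must already be running
# with "vnet;" set in jail.conf(5) for the second command to succeed.
plan_commands() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            ifn = $2 "." $3
            printf "ifconfig %s create vlan %s vlandev %s\n", ifn, $3, $2
            printf "ifconfig %s vnet %s\n", ifn, $1
        }'
}

# jail_conf_stanzas MAPPING
# The declarative equivalent: with vnet.interface, jail(8) itself moves the
# already-created subinterface into the vnet when the jail starts.
# The /usr/jails/<name> root path is an assumption.
jail_conf_stanzas() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            printf "%s {\n    path = \"/usr/jails/%s\";\n    vnet;\n    vnet.interface = \"%s.%s\";\n    exec.start = \"/bin/sh /etc/rc\";\n    exec.stop = \"/bin/sh /etc/rc.shutdown\";\n}\n", $1, $1, $2, $3
        }'
}

case "${1:-plan}" in
    plan)
        check_unique_vlans "$JAIL_VLANS" || exit 1
        plan_commands "$JAIL_VLANS"
        ;;
    jail.conf)
        check_unique_vlans "$JAIL_VLANS" || exit 1
        jail_conf_stanzas "$JAIL_VLANS"
        ;;
    apply)
        check_unique_vlans "$JAIL_VLANS" || exit 1
        plan_commands "$JAIL_VLANS" | sh -e
        ;;
esac
```

Run it without arguments to see the commands it would issue, with "jail.conf" to get the stanzas, and with "apply" to execute them. Adding a second jail on em0 with VLAN 100 makes the uniqueness check fail before anything is created, which is exactly the case where, as Julien says, a second physical interface, SR-IOV virtual functions or a bridge + epair per jail is needed instead.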
From owner-freebsd-jail@freebsd.org Fri Jun  5 10:07:07 2020
From: JÁKÓ András
To: Julien Cigar
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet jails on VLAN subinterfaces
Date: Fri, 5 Jun 2020 12:07:01 +0200
Message-ID: <20200605100701.GA83565@eik.bme.hu>
In-Reply-To: <20200604134359.ei6vdsce5xrdbtqo@x1>
Organization: Budapest University of Technology and Economics (BME)

> > I'd like to use 802.1Q tagged VLANs on an Ethernet interface, one VLAN
> > per jail. I assigned VLAN subinterfaces to the jails' network stacks:
> >
> > em0 - em0.99  (host)
> > em0 - em0.100 (jail0)
> > em0 - em0.101 (jail1)
> >
> > Here em0 and em0.99 belong to the base system while em0.10[01] belong to
> > the jails' network stacks.
> >
> > This works perfectly so far. But I didn't see this setup mentioned
> > anywhere, that's why I'm curious whether this is a "valid" setup: do I use
> > vnet correctly? Or does it only work by accident?
>
> In your case it's OK, but as VLAN ids are unique per interface you need
> x different physical interfaces if x jails (VNET) need to be in the same
> VLAN (and use the same interface).

Thanks! I only need one jail per VLAN right now, but I understand that
this simple setup does not work with more jails in the same VLAN.

> Best option is to use SR-IOV (if your interface supports it) to have
> multiple virtual NICs, or use bridge + epair (which has a huge
> performance impact due to a locking issue in if_bridge, although this is
> fixed in -CURRENT by @kp).

I didn't know about SR-IOV but it's very promising.

András

From owner-freebsd-jail@freebsd.org Fri Jun  5 20:10:12 2020
From: squiggly foo
To: freebsd-jail
Subject: Running GUI applications in jails
Date: Fri, 05 Jun 2020 15:10:05 -0500
Message-Id: <18251591386410@mail.yandex.com>

Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again.

Hi All,

I'm using FreeBSD as a workstation, trying to keep everything as lightweight and
segregated as possible. So I am running GUI applications inside a jail. My current
solution to this is null mounting the Xorg socket inside the jail, which allows the
GUI applications to run on the host Xorg without issue.
Unfortunately this is also probably the least secure solution, as one jail could access the
keystrokes of another jail through the Xorg on the host.

I researched other solutions to this issue and listed them out below with the advantages
and disadvantages. I would like to hear everyone's comments/ideas because maybe
there are better ways.

1) Using Xpra
+ So far this seems like the most secure solution, as every GUI application would have its own xorg instance and cannot see each other's keystrokes.
+ I assume it's clipboard safe...?
- Good lord, the dependencies! This is probably by far the most heavyweight solution.

2) Using Xephyr (Xnest)
+ This solution is also just as secure as Xpra, as every GUI jailed app will have its own xorg instance.
+ Far fewer dependencies than Xpra and therefore more lightweight
+ I assume it's clipboard safe...?
- It will produce a whole X window with window manager in addition to just the app that I want to run, which is space inefficient for monitor real estate.

3) Null mounting the Xorg socket in the jail
+ The easiest and the most lightweight solution
- The least secure so far according to my research
- Not clipboard safe

4) SSH -X forwarding
+ Just slightly more weighty than null mounting a socket inside the jail
- It uses X11 security, which makes it slightly more secure than a null mount, but it could still see the keystrokes I'm typing into another jail or the host.
- Slower X performance..?
- Not clipboard safe

5) Using multiple X servers on different ttys
Using this solution I could group jails according to the level of security that they need. On one Xorg instance, say on tty3, I could have my most secure/trusted GUI jails, and on tty4 I could have less secure, less trusted GUI jails. Yes, the jails inside of the same Xorg instance can potentially see each other's keystrokes, but at least I have the least trusted jails in another Xorg instance.
+ Not really that heavy of a solution dependency-wise, because I already have Xorg installed on the host anyway and am just running it multiple times
+ I'm assuming the separate Xorg instances don't see each other's keystrokes...?
+/- I assume it's clipboard safe between the separate Xorg instances but not in the same Xorg instance.
- Less flexible of a solution, which can affect my workflow, but maybe not so bad.

6) Use null mounts for the Xorg socket but use a script to 'KILL -17' (suspend) all jails and their processes except for the one jail that I wish to work with at a time. Then resume them afterwards.
+ This is a pretty lightweight solution, if slightly complex
- A suspended app can still receive keystrokes but will not register them until unpaused. The only assurance I have is that the suspended jailed GUI app cannot request to become the active window (I think..?) and so as long as I type into the correct non-suspended jail, the other suspended jails cannot see keystrokes.

Comments? Questions? How does everyone else do it?
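Option 3 above (null mounting the host's Xorg socket into each jail) is the one whose security cost is easiest to lose track of, because nothing in the jail configuration says "these jails share one X server". The following audit script is an added example, not code from the thread: it lists the running jails whose root has the host X11 socket directory null-mounted below it, i.e. the set of jails that can observe each other's input through the shared Xorg. It assumes jails are enumerated with `jls -h name path` and null mounts with `mount -t nullfs`; the jail names and paths in the embedded sample output are constructed so the script can be exercised offline, and the "live" argument runs it against the real system.

```shell
#!/bin/sh
# Added example (not from the list thread): find jails that share the host's
# X server through a nullfs mount of the X11 socket directory.
# Sample jls/mount output below is constructed; names and paths are made up.

X11_SOCKET_DIR="${X11_SOCKET_DIR:-/tmp/.X11-unix}"

# Constructed sample of `jls -h name path` (the -h header line included).
SAMPLE_JLS='name path
browser /usr/jails/browser
mail /usr/jails/mail
build /usr/jails/build'

# Constructed sample of `mount -t nullfs`: two jails have the host X socket
# directory mounted, the third only has a read-only ports tree.
SAMPLE_MOUNTS='/tmp/.X11-unix on /usr/jails/browser/tmp/.X11-unix (nullfs, local)
/tmp/.X11-unix on /usr/jails/mail/tmp/.X11-unix (nullfs, local)
/usr/ports on /usr/jails/build/usr/ports (nullfs, local, read-only)'

# x11_shared_jails JLS_OUTPUT MOUNT_OUTPUT
# Prints, in jls order, the name of every jail whose root path contains a
# nullfs mount whose source is $X11_SOCKET_DIR. Both inputs are fed to one
# awk run, separated by a sentinel line, so the function stays POSIX sh.
x11_shared_jails() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } |
    awk -v sock="$X11_SOCKET_DIR" '
        /^---$/ { in_jails = 1; next }
        # mount(8) line: "<source> on <mountpoint> (<fstype>, <options>)"
        !in_jails && $2 == "on" && $1 == sock && $4 ~ /^\(nullfs/ { target[$3] = 1; next }
        # jls line: "<name> <path>"; skip the header row
        in_jails && NF == 2 && $1 != "name" {
            for (t in target)
                if (index(t, $2 "/") == 1) { print $1; break }
        }'
}

# count_shared JLS_OUTPUT MOUNT_OUTPUT
# Number of jails sharing the host X server (0 when none do).
count_shared() {
    x11_shared_jails "$1" "$2" | grep -c .
}

if [ "${1:-}" = "live" ]; then
    exposed=$(x11_shared_jails "$(jls -h name path)" "$(mount -t nullfs)")
else
    exposed=$(x11_shared_jails "$SAMPLE_JLS" "$SAMPLE_MOUNTS")
fi

if [ -n "$exposed" ]; then
    echo "jails sharing the host X server via $X11_SOCKET_DIR:"
    printf '  %s\n' $exposed
else
    echo "no jail has $X11_SOCKET_DIR null-mounted"
fi
```

On the sample data the script reports browser and mail and leaves build alone; on a real host, every jail it names is in the same trust domain as far as keyboard input and the clipboard are concerned, which is the grouping decision option 5 (one Xorg per trust level) or Alexander's per-jail Xvnc suggestion makes explicit instead of accidental.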
From owner-freebsd-jail@freebsd.org Sat Jun  6 17:22:27 2020
From: Alexander Leidinger
To: freebsd-jail@freebsd.org, foo.squiggly@yandex.com
Subject: Re: Running GUI applications in jails
Date: Sat, 06 Jun 2020 19:22:22 +0200
Message-ID: <20200606192222.Horde.68H7pQpeZSUfwBodPHen_Lh@webmail.leidinger.net>
In-Reply-To: <18251591386410@mail.yandex.com>

Quoting squiggly foo (from Fri, 05 Jun 2020 15:10:05 -0500):

> Thanks to Dave for pointing out that my HTML message was stripped. I
> am trying this again.
>
> Hi All,
>
> I'm using FreeBSD as a workstation, trying to keep everything as
> lightweight and segregated as possible. So I am running GUI
> applications inside a jail. My current solution to this is null
> mounting the Xorg socket inside the jail, which allows the GUI
> applications to run on the host Xorg without issue. Unfortunately this
> is also probably the least secure solution, as one jail could access
> the keystrokes of another jail through the Xorg on the host.
> > I researched other solutions to this issue and listed them out below=20= =20 >=20with the advantages > and disadvantages. I would like to hear everyones comments/ideas=20=20 >=20because maybe > there are betters ways. You haven't told where the graphical output needs to happen. The X11=20=20 protocol=20is distinguishing between the X server (e.g. the component=20=20 which=20does the output to a grpahics card) and the X client (the=20=20 component=20which wants to display something e.g. a movie player or=20=20 whatever=20program you use to produce the output for display). So the=20=20 question=20here is if you just need to have a X client running there, or=20= =20 the=20X server. You didn't describe the problem you have (I try to find=20= =20 out=20how the problem looks like outside the box), but you describe=20=20 already=20alternatives in a limited solution sphere (you are inside the=20= =20 box=20and try to find a solution). [...] > 5) Using multiple X servers on different ttys > Using this solution I could group jails according to the level of=20=20 >=20security that they need. > On one Xorg instance say on tty3 I could have my most secure/trusted=20= =20 >=20GUI jails and on tty4 > I could have less secure less trusted GUI jails. Yes the jails=20=20 >=20inside of the same Xorg instance can > potentially see each others keystrokes but at least I have the lest=20=20 >=20trusted jails in another Xorg > instance. > > +Not really that heavy of a solution dependency wise because I=20=20 >=20already have Xorg installed on > the host anyways and just running it multiple times > +I'm assuming the separate Xorg instances don't see each other's=20=20 >=20keystrokes...? > +/- I assume it's clipboard safe between the separate Xorg instances but = not > in the same Xorg instance. > -Less flexible of a solution which can affect my workflow, but maybe=20= =20 >=20not so bad. 
You need to have a graphics card for each instance (I'm not aware that two Xorg instances can share the same hardware, but I have never looked specifically for something like this, so I may have overlooked that it can, or it started to be able to do that in the last 10 years). And yes, they will not see the keystrokes of the other instance.

> 6) Use null mounts for the Xorg socket but use a script to 'KILL -17' (suspend) all jails and their processes except for the one jail that I wish to work with at a time. Then resume them afterwards.
>
> +This is a pretty lightweight solution if slightly complex
>
> -A suspended app can still receive keystrokes but will not register them until unpaused. The only assurance I have is that the suspended jailed GUI app cannot request to become the active window (I think..?) and so as long as I type into the correct non-suspended jail, the other suspended jails cannot see keystrokes.

I wouldn't go that way. Too complicated.

I have patches for FreeBSD which allow running Xorg in a jail. This would be another option as such, but not one which provides more security (it's even less, as it opens up the memory of the entire machine to this jail, so this jail can see all other jails if you write a clever program; I use that in the sense of containerization of Xorg and a desktop environment, not for security).

There is also the possibility to run Xvnc in each jail. Each GUI program would then connect to the local vnc server instance (or better: is started inside the local vnc server instance), and then from the system you want to see the output on (which can be a local Xorg server, or a Windows laptop or an iPad or whatever is able to run a vncviewer program) you connect with a vnc viewer to the vnc instance of the jail.
The applications inside each vnc instance will only see keystrokes when the vnc viewer window for this particular instance is active. So if you are in the window of vnc viewer instance A, instance B will not see keystrokes.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
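The exposure the thread starts from (several jails null-mounting the host's Xorg socket directory, so their X clients share one X server) can be checked from the host. The following Python script is an added example and not code from the thread, from Alexander's patches or from FreeBSD: it parses constructed sample output of `jls -h name path` and `mount` (the jail names and paths are hypothetical) and reports each host X socket directory that is null-mounted into more than one jail.

```python
import re
from collections import defaultdict

# Constructed sample of `jls -h name path` output; jail names and paths are hypothetical.
JLS_OUTPUT = """name path
browser /usr/jails/browser
mail /usr/jails/mail
office /usr/jails/office
build /usr/jails/build
"""
# Constructed sample of host `mount` output, not captured from a real system.
MOUNT_OUTPUT = """/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/tmp/.X11-unix on /usr/jails/browser/tmp/.X11-unix (nullfs, local)
/tmp/.X11-unix on /usr/jails/mail/tmp/.X11-unix (nullfs, local)
/usr/ports on /usr/jails/build/usr/ports (nullfs, local, read-only)
"""
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<dst>\S+) \((?P<opts>[^)]*)\)$")

def parse_jails(jls_text):
    """Map jail name -> root path; the first line of `jls -h` output is the header."""
    roots = {}
    for line in jls_text.splitlines()[1:]:
        if line.strip():
            name, path = line.split(None, 1)
            roots[name] = path.strip().rstrip("/")
    return roots

def jail_for_path(path, roots):
    """Return the jail whose root contains `path`, or None for a host-only path."""
    return next((n for n, r in roots.items() if path.startswith(r + "/")), None)

def shared_x_sockets(mount_text, roots):
    """Return {host_x_socket_dir: [jails]} for each host X socket directory null-mounted
    into two or more jails: their X clients share one Xorg and see each other's input."""
    groups = defaultdict(list)
    for line in mount_text.splitlines():
        m = MOUNT_RE.match(line)
        if not m:
            continue
        opts = [o.strip() for o in m["opts"].split(",")]
        if "nullfs" in opts and m["src"].rstrip("/").endswith(".X11-unix"):
            jail = jail_for_path(m["dst"], roots)
            if jail is not None:  # ignore mounts that land outside any jail root
                groups[m["src"]].append(jail)
    return {sock: sorted(jails) for sock, jails in groups.items() if len(jails) > 1}

if __name__ == "__main__":
    for sock, jails in shared_x_sockets(MOUNT_OUTPUT, parse_jails(JLS_OUTPUT)).items():
        print(f"{sock}: shared by {', '.join(jails)} (one X server; cross-jail input visible)")
```

On a real host, feed it the live output of the two commands; a jail that runs its own Xvnc (like `office` in the sample) does not appear in the report because it mounts no host X socket.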
