From owner-freebsd-jail@freebsd.org Mon Jun 8 01:59:06 2020
From: David Mehler
Date: Sun, 7 Jun 2020 21:59:03 -0400
Subject: vnet jail shutdown crashes system
To: freebsd-jail
Hello,

I've finally created a vnet jail on FreeBSD 12.1 that will get out to the internet. Whenever I attempt to shut it down the system crashes, I have no idea why.

I found an example and adapted and pounded on it until I got it working. Here's my configuration. On the host:

/etc/rc.conf fragment:
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.122.1/24 addm vtnet0 up"

#cat /etc/jail.conf
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;
allow.raw_sockets;
exec.system_user = "root";
exec.jail_user = "root";
vnet;

jail1 {
    host.hostname = jail1.lan;
    path = "/jails/jail1";
    devfs_ruleset = "5";
    vnet.interface = "epair0b";
    exec.prestart = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a";
    exec.poststop = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";
    exec.consolelog = "/var/log/jail_jail1_console.log";
}

ifconfig fragment:
bridge0: flags=8843 metric 0 mtu 1500
        ether 02:e7:79:f2:c4:00
        inet 192.168.122.1 netmask 0xffffff00 broadcast 192.168.122.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair0a flags=143
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        member: vtnet0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 2000
        groups: bridge
        nd6 options=9
epair0a: flags=8943 metric 0 mtu 1500
        options=8
        ether 02:ad:9b:f9:5e:0a
        inet6 fe80::ad:9bff:fef9:5e0a%epair0a prefixlen 64 scopeid 0x4
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=23

In the vnet jail:
# cat /etc/rc.conf
hostname="jail1.lan"
ifconfig_epair0b="inet 192.168.122.50 netmask 255.255.255.0"
defaultrouter="192.168.122.1"

I wish I knew why stopping this jail takes the whole
system down, suggestions welcome.

Thanks.
Dave.

From: Kyle Evans
Date: Sun, 7 Jun 2020 21:07:17 -0500
Subject: Re: vnet jail shutdown crashes system
To: David Mehler
Cc: freebsd-jail
On Sun, Jun 7, 2020 at 8:59 PM David Mehler wrote:
>
> Hello,
>
> I've finally created a vnet jail on FreeBSD 12.1 that will get out to
> the internet. Whenever I attempt to shut it down the system crashes, I
> have no idea why.
>
> [... snip ...]
>
> I wish I knew why stopping this jail takes the whole system down,
> suggestions welcome.

Without seeing a panic message, this is almost certainly the ol' epair teardown problem. I'm working toward a solution for it, but I'm still needing to get people to review the prerequisite change to add a busy mechanism to ifnet so that we can coordinate correctly.

You can work around it by destroying the epair interface visible there on the host before you destroy the jail (and perhaps there's a better way), though that's not necessarily ideal if you need networking to work through a graceful shutdown.
Thanks,

Kyle Evans

From: squiggly foo
Date: Mon, 08 Jun 2020 21:35:23 -0500
Subject: Re: Running GUI applications in jails
To: Alexander Leidinger, freebsd-jail@freebsd.org
Hi Alexander,

You seem to have a lot of experience with X11 so I'm happy to hear your advice.
To answer your first question about where the graphical output needs to happen:

I am not sure I am understanding your question, but I am using one computer for all of this. The Xserver component of X11 is running on this computer on the host (not jailed) and the xclients are the jailed gui applications.
My basic problem is to make sure that jailed gui applications cannot access the keystrokes of other jailed gui applications. I guess I am confused by your question (maybe because I'm thinking inside the box) but what other options are there for running the Xserver and Xclients on a single computer. Or maybe you are suggesting multiple computers running Xservers? Please let me know whatever you are thinking as a solution because I am open to ideas and thinking outside the box.

Maybe I was also incorrect about running multiple Xservers on the same machine on different ttys but I thought that was an option. I should check with the X11 mailing list.

It's funny that you mention running a Xvnc server inside of a jail with each gui application. I have actually done that before but I never considered it as a possible option for solving my problem until now that you mentioned it. So I will look into that more. My only issue with this: the application that I want jailed the most is my "general browsing" firefox instance used for media websites like youtube but I am not sure how well a 1080p video will look over a vnc connection. But I haven't tested this idea in awhile.

I suppose using Xephyr would be a similar yet heavier solution than just using your Xvnc server idea inside each jail. Would you agree?

I might also look into statically compiling Xpra (if possible) so that it at least feels cleaner that all the dependencies are inside one binary instead of all over my system.

Again I am open to all ideas and suggestions. Please feel free to ask more questions if you need more details about what I am trying to do.

06.06.2020, 12:22, "Alexander Leidinger":
> Quoting squiggly foo (from Fri, 05 Jun 2020 15:10:05 -0500):
>
>> Thanks to Dave for pointing out that my HTML message was stripped. I
>> am trying this again.
>>
>> Hi All,
>>
>> I'm using FreeBSD as a workstation trying to keep everything as
>> lightweight and segregated as possible.
>> So I am running GUI applications inside a jail. My current
>> solution to this is null mounting the Xorg socket inside the jail
>> which allows the GUI applications to run on the host Xorg without issue.
>> Unfortunately this is also probably the least secure solution as one
>> jail could access the key strokes of another jail through the Xorg on
>> the host.
>>
>> I researched other solutions to this issue and listed them out below
>> with the advantages and disadvantages. I would like to hear everyone's
>> comments/ideas because maybe there are better ways.
>
> You haven't told where the graphical output needs to happen. The X11
> protocol is distinguishing between the X server (e.g. the component
> which does the output to a graphics card) and the X client (the
> component which wants to display something e.g. a movie player or
> whatever program you use to produce the output for display). So the
> question here is if you just need to have a X client running there, or
> the X server. You didn't describe the problem you have (I try to find
> out how the problem looks like outside the box), but you describe
> already alternatives in a limited solution sphere (you are inside the
> box and try to find a solution).
>
> [...]
>> 5) Using multiple X servers on different ttys
>> Using this solution I could group jails according to the level of
>> security that they need. On one Xorg instance say on tty3 I could have
>> my most secure/trusted GUI jails and on tty4 I could have less secure
>> less trusted GUI jails. Yes the jails inside of the same Xorg instance
>> can potentially see each others keystrokes but at least I have the
>> least trusted jails in another Xorg instance.
>>
>> +Not really that heavy of a solution dependency wise because I
>> already have Xorg installed on the host anyways and just running it
>> multiple times
>> +I'm assuming the separate Xorg instances don't see each other's
>> keystrokes...?
>> +/- I assume it's clipboard safe between the separate Xorg instances
>> but not in the same Xorg instance.
>> -Less flexible of a solution which can affect my workflow, but maybe
>> not so bad.
>
> You need to have a graphics card for each instance (I'm not aware that
> two Xorg instances can share the same hardware, but I have never
> looked specially for something like this, so I may have overlooked
> that it can, or it started to be able to do that in the last 10 years).
> And yes, they will not see the keystrokes of the other instance.
>
>> 6) Use Null mounts for the Xorg socket but use a script to 'KILL
>> -17' (suspend) all jails and their processes except for the one jail
>> that I wish to work with at a time. Then resume them afterwards.
>>
>> +This is a pretty lightweight solution if slightly complex
>>
>> -A suspended app can still receive keystrokes but will not register
>> them until unpaused. The only assurance I have is that the suspended
>> jailed GUI app cannot request to become the active window (I Think..?)
>> and so as long as I type into the correct non-suspended jail, the
>> other suspended jails cannot see keystrokes.
>
> I wouldn't go that way. Too complicated.
>
> I have patches for FreeBSD which allow to run Xorg in a jail. This
> would be another option as such, but not one which provides more
> security (it's even less, as it opens up the memory of the entire
> machine to this jail, so this jail can see all other jails if you
> write a clever program, I use that in the sense of containerization of
> Xorg and a desktop environment, not for security).
>
> There is also the possibility to run Xvnc in each jail.
> Each GUI program would then connect to the local vnc server instance
> (or better: is started inside the local vnc server instance), and then
> from the system you want to see the output (which can be a local Xorg
> server, or a Windows laptop or an ipad or whatever is able to run a
> vncviewer program) you connect with a vnc viewer to the vnc instance
> of the jail. The applications inside each vnc instance will only see
> keystrokes when the vnc viewer window for this particular instance is
> active. So if you are in the window of vnc viewer instance A the
> instance B will not see keystrokes.
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
From: Alexander Leidinger
Date: Tue, 09 Jun 2020 08:48:54 +0200
Subject: Re: Running GUI applications in jails
To: squiggly foo
Cc: freebsd-jail@freebsd.org
Quoting squiggly foo (from Mon, 08 Jun 2020 21:35:23 -0500):

> Hi Alexander,
>
> You seem to have a lot of experience with X11 so I'm happy to hear
> your advice.
> To answer your first question about where the graphical output needs
> to happen:
>
> I am not sure I am understanding your question, but I am using one
> computer for all of this. The Xserver component of X11 is running on
> this computer on the host (not jailed) and the xclients are the jailed
> gui applications. My basic problem is to make sure that jailed gui
> applications cannot access the keystrokes of other jailed gui
> applications. I guess I am confused by your question (maybe because
> I'm thinking inside the box) but what other options are there for
> running the Xserver and Xclients on a single computer. Or maybe you
> are suggesting multiple computers running Xservers? Please let me know
> whatever you are thinking as a solution because I am open to ideas and
> thinking outside the box.

With X11 it doesn't matter if you talk about 1 or multiple computers. Within the same network and with a fast enough speed of the network, it should work (edge-cases may differ).

> Maybe I was also incorrect about running multiple Xservers on the
> same machine on different ttys but I thought that was an option. I
> should check with the X11 mailing list.
>
> It's funny that you mention running a Xvnc server inside of a jail
> with each gui application. I have actually done that before but I
> never considered it as a possible option for solving my problem until
> now that you mentioned it. So I will look into that more.
> My only issue with this: the application that I want jailed the most
> is my "general browsing" firefox instance used for media websites like
> youtube but I am not sure how well a 1080p video will look over a vnc
> connection. But I haven't tested this idea in awhile.

For your particular use cases you will only know if you test it. As you are doing this locally, the "network" speed is a combination of the internal bus / CPU / memory speed, and some vnc settings like compression may play a role here too, but my gut feeling is, that this could work.

> I suppose using Xephyr would be a similar yet heavier solution than
> just using your Xvnc server idea inside each jail. Would you agree?
>
> I might also look into statically compiling Xpra (if possible) so
> that it at least feels cleaner that all the dependencies are inside
> one binary instead of all over my system.

I do not know Xephyr or Xpra. I had a very quick look at the homepages, and it looks like they are "just" a normal X server (with some special features) and use the X11 protocol. As such I do not expect that their use will solve your problem (read: I expect that you will be able to see keystrokes across all jails).

Bye,
Alexander.
--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
From: Ole
Date: Tue, 9 Jun 2020 18:25:46 +0200
Subject: Re: vnet jail shutdown crashes system
To: freebsd-jail@freebsd.org

Hello Dave,

I had the same problem. I found out that the system will crash if I do the 'ifconfig epair0a destroy' directly after the 'jail -r'.
My solution is to sleep 2 seconds after the 'jail -r' command. Maybe a little bit dirty.

Ole

Sun, 7 Jun 2020 21:59:03 -0400 - David Mehler:

> Hello,
>
> I've finally created a vnet jail on FreeBSD 12.1 that will get out to
> the internet. Whenever I attempt to shut it down the system crashes, I
> have no idea why.
>
> I found an example and adapted and pounded on it until I got it
> working. Here's my configuration. On the host:
>
> /etc/rc.conf fragment:
> cloned_interfaces="bridge0"
> ifconfig_bridge0="inet 192.168.122.1/24 addm vtnet0 up"
>
> #cat /etc/jail.conf
> exec.clean;
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> mount.devfs;
> allow.raw_sockets;
> exec.system_user = "root";
> exec.jail_user = "root";
> vnet;
>
> jail1 {
> host.hostname = jail1.lan;
> path = "/jails/jail1";
> devfs_ruleset = "5";
> vnet.interface = "epair0b";
> exec.prestart = "ifconfig epair0 create up";
> exec.prestart += "ifconfig bridge0 addm epair0a";
> exec.poststop = "ifconfig bridge0 deletem epair0a";
> exec.poststop += "ifconfig epair0a destroy";
> exec.consolelog = "/var/log/jail_jail1_console.log";
> }
>
> ifconfig fragment:
> bridge0: flags=8843 metric 0
> mtu 1500 ether 02:e7:79:f2:c4:00
> inet 192.168.122.1 netmask 0xffffff00 broadcast
> 192.168.122.255 id 00:00:00:00:00:00 priority 32768 hellotime 2
> fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
> root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
> member: epair0a flags=143
> ifmaxaddr 0 port 4 priority 128 path cost 2000
> member: vtnet0 flags=143
> ifmaxaddr 0 port 1 priority 128 path cost 2000
> groups: bridge
> nd6 options=9
> epair0a: flags=8943
> metric 0 mtu 1500
> options=8
> ether 02:ad:9b:f9:5e:0a
> inet6 fe80::ad:9bff:fef9:5e0a%epair0a prefixlen 64 scopeid 0x4
> groups: epair
> media: Ethernet 10Gbase-T (10Gbase-T )
> status: active
> nd6 options=23
>
> In the vnet jail:
> # cat
> /etc/rc.conf
> hostname="jail1.lan"
> ifconfig_epair0b="inet 192.168.122.50 netmask 255.255.255.0"
> defaultrouter="192.168.122.1"
>
> I wish I knew why stopping this jail takes the whole system down,
> suggestions welcome.
> Thanks.
> Dave.
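Dave's jail1 block from the first message with the two workarounds from this thread written into the stop hooks, as an added example that is not from any poster and is not the friend's configuration Dave mentions later. Mapping Kyle's "destroy the epair before the jail" onto exec.prestop, and Ole's sleep onto exec.poststop, is my reading of jail(8)'s documented hook order (prestop, then stop, then poststop); the global settings above the block are unchanged and omitted.

```conf
# jail1 from Dave's /etc/jail.conf with the shutdown-order workarounds
# from this thread. The global lines (exec.clean, exec.start, exec.stop,
# mount.devfs, allow.raw_sockets, vnet, ...) are as in Dave's file.
jail1 {
	host.hostname = jail1.lan;
	path = "/jails/jail1";
	devfs_ruleset = "5";
	vnet.interface = "epair0b";

	exec.prestart  = "ifconfig epair0 create up";
	exec.prestart += "ifconfig bridge0 addm epair0a";

	# Ole's workaround: jail(8) runs exec.poststop after the jail (and
	# its vnet) has been removed, so this sleep sits exactly where Ole
	# put it, between 'jail -r' and 'ifconfig epair0a destroy'. The two
	# seconds only paper over the epair/vnet teardown race Kyle
	# describes; they do not fix it, and a slower host may need more.
	exec.poststop  = "sleep 2";
	exec.poststop += "ifconfig bridge0 deletem epair0a";
	exec.poststop += "ifconfig epair0a destroy";

	# Kyle's workaround instead: destroy the epair on the host before
	# the jail goes away. exec.prestop runs before exec.stop, i.e.
	# before rc.shutdown inside the jail, so the jail has no network
	# during its graceful shutdown, which is the caveat Kyle mentions.
	# Use one variant or the other: with prestop doing the destroy,
	# drop the three exec.poststop lines above, or they fail on an
	# interface that no longer exists.
	#exec.prestop  = "ifconfig bridge0 deletem epair0a";
	#exec.prestop += "ifconfig epair0a destroy";

	exec.consolelog = "/var/log/jail_jail1_console.log";
}
```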
From: David Mehler
Date: Fri, 12 Jun 2020 13:48:55 -0400
Subject: Re: vnet jail shutdown crashes system
To: Ole
Cc: Kyle Evans, freebsd-jail@freebsd.org
In-Reply-To: <20200609182546.6693d2e3.ole@free.de>

Hello,

Thanks to everyone who offered suggestions on my vnet jail. I'm passing
this on: a friend of mine sent me his configuration, which he modified
from mine. It does not crash on vnet jail shutdown and takes down both
interfaces, epair0a and epair0b.
My rc.conf in the original post is unchanged. Here's the revised and
working /etc/jail.conf:

#cat jail.conf
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;
allow.raw_sockets;
#exec.system_user = "root";
#exec.jail_user = "root";
vnet;

jail1 {
  host.hostname = jail1.lan;
  path = "/jails/jail1";
  devfs_ruleset = "4";
  mount.devfs;
  vnet = "new";
  vnet.interface = "epair0b";
  exec.prestart = "ifconfig epair0 create up";
  exec.prestart += "ifconfig bridge0 addm epair0a";
  exec.start = "/bin/sh /etc/rc";
  exec.start += "ifconfig epair0b inet 192.168.122.50 netmask 255.255.255.0";
  exec.start += "route add default 192.168.122.1";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.poststop = "ifconfig bridge0 deletem epair0a";
  exec.poststop += "ifconfig epair0a destroy";
  exec.consolelog = "/var/log/jail_jail1_console.log";
}

I have no idea why this works, but here it is. I'm passing it on hoping it
helps others with vnet and/or helps track down the epair teardown issue.

Thanks and HTH
Dave.

On 6/9/20, Ole wrote:
> Hello Dave,
>
> I had the same problem. I found out that the system will crash if I do
> the 'ifconfig epair0a destroy' directly after the 'jail -r'.
>
> My solution is to sleep 2 seconds after the 'jail -r' command.
>
> Maybe a little bit dirty.
>
> Ole
>
>
>
> Sun, 7 Jun 2020 21:59:03 -0400 - David Mehler :
>
>> Hello,
>>
>> I've finally created a vnet jail on FreeBSD 12.1 that will get out to
>> the internet. Whenever I attempt to shut it down the system crashes, I
>> have no idea why.
>>
>> I found an example and adapted and pounded on it until I got it
>> working. Here's my configuration. On the host:
>>
>> /etc/rc.conf fragment:
>> cloned_interfaces="bridge0"
>> ifconfig_bridge0="inet 192.168.122.1/24 addm vtnet0 up"
>>
>> #cat /etc/jail.conf
>> exec.clean;
>> exec.start = "/bin/sh /etc/rc";
>> exec.stop = "/bin/sh /etc/rc.shutdown";
>> mount.devfs;
>> allow.raw_sockets;
>> exec.system_user = "root";
>> exec.jail_user = "root";
>> vnet;
>>
>> jail1 {
>>   host.hostname = jail1.lan;
>>   path = "/jails/jail1";
>>   devfs_ruleset = "5";
>>   vnet.interface = "epair0b";
>>   exec.prestart = "ifconfig epair0 create up";
>>   exec.prestart += "ifconfig bridge0 addm epair0a";
>>   exec.poststop = "ifconfig bridge0 deletem epair0a";
>>   exec.poststop += "ifconfig epair0a destroy";
>>   exec.consolelog = "/var/log/jail_jail1_console.log";
>> }
>>
>> ifconfig fragment:
>> bridge0: flags=8843 metric 0 mtu 1500
>>         ether 02:e7:79:f2:c4:00
>>         inet 192.168.122.1 netmask 0xffffff00 broadcast 192.168.122.255
>>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>>         member: epair0a flags=143
>>                 ifmaxaddr 0 port 4 priority 128 path cost 2000
>>         member: vtnet0 flags=143
>>                 ifmaxaddr 0 port 1 priority 128 path cost 2000
>>         groups: bridge
>>         nd6 options=9
>> epair0a: flags=8943 metric 0 mtu 1500
>>         options=8
>>         ether 02:ad:9b:f9:5e:0a
>>         inet6 fe80::ad:9bff:fef9:5e0a%epair0a prefixlen 64 scopeid 0x4
>>         groups: epair
>>         media: Ethernet 10Gbase-T (10Gbase-T )
>>         status: active
>>         nd6 options=23
>>
>> In the vnet jail:
>> # cat /etc/rc.conf
>> hostname="jail1.lan"
>> ifconfig_epair0b="inet 192.168.122.50 netmask 255.255.255.0"
>> defaultrouter="192.168.122.1"
>>
>> I wish I knew why stopping this jail takes the whole system down,
>> suggestions welcome.
>> Thanks.
>> Dave.
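Both workarounds in this thread, Ole's 'sleep 2' after 'jail -r' and the revised jail.conf, dodge the same thing: the host-side 'ifconfig epair0a destroy' running while the kernel may still be unwinding the jail's vnet. The failure mode matters because it is a panic, which takes down the host and every other jail on it, not just jail1, so a teardown step should fail safe rather than race the kernel. The helper below is an added example, not code from either poster or from FreeBSD. It replaces the fixed sleep with a bounded wait for the jail-side epair0b to show up in the host's 'ifconfig -l' again (a vnet's interfaces are handed back to the host when the jail is removed) and refuses to destroy the epair if that never happens. The script path, taking the epair and bridge names as parameters (the posted configs hard-code epair0, which only works for one jail), the 10-poll timeout and the use of "epairNb is back on the host" as the readiness signal are all assumptions of this example, not something the thread establishes.

```sh
#!/bin/sh
# Added example, not from the thread: teardown helper for a vnet jail whose
# epair is bridged to the host. Waits for the jail-side interface to return
# to the host instead of sleeping a fixed 2 seconds after 'jail -r'.
# Assumptions (not from the original posts): epair named epairN (epairNa on
# the host bridge, epairNb inside the jail), bridge0 by default, and that
# epairNb reappearing in 'ifconfig -l' means the vnet has been unwound.

POLL_INTERVAL=${POLL_INTERVAL:-1}   # seconds between checks

# Host-visible interface names, one per line. Wrapped in a function so the
# logic below can be exercised on a box without ifconfig or jails.
list_ifaces() {
    ifconfig -l | tr ' ' '\n'
}

# 0 if interface $1 currently exists in the host vnet, 1 otherwise.
iface_present() {
    for ifn in $(list_ifaces); do
        [ "$ifn" = "$1" ] && return 0
    done
    return 1
}

# Poll up to $2 times for interface $1 to appear on the host.
# Returns 0 when seen, 1 when the poll budget is exhausted.
wait_for_iface() {
    _name=$1
    _polls=$2
    while ! iface_present "$_name"; do
        _polls=$((_polls - 1))
        [ "$_polls" -lt 0 ] && return 1
        sleep "$POLL_INTERVAL"
    done
    return 0
}

# Tear down the host side of epair $1 (e.g. "epair0") after its jail is gone,
# removing it from bridge $2 first. If the jail side never comes back, leave
# the epair alone and return 1: a stray interface is recoverable, a panic is
# not. Destroying one side of an epair removes both.
teardown_epair() {
    _pair=$1
    _bridge=${2:-bridge0}
    if ! wait_for_iface "${_pair}b" 10; then
        echo "teardown_epair: ${_pair}b did not return to the host;" \
             "not destroying ${_pair}a" >&2
        return 1
    fi
    ifconfig "$_bridge" deletem "${_pair}a"
    ifconfig "${_pair}a" destroy
}

# Usage:
#   jail-teardown.sh stop <jail> <epair> [bridge]   # runs 'jail -r' first
#   jail-teardown.sh poststop <epair> [bridge]      # from exec.poststop
case "${1:-}" in
    stop)     jail -r "$2" && teardown_epair "$3" "${4:-bridge0}" ;;
    poststop) teardown_epair "$2" "${3:-bridge0}" ;;
esac
```

Wired into jail.conf under the same assumptions, the two poststop lines from the posted config become one: exec.poststop = "/bin/sh /usr/local/sbin/jail-teardown.sh poststop epair0 bridge0"; by hand, 'jail-teardown.sh stop jail1 epair0' replaces 'jail -r jail1; sleep 2; ifconfig epair0a destroy'. If the wait ever times out on a real host, that is worth reporting with the kernel version rather than raising the timeout, since it means the assumption about when epair0b returns does not hold there.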