From: James Gritton
To: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Cc: Carsten Bäcker
Subject: Re: Hierarchical Jails
Date: Fri, 27 Nov 2015 10:09:02 -0700
Message-ID: <5afb4a26c024263f7312f1f0984444a1@gritton.org>

On 27.11.2015 at 08:54, "Carsten Bäcker" wrote:
> Sorry... something's wrong with GMX webmailer. Second time this
> happens.
>
> Hi Hackers,
>
> I'm running into problems creating hierarchical jails.
> First of all: this is my first try with *hierarchical* jails (in favor
> of creating a bunch of VMs for software-testing).
>
> I aliased lo0 with 127.0.1.1 - 127.0.1.3
>
> --- HOST jail.conf ---
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> persist;
>
> allow.socket_af=1;
> allow.raw_sockets=1;
> path = "/usr/local/jails/$name";
> mount.fstab = "/usr/local/jails/fstab.$name";
> core {
>     host.hostname="jail_core";
>     children.max=2;
>     ip4.addr = ue0|192.168.42.90,lo0|127.0.1.1,lo0|127.0.1.2,lo0|127.0.1.3;
> }
>
> --- "jail_core" jail.conf ---
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> persist;
> path = "/usr/local/jails/$name";
> mount.fstab = "/usr/local/jails/fstab.$name";
> dev1 {
>     host.hostname="jail_dev1";
>     ip4.addr = lo0|127.0.1.1;
> }
>
> jail_core starts up fine, but "children.max" seems to have no effect
> when checked within the jail.
>
> root@jail_core:/ # sysctl security.jail.param.children
> security.jail.param.children.max: 0
> security.jail.param.children.cur: 0
>
> I'm not sure if this is related to the following problem, but when I
> try to create a child-jail in this jailed environment I run into the
> following error.
>
> root@jail_core:/ # jail -c dev1
> ifconfig: ioctl (SIOCAIFADDR): permission denied
> jail: dev1: /sbin/ifconfig lo0 inet 127.0.1.1 netmask 255.255.255.255 alias: failed
>
> What am I doing wrong? Any suggestions?
> Unfortunately I didn't find too much information concerning
> hierarchical jails.
>
> Running CURRENT -r290973.
>
> Best Regards
> Carsten Bäcker

The trouble lies in dev1's ip4.addr specification. "lo0|127.0.1.1" means that the IP address is 127.0.1.1, and that an alias should be added on the interface lo0. But dev1 doesn't have permission to add IP aliases, which is where the "alias: failed" message comes from.

The solution is easy in this case: you've already planned ahead and created the alias in core (as you should have), so it doesn't need to be created again. Just change dev1's specification to "ip4.addr = 127.0.1.1".

- Jamie
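
Added example, not part of the original mail and not FreeBSD's own code: a small sh/awk check that lists every `ip4.addr` value written in the `iface|addr` form, the form the reply above identifies as the cause of the failure in dev1's configuration. The function names are hypothetical, the sample inputs are the dev1 block from the thread before and after the suggested change, and the parser assumes one parameter per line and `#` comments only.

```shell
#!/bin/sh
# Added example (not from the original mail). Lists each ip4.addr value in a
# jail.conf that uses the "iface|addr" form, i.e. asks jail(8) to run
# "ifconfig <iface> inet <addr> ... alias" when the jail is created.
# Assumption: one parameter per line, as in the configs quoted in the thread.

# iface_alias_entries [FILE...]
# Prints "jail<TAB>iface<TAB>addr" per hit; reads stdin when no FILE is given.
iface_alias_entries() {
    awk '
    { sub(/#.*/, "") }                          # drop "#" comments
    /^[ \t]*[^ \t={};]+[ \t]*[{]/ {             # "name {" opens a jail block
        jail = $0
        sub(/^[ \t]*/, "", jail); sub(/[ \t]*[{].*/, "", jail)
    }
    /ip4[.]addr[ \t]*[+]?=/ {                   # "ip4.addr =" or "ip4.addr +="
        val = $0
        sub(/.*ip4[.]addr[ \t]*[+]?=[ \t]*/, "", val)   # keep the value only
        sub(/;.*/, "", val)
        gsub(/[" \t]/, "", val)
        n = split(val, ent, ",")                # comma-separated address list
        for (i = 1; i <= n; i++)
            if (split(ent[i], p, "|") == 2)
                printf "%s\t%s\t%s\n", (jail == "" ? "(global)" : jail), p[1], p[2]
    }
    /[}]/ { jail = "" }                         # block closed
    ' "$@"
}

# Sample input: the dev1 block as posted in the thread.
dev1_as_posted() {
    cat <<'EOF'
path = "/usr/local/jails/$name";
dev1 {
    host.hostname="jail_dev1";
    ip4.addr = lo0|127.0.1.1;
}
EOF
}

# Sample input: the same block with the change suggested in the reply.
dev1_fixed() {
    dev1_as_posted | sed 's/lo0|//'
}

dev1_as_posted | iface_alias_entries    # prints: dev1<TAB>lo0<TAB>127.0.1.1
dev1_fixed | iface_alias_entries        # prints nothing
```

Run it against the jail.conf that lives inside the parent jail; an empty result means no child jail definition asks for an interface alias.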