From: Miroslav Lachman <000.fbsd@quip.cz>
To: Software Information, freebsd-stable@freebsd.org
Subject: Re: Little issue with Jails
Date: Tue, 11 Jul 2017 19:19:51 +0200
Message-ID: <596508B7.2030703@quip.cz>

Software Information wrote on 2017/07/11 19:01:
> Hi All
> I am using FreeBSD 11 and have created a new jail using the following steps
>
> 1. make buildworld DESTDIR=/here/is/the/jail
> 2. make installworld DESTDIR=/here/is/the/jail
> 3. make distribution DESTDIR=/here/is/the/jail
> 4. mount -t devfs devfs /here/is/the/jail/dev
>
> I have the following in my host rc.conf
>
> jail_enable="YES"                  # Set to NO to disable starting of any jails
> jail_list="www"                    # Space separated list of names of jails
>
> Note: Jail names in jail_list should contain alphanumeric characters only.
>
> For each jail listed in jail_list, a group of rc.conf(5) settings, which
> describe the particular jail, should be added:
>
> jail_www_rootdir="/usr/jail/www"   # jail's root directory
> jail_www_hostname="jailname.org"   # jail's hostname
> jail_www_ip="IP_Address"           # jail's IP address
> jail_www_devfs_enable="YES"        # mount devfs in the jail
>
> On the host, I did sysctl security.jail.allow_raw_sockets=1
>
> In /etc/jail.conf, in the config section for that jail, I entered the
> line *allow.raw.sockets = 1*
>
> and I also did an *echo 'security.jail.allow_raw_sockets=1' >> /etc/sysctl.conf*
> inside the jail.
>
> From what I can tell, I should be able to ping inside the jail now but it
> still doesn't work. Does anyone see anything I may have left out?

I recommend you use jail.conf only and do not set jail variables in rc.conf.
It is not good to mix these two.

Put jail_enable="YES" into rc.conf and then this into jail.conf:

## Typical static defaults:
## Use the rc scripts to start and stop jails. Mount jail's /dev.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
mount.devfs;
devfs_ruleset = 4;
enforce_statfs = 1;
allow.set_hostname = 0;
allow.sysvipc = 0;
allow.raw_sockets = 0;

## Dynamic wildcard parameter:
## Base the path off the jail name.
path = "/usr/jail/$name";
exec.consolelog = "/var/log/jail/$name.console";
mount.fstab = "/etc/fstab.$name";

## Jail www
www {
    host.hostname = "jailname.example.com";
    ip4.addr = 10.10.10.10;
    allow.raw_sockets = 1;
}

Then you can run this jail by command:

# service jail start www

Miroslav Lachman
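As an added example (not part of this thread or of FreeBSD), here is a small Python checker for the jail.conf pattern the reply shows: it parses the subset of jail.conf(5) syntax used above, merges the static defaults with a jail's own block, expands $name, and reports allow.* keys that do not match the spelling jail(8) uses (the question's allow.raw.sockets differs from the reply's allow.raw_sockets, so such a line would be flagged as having no effect on raw sockets). The SAMPLE_CONF text, the KNOWN_ALLOW subset and the second "db" jail are constructed assumptions for the demo.

```python
import re

# Constructed jail.conf in the style of the reply above: global defaults, then
# per-jail blocks. The "db" block repeats the dotted spelling from the question.
SAMPLE_CONF = """
## static defaults, overridden per jail below
exec.start = "/bin/sh /etc/rc";
mount.devfs;
allow.raw_sockets = 0;
path = "/usr/jail/$name";
www {
    host.hostname = "jailname.example.com";
    ip4.addr = 10.10.10.10;
    allow.raw_sockets = 1;
}
db {
    allow.raw.sockets = 1;   # wrong spelling: not the raw-socket parameter
}
"""

# Subset of allow.* names from jail(8); assumption: extend before relying on it.
KNOWN_ALLOW = {"allow.set_hostname", "allow.sysvipc", "allow.raw_sockets",
               "allow.chflags", "allow.mount", "allow.quotas", "allow.socket_af"}

def parse_jail_conf(text):
    """Parse the jail.conf(5) subset on this page: '#' comments, 'key = value;',
    bare 'key;' (boolean true) and 'name { ... }' blocks."""
    text = re.sub(r"#.*", "", text)
    defaults, jails, cur = {}, {}, None
    for m in re.finditer(r"(\w+)\s*\{|(\})|([^;{}]+);", text):
        if m.group(1):            # start of a jail block
            cur = jails.setdefault(m.group(1), {})
        elif m.group(2):          # end of a jail block
            cur = None
        else:                     # a parameter statement
            key, _, val = (s.strip() for s in m.group(3).partition("="))
            (defaults if cur is None else cur)[key] = val.strip('"') if val else "1"
    return defaults, jails

def effective(conf, name):
    """Defaults overridden by the jail's own block, with $name expanded."""
    defaults, jails = conf
    merged = {**defaults, **jails[name]}
    return {k: v.replace("$name", name) for k, v in merged.items()}

def unknown_allow_params(conf):
    """allow.* keys that match no documented spelling, e.g. allow.raw.sockets."""
    defaults, jails = conf
    return [(scope, k) for scope, params in [("defaults", defaults), *jails.items()]
            for k in params if k.startswith("allow.") and k not in KNOWN_ALLOW
            and not k.startswith("allow.mount.")]
```

Running unknown_allow_params over the sample reports the "db" jail's allow.raw.sockets, while effective(conf, "db") still shows allow.raw_sockets at its default of 0.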