From: "Teske, Devin"
To: Andreas Nilsson, Mailinglists FreeBSD
Subject: RE: vnet jails and rc-scripts
Date: Mon, 25 Feb 2013 17:42:32 +0000

My vimage package, available here:

http://druidbsd.sourceforge.net/download.shtml#vimage

...has a solution around that and you can read about it here:

http://druidbsd.cvs.sourceforge.net/viewvc/druidbsd/pkgbase/freebsd/RELENG_8_3/sysutils/vimage/src/rc.conf.d/vimage?revision=1.1&view=markup

Network scripts, ipfw, and other "nojail" services are started fine with my setup.

Note that in my notes, we have a PR for adding a sysctl MIB (security.jail.vnet) for distinguishing vnet jails from non-vnet jails (from within the jail):

http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/149050

(I think this is the best approach long-term). In essence, ultimately teach rcorder(8) about the difference between a jail and a vnet jail.

--
Devin

________________________________________
From: owner-freebsd-jail@freebsd.org [owner-freebsd-jail@freebsd.org] on behalf of Andreas Nilsson [andrnils@gmail.com]
Sent: Monday, February 25, 2013 8:55 AM
To: Mailinglists FreeBSD
Subject: vnet jails and rc-scripts

Hello,

while trying to set up a couple of vnet jails I ran into some problems:
1. The networking scripts are not run.
2. The firewall script (ipfw) is not run.

Both are skipped since they have the nojail keyword. Is the only solution to remove that keyword to get them running from rc in a jail? With vnet jails it seems that a lot of network-related scripts should be allowed to run. Is there any work being done to address this?

Also, what is the sysctl security.jail.param.vnet supposed to tell me?
Running it on the host gives 0
Running it in vnet jail gives 0
Running it in normal jail gives 0
which to me seems counterintuitive, as I would have expected it to be 1 in the vnet jail.

Best regards
Andreas
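
The keyword filtering discussed in this thread, sketched as an added example (not part of either message, and neither FreeBSD's rc code nor the vimage package): it selects which rc.d scripts would start on a host, in a plain jail, and in a vnet jail. The `nojailvnet` keyword, the function names, and the four script headers are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Constructed sample rc.d headers (not the real FreeBSD scripts).
RCDIR=$(mktemp -d)
trap 'rm -rf "$RCDIR"' EXIT
printf '# PROVIDE: netif\n# KEYWORD: nojailvnet\n' > "$RCDIR/netif"
printf '# PROVIDE: ipfw\n# KEYWORD: nojailvnet\n' > "$RCDIR/ipfw"
printf '# PROVIDE: swap\n# KEYWORD: nojail shutdown\n' > "$RCDIR/swap"
printf '# PROVIDE: sshd\n# KEYWORD: shutdown\n' > "$RCDIR/sshd"

# keywords_of FILE: print each word found on the file's "# KEYWORD:" lines.
keywords_of() {
    sed -n 's/^#[[:space:]]*KEYWORD:[[:space:]]*//p' "$1" | tr -s ' \t' '\n\n'
}

# skip_list JAILED VNET: keywords whose scripts must not be started.
# JAILED is the value of security.jail.jailed; VNET is the value of the
# security.jail.vnet MIB proposed in the PR. "nojailvnet" is an assumed
# keyword meaning "skip in a jail unless the jail has its own vnet".
skip_list() {
    _skip="nostart"
    if [ "$1" -eq 1 ]; then
        _skip="$_skip nojail"
        if [ "$2" -ne 1 ]; then _skip="$_skip nojailvnet"; fi
    fi
    echo "$_skip"
}

# runnable DIR JAILED VNET: names of the scripts that survive the filter.
runnable() {
    _out=""
    for _f in "$1"/*; do
        _hit=0
        for _k in $(keywords_of "$_f"); do
            for _s in $(skip_list "$2" "$3"); do
                if [ "$_k" = "$_s" ]; then _hit=1; fi
            done
        done
        if [ "$_hit" -eq 0 ]; then _out="$_out${_out:+ }${_f##*/}"; fi
    done
    echo "$_out"
}

for _mode in "0 0" "1 0" "1 1"; do
    set -- $_mode
    echo "jailed=$1 vnet=$2 runs: $(runnable "$RCDIR" "$1" "$2")"
done
```

Scripts that touch host-wide resources keep `nojail` and stay blocked in every jail; only scripts re-tagged with the vnet-aware keyword are released, and only where the jail owns its network stack.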