Message-ID: <5213A13E.9050307@qeng-ho.org>
Date: Tue, 20 Aug 2013 18:02:54 +0100
From: Arthur Chance
To: Karl Pielorz
Cc: freebsd-questions@freebsd.org
Subject: Re: jail.conf ignoring exec.fib?

On 20/08/2013 12:50, Karl Pielorz wrote:
>
>
> --On 20 August 2013 08:27 +0100 Arthur Chance wrote:
>
>> In the source the exec.fib parameter is given as an integer, so the
>> quotes probably shouldn't be there, but I'm not sure whether it matters.
>
> I tried it just as 'exec.fib = 1;' originally, and it makes no
> difference :(
>
>> There's definitely a setfib call in the source that's done if exec.fib
>> exists. All I can think of right now is that you try firing up the jail
>> using the -v verbose flag. This should show everything the jail command
>> does as the jail is created.
>
> Ok, I tried that and got:
>
> "
> root# jail -v -c jail
> jail: run command: /sbin/mount -t devfs -oruleset=4 . /usr2/jails/jail/dev
> jail: jail_set(JAIL_CREATE) persist name=jail devfs_ruleset=4 jid=100
> path=/usr2/jails/jail host.hostname=jail.somedomain.com
> ip4.addr=192.186.0.20 allow.raw_sockets
> jail: created
> jail: run command in jail: /bin/sh /etc/rc
> Setting hostname: jail.somedomain.com
> ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
> 32-bit compatibility ldconfig path: /usr/lib32
> Creating and/or trimming log files.
> ln: /dev/log: Operation not permitted
> Starting syslogd.
> Clearing /tmp (X related).
> Updating motd:.
> Starting cron.
>
> Tue Aug 20 11:39:20 UTC 2013
> jail: jail_set(JAIL_UPDATE) jid=100 nopersist
> "
>
> Certainly more detail, but no mention of fib's :( - I tried it both
> with, and without quotes around the FIB value. You can also see I have
> raw sockets available for debugging.

I can't test this directly, as I'm running a generic kernel so only have
one fib. However, if I add the invalid (under GENERIC) "exec.fib = 1;"
to my jail.conf and try launching the jail with -v I get (slightly cut)

testjail: run command: /sbin/mount -t devfs -oruleset=4 . /jails/jail/testjail/root/dev
testjail: jail_set(JAIL_CREATE) persist name=testjail enforce_statfs=2 ip6=disable path=/jails/jail/testjail/root host.hostname=testjail.home.qeng-ho.org allow.set_hostname=false ip4.addr=172.16.4.2 securelevel=1
testjail: created
testjail: run command in jail: /bin/sh /etc/rc
jail: testjail: setfib: Invalid argument
jail: testjail: /bin/sh /etc/rc: failed
testjail: removed

so it certainly has tried the setfib and knows it has failed.

And that's just made me think of something else - I have a horrible
feeling that jexec will attach to the jail using whatever fib it's
running under, i.e. the fib from the host environment. Do you have (or
can you enable) ssh running in the jail? If so, log into the jail that
way, and see what

sysctl net.my_fibnum

shows then, because you'll be running under the environment created by
/etc/rc.

-- 
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a new
race of servants. Called Uruk-Oh-Hai in the Black Speech, they were
cruel and delighted in torturing spelling and grammar.

_Lord of the Rings 2.0, the Web Edition_