From: Philipp Huebner <philipp.huebner@fdrive.com.au>
Date: Thu, 19 Jan 2012 09:21:59 +1100
To: freebsd-stable@freebsd.org
Subject: Re: Fighting with vnet / jails epair and so on
Message-ID: <4F174607.9070707@fdrive.com.au>
Hi,

On 19/01/12 00:59, Denny Schierz wrote:
> =======================================
>
> # host:
> jexec 2 ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up
> ifconfig: up: permission denied

I use 9.0.0 release for host and jail and a generic kernel with OPTIONS VIMAGE being the only change/addition. No problem.

>
> # sysctl:
>
> security.jail.enforce_statfs: 2
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 1
> security.jail.sysvipc_allowed: 1

security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0

> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> security.jail.jail_max_af_ips: 255
> security.jail.jailed: 0
>
> /etc/rc.conf:
> =============================
> jail_enable="YES"
> jail_v2_enable="YES"
> jail_list=""
> jail_sysvipc_allow="YES"

I don't have this line, not sure what it does either.

>
> #JAIL template
> jail_list="$jail_list template"
> jail_template_name="template"
> jail_template_hostname="template.CHANGED"
> jail_template_devfs_enable="YES"
> jail_template_rootdir="/jails/template"
> jail_template_mount_enable="YES"
> jail_template_fstab="/etc/jails/fstabs/template"
> jail_template_vnet_enable="YES"
> jail_template_devfs_ruleset="devfsrules_jail"
>
> #network
> jail_template_exec_prestart0="ifconfig epair0 create"
> jail_template_exec_prestart1="ifconfig bridge0 addm epair0a"
> jail_template_exec_prestart2="ifconfig epair0a up"
> jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
> jail_template_exec_afterstart0="ifconfig lo0 127.0.0.1"
> jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up"
> jail_template_exec_afterstart2="route add default 130.83.160.62"
> jail_template_exec_afterstart3="/bin/sh /etc/rc"
                                  ^^^^^^^^^^^^^^^

The initscript runs /etc/rc already when the jail is created; this makes it run a second time, which messed things up for me. When the initscript runs /etc/rc, all the scripts with NOJAIL are skipped. For some reason, when running /etc/rc a second time through this configuration, some daemons like cron were started a second time. I now execute a custom /etc/rc.jail which runs a few init scripts manually to configure networking and start a few daemons that don't come up with the original run of /etc/rc.

> jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
> jail_template_exec_poststop1="ifconfig epair0a destroy"

I am not doing this, because shortly after stopping a jail this would give me a kernel panic. If you comment out those lines, the devices will stay where they are and simply be re-used the next time you start the jail again. Works without a problem for me.

Regards
Philipp
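The two rc.conf pitfalls discussed in this reply (running /etc/rc a second time from an exec_afterstart hook, and destroying the epair in an exec_poststop hook) as a small configuration check. This is an added example, not code from the thread or from FreeBSD; the rc.conf fragment is constructed from the quoted configuration, and the lint only understands the jail_<name>_exec_<hook><n>="..." form used there.

```sh
#!/bin/sh
# Constructed rc.conf fragment modelled on the quoted configuration (jail name "template").
SAMPLE_RC_CONF='jail_enable="YES"
jail_list="template"
jail_template_vnet_enable="YES"
jail_template_exec_prestart0="ifconfig epair0 create"
jail_template_exec_prestart1="ifconfig bridge0 addm epair0a"
jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up"
jail_template_exec_afterstart3="/bin/sh /etc/rc"
jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
jail_template_exec_poststop1="ifconfig epair0a destroy"'

# lint_jail_rc: reads rc.conf lines on stdin and prints one "WARN:" line per finding.
lint_jail_rc() {
    while IFS= read -r line; do
        name=${line%%=*}
        val=${line#*=}
        val=${val#\"}
        val=${val%\"}
        case "$name" in
            jail_*_exec_afterstart[0-9]*)
                # The jail rc script already runs /etc/rc inside the new jail; running it
                # again from afterstart started daemons such as cron a second time.
                case "$val" in
                    *"/etc/rc") echo "WARN: $name runs /etc/rc a second time" ;;
                esac ;;
            jail_*_exec_poststop[0-9]*)
                # Destroying the epair right after the jail stops is what produced the
                # kernel panic in the thread; left in place, it is reused on the next start.
                case "$val" in
                    *"ifconfig epair"*" destroy"*) echo "WARN: $name destroys the epair on jail stop" ;;
                esac ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_RC_CONF" | lint_jail_rc
```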