Date: Thu, 14 Feb 2013 14:18:38 +0100
From: Harald Schmalzbauer <h.schmalzbauer@omnilan.de>
To: Fbsd8 <fbsd8@a1poweruser.com>
Cc: Fleuriot Damien <ml@my.gd>, FreeBSD questions <questions@freebsd.org>
Subject: Re: setting MIBs on a per jail bases
Message-ID: <511CE42E.2090509@omnilan.de>
In-Reply-To: <51128B7C.4090801@a1poweruser.com>
References: <5112874D.30500@a1poweruser.com> <3A0296FA-E6E1-41AD-8077-7648E6E57511@my.gd> <51128B7C.4090801@a1poweruser.com>
Fbsd8 wrote on 06.02.2013 17:57 (localtime):
> Fleuriot Damien wrote:
>> Running 8.3 here and the answer is no.
>>
>>
>> On Feb 6, 2013, at 5:39 PM, Fbsd8 <fbsd8@a1poweruser.com> wrote:
>>
>>> Is there a way to set these MIBs
>>> on a per jail basis?
>>>
>>> allow.mount.nullfs
>>> allow.raw_sockets
>>> cpuset.id
>>> securelevel
>>
>>
>
> Rereading the "man jail" for 9.1 talks about securelevel as a jail
> parameter. So correct me if I am wrong. All the security.jail.param.*
> MIBs are set in rc.conf or /etc/jail.conf file on a per jail basis by
> changing the word "parm" to the jailname?
>

This applies to jail.conf(5). That's an entirely new way to handle jails in
FreeBSD 9.1. Very nice, but not included in rc.d.
If you want to keep the traditional way of running jails, I made a patch
some time ago to control more per-jail tunables. Here you can download it
for -9:
ftp://ftp.omnilan.de/pub/FreeBSD/OmniLAN/deploy-tools/local-patches/src/jail-allow-selectables.patch_9
That also irons out some IP configuration cosmetics, see defaults/rc.conf.

If you want to give the new jail(8) and jail.conf capabilities a try,
here's how I use it with vnet (vimage, virtual per-jail network stack):

Compile a kernel with "options VIMAGE"
Remove "# keyword nojail" in the jail's etc/rc.d/netif and routing (if you
want to set IP addresses inside the jail)

And here's the corresponding jail.conf:
###
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown && sleep 2";
exec.clean;
allow.mount;
allow.mount.devfs;
allow.set_hostname;
mount.devfs;
devfs_ruleset = 4;

# Dynamic wildcard parameter:
# Base the path off the jail name.
path = "/.jail.$name";
mount.fstab = "/etc/fstab.$name";

yourname {
        mount;
        name = "inno";
        # host.hostname = "your.hostname.net"; but also set inside the jail
        # along with the network setup
        vnet = "new";
        vnet.interface = "jbb$name";
}
###

You can add "allow.raw_sockets" anywhere. But with vnet, you don't need
that any more.

Just to point you into the right direction.

-Harry
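To see which jail ends up with which of the parameters the question asked about (global defaults versus a per-jail block, plus the $name wildcard), here is an added example that reads a jail.conf(5)-style file. It is not code from this thread or from FreeBSD. It models only the subset of syntax used in Harry's config above: `key = value;`, bare flags, one level of `name { ... }` blocks, `#` comments and `$name`/`${name}` expansion; it does not handle `+=`, value lists or nested jails, and it never calls jail(8) or jls(8), so the host securelevel is passed in by hand. The sample configuration embedded in it is constructed for this example.

```python
"""Minimal jail.conf(5) reader (added example, not from the thread or FreeBSD).

Subset only: `key = value;`, bare `flag;` (stored as True), one level of
`jailname { ... }` blocks, `#` comments, $name / ${name} expansion.
No `+=`, no value lists, no nested jails, no calls to jail(8)/jls(8).
"""
import re

# Constructed sample config for this example (not Harry's file).
SAMPLE_CONF = r'''
# Global defaults: every jail gets these unless its own block overrides them.
exec.start = "/bin/sh /etc/rc";
exec.clean;
allow.mount;
allow.mount.devfs;
mount.devfs;
devfs_ruleset = 4;
securelevel = 3;
path = "/.jail.$name";        # wildcard: expanded per jail

# Per-jail overrides, using the parameters asked about in the thread.
build {
    allow.mount.nullfs;       # may nullfs-mount a shared ports tree
    securelevel = 2;          # lower than the host: see audit()
}
monitor {
    allow.raw_sockets;        # wants ping(8)/traceroute(8)
}
vnetjail {
    vnet = "new";
    vnet.interface = "jbb${name}";
}
'''


def _strip_comments(text):
    """Drop '#' comments, but keep a '#' that sits inside a quoted value."""
    kept_lines = []
    for line in text.splitlines():
        in_quote, kept = False, []
        for ch in line:
            if ch == '"':
                in_quote = not in_quote
            if ch == '#' and not in_quote:
                break
            kept.append(ch)
        kept_lines.append(''.join(kept))
    return '\n'.join(kept_lines)


def _add(params, stmt):
    """Store one `key = value` or bare `flag` statement into params."""
    if not stmt:
        return
    if '=' in stmt:
        key, value = (part.strip() for part in stmt.split('=', 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key] = value
    else:
        params[stmt] = True


def parse_jail_conf(text):
    """Return (global_params, {jailname: own_params}); quote-aware on {};."""
    globals_, jails, current, buf, in_quote = {}, {}, None, '', False
    for ch in _strip_comments(text):
        if ch == '"':
            in_quote = not in_quote
        if in_quote or ch not in '{};':
            buf += ch
            continue
        if ch == '{':
            if current is not None:
                raise ValueError('nested jail blocks are not supported')
            current, buf = buf.strip(), ''
            jails[current] = {}
        elif ch == '}':
            if buf.strip():
                raise ValueError('missing ";" before "}": %r' % buf.strip())
            current, buf = None, ''
        else:  # ';' ends a statement in the global scope or the open block
            _add(globals_ if current is None else jails[current], buf.strip())
            buf = ''
    if buf.strip():
        raise ValueError('unterminated statement: %r' % buf.strip())
    return globals_, jails


def effective(globals_, jails):
    """Merge global defaults under each jail's own block and expand $name."""
    result = {}
    for name, own in jails.items():
        merged = dict(globals_)
        merged.update(own)
        result[name] = {k: re.sub(r'\$\{?name\}?', lambda _m: name, v)
                        if isinstance(v, str) else v for k, v in merged.items()}
    return result


ASKED_ABOUT = ('allow.raw_sockets', 'allow.mount.nullfs')


def audit(eff, host_securelevel):
    """Jails that get the asked-about capabilities, and securelevels below
    the host's (jail(8): a jail is never below its parent, so such a value
    is accepted but ineffective)."""
    findings = []
    for name in sorted(eff):
        p = eff[name]
        for key in ASKED_ABOUT:
            if p.get(key) in (True, '1', 'true'):
                findings.append((name, key))
        if 'securelevel' in p and int(p['securelevel']) < host_securelevel:
            findings.append((name, 'securelevel %s < host %d: ineffective, stays %d'
                             % (p['securelevel'], host_securelevel, host_securelevel)))
    return findings


if __name__ == '__main__':
    eff = effective(*parse_jail_conf(SAMPLE_CONF))
    for name in sorted(eff):
        print(name, eff[name]['path'], 'securelevel=%s' % eff[name]['securelevel'])
    for finding in audit(eff, host_securelevel=3):
        print('AUDIT', *finding)
```

The securelevel check encodes the rule from jail(8) that a jail never has a lower securelevel than its parent: a per-jail `securelevel = 2` on a host at 3 is accepted but does nothing. On a running 9.1 system, compare what the file says with what the kernel actually applied using jls(8), e.g. `jls -j <name> securelevel allow.raw_sockets allow.mount.nullfs`.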