From: Harald Schmalzbauer
Date: Thu, 14 Feb 2013 14:18:38 +0100
To: Fbsd8
Cc: Fleuriot Damien, FreeBSD questions
Subject: Re: setting MIBs on a per jail bases

Fbsd8 wrote on 06.02.2013 17:57 (localtime):
> Fleuriot Damien wrote:
>> Running 8.3 here and the answer is no.
>>
>> On Feb 6, 2013, at 5:39 PM, Fbsd8 wrote:
>>
>>> Is there a way to set these MIBs
>>> on a per jail basis?
>>>
>>> allow.mount.nullfs
>>> allow.raw_sockets
>>> cpuset.id
>>> securelevel
>
> Rereading the "man jail" for 9.1 talks about securelevel as a jail
> parameter. So correct me if I am wrong. All the security.jail.param.*
> MIBs are set in rc.conf or /etc/jail.conf file on a per jail basis by
> changing the word "parm" to the jailname?

This applies to jail.conf(5). That's an entirely new way to handle jails
in FreeBSD 9.1. Very nice, but not included in rc.d.
If you want to keep the traditional way of running jails, I made a patch
some time ago to control more per-jail tunables. Here you can download it
for -9:
ftp://ftp.omnilan.de/pub/FreeBSD/OmniLAN/deploy-tools/local-patches/src/jail-allow-selectables.patch_9
That also irons some ip configuration cosmetics, see defaults/rc.conf.

If you want to give the new jail(8) and jail.conf capabilities a try,
here's how I use it with vnet (vimage, virtual per-jail-network stack):
Compile a kernel with "options VIMAGE"
remove "# keyword nojail" in jail's etc/rc.d/netif and routing (if you
want to set IP addresses inside the jail)

And here's the corresponding jail.conf:
###
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown && sleep 2";
exec.clean;
allow.mount;
allow.mount.devfs;
allow.set_hostname;
mount.devfs;
devfs_ruleset=4;

# Dynamic wildcard parameter:
# Base the path off the jail name.
path = "/.jail.$name";
mount.fstab="/etc/fstab.$name";

yourname {
        mount;
        name = "inno";
        # host.hostname = .your hostname.net"; but also set inside the jail along with network setup
        vnet = "new";
        vnet.interface = "jbb$name";
}
###
You can add "allow.raw_sockets" anywhere. But with vnet, you don't need
that any more.

Just to point you in the right direction.
-Harry
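
An added example, not part of the original message: a small sh check that lists, per jail, which of the permissions discussed in this thread (allow.raw_sockets, allow.mount and its sub-parameters, securelevel) are actually in effect. It assumes the one-line-per-jail name=value output of `jls -n`, where booleans print as `allow.x` when on and `allow.nox` or `allow.mount.nox` when off; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit per-jail parameters from `jls -n` style output.
# On a live host (assumption): jls -n | audit_jails 1

# Constructed sample input, not captured from a real system.
sample_jls() {
cat <<'EOF'
jid=1 name=inno path=/.jail.inno securelevel=-1 allow.mount allow.mount.devfs allow.mount.nonullfs allow.noraw_sockets allow.set_hostname
jid=2 name=web path=/.jail.web securelevel=2 allow.nomount allow.mount.nodevfs allow.mount.nonullfs allow.raw_sockets allow.noset_hostname
jid=3 name=db path=/.jail.db securelevel=2 allow.nomount allow.mount.nodevfs allow.mount.nonullfs allow.noraw_sockets allow.noset_hostname
EOF
}

# audit_jails MIN_SECURELEVEL
# Reads jls -n lines on stdin and prints "jailname: finding finding ..."
# for every jail that has raw sockets or any mount permission enabled,
# or whose securelevel is below MIN_SECURELEVEL (default 1).
audit_jails() {
    awk -v min="${1:-1}" '
    {
        name = "?"; level = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)
                name = substr($i, 6)
            else if ($i ~ /^securelevel=/)
                level = substr($i, 13)
            else if ($i == "allow.raw_sockets")
                flags = flags " " $i
            # allow.mount or allow.mount.<fs>, but not the negated
            # forms allow.nomount / allow.mount.no<fs>
            else if ($i ~ /^allow\.mount(\.[a-z]+)?$/ && $i !~ /\.no[a-z_]+$/)
                flags = flags " " $i
        }
        if (level != "" && level + 0 < min + 0)
            flags = flags " securelevel=" level
        if (flags != "")
            print name ":" flags
    }'
}

# Stand-alone demonstration on the constructed sample.
sample_jls | audit_jails 1
```

Jails that print nothing (here "db") have none of the watched permissions enabled and meet the securelevel floor.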