From: Devin Teske (Devin.Teske@fisglobal.com)
To: FreeBSD Jail (freebsd-jail@freebsd.org)
Cc: Dave Robison
Date: Sat, 27 Aug 2011 10:05:15 -0700
Subject: VIMAGE versus Jail w/respect to SYSCTL security_jail OIDs

I'm finding a systemic problem with VIMAGE jails in comparison to regular jails in FreeBSD-8.1.
All of the following sysctls appear to correctly affect regular jails (either created via /etc/rc.d/jail or manually via jail(8)):

security.jail.mount_allowed
security.jail.chflags_allowed
security.jail.allow_raw_sockets
security.jail.sysvipc_allowed
security.jail.socket_unixiproute_only
security.jail.set_hostname_allowed
security.jail.jail_max_af_ips

Indeed, when interrogated within the jail, they show the value that was inherited from the underlying host at jail startup.

However, none of the above sysctls appear to be inherited by vnet jails. These would be jails that are created with the "jail -c vnet ..." syntax of jail(8) with VIMAGE enabled in the kernel.

Interrogating any of the above sysctls from within a vnet jail always produces the following default values, regardless of what you set the host values to and regardless of how many times you bounce the vimage:

vnettest# sysctl security.jail | grep -v param
security.jail.enforce_statfs: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1

Any ideas are welcome. I think I'm going to go delve into the jail(8) code now, because I've slogged all through the kernel and can't find anything in the kernel that passes these values from host to jail (it must be jail(8) that's doing this functionality).

-- 
Devin

NOTE: This comes on the back of trying to get nfsd running within a vimage jail. I suspect the lack of ability to change one or more of the above sysctls to be the reason why we can't get nfsd to fire up. Firing up nfsd within a vimage jail produces no results (no error status, no error text, no log entries, nada, zip, zilch, nothing). rpcbind runs, mountd runs, but nfsd refuses for some reason.
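The observation above is also a verification problem: a host-side security.jail setting is only a restriction on a jail if the jail actually reports the same value, so the check worth keeping is a side-by-side comparison of `sysctl security.jail` on the host and inside the jail. The POSIX sh script below is an added example, not code from the post or from FreeBSD; its two inputs are constructed samples (the jail-side values are the defaults quoted in the post, the host-side values are assumed), and it lists every OID whose jail value differs from the host's, skipping security.jail.jailed, which differs by design.

```shell
#!/bin/sh
# Added example (constructed inputs, not a capture): compare security.jail OIDs on host and in jail.

# Host side (assumed values: an operator has tightened several OIDs).
HOST_SYSCTL='security.jail.enforce_statfs: 2
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 1
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0'

# Jail side: the default values the vnet jail reported in the post.
JAIL_SYSCTL='security.jail.enforce_statfs: 1
security.jail.mount_allowed: 1
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
security.jail.jail_max_af_ips: 255
security.jail.jailed: 1'

# compare_jail_sysctls HOST_OUTPUT JAIL_OUTPUT
# Prints "<oid> host=<v> jail=<v>" for every OID present on both sides whose
# values differ. security.jail.jailed is skipped: it is 0 on the host and 1
# inside any jail by design, so that difference is not a finding.
compare_jail_sysctls() {
    {
        printf '%s\n' "$1" | sed 's/^/host /'
        printf '%s\n' "$2" | sed 's/^/jail /'
    } | awk '
        { sub(/:$/, "", $2) }                  # drop the trailing colon
        $2 == "security.jail.jailed" { next }
        $1 == "host" { host[$2] = $3; next }
        $1 == "jail" && ($2 in host) && host[$2] != $3 {
            printf "%s host=%s jail=%s\n", $2, host[$2], $3
        }
    '
}

# count_mismatches HOST_OUTPUT JAIL_OUTPUT: number of OIDs that differ.
count_mismatches() {
    compare_jail_sysctls "$1" "$2" | wc -l | tr -d ' '
}

compare_jail_sysctls "$HOST_SYSCTL" "$JAIL_SYSCTL"
```

On a real system, pass it the output of `sysctl security.jail` run on the host and of `jexec <jid> sysctl security.jail` run inside the jail; any line it prints is a setting the operator believes is enforced but the jail is not honouring.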