sysvipc problem
Alexander Petrovsky
askjuise at gmail.com
Mon Aug 23 04:36:51 UTC 2010
Hi!
I have two servers for jail virtualization:
1. Only ezjail framework:
# uname -a
FreeBSD troll.golodnyj.ru 8.0-STABLE FreeBSD 8.0-STABLE #0 r199880: Thu Dec 3 13:35:21 IRKT 2009 alexander at troll.golodnyj.ru:/usr/obj/usr/src/sys/WEBKERNEL i386
# cat /etc/rc.conf | grep jail
jail_sysvipc_allow="YES"
ezjail_enable="YES"
# less /usr/local/etc/ezjail/www
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#
export jail_www_hostname="www"
export jail_www_ip="84.237.22.15,192.168.47.15"
export jail_www_rootdir="/var/jails/www"
export jail_www_exec="/bin/sh /etc/rc"
export jail_www_mount_enable="YES"
export jail_www_devfs_enable="YES"
export jail_www_devfs_ruleset="devfsrules_jail"
export jail_www_procfs_enable="YES"
export jail_www_fdescfs_enable="YES"
export jail_www_image=""
export jail_www_imagetype=""
export jail_www_attachparams=""
export jail_www_attachblocking=""
export jail_www_forceblocking=""
# jls -v
JID Hostname Path
Name State
CPUSetID
IP Address(es)
1 www /var/jails/www
1 ACTIVE
2
84.237.22.15
192.168.47.15
# sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
# jexec 1 sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
-------------------------------------------------------------------
2. ezjail framework and patched jail rc script
# uname -a
FreeBSD garem.golodnyj.ru 8.0-STABLE FreeBSD 8.0-STABLE #0: Fri Feb 19 16:36:58 IRKT 2010 alexander@:/usr/obj/usr/src/sys/GAREMKERNEL amd64
# cat /etc/rc.conf | grep jail
jail_enable="YES"
jail_v2_enable="YES"
ezjail_enable="YES"
jail_sysvipc_allow="YES"
jail_set_hostname_allow="YES"
jail_list=""
jail_list="$jail_list jail01"
jail_jail01_hostname="propeller"
jail_jail01_rootdir="/var/jails/${jail_jail01_name}"
jail_jail01_vnet_enable="YES"
jail_jail01_mount_enable="YES"
jail_jail01_devfs_enable="YES"
jail_jail01_devfs_ruleset="devfsrules_jail"
jail_jail01_exec_erlyprestart0="mdconfig -a -t vnode -f /var/jails/img/${jail_jail01_name} -u 1"
jail_jail01_exec_prestart0="ifconfig epair1 create"
jail_jail01_exec_prestart1="ifconfig epair2 create"
jail_jail01_exec_prestart2="ifconfig epair1b up"
jail_jail01_exec_prestart3="ifconfig epair2b up"
jail_jail01_exec_prestart4="ifconfig bridge0 addm epair1b"
jail_jail01_exec_prestart5="ifconfig bridge1 addm epair2b"
jail_jail01_exec_earlypoststart0="ifconfig epair1a vnet ${jail_jail01_name}"
jail_jail01_exec_earlypoststart1="ifconfig epair2a vnet ${jail_jail01_name}"
jail_jail01_exec_afterstart0="ifconfig lo0 127.0.0.1"
jail_jail01_exec_afterstart1="ifconfig epair1a name igb0"
jail_jail01_exec_afterstart2="ifconfig epair2a name igb1"
jail_jail01_exec_afterstart3="ifconfig igb0 84.237.22.14 netmask 0xffffff80"
jail_jail01_exec_afterstart4="ifconfig igb1 192.168.6.14 netmask 0xffffff00"
jail_jail01_exec_afterstart5="route add default 84.237.22.1"
jail_jail01_exec_afterstart6="route add -net 192.168.0.0/16 192.168.6.1"
jail_jail01_exec_afterstart7="/bin/sh /etc/rc"
jail_jail01_exec_poststop0="ifconfig bridge0 deletem epair1b"
jail_jail01_exec_poststop1="ifconfig bridge1 deletem epair2b"
jail_jail01_exec_poststop2="ifconfig epair1b destroy"
jail_jail01_exec_poststop3="ifconfig epair2b destroy"
jail_jail01_exec_poststop4="mdconfig -d -u 1"
# cat /usr/local/etc/ezjail/gerda
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#
export jail_gerda_hostname="gerda"
export jail_gerda_ip="84.237.22.5,192.168.6.5"
export jail_gerda_rootdir="/var/jails/gerda"
export jail_gerda_exec_start="/bin/sh /etc/rc"
export jail_gerda_exec_stop=""
export jail_gerda_mount_enable="YES"
export jail_gerda_devfs_enable="YES"
export jail_gerda_devfs_ruleset="devfsrules_jail"
export jail_gerda_procfs_enable="YES"
export jail_gerda_fdescfs_enable="YES"
export jail_gerda_image=""
export jail_gerda_imagetype=""
export jail_gerda_attachparams=""
export jail_gerda_attachblocking=""
export jail_gerda_forceblocking=""
export jail_gerda_zfs_datasets=""
export jail_gerda_cpuset="2"
export jail_gerda_fib="0"
# jls -v
JID Hostname Path
Name State
CPUSetID
IP Address(es)
4 gerda /var/jails/gerda
4 ACTIVE
5
84.237.22.5
........
8 propeller /var/jails/jail01
jail01 ACTIVE
9
# sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
# jexec 4 sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 0
# jexec 8 sysctl security.jail.sysvipc_allowed
-------------------------------------------------------------------
Why do I have this in 8.0:
# sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
# jexec 1 sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
But in 8.1 I have:
# sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
# jexec 4 sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 0
# jexec 8 sysctl security.jail.sysvipc_allowed
What was I doing wrong?
--
Петровский Александр / Alexander Petrovsky,
ICQ: 350342118
Jabber: juise at jabber.ru
Phone: +7 914 8 820 815