After upgrade can't start jails version 11.0.1 #90

Closed
jnbek opened this issue Oct 2, 2016 · 15 comments

@jnbek jnbek commented Oct 2, 2016

([J:0]root(1)@galatians5[/cbsd/jails]# cbsd jstart httpd                                                                                               [10/02/16][17:23:29])
Ip 192.168.0.128 already exists in LAN
NIC automatically selected: em0
Starting jail: httpd, parallel timeout=5
jail: httpd: unknown parameter: allow.mount.linsysfs
jail: httpd: unknown parameter: allow.mount.linprocfs
IPFW is not enabled
([J:0]root(1)@galatians5[/cbsd/jails]# cbsd jlogin httpd                                                                                               [10/02/16][17:23:42])
Not running
([J:0]root(1)@galatians5[/cbsd/jails]#

I just upgraded my ports packages, including cbsd, then after reboot, cbsd told me to run:
cbsd initenv
to upgrade the backend. But none of my jails now will start.

Collaborator

@olevole olevole commented Oct 3, 2016

What version are you using as hoster? Due to limited resources I check only the latest releases and FreeBSD 11.

Collaborator

@olevole olevole commented Oct 3, 2016

As a workaround, you can temporarily disable the 'allow_mount' option for your jail:

cbsd jconfig

and set allow_mount to 0

https://lists.freebsd.org/pipermail/svn-src-stable-10/2016-February/008293.html

Looks like these options are available only from 10.3-RELEASE++
Anyway, I want to know the version of FreeBSD and disable these options for FreeBSD <10.3 if you have a version lower than 10.3.

olevole added a commit that referenced this issue Oct 3, 2016
Collaborator

@olevole olevole commented Oct 3, 2016

Probably fixed in 11.0.2, sent to ports: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213176

@olevole olevole closed this Oct 3, 2016
Author

@jnbek jnbek commented Oct 3, 2016

I will test it when I get home. I am running FreeBSD 10.2-Stable on the server. I upgraded all my ports, before proceeding with the OS upgrades, it had been quite a while since I'd updated the ports so, I fig'd I'd solve any ports problems, THEN upgrade the OS, I'll be source upgrading to 11-STABLE and want to minimize any issues.

Author

@jnbek jnbek commented Oct 4, 2016

The update fixed the problem. Thanks

@czkarex czkarex commented Oct 5, 2016

After upgrade to 11.0.2, similar trouble (current FreeBSD ver. 11.0-RELEASE). Jail does not start with allow_mount (1). With error: jail_set: Operation not permitted.
Any idea? Thanks, Karel

@olevole olevole reopened this Oct 5, 2016
Collaborator

@olevole olevole commented Oct 5, 2016

@czkarex Can you post the full log from the

cbsd jstart XXX

command? (where XXX is your jail name)
And also:

% uname -a
% file -s /bin/sh
% cbsd -c ' cbsdsql local select * from jails ' |grep ^XXX

(where XXX is the jail name)

Does the jail start if you set 'allow_mount' to 0 in

% cbsd jconfig

?

@czkarex czkarex commented Oct 5, 2016

  1. cbsd jstart agnes
    Ip 10.65.40.1 already exists in LAN
    NIC automatically selected: em0
    set resource limit: [ ]
    Starting jail: agnes, parallel timeout=5
    jail: agnes: jail_set: Operation not permitted
    IPFW is not enabled

  2. uname -a
    FreeBSD maggie 11.0-RELEASE FreeBSD 11.0-RELEASE #5 r306684M: Tue Oct 4 22:48:39 CEST 2016 karel@maggie:/usr/obj/usr/src/sys/MAGGIEKERN amd64

  3. file -s /bin/sh
    /bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100120), FreeBSD-style, stripped

  4. cbsd -c ' cbsdsql local select * from jails ' |grep ^agnes
    agnes|0|/usr/jails/jails/agnes|agnes.my.domain|10.65.40.1/24|1|1|1|1|/usr/jails/jails-fstab/fstab.agnes|1|5|auto|0|0|0|0|0|0|1|0|/usr/jails/jails-data/agnes-data|0|1|0|/usr/jails/jails-rcconf/rc.conf_agnes|1|11|amd64|0|/bin/sh /etc/rc|/bin/sh /etc/rc.shutdown|0|0|0|0|0|0|0|0|0|180|0|900|1|1|0|1|1|0|0|jail|0|0|1|0|10|0|new|0|0

  5. allow_mount: 0
    cbsd jstart agnes
    Ip 10.65.40.1 already exists in LAN
    NIC automatically selected: em0
    set resource limit: [ ]
    Starting jail: agnes, parallel timeout=5
    agnes: created
    IPFW is not enabled
    it works....

Collaborator

@olevole olevole commented Oct 6, 2016

@czkarex Still not very clear to me..

The whole difference for allow_mount is in:
https://github.com/cbsd/cbsd/blob/master/tools/makejconf#L239

After @jnbek's issue, I've added a test (based on ELF header/version) for skipping features that are absent on FreeBSD < 10.3:

if [ "${allow_mount}" = "1" ]; then
    echo "allow.mount = \"true\";" >> ${out}
    echo "enforce_statfs=\"1\";" >>${out}

    if [ ${freebsdhostversion} -gt 1003000 ]; then
        echo "allow.mount.linsysfs = \"true\";" >> ${out}
        echo "allow.mount.linprocfs=\"1\";" >> ${out}
    fi
fi

Can you tell me what the execution of the following returns:

sysctl -a | grep -E "linproc|linsys"

?

You can help me by debugging exactly which allow* params are not working. To do this, create a new jail with baserw=1 (it is needed to skip nullfs mounts), e.g.: jail1

0) Create jconf for this jail:

% cbsd makejconf jname=jail1 out=/tmp/jconf.jconf

(this generates a standard jail.conf for the jail1 jail)

1) Run jail1 by jconf:

% jail -f /tmp/jconf.jconf -c jail1

2) Stop jail1 via CBSD:

% cbsd jstop jail1

You can remove the allow_ params in /tmp/jconf.jconf one line at a time, cycling stop/start (by repeating steps 1/2), to find which parameter is causing the error.

It does not reproduce on my FreeBSD 11 ;-(

@czkarex czkarex commented Oct 6, 2016

I upgraded CBSD from 10.3 to 11.0.2. (FreeBSD 11 only updated to the current release)
sysctl -a | grep -E "linproc|linsys"
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.mount_linsysfs_allowed: 0
security.jail.mount_linprocfs_allowed: 0

"Config test"
I tested it, result is: I have to set:
allow.mount.linsysfs = "false";
allow.mount.linprocfs="0";
Jail working,
And fails during stopping:
jail: jail1: mount.fdescfs: /usr/jails/jails-data/jail1-data/dev/fd: not a mount point

K.
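
An added example, not part of the thread and not CBSD code: instead of gating `allow.mount.linsysfs` / `allow.mount.linprocfs` on a host version number, a generator can keep each `allow.mount.<fstype>` line only when the kernel lists the parameter under `security.jail.param`, the sysctl tree shown in the output above. This covers the "unknown parameter" failure from the first report, not the "Operation not permitted" case; the function names and the pre-10.3 sysctl sample are constructed for illustration.

```sh
#!/bin/sh
# Added example (not CBSD code): drop allow.mount.<fstype> lines from a
# jail.conf when the running kernel does not advertise the parameter.

# Constructed sample: security.jail.param names on a host older than 10.3.
SYSCTL_OLD='security.jail.param.allow.mount.devfs: 0
security.jail.param.allow.mount.nullfs: 0
security.jail.param.allow.mount.procfs: 0'

# The same list plus lines as posted in the thread from an 11.0-RELEASE host.
SYSCTL_NEW="$SYSCTL_OLD
security.jail.param.allow.mount.linsysfs: 0
security.jail.param.allow.mount.linprocfs: 0
security.jail.mount_linsysfs_allowed: 0"

# Constructed jail.conf body using the lines makejconf writes.
SAMPLE_JCONF='jail1 {
allow.mount = "true";
enforce_statfs="1";
allow.mount.linsysfs = "true";
allow.mount.linprocfs="1";
}'

# kernel_params TEXT: print the parameter names found in sysctl output.
kernel_params() {
    printf '%s\n' "$1" | sed -n 's/^security\.jail\.param\.\([^:]*\).*$/\1/p'
}

# filter_jconf TEXT: copy jail.conf from stdin to stdout, skipping every
# allow.mount.<fstype> line whose name is missing from TEXT (logged to stderr).
filter_jconf() {
    known=$(kernel_params "$1")
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" |
            sed -n 's/^[[:space:]]*\(allow\.mount\.[a-z0-9_]*\)[[:space:]]*=.*/\1/p')
        if [ -n "$name" ] && ! printf '%s\n' "$known" | grep -qxF "$name"; then
            echo "skipping $name: not in security.jail.param" >&2
            continue
        fi
        printf '%s\n' "$line"
    done
}

# Demo on the pre-10.3 sample; on a real host pass "$(sysctl security.jail.param)".
printf '%s\n' "$SAMPLE_JCONF" | filter_jconf "$SYSCTL_OLD"
```

Skipped parameters are reported on stderr, so a jail that silently loses a mount permission still leaves a trace in the start log.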

@czkarex czkarex commented Oct 14, 2016

Error is in my custom kernel, with GENERIC kernel jails work... (modifications Xorg in jail) I use the modification by you (from ver. 10). Could you help me with it? Thanks, K.

Collaborator

@olevole olevole commented Oct 14, 2016

Now I understand why I could not reproduce it ) I stopped using xorg-in-jail some time ago, so the CBSD patch is not up to date (or not tested on FreeBSD 11.0-RELEASE). Which patch did you apply?

@czkarex czkarex commented Oct 14, 2016

I'm using some version of your patch (for FreeBSD ver. 10.1). It worked correctly up to releng/11.0 (before the update to 11.0-RELEASE-p1).

Collaborator

@olevole olevole commented Oct 15, 2016

I just updated and tested the patch for FreeBSD 11.0-RELEASE: 19b7214

If you build the kernel with the 'buildkernel' script, you need to change

apply_cbsd_patch=0
to
apply_cbsd_patch=1

in ~workdir/etc/scrup.conf
and run:

cbsd srcup

@olevole olevole closed this Oct 15, 2016
@czkarex czkarex commented Oct 15, 2016

Error was in my update script, patch 11 is OK, fbfs patch isn't compatible. My mistake, sorry. K
