vmadm issueshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues2017-10-16T12:59:54Zhttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/62vmadm stop needs to wait until the jail is stopped2017-10-16T12:59:54ZHeinz N. Giesvmadm stop needs to wait until the jail is stoppedjail -r will return immediately even so the jail might linger around for quite a while, this is bad as it gives the false impression it'd be stopped, we should do better.
see: https://lists.freebsd.org/pipermail/freebsd-jail/2017-March/...jail -r will return immediately even so the jail might linger around for quite a while, this is bad as it gives the false impression it'd be stopped, we should do better.
see: https://lists.freebsd.org/pipermail/freebsd-jail/2017-March/003360.html0.9.4https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/52improve uuid verification2017-10-02T20:50:46ZHeinz N. Giesimprove uuid verificationWhen passing a uuid that can't be decoded vmadm vomits all over the place in rather unhelpful ways.When passing a uuid that can't be decoded vmadm vomits all over the place in rather unhelpful ways.0.9.4Heinz N. GiesHeinz N. Gieshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/50How to deal with trust in the outer jail2017-10-11T18:59:52ZHeinz N. GiesHow to deal with trust in the outer jailWe need to decide how much we trust the outer jail. It seems somewhere in between the trusted host and the untrusted. In an ideal world where we control all datasets, it's not a problem as we will just not execute anything in the outer j...We need to decide how much we trust the outer jail. It seems somewhere in between the trusted host and the untrusted. In an ideal world where we control all datasets, it's not a problem as we will just not execute anything in the outer jail. However, the moment we do not trust the author of the dataset things become tricky.
Consider the following scenery: Since the outer zone uses a VNET interface it would be possible for a sneaky person to misconfigure the interfaces on the outer jail and end up with an IP address they should not have access to. That said the code is still all executed inside a jail.
There are a few possible ways to deal with this:
1. We declare the outer jail 'trustworthy' and put the burden of verification on the user. That kind of doesn't sit right with me.
2. We include an empty outer jail into the dataset, or remove everything but the `/jail` directory and populate it with trusted binaries on jail reation (my favourite)
3. We get completely rid of the outer jail and do some sneaky mounty thing into a custom outer jail every time we start (feels like a lot of work)
There is also the problem with how do we deal with a startup, SmartOS uses brand and sub-brand files to strictly define startups we might need to do the same. it's a proven concept so not the worst :tm: (see [1] and [2] provided by @cneira1)
[1] https://github.com/joyent/illumos-joyent/blob/master/usr/src/lib/brand/lx/zone/lx_boot.ksh
[2] https://github.com/joyent/illumos-joyent/blob/master/usr/src/lib/brand/lx/zone/lx_boot_zone_redhat.ksh0.9.4https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/46on startup, check if a start.sh scrip exists in the outer jail and if so run ...2017-09-30T20:27:25ZHeinz N. Gieson startup, check if a start.sh scrip exists in the outer jail and if so run thatcurrently, the way the inner jail is started is hardcoded it might be nice to allow datasets to have a `start.sh`-script that is run if it exists. This would make it potentially easier in a few scenarios, but some testing/evaluation has ...currently, the way the inner jail is started is hardcoded it might be nice to allow datasets to have a `start.sh`-script that is run if it exists. This would make it potentially easier in a few scenarios, but some testing/evaluation has to be done0.9.4https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/36update w/o restart2017-09-27T15:17:30ZHeinz N. Giesupdate w/o restartAllow updates that can be carried out without a restart to be executed that way.
* [ ] add a nice
* [ ] remove a nic
* [ ] conege the nic config
* [ ] quota
* [ ] resource controlAllow updates that can be carried out without a restart to be executed that way.
* [ ] add a nice
* [ ] remove a nic
* [ ] conege the nic config
* [ ] quota
* [ ] resource control0.9.4https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/68Wrong assumption that the pool is mounted as toplevel directory?2019-10-25T22:28:27ZPhil KrylovWrong assumption that the pool is mounted as toplevel directory?It seems as if not only `prep.sh` but the whole Rust code as well is written under the assumption that the pool of the dataset given as "pool" in vmadm configuration is mounted as a toplevel directory (e.g. `/zroot` if dataset is `zroot/...It seems as if not only `prep.sh` but the whole Rust code as well is written under the assumption that the pool of the dataset given as "pool" in vmadm configuration is mounted as a toplevel directory (e.g. `/zroot` if dataset is `zroot/jails`).
This is not always the case.
E.g., in my environment the dataset is `pool0/vmadm` and it is mounted at `/mnt/pool0/vmadm`.
So, I run `vmadm create` which reports `No such file or directory` and the following log entry:
```json
{"msg":"initializing jail",
"v":0,
"name":"slog-rs",
"level":20,
"time":"2019-10-26T00:57:54.783636619+03:00",
"hostname":"vmadm",
"pid":36096,
"req_id":"41cdf6c1-8de8-49b4-a687-9f8c31ff968a",
"vm":"3495a48d-f772-11e9-b82e-ac1f6b4cd5d6",
"dir":"/pool0/vmadm/3495a48d-f772-11e9-b82e-ac1f6b4cd5d6/root/config"}
```https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/67Is vmadm abandoned?2019-07-05T19:00:27ZRaphael AhrensIs vmadm abandoned?Since there are no commits in over a year I wanted to ask if this was abandoned.
GreetingsSince there are no commits in over a year I wanted to ask if this was abandoned.
Greetingshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/64FreeBSD linuxlator does not implement Netlink(7) nor /sys/class/net in linsysfs2020-01-06T20:25:09ZCarlos NeiraFreeBSD linuxlator does not implement Netlink(7) nor /sys/class/net in linsysfsThese are not issues with vmadm itself but reflect current limitations on FreeBSD.
Trying minecraft server in a lx-jail I found 2 issues in the linuxlator (this works ok on the lxbrand zone):
1. /sys/class/net was not implemented in...These are not issues with vmadm itself but reflect current limitations on FreeBSD.
Trying minecraft server in a lx-jail I found 2 issues in the linuxlator (this works ok on the lxbrand zone):
1. /sys/class/net was not implemented in linsysfs
2. Netlink (http://man7.org/linux/man-pages/man7/netlink.7.html) implementation is missing.
For /sys/class/net I already coded what was needed in linsysfs, I have already submited the code to the Freebsd emulation mailing list and dchagin@freebsd.org is doing a code review to move this in I hope.
For Netlink I just saw the lxbrand implementation from SmartOS and we need to leverage that code into the linuxlator.
Maybe minecraft is not the best example as you could run it natively on both platforms, but it's a good exercise for lxbrand and linuxlator.https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/63add a manpage2017-10-17T15:21:21ZHeinz N. Giesadd a manpageIt'd be nice to have a manpageIt'd be nice to have a manpagehttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/59better report for missing datasets2017-10-05T04:14:38ZHeinz N. Giesbetter report for missing datasetsgive a nicer error when the dataset isn't exisitnggive a nicer error when the dataset isn't exisitnghttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/55can we vaoid allow.raw_sockets2017-10-03T21:30:48ZHeinz N. Giescan we vaoid allow.raw_socketsCan we get around using raw sockets when we use the approach of having a vnet on the outside and a non vnet on the inside.
How is this exactly affecting security, can a inner jail spoof a ip despite the outer vnet having set the ip on t...Can we get around using raw sockets when we use the approach of having a vnet on the outside and a non vnet on the inside.
How is this exactly affecting security, can a inner jail spoof a ip despite the outer vnet having set the ip on the interface?https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/54allow.chflags for jails2017-10-03T20:47:13ZHeinz N. Giesallow.chflags for jailsThe manpage reads:
```
Normally, privileged users inside a jail are treated as
unprivileged by chflags(2). When this parameter is set,
such users are treated as privileged, ...The manpage reads:
```
Normally, privileged users inside a jail are treated as
unprivileged by chflags(2). When this parameter is set,
such users are treated as privileged, and may manipulate
system file flags subject to the usual constraints on
kern.securelevel.
```
It is not really clear what the security implecations of this are inside a jail.https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/53centos 7 does not use `/etc/rc.d/rc`2017-10-04T18:55:02ZHeinz N. Giescentos 7 does not use `/etc/rc.d/rc`well that suckswell that suckshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/38datatypes for more information2017-09-27T15:17:06ZHeinz N. Giesdatatypes for more informationThanks to JSON a lot of the data is stringly typed, it'd be a nice to have some real datratypes. Things that come to mind:
* MAC addresses
* IP Addresses & subnets,Thanks to JSON a lot of the data is stringly typed, it'd be a nice to have some real datratypes. Things that come to mind:
* MAC addresses
* IP Addresses & subnets,https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/37use path for files2017-09-27T15:17:16ZHeinz N. Giesuse path for filesCurrently, a lot of file operations are carried out with concatenating strings, that stinks and could need some love.
It's not a huge task and a good way to get familiar with the codebase so I'll add this as an easy task to start off,...Currently, a lot of file operations are carried out with concatenating strings, that stinks and could need some love.
It's not a huge task and a good way to get familiar with the codebase so I'll add this as an easy task to start off, if anyone feels like taking it on I'm happy to assist.https://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/32use library calls for netwokring2017-10-17T16:47:03ZHeinz N. Giesuse library calls for netwokringright now we're calling the ifconfig binary, using the library calls would be a much cleaner way to deal with this. The networking code is already encapsulated so this should not affect other partsright now we're calling the ifconfig binary, using the library calls would be a much cleaner way to deal with this. The networking code is already encapsulated so this should not affect other partshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/31use lib for rctl2017-09-27T19:25:58ZHeinz N. Giesuse lib for rctlright now we're calling the rctl binary, using the library calls would be a much cleaner way to deal with this.
This is a bit more tricky as rctl isn't nicely encapsulated at the moment so a 1st step would be to encapsulate this.
-...right now we're calling the rctl binary, using the library calls would be a much cleaner way to deal with this.
This is a bit more tricky as rctl isn't nicely encapsulated at the moment so a 1st step would be to encapsulate this.
- [ ] encapsulate rctl code
- [ ] use lib callshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/30use lib for jail commands2017-09-27T19:25:56ZHeinz N. Giesuse lib for jail commandsright now we're calling the jails/jls binary, using the library calls would be a much cleaner way to deal with this. The jail code is already encapsulated so this should not affect other partsright now we're calling the jails/jls binary, using the library calls would be a much cleaner way to deal with this. The jail code is already encapsulated so this should not affect other partshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/29use libzfs2017-09-27T15:22:36ZHeinz N. Giesuse libzfsright now we're calling the zfs binary, using libzfs would be a much cleaner way to deal with this. The zfs code is already encapsulated so this should not affect other partsright now we're calling the zfs binary, using libzfs would be a much cleaner way to deal with this. The zfs code is already encapsulated so this should not affect other partshttps://gitlab.com/Project-FiFo/FiFo/vmadm/-/issues/28beehyve support2017-09-27T19:25:52ZHeinz N. Giesbeehyve supportBeehyve support is a maybe but w/ the nested jails this has become feasible. It requires a lot of research so, help is welcome and will certainly expedite this.Beehyve support is a maybe but w/ the nested jails this has become feasible. It requires a lot of research so, help is welcome and will certainly expedite this.