Jails | Alexander Leidinger

IPv6 in my LAN

After enabling IPv6 in my WLAN router, I also enabled IPv6 in my FreeBSD systems. I have to tell that the IPv6 chapter in the FreeBSD handbook does not contain as much information as I would like to have about this.

Configuring the interfaces of my two 9‑current systems to also carry a specific IPv6 address (an easy one from the ULA I use) was easy after reading the man-page for rc.conf. After a little bit of experimenting it came down to:

ifconfig_rl0_ipv6=“inet6 ::2:1 prefixlen 64 accept_rtadv”
ipv6_defaultrouter=”<router address>”

Apart from this address (I chose it because the IPv4 address ends in “.2”, this way I can add some easy to remember addresses for this machine if needed), I also have two automatically configured addresses. One is with the same ULA and some not so easy to remember end (constructed from the MAC address), and one is from the official prefix the router constructed out of the official IPv4 address from the ISP (+ the same end than the other end).

Additionally I also have all my jails on this machine with an IPv6 address now (yes, they are like “…:2:100” with the :100 because the IPv4 address ends in “.100”). Still TODO is the conversion of all the services in the jails to also listen on the IPv6 address.

I already changed the config of my internal DNS to have the IPv6 addresses for all systems, listen on the IPv6 address (when I add an IPv6 network to allow-query/allow-query-cache/allow-recursion bind does not want to start). And as I was there, I also enabled the DNSSEC verification (but I get a lot of error messages in the logs: “unable to convert errno to isc_result: 42: Protocol not available”, one search result which talks exactly about this error tells it is a “cosmetic error”…).

I noticed that an IPv6 ping between two physical machines takes a little bit more time than an IPv4 ping (no IPsec enabled). It surprised me that this is such a noticeable difference (not within the std-dev at all):

— m87.Leidinger.net ping statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.168÷0.193÷0.220÷0.017 ms

— m87.Leidinger.net ping6 statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.207÷0.325÷0.370÷0.047 ms

The information I miss in the FreeBSD handbook in the IPv6 chapter is what those other IPv6 related services are and when/how to configure them. I have an idea now what this radvd is, but I am not sure what the interaction is with the accept_rtadv setting for ifconfig (and I do not think I need it, as my WLAN router seems to do it already). I know that I get the IPv6-friendly network neighborhood displayed with ndp(8). I did not have a look at enabling IPv6 multicast support in FreeBSD, and I do not know what those other IPv6 options for rc.conf do.

Share/Save

Stabilizing 7‑stable…

The 7‑stable system on which I have stability problems after an update from 7.1 to 7.2/7‑stable is now semi-stable.

The watchdog reboots after one minute of no reaction (currently it is able to run 3 – 4 hours), and the jails come up without problems now.

The problem with the jails was, that e.g. the mysql-server startup went into the STOP state because TTY-input was “requested”. I solved the problem by using /dev/null as input on jail-startup. On ‑current I do not see this behavior (I have a 9‑current system with a lot of jails which reboots every X days, and there mysql does not go into the STOP state).

I also start the jails in the background, so that one blocking jail does not block everything (done like in ‑current).

To say this with code:

--- /usr/src/etc/rc.d/jail      2009-02-07 15:04:35.000000000 +0100
+++ /etc/rc.d/jail      2009-12-16 17:03:12.000000000 +0100
@@ -556,7 +556,8 @@
 fi
 _tmp_jail=${_tmp_dir}/jail.$$
 eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
-                       \\"${_addrl}\\" ${_exec_start} > ${_tmp_jail} 2>&1
+                       \\"${_addrl}\\" ${_exec_start} > ${_tmp_jail} 2>&1 \\
+                       </dev/null

 if [ "$?" -eq 0 ] ; then
 _jail_id=$(head -1 ${_tmp_jail})
@@ -623,4 +624,4 @@
 if [ -n "$*" ]; then
 jail_list="$*"
 fi
-run_rc_command "${cmd}"
+run_rc_command "${cmd}" &

I also identified 57 patches for ZFS which are in 8‑stable, but not in 7‑stable (I do not think they could solve the deadlock, but I do not really know, and now that there is one FS on ZFS, I would like to get as much fixed as possible). Some of them should be merged, some would be nice to merge, and some I do not care much about (but if they are easy to merge, why not…). I already have all revisions and the corresponding commit logs available in an email-draft.

Now I just need to write a little bit of text and find some people willing to help (some of the changes need a review if they are applicable to 7‑stable, and everything should be tested on a scratch-box).

Share/Save

Tarsnap usage statistics

The more time passes with tarsnap, the more impressive it is.

Following is a list of all my privately used systems (2 machines which only host jails – here named Prison1 and Prison2 – and several jails – here named according to their functionality) together with some tarsnap statistics. For each backup tarsnap prints out some statistics. The amount of uncompressed storage space of all archives of this machine, the compressed storage space of all archives, the unique uncompressed storage space of all archives, the unique compressed storage space of all archives, and the same mount of info for the current archive. The unique storage space is after deduplication. The most interesting information is the unique and compressed one. For a specific archive it shows the amount of data which is different to all other archives, and for the total amount it tells how much storage space is used on the tarsnap server. I do not backup all data in tarsnap. I do a full backup on external storage (zfs snapshot + zfs send | zfs receive) once in a while and tarsnap is only for the stuff which could change daily or is very small (my mails belong to the first group, the config of applications or the system to the second group). At the end of the post there is also an overview of the money I have spend so far in tarsnap for the backups.

Attention: the following graphs are displaying small values in KB, while the text is telling about sizes in MB or even GB!

Prison1

The backup of one day covers 1.1 GB of uncompressed data, the subtrees I backup are /etc, /usr/local/etc, /home, /root, /var/db/pkg, /var/db/mergemaster.mtree, /space/jails/flavours and a subversion checkout of /usr/src (excluding the kernel compile directory; I backup this as I have local modifications to FreeBSD). If I want to have all days uncompressed on my harddisk, I would have to provide 10 GB of storage space. Compressed this comes down to 2.4 GB, unique uncompressed this is 853 MB, and unique compressed this is 243 MB. The following graph splits this up into all the backups I have as of this writting. I only show the unique values, as including the total values would make the unique values disappear in the graph (values too small).

In this graph we see that I have a constant rate of new data. I think this is mostly references to already stored data (/usr/src being the most likely cause of this, nothing changed in those directories).

Internal-DNS

One day covers 7 MB of uncompressed data, all archives take 56 MB uncompressed, unique and compressed this comes down to 1.3 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/named, and /var/db/mergemaster.mtree.

This graph is strange. I have no idea why there is so much data for the second and the last day. Nothing changed.

Outgoing-Postfix

One day covers 8 MB of uncompressed data, all archives take 62 MB uncompressed, unique and compressed this comes down to 1.5 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/spool/postfix, and /var/db/mergemaster.mtree.

This looks not bad. I was sending a lot of mails on the 25^th. And the days in the middle I was not sending much.

IMAP

One day covers about 900 MB of uncompressed data, all archives take 7.2 GB uncompressed, unique and compressed this comes down to 526 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /home (mail folders) and /usr/local/share/courier-imap.

Obviously I have a not so small amount of change in my mailbox. As my spamfilter is working nicely this is directly correlated to mails from various mailinglists (mostly FreeBSD).

MySQL (for the Horde webmail interface)

One day covers 100 MB of uncompressed data, all archives take 801 MB uncompressed, unique and compressed this comes down to 19 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mysql and /var/db/mergemaster.mtree.

This is correlated with the use of my webmail interface, and as such is also correlated with the amount of mails I get and send. Obviously I did not use my webmail interface at the weekend (as the backup covers the change of the previous day).

Webmail

One day covers 121 MB of uncompressed data, all archives take 973 MB uncompressed, unique and compressed this comes down to 33 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /usr/local/www/horde and /home.

This one is strange again. Nothing in the data changed.

Samba

One day covers 10 MB of uncompressed data, all archives take 72 MB uncompressed, unique and compressed this comes down to 1.9 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree and /var/db/samba.

Here we see the changes to /var/db/samba, this should be mostly my Wii accessing multimedia files there.

Proxy

One day covers 31 MB of uncompressed data, all archives take 223 MB uncompressed, unique and compressed this comes down to 6.6 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg and /var/db/mergemaster.mtree.

This is also a strange graph. Again, nothing changed there (the cache directory is not in the backup).

phpMyAdmin

One day covers 44 MB of uncompressed data, all archives take 310 uncompressed, unique and compressed this comes down to 11 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /home and /usr/local/www/phpMyAdmin.

And again a strange graph. No changes in the FS.

Gallery

One day covers 120 MB of uncompressed data, all archives take 845 MB uncompressed, unique and compressed this comes down to 25 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /usr/local/www/gallery2 and /home/gallery (excluding some parts of /home/gallery).

This one is OK. Friends and Family accessing the pictures.

Prison2

One day covers 7 MB of uncompressed data, all archives take 28 MB uncompressed, unique and compressed this comes down to 1.3 MB. This covers /etc, /usr/local/etc, /root, /var/db/pkg, /var/db/mergemaster.mtree, /space/jails/flavours and /home.

This one looks strange to me again. Same reasons as with the previous graphs.

Incoming-Postfix

One day covers 56 MB of uncompressed data, all archives take 225 MB uncompressed, unique and compressed this comes down to 5.4 MB. This covers /etc, /usr/local/etc, /usr/local/www/postfixadmin, /root/, /var/db/pkg, /var/db/mysql, /var/spool/postfix and /var/db/mergemaster.mtree.

This graph looks OK to me.

Blog-and-XMPP

One day covers 59 MB of uncompressed data, all archives take 478 MB uncompressed, unique and compressed this comes down to 14 MB. This covers /etc, /usr/local/etc, /root, /home, /var/db/pkg, /var/db/mergemaster.mtree, /var/db/mysql and /var/spool/ejabberd (yes, no backup of the web-data, I have it in another jail, no need to backup it again).

With the MySQL and XMPP databases in the backup, I do not think this graph is wrong.

Totals

The total amount of stored data per system is:

Costs

Since I use tarsnap (8 days), I have spend 38 cents, most of this is bandwidth cost for the transfer of the initial backup (29.21 cents). According to the graphs, I am currently at about 8 – 14 cents per week (or about half a dollar per month) for my backups (I still have a machine to add, and this may increase the amount in a similar way than the Prison1 system with 2 – 3 jails). The amount of money spend in US-cents (rounded!) per day is:

Share/Save

We got ZFS!

ZFS is there. Great! Thanks Pawel!

Now I wait a little bit until the first bugs are ironed out, and then I move all my stuff to it. The nice part: when you have 2 machines and everything you use is jailed, you just can do this without an “interruption of service” (or at least only with a very small one). Just move the jails to the other machine, replace the old FS with ZFS, and then move all jails back.

Share/Save

A desktop environment in a jail.

Yeah! Finally I got time to finish my work to put a desktop environment (in this case GNOME) into a jail. At least I have a proof of concept (I write this with firefox running in my “deskjail”). No, I don’t do this for additional security (there’s more security than in a non-jailed setup, but less security than in an ordinary jail, as you have to allow access to a lot more devices than in an ordinary jail), I do this for additional flexibility: Moving my desktop is now only the install of FreeBSD on a new machine and rsyncing the jail over to it. As the machine will also be a host of several jails where I have some common users with the same UID in each jail, I don’t pollute the jail-host with the desktop stuff and I have everything nicely separated.

Without a kernel patch and good devfs rules you will not get Xorg up and running in a jail (at least I didn’t managed to let it recognize my graphic card without the kernel patch). Now I have to beef up the patch a little bit and ask for review (it weakens up the security a little bit like the sysctl security.jail.sysvipc_allowed=1 or security.jail.allow_raw_sockets=1).

But first I have to finish the move of all my services I use at home to the jail-host now.

Share/Save

Prison1

Internal-DNS

Outgoing-Postfix

IMAP

MySQL (for the Horde web­mail interface)

Web­mail

Sam­ba

Proxy

php­MyAd­min

Gallery

Prison2

Incoming-Postfix

Blog-and-XMPP

Totals

Costs

MySQL (for the Horde webmail interface)

Webmail

Samba

phpMyAdmin