Christer Edwards | 1 Nov 2008 16:52

dhcpd possible within jail?

I recently set up a few jails for internal network services (sshd, bind,
dhcpd, etc.)  The only issue I have so far is that dhcpd doesn't seem to
work within the jail env.  It appears to start properly, and the process
shows in top, but no leases are ever given out.

I have the following in my jail /etc/rc.conf:

## dhcpd options
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="hme0"
dhcpd_withumask="022"

dhcpd_chuser_enable="YES"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chroot_enable="NO"
dhcpd_devfs_enable="NO"
#dhcpd_makedev_enable="YES"
dhcpd_rootdir="/var/db/dhcpd"
dhcpd_includedir=""
#dhcpd_jail_enable="YES"
dhcpd_hostname="hostname.domain.tld"
dhcpd_ipaddress="192.168.0.13"

I have also allowed raw_sockets from the host (unless there is another
way to accomplish this).

If anyone can tell me what I'm missing, or if it's simply a jail

Bjoern A. Zeeb | 1 Nov 2008 21:13

Re: dhcpd possible within jail?

On Sat, 1 Nov 2008, Christer Edwards wrote:

> I recently set up a few jails for internal network services (sshd, bind,
> dhcpd, etc.)  The only issue I have so far is that dhcpd doesn't seem to
> work within the jail env.  It appears to start properly, and the process
> shows in top, but no leases are ever given out.
[ ...]
> I have also allowed raw_sockets from the host (unless there is another
> way to accomplish this).
>
> If anyone can tell me what I'm missing, or if its simply a jail
> limitation I'd appreciate it.

dhcpd imho needs bpf, so you would have to expose /dev/bpf* to that
jail and perhaps also /dev/net* things.

try adding something like this to your /etc/devfs.rules

[devfsrules_jail_dhcp=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
add path net unhide
add path 'net/*' unhide

The number is the first free one that is not in your
/etc/defaults/devfs.rules and /etc/devfs.rules.

That done, change the /etc/rc.conf line for that jail to
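As an added example that is not part of the thread: a POSIX shell script that does what the reply above describes in prose. It scans devfs.rules(5) files for `[name=N]` headers, picks the first number not yet in use, and renders the bpf/net ruleset from the reply with that number. The file names and stanza contents in the demo are constructed stand-ins modelled on the stock rulesets 1 to 4, not copies of any real system's files.

```shell
#!/bin/sh
# Added example, not from the thread. Pick the first devfs ruleset number
# that no "[name=N]" header in the given devfs.rules(5) files already uses,
# then render the bpf/net ruleset suggested in the reply with that number.

# Print the first integer >= 1 that is not used as a ruleset number in any
# of the files passed as arguments (missing files are silently ignored).
first_free_devfs_ruleset() {
    used=$(cat "$@" 2>/dev/null \
        | sed -n 's/^[[:space:]]*\[[A-Za-z0-9_]*=\([0-9][0-9]*\)].*/\1/p' \
        | sort -n | uniq)
    n=1
    for u in $used; do
        if [ "$u" -gt "$n" ]; then
            break                 # gap found: n is free
        elif [ "$u" -eq "$n" ]; then
            n=$((n + 1))          # n is taken, try the next one
        fi
    done
    echo "$n"
}

# Render the ruleset from the reply, parameterised by its number ($1).
# The hide_all include comes first so the jail starts from an empty /dev
# and only the listed nodes are unhidden on top of it.
render_dhcp_ruleset() {
    cat <<EOF
[devfsrules_jail_dhcp=$1]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path 'bpf*' unhide
add path net unhide
add path 'net/*' unhide
EOF
}

# Demo on constructed files: a stand-in for /etc/defaults/devfs.rules with
# rulesets 1-4, plus a local file that already takes number 7.
demo_first_free() {
    dir=$(mktemp -d)
    cat > "$dir/defaults.rules" <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide

[devfsrules_unhide_login=3]
add path ptyp* unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
EOF
    cat > "$dir/local.rules" <<'EOF'
[devfsrules_somethingelse=7]
add path 'da*' unhide
EOF
    first_free_devfs_ruleset "$dir/defaults.rules" "$dir/local.rules"
    rm -rf "$dir"
}

n=$(demo_first_free)
echo "first free ruleset number: $n"   # 5 for the constructed files
render_dhcp_ruleset "$n"
```

On a real system the call is `first_free_devfs_ruleset /etc/defaults/devfs.rules /etc/devfs.rules`, and the rendered stanza is appended to /etc/devfs.rules; the per-jail rc.d/jail knobs `jail_<name>_devfs_enable` and `jail_<name>_devfs_ruleset` then select it for that jail's /dev. Keeping the `hide_all` include first is what preserves the reduced device view: a ruleset made only of `unhide` lines would leave every other device node visible inside the jail.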

Christer Edwards | 2 Nov 2008 00:18

Re: dhcpd possible within jail?

On Sat, Nov 01, 2008 at 08:13:46PM +0000, Bjoern A. Zeeb wrote:
> try adding something like this to your /etc/devfs.rules
> 
> [devfsrules_jail_dhcp=5]
> add include $devfsrules_hide_all
> add include $devfsrules_unhide_basic
> add include $devfsrules_unhide_login
> add path 'bpf*' unhide
> add path net unhide
> add path 'net/*' unhide

I've added the above lines and the devices now are listed in
/usr/jail/jailname/dev/.  I get the same output in the logs with or
without the devfs changes.

Nov  1 17:07:40 molly dhcpd: Wrote 0 deleted host decls to leases file.
Nov  1 17:07:40 molly dhcpd: Wrote 0 new dynamic host decls to leases
file.
Nov  1 17:07:40 molly dhcpd: Wrote 0 leases to leases file.

the dhcpd.leases file is updated when the daemon is restarted but,
again, asking another client to request an address goes ignored.

I'm beginning to wonder if it's related to my network configuration
rather than my jail configuration.

DSL modem > netgear wireless AP/switch (dhcp disabled) > netgear 
gigabit switch > clients.

> imho, you do not need to allow raw sockets.

FreeBSD bugmaster | 3 Nov 2008 12:06

freebsd-jail@...

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while 
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID  to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with 

12 problems total.

Matheus Cucoloto | 6 Nov 2008 12:13

Re: Successful patch on several hosts with RELENG_7

Hi, Lorenzo.

I tried to apply this patch, but I had no success.

That is the message I got:

(On make buildkernel KERNCONF=GENERIC)
-----------------------------------------------
cc -c -O -pipe  -std=c99 -g -Wall -Wredundant-decls -Wnested-externs
-Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Winline
-Wcast-qual  -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc
-I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL
-DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
-finline-limit=8000 --param inline-unit-growth=100 --param
large-function-growth=1000  -mno-align-long-strings
-mpreferred-stack-boundary=2  -mno-mmx -mno-3dnow -mno-sse -mno-sse2
-mno-sse3 -ffreestanding -Werror  /usr/src/sys/netinet/raw_ip.c
cc1: warnings being treated as errors
/usr/src/sys/netinet/raw_ip.c: In function 'rip_bind':
/usr/src/sys/netinet/raw_ip.c:785: warning: implicit declaration of
function 'jailed_ip4'
/usr/src/sys/netinet/raw_ip.c:785: warning: nested extern declaration
of 'jailed_ip4'
*** Error code 1

Stop in /usr/obj/usr/src/sys/GENERIC.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Bjoern A. Zeeb | 6 Nov 2008 12:44

Re: Successful patch on several hosts with RELENG_7

On Thu, 6 Nov 2008, Matheus Cucoloto wrote:

Hi,

> I tried to apply this patch, but i had no success.
>
> That is the message I got:
...
>
> Any hint?

http://lists.freebsd.org/pipermail/freebsd-jail/2008-October/000577.html

So the reason there is no 7 patch is that Robert and I finally found a
solution for one of the problems that came up during the review and I
still need to implement it. My plan was to do so later today...

There will be a new set of patches soon (famous last words;)

/bz

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

multi-ip jails on 7.1-BETA2

Hi list,

I've just setup a 7.1-BETA2 server with Bjoern Zeeb's patch [1], 
following the instructions described in [2].

It all went well, patch applied ok, userland tools, kernel and world 
built successfully.  However, the new jail utility doesn't accept 
multiple IPs on the command line:

server% jail
usage: jail [-i] [-J jid_file] [-s securelevel] \
   [-l -u username | -U username] path hostname ip-number command ...

Using the same patch and setup instructions I can get a working multi-ip 
jail setup using 7.1-PRERELEASE-200809 snapshot.

Does the said patch not work with the beta?  As Bjoern indicated in an 
earlier mail to the list, "There will be a new set of patches soon". 
Will they work with the beta and final 7.1 releases?

Many thanks.

[1] - http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
[2] - http://www.mail-archive.com/freebsd-jail-h+KGxgPPiopAfugRpC6u6w <at> public.gmane.org/msg00459.html

-- 
Dez

Bjoern A. Zeeb | 7 Nov 2008 21:31

Re: multi-ip jails on 7.1-BETA2

On Fri, 7 Nov 2008, dez@... wrote:

> server% jail
> usage: jail [-i] [-J jid_file] [-s securelevel] \
>  [-l -u username | -U username] path hostname ip-number command ...

that's not a patched userland (this jail binary is old and was not
updated). Did you also rebuild userland or only the kernel?

/bz

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

FreeBSD bugmaster | 10 Nov 2008 12:06

freebsd-jail@...

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/126368  jail       [jail] Running ktrace/kdump in jail leads to stale jai
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while 
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID  to specif
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with 

12 problems total.

Vicks Desmond | 10 Nov 2008 17:58

Re: multi-ip jails on 7.1-BETA2

Bjoern A. Zeeb wrote:
> On Fri, 7 Nov 2008, dez@... wrote:
> 
>> server% jail
>> usage: jail [-i] [-J jid_file] [-s securelevel] \
>>  [-l -u username | -U username] path hostname ip-number command ...
> 
> that's not a patched userland (this jail binary is old and was not
> updated). Did you also rebuild userland or only the kernel?

Thanks for your reply.  Having checked everything again I found that I 
was using patch(1) with -C argument (ie, check, but don't do), which 
explains why the userland wasn't updated.  Now things are working as 
expected and I'm a proud owner of a multi-ip jail :)

Sorry for the noise and note to self - don't blindly copy and paste 
commands, especially ones that I think I understand.

Cheers,
-- 
Dez
