From: doug@safeport.com
To: Bernt Hansson
Cc: freebsd-questions@freebsd.org
Date: Wed, 20 Feb 2013 18:43:55 -0500 (EST)
Subject: Re: jail and networking
In-Reply-To: <512554C6.3070306@bananmonarki.se>

On Wed, 20 Feb 2013, Bernt Hansson wrote:

> 2013-02-20 22:17, doug wrote:
>>
>> On Wed, 20 Feb 2013, Jeff Tipton wrote:
>>
>>> On 02/20/2013 20:59, Teske, Devin wrote:
>>>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>>>>
>>>>> On 2013-02-20 19:07, Jeff Tipton wrote:
>>>>>> On 02/20/2013 19:42, Bernt Hansson wrote:
>>>>>>> On 2013-02-20 17:23, Teske, Devin wrote:
>>>>>>>> On Wed, 20 Feb 2013, Bernt Hansson wrote:
>>>>>>>>
>>>>>>>>> Hello list!
>>>>>>>>>
>>>>>>>>> I don't seem to get net working in a test jail.
>>>>>>>>>
>>>>>>>>> These I've tried:
>>>>>>>>>
>>>>>>>>> ftp, fetch, telnet
>>>>>>>>>
>>>>>>>>> They time out.
>>>>>>>>>
>>>>>>>>> Ssh sort of works.
>>>>>>>>>
>>>>>>>>> 32bit# ssh 10.0.0.3
>>>>>>>>> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
>>>>>>>>> Host key verification failed.
>>>>>>>>>
>>>>>>>>> jail is 8.3-STABLE i386 GENERIC
>>>>>>>>>
>>>>>>>>> host is FreeBSD 8.3-STABLE amd64 GENERIC
>>>>>>>>>
>>>>>>>>> I'm sure you want more info so just tell me what info.
>>>>>>>>
>>>>>>>> Commonly the problem is that you are "jexec'd" into the jail and I
>>>>>>>> find that tools like ssh, ftp, telnet, etc. don't work when you're in
>>>>>>>> the jail via "jexec", but instead what works way better is if you ssh
>>>>>>>> into the jail (via the jail'd ssh process of course).
>>>>>>>>
>>>>>>>> Does that seem to be the case in your situation?
>>>>>>>
>>>>>>> If you mean this
>>>>>>>
>>>>>>> sshd IsJ 0:00,00 /usr/sbin/sshd
>>>>>>>
>>>>>>> Then no.
>>>>>>>
>>>>>>> %ssh 10.0.0.10
>>>>>>> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>>>>>>>
>>>>>>> I did have an alias on the host to the jail's IP.
>>>>>>> Tried to restart the jail; it went fine, but now I can't jexec in to
>>>>>>> the jail.
>>>>>>>
>>>>>>> testbox# jexec 1 tcsh
>>>>>>> jexec: jail_attach(1): Invalid argument
>>>>>>>
>>>>>>> Sooo... I'm kind of out of ideas.
>>>>>>
>>>>>> What does the "jls" command say? If you have restarted your jail, its ID
>>>>>> most likely has changed.
>>>>>
>>>>> The ID did change, didn't know about that, thank you.
>>>>>
>>>>> But still, sshd isn't running in the jail
>>>>>
>>>>> 32bit# ps ax
>>>>>  PID  TT  STAT     TIME COMMAND
>>>>> 2385  ??  IsJ   0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>>>>> 2391  ??  SsJ   0:00,00 /usr/sbin/cron -s
>>>>> 2464   0  SJ    0:00,01 tcsh
>>>>> 2482   0  R+J   0:00,00 ps ax
>>>>>
>>>>> testbox# ps ax | grep J
>>>>> 2385  ??  IsJ   0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
>>>>> 2391  ??  SsJ   0:00,00 /usr/sbin/cron -s
>>>>> 2488   0  S+    0:00,00 grep J
>>>>>
>>>>> testbox is the host.
>
>> Or from the host: sockstat | grep :22. You should see something like
>>
>> root sshd 2016 3 tcp4 192.168.17.15:22 *:*
>>
>> for each jail
>
> testbox# sockstat | grep :22
>
> bernt sshd 3541 3 tcp4 10.0.0.3:22 80.x.x.x:25605
> root  sshd 3539 3 tcp4 10.0.0.3:22 80.x.x.x:25605
> root  sshd 1296 3 tcp6 *:22        *:*
> root  sshd 1296 4 tcp4 *:22        *:*
>
> The jail has IP 10.0.0.10. There is only one jail.
>

I could not see anything you are doing wrong, so here are the relevant parts
of a host/jail we use for testing. I got all this by following the jail man
page and/or hacking things that are working. I hope this helps. This is all
on an 8.2 system.

Host config rc.conf
---------------------
hostname="bcr.boltsys.com"
ifconfig_em0="DHCP"
sshd_enable="YES"
  :
#jail base settings
inetd_flags="-wW -a 10.1.10.110"
rpcbind_enable="NO"

# Jail general settings
ifconfig_em0_alias0="inet 10.1.10.111 netmask 255.255.255.255"
jail_set_hostname_allow="NO"
jail_enable="YES"
jail_interface="em0"
jail_devfs_enable="YES"
jail_procfs_enable="YES"
jail_list="webmail"
jail_webmail_rootdir="/usr/home/webmail"
jail_webmail_hostname="webmail.boltsys.com"
jail_webmail_ip="10.1.10.111"

ifconfig (host)
----------------
inet 10.1.10.111 netmask 0xffffffff broadcast 10.1.10.111
inet 10.1.10.110 netmask 0xffffff00 broadcast 10.1.10.255

Jail config rc.conf
---------------------
network_interfaces=""
hostname="webmail.boltsys.com"
sshd_enable="YES"
sendmail_enable="NO"
sendmail_outbound_enable="YES"
inetd_flags="-wW -a 10.1.10.111"
inetd_enable="NO"
rpcbind_enable="NO"

_____
Douglas Denault
http://www.safeport.com
doug@safeport.com
Voice: 301-217-9220
Fax: 301-217-9277
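An added diagnostic that is not part of the thread: the `sockstat | grep :22` check suggested above lists the host's listeners, and the `-a <address>` in both `inetd_flags` lines pins a daemon to one address for a reason. A host daemon bound to the wildcard address `*` answers on every address the host holds, including a jail's alias, so a connection aimed at the jail IP can land on the host's service unless the jail runs its own daemon on that address (a socket bound to the specific address takes precedence over the wildcard one). The POSIX shell script below is my own, uses a constructed `sockstat`-style sample rather than output from this thread, and flags wildcard listeners, then reports for a given jail IP which ports the jail serves itself and which would fall through to the host. The function names, PIDs and addresses are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit sockstat-style output for host
# daemons that listen on the wildcard address and so also answer on jail IPs.
#
# Constructed sample in the column layout of `sockstat -4l`:
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
# PIDs and addresses are made up; only the format follows the thread.
SAMPLE_SOCKSTAT='root   sshd    1296 4 tcp4 *:22             *:*
root   sshd    3539 3 tcp4 10.0.0.3:22      80.0.0.1:25605
root   inetd   1200 5 tcp4 10.1.10.110:25   *:*
root   sshd    4100 3 tcp4 10.1.10.111:22   *:*
root   rpcbind 1150 6 udp4 *:111            *:*'

# Listening sockets (foreign side "*:*") whose local address is the wildcard.
# Prints one "COMMAND PID LOCAL" line per such socket.
wildcard_listeners() {
    printf '%s\n' "$1" |
        awk '$7 == "*:*" && $6 ~ /^\*:/ { print $2, $3, $6 }'
}

# Listening sockets pinned to one address; these never answer on a jail alias.
bound_listeners() {
    printf '%s\n' "$1" |
        awk '$7 == "*:*" && $6 !~ /^\*:/ { print $2, $3, $6 }'
}

# Exit 0 if some process listens on exactly IP:PORT (e.g. the jail's own sshd).
# Usage: has_listener "$sockstat_text" 10.1.10.111 22
has_listener() {
    printf '%s\n' "$1" |
        awk -v want="$2:$3" '$7 == "*:*" && $6 == want { found = 1 }
                              END { exit (found ? 0 : 1) }'
}

# Report for one jail IP: every wildcard port is either served inside the jail
# (the specific bind shadows the host's wildcard bind) or falls through to the
# host daemon, which is the case worth a warning.
# Usage: check_jail_ip "$sockstat_text" 10.1.10.111
check_jail_ip() {
    wildcard_listeners "$1" | while read -r cmd pid laddr; do
        port=${laddr##*:}
        if has_listener "$1" "$2" "$port"; then
            echo "ok:   $2:$port served inside the jail (host $cmd pid $pid on $laddr shadowed)"
        else
            echo "WARN: $2:$port falls through to host $cmd pid $pid ($laddr)"
        fi
    done
}

# Stand-alone run over the constructed sample.
check_jail_ip "$SAMPLE_SOCKSTAT" 10.1.10.111
```

On a live host replace the sample with `sockstat -4l` output (`sockstat -46l` to include IPv6) and pass each `jail_<name>_ip`; any `WARN` line names a host service that should either be bound to the host's own address, as the `-a` flags above do, or be matched by a daemon inside the jail.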