Date:      Tue, 10 Oct 2017 21:10:37 +0000
From:      Oleg Ginzburg <olevole@olevole.ru>
To:        Kristof Provost <kristof@sigsegv.be>, FreeBSD Current <freebsd-current@freebsd.org>
Cc:        Goran Mekić <meka@tilda.center>, freebsd-jail@freebsd.org
Subject:   Re: VNET jail and dhclient
Message-ID:  <CAMsb%2BmaactJTDcK=j%2BawqkXB6YitQ_dQTp9vvs=a%2BTFjrQTA7w@mail.gmail.com>
In-Reply-To: <6D37D4AC-9DF4-4D55-8614-43CFC6BDD45E@sigsegv.be>
References:  <20171009072547.jauim6tlfennydf5@hal9000.meka.no-ip.org> <6D37D4AC-9DF4-4D55-8614-43CFC6BDD45E@sigsegv.be>

Hello!

On Tue, Oct 10, 2017 at 8:24 PM, Kristof Provost <kristof@sigsegv.be> wrote:

> On 9 Oct 2017, at 9:25, Goran Mekić wrote:
> > Hello,
> >
> > TLDR: I can set up static IP or use dhcpcd to get address, but not
> > dhclient.
> >
> > Let me elaborate. I run 12-CURRENT on my laptop and use CBSD as jail
> > manager (I don't think it matters).
> >
> What version of CURRENT are you using?
>
> > # dhclient eth0
> > chroot
> > exiting.
> >
> > This is what I found with truss:
> > https://gist.github.com/anonymous/36a4e2bf1760198971934ff609a7d0de#file-gistfile1-txt-L227-L228.
> > Selected lines are what I think is the problem. Offending line in the code is
> > probably https://svnweb.freebsd.org/base/head/sbin/dhclient/dhclient.c?revision=317915&view=markup#l507.
> > With that assumption, Oleg, CBSD author, noticed that the following "patch" works:
> >
> Is there any chance you don’t have /var/empty in your jail?
>
> I do this to create a simple vnet jail:
> sudo jail -c name=alcatraz persist vnet vnet.interface=epair0b
> (in the jail) dhclient epair0b
>
> And see:
> …
> fsync(0x9)                                       = 0 (0x0)
> close(8)                                         = 0 (0x0)
> socket(PF_ROUTE,SOCK_RAW,0)                      = 8 (0x8)
> shutdown(8,SHUT_WR)                              = 0 (0x0)
> cap_rights_limit(8,{ CAP_READ,CAP_EVENT })       = 0 (0x0)
> chroot("/var/empty")                             = 0 (0x0)
> chdir("/")                                       = 0 (0x0)
> setgroups(0x1,0x800e2c1e4)                       = 0 (0x0)
> …
>
> I also see the DHCP request packets on the other end of the epair
> interface.
>
> Regards,
> Kristof
>


What is your FreeBSD version? This problem is reproduced on FreeBSD 12 only.
/var/empty exists, and a trivial test:

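#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>	/* chroot() */

int main(void)
{
	/* Prints 0 if chroot() succeeds, -1 on failure (must run as root) */
	printf("%d\n", chroot("/var/empty"));
	return 0;
}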

works successfully.

I think I found something, but I do not understand why this is only
observed in jail and with commit change this.
The problem about which Goran wrote can be fixed with:

# diff -ruN dhclient.c-orig dhclient.c
--- dhclient.c-orig     2017-10-10 23:51:52.451361000 +0000
+++ dhclient.c  2017-10-10 23:54:55.803404000 +0000
@@ -479,6 +479,7 @@

        fork_privchld(pipe_fd[0], pipe_fd[1]);

+       pidfile_close(pidfile);
        close(ifi->ufdesc);
        ifi->ufdesc =3D -1;
        close(ifi->wfdesc);
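
Review bot: the return value of the added pidfile_close(pidfile) after fork_privchld() is ignored, and the pidfile pointer is left dangling afterwards. pidfile_close() frees the handle, so set pidfile = NULL right after the call and make sure the pidfile_remove at exit that this message mentions is not reached with the stale pointer in this process. A short comment stating that the descriptor has to be closed before the later chroot() would also help, since the hunk gives no reason for the call.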




From pidfile(3) man page:

    The pidfile_close() function closes a pidfile.  It should be used after
     daemon fork()s to start a child process.


chroot(2) in dhclient returns NOPERM (via global errno). It seems to be
related to an open descriptor outside the chroot.

I'm not sure if this is an fd leak (due to pidfile_remove at the end of
dhclient); nevertheless, closing the pid fd in my jail/FreeBSD12 before chroot
solves the dhclient issue.
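
An added example, not part of the original message and not dhclient code: a pre-chroot check that scans for open directory descriptors and reports them instead of letting chroot() fail with a bare EPERM. It assumes, from FreeBSD's chroot(2) manual rather than from this thread, that the kernel refuses chroot() when an already-chrooted (for example jailed) process holds an open directory; `count_open_dir_fds` and `checked_chroot` are hypothetical names.

```c
#define _DEFAULT_SOURCE		/* glibc: declare chroot(); harmless on FreeBSD */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper, not dhclient code: count descriptors in [0, maxfd)
 * that refer to directories. Assumption from FreeBSD chroot(2): EPERM is
 * returned when directories are open and the caller is already chrooted.
 */
int count_open_dir_fds(int maxfd, int verbose)
{
	struct stat sb;
	int n = 0;

	for (int fd = 0; fd < maxfd; fd++) {
		if (fstat(fd, &sb) == -1 || !S_ISDIR(sb.st_mode))
			continue;		/* unused slot or not a directory */
		n++;
		if (verbose)
			fprintf(stderr, "fd %d is an open directory\n", fd);
	}
	return n;
}

/* Hypothetical wrapper: refuse to chroot while a directory fd is held. */
int checked_chroot(const char *dir)
{
	long maxfd = sysconf(_SC_OPEN_MAX);
	if (maxfd < 0 || maxfd > 65536)
		maxfd = 65536;			/* bound the scan */
	if (count_open_dir_fds((int)maxfd, 1) > 0) {
		errno = EPERM;			/* same errno the kernel check reports */
		return -1;
	}
	if (chroot(dir) == -1 || chdir("/") == -1)
		return -1;
	return 0;
}

int main(void)
{
	int d = open("/", O_RDONLY);	/* constructed stand-in for a leaked directory fd */
	if (checked_chroot("/var/empty") == -1)
		perror("chroot with directory fd held");
	close(d);
	return 0;
}
```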


