Date: Thu, 15 Nov 2012 08:54:10 -0700
From: Jamie Gritton <jamie@FreeBSD.org>
To: freebsd-jail@FreeBSD.org
Cc: Beeblebrox <zaphod@berentweb.com>
Subject: Recent jail problems [was: ICMP RAW socket error]
Message-ID: <50A51022.5000801@FreeBSD.org>
In-Reply-To: <1352457514352-5759501.post@n5.nabble.com>
References: <1352457514352-5759501.post@n5.nabble.com>
On 11/09/12 03:38, Beeblebrox wrote:
> My jail used to work fine but it seems a recent update broke some things. My
> kernel/world has INET6 disabled and there are already 2 threads re the error
> that setting causes with jails. Now this error - is it a bug or am I missing
> something?
>
> My /etc/sysctl.conf has
> security.jail.allow_raw_sockets=1
> I even confirm it separately before starting the jail:
> # sysctl security.jail.allow_raw_sockets
>
> * I start the jail but isc-dhcpd cannot start: unable to create icmp socket:
> Operation not permitted
> * I cannot ping from the jail: ping: socket: Operation not permitted
> * This error also, but inetd starts: inetd[50866]: madvise() failed:
> Operation not permitted
>
> No point in setting up a dhcp debug log, the error is in the network
> setting.
> /etc/devfs.rules has: add path net unhide, add path 'net/*' unhide
> My system is not exposed to the outside so it does not have pf / nat running
> on it.

It is indeed a bug, same as bin/173469, except with allow_raw_sockets
instead of sysvipc_allowed. With the recent change to rc.d/jail, the jail
permission sysctls are no longer used in starting up jails. You can get
past it for now by setting jail_xxx_parameters="allow.raw_sockets" in your
rc.conf. But that's a hack fix, and we need something better before any of
this goes out to release.

Here's the problem: I had planned to deprecate those global sysctls in favor
of per-jail parameters, and only "old style" usage of the jail command paid
attention to them so existing setups would work. But I didn't explicitly say
that anywhere, leaving that as part of the new config file based setup. But
the recent patch to allow arbitrary parameters in rc.d/jail necessitated a
switch to the new jail command line.

I think the jail_xxx_parameters patch needs to go, or at least rc.d/jail
needs to be a bit more complex, and run the old command line when a jail
doesn't have any "_parameters". That way the old semantics will be preserved
for existing users.

- Jamie
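As an added illustration of the fix Jamie sketches above (this is not code from the thread or from FreeBSD's own /etc/rc.d/jail), the following hypothetical sh helper builds the jail(8) command line per jail: the old-style positional form when a jail has no jail_<name>_parameters, so the global security.jail.* sysctls still apply, and the new-style "jail -c" form when it does. It also audits which permissions a new-style jail would silently lose, since the kernel ignores the global sysctls for jails created that way. The rc.conf variable names (jail_<name>_rootdir, _hostname, _ip, _exec_start) follow rc.d/jail conventions of the time, jail_<name>_parameters is the variable the patch under discussion introduced, the sysctl-to-parameter map covers only the two sysctls named in the thread, the two sample jails and sysctl.conf values are constructed, and jail names are assumed to be valid sh identifiers.

```shell
#!/bin/sh
# Added example, not FreeBSD's /etc/rc.d/jail: a hypothetical helper that
# decides, per jail, between the old-style and new-style jail(8) command
# lines, and audits which deprecated global sysctls a new-style jail would
# silently lose. rc.conf variable names follow rc.d/jail of the time
# (jail_<name>_rootdir/_hostname/_ip/_exec_start, plus the then-new
# jail_<name>_parameters). Jail names are assumed to be valid sh identifiers.

# Print the value of jail_<name>_<suffix>, or nothing if it is unset.
jail_var() {
    eval "printf '%s' \"\${jail_${1}_${2}:-}\""
}

# Build the command line rc.d/jail would run for jail $1.
jail_cmdline() {
    _name=$1
    _root=$(jail_var "$_name" rootdir)
    _host=$(jail_var "$_name" hostname)
    _ip=$(jail_var "$_name" ip)
    _start=$(jail_var "$_name" exec_start)
    _params=$(jail_var "$_name" parameters)

    if [ -z "$_params" ]; then
        # Old-style invocation: the kernel still applies the global
        # security.jail.* sysctls to jails created this way, so a
        # sysctl.conf setting such as allow_raw_sockets=1 keeps working.
        printf '%s\n' "jail $_root $_host $_ip $_start"
    else
        # New-style invocation: permissions come only from the per-jail
        # parameters, so anything once granted by a sysctl must appear here
        # (e.g. jail_<name>_parameters="allow.raw_sockets"). "command" is
        # the last pseudo-parameter; the rest of the line is the command.
        printf '%s\n' "jail -c name=$_name path=$_root host.hostname=$_host ip4.addr=$_ip $_params command=$_start"
    fi
}

# The two deprecated global sysctls this thread mentions, mapped to the
# per-jail parameters that replace them.
sysctl_to_param() {
    case $1 in
    security.jail.allow_raw_sockets) echo allow.raw_sockets ;;
    security.jail.sysvipc_allowed)   echo allow.sysvipc ;;
    *) return 1 ;;
    esac
}

# For a jail that will be started new-style, list the parameters it needs
# to keep the permissions that "sysctl=1" pairs (as read from sysctl.conf)
# used to grant, but which jail_<name>_parameters does not already contain.
missing_params() {
    _name=$1; shift
    _params=$(jail_var "$_name" parameters)
    for _kv in "$@"; do
        _key=${_kv%%=*}
        _val=${_kv#*=}
        [ "$_val" = 1 ] || continue
        _p=$(sysctl_to_param "$_key") || continue
        case " $_params " in
        *" $_p "*|*" $_p=1 "*) ;;          # already granted per-jail
        *) printf '%s\n' "$_p" ;;
        esac
    done
}

# Constructed sample rc.conf settings: one jail without _parameters (keeps
# the old sysctl semantics) and one that relies on per-jail parameters.
jail_legacy_rootdir=/usr/jails/legacy
jail_legacy_hostname=legacy.example.net
jail_legacy_ip=192.0.2.10
jail_legacy_exec_start="/bin/sh /etc/rc"

jail_dhcp_rootdir=/usr/jails/dhcp
jail_dhcp_hostname=dhcp.example.net
jail_dhcp_ip=192.0.2.11
jail_dhcp_exec_start="/bin/sh /etc/rc"
jail_dhcp_parameters="allow.raw_sockets"

jail_cmdline legacy
jail_cmdline dhcp
# With sysctl.conf granting both raw sockets and SysV IPC, the dhcp jail
# would silently lose SysV IPC under the new-style line:
missing_params dhcp security.jail.allow_raw_sockets=1 security.jail.sysvipc_allowed=1
```

The practical check this encodes: confirming the sysctl on the host (as the original poster did) says nothing about a jail started with the new command line, so every permission previously taken from security.jail.* has to be spelled out in that jail's parameters, or the jail has to be started old-style.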
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50A51022.5000801>