From: Jim Prewett <download@hpc.unm.edu>
To: Robert Watson
Cc: freebsd-stable@freebsd.org
Date: Fri, 13 Feb 2004 21:34:26 -0700 (MST)
Subject: Re: jail issue
List-Id: Production branch of FreeBSD source code <freebsd-stable@freebsd.org>

Hi Robert,

I've been using jails (very happily) for quite some time and have *never*
had a problem like this. I really don't have a clue what to look for :)

I'm getting complaints from fellow keyserver ops as my IP seems to
sometimes be the jail and sometimes the host, so some of my packets get
rejected as that IP has not been configured (by the remote host) to be a
peer. (how strange is that?!)

Here is an email I received. I cvsup'd this morning, rebuilt everything,
and did a final clean reboot before starting up the pgp jail. I received
this email from one of my peer sites (the timestamps confirm this was
after starting the jail after rebuilding):

    To: download@hpc.unm.edu
    Subject: PGP/nox again

    2004-02-13 10:52:01 Enabling gossip
    2004-02-13 10:52:02 Reconciliation attempt from unauthorized host . Ignoring

The host (nox) is 129.24.244.72, the jail (pgp) is 129.24.244.40.

On Fri, 13 Feb 2004, Robert Watson wrote:

> On Fri, 13 Feb 2004, Jim Prewett wrote:
>
> > I run a PGP key server (SKS 1.0.6) inside of a jail. However, my key
> > server seems to be getting confused as to its IP address and is sending
> > packets as the host environment (not as the jail environment).
>
> Could you show the output of sockstat as run in the host environment?
> Likewise, the output of ps ax. I'd like to see what the socket is bound
> to, as the theory goes that jail modifies the bind requests from the
> process to set them to the IP in the jail. Either we have a bug in socket
> handling, or the process isn't running in the jail.

I'm really afraid I may have inadvertently found a bug! It is definitely
in the jail environment (I've included the ps output below). The SKS
daemons definitely answer on the jail environment IP (I've included the
output of nmap against both the host and the jail below)!

Here are the sockets related to the sks process:

nox# sockstat | grep sks
root     sks        276    5  tcp4   129.24.244.40:11371   *:*
root     sks        271    4  tcp4   129.24.244.40:11370   *:*
root     sks        276    6  stream ./db_com_sock
root     sks        271    5  stream ./recon_com_sock

and sks processes:

nox# ps ax | grep sks
 5804  p2  S+     0:00.00 grep sks
  271 con- S+J    0:03.29 sks recon
  276 con- S+J    0:11.50 sks db

nmap of host (nox) and jail (pgp):

nox# nmap nox pgp -p 11370-11371

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-13 21:21 MST
Interesting ports on nox.hpc.unm.edu (129.24.244.72):
PORT      STATE  SERVICE
11370/tcp closed unknown
11371/tcp closed pksd

Interesting ports on pgp.hpc.unm.edu (129.24.244.40):
PORT      STATE SERVICE
11370/tcp open  unknown
11371/tcp open  pksd

Nmap run completed -- 2 IP addresses (2 hosts up) scanned in 0.339 seconds

ifconfig from the host:

nox# ifconfig -a
fxp0: flags=8943 mtu 1500
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
        inet6 fe80::2d0:b7ff:fe7f:f678%fxp0 prefixlen 64 scopeid 0x1
        ether 00:d0:b7:7f:f6:78
        media: Ethernet autoselect (none)
        status: no carrier
vr0: flags=8843 mtu 1500
        inet 129.24.244.72 netmask 0xfffffc00 broadcast 129.24.247.255
        inet6 fe80::210:dcff:fedf:1a01%vr0 prefixlen 64 scopeid 0x2
        inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
        ether 00:10:dc:df:1a:01
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000

ifconfig from the jail:

pgp# ifconfig -a
fxp0: flags=8943 mtu 1500
        ether 00:d0:b7:7f:f6:78
        media: Ethernet autoselect (none)
        status: no carrier
vr0: flags=8843 mtu 1500
        inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
        ether 00:10:dc:df:1a:01
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500
lo0: flags=8049 mtu 16384

If there is anything else that I can provide, please let me know. I'm
*very* interested in resolving this.

Thanks,
Jim

-- 
James Prewett                    OpenPGP key: pub 1024D/31816D93
Systems Team Leader              Designated Security Officer
HPC Systems Engineer III @ HPC@UNM -- download@hpc.unm.edu  Jim@Prewett.org
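Added example (not part of the thread, and not SKS or FreeBSD code): the
sockstat output above only shows the addresses of the *listening* sockets.
What the peer site sees is the source address of the jail's *outbound*
reconciliation connections, which the kernel picks at connect() time when
the process has not called bind() itself. The probe below asks the kernel
for that choice directly: it connects a UDP socket (connect() on UDP sends
nothing, it only fixes the peer and does the route/source lookup) and reads
the selected local address back with getsockname(). Run it inside the jail
with a peer's address and the jail IP, e.g. "./probe <peer-ip>
129.24.244.40"; if it reports the host address (129.24.244.72 in the
thread) the jail's address rewriting is not being applied to that socket.
The default destination 127.0.0.1 and port 11370 are assumptions chosen so
the program also runs offline.

```c
/*
 * Added example: report which local IPv4 address the kernel selects as
 * the source for an outbound connection from the calling process.
 * Not from the thread or from SKS/FreeBSD; defaults are assumptions.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Connect an (unbound) UDP socket to dst:port and write the local address
 * the kernel assigned into out (at least INET_ADDRSTRLEN bytes).
 * No datagram is sent. Returns 0 on success, -1 on any failure.
 */
int probe_source_addr(const char *dst, unsigned short port,
                      char *out, size_t outlen)
{
    struct sockaddr_in peer, local;
    socklen_t len = sizeof(local);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd < 0)
        return -1;

    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(port);
    if (inet_pton(AF_INET, dst, &peer.sin_addr) != 1) {
        close(fd);
        return -1;
    }

    /* connect() is where the kernel chooses the source address. */
    if (connect(fd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
        close(fd);
        return -1;
    }
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (inet_ntop(AF_INET, &local.sin_addr, out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

/*
 * 1 if the kernel-selected source address for dst equals expected_ip,
 * 0 if it differs, -1 on error. Inside a jail, expected_ip is the jail's
 * address (129.24.244.40 in the thread); a 0 result means outbound packets
 * would leave with some other address, e.g. the host's.
 */
int source_matches(const char *dst, unsigned short port,
                   const char *expected_ip)
{
    char got[INET_ADDRSTRLEN];

    if (probe_source_addr(dst, port, got, sizeof(got)) != 0)
        return -1;
    return strcmp(got, expected_ip) == 0;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: loopback destination, SKS recon port 11370. */
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    const char *expect = argc > 2 ? argv[2] : NULL;
    char got[INET_ADDRSTRLEN];

    if (probe_source_addr(dst, 11370, got, sizeof(got)) != 0) {
        perror("probe_source_addr");
        return 1;
    }
    printf("source address selected for %s: %s\n", dst, got);
    if (expect != NULL && strcmp(got, expect) != 0) {
        printf("MISMATCH: expected %s\n", expect);
        return 2;
    }
    return 0;
}
```

Running the same binary on the host and in the jail against the same peer
address separates the two explanations Robert raises: a bound listening
socket that sockstat shows on 129.24.244.40 says nothing about the source
address of connections the daemon initiates, and this probe reports exactly
that address.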