Date: Thu, 1 Feb 2018 09:50:35 -0600
From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
Subject: Re: EZJAIL and ping on FreeBSD-11.
Message-ID: <2e179f4e-8811-25b2-081c-906d13149129@kicp.uchicago.edu>
In-Reply-To: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>
References: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>
On 02/01/18 09:23, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
>
> I have setup a jail named hll124. it is configured and running. It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
>
> In /etc/sysctl.conf on the host I have this:
>
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> # This file is read when going to multi-user and its contents piped thru
> # ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
> #
>
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
>
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
>
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
>
Yes, I'm sure you need that
>
> The host system shows this:
>
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
Good.
>
> In the ezjail configuration file I have this:
>
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
>
I don't know much about ezjail... but this sounds to me as pertinent to
one particular jail with the name "hll124".
I set up jails "by the book". To enable access to raw sockets in _all_
jails, I have somewhere in the configuration pertinent to all jails
(i.e. not inside particular jail settings) in /etc/jail.conf the line

    allow.raw_sockets = 1;

If you want to give that only to some jail, add this only inside jail
specific configuration in the same /etc/jail.conf, e.g.:

    db {
        host.hostname = "example.uchicago.edu";
        allow.raw_sockets = 1;
        ...
    }
I hope, this helps.
Valeri
>
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
>
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
>
> What else am I missing?
>
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
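The reply above draws the distinction between a global allow.raw_sockets line in /etc/jail.conf and one placed inside a single jail's block. As an added example (not part of the thread, not ezjail's or FreeBSD's own tooling), the POSIX sh script below audits a jail.conf(5) file and reports, per jail, whether raw sockets end up enabled and whether that comes from the jail's own block, from the global section, or from the default (disabled). Since raw sockets let a jail craft arbitrary IP/ICMP packets, not just run ping, an operator normally wants that list short. The jail names, hostnames, addresses and the sample jail.conf are constructed for the example; run raw_sockets_audit against the real /etc/jail.conf on a host.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits which jails in a
# jail.conf(5) file get allow.raw_sockets, so the capability is granted
# only where it is needed (e.g. a jail that must run ping/traceroute).

# Usage: raw_sockets_audit <path to jail.conf>
# Prints one line per jail:  "<jailname> <0|1> <jail|global|default>"
# Handles the forms  allow.raw_sockets;  allow.raw_sockets = 1;  = true;
# = yes;  = 0;  = false;  and  noallow.raw_sockets;
raw_sockets_audit() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        # start of a jail block:   name {
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*\{/ {
            name = $1; sub(/[ \t]*\{.*/, "", name)
            order[++n] = name
            injail = 1; next
        }
        /^[ \t]*\}/ { injail = 0; next }        # end of a jail block
        /allow\.raw_sockets/ {
            line = $0
            gsub(/[ \t;]/, "", line)             # "allow.raw_sockets=1" etc.
            if (line ~ /^noallow\.raw_sockets$/) v = 0
            else if (line ~ /^allow\.raw_sockets(=(1|true|yes))?$/) v = 1
            else v = 0
            if (injail) jailval[name] = v
            else { global = v; globalset = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                j = order[i]
                if (j in jailval)   printf "%s %d jail\n",    j, jailval[j]
                else if (globalset) printf "%s %d global\n",  j, global
                else                printf "%s 0 default\n",  j   # jail(8) default: off
            }
        }
    ' "$1"
}

# Demo on a constructed jail.conf (hostnames and addresses are made up).
raw_sockets_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample jail.conf for the example
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";

# global default for every jail below: raw sockets off
allow.raw_sockets = 0;

hll124 {
    host.hostname = "hll124.example.test";
    ip4.addr = 192.168.71.124;
    allow.raw_sockets;            # bare form: enabled for this jail only
}

db {
    host.hostname = "db.example.test";
    ip4.addr = 192.168.71.125;
}

web {
    host.hostname = "web.example.test";
    allow.raw_sockets = 0;
}
EOF
    raw_sockets_audit "$tmp"
    rm -f "$tmp"
}

raw_sockets_demo
```

For the sample file the script prints `hll124 1 jail`, `db 0 global` and `web 0 jail`: only hll124 gets raw sockets, which is the per-jail arrangement the reply recommends over enabling them for every jail. The script only parses the configuration file; it does not change anything on the host, and it does not follow `.include` directives, so include any secondary files when auditing a split configuration.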
