Date:      Thu, 1 Feb 2018 09:50:35 -0600
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
Subject:   Re: EZJAIL and ping on FreeBSD-11.
Message-ID:  <2e179f4e-8811-25b2-081c-906d13149129@kicp.uchicago.edu>
In-Reply-To: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>
References:  <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>



On 02/01/18 09:23, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
> 
> I have setup a jail named hll124.  It is configured and running.  It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
> 
> In /etc/sysctl.conf on the host I have this:
> 
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> #  This file is read when going to multi-user and its contents piped thru
> #  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
> #
> 
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
> 
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
> 
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
> 

Yes, I'm sure you need that

> 
> The host system shows this:
> 
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
> 

Good.

> 
> In the ezjail configuration file I have this:
> 
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
> 

I don't know much about ezjail... but this sounds to me as pertinent to 
one particular jail with the name "hll124".

I set up jails "by the book". To enable access to raw sockets in _all_ 
jails, I have somewhere in the configuration pertinent to all jails 
(i.e. not inside particular jail settings) in /etc/jail.conf the line

allow.raw_sockets = 1;

If you want to give that only to some jail, add this only inside jail 
specific configuration in the same /etc/jail.conf, e.g.:

db {
     host.hostname = "example.uchicago.edu";
     allow.raw_sockets = 1;
...
}

I hope this helps.

Valeri

> 
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
> 
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
> 
> What else am I missing?
> 

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
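Valeri's point about global versus per-jail settings, as an added example that is not part of the original thread: a POSIX sh/awk helper that reads a jail.conf(5)-style file and reports the effective allow.raw_sockets value for a named jail. The sample configuration and the jail_raw_sockets function name are constructed for this example; on a live host you would still confirm the host side with sysctl security.jail.allow_raw_sockets, as shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compute the effective allow.raw_sockets
# value for one jail from a jail.conf(5)-style file. A setting outside any
# "name { ... }" block applies to every jail; a setting inside the jail's own
# block overrides it. A bare "allow.raw_sockets;" means true and the
# "allow.noraw_sockets" form negates the value. Prints 1 (allowed) or 0.
jail_raw_sockets() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                                  # drop comments
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ {     # "name {" opens a jail block
            cur = $1; sub(/[{].*/, "", cur); next
        }
        /^[[:space:]]*[}]/ { cur = ""; next }              # "}" closes it
        /allow\.(no)?raw_sockets/ {
            val = 1                                         # bare form means true
            if ($0 ~ /=/) {
                n = split($0, kv, "="); v = kv[n]
                gsub(/[[:space:]";]/, "", v)
                val = (v == "1" || v == "true") ? 1 : 0
            }
            if ($0 ~ /noraw_sockets/) val = 1 - val         # allow.noX negates
            if (cur == "")        { glob_val = val; glob_set = 1 }
            else if (cur == want) { jail_val = val; jail_set = 1 }
        }
        END {
            if (jail_set)      eff = jail_val
            else if (glob_set) eff = glob_val
            else               eff = 0                      # jail(8) default: denied
            print eff
            exit (eff ? 0 : 1)
        }' "$1"
}

# Constructed sample jail.conf: raw sockets allowed globally, denied again in
# one jail, and left unset (so inheriting the global value) in another.
SAMPLE_CONF="${TMPDIR:-/tmp}/jail.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
allow.raw_sockets = 1;
db {
    host.hostname = "db.example.invalid";
    allow.noraw_sockets;
}
hll124 {
    host.hostname = "hll124.example.invalid";
}
EOF

for j in hll124 db; do
    printf '%s: allow.raw_sockets=%s\n' "$j" "$(jail_raw_sockets "$SAMPLE_CONF" "$j")"
done
```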


