From: Valeri Galtsev <galtsev@kicp.uchicago.edu>
To: byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
Subject: Re: EZJAIL and ping on FreeBSD-11.
Date: Thu, 1 Feb 2018 09:50:35 -0600
Message-ID: <2e179f4e-8811-25b2-081c-906d13149129@kicp.uchicago.edu>
In-Reply-To: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>

On 02/01/18 09:23, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
>
> I have set up a jail named hll124. It is configured and running. It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
>
> In /etc/sysctl.conf on the host I have this:
>
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> # This file is read when going to multi-user and its contents piped thru
> # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
> #
>
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
>
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
>
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
>

Yes, I'm sure you need that.

> The host system shows this:
>
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>

Good.

> In the ezjail configuration file I have this:
>
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
>

I don't know much about ezjail... but this sounds to me as pertinent to one particular jail with the name "hll124".

I set up jails "by the book". To enable access to raw sockets in _all_ jails, I have somewhere in the configuration pertinent to all jails (i.e. not inside particular jail settings) in /etc/jail.conf the line

allow.raw_sockets = 1;

If you want to give that only to some jail, add this only inside the jail-specific configuration in the same /etc/jail.conf, e.g.:

db {
    host.hostname = "example.uchicago.edu";
    allow.raw_sockets = 1;
    ...
}

I hope this helps.

Valeri

> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
>
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
>
> What else am I missing?
> --

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
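The reply above describes two layers of jail.conf settings: an allow.raw_sockets line outside any jail block is the default for every jail, and the same line inside a "name { ... }" block overrides it for that jail only. The script below is an added example, not code from the thread or from FreeBSD; it parses a constructed jail.conf (written by the script itself, so it runs anywhere with sh and awk) and reports the effective allow.raw_sockets value for a named jail. The jail names db, web and hll124 in the sample config are constructed, and the syntax it recognises ("allow.raw_sockets = 1;", the bare boolean "allow.raw_sockets;" and its negation "allow.noraw_sockets;") is an assumption about which forms matter for this check.

```shell
#!/bin/sh
# Added example: report the effective allow.raw_sockets value for one jail,
# following the rule from the reply above (global default outside any block,
# per-jail override inside the jail's own block). jail(8)'s built-in default
# is off, so a jail with neither setting reports 0.

effective_raw_sockets() {
    # $1 = jail name, $2 = path to a jail.conf-style file
    awk -v want="$1" '
        { sub(/#.*/, "") }                         # drop comments
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*[{]/ {        # "name {" opens a jail block
            name = $1; sub(/[ \t]*[{].*/, "", name); depth = 1; next
        }
        /^[ \t]*[}]/ { depth = 0; name = ""; next } # "}" closes it
        /allow\.raw_sockets/ {                     # "= 1;", "= true;" or bare form mean on
            v = 1
            if ($0 ~ /=[ \t]*(0|false)[ \t]*;/) v = 0
            if (depth == 0) def = v; else if (name == want) own = v
        }
        /allow\.noraw_sockets/ {                   # negated boolean form means off
            if (depth == 0) def = 0; else if (name == want) own = 0
        }
        END {
            if (own != "") print own               # per-jail setting wins
            else if (def != "") print def          # otherwise the global default
            else print 0                           # otherwise jail(8) default: off
        }
    ' "$2"
}

write_sample_conf() {
    # Constructed sample config for demonstration; written to the path in $1.
    cat > "$1" <<'EOF'
# settings outside any block are defaults for every jail
exec.start = "/bin/sh /etc/rc";
allow.raw_sockets = 1;

db {
    host.hostname = "example.uchicago.edu";
    allow.raw_sockets = 1;
}

web {
    host.hostname = "web.example";
    allow.noraw_sockets;
}

hll124 {
    host.hostname = "hll124.example";
}
EOF
}

# Demo run: db and hll124 end up with raw sockets (explicit and inherited),
# web has them switched off by its own block.
conf=$(mktemp) && write_sample_conf "$conf"
for j in db web hll124; do
    printf '%s: allow.raw_sockets=%s\n' "$j" "$(effective_raw_sockets "$j" "$conf")"
done
rm -f "$conf"
```

On a live FreeBSD host the same question is answered by the kernel itself: "sysctl security.jail.allow_raw_sockets" for the host-wide switch (which the thread already shows as 1) and "jls -j hll124 allow.raw_sockets" for what the running jail was actually given; when the script's reading of /etc/jail.conf and the jls output disagree, the jail was started with a different configuration than the one being edited.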