dhcpd within ezjail
kuyaedz
November 25th, 2008, 20:13
We've been running FreeBSD at my office for some time now. Currently we've got all of our internal services running on a few 6.2 installations, including tinydns, dhcpd, etc.
In order to document and better familiarize myself with the setup I've tried duplicating the services and setup within a few jails at home. The only issue I've run into is that I can't seem to get dhcpd to run properly within the jail.
I can start the service and it shows that it is running within top, but when I tell another machine on the LAN to ask for an address I get no feedback from dhcpd. Nothing in the logs, and no response to the client.
Does anyone have dhcpd running within jails that might be able to offer some tips?
anomie
November 25th, 2008, 20:17
Is this the same problem: http://daemonforums.org/showthread.php?t=2314 ?
If not, I'll say what I said there - AFAIK this is not possible.
If someone knows otherwise, I welcome them to chime in.
kuyaedz
November 25th, 2008, 20:36
Is this the same problem: http://daemonforums.org/showthread.php?t=2314 ?
Yeah, it's the same problem. I was maybe hoping these new forums might get more attention...
The thing is, I know it's possible because that is how we are running it at work. The tricky part is that all the guys who originally set it up have moved on to other companies.
simon@
May 6th, 2009, 13:16
Hey
While trying to solve the same issue I came across this post so I thought I might as well post a solution here.
One way to do this is to explicitly allow BPF in the jail running the DHCP server.
On the host running the jails add the following to /etc/devfs.rules (the file might not already exist).
[devfsrules_jail_bpf=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
For the specific jail set it to use the new ruleset. E.g. I use ezjail so for my 'dhcp0' jail I change in /usr/local/etc/ezjail/dhcp0
export jail_dhcp0_devfs_ruleset="devfsrules_jail"
to
export jail_dhcp0_devfs_ruleset="devfsrules_jail_bpf"
and restart the jail.
Do note that this will basically allow anything in that jail to use BPF, which at least allows the jail to listen to all network traffic which the host can see, and probably also to send any type of network packet. This of course does reduce the security isolation of the jail, but for me that was still an acceptable solution.
Now I just need to find a way to do it entirely with sockets and no BPF since I use DHCP relay agent, but I haven't had time to do that yet, and the above solution works...
Simon
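As an added example (not code from the thread or from ezjail), here is a POSIX sh script that carries out the change from simon@'s post against stand-in copies of /etc/devfs.rules and the ezjail config directory, and then runs the audit a practitioner wants afterwards: which jails now sit on a ruleset that unhides bpf*. The jail names dhcp0 and www0, their addresses and the temporary work directory are assumptions so that it runs offline; ruleset number 5 and the ruleset contents follow the post.

```shell
#!/bin/sh
# Added example, not from the forum post. Applies the devfs/ezjail change
# from the post to stand-in files and audits which jails end up with BPF
# exposed. Jail names, IPs and the work directory are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DEVFS_RULES="$WORK/devfs.rules"   # stands in for /etc/devfs.rules
EZJAIL_DIR="$WORK/ezjail"         # stands in for /usr/local/etc/ezjail
mkdir -p "$EZJAIL_DIR"

# Rulesets 1-4 are taken by /etc/defaults/devfs.rules (hide_all,
# unhide_basic, unhide_login, jail), so 5 is the first free number.
RULESET_NAME="devfsrules_jail_bpf"
RULESET_NUM=5

# Append the BPF-unhiding ruleset from the post, only once: re-running the
# script must not leave two stanzas with the same name in the file.
add_bpf_ruleset() {
    if grep -q "^\[${RULESET_NAME}=" "$DEVFS_RULES" 2>/dev/null; then
        return 0
    fi
    cat >>"$DEVFS_RULES" <<EOF
[${RULESET_NAME}=${RULESET_NUM}]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path 'bpf*' unhide
EOF
}

# Switch one jail's ezjail config to a ruleset (the post's edit of
# /usr/local/etc/ezjail/dhcp0); every other jail keeps devfsrules_jail.
# Plain sed + mv rather than sed -i, which differs between BSD and GNU.
set_jail_ruleset() {   # $1 = jail name, $2 = ruleset name
    cfg="$EZJAIL_DIR/$1"
    sed "s/^export jail_$1_devfs_ruleset=.*/export jail_$1_devfs_ruleset=\"$2\"/" \
        "$cfg" >"$cfg.new" && mv "$cfg.new" "$cfg"
}

# Audit: print every jail whose ruleset stanza unhides bpf*. Each such jail
# can sniff (and most likely inject) on every interface the host sees, so
# this list is what to review after the change. On a real host, also scan
# /etc/defaults/devfs.rules, where the stock rulesets are defined.
jails_with_bpf() {
    for cfg in "$EZJAIL_DIR"/*; do
        jail="$(basename "$cfg")"
        rs="$(sed -n "s/^export jail_${jail}_devfs_ruleset=\"\(.*\)\"/\1/p" "$cfg")"
        # Take the stanza from its [name=N] header up to the next header.
        if sed -n "/^\[${rs}=/,/^\[/p" "$DEVFS_RULES" 2>/dev/null \
               | grep -q "bpf.*unhide"; then
            echo "$jail"
        fi
    done
}

# Constructed sample ezjail configs using ezjail's own variable names.
mk_jail_cfg() {   # $1 = jail name, $2 = address (assumed values)
    cat >"$EZJAIL_DIR/$1" <<EOF
export jail_$1_hostname="$1"
export jail_$1_ip="$2"
export jail_$1_rootdir="/usr/jails/$1"
export jail_$1_devfs_ruleset="devfsrules_jail"
EOF
}
mk_jail_cfg dhcp0 192.0.2.10
mk_jail_cfg www0 192.0.2.20

add_bpf_ruleset
set_jail_ruleset dhcp0 "$RULESET_NAME"

echo "jails with bpf* unhidden:"
jails_with_bpf

# On the real host, after restarting the jail (ezjail-admin restart dhcp0):
#   devfs rule -s 5 show          # the loaded ruleset
#   jexec <jid> ls -l /dev/bpf*   # nodes now visible inside the jail
# Anything in that jail able to open /dev/bpf* can now run tcpdump on the
# host's interfaces, which is the isolation cost the post describes.
```

The audit is the part worth keeping around: it is cheap to run from cron or a config-management check, and it flags any jail that quietly picks up a bpf-unhiding ruleset later, not only the dhcp jail you intended.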