Solved Jail: <jailname>: vnet jails cannot have IP address restrictions

I've searched for this error and can't find any useful info.

I did find this link about iocage but I'm not using iocage: https://github.com/iocage/iocage/issues/78
I did find this link about fubarnetes but I'm not using that either: https://github.com/fubarnetes/libjail-rs/pull/79

I have machine A with a working Jail called 'net' that I want to move to machine B.
Move went fine but I went to start the jail on machine B and...

Code:
# service jail start net
Starting jails: cannot start jail  "net":
ng0_net
jail: net: vnet jails cannot have IP address restrictions
.

On machine A I don't have any lines in jail.conf about ip4 or ip6.
On machine B I did have ip4=inherit; ip6=inherit; in the defaults section, so I added these:
Code:
net {
    ip4=new;
    ip6=new;
    host.hostname = "net.wfprod.com";
    path="/zroot/jails/net";
    vnet;
    vnet.interface = ng0_net;
    exec.prestart="jng bridge net igb1";
    exec.prestop  = "ifconfig ng0_net -vnet net";
    exec.poststop = "jng shutdown net";
    devfs_ruleset = "11"; # rule to unhide bpf for DHCP
}

Machine A is set up with several jails all on the ix0 ethernet port (network card), while the host is on igb0 (motherboard).
Machine B only has one ethernet port, so I now have all this on igb0:
-Host IPFW (with no NAT), plus tun0 for openvpn
-several jails on ip4/6=inherit including samba, minecraft, nginx, synapse, postfix, postgres
-the samba jail has openvpn running. the tun0 interface has a route in it for the vpn clients.

I tried turning off ipfw and then starting the jail but got the same error:
`cannot have IP address restrictions`

How does one debug this? It seems like I'm supposed to be able to do this.

Any hints at all appreciated. I'm out of clues.
 
And then I couldn't reproduce the behavior on a test server, so I closed the bug. I thought I had the bug on both servers, but when verifying I noticed differences.

The largest part of my problem was that ping wasn't working after I set up a VNET jail. This caused me to think all the non-VNET jails had no networking.
It was the first VNET jail on this server and there were problems getting it to come up. I noticed ping wasn't working in another jail by accident and thought everything was broken. In reality it was just ping.

To fix:
I moved `ip4=inherit;` and `ip6=inherit;` from jail.conf defaults into each non-VNET jail config, then added `allow.raw_sockets;` to each non-VNET jail config (so ping would work) and ping started working again.

Then I just deleted `ip4=new;ip6=new;` from the net VNET jail config and that worked too.
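The layout the fix above describes, written out as a complete jail.conf, is added here as an illustration and is not the poster's actual file. The jail names, paths, hostnames and the igb0 interface are assumed placeholders; the point is where the ip4/ip6 and allow.raw_sockets lines sit and where they do not.

```conf
# /etc/jail.conf (illustrative, not the poster's file)

# Defaults apply to EVERY jail, including VNET jails. Do not put
# ip4/ip6 settings here: a VNET jail given any ip4/ip6 restriction
# fails with "vnet jails cannot have IP address restrictions".
exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/zroot/jails/$name";   # $name expands to the jail name

# Non-VNET jail: shares the host's stack, so ip4/ip6=inherit belongs
# here, per jail. allow.raw_sockets is what lets ping work inside it.
nginx {
    host.hostname = "nginx.example.invalid";   # placeholder
    ip4 = inherit;
    ip6 = inherit;
    allow.raw_sockets;
}

# Another non-VNET jail, same pattern.
postgres {
    host.hostname = "postgres.example.invalid";   # placeholder
    ip4 = inherit;
    ip6 = inherit;
    allow.raw_sockets;
}

# VNET jail: gets its own network stack via vnet.interface, so there
# must be NO ip4/ip6 line at all (neither "new" nor "inherit").
net {
    host.hostname = "net.example.invalid";   # placeholder
    vnet;
    vnet.interface = ng0_net;
    exec.prestart = "jng bridge net igb0";       # igb0 assumed
    exec.prestop  = "ifconfig ng0_net -vnet net";
    exec.poststop = "jng shutdown net";
    devfs_ruleset = "11";   # unhide bpf for DHCP inside the jail
}
```

After editing, `service jail start net` should come up without the restriction error, and `jls -v` will show the VNET jail with no IP addresses attached at the host level (they live inside its own stack), while the inherit jails list the host's addresses.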