lsof doesn't work inside a jail?

Hello,

this is not specifically an issue about Solr, but I ran into this error trying to use Solr inside a jail. The problem is the following: each time I start the Solr server, Solr "Waits up to 180 seconds to see Solr running on port 8983" using, apparently, lsof to check that.

And I get the error

lsof: kvm_open(execfile=/boot/kernel/kernel, corefile=/dev/mem): No such file or directory

displaying every second for 3 minutes before the Solr program gives up checking.

I tried to run the lsof command directly and I get the same error:
$ lsof
lsof: kvm_open(execfile=/boot/kernel/kernel, corefile=/dev/mem): No such file or directory


What should I do?
Any help would be greatly appreciated.
 
I completely agree. However, I have no control over the source code of Solr. Even if I submit a bug report to them (and for some reason the Solr project doesn't even accept bug reports on GitHub), it's going to take a long time for them to agree to change anything (if they do) and the change would appear in Solr 8.x while I'm using Solr 7.2. That's why I'm looking for a way to make it work with lsof.
 
By the way, how would you proceed to check what program is listening on a TCP port using fuser?
I checked Solr's source code and they use it to get the pid of the program that is listening on a port:

Code:
pid=`lsof -i:$jettyPort -sTCP:LISTEN -t`

How would you achieve that using fuser?
 
Well, at first I was going to comment on how this would probably not work because of the nature of lsof and the sandbox environment which is a Jail. Then I read up a bit ;)

Your problem mostly revolves around the lack of /dev/mem, which is basically a good thing because - as far as I know - it always provides full access to the host's memory, therefore more or less defying the purpose of the jail in the first place.

But it's still possible to provide a jail with access to devfs, thus a fully working /dev structure. Basically all you need is to define a few rules in /etc/jail.conf:

Code:
        mount.devfs; 
        devfs_ruleset = 2;
        enforce_statfs = 1; 
        allow.mount.devfs;
If you configure your jail with this you'll have a (mostly) complete /dev structure including /dev/mem which will then allow lsof to do its job.

Fair warning though: although my experience with Jails is somewhat limited I'm still convinced that this pretty much defies the whole purpose of the jail in the first place. After all: you're basically giving the jail direct access to parts of your host which is a risk. If you use the jail for security then this setup will definitely invalidate that purpose.

By the way, how would you proceed to check what program is listening on a TCP port using fuser?
You don't. Use sockstat for that: sockstat -4l for example.
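
Added example (not part of the thread, and not Solr's own code): one way to get the PID that Solr's `lsof -i:$jettyPort -sTCP:LISTEN -t` line looks up, using sockstat as suggested above so the jail does not need /dev/mem. The function names, the sample output and the assumed column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) are illustrative assumptions.

```shell
#!/bin/sh
# Added example: resolve the PID listening on a TCP port from sockstat output.

# Read `sockstat -l` style output on stdin and print each PID (once) that has
# a TCP socket whose local address ends in :PORT.
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
listener_pids() {
    # Accept only a plain decimal port so nothing odd reaches awk.
    case "$1" in
        ''|*[!0-9]*) echo "invalid port: $1" >&2; return 2 ;;
    esac
    awk -v port="$1" '
        NR == 1 && $1 == "USER" { next }   # skip the header line
        $5 !~ /^tcp/            { next }   # ignore udp and other protocols
        {
            n = split($6, parts, ":")      # port is the last ":" field
            if (parts[n] == port && !seen[$3]++) print $3
        }'
}

# Hypothetical wrapper for use on the FreeBSD host or inside the jail.
port_pid() {
    sockstat -4 -6 -l | listener_pids "$1"
}

# Constructed sample output (not captured from a real system).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
solr     java       4312  45 tcp4   *:8983                *:*
solr     java       4312  46 tcp6   *:8983                *:*
root     sshd       801   3  tcp4   *:22                  *:*
root     syslogd    650   6  udp4   *:514                 *:*
www      nginx      990   7  tcp4   10.0.0.5:18983        *:*
EOF
}

# Demonstration on the constructed sample.
sample_sockstat | listener_pids 8983
```

On a real system, `pid=$(port_pid "$jettyPort")` would stand in for the lsof line quoted earlier in the thread.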
 