ISC-dhcpd in jail doesn't work anymore

Hey guys,

For several months I had used isc-dhcpd in a jail. I had the usual trouble in the beginning (jails are very restrictive...) but I kind of fixed them a long time ago. As I already said - it worked like a charm for months. Until yesterday. To my knowledge I only did the following things:

- freebsd-update install
- portsnap fetch update (which should not affect the jails)

Now isc-dhcpd doesn't start anymore and shows me the old error "unable to create icmp socket: Operation not permitted". This was one of the old problems I had when I first installed the jail. I solved it back then with security.jail.allow_raw_sockets=1 in the rc.conf of the jail host system. I confirmed - this parameter is still set.

So I continued with /etc/devfs.rules definitions - add path net unhide, add path 'net/*' unhide.

There are several blog posts I used as examples and templates for my configuration:

https://forums.freebsd.org/viewtopic.php?&t=29934
http://lists.freebsd.org/pipermail/freebsd-jail/2012-November/001989.html
http://dan.langille.org/2013/08/18/creating-a-freebsd-jail-to-run-dhcp-and-dns/

Nothing works. I can't get dhcpd up anymore.

I rolled back the freebsd-update. Same problem.

I even rolled back a ZFS snapshot of the jail when it was definitely working - still nothing!

I am out of options now. I hope anybody here has an idea how to continue?

Thanks.

D
 
You do not say which version of FreeBSD, either before or after the update. Now, raw sockets are a per-jail setting.

Old format, in /etc/rc.conf:
Code:
...
jail_mydhcpjail_parameters="allow.raw_sockets=1"

For sysutils/ezjail, in /usr/local/etc/ezjail/mydhcpjail:
Code:
export jail_mydhcpjail_parameters="allow.raw_sockets=1"

New FreeBSD 10 format, in /etc/jail.conf:
Code:
mydhcpjail {
        ...
        allow.raw_sockets = 1;
}
 
It's the bpf() device that DHCPD requires to run in a jail. If you are using FreeBSD 10, I am guessing your updates included applying SA 14-07. https://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc. Prior to that, jails were able to see all devices. If you are using FreeBSD 9 or 8, I am not sure as the bpf() device shouldn't have been seen without explicit config.

/etc/devfs.rules
Code:
[devfsrules_jail_with_bpf=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

For sysutils/ezjail in /usr/local/etc/ezjail/mydhcpjail
Code:
export jail_mydhcpjail_devfs_ruleset="6"
export jail_mydhcpjail_parameters="allow.raw_sockets=1"

Equivalent /etc/jail.conf style.
Code:
allow.raw_sockets=1;
devfs_ruleset = "6";

The usual warning applies. Access to the bpf device in a jail means the root user in the jail can use tcpdump to collect packets on any interface on the system, even ones where the jail doesn't have an IP.
 
Whoops. But raw sockets are still needed, because DHCP is supposed to ping an address to make sure nobody is using it before handing it out. I just did this for /etc/devfs.rules on FreeBSD 10-stable:
Code:
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide
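Putting the two answers above together, here is an added example (not code from the thread or from any of the posters): a small POSIX sh script that lints a jail.conf block and a devfs.rules file for exactly the two things isc-dhcpd needs in a jail, allow.raw_sockets for the ICMP ping-before-lease check and a devfs ruleset that unhides bpf, and, when run on a FreeBSD host, asks the kernel what was actually applied. The jail.conf and devfs.rules text embedded in it is constructed for the example; the jail name mydhcpjail and ruleset number 6 follow the thread but are otherwise hypothetical, and ruleset 4 stands in for the stock devfsrules_jail set.

```shell
#!/bin/sh
# Added example: offline lint of the jail settings isc-dhcpd needs, plus an
# on-host check. Sample configs below are constructed; names are hypothetical.

# Constructed /etc/jail.conf: mydhcpjail is configured as the thread suggests,
# otherjail is left with the stock ruleset and no raw sockets.
SAMPLE_JAIL_CONF=$(cat <<'EOF'
mydhcpjail {
    path = "/usr/jails/mydhcpjail";
    allow.raw_sockets = 1;
    devfs_ruleset = "6";
}
otherjail {
    path = "/usr/jails/otherjail";
    devfs_ruleset = "4";
}
EOF
)

# Constructed /etc/devfs.rules: ruleset 6 exposes bpf, ruleset 4 does not.
SAMPLE_DEVFS_RULES=$(cat <<'EOF'
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

[devfsrules_jail_with_bpf=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
EOF
)

# jail_param NAME PARAM [CONF]: print PARAM's value inside NAME's block.
# A bare "allow.raw_sockets;" counts as 1, as in jail.conf(5); prints nothing if absent.
jail_param() {
    printf '%s\n' "${3:-$SAMPLE_JAIL_CONF}" |
    sed 's/[;"]//g; s/=/ = /; s/{/ { /' |
    awk -v jail="$1" -v param="$2" '
        $1 == jail && $2 == "{" { inblock = 1; next }
        inblock && $1 == "}"    { exit }
        inblock && $1 == param  { v = (NF >= 3) ? $3 : 1; print v; exit }
    '
}

# ruleset_unhides_bpf NUM [RULES]: exit 0 if devfs ruleset NUM has an
# "add path 'bpf*' unhide" rule, 1 otherwise.
ruleset_unhides_bpf() {
    printf '%s\n' "${2:-$SAMPLE_DEVFS_RULES}" |
    awk -v num="$1" '
        /^\[/ { insect = ($0 ~ ("=" num "\\]$")); next }
        insect && $1 == "add" && $2 == "path" && index($0, "bpf*") && $NF == "unhide" { found = 1 }
        END { exit !found }
    '
}

# dhcpd_jail_ready NAME: exit 0 when NAME has allow.raw_sockets=1 and a devfs
# ruleset that unhides bpf; reports what is missing and exits 1 otherwise.
dhcpd_jail_ready() {
    jail="$1"; ready=0
    raw=$(jail_param "$jail" allow.raw_sockets)
    if [ "$raw" != 1 ]; then
        echo "$jail: allow.raw_sockets is not 1 (dhcpd cannot open its ICMP socket)"; ready=1
    fi
    rs=$(jail_param "$jail" devfs_ruleset)
    if [ -z "$rs" ] || ! ruleset_unhides_bpf "$rs"; then
        echo "$jail: devfs_ruleset '${rs:-unset}' does not unhide bpf (no /dev/bpf in the jail)"; ready=1
    fi
    return $ready
}

# live_check NAME: on a FreeBSD host, show what the kernel actually applied to
# the running jail. Skipped silently where jls(8) is not available.
live_check() {
    command -v jls >/dev/null 2>&1 || return 0
    jls -j "$1" allow.raw_sockets devfs_ruleset          # expect 1 and the bpf ruleset
    devfs rule -s "$(jls -j "$1" devfs_ruleset)" show    # expect the bpf* unhide line
    jexec "$1" ls -l /dev/bpf*                           # expect bpf nodes inside the jail
}

for j in mydhcpjail otherjail; do
    if dhcpd_jail_ready "$j"; then echo "$j: ready for dhcpd"; fi
done
live_check mydhcpjail
```

The lint only reads files, so it runs anywhere; the live_check part is the one to trust, because a rc.conf-era knob such as the host-wide security.jail.allow_raw_sockets is not what the per-jail allow.raw_sockets parameter reports, and a ruleset edited in /etc/devfs.rules takes effect only after the jail's devfs is remounted or the jail restarted.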
 