Inside ezjail: no ping, can't install with pkg and ports

ericbsd

Developer
Hi,

We started to rent a server for GhostBSD. I did a jail with ezjail; I can SSH in, but once I am in there is no way to install software through ports or pkg, and I can't ping www.google.com.

Code:
root@ghsotbsd_www:~ # pkg install vim
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: No address record
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
Code:
root@ghsotbsd_www:~ # cd /usr/ports/editors/vim
root@ghsotbsd_www:/usr/ports/editors/vim # make install clean
===> Building/installing dialog4ports as it is required for the config dialog
===>  Cleaning for dialog4ports-0.1.6
===> Skipping 'config' as NO_DIALOG is defined
===>  License BSD2CLAUSE accepted by the user
===>  dialog4ports-0.1.6 depends on file: /usr/local/sbin/pkg - not found
===> Skipping 'config' as NO_DIALOG is defined
===>  License BSD2CLAUSE accepted by the user
=> pkg-1.8.7.tar.xz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch http://files.etoilebsd.net/pkg/pkg-1.8.7.tar.xz
fetch: http://files.etoilebsd.net/pkg/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://mirror.shatow.net/freebsd/pkg/pkg-1.8.7.tar.xz
fetch: http://mirror.shatow.net/freebsd/pkg/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/pkg-1.8.7.tar.xz
fetch: http://distcache.FreeBSD.org/ports-distfiles/pkg-1.8.7.tar.xz: No address record
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Stop.
make[5]: stopped in /basejail/usr/ports/ports-mgmt/pkg
*** Error code 1

Stop.
make[4]: stopped in /basejail/usr/ports/ports-mgmt/pkg
*** Error code 1

Stop.
make[3]: stopped in /basejail/usr/ports/ports-mgmt/dialog4ports
*** Error code 1

Stop.
make[2]: stopped in /basejail/usr/ports/ports-mgmt/dialog4ports
===> Options unchanged
===>  vim-7.4.1832 depends on file: /usr/local/sbin/pkg - not found
===>  License BSD2CLAUSE accepted by the user
=> pkg-1.8.7.tar.xz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch http://files.etoilebsd.net/pkg/pkg-1.8.7.tar.xz
fetch: http://files.etoilebsd.net/pkg/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://mirror.shatow.net/freebsd/pkg/pkg-1.8.7.tar.xz
fetch: http://mirror.shatow.net/freebsd/pkg/pkg-1.8.7.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/pkg-1.8.7.tar.xz
fetch: http://distcache.FreeBSD.org/ports-distfiles/pkg-1.8.7.tar.xz: No address record
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Stop.
make[2]: stopped in /basejail/usr/ports/ports-mgmt/pkg
*** Error code 1

Stop.
make[1]: stopped in /basejail/usr/ports/editors/vim
*** Error code 1

Stop.
make: stopped in /basejail/usr/ports/editors/vim

Code:
root@ghsotbsd_www:~ # ping www.google.com
ping: ssend socket: Operation not permitted

Here is my configuration.

Code:
cat /etc/rc.conf
zfs_enable="YES"
### Added by OVH - block start
# Network configuration (IPv4)
ifconfig_em0="inet 198.27.68.94 netmask 255.255.255.0 broadcast 198.27.68.255"
defaultrouter="198.27.68.254"

# Network configuration (IPv6)
ifconfig_em0_ipv6="inet6 2607:5300:0060:1d5e:: prefixlen 64 accept_rtadv no_radr"
ipv6_network_interfaces="em0"
ipv6_default_interface="em0"
ipv6_defaultrouter="2607:5300:0060:1dff:ff:ff:ff:ff"
ipv6_route_ovhgw="2607:5300:0060:1dff:ff:ff:ff:ff -prefixlen 128 -interface em0"
ipv6_static_routes="ovhgw"

ifconfig_em0_alias0="192.99.188.34 netmask 255.255.255.255"

# Various options
dumpdev="AUTO"
clear_tmp_enable="YES"
accounting_enable="YES"

# Daemons
ntpd_enable="YES"
sshd_enable="YES"
local_unbound_enable="YES"
### Added by OVH - block end
hostname="server.ghostbsd.org"

ezjail_enable="YES"
cloned_interfaces="lo1"

Code:
cat /usr/local/etc/ezjail/ghsotbsd_www
export jail_ghsotbsd_www_hostname="ghsotbsd_www"
export jail_ghsotbsd_www_ip="lo1|127.0.2.1,em0|192.99.188.34"
export jail_ghsotbsd_www_rootdir="/usr/home/jails/ghsotbsd_www"
export jail_ghsotbsd_www_exec_start="/bin/sh /etc/rc"
export jail_ghsotbsd_www_exec_stop=""
export jail_ghsotbsd_www_mount_enable="YES"
export jail_ghsotbsd_www_devfs_enable="YES"
export jail_ghsotbsd_www_devfs_ruleset="devfsrules_jail"
export jail_ghsotbsd_www_procfs_enable="YES"
export jail_ghsotbsd_www_fdescfs_enable="YES"
export jail_ghsotbsd_www_image=""
export jail_ghsotbsd_www_imagetype=""
export jail_ghsotbsd_www_attachparams=""
export jail_ghsotbsd_www_attachblocking=""
export jail_ghsotbsd_www_forceblocking=""
export jail_ghsotbsd_www_zfs_datasets=""
export jail_ghsotbsd_www_cpuset=""
export jail_ghsotbsd_www_fib=""
export jail_ghsotbsd_www_parentzfs=""
export jail_ghsotbsd_www_parameters=""
export jail_ghsotbsd_www_post_start_script=""
export jail_ghsotbsd_www_retention_policy=""

Code:
cat /usr/local/etc/ezjail.conf
ezjail_jaildir=/usr/home/jails
ezjail_sourcetree=/usr/src
ezjail_ftphost=ftp.freebsd.org
ezjail_mount_enable="YES"
ezjail_devfs_enable="YES"
ezjail_devfs_ruleset="devfsrules_jail"
ezjail_procfs_enable="YES"
ezjail_fdescfs_enable="YES"

Code:
cat /etc/sysctl.conf
# $FreeBSD: releng/11.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
### Added by OVH - block start
net.link.ether.inet.log_arp_movements=0
net.inet6.ip6.accept_rtadv=1
net.inet6.ip6.no_radr=1
net.inet6.ip6.auto_linklocal=0
### Added by OVH - block end
security.jail.allow_raw_sockets=1

Code:
root@server:~ # jls
  JID  IP Address  Hostname  Path
  6  127.0.2.1  ghsotbsd_www  /usr/home/jails/ghsotbsd_www

I do not know why I can SSH into that jail but not install pkg or ports.
 
Pings are not allowed unless you set allow.raw_sockets. See jail(8):
Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.  If this is
                     set, the source IP addresses are enforced to comply with
                     the IP address bound to the jail, regardless of whether
                     or not the IP_HDRINCL flag has been set on the socket.
                     Since raw sockets can be used to configure and interact
                     with various network subsystems, extra caution should be
                     used where privileged access to jails is given out to
                     untrusted parties.
 
tobik: This is my jail's resolv.conf, which is similar to the server's resolv.conf.
Code:
# Generated by resolvconf
# nameserver 213.186.33.99

nameserver 127.0.2.1
options edns0

SirDice: I did set up security.jail.allow_raw_sockets=1 in sysctl.conf.

Snurg: I do know that I can use pkg -j, but the purpose is to have the jail act like a VPS.
 
I did add:

Code:
export jail_ghsotbsd_www_parameters="allow.raw_sockets=1"

to /usr/local/etc/ezjail/ghsotbsd_www, and ping works, but I still can't ping outside.

Code:
root@ghsotbsd_www:~ # ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure
 
What about setting the jail's resolv.conf to the host's address (198.27.68.94), adding an allow directive in the host's unbound.conf so that queries from the jail's IP get honored, and setting up skip for lo1 and maybe also NAT for the jail's IPs in pf.conf?
 
Don't know if you got this resolved, ericturgeon, but I had exactly the same issue. After some searching and trying, I copied over my /etc/resolv.conf to /usr/jails/the_name_of_your_jail/etc/.
That did the trick.
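The two problems in this thread (resolution failing inside the jail, and ping needing allow.raw_sockets) can both be read straight off the jail's ezjail config and its resolv.conf. The script below is an added example, not code from the thread or from ezjail: a hypothetical audit helper that parses the jail_<name>_ip and jail_<name>_parameters lines of an ezjail config plus the jail's resolv.conf, flags a nameserver that is loopback or one of the jail's own addresses (inside a jail 127.0.0.1 is mapped to the jail's first IP, and no resolver listens there, which is why every fetch above ends in "No address record"), and reports whether allow.raw_sockets is set together with the jail(8) trade-off quoted earlier. It never runs jls or jexec; with two arguments it reads those files, with none it runs on a constructed sample that mirrors the jail posted above.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ezjail jail's DNS and raw-socket
# settings offline from the ezjail config file and the jail's resolv.conf.
# Hypothetical helper; it only reads the two files passed as arguments (or the
# constructed sample below when run without arguments).

# jail_ips CONF: print the addresses in jail_<name>_ip="if|addr,if|addr"
jail_ips() {
    sed -n 's/^export jail_[A-Za-z0-9_]*_ip="\([^"]*\)"/\1/p' "$1" |
        tr ',' '\n' | sed 's/^[^|]*|//; s,/.*,,'
}

# jail_nameservers RESOLV: nameserver addresses from resolv.conf (comments skipped)
jail_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# has_raw_sockets CONF: succeed if allow.raw_sockets=1 is in jail_<name>_parameters
has_raw_sockets() {
    grep -q 'jail_[A-Za-z0-9_]*_parameters=".*allow\.raw_sockets=1' "$1"
}

# check_jail_dns CONF RESOLV: one line per nameserver; fails if any nameserver is
# loopback or one of the jail's own addresses, since no resolver answers there
# from inside the jail. An external resolver must still accept queries from the
# jail's IPs (the unbound access-control point made earlier in the thread).
check_jail_dns() {
    conf=$1 resolv=$2 bad=0
    ips=$(jail_ips "$conf")
    for ns in $(jail_nameservers "$resolv"); do
        case $ns in
        127.*|::1)
            echo "BAD  $ns: loopback inside the jail, no resolver listens there"
            bad=1; continue ;;
        esac
        for ip in $ips; do
            if [ "$ns" = "$ip" ]; then
                echo "BAD  $ns: this is the jail's own address"
                bad=1; continue 2
            fi
        done
        echo "OK   $ns: external resolver; its access control must allow:" $ips
    done
    return $bad
}

# check_raw_sockets CONF: report the jail(8) trade-off for allow.raw_sockets
check_raw_sockets() {
    if has_raw_sockets "$1"; then
        echo "NOTE allow.raw_sockets=1: ping/traceroute work, but jail root may open raw sockets (jail(8) caveat)"
    else
        echo "INFO allow.raw_sockets unset: ping reports 'Operation not permitted'; raw sockets stay blocked"
    fi
}

# demo: constructed sample (not real files) mirroring the jail and resolv.conf posted above
demo() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/ghsotbsd_www" <<'EOF'
export jail_ghsotbsd_www_ip="lo1|127.0.2.1,em0|192.99.188.34"
export jail_ghsotbsd_www_parameters="allow.raw_sockets=1"
EOF
    cat >"$tmp/resolv.conf" <<'EOF'
# Generated by resolvconf
# nameserver 213.186.33.99
nameserver 127.0.2.1
options edns0
EOF
    if check_jail_dns "$tmp/ghsotbsd_www" "$tmp/resolv.conf"; then
        echo "DNS: ok"
    else
        echo "DNS: point resolv.conf at a resolver reachable from the jail's IPs"
    fi
    check_raw_sockets "$tmp/ghsotbsd_www"
    rm -rf "$tmp"
}

if [ $# -eq 2 ]; then
    check_jail_dns "$1" "$2"; check_raw_sockets "$1"
elif [ $# -eq 0 ]; then
    demo
fi
```

On the host this would be run as `sh jail-audit.sh /usr/local/etc/ezjail/ghsotbsd_www /usr/home/jails/ghsotbsd_www/etc/resolv.conf`; on the configuration posted above it reports 127.0.2.1 as BAD, and it only reports OK for a resolver that is neither loopback nor one of the jail's addresses, while reminding you that such a resolver still has to allow queries from the jail's IPs.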
 