I'm shifting my gateway from 14.2 to 15.0 and the gateway runs a number of applications (statically compiled) in jails of their own. What I have encountered with a clean fresh install of 15 (that's absent in both 14.2 (current gateway) and 14.3 (testbed)) is that processes that are forked by jail(8) during jail creation fail with SIGSEGV, in my case when ifconfig(8) is run by jail(8) to create an IP alias, and mount(8) run by the same to mount devfs. If I do those manually as root myself prior to starting the jail, jail(8) does create a functioning jail. This is what happens:-
Code:
# uname -a
FreeBSD gateway 15.0-RELEASE FreeBSD 15.0-RELEASE releng/15.0-n280995-7aedc8de6446 GENERIC amd64
# ifconfig ixv0
ixv0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
ether 58:9c:fc:10:55:29
inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
groups: ingress
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# file /jails/unbound-1/unbound
/jails/unbound-1/unbound: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), statically linked, for FreeBSD 15.0 (1500068), FreeBSD-style, with debug_info, not stripped
when I attempt to bring up the jail from the command line:-
Code:
# jail -c path=/jails/unbound-1 host.hostname=unbound ip4.addr=192.0.2.2 interface=ixv0 mount.devfs devfs_ruleset=10 command=/unbound -c /unbound-1.conf
jail: /sbin/ifconfig ixv0 inet 192.0.2.2 netmask 255.255.255.255 alias: exited on signal 11
truss -f on the same command gives
Code:
8331: __sysctl("sysctl.oidfmt security.jail.param.devfs_ruleset",6,0x1cc39e423ebc,0x1cc39e423e40,0x0,0) = 0 (0x0)
8389: <new process>
8331: fork() = 8389 (0x20c5)
8331: kqueue() = 3 (0x3)
8389: SIGNAL 11 (SIGSEGV) code=SEGV_MAPERR trapno=12 addr=0x0
8331: kevent(3,{ 8389,EVFILT_PROC,EV_ADD,NOTE_EXIT,0,0x0 },1,0x0,0,0x0) = 0 (0x0)
8389: process killed, signal = 11 (core dumped)
8331: kevent(3,0x0,0,{ 8389,EVFILT_PROC,EV_ONESHOT|EV_CLEAR|EV_EOF,NOTE_EXIT,0x8b,0x0 },1,0x0) = 1 (0x1)
8331: wait4(8389,0x0,WNOHANG,0x0) = 8389 (0x20c5)
jail: 8331: write(2,"jail: ",6) = 6 (0x6)
/sbin/ifconfig ixv0 inet 192.0.2.2 netmask 255.255.255.255 alias: exited on signal 11 8331: write(2,"/sbin/ifconfig ixv0 inet 192.0"...,85) = 85 (0x55)
8331: write(2,"\n",1) = 1 (0x1)
8331: _exit(0x1)
8331: process exit, rval = 1
However, when I create the alias manually, jail(8) now trips up on mount(8)ing of devfs:-
Code:
# ifconfig ixv0 inet 192.0.2.2/32 alias
# jail -c path=/jails/unbound-1 host.hostname=unbound ip4.addr=192.0.2.2 mount.devfs devfs_ruleset=10 command=/unbound -c /unbound-1.conf
jail: /sbin/mount -t devfs -oruleset=10 . /jails/unbound-1/dev: exited on signal 11
with the failure following the same pattern:-
Code:
9969: __sysctl("sysctl.oidfmt security.jail.param.devfs_ruleset",6,0xcabe32219ec,0xcabe3221970,0x0,0) = 0 (0x0)
9969: fstatat(AT_FDCWD,"/jails/unbound-1/dev",{ mode=drwxr-xr-x ,inode=730063,size=512,blksize=32768 },AT_SYMLINK_NOFOLLOW) = 0 (0x0)
10122: <new process>
9969: fork() = 10122 (0x278a)
9969: kqueue() = 3 (0x3)
9969: kevent(3,{ 10122,EVFILT_PROC,EV_ADD,NOTE_EXIT,0,0x0 },1,0x0,0,0x0) = 0 (0x0)
10122: SIGNAL 11 (SIGSEGV) code=SEGV_MAPERR trapno=12 addr=0x0
10122: process killed, signal = 11 (core dumped)
9969: kevent(3,0x0,0,{ 10122,EVFILT_PROC,EV_ONESHOT|EV_CLEAR|EV_EOF,NOTE_EXIT,0x8b,0x0 },1,0x0) = 1 (0x1)
9969: wait4(10122,0x0,WNOHANG,0x0) = 10122 (0x278a)
jail: 9969: write(2,"jail: ",6) = 6 (0x6)
/sbin/mount -t devfs -oruleset=10 . /jails/unbound-1/dev: exited on signal 11 9969: write(2,"/sbin/mount -t devfs -oruleset=1"...,77) = 77 (0x4d)
9969: write(2,"\n",1) = 1 (0x1)
9969: _exit(0x1)
9969: process exit, rval = 1
but when I also mount devfs manually, the jail gets created just fine and works:-
Code:
# mount -t devfs -oruleset=10 . /jails/unbound-1/dev/
# jail -c path=/jails/unbound-1 host.hostname=unbound ip4.addr=192.0.2.2 command=/unbound -c /unbound-1.conf
# jls
JID IP Address Hostname Path
9 192.0.2.2 unbound /jails/unbound-1
and just to check that it works, on a different box:-
Code:
$ nslookup
> server 192.0.2.2
Default server: 192.0.2.2
Address: 192.0.2.2#53
> google.com
Server: 192.0.2.2
Address: 192.0.2.2#53
Non-authoritative answer:
Name: google.com
Address: 142.250.140.139
Name: google.com
Address: 142.250.140.113
Name: google.com
Address: 142.250.140.100
Name: google.com
Address: 142.250.140.138
Name: google.com
Address: 142.250.140.102
Name: google.com
Address: 142.250.140.101
Name: google.com
Address: 2a00:1450:4009:c0b::66
Name: google.com
Address: 2a00:1450:4009:c0b::8a
Name: google.com
Address: 2a00:1450:4009:c0b::71
Name: google.com
Address: 2a00:1450:4009:c0b::64
>
Clearly, something's changed between 14 and 15 that's causing fork()ed commands to fail with SIGSEGV when being called by jail(8), and I'm clearly missing what's changed or how to fix that... Any ideas?
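
A triage helper for traces like the two in the post, added here as an example and not part of the original post: it reads `truss -f` output and reports, for each forked child, its parent, how many system calls it made, whether it reached execve, and any fatal signal. The function names and the second child (pid 8400) in the sample are constructed for illustration.

```shell
# Summarise `truss -f` output: one line per forked child (parent, syscalls, execve, signal).
summarize_truss() {
    awk '
    $1 !~ /^[0-9]+:$/ { next }               # skip interleaved stderr text
    { pid = $1; sub(/:$/, "", pid) }
    $2 == "<new" { order[++n] = pid; next }  # "<new process>": a forked child
    $2 == "SIGNAL" {                         # SIGNAL 11 (SIGSEGV) code=.. addr=..
        sig[pid] = $4; gsub(/[()]/, "", sig[pid])
        for (i = 5; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "code") code[pid] = kv[2]
            if (kv[1] == "addr") addr[pid] = kv[2]
        }
        next
    }
    $2 ~ /^[A-Za-z0-9_]+\(/ {                # a system call line
        name = $2; sub(/\(.*/, "", name)
        calls[pid]++
        if (name == "execve") ran[pid] = 1
        if (name ~ /^(fork|vfork|rfork|pdfork)$/ && match($0, /\) = [0-9]+/))
            parent[substr($0, RSTART + 4, RLENGTH - 4)] = pid
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]
            printf "pid=%s parent=%s syscalls=%d execve=%s signal=%s code=%s addr=%s\n",
                p, (p in parent ? parent[p] : "?"), calls[p] + 0,
                (p in ran ? "yes" : "no"), (p in sig ? sig[p] : "-"),
                (p in code ? code[p] : "-"), (p in addr ? addr[p] : "-")
        }
    }'
}

# Sample input: the pid 8389 lines are from the post; pid 8400 is constructed.
sample_trace() {
    cat <<'EOF'
8389: <new process>
8331: fork() = 8389 (0x20c5)
8389: SIGNAL 11 (SIGSEGV) code=SEGV_MAPERR trapno=12 addr=0x0
8389: process killed, signal = 11 (core dumped)
jail: 8331: write(2,"jail: ",6) = 6 (0x6)
8400: <new process>
8331: fork() = 8400 (0x20d0)
8400: execve("/bin/true",0x0,0x0) = 0 (0x0)
EOF
}

sample_trace | summarize_truss
```

A child reported with `syscalls=0 execve=no` took the signal before the trace recorded any system call of its own, which is the pattern both traces in the post show.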