Broadcom NIC leads to VNET jails being unable to make DNS requests

So far, the ifconfig suggestions have not allowed DNS to work within my vnet jail.

I also tried a simple ifconfig bge0 -rxcsum first, and that yielded the same results as below.

Before starting [the only] jail:

Code:
[11:58 r7425-01 dvl ~] % sudo ifconfig bge0 -rxcsum -txcsum -vlanhwcsum -vlanhwtso -tso4 promisc
[11:58 r7425-01 dvl ~] % ifconfig bge0                                                          
bge0: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    options=80098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
    ether b0:26:28:b3:5b:38
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

Then I start the jail and txcsum comes back:

Code:
[11:47 r7425-01 dvl ~] % sudo jail -c pkg02                                             
epair47a
pkg02: created

[11:58 r7425-01 dvl ~] % ifconfig bge0     
bge0: flags=1028943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC,LOWER_UP> metric 0 mtu 1500
    options=8009a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
    ether b0:26:28:b3:5b:38
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

My workaround at present: run unbound on the jail host and point the jail at it instead of at an off-server DNS resource.
 
In case it makes it obvious why txcsum comes back on after I start my jail, here is the configuration:

Code:
[11:59 r7425-01 dvl ~] % cat /etc/jail.conf
# Host-wide jail(8) configuration: this file defines no jails itself, it only
# pulls in the site defaults and the per-jail files below.
# Optionally include site specific defaults e.g. the domain to append to jail names.
# NOTE(review): the "[.]" turns the path into a glob pattern — presumably so a
# missing file is skipped instead of being an error; confirm against jail.conf(5).
.include "/usr/local/etc/jail[.]conf";

# Include all files ending in *.conf and all files named jail.conf in subdirectories ending on ".d".
# Every matching file is loaded, including any exec.* hooks it defines, which jail(8)
# runs on the host (as root via sudo in the session above) — keep this directory
# writable by root only.
.include "/usr/local/etc/jail.conf.d/*.conf";
[12:06 r7425-01 dvl ~] %
[12:06 r7425-01 dvl ~] %
[12:06 r7425-01 dvl ~] % cat /usr/local/etc/jail.conf
# Site-wide defaults applied to every jail; a per-jail file in jail.conf.d may
# override them (a plain "=" replaces a value, "+=" appends to it).
$bridge = "bridge0";   # host bridge the a-side of each vnet jail's epair is attached to

$NIC = bge0;   # host NIC; in this setup it is referenced only from a commented-out ip4.addr line — presumably a leftover from a non-vnet configuration

exec.start = "/bin/sh /etc/rc";            # run inside the jail when it starts
exec.stop  = "/bin/sh /etc/rc.shutdown";   # run inside the jail when it stops
exec.clean;            # exec.* commands get a clean environment rather than the invoker's
mount.devfs;           # mount devfs under the jail root
path = /jails/$name;   # jail root directory; $name is the jail's own name

# NOTE(review): raw sockets for every jail is a privilege widening (needed for
# ping/traceroute-style tools); consider setting it only in the jails that need
# it — pkg02 below sets it explicitly anyway.
allow.raw_sockets;

# Host-side logging hooks. A jail definition that uses "exec.prestart = ..."
# (plain "=") replaces these instead of adding to them.
exec.prestart  = "logger trying to start jail $name...";
exec.poststart = "logger jail $name has started";
exec.prestop   = "logger shutting down jail $name";
exec.poststop  = "logger jail $name has shut down";

host.hostname = "$name.int.unixathome.org";
# NOTE(review): /var/tmp is a shared, world-writable directory; a root-owned
# location (e.g. under /var/log) would be a safer home for the console log.
exec.consolelog="/var/tmp/jail.$name";

persist;   # keep the jail alive even when it has no processes
[12:06 r7425-01 dvl ~] %
[12:06 r7425-01 dvl ~] %
[12:06 r7425-01 dvl ~] % cat /usr/local/etc/jail.conf.d/pkg02.conf
# Jail "pkg02": a vnet jail that hosts poudriere, so it carries considerably more
# privilege (nested jails, mounts, mlock, raw sockets, extra address families)
# than a plain service jail would need — review these if the jail is repurposed.
pkg02 {

  allow.mlock; # came in with poudriere upgraded: 3.4.0 -> 3.4.1
  allow.chflags;   # lets the jail change file flags (e.g. schg/uchg)

  # Broad mount privileges — presumably required by poudriere's build jails.
  allow.mount.devfs;
  allow.mount.fdescfs;
  allow.mount.linprocfs;
  allow.mount.nullfs;
  allow.mount.procfs;
  allow.mount.tmpfs;
  allow.mount.zfs=true;
  allow.mount=true;

  allow.raw_sockets;   # also set site-wide in /usr/local/etc/jail.conf
  allow.socket_af;     # permits address families beyond the jail default set

  children.max=250;    # nested jails (poudriere builders) may be created inside this jail

  enforce_statfs=1;

  # Runs on the host once the jail exists: delegate the poudriere dataset to it.
  exec.created+="zfs jail $name  data01/poudriere";
  exec.created+="zfs set jailed=on data01/poudriere";

  # NOTE(review): allow.mount.linprocfs is already enabled above; this re-applies
  # it after start — presumably a workaround, confirm it is still needed.
  exec.poststart  += "jail -m allow.mount.linprocfs=1 name=$name";

  host.domainname=none;

  sysvmsg=new;   # private SysV IPC namespaces for this jail
  sysvsem=new;
  sysvshm=new;

#  ip4.addr = "$NIC|10.55.0.${id}";   # pre-vnet addressing, superseded by "vnet;" below

  vnet;

  # from https://codeberg.org/pkgbase/website/src/branch/main/howto/jails.md
  $gw     = "10.55.0.1";
  $gw6    = "2001:470:8abf:3053:0:0:0:0";   # NOTE(review): defined, but exec.start below adds no IPv6 default route
  $id      = "47";                   # doubles as the epair unit number and the host part of both addresses
  $jepair  = "epair${id}b";          # b-side moves into the jail; a-side stays on the host bridge
  $ipaddr  = "10.55.0.${id}/24";
  $ip6addr = "2001:470:8abf:7055:c348:9dc1:0:${id}/64";

  vnet.interface = "$jepair";
  # Host side ("=" replaces the site-wide logger prestart hook for this jail).
  # The epair is created fresh on every start and destroyed in poststop, so a
  # per-interface tweak such as `ifconfig epair${id}a -txcsum` has to live in this
  # chain to survive a jail restart.
  exec.prestart   = "ifconfig epair${id} create up";
  exec.prestart  += "ifconfig epair${id}a up descr vnet-${name}";
  exec.prestart  += "ifconfig $bridge addm epair${id}a up";

  # Inside the jail ("=" replaces the site-wide exec.start, so rc is re-added last).
  exec.start      = "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start     += "/sbin/ifconfig epair${id}b ${ipaddr}";
  exec.start     += "/sbin/ifconfig epair${id}b inet6 ${ip6addr}";
  exec.start     += "/sbin/route add default ${gw}";
  exec.start     += "/bin/sh /etc/rc";

  # Hand the b-side back to the host before the jail is removed (replaces the site-wide prestop logger).
  exec.prestop    = "ifconfig epair${id}b -vnet ${name}";

  # Host-side cleanup (replaces the site-wide poststop logger).
  exec.poststop   = "ifconfig $bridge deletem epair${id}a";
  exec.poststop  += "ifconfig epair${id}a destroy";
}
 
Oh wait, ding ding ding.

It's not the host NIC; it's the jail's epair NIC that needs -txcsum.

This fixes it (note that exec.prestart above creates the epair afresh on every start and exec.poststop destroys it, so the setting has to be reapplied each time the jail starts):

Code:
[12:07 r7425-01 dvl ~] % ifconfig epair47a
epair47a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vnet-pkg02
    options=20000b<RXCSUM,TXCSUM,VLAN_MTU,RXCSUM_IPV6>
    ether 58:9c:fc:10:52:06
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

[12:08 r7425-01 dvl ~] % sudo ifconfig epair47a -txcsum
[12:08 r7425-01 dvl ~] % sudo ifconfig epair47a       
epair47a: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: vnet-pkg02
    options=200009<RXCSUM,VLAN_MTU,RXCSUM_IPV6>
    ether 58:9c:fc:10:52:06
    groups: epair
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[12:09 r7425-01 dvl ~] %
 