Cannot run fping in jail - (null): can't create raw socket (must run as root?) : Protocol not supported

boris_net

Member

Thanks: 3
Messages: 89

#1
Hi all,

Could somebody help me understand the workaround mentioned in bug.229903 to run fping in a jail?

I have the following jail created by iocage with raw sockets allowed.

Code:
iocage get all mon
CONFIG_VERSION:16
allow_chflags:0
allow_mlock:0
allow_mount:1
allow_mount_devfs:0
allow_mount_fusefs:0
allow_mount_nullfs:1
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:1
allow_tun:0
available:readonly
basejail:no
boot:on
bpf:no
children_max:0
cloned_release:12.0-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:172.27.0.254
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:mon
host_hostuuid:mon
host_time:yes
hostid:95ea72f8-065c-0000-726b-8ebb5b6ae68c
hostid_strict_check:off
interfaces:vnet0:bridge0
ip4:new
ip4_addr:bge3|172.27.2.4/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/mon/data
jail_zfs_mountpoint:none
last_started:2019-01-05 17:15:18
login_flags:-f root
mac_prefix:f872ea
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:12.0-RELEASE-p1
reservation:none
resolver:/etc/resolv.conf
rlimits:off
rtsold:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:off
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock:off

Inside the jail:

Code:
root@mon:~ # uname -a
FreeBSD mon 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64
root@mon:~ # sysctl -a | grep socket
kern.ipc.maxsockets: 1044976
kern.ipc.numopensockets: 85
net.inet.tcp.functions_inherit_listen_socket_stack: 1
security.jail.param.allow.socket_af: 0
security.jail.param.allow.raw_sockets: 0
security.jail.allow_raw_sockets: 1
security.jail.socket_unixiproute_only: 1

And running fping:

Code:
root@mon:~ # fping
(null): can't create raw socket (must run as root?) : Protocol not supported

root@mon:~ # ls -lai /usr/local/sbin/fping
167430 -r-sr-xr-x  1 root  wheel  48056 Dec 20 14:33 /usr/local/sbin/fping

When I configure fping with IPv6 disabled, as recommended, I get fping working for IPv4.

How should I proceed if I wanted to use fping for IPv6?
 

ShelLuser

Son of Beastie

Thanks: 1,648
Messages: 3,501

#2
First time I heard of fping, which begs the question: what happens if you use ping and/or ping6?
 

ShelLuser

Son of Beastie

Thanks: 1,648
Messages: 3,501

#4
> I have not tried ping6 as my jail is not numbered in IPv6 yet.

Then why assume up front that it won't work if you haven't even tried it yet?

Also note that the bug report mentions that you'll need IPv6 support either way in order to have it work for IPv4 as well, the other fix seems to be merely a workaround. Ergo: I'd try this again after you set up IPv6.
 
boris_net

Member

Thanks: 3
Messages: 89

#5
> Then why assume up front that it won't work if you haven't even tried it yet?
>
> Also note that the bug report mentions that you'll need IPv6 support either way in order to have it work for IPv4 as well, the other fix seems to be merely a workaround. Ergo: I'd try this again after you set up IPv6.

Because IPv4 does not work with IPv6 enabled in fping and I don't see how IPv6 will work with IPv6 disabled at the time of compiling.
So it is not a question of testing but more a question of logic beyond what looks like a workaround in the bug rather than a fix unless I read the bug report in a wrong way.
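
Added example, not part of the thread and not fping's own code: a small C probe that opens the IPv4 and IPv6 raw ICMP sockets separately and reports the errno of each, so the family that produces "Protocol not supported" inside the jail can be identified. It assumes the failing call is the IPv6 raw socket, which is inferred from the report above that an fping built without IPv6 works for IPv4; the names `probe_raw`, `classify` and `report` are made up for this example.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum probe_result { PROBE_OK, PROBE_NOT_PERMITTED, PROBE_FAMILY_UNAVAILABLE, PROBE_OTHER };

/* Try to open one raw socket; return 0 on success or the errno on failure. */
int probe_raw(int family, int protocol)
{
    int fd = socket(family, SOCK_RAW, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map an errno from probe_raw() to the kind of failure it indicates. */
enum probe_result classify(int err)
{
    switch (err) {
    case 0:               return PROBE_OK;
    case EPERM:
    case EACCES:          return PROBE_NOT_PERMITTED;      /* caller may not open raw sockets */
    case EPROTONOSUPPORT: /* "Protocol not supported", the message seen in the thread */
    case EAFNOSUPPORT:    return PROBE_FAMILY_UNAVAILABLE;
    default:              return PROBE_OTHER;
    }
}

static void report(const char *name, int family, int protocol)
{
    static const char *text[] = { "ok", "not permitted",
                                  "address family/protocol unavailable", "other error" };
    int err = probe_raw(family, protocol);
    printf("%-4s raw ICMP socket: %s", name, text[classify(err)]);
    if (err)
        printf(" (%s)", strerror(err));
    putchar('\n');
}

int main(void)
{
    report("IPv4", AF_INET, IPPROTO_ICMP);    /* socket used for ICMP echo */
    report("IPv6", AF_INET6, IPPROTO_ICMPV6); /* socket used for ICMPv6 echo */
    return 0;
}
```

Run it as root inside the jail and compare the two lines: an "ok" for IPv4 next to "address family/protocol unavailable" for IPv6 points at the jail's IPv6 configuration rather than at the raw-socket permission.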
 