dhcpd within ezjail

kuyaedz

New Member


Messages: 7

We've been running FreeBSD at my office for some time now. Currently we've got all of our internal services running on a few 6.2 installations, including tinydns, dhcpd, etc.

In order to document and better familiarize myself with the setup I've tried duplicating the services and setup within a few jails at home. The only issue I've run into is that I can't seem to get dhcpd to run properly within the jail.

I can start the service and it shows that it is running within top, but when I tell another machine on the LAN to ask for an address I get no feedback from dhcpd. Nothing in the logs, and no response to the client.

Does anyone have dhcpd running within jails that might be able to offer some tips?
 

simon@

New Member
Developer

Reaction score: 1
Messages: 1

Hey

While trying to solve the same issue I came across this post so I thought I might as well post a solution here.

One way to do this is to explictly allow BPF in the jail running the DHCP server.

On the host running the jails add the following to /etc/devfs.rules (the file might not already exist).

Code:
[devfsrules_jail_bpf=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
For the specific jail set it to use the new ruleset. E.g. I use ezjail so for my dhcp0 jail I change in /usr/local/etc/ezjail/dhcp0.

Code:
export jail_dhcp0_devfs_ruleset="devfsrules_jail"
to

Code:
export jail_dhcp0_devfs_ruleset="devfsrules_jail_bpf"
and restart the jail.

Do note that this will basically allow anything in that jail to use BPF which at least allows the jail to listen to all network traffic which the host can see, and probably also to send any type of network packet. This of course does reduce the security isolation of the jail, but for me that was still an acceptable solution.

Now I just need to find a way to do it entirely with sockets and no BPF since I use DHCP relay agent, but I haven't had time to do that yet, and the above solution works...

Simon
 
Top