General Hello and SSH issue in jail

Hello,

Just wanted to introduce myself because I'm going to be around here fairly frequently. My name is Russ - er, @dinsdale - and I am a Windows developer that has just started delving into FreeBSD. I've really been pleased by the great documentation and I think I'm drunk with the power of Unix! I've re-purposed my mother's old Athlon X2 computer, stolen some memory from a computer scrap pile from work (2GB DDR2 5300, sweeeet!) and seem to have a pretty decent little computer here. I've set up Samba 4 as a PDC for my laptop (why, because I can and I don't have to pay! ahhhahahahah!) and created a jail to run serviio because it's got a Windows phone app for my Lumia 800.

All that seems to be going well but I have run into a problem connecting to the jail when I start it from rc.conf. My network adapter doesn't have an IP address (although if I run jls from the host it shows it with an IP). If I kill that jail and re-create it, I get my network connection working again. I have to then restart sshd manually in order to get that working. I assume there is something basic I'm missing in rc.conf?

Code:
root@serviio:/# cat /etc/rc.conf
sshd_enable="YES"

serviio_enable="YES"
serviio_args=-Dserviio.remoteHost=172.23.153.50

hald_enable="YES"
dbus_enable="YES"
php_fpm_enable="YES"
nginx_enable="YES"

Anyway, thanks in advance to any suggestions.

Russ
 
You don't give enough information to even make a guess as to what is going on.

For starters: what is the host using? Do you have one or two network interface cards ("NICs")? If you have two then it would be helpful to know how the network accessibility to the host operates; does that work normally? Actually, it would be helpful to know this either way ;) Also, is the network connection using a static or dynamic IP address? That can make quite a difference as well.

Also, you said you started your jail using rc.conf, but you don't show us anything about that configuration; please do.

Although it may look as if your problem is focussed around the jail (I assume as much from your comment that restarting sshd, which I think you're doing from within the jail, actually fixes things), it really is a bit too early to draw such conclusions.

For example, when DHCP is involved it could actually be a timing-related issue.
 
dinsdale said:
Hello,

[...]

Anyway, thanks in advance to any suggestions.

Russ

Hi.

Assuming a single IP in a VPS and the sysutils/ezjail utility:

  • Issue:
    Code:
    ifconfig lo1 create
    ifconfig lo1 alias 10.0.0.1 netmask 0xffffffff
    vi /etc/rc.conf
  • Add:
    Code:
    cloned_interfaces="lo1"
    ifconfig_lo1="inet 10.0.0.254 netmask 0xffffff00"
    ifconfig_lo1_alias0="inet 10.0.0.1 netmask 0xffffffff"
    ezjail_enable="YES"
  • Add a rule to /etc/pf.conf:
    Code:
    # NAT the whole lo1 subnet, not only the host-side 10.0.0.254,
    # otherwise the jail at 10.0.0.1 gets no outbound translation
    nat pass on em0 from 10.0.0.0/24 to any -> em0
    rdr pass on em0 proto tcp from any to em0 port ssh -> 10.0.0.1
  • Reload PF rules:
    Code:
    pfctl -f /etc/pf.conf
  • Create, start and access jail:
    Code:
    ezjail-admin create folsom 10.0.0.1
    cp /etc/resolv.conf /usr/jails/folsom/etc/
    service ezjail start
    ezjail-admin console folsom

Assuming local network at home (em0 is the NIC on the LAN):
  • Issue:
    Code:
    ifconfig em0 alias 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.255
    vi /etc/rc.conf
  • Add:
    Code:
    ifconfig_em0_alias0="inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.255"
    ezjail_enable="YES"
  • Create, start and access jail:
    Code:
    ezjail-admin create folsom 10.0.0.1
    cp /etc/resolv.conf /usr/jails/folsom/etc/
    service ezjail start
    ezjail-admin console folsom
Hope that helps.
 
Great, thanks for all the input.

FreeBSD version (host and jail): FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC

Network configuration: I have one 100 Mbps NIC. I'm using a static IP address on both the host and the jail (172.23.153.55 and 172.23.153.50 respectively) and DNS is from the samba4 installation on the host. There is no issue with the host network connection before or after the required jail restart. I am able to SSH into the host system without issue.


Jails "helper" programs:
I am starting the jail following the instructions from the handbook. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-build.html

This is the rc.conf from the host:

Code:
$ cat /etc/rc.conf
hostname="sylvester"
ifconfig_nfe0="inet 172.23.153.55 netmask 255.255.255.0"
defaultrouter="172.23.153.65"
ifconfig_nfe0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
nginx_enable="YES"
samba4_enable="YES"
sendmail_enable="NO"
inetd_flags="-wW -a 172.23.153.55"
rpcbind_enable="NO"


#Jails
jail_enable="YES"
jail_list="serviio"

jail_serviio_rootdir="/jails/svc/serviio"     # jail's root directory
jail_serviio_hostname="serviio"  # jail's hostname
jail_serviio_ip="172.23.153.50/24"           # jail's IP address
jail_serviio_devfs_enable="YES"          # mount devfs in the jail
#not sure what this line does yet...
#jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail
And finally, jail.conf:

Code:
~$ cat /etc/jail.conf
serviio {
        path = /jails/svc/serviio;
        mount.devfs;
        host.hostname = serviio;
        ip4.addr = 172.23.153.50/24;
        interface = nfe0;
        exec.start = "/bin/tcsh";
        exec.stop = "/bin/tcsh";
}

Edit:
Okay, I've re-started the host. I have no virtual interface for the jail, even though the jls command shows an IP.

(host)
Code:
 ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.55 netmask 0xffffff00 broadcast 172.23.153.255
        inet6 fe80::3ac6:c4ff:fe8f:1300%nfe0 prefixlen 64 scopeid 0x3
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Code:
 jls
   JID  IP Address      Hostname                      Path
     1  172.23.153.50   serviio                       /jails/svc/serviio
I log into the jail and don't see any IP address for the interface in the jail.
Code:
ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>

But if I kill the jail and restart it manually I get a good network connection.

Code:
rhaley@sylvester:~$ sudo jail -c serviio
serviio: created
serviio jail:
Code:
root@serviio:/#  ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.50 netmask 0xffffff00 broadcast 172.23.153.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>

host:
Code:
rhaley@sylvester:~$ ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.55 netmask 0xffffff00 broadcast 172.23.153.255
        inet6 fe80::3ac6:c4ff:fe8f:1300%nfe0 prefixlen 64 scopeid 0x3
        inet 172.23.153.50 netmask 0xffffff00 broadcast 172.23.153.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Thanks,
Dinsdale
 
Okay, thanks for the qjail and ezjail suggestions. If I have to re-create a jail I'll look into using them. I like the idea that they both save disk space.
 
You have no local IP assigned to your jail on your NIC.

On your host issue:
Code:
ifconfig nfe0 alias 172.23.153.50 netmask 0xffffffff broadcast 172.23.153.255

and add the following line to your host /etc/rc.conf file:
Code:
ifconfig_nfe0_alias0="inet 172.23.153.50 netmask 0xffffffff broadcast 172.23.153.255"

And you should be good.
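Added example (editor's code, not from any participant in this thread): a check that turns the diagnosis above into something you can run against the host rc.conf before rebooting. It reads the rc.conf posted earlier in the thread (embedded below as constructed sample input, trimmed to the lines that matter) and reports every jail whose address nothing on the host will create at boot. jail(8) can only use addresses that already exist on a host interface, and the FreeBSD 9.x /etc/rc.d/jail script reads rc.conf variables only (jail.conf support in that script arrived with 10.0), adding the jail address as an alias itself only when jail_<name>_interface or jail_interface names an interface. The check takes no side in the /24 versus /32 question; it only asks whether the address exists. Function and variable names are the example's own.

```python
"""Consistency check between jail_* definitions and the ifconfig_* lines of an
rc.conf(5) file: does anything create each jail's IPv4 address on the host?

Added example for this thread, not code posted by any participant.
"""
import ipaddress
import re
import shlex

ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
IFCONFIG = re.compile(r'^ifconfig_([a-z]+[0-9]+)(?:_alias[0-9]+)?$')


def parse_rc_conf(text):
    """Read KEY="VALUE" assignments; a later assignment overrides an earlier
    one, as when sh sources the file.  shlex strips the quotes and the
    trailing '# comment' seen on the jail_* lines."""
    conf = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        parts = shlex.split(raw, comments=True)
        conf[key] = parts[0] if parts else ''
    return conf


def interface_addresses(conf):
    """IPv4 addresses rc.conf configures per interface, from ifconfig_<if> and
    ifconfig_<if>_alias<N>.  Accepts 'inet A netmask M' (dotted or 0x hex)
    and 'inet A/P'; a bare 'inet A' is recorded as /32."""
    addrs = {}
    for key, val in conf.items():
        m = IFCONFIG.match(key)
        if not m:
            continue
        words = val.split()
        try:
            addr = words[words.index('inet') + 1]
        except (ValueError, IndexError):
            continue                      # DHCP, inet6 or options-only entry
        if 'netmask' in words:
            mask = words[words.index('netmask') + 1]
            if mask.lower().startswith('0x'):
                mask = str(ipaddress.IPv4Address(int(mask, 16)))
            addr = f'{addr}/{mask}'
        elif '/' not in addr:
            addr = f'{addr}/32'
        addrs.setdefault(m.group(1), []).append(ipaddress.IPv4Interface(addr))
    return addrs


def check_jails(conf):
    """Return [(jail, problem)]; empty when every jail address will exist."""
    present = {a.ip for lst in interface_addresses(conf).values() for a in lst}
    problems = []
    for name in conf.get('jail_list', '').split():
        spec = conf.get(f'jail_{name}_ip', '')
        if not spec:
            problems.append((name, f'jail_{name}_ip is not set'))
            continue
        jail_ip = ipaddress.IPv4Interface(spec if '/' in spec else f'{spec}/32').ip
        # rc.d/jail (9.x) adds the alias itself only when this names an interface
        iface = conf.get(f'jail_{name}_interface') or conf.get('jail_interface')
        if jail_ip in present or iface:
            continue
        problems.append((name, f'{jail_ip} is configured on no host interface '
                               f'and jail_{name}_interface is unset'))
    return problems


# Constructed sample: the host rc.conf posted in this thread, trimmed, before
# and after the alias line suggested in the replies.
RC_CONF_BEFORE = '''\
hostname="sylvester"
ifconfig_nfe0="inet 172.23.153.55 netmask 255.255.255.0"
defaultrouter="172.23.153.65"
ifconfig_nfe0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
inetd_flags="-wW -a 172.23.153.55"
jail_enable="YES"
jail_list="serviio"
jail_serviio_rootdir="/jails/svc/serviio"     # jail's root directory
jail_serviio_hostname="serviio"  # jail's hostname
jail_serviio_ip="172.23.153.50/24"           # jail's IP address
jail_serviio_devfs_enable="YES"          # mount devfs in the jail
'''
RC_CONF_AFTER = RC_CONF_BEFORE + 'ifconfig_nfe0_alias0="inet 172.23.153.50/32"\n'

if __name__ == '__main__':
    for label, text in (('before', RC_CONF_BEFORE), ('after', RC_CONF_AFTER)):
        print(label, check_jails(parse_rc_conf(text)) or 'OK')
```

Run it against /etc/rc.conf on the host (`check_jails(parse_rc_conf(open('/etc/rc.conf').read()))`); a manual `jail -c` that reads jail.conf's `interface =` line will still work whatever it reports, which is exactly why the boot-time failure is easy to miss.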
 
nanotek said:
You have no local IP assigned to your jail on your NIC.

On your host issue:
ifconfig nfe0 alias 172.23.153.50 netmask 0xffffffff broadcast 172.23.153.255

and add the following line to your host /etc/rc.conf file:
Code:
ifconfig_nfe0_alias0="inet 172.23.153.50 netmask 0xffffffff broadcast 172.23.153.255"

And you should be good.

If you're using a 0xffffffff netmask for the alias address you should not force the broadcast address at the same time. Let the system do its thing and assign a suitable broadcast address. In this case the correct broadcast address is the alias address itself, 172.23.153.50. This should always be enough in rc.conf:

Code:
ifconfig_nfe0_alias0="inet 172.23.153.50/32"

Use of the CIDR notation also gets rid of the complex hex notation and is easier to read.
 
Okay, halfway there...

Thanks @nanotek and @kpa. I added
Code:
ifconfig_nfe0_alias0="inet 172.23.153.50/24"
to my /etc/rc.conf file. After a reboot I can SSH into my jail, but the DNS service in Samba4 on the host stopped working.

smb4.conf

Code:
# Global parameters

[global]
        workgroup = HIGHFELL
        realm = HIGHFELL.HOME
        netbios name = SYLVESTER
        server role = active directory domain controller
        dns forwarder = 172.23.153.65
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/db/samba4/sysvol/highfell.home/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[media]
        path = /mnt/media
        read only = No


host ifconfig

Code:
 ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.55 netmask 0xffffff00 broadcast 172.23.153.255
        inet6 fe80::3ac6:c4ff:fe8f:1300%nfe0 prefixlen 64 scopeid 0x3
        inet 172.23.153.50 netmask 0xffffff00 broadcast 172.23.153.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Just to confirm, when I manually restart the jail and SSH into the jail, DNS on the host still works. Host network configuration after a manual restart of the jail:

Code:
 ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.55 netmask 0xffffff00 broadcast 172.23.153.255
        inet6 fe80::3ac6:c4ff:fe8f:1300%nfe0 prefixlen 64 scopeid 0x3
        inet 172.23.153.50 netmask 0xffffff00 broadcast 172.23.153.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I suspect this may be a http://www.samba.org/ question?
Thanks,
Dinsdale
 
The alias has to be added with a /32 netmask if there's already an address on the interface from the same subnet. FreeBSD has a peculiar routing implementation compared to other UNIX-like systems that forces you to use /32 netmask on such aliases (note that IPv6 aliases don't suffer from the same limitation). Just use this line from my previous post in rc.conf

Code:
ifconfig_nfe0_alias0="inet 172.23.153.50/32"
 
Bummer, I still don't have any DNS. I modified the alias in rc.conf to use the /32 netmask and modified my jail configuration as well. As follows:

Code:
cat /etc/rc.conf
hostname="sylvester"
ifconfig_nfe0="inet 172.23.153.55 netmask 255.255.255.0"
ifconfig_nfe0_alias0="inet 172.23.153.50/32"
defaultrouter="172.23.153.65"
ifconfig_nfe0_ipv6="inet6 accept_rtadv"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
nginx_enable="YES"
samba4_enable="YES"
sendmail_enable="NO"
inetd_flags="-wW -a 172.23.153.55"
rpcbind_enable="NO"


#Jails
jail_enable="YES"
jail_list="serviio"

jail_serviio_rootdir="/jails/svc/serviio"     # jail's root directory
jail_serviio_hostname="serviio"  # jail's hostname
jail_serviio_ip="172.23.153.50/32"           # jail's IP address
jail_serviio_devfs_enable="YES"          # mount devfs in the jail
#not sure what this line does yet...
#jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail

ifconfig from the host:

Code:
ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.55 netmask 0xffffff00 broadcast 172.23.153.255
        inet6 fe80::3ac6:c4ff:fe8f:1300%nfe0 prefixlen 64 scopeid 0x3
        inet 172.23.153.50 netmask 0xffffffff broadcast 172.23.153.50
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Any other suggestions?
 
Hey @kpa, I see you're from Finland. Do you have a Jolla phone yet? Do you know anybody that does? I'm dying to know what they're like and how well they run Android. I have the Sailfish emulator and Qt IDE on my laptop at work but I haven't done anything with it yet except play with the UI (still learning WP and BB10). One of my many "wish list" projects is to load Mer on a Sony phone like an Xperia Arc (which is apparently very doable because the "Android" kernel is compatible and Sony provides flash utilities and basebands!).

(Sorry for the aside...)

Cheers,
dinsdale
 
Nope, I haven't really considered updating from my Nokia N8 yet. It still works well enough even though Nokia practically has dropped all support for its Symbian phones. My next phone when I'm forced to buy a new one will be most likely an iPhone.
 
Ah hahaha! Got it. The answer was in the /usr/local/etc/smb4.conf file. I needed to define the interface/addresses for the smbd and nmbd processes. The Handbook mentioned this would be an issue when setting up jails.

The reference is here:
http://www.sloop.net/smb.conf.html (look up bind interface only and interface)

cat /usr/local/etc/smb4.conf
Code:
# Global parameters
[global]
        workgroup = HIGHFELL
        realm = HIGHFELL.HOME
        netbios name = SYLVESTER
        server role = active directory domain controller
        bind interfaces only = yes
        interfaces = 172.23.153.55/24
        dns forwarder = 172.23.153.65
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/db/samba4/sysvol/highfell.home/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

[media]
        path = /mnt/media
        read only = No

Cheers,

Dinsdale.

p.s. @kpa, the N8 is one of my favorite all-time phones. Right up there with the Motorola Razr V8. It would be neat to see Nokia revise the design with Windows Phone and Office on it. How slick would that be? I wonder if it's flashable with an Android mod?
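Added example (editor's code, not from any participant): the Samba fix above pins one daemon to the host address; this script makes the same check for every host listener. With 172.23.153.50 aliased on nfe0, any host daemon bound to the wildcard address also answers on the jail's address: for a port nothing in the jail listens on, the host service is what a client of the jail IP reaches, and where the jail does have its own listener, the host service takes over the moment that listener is down. The script parses `sockstat -4 -l` output and reports each wildcard listener with what it exposes. The two sockstat samples are constructed to match this thread's addresses and services, not captured from the poster's machine, and all names in the code are the example's own.

```python
"""Audit host listeners from `sockstat -4 -l` output on a FreeBSD jail host.

Added example for this thread, not code from any participant.  Reports every
daemon bound to the wildcard address, since a jail address aliased on the
host NIC is reachable through such a bind.  Per-daemon fixes: inetd -a (as
in the thread), Samba `interfaces` + `bind interfaces only = yes`,
sshd_config ListenAddress, nginx `listen 172.23.153.55:80`.
"""
from collections import namedtuple

Finding = namedtuple('Finding', 'command pid proto local reason')


def parse_sockstat(output):
    """Rows of (user, command, pid, fd, proto, local, foreign) from sockstat(1)
    output; the first line is the column header and is skipped."""
    rows = []
    for line in output.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7 or ':' not in fields[5]:
            continue                      # malformed row or '?' local address
        rows.append(tuple(fields[:7]))
    return rows


def audit_listeners(output, jail_addrs):
    """One Finding per wildcard listener, given the jail addresses aliased on
    the host.  Specific binds, to a host or a jail address, are left alone."""
    jail_addrs = set(jail_addrs)
    rows = parse_sockstat(output)
    # (proto, port) -> jail addresses that have their own listener there
    jail_bound = {}
    for _user, _cmd, _pid, _fd, proto, local, _foreign in rows:
        addr, port = local.rsplit(':', 1)
        if addr in jail_addrs:
            jail_bound.setdefault((proto, port), set()).add(addr)
    findings = []
    for _user, command, pid, _fd, proto, local, _foreign in rows:
        addr, port = local.rsplit(':', 1)
        if addr != '*':
            continue
        covered = jail_bound.get((proto, port), set())
        notes = []
        exposed = sorted(jail_addrs - covered)
        if exposed:                       # nothing in the jail owns the port
            notes.append('answers on jail address ' + ', '.join(exposed))
        if covered:                       # the jail's bind wins only while it is up
            notes.append('fallback for '
                         + ', '.join(f'{a}:{port}' for a in sorted(covered))
                         + ' whenever the jail listener is down')
        reason = 'wildcard bind' + ('; ' + '; '.join(notes) if notes else '')
        findings.append(Finding(command, int(pid), proto, local, reason))
    return findings


# Constructed samples in sockstat -4 -l layout: host daemons on the wildcard
# address (before) and pinned to the host address 172.23.153.55 (after); the
# last row is the jail's own sshd in both.
SOCKSTAT_BEFORE = '''\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1187  3  tcp4   *:22                  *:*
root     samba      1260  24 tcp4   *:53                  *:*
root     samba      1260  25 udp4   *:53                  *:*
root     nginx      1301  6  tcp4   *:80                  *:*
root     inetd      1340  4  tcp4   172.23.153.55:21      *:*
root     sshd       2044  3  tcp4   172.23.153.50:22      *:*
'''
SOCKSTAT_AFTER = '''\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1187  3  tcp4   172.23.153.55:22      *:*
root     samba      1260  24 tcp4   172.23.153.55:53      *:*
root     samba      1260  25 udp4   172.23.153.55:53      *:*
root     nginx      1301  6  tcp4   172.23.153.55:80      *:*
root     inetd      1340  4  tcp4   172.23.153.55:21      *:*
root     sshd       2044  3  tcp4   172.23.153.50:22      *:*
'''

if __name__ == '__main__':
    for label, sample in (('before', SOCKSTAT_BEFORE), ('after', SOCKSTAT_AFTER)):
        print(label)
        for f in audit_listeners(sample, {'172.23.153.50'}) or ['no wildcard listeners']:
            print('  ', f)
```

On a live host feed it `subprocess.run(['sockstat', '-4', '-l'], capture_output=True, text=True).stdout` and the set of jail addresses from jls; re-run after each daemon is pinned until the list is empty.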
 
kpa said:
nanotek said:
[...] On your host issue:
ifconfig nfe0 alias 172.23.153.50 netmask 0xffffffff broadcast 172.23.153.255
[...]

If you're using a 0xffffffff netmask for the alias [...] Let the system do its thing and assign a suitable broadcast address. [...] the correct broadcast address is the alias address itself, 172.23.153.50.

[...]

Use of the CIDR notation also gets rid of the complex hex notation and is easier to read.

Thanks for the advice, @kpa. On my VPSs I don't assign a broadcast to my aliases created on a cloned device; however, they are typically provided one, which matches the format of the assignments they're given (x.x.x.255) when I do provide the broadcast address for my aliases on the active NIC on my server at home; both methods appear to operate the same. I also prefer the same hex format used in my rc.conf that ifconfig outputs; it keeps things looking consistent, thus easy to parse.


kpa said:
The alias has to be added with a /32 netmask if there's already an address on the interface from the same subnet.
[...]

I think you'll find that since a certain version [0] of FreeBSD, this is no longer necessary, i.e. a /24 assignment works fine.

[0] Can't recall which; it was brought to my attention in one of the FreeBSD mailing lists.


dinsdale said:
Okay, halfway there...

Thanks @nanotek and @kpa. I added
Code:
ifconfig_nfe0_alias0="inet 172.23.153.50/24"
to my /etc/rc.conf file. After a reboot I can SSH into my jail, but the DNS service in Samba4 on the host stopped working.

[...]

Code:
 ifconfig
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 38:c6:c4:8f:13:00
        inet 172.23.153.55 netmask 0xffffff00 broadcast 172.23.153.255
        inet6 fe80::3ac6:c4ff:fe8f:1300%nfe0 prefixlen 64 scopeid 0x3
        inet 172.23.153.50 netmask 0xffffff00 broadcast 172.23.153.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

[...]

I suspect this may be a http://www.samba.org/ question?
Thanks,
Dinsdale

Dinsdale, I don't use samba and am not qualified to provide the solution. But, I suspect that it is a samba problem now caused by the new aliases. The experts (@SirDice, @kpa, @wblock, @ShelLuser, etc) should be able to work this one out easily enough.
 