Solved How to have network access inside a Linux jail?

Deleted member 63539 (thread starter)

Here is my jail.conf:

Code:
LINUX {
        host.hostname = "LINUX.jail";
        interface = re0;
        ip4.addr = 192.168.1.10;
        path = /LINUX;
        persist;

        mount.devfs;
        mount.fstab = /etc/fstab.LINUX;

        allow.mount;
        allow.mount.devfs;
}
The jail currently can't access the internet:

Code:
root@LINUX:/# ping -c 3 genk.vn
ping: socket: Protocol not supported
Please help. Thanks.
 

SirDice

Administrator

Ping is not allowed by default in a jail.

Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.  If this is
                     set, the source IP addresses are enforced to comply with
                     the IP address bound to the jail, regardless of whether
                     or not the IP_HDRINCL flag has been set on the socket.
                     Since raw sockets can be used to configure and interact
                     with various network subsystems, extra caution should be
                     used where privileged access to jails is given out to
                     untrusted parties.
See jail(8).
 
Deleted member 63539 (OP)


> Ping is not allowed by default in a jail.
>
> Code:
>              allow.raw_sockets
>                      The jail root is allowed to create raw sockets.  Setting
>                      this parameter allows utilities like ping(8) and
>                      traceroute(8) to operate inside the jail.  If this is
>                      set, the source IP addresses are enforced to comply with
>                      the IP address bound to the jail, regardless of whether
>                      or not the IP_HDRINCL flag has been set on the socket.
>                      Since raw sockets can be used to configure and interact
>                      with various network subsystems, extra caution should be
>                      used where privileged access to jails is given out to
>                      untrusted parties.
> See jail(8).
What about apt?

Code:
root@LINUX:/# apt update
Err:1 http://ftp.debian.org/debian stretch InRelease
  Could not resolve 'ftp.debian.org'
Err:2 http://security.debian.org stretch/updates InRelease
  Could not resolve 'security.debian.org'
Err:3 http://www.deb-multimedia.org stretch InRelease
  Could not resolve 'www.deb-multimedia.org'
Err:4 http://ftp.debian.org/debian stretch-updates InRelease
  Could not resolve 'ftp.debian.org'
Err:5 https://repo.sparkylinux.org core InRelease
  Could not resolve host: repo.sparkylinux.org
Err:6 https://repo.sparkylinux.org oldstable InRelease
  Could not resolve host: repo.sparkylinux.org
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: Failed to fetch http://ftp.debian.org/debian/dists/stretch/InRelease  Could not resolve 'ftp.debian.org'
W: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease  Could not resolve 'security.debian.org'
W: Failed to fetch http://ftp.debian.org/debian/dists/stretch-updates/InRelease  Could not resolve 'ftp.debian.org'
W: Failed to fetch http://www.deb-multimedia.org/dists/stretch/InRelease  Could not resolve 'www.deb-multimedia.org'
W: Failed to fetch https://repo.sparkylinux.org/dists/core/InRelease  Could not resolve host: repo.sparkylinux.org
W: Failed to fetch https://repo.sparkylinux.org/dists/oldstable/InRelease  Could not resolve host: repo.sparkylinux.org
W: Some index files failed to download. They have been ignored, or old ones used instead.
The jail doesn't have /etc/hosts or /etc/resolv.conf. I think these things are managed by NetworkManager on Linux now. But as I extracted it from the live file system, it doesn't have these set up already. Please check my jail.conf to see if there are any errors. If it's fine, then it's the jail itself that caused the problem, and I will search how to set up networking on Linux without NetworkManager myself. Thanks.
 

mjollnir

Daemon


1st make sure the network works without name resolution. E.g. set up a service (sshd(8) or an MTA) and connect to the jail given only the IP number (or put that in the host's /etc/hosts). You did not set a netmask in jail.conf(5). Make sure the default is OK, else set the network mask. Beware that any packet filter rules on the host might interfere. For the test, switch them off.
 
Deleted member 63539 (OP)


This jail networking stuff is too hard. I give up.

If I had known Linux jails are completely unsupported, I would not even have attempted to try. This also explains why there is nothing about Linux jails in the handbook.
 

Phishfry

Son of Beastie


This how-to works:
 
Deleted member 63539 (OP)


mjollnir Phishfry I just deleted a bunch of bookmarks to documents and tutorials about jails and Linux jails, and I confirm to you two that I have read both of those threads and none of them worked. Let me give more information on why I just give up rather than keep on trying: in dmesg, whenever I run ifconfig inside the jail, it prints an error about a feature not being implemented; meanwhile the ifconfig commands all fail with SIOCSIFADDR: Invalid argument, and the ip commands are even worse, they never worked, always Cannot open netlink socket: Address family not supported by protocol. So do you think I should keep on trying or just give up? Which is better?
 

mjollnir

Daemon


While IMHO there's no reason to install a Linux jail on a personal computer running FreeBSD except for cross-development -- you can install all major services on native FreeBSD -- I cannot believe all those links are that outdated. Maybe try an older Debian version before you give up completely. A quick search may reveal more valuable information. CloneOS author(s) make a living from that knowledge, so I'd say it might be worth trying harder.
 

_martin

Aspiring Daemon


Short answer: personally I'd give it up and use the other VM possibilities that FreeBSD offers, should you need a native Linux environment.
 
Deleted member 63539 (OP)


> While IMHO there's no reason to install a Linux jail on a personal computer running FreeBSD except for cross-development -- you can install all major services on native FreeBSD -- I cannot believe all those links are that outdated. Maybe try an older Debian version before you give up completely. A quick search may reveal more valuable information. CloneOS author(s) make a living from that knowledge, so I'd say it might be worth trying harder.

These tutorials are just duplications of the two forum threads you previously mentioned. The fact is that the information about Linux jails is very limited indeed. Most of the questions regarding them on these forums are about networking (just like this one), and I saw they mostly go nowhere.

> There is a reason Linux jails are completely unsupported and it's not ease of use…

If I had seen shkhln's post earlier, I would not even have bothered to try.
 
Deleted member 63539 (OP)


> There is a bit about Linux jails in the wiki: https://wiki.freebsd.org/LinuxJails. However, this is an advanced topic for people who know exactly what they want. Linux jails are mostly useful for debugging Linuxulator itself and, maybe, some complex enterprise server applications.

Didn't find this when I tried. But the wiki page clearly states that it only applies to 13-CURRENT. So it's not for me. I'm still on 11.4-p1. BTW, it doesn't mention how to set up networking for the jail in detail. I have /etc/resolv.conf copied from the host too, but it didn't work for me. The message ifconfig printed in dmesg is very clear: feature not implemented. So giving up is the right answer for me.
 
Deleted member 63539 (OP)


> ifconfig is not supposed to work at all.

Then, how? I got my base system by extracting a live squashfs image. As you know, networking on Linux is configured by NetworkManager, so networking has not been configured in this jail at all yet. How do I configure networking inside the jail without using ifconfig?

P.S.: To be clear, it's the Linux ifconfig of the jail, not the ifconfig of the host.
 

shkhln

Daemon


You aren't dealing with the Linux kernel. Linux network management tools do not quite fit FreeBSD, so Linuxulator doesn't bother to support the interfaces they rely upon, such as the PF_NETLINK protocol. In general, if something is not required for actual end user applications, it's out of scope.
 
Deleted member 63539 (OP)


Sorry everyone for the mess I have created. I switched from taking my Linux jail's base from SparkyLinux to antiX Linux, and everything now works. It works fine indeed. Let me clarify: now I think there are no problems with the two tutorial threads everyone mentioned. The way I and they got the base for our jails is different, but the same jail.conf (I adapted it from them, not my previous jail.conf) worked for both of us.

Then, as I remember, Sparky uses systemd and antiX uses SysVinit. Did you all notice that my jail.conf lacked exec.start and exec.stop? That is what caused the problem. A bunch of startup scripts need to be run to come up with a working system. Without them, the jail is no different from another /compat/linux for us to chroot (or jexec) into.

I don't think the fault is systemd's, though. Someone with enough knowledge about it could choose the appropriate exec.start and exec.stop, and I think it should work too. The fact is that antiX uses SysVinit, so I could reuse the exec.start and exec.stop of the tutorial. If it used another init system, then, the same as in the systemd situation, I would have no idea how to choose the appropriate exec.start and exec.stop for it!

Problem SOLVED. Sorry everyone, and thanks for being patient with me. FreeBSD rocks!

P.S.: the Linux jail's speed is much, much better than a Linux VM under bhyve or VirtualBox. I have the Linux build environment up and running now.
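As an added example (not code from this thread or from any poster), a small POSIX sh lint that checks a jail.conf(5) block for the points raised above before the jail is started: allow.raw_sockets for ping, exec.start and exec.stop, a netmask on ip4.addr, and an /etc/resolv.conf under the jail path. The sample configuration it runs on is constructed to mirror the original post's jail.conf.

```shell
#!/bin/sh
# Added example, not a poster's code: lint a jail.conf(5) block for the
# networking pitfalls discussed in this thread before starting a Linux jail.
#   allow.raw_sockets   ping needs raw sockets, which jails deny by default
#   exec.start/stop     without them no init scripts run (the OP's root cause)
#   ip4.addr prefix     no /prefix means the default netmask applies
#   etc/resolv.conf     missing in the jail root, so apt could not resolve names
# Usage: jail_conf_lint <jail.conf> <jail root>
# Prints one line per finding; the return value is the number of findings.
jail_conf_lint() {
    conf=$1; root=$2; n=0
    for key in allow.raw_sockets exec.start exec.stop; do
        re=$(printf '%s' "$key" | sed 's/\./\\./g')      # make the dots literal
        if ! grep -Eq "^[[:space:]]*${re}[[:space:]]*(=|;|\$)" "$conf"; then
            echo "MISSING: $key not set in $conf"; n=$((n + 1))
        fi
    done
    if grep -Eq '^[[:space:]]*ip4\.addr[[:space:]]*=' "$conf" &&
       ! grep -Eq '^[[:space:]]*ip4\.addr[[:space:]]*=[^;]*/[0-9]+' "$conf"; then
        echo "CHECK: ip4.addr has no netmask prefix; confirm the default or add one"
        n=$((n + 1))
    fi
    if [ ! -f "$root/etc/resolv.conf" ]; then
        echo "MISSING: $root/etc/resolv.conf, so names will not resolve"; n=$((n + 1))
    fi
    return $n
}

# Constructed sample: the original post's jail.conf against an empty jail root
# (mount.fstab and allow.mount.devfs omitted; they do not affect the checks).
demo=$(mktemp -d)
mkdir -p "$demo/root/etc"
cat > "$demo/jail.conf" <<'EOF'
LINUX {
        host.hostname = "LINUX.jail";
        interface = re0;
        ip4.addr = 192.168.1.10;
        path = /LINUX;
        persist;
        mount.devfs;
        allow.mount;
}
EOF
jail_conf_lint "$demo/jail.conf" "$demo/root" || echo "$? finding(s) to fix"
rm -rf "$demo"
```

Run it against the real file and jail path on the host (e.g. /etc/jail.conf and /LINUX); a line such as `allow.raw_sockets = 0;` is counted as set, so the lint only catches parameters that are absent, not ones explicitly disabled.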
 