ISC-Dhcpd + Jail

Greetings!


I am running into an issue with dhcpd where the service starts just fine ( no errors in logs ) but will not hand out addresses.

I have built a simple jail using Ezjail, isc-dhcpd was built with rawsockets enabled. Also i have added a devfs rule to specifically allow my dhcpd jail to use bpf. Since I'm using sockets the devfs rule isnt needed but for now its there if i need it. Tcpdump shows the dhcp request from my client but the server will not hand out addresses. Also the sysctl that referneces jail sockets is set to 1. I cant think of any reason why this should not work - I hope DNS will work when I set it up.


Any ideas?


I can provide configs if need be however FreeBSD is not something thats new to me :)

Also, running 8.0-RELEASE, I do have a custom kernel but everything is GENERIC aside from my added pf and vesa options.

Sorry for grammer in huge hurry!

-Eric
 
I cannot think of anything else but 8 has new networking stack to communicate between jail. Jails can now have its own firewall and routing too. You need to add 'options VIMAGE' to kernel config and build it again. See jail(8) and epair(4) man pages.
 
i was curious as to whether this solved your problem?

Also, have you tried dnsmasq? That's the program i use for dhcp on my FreeBSD router
 
Wonslung -

I am not sure yet - my kernel is still rebuilding. My hardware is an embedded mini ITX VIA bored with a 1000 MHZ proc, so my build time is kinda slow :p When its done I will test and post results.
 
Update:

I added options VIMAGE to my kernel, and disabled SCTP. I am able to notice that my jails seem to have their own network stack via VNET. I know this because when I try to vnet a jail via ifconfig it tells me its already set. I thought maybe the ezjail framework might not add the vnet option by default, but it looks like it does. Netstat however does not work due to device mem. I suppose I need to add this to my kernel to view routing tables. The orgional issue of dhcpd not handing out addresses seems to remain. I did play with the epair driver set but this seems to be mainly used for child jails (I could be wrong). I once again can see the dhcp request via tcpdump but nothing is handed out. Also I can see all my physical interfaces in my jails (previously before VIMAGE i was not able too). When I try to set or pull ips for these interfaces I get permission denied errors. I must be missing something or perhaps I don't quite understand how to use epair. I went ahead and created another test jail after the kernel recompile. It too has the same issues.

To give an overview of what was done see below:



WAN = vr0
LAN = vr1

Code:
BEFORE VIMAGE


ifconfig vr1 alias 10.0.0.10 netmask 255.255.255.0

ezjail-admin create Dhcpd 10.0.0.10

Start Jail and verify its running via jls...

SSH into jail...

cp /etc/resolv.conf /usr/jails/Dhcpd/etc

Toss this in the jail's rc.conf...


rpc_bind_enable="NO"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
defautrouter="10.0.0.1"
early_late_divider="NETWORKING"

Remove the jails /usr/ports and create a /usr/ports dir

On the host:  mount_nullfs /usr/src /usr/jails/Dhcpd/usr/ports

Now jail can use hosts ports...

On Host set the sysctl for jail raw sockets to 1..

Install isc-dhcpd31-server w/ Jail socket support

Edit /usr/local/etc/dhcpd.conf

Use /usr/local/rc.d/isc-dhcpd script to start service..

Verify service is running on jail via sockstat -4

Plug test machine into vr1 and try to pull an IP... request goes out but nothing comes back.
After VIMAGE the same steps were applied however i was not able to access the outside world from the jail, as stated above I can see the hosts physical interfaces from the jail but cant assign addresses. There for could not install dhcpd or use ports.

Questions:

Could someone explain the proper use of epair w/ examples

Am I missing something?

Comments:

I understand epair and vnet are still in testing periods and are to be used with caution.



Thanks guys - I appreciate the help.
 
Update II

Still trying to figure this out - I did was able to get netstat working by adding a devfs.rules entry similar to my bpf entry.

Code:
add path 'mem*' unhide

I believe not being able to get to the ouside world has something to do with my misuse of epair - not totally sure however. I am running out of ideas to try =/
 
My quest to get basic network services to work inside a jail has come a little further. Thanks to the guys at basbased.com they were able to provide a How Too with Epair and VIMAGE.

http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto


I still am tweaking the setup to get it to work correctly. I have found a few issues that will need to be dealt with. When building jails manually with vnet I can ping between jails. I cant however get outside to the world. Regardless if i use epair or not. I will continue to update this thread when I have it completely working. I would suggest looking at the how to posted above as it is the most complete, and nearly only information you can find on the topic. Since these features are so new there isnt much information about them that I can find.
 
Figured I'd update this thread to help any other people having similar issues.

I was never able to get jails working correctly with dhcpd via VIMAGE. I ended up removing VIMAGE from my kernel and using regular jails. I was able to figure out my orgional issue as to dhcpd not handing out address. if you compile isc-dhcpd WITH SOCKETS instead of BPF it WILL NOT WORK. Granted I've added a devfs rule to allow my jail to access bpf. However it will not work with sockets. I was able to discover this when building test jails and using pkg_add instead of compiling. By default isc-dhcpd is built WITHOUT socket support. After discovering that my tests jails handed out addresses i was able to figure out the issue.
 
Did you test with the security.jail.allow_raw_sockets sysctl as well? Don't know if it applies to this particular socket type.
 
DD -

I sure did - I tested with and without that sysctl set. The results seem to have no affact on weather that is set. If you run dhcpd in a jail, and compile it with sockets it doesnt seem to work.


I have only tested on ONE system but for shits I'll go ahead and test on another platform.
 
Back
Top