jails jail not getting an ip address

Hi there. I installed the jails in FreeBSD.

Path:
Code:
pwd
/usr/home/jails/www

Code:
sysrc jail_enable="YES"
jail_enable: NO -> YES

My ip address:
Code:
 ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.23.45 netmask 0xffffff00 broadcast 192.168.23.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

/etc/rc.conf
Code:
 cat /etc/rc.conf
hostname="host"
ifconfig_em0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
jail_enable="YES"

/etc/jail.conf
Code:
 cat /etc/jail.conf
www {
    host.hostname = dia2.az;           # Hostname
    ip4.addr = 192.168.23.101;                   # IP address of the jail
    path = "/usr/home/jails/www";                    # Path to the jail
    mount.devfs;                               # Mount devfs inside the jail
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
}

Then
Code:
root@host:/home/jails/www # service jail start www
Starting jails: www.
root@host:/home/jails/www # jls
   JID  IP Address      Hostname                      Path
     1  192.168.23.101  dia2.az                       /usr/home/jails/www
root@host:/home/jails/www # jexec 1 csh
root@dia2:/ # ping 8.8.8.8
ping: ssend socket: Operation not permitted

Also
Code:
root@dia2:/ # pkg install nginx
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure
Address resolution failed for http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly.
Consider changing PACKAGESITE.

Code:
root@dia2:/ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo


Looks like jail is not getting an ip address. What should I do?
 
Looks like jail is not getting an ip address. What should I do?
Set in /etc/jail.conf
Code:
www {
    ...
    interface = em0;
    ...
}

root@dia2:/ # ping 8.8.8.8
ping: ssend socket: Operation not permitted
For ping(8) to work in a jail the allow.raw_sockets parameter must be set.

jail(8)
Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.

pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly/Latest/pkg.txz: Non-recoverable resolver failure
Address resolution failed for http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly.
Besides no IP being assigned inside the jail because of the missing interface parameter, the DNS resolver is probably also not configured inside the jail. Copy the host's /etc/resolv.conf to /usr/home/jails/www/etc, then start the jail.
 
Set in /etc/jail.conf
Code:
www {
    ...
    interface = em0;
    ...
}


For ping(8) to work in a jail the allow.raw_sockets parameter must be set.

jail(8)
Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.


Besides no IP being assigned inside the jail because of the missing interface parameter, the DNS resolver is probably also not configured inside the jail. Copy the host's /etc/resolv.conf to /usr/home/jails/www/etc, then start the jail.
my ip:
Code:
root@host:~ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.83.45 netmask 0xffffff00 broadcast 192.168.83.255
        inet 192.168.23.101 netmask 0xffffffff broadcast 192.168.23.101
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

/etc/resolv.conf
Code:
root@host:~ # cat /etc/resolv.conf
# Generated by resolvconf
nameserver 192.168.83.176

/etc/rc.conf
Code:
root@host:~ # cat /etc/rc.conf
hostname="host"
ifconfig_em0="DHCP"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
jail_enable="YES"

/etc/jail.conf
Code:
root@host:/ # cat /etc/jail.conf
www {
    host.hostname = dia2.az;           # Hostname
    interface="em0";
    ip4.addr = 192.168.23.101;                   # IP address of the jail
    path = "/usr/home/jails/www";                    # Path to the jail
    mount.devfs;                               # Mount devfs inside the jail
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
    allow.raw_sockets;
}

/usr/home/jails/www/etc/resolv.conf
Code:
root@host:~ # cat /usr/home/jails/www/etc/resolv.conf
# Generated by resolvconf
nameserver 192.168.83.176

/usr/home/jails/www/etc/rc.conf
Code:
root@host:~ # cat /usr/home/jails/www/etc/rc.conf
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

Code:
root@host:~ # service jail restart www
Stopping jails: www.
Starting jails: www.

Code:
root@host:~ # jls
   JID  IP Address      Hostname                      Path
     2  192.168.23.101  dia2.az                       /usr/home/jails/www
root@host:~ # jexec 2 csh
root@dia2:/ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.23.101 netmask 0xffffffff broadcast 192.168.23.101
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
root@dia2:/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
14 packets transmitted, 0 packets received, 100.0% packet loss

Code:
root@dia2:/ # pkg install nginx
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...


Looks like jail is not installing any package
 
IP address is outside of the host's network. Where are you sending its packets to? I'm going to bet the packets are actually leaving em0 (due to the host's default gateway) but there's just no return path for the responses. In other words, check your modem/router. If you want to keep things simple, assign an address to the jail in the same subnet as the host (192.168.83.0/24).

Network packets don't magically know the way back to where they came from. You have to configure routing and subnetting correctly. Not only for the packets going out but also for the response packets coming back.
 
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.83.45 netmask 0xffffff00 broadcast 192.168.83.255
        inet 192.168.23.101 netmask 0xffffffff broadcast 192.168.23.101
You have network mask 32 for Jail IP, and mask 24 for Host IP.
In Jail config file you can set network mask too, like this:
Code:
 ip4.addr = "192.168.23.101/24";
 
If you want to keep things simple, assign an address to the jail in the same subnet as the host (192.168.83.0/24).
I would do the same as SirDice says.
This is the easy way.
If you want to keep the Jail on a different subnet then you will most likely have to use PF firewall for NAT, etc.
 
Code:
root@host:~ # cat /etc/jail.conf
www {
    host.hostname = dia2.az;           # Hostname
    interface="em0";
    ip4.addr = 192.168.83.0/24;                   # IP address of the jail
    path = "/usr/home/jails/www";                    # Path to the jail
    mount.devfs;                               # Mount devfs inside the jail
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
    allow.raw_sockets;
}

Like that?
 
root@host:~ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.83.45 netmask 0xffffff00 broadcast 192.168.83.255
        inet 192.168.23.101 netmask 0xffffffff broadcast 192.168.23.101
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
I don't know exactly which IP is free in your sub network 192.168.83.0/24.
Use for your Jail IP something like this 192.168.83.x/24, for example 192.168.83.50
Code:
 ip4.addr = 192.168.83.50/24;                   # IP address of the jail
 
I don't know exactly which IP is free in your sub network 192.168.83.0/24.
Use for your Jail IP something like this 192.168.83.x/24, for example 192.168.83.50
Code:
 ip4.addr = 192.168.83.50/24;                   # IP address of the jail
Code:
root@host:~ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.254.40 netmask 0xffffff00 broadcast 192.168.254.255
        inet 192.168.83.0 netmask 0xffffff00 broadcast 192.168.83.255
        inet 192.168.83.50 netmask 0xffffff00 broadcast 192.168.83.255
        inet 192.168.254.50 netmask 0xffffff00 broadcast 192.168.254.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@host:~ # cat /etc/jail.conf
www {
    host.hostname = dia2.az;           # Hostname
    interface="em0";
    ip4.addr = 192.168.254.50/24;                   # IP address of the jail
    path = "/usr/home/jails/www";                    # Path to the jail
    mount.devfs;                               # Mount devfs inside the jail
    exec.start = "/bin/sh /etc/rc";            # Start command
    exec.stop = "/bin/sh /etc/rc.shutdown";    # Stop command
    allow.raw_sockets;
}
root@host:~ # service jail restart www
Stopping jails: www.
Starting jails: www.
root@host:~ # jls
   JID  IP Address      Hostname                      Path
     4  192.168.254.50  dia2.az                       /usr/home/jails/www
root@host:~ # jexec 4 csh
root@dia2:/ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.254.50 netmask 0xffffff00 broadcast 192.168.254.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo

Code:
root@dia2:/ # ifconfig
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
        ether 08:00:27:d6:a8:80
        inet 192.168.254.50 netmask 0xffffff00 broadcast 192.168.254.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
root@dia2:/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=239.181 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=117 time=367.803 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=117 time=66.515 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=117 time=454.063 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=117 time=414.386 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=117 time=381.245 ms
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 66.515/320.532/454.063/131.467 ms
root@dia2:/ # pkg install nginx
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly/Latest/pkg.txz: No address record
Address resolution failed for http://pkg.FreeBSD.org/FreeBSD:13:amd64/quarterly.
Consider changing PACKAGESITE.
 
Running dhclient in my jail resolved a similar situation for me.

Code:
root@dia2:/etc # service dhclient status em0
dhclient is not running.
root@dia2:/etc # service dhclient start em0
'em0' is not a DHCP-enabled interface
 
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
ether 08:00:27:d6:a8:80
inet 192.168.254.40 netmask 0xffffff00 broadcast 192.168.254.255
inet 192.168.83.0 netmask 0xffffff00 broadcast 192.168.83.255
inet 192.168.83.50 netmask 0xffffff00 broadcast 192.168.83.255
inet 192.168.254.50 netmask 0xffffff00 broadcast 192.168.254.255
Hi, Nicat
Why do you have 4 IPs on NIC em0?
I don't understand your networks...
Before you had IP 192.168.23.45 then 192.168.83.45 and now 192.168.254.40 on your NIC em0.
What you need to do is to assign an IP address to your Jail from the same subnet as the IP of your host machine.
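
The same-subnet advice given in this thread, as an added example that is not part of any post: a POSIX sh check that takes the host's first inet line from ifconfig output (FreeBSD prints the mask in hex) and classifies a candidate ip4.addr value. The function names and the sample text are constructed here; the sample uses the host address 192.168.83.45/24 and the three ip4.addr values tried earlier in the thread.

```shell
#!/bin/sh
# Convert dotted-quad A.B.C.D to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Read ifconfig output on stdin; print "ADDR HEXMASK" for the first inet
# line of interface $1 (FreeBSD prints masks as 0xffffff00).
host_inet() {
    awk -v ifn="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }
        cur == ifn && $1 == "inet" { print $2, $4; exit }'
}

# check_jail_addr HOST_IP HOST_HEXMASK JAIL_ADDR[/PREFIX]
# Compares against the host's mask; a /PREFIX on the jail address is ignored.
# Prints one verdict: ok | off-subnet | network-address | broadcast-address
check_jail_addr() {
    host=$(ip_to_int "$1")
    mask=$(( $2 ))
    jail=$(ip_to_int "${3%/*}")
    net=$(( host & mask ))
    bcast=$(( net | (~mask & 0xffffffff) ))
    if [ $(( jail & mask )) -ne "$net" ]; then echo off-subnet
    elif [ "$jail" -eq "$net" ]; then echo network-address
    elif [ "$jail" -eq "$bcast" ]; then echo broadcast-address
    else echo ok
    fi
}

# Constructed sample: host em0 reduced to its first inet line.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 08:00:27:d6:a8:80
        inet 192.168.83.45 netmask 0xffffff00 broadcast 192.168.83.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Print a verdict for each candidate ip4.addr value tried in the thread.
report() {
    set -- $(printf '%s\n' "$SAMPLE_IFCONFIG" | host_inet em0)
    for cand in 192.168.23.101 192.168.83.0/24 192.168.83.50/24; do
        echo "$cand $(check_jail_addr "$1" "$2" "$cand")"
    done
}
report
```

On a live host, pipe `ifconfig` into `host_inet em0` instead of the sample text and pass the result to `check_jail_addr` before restarting the jail.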
 