jails no internet inside jails added an ipv4 address same problem

[sixpiece]

Hello I am having a problem no internet inside jail and added an ipv4 address...

 

[SirDice]

How To Ask Questions The Smart Way; Be precise and informative about your problem

 

[sixpiece]

I don't believe that this answers the question... there is no internet inside the jail. anyways let's start with this :

root@hydroponique:~ # pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/Latest/pkg.txz: No address record
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
root@hydroponique:~ #

root@hydroponique:~ # ifconfig
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
ether retracted
inet 10retracted 77 netmask 0xffffffff broadcast 10retracted 7
inet6 20retracted 3:103::1 prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
root@hydroponique:~ #

root@hydroponique:~ # ping google.com
ping: ssend socket: Operation not permitted
root@hydroponique:~ #

 

[Bobi B.]

I believe SirDice meant you simply did not provide enough information for the rest of us to be helpful.

No address record

typically means missing /etc/resolv.conf inside the jail. Test with host freebsd.org. However that also depends on a proper network configuration.

ping: ssend socket: Operation not permitted

is usually due to RAW sockets not been enabled for a jail (allow.raw_sockets in jail.conf(5); check jail(8)). Instead, test with printf "GET /\r\n\r\n" | nc freebsd.org 80.

 

[sixpiece]

I believe SirDice meant you simply did not provide enough information for the rest of us to be helpful.

typically means missing /etc/resolv.conf inside the jail. Test with host freebsd.org. However that also depends on a proper network configuration.

is usually due to RAW sockets not been enabled for a jail (allow.raw_sockets in jail.conf(5); check jail(8)). Instead, test with printf "GET /\r\n\r\n" | nc freebsd.org 80.

this is very interesting what you are telling me, how would you install mysql for example in a jail without allowing raw sockets?

root@videotron:/etc # jexec 4
# pkg update
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/Latest/pkg.txz: No address record
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
# ping google.com
ping: cannot resolve google.com: Host name lookup failure
# ping google.ca
ping: cannot resolve google.ca: Host name lookup failure
# dhclient vtnet0
ifconfig: up: permission denied
Can't find free bpf: No such file or directory
exiting.
# ifconfig
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
ether 56:00:02:fb:83:4a
inet 104.238.191.77 netmask 0xffffffff broadcast 104.238.191.77
inet6 2001:19f0:6801:ee3:103::1 prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
# dhclient vtnet0
ifconfig: up: permission denied
Can't find free bpf: No such file or directory
exiting.

it didn't solve the issue either adding the line... in jail.conf and rebooting... I would like to ideally firstly see it working just to have a seperate distinct environment in which I could install a website with for example a working version of php, mysql , etc.. that is independent of the host system but I also want to have a seperate distinct environment that I could use to trust others that it will not pose a potential threat to the host system such as a friend who hires an independent web designer and is using my space for hosting services as an example which may mean not allowing raw sockets if I understand it correctly, so I would like to learn the proper form to do this..

 

[SirDice]

how would you install mysql for example in a jail without allowing raw sockets?

Why do you think installing mysql requires raw sockets?

 

[sixpiece]

I was under the misinpretion to believe that allowing raw sockets would solve the issue and then it would be like having a whole new environment.

Can you install mysql in a jail or not? and if so , how the heck does one go about doing so? Can it be done with the package manager?

 

[getopt]

I was under the misinterpretation to believe that allowing raw sockets would solve the issue and then it would be like having a whole new environment.

Well "believing" may help elsewhere or may not. In this case knowledge is preferred.

Asking myself what the OP has read of this

Chapter 17. Jails and Containers

Jails improve on the concept of the traditional chroot environment in several ways

docs.freebsd.org

or jail(8) and how he/she built the jail by hand or with one of the wrapping tools around jails.

how the heck does one go about doing so?

Start reading the docs and cite them when asking questions.

Can it be done with the package manager?

Absolutely, after the configuration of your jail is completed.
sixpiece have you shown us one single line of your jail configurations?

 

[sixpiece]

getopt only : special response section if your username is not getopt you can scroll ahead:

I read the manual in great detail, and specifically chapter 15 : Jails it's a small section I almost have it memorized, without looking at it 15.1-15.5. As well as the Michael Warren's book on Freebsd mastery : Jails, and TCP networking by him 2015. I will check if it's because I didn't do section 15.5.

there's nothing to cite there's nothing from the manual about installing mysql from freebsd. I also read the manual pages on several commands, as well as reviewed their c files in the github repository.

as far as how it can be done with the package manager you did not respectfully answer the question.

all users:

• yes my jail configuration was shown here: https://forums.freebsd.org/threads/no-internet-from-inside-jail.85264/ I added reluctantly the following line to jail.conf ip4.addr = whatever the address is; and ifconfig has acknowledged it.
• The problem is still not solved.

 

[sixpiece]

Section 15.4.3 Fails


root@videotron:/jails # freebsd-update -b /jails/hydroshop/ fetch
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.0-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be added as part of updating to
13.0-RELEASE-p11:
/etc/ssl/blacklisted/080911ac.0
/etc/ssl/blacklisted/0b7c536a.0
/etc/ssl/blacklisted/0c4c9b6c.0
/etc/ssl/blacklisted/116bf586.0
/etc/ssl/blacklisted/1320b215.0
/etc/ssl/blacklisted/26312675.0
/etc/ssl/blacklisted/349f2832.0
/etc/ssl/blacklisted/442adcac.0
/etc/ssl/blacklisted/5a4d6896.0
/etc/ssl/blacklisted/9c2e7d30.0
/etc/ssl/blacklisted/a8dee976.0
/etc/ssl/blacklisted/b1b8a7f3.0
/etc/ssl/blacklisted/c01cdfa2.0
/etc/ssl/blacklisted/c47d9980.0
/etc/ssl/blacklisted/cb59f961.0
/etc/ssl/blacklisted/d853d49e.0
/etc/ssl/blacklisted/dc45b0bd.0
/etc/ssl/blacklisted/ee1365c0.0
/etc/ssl/blacklisted/f90208f7.0
/etc/ssl/certs/002c0b4f.0
/etc/ssl/certs/9482e63a.0
/etc/ssl/certs/b433981b.0
/etc/ssl/certs/b81b93f0.0
/etc/ssl/certs/e35234b1.0
/etc/ssl/certs/fa5da96b.0
/etc/ssl/certs/feffd413.0
/usr/include/c++/v1/barrier
/usr/include/c++/v1/concepts
/usr/include/c++/v1/execution
/usr/include/c++/v1/latch
/usr/include/c++/v1/numbers
/usr/include/c++/v1/semaphore
/usr/include/c++/v1/tr1/barrier
/usr/include/c++/v1/tr1/concepts
/usr/include/c++/v1/tr1/execution
/usr/include/c++/v1/tr1/latch
/usr/include/c++/v1/tr1/numbers
/usr/include/c++/v1/tr1/semaphore
/usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
/usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem
/usr/share/certs/blacklisted/Certum_Root_CA.pem
/usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
/usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem
/usr/share/certs/blacklisted/EC-ACC.pem
/usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
/usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem
/usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
/usr/share/certs/blacklisted/QuoVadis_Root_CA.pem
/usr/share/certs/blacklisted/Sonera_Class_2_Root_CA.pem
/usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
/usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem
/usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
/usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
/usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem
/usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
/usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
/usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
/usr/share/certs/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
/usr/share/certs/trusted/ANF_Secure_Server_Root_CA.pem
/usr/share/certs/trusted/Certum_EC-384_CA.pem
/usr/share/certs/trusted/Certum_Trusted_Root_CA.pem
/usr/share/certs/trusted/GLOBALTRUST_2020.pem
/usr/share/certs/trusted/GlobalSign_Root_E46.pem
/usr/share/certs/trusted/GlobalSign_Root_R46.pem
/usr/share/zoneinfo/Pacific/Kanton
The following files will be updated as part of updating to
13.0-RELEASE-p11:
/bin/freebsd-version
/lib/libalias.so.7
/lib/libcasper.so.1
/lib/libcrypto.so.111
/lib/libz.so.6
/lib/libzpool.so.2
/rescue/[
/rescue/bectl
/rescue/bsdlabel
/rescue/bunzip2
/rescue/bzcat
/rescue/bzip2
/rescue/camcontrol
/rescue/cat
/rescue/ccdconfig
/rescue/chflags
/rescue/chgrp
/rescue/chio
/rescue/chmod
/rescue/chown
/rescue/chroot
root@videotron:/jails # freebsd-update -b /jails/hydroshop/ install
Installing updates...ln: /jails/hydroshop///etc/ssl/blacklisted/080911ac.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/0b7c536a.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/0c4c9b6c.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/116bf586.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/1320b215.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/26312675.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/349f2832.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/442adcac.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/5a4d6896.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/9c2e7d30.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/a8dee976.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/b1b8a7f3.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/c01cdfa2.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/c47d9980.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/cb59f961.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/d853d49e.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/dc45b0bd.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/ee1365c0.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/blacklisted/f90208f7.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/002c0b4f.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/9482e63a.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/b433981b.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/b81b93f0.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/e35234b1.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/fa5da96b.0: No such file or directory
ln: /jails/hydroshop///etc/ssl/certs/feffd413.0: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Certum_Root_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/EC-ACC.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/QuoVadis_Root_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Sonera_Class_2_Root_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/ANF_Secure_Server_Root_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/Certum_EC-384_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/Certum_Trusted_Root_CA.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/GLOBALTRUST_2020.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/GlobalSign_Root_E46.pem: No such file or directory
install: /jails/hydroshop///usr/share/certs/trusted/GlobalSign_Root_R46.pem: No such file or directory
done.
root@videotron:/jails #

not that this was the specific goal but showing that 15.4.3 is a fail it should be obvious

 

[sixpiece]

https://tuprints.ulb.tu-darmstadt.de/6243/1/TR-18.pdf I am reading this to learn what is a raw socket.

also I checked on sysctl variables and need to use that to work so getopt's advice wasn't all bad... I figured as much as that there was something I was not getting...

 

[sixpiece]

thank you the problem is solved . I had to allow sockets through system control and not through jail.conf... my last question would be whether there was other ways to do it but I will maybe open a new thread on this ... sysctl allow sockets=1 something like that from the manual 15.4 ... thank you for the help that was a bit ridiculous... before knowing about other ways to do it I will take the time to learn what sockets are ...

 

[getopt]

From jail(8)

allow.raw_sockets
The jail root is allowed to create raw sockets. Setting
this parameter allows utilities like ping(8) and
traceroute(8) to operate inside the jail. If this is
set, the source IP addresses are enforced to comply with
the IP address bound to the jail, regardless of whether
or not the IP_HDRINCL flag has been set on the socket.
Since raw sockets can be used to configure and interact
with various network subsystems, extra caution should be
used where privileged access to jails is given out to un-
trusted parties.

So jails are expected to work without allowing raw_sockets for a good reason. If you temporarily allow it for debugging ok, but better turn it off again.