jails ping: socket: Protocol not supported in Jail /compat/linux

I am still struggling with jails in bastille. I wonder if you could help me understand why I cannot ping anywhere out of the jail. It works for my wwwserver jail and mailserver jail, but it doesn't work with the gameserver jail. I have checked the config and there is not much difference between the configs. sysctl.conf has the line:
Code:
security.jail.allow_raw_sockets=1
and my gameserver jail runs ubuntu compatibility linux.
See below conf for wwwserver jail where ping works fine:
Code:
wwwserver {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/wwwserver_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = wwwserver;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/wwwserver/fstab;
  path = /usr/local/bastille/jails/wwwserver/root;
  securelevel = 2;

  allow.raw_sockets=1;
  interface = bce1.1;
  ip4.addr = 10.0.0.1;
  ip6 = disable;
}
and see below conf file for gameserver with ubuntu comp:
Code:
gameserver {
  host.hostname = gameserver;
  mount.fstab = /usr/local/bastille/jails/gameserver/fstab;
  path = /usr/local/bastille/jails/gameserver/root;
  devfs_ruleset = 4;

  exec.start = '/bin/true';
  exec.stop = '/bin/true';
  securelevel = 2;
  persist;

  allow.raw_sockets=1;
  interface = bce1.3;
  ip4.addr = 10.0.0.3;
  ip6 = disable;
}

Every time I try to ping from gameserver jail I get:

ping: socket: Protocol not supported

Please help, tried to solve it for a few days and nothing
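The post above compares the two jail definitions by eye. As an added example (not part of the original thread), this Python script parses jail.conf-style blocks and lists the parameters that differ between two jails. The sample input is constructed from the blocks quoted above, trimmed; `parse_jails`, `diff_jails` and the `IGNORE` list are this example's own names.

```python
import re

# Constructed sample: the two jail blocks quoted in the thread, trimmed to a
# subset of their parameters.
SAMPLE = """
wwwserver {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.start = '/bin/sh /etc/rc';
  mount.devfs;
  allow.raw_sockets=1;
  ip4.addr = 10.0.0.1;
}
gameserver {
  devfs_ruleset = 4;
  exec.start = '/bin/true';
  persist;
  allow.raw_sockets=1;
  ip4.addr = 10.0.0.3;
}
"""

BLOCK = re.compile(r"([\w.-]+)\s*\{(.*?)\}", re.S)
PARAM = re.compile(r"""([\w.]+)\s*(?:=\s*('[^']*'|"[^"]*"|[^;]*?))?\s*;""")

def parse_jails(text):
    """Return {jail: {param: value}}; valueless params (exec.clean;) map to True."""
    text = re.sub(r"#.*", "", text)          # drop '#' comments
    jails = {}
    for name, body in BLOCK.findall(text):
        params = {}
        for key, val in PARAM.findall(body):
            params[key] = val.strip("'\"").strip() if val else True
        jails[name] = params
    return jails

IGNORE = ("host.hostname", "path", "mount.fstab", "ip4.addr", "interface")

def diff_jails(jails, a, b, ignore=IGNORE):
    """Return {param: (value_in_a, value_in_b)} for parameters that differ."""
    keys = (set(jails[a]) | set(jails[b])) - set(ignore)
    return {k: (jails[a].get(k), jails[b].get(k))
            for k in sorted(keys) if jails[a].get(k) != jails[b].get(k)}

if __name__ == "__main__":
    for key, (left, right) in diff_jails(parse_jails(SAMPLE), "wwwserver", "gameserver").items():
        print(f"{key:16} wwwserver={left!r:22} gameserver={right!r}")
```

A value of `None` in the output means the parameter is not set in that jail's block, so the jail(8) default applies.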
 
security.jail.allow_raw_sockets=1
Please stop using that one. It's deprecated in favor of per jail settings (see allow.raw_sockets in jail(8)).

Code:
% sysctl -d security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: Prison root can create raw sockets (deprecated)

Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.  If this is
                     set, the source IP addresses are enforced to comply with
                     the IP address bound to the jail, regardless of whether
                     or not the IP_HDRINCL flag has been set on the socket.
                     Since raw sockets can be used to configure and interact
                     with various network subsystems, extra caution should be
                     used where privileged access to jails is given out to
                     untrusted parties.

Your gameserver jail never boots (exec.start = '/bin/true') and therefore never initializes its network.
 
If it isn't a VNET jail, there's no need to initialize the network inside the jail though.

My guess would be it's the same problem as with other Linux networking tools: FreeBSD's internal interfaces (ioctl, probably?) for them differs from Linux, so these Linux tools just won't work. A workaround is to copy FreeBSD's tools from /rescue (they are linked statically, so will work without a FreeBSD userland installed) over the Linux tools inside the jail.
 
Thanks for the reply, so if the jail never initializes its network, how is the network initialized? The main problem I have is that I am trying to run steamcmd (counter strike 1.6, don't starve and ark server) and teamspeak server under the linux emulator inside the jail. Every time I try to run it I cannot get it to work properly. See below:

Code:
2022-05-31 16:13:49.058543|INFO    |ServerLibPriv |   |TeamSpeak 3 Server 3.13.6 (2021-06-09 10:22:37)
2022-05-31 16:13:49.058977|INFO    |ServerLibPriv |   |SystemInformation: Linux 3.17.0 FreeBSD 13.1-RC3 #1 r372073M: Thu May  5 11:08:31 BST 2022 x86_64 Binary: 64bit
2022-05-31 16:13:49.059820|INFO    |DatabaseQuery |   |dbPlugin name:    SQLite3 plugin, Version 3, (c)TeamSpeak Systems GmbH
2022-05-31 16:13:49.059858|INFO    |DatabaseQuery |   |dbPlugin version: 3.11.1
2022-05-31 16:13:49.060237|INFO    |DatabaseQuery |   |checking database integrity (may take a while)
2022-05-31 16:13:49.098653|WARNING |Accounting    |   |Unable to open licensekey.dat, falling back to limited functionality
2022-05-31 16:13:49.099125|INFO    |Accounting    |   |Licensing Information
2022-05-31 16:13:49.099161|INFO    |Accounting    |   |licensed to       : Anonymous
2022-05-31 16:13:49.099192|INFO    |Accounting    |   |type              : No License
2022-05-31 16:13:49.099236|INFO    |Accounting    |   |starting date     : Thu Oct  1 00:00:00 2020
2022-05-31 16:13:49.099301|INFO    |Accounting    |   |ending date       : Tue Nov  1 00:00:00 2022
2022-05-31 16:13:49.099330|INFO    |Accounting    |   |max virtualservers: 1
2022-05-31 16:13:49.099357|INFO    |Accounting    |   |max slots         : 32
2022-05-31 16:13:50.244599|INFO    |              |   |Puzzle precompute time: 1084
2022-05-31 16:13:50.245063|ERROR   |FileManager   |   |bind failed on 212.159.22.253:30033; reason: Cannot assign requested address
2022-05-31 16:13:50.245119|CRITICAL|VirtualSvrMgr |   |Could not start file manager 258 no network port available

And for steamcmd:

Code:
WARNING: setlocale('en_US.UTF-8') failed, using locale: 'C'. International characters may not work.
Redirecting stderr to '/home/steamserver/logs/stderr.txt'
/tmp/dumps insufficient permissions - delete and recreate
Looks like steam didn't shutdown cleanly, scheduling immediate update check
src/tier0/threadtools.cpp (2377) : Assertion Failed: Function not implemented
[  0%] Checking for available updates...
[----] Verifying installation...
Steam Console Client (c) Valve Corporation - version 1653101151
-- type 'quit' to exit --
Loading Steam API...CreateBoundSocket: failed to create socket, error [no name available] (93)
src/tier0/threadtools.cpp (2377) : Assertion Failed: Function not implemented
src/tier0/threadtools.cpp (1804) : Thread synchronization object is unuseable

I believe if ping would work then my firewall rules would work too. The same rules with a different jail and different ports work fine, so I think the problem has to do with the linux jail.

See pf.conf:
Code:
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 80, 443} -> 10.0.0.1
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27015, 27016, 7777 }  -> 10.0.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27005, 27020, 51840 }  -> 10.0.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 9987 -> 10.0.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 10011 -> 10.0.0.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port 30033 -> 10.0.0.3

First line applies to server www and that is inside wwwserver jail - works perfectly.

Any idea how to solve it? I copied all files from /rescue on the host to the game server /bin (didn't overwrite existing files) and that didn't help.
 
Well, thanks but I want to keep all gaming related stuff together in one jail and anyway I have teamspeak configured properly using linux emulator just need to sort out network in it.
 
Guys, what comes to my mind: is there any solution such as bridge or vnet or anything that might fix my problem? I managed to find out that:
Code:
 exec.start = '/bin/true';
returns only a true value, therefore like SirDice mentioned it doesn't initialize the network. I don't wanna spam but I keep searching for solutions.
If I copy the line:
Code:
 exec.start = '/bin/sh /etc/rc';
it doesn't work. For linux compatibility mode I think something like this might work:
Code:
 exec.start = '/bin/bash /etc/?????';
but I'm not sure what to type in place of the question marks to start up the network. Has anybody had the same problem?
 
Did you try to use a FreeBSD ping binary as I suggested?

For a Linux userland using classic sysv-rc, the following would work:
Code:
exec.start = "/etc/init.d/rc 3";
exec.stop = "/etc/init.d/rc 0";

But again, if it isn't a VNET jail, there's no need for any network initialization inside the jail.

And if it is a VNET jail, network initialization won't work without replacing some tools like ifconfig with FreeBSD binaries.
 
Zirias, thanks for the reply. Your code doesn't work, see below:
Code:
[root@ldrive /]# bastille start gameserver
[gameserver]:
gameserver: created
jail: gameserver: exec /etc/init.d/rc: No such file or directory
jail: gameserver: /etc/init.d/rc 3: failed
gameserver: removed
What tools do I need to replace? All I need is for my services to run, which are steamcmd and teamspeak, possibly some more in the future.
 
your code doesn't work
As I said, it's for classic sysv init. If your jail uses some other init system, you'll need other commands....
All I need is my services to run which is steamcmd and teamspeak
From your posts, I figured you were trying to get ping to work. Then, replace it with the FreeBSD ping from /rescue. Again: if your jail isn't a VNET jail, there's no need to initialize networking inside it. In general, quite a few Linux networking tools would need replacement if you expect them to work on FreeBSD, e.g. ifconfig.

If the networking software you're trying to use directly operates on network interfaces (ioctl etc...) instead of using a standard API (BSD sockets), you'll be out of luck.
 