
pkg update issue in jail (no connectivity)

FBSD


#1
Hi guys,

I have successfully set up jails with ezjail in the past, but for some reason this time it's just not working (on 11.1). I'm sure it's my oversight here or there.
My jail does not have access to the outside world and cannot do a pkg update.
I've set up a fresh VPS with FreeBSD 11.1.

Can somebody please cast his/her eyes over the steps I've taken? As far as I'm aware, I've followed the steps in the handbook (Managing Jails), but something is not correct: I'm getting this error message when updating pkg in the ports:

root@webserver:~ # pkg update
Code:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: No address record
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
Installing the suggested port doesn't work either, as there's no internet connection (telnet from jail doesn't connect either).
Note: I've not set up PF yet, so there's no active firewall.

My steps (on the host):

Install ezjail

# pkg update

# pkg install ezjail

# echo 'ezjail_enable=YES' >> /etc/rc.conf


install ports and sources in basejail
# ezjail-admin install -sp

Setting up the network

Add the following lines to /etc/rc.conf:
Code:
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.0.2 netmask 255.255.255.0"
Create the local interface
# ifconfig lo1 create

Activate local interface and IP address for webserver jail
# service netif cloneup
# ifconfig lo1 inet 192.168.0.2 netmask 255.255.255.0


Check Network
# ifconfig
Code:
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
       options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
       ether f6:e7:81:d1:78:29
       hwaddr f6:e7:81:d1:78:29
       media: Ethernet 10Gbase-T <full-duplex>
       status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
       groups: lo 
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
       inet 192.168.0.2 netmask 0xffffff00 
       groups: lo

# service ezjail start

Create webserver jail
ezjail-admin create webserver 192.168.0.2

Copy DNS file from host to jail:
cp /etc/resolv.conf /usr/jails/webserver/etc/

Add webserver to /etc/hosts file in jail:
192.168.0.2 webserver

When in the jail, there's no connection with the outside world? It's probably something simple, but I've run out of ideas. Any suggestion's welcome :)




----------------------------------------------------------------------------------
File Contents:
Host /etc/rc.conf
Code:
shd_enable="YES"
digitaloceanpre="YES"
hostname="freebsd-s-1vcpu-1gb-adam-01"
cloudinit_enable="YES"
digitalocean="YES"
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.0.2 netmask 255.255.255.0"
ezjail_enable=YES
Hosts file on host:
Code:
/etc/hosts
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
Hosts file in jail
Code:
/etc/hosts
::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain
192.168.0.2 webserver
hostname on host:
freebsd-s-1vcpu-1gb-adam-01

hostname in jail:
webserver

Telnet google.com on host:
# telnet google.com 80
Trying 172.217.7.14...
Connected to google.com.
Escape character is '^]'.

Telnet google.com in jail:
telnet google.com 80
root@webserver:~ # telnet google.com 80
google.com: hostname nor servname provided, or not known
 

FBSD


#2
Any ideas?
I'm willing to share a temporary password if someone has a few minutes to look around.
 

SirDice

Administrator, Staff member, Moderator

#3
You need to enable routing and you need to set up routing or NAT in order for the jail to be able to talk to the outside world.
 

linux->bsd


#4
Telnet google.com in jail:
telnet google.com 80
root@webserver:~ # telnet google.com 80
google.com: hostname nor servname provided, or not known
In addition to what SirDice said, it looks like you need to add name servers to your guest, too:
Code:
# mv /etc/resolv.conf /etc/resolv.conf.down
# nc -vw 2 freebsd.org 80
nc: getaddrinfo: hostname nor servname provided, or not known
# mv /etc/resolv.conf.down /etc/resolv.conf
# nc -vw 2 freebsd.org 80
Connection to freebsd.org 80 port [tcp/http] succeeded!
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver 208.67.222.222
nameserver 208.67.220.220
Edit to add: 8.8.8.8 is Google. Using 8.8.8.8 instead of google.com to test network issues allows you to bypass DNS resolving issues to focus on routing and connectivity issues. Then once they're sorted, you can fix DNS.

Also, I prefer to use 8.8.178.110 and freebsd.org instead of feeding the maw of Google.
 

FBSD


#5
You need to enable routing and you need to set up routing or NAT in order for the jail to be able to talk to the outside world.
Thanks for the pointer SirDice. PF wasn't turned on.
Thank you for the suggestion.
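
The replies in #3 and #4 amount to a layered check: test by literal IP first so DNS is out of the picture, then look at the resolver configuration, then test by name. The script below is an added example and not part of any post in this thread; the function names are hypothetical, and the probe command is passed in as a parameter so the logic can be exercised without a network.

```shell
#!/bin/sh
# Added example: layered connectivity triage, meant to be run inside the jail.

# Default probe: TCP connect with a 2 second timeout, like the nc test in post #4.
probe_nc() { nc -zw 2 "$1" "$2" >/dev/null 2>&1; }

# Count nameserver entries in a resolv.conf-format file (0 if unreadable).
count_nameservers() {
    [ -r "$1" ] || { echo 0; return; }
    awk '$1 == "nameserver" && $2 != "" { n++ } END { print n + 0 }' "$1"
}

# jail_net_triage PROBE IP IP_PORT NAME NAME_PORT RESOLV_CONF
# Prints exactly one verdict: routing | resolver-config | dns | ok
jail_net_triage() {
    probe=$1; ip=$2; ip_port=$3; name=$4; name_port=$5; resolv=$6

    # Step 1: literal IP. A failure here is not a DNS problem: the jail
    # address has no path out (routing/NAT on the host, as in post #3).
    if ! "$probe" "$ip" "$ip_port"; then
        echo routing
        return 0
    fi

    # Step 2: packets get out, so check the jail's resolver configuration.
    if [ "$(count_nameservers "$resolv")" -eq 0 ]; then
        echo resolver-config
        return 0
    fi

    # Step 3: nameservers are configured; a failure by name is now DNS itself.
    if ! "$probe" "$name" "$name_port"; then
        echo dns
        return 0
    fi

    echo ok
}

# Usage inside the jail (addresses taken from the thread):
#   jail_net_triage probe_nc 8.8.8.8 53 freebsd.org 80 /etc/resolv.conf
```

With a copied resolv.conf and no NAT on the host, as in post #1, the verdict is `routing`: the "No address record" error from pkg is a symptom of the nameservers being unreachable, not of a missing resolver configuration.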