Restarting bastille VNET jail loses default route in host

Hello,

Could someone please help explain this anomaly with bastille jails?

When multiple bastille jails are running, restarting one jail loses the default route in the host.

When only a single bastille jail is running in the host, restarting it does not lose the default route in the host.

Messages from /var/log/messages:

One jail running, restarting it:
Code:
Dec 28 09:38:33 fuj kernel: [nhop_ctl] inet.0 nhop_free: failed to unlink nh#2/inet/vnet0/resolve
Dec 28 09:38:33 fuj kernel: e0a_bastille4: link state changed to DOWN
Dec 28 09:38:33 fuj kernel: vnet0: link state changed to DOWN
Dec 28 09:38:33 fuj root[34607]: /etc/rc.d/netif: WARNING: e0a_bastille4 does not exist.  Skipped.
Dec 28 09:38:33 fuj kernel: epair0a: Ethernet address: 02:bc:1c:9f:5c:0a
Dec 28 09:38:33 fuj kernel: epair0b: Ethernet address: 02:bc:1c:9f:5c:0b
Dec 28 09:38:33 fuj kernel: epair0a: link state changed to UP
Dec 28 09:38:33 fuj kernel: epair0b: link state changed to UP
Dec 28 09:38:33 fuj kernel: epair0a: promiscuous mode enabled
Dec 28 09:38:33 fuj kernel: epair0a: changing name to 'e0a_bastille4'
Dec 28 09:38:33 fuj kernel: epair0b: changing name to 'e0b_bastille4'
Dec 28 09:38:33 fuj kernel: e0b_bastille4: changing name to 'vnet0'
Dec 28 09:38:33 fuj kernel: lo0: link state changed to UP
Dec 28 09:38:33 fuj dhclient[61247]: connection closed
Dec 28 09:38:33 fuj dhclient[61247]: exiting.
Dec 28 09:38:34 fuj dhclient[69425]: New IP Address (wlan0): 192.168.1.237
Dec 28 09:38:34 fuj dhclient[70204]: New Subnet Mask (wlan0): 255.255.255.0
Dec 28 09:38:34 fuj dhclient[72356]: New Broadcast Address (wlan0): 192.168.1.255
Dec 28 09:38:34 fuj dhclient[73819]: New Routers (wlan0): 192.168.1.1
Dec 28 09:38:34 fuj root[84600]: /etc/rc.d/netif: WARNING: vnet0 does not exist.  Skipped.
Dec 28 09:38:34 fuj dhclient[66505]: connection closed
Dec 28 09:38:34 fuj dhclient[66505]: exiting.
Dec 28 09:38:34 fuj dhclient[37398]: New IP Address (wlan0): 192.168.1.237
Dec 28 09:38:34 fuj dhclient[38080]: New Subnet Mask (wlan0): 255.255.255.0
Dec 28 09:38:34 fuj dhclient[40102]: New Broadcast Address (wlan0): 192.168.1.255
Dec 28 09:38:34 fuj dhclient[41276]: New Routers (wlan0): 192.168.1.1

Multiple jails running, restarting one of them:
Code:
Dec 28 09:43:51 fuj kernel: [nhop_ctl] inet.0 nhop_free: failed to unlink nh#2/inet/vnet0/resolve
Dec 28 09:43:51 fuj kernel: e0a_bastille4: link state changed to DOWN
Dec 28 09:43:51 fuj kernel: vnet0: link state changed to DOWN
Dec 28 09:43:51 fuj root[51224]: /etc/rc.d/netif: WARNING: e0a_bastille4 does not exist.  Skipped.
Dec 28 09:43:51 fuj kernel: epair0a: Ethernet address: 02:b7:16:74:14:0a
Dec 28 09:43:51 fuj kernel: epair0b: Ethernet address: 02:b7:16:74:14:0b
Dec 28 09:43:51 fuj kernel: epair0a: link state changed to UP
Dec 28 09:43:51 fuj kernel: epair0b: link state changed to UP
Dec 28 09:43:51 fuj kernel: epair0a: promiscuous mode enabled
Dec 28 09:43:51 fuj kernel: epair0a: changing name to 'e0a_bastille4'
Dec 28 09:43:51 fuj kernel: epair0b: changing name to 'e0b_bastille4'
Dec 28 09:43:51 fuj root[62188]: /etc/rc.d/netif: WARNING: vnet0 does not exist.  Skipped.
Dec 28 09:43:51 fuj kernel: e0b_bastille4: changing name to 'vnet0'
Dec 28 09:43:51 fuj kernel: lo0: link state changed to UP

jail.conf of the jail that is restarted:
Code:
wg7 {
  devfs_ruleset = 13;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/wg7_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = wg7;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/wg7/fstab;
  path = /usr/local/bastille/jails/wg7/root;
  securelevel = 2;

  vnet;
  vnet.interface = e0b_bastille4;
  exec.prestart += "jib addm bastille4 wlan0";
  exec.prestart += "ifconfig e0a_bastille4 description \"vnet host interface for Bastille jail wg7\"";
  exec.poststop += "jib destroy bastille4";
}

It seems that restarting the jail manipulates the wlan0 interface. Should it be so?

How could I ensure that manipulating the jails does not lose the connection with the host?
 
It seems that the problem arises from destroying the epairs.

Minimal example:

When one VNET jail is already running, create and destroy epairs:
Code:
ifconfig epair50 create
ifconfig epair50a destroy
This loses the default route in host.
Messages from /var/log/messages:
Code:
Dec 28 22:30:52 fuj kernel: epair50a: Ethernet address: 02:da:31:e1:c4:0a
Dec 28 22:30:52 fuj kernel: epair50b: Ethernet address: 02:da:31:e1:c4:0b
Dec 28 22:30:52 fuj kernel: epair50a: link state changed to UP
Dec 28 22:30:52 fuj kernel: epair50b: link state changed to UP
Dec 28 22:31:03 fuj dhclient[46120]: receive_packet failed on epair50a: Device not configured
Dec 28 22:31:03 fuj kernel: epair50a: link state changed to DOWN
Dec 28 22:31:03 fuj kernel: epair50b: link state changed to DOWN
Dec 28 22:31:03 fuj dhclient[46120]: ioctl(SIOCGIFFLAGS) on epair50a: Operation not permitted
Dec 28 22:31:03 fuj dhclient[46120]: Interface epair50a no longer appears valid.
Dec 28 22:31:03 fuj dhclient[46120]: No live interfaces to poll on - exiting.
Dec 28 22:31:03 fuj dhclient[46120]: exiting.
Dec 28 22:31:03 fuj dhclient[46120]: connection closed
Dec 28 22:31:03 fuj dhclient[46120]: exiting.
Dec 28 22:31:03 fuj root[48909]: /etc/rc.d/dhclient: WARNING: failed to start dhclient
Dec 28 22:31:03 fuj root[52002]: /etc/rc.d/netif: WARNING: epair50a does not exist.  Skipped.
Dec 28 22:31:03 fuj root[89314]: /etc/rc.d/netif: WARNING: epair50b does not exist.  Skipped.

Network interface in host, wlan0, uses DHCP. It seems that ifconfig helpfully (and in my case unnecessarily) configures created epairs also with DHCP.

Is it possible to create epairs without DHCP, or at least unhook them from dhclient afterwards?
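Two things a practitioner would want here: a way to see why a brand-new epair picks up a dhclient at all, and a check that the default route survives an epair create/destroy cycle. On FreeBSD 13 devd hands each newly attached interface to /etc/rc.d/netif, which looks up ifconfig_<if> in rc.conf and falls back to ifconfig_DEFAULT for interfaces without their own line; an ifconfig_DEFAULT containing DHCP is one way every epair ends up with DHCP. The script below is an added example, not code from the thread or from Bastille; the rc.conf fragments and the netstat -rn output it parses are constructed samples, and it is an assumption that the poster's host uses ifconfig_DEFAULT (the real rc.conf is not shown).

```shell
#!/bin/sh
# Added example (not from the forum thread or Bastille). Reproduces the
# rc.conf lookup that /etc/rc.d/netif performs for a freshly attached
# interface and checks whether the host's IPv4 default route survived an
# epair create/destroy cycle. All inputs below are constructed samples.

# Print the ifconfig arguments rc.d/netif would use for interface $1,
# reading rc.conf-style text from stdin. Mirrors /etc/network.subr:
# an explicit ifconfig_<if> line wins, otherwise ifconfig_DEFAULT applies.
rc_ifconfig_args() {
    _ifn=$(printf '%s' "$1" | sed 's|[./+-]|_|g')   # rc.conf variable-name form
    _conf=$(cat)
    _line=$(printf '%s\n' "$_conf" | grep "^ifconfig_${_ifn}=" | tail -n 1)
    [ -z "$_line" ] && _line=$(printf '%s\n' "$_conf" | grep '^ifconfig_DEFAULT=' | tail -n 1)
    [ -z "$_line" ] && return 1
    printf '%s\n' "${_line#*=}" | tr -d "\"'"
}

# Exit 0 when rc.d/netif would hand interface $1 to dhclient (rc.conf on stdin).
# DHCP, SYNCDHCP and NOSYNCDHCP enable it; NOAUTO or no matching line disable it.
rc_if_uses_dhcp() {
    _args=$(rc_ifconfig_args "$1") || return 1
    for _arg in $_args; do
        case $_arg in
            [Nn][Oo][Aa][Uu][Tt][Oo]) return 1 ;;
            [Dd][Hh][Cc][Pp]|[Ss][Yy][Nn][Cc][Dd][Hh][Cc][Pp]|[Nn][Oo][Ss][Yy][Nn][Cc][Dd][Hh][Cc][Pp]) return 0 ;;
        esac
    done
    return 1
}

# Print the IPv4 default gateway from `netstat -rn -f inet` output on stdin.
# Prints nothing when the routing table has no default entry.
default_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# Exit 0 when the gateway captured before ($1) and after ($2) the epair
# cycle is present and unchanged.
route_preserved() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# --- constructed sample rc.conf fragments (not the poster's real file) ---
WEAK_RC='# weak: ifconfig_DEFAULT makes every new interface, epairs included, use DHCP
ifconfig_DEFAULT="DHCP"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"'

HARDENED_RC='# corrected: DHCP only on the uplink; interfaces without a line are left alone
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"'

# --- constructed `netstat -rn -f inet` snapshots around an epair cycle ---
NETSTAT_BEFORE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS       wlan0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U         wlan0
192.168.1.237      link#1             UHS         lo0'

NETSTAT_AFTER='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U         wlan0
192.168.1.237      link#1             UHS         lo0'

# Demo: which rc.conf would give epair50a a dhclient?
if printf '%s\n' "$WEAK_RC" | rc_if_uses_dhcp epair50a; then
    echo "weak rc.conf: epair50a would be started with DHCP"
fi
if ! printf '%s\n' "$HARDENED_RC" | rc_if_uses_dhcp epair50a; then
    echo "hardened rc.conf: epair50a gets no dhclient"
fi

# Demo: did the default route survive? On a real host replace the
# constructed strings with "$(netstat -rn -f inet)" before and after
# `ifconfig epair50 create; ifconfig epair50a destroy`.
before=$(printf '%s\n' "$NETSTAT_BEFORE" | default_gateway)
after=$(printf '%s\n' "$NETSTAT_AFTER" | default_gateway)
if route_preserved "$before" "$after"; then
    echo "default route intact via $before"
else
    echo "default route lost (was ${before:-none}, now ${after:-none})"
fi
```

The rc.conf check only models the ifconfig_<if> versus ifconfig_DEFAULT fallback and the DHCP/NOAUTO keywords; it does not evaluate the rest of /etc/network.subr, so treat a positive result as a pointer to the line worth changing rather than proof. The route check is deliberately independent of jails: run it around a bare `ifconfig epair50 create`/`destroy` pair first, as in the minimal example above, so that a lost route can be attributed to interface handling rather than to Bastille.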