jail issue
Jim Prewett
download at hpc.unm.edu
Fri Feb 13 20:34:27 PST 2004
Hi Robert,
I've been using jails (very happily) for quite some time and have *never*
had a problem like this. I really don't have a clue what to look for :)
I'm getting complaints from fellow keyserver ops as my IP seems to
sometimes be the jail and sometimes the host, so some of my packets get
rejected as that IP has not been configured (by the remote host) to be a
peer. (how strange is that?!)
Here is an email I received. I cvsup'd this morning, rebuilt everything,
and did a final clean reboot before starting up the pgp jail. I received
this email from one of my peer sites (the timestamps confirm this was
after starting the jail after rebuilding):
To: download at hpc.unm.edu
Subject: PGP/nox again
2004-02-13 10:52:01 Enabling gossip
2004-02-13 10:52:02 Reconciliation attempt from unauthorized host <ADDR_INET 129.24.244.72:2040>. Ignoring
the host (nox) is 129.24.244.72, the jail (pgp) is 129.24.244.40.
On Fri, 13 Feb 2004, Robert Watson wrote:
>
> On Fri, 13 Feb 2004, Jim Prewett wrote:
>
> > I run a PGP key server (SKS 1.0.6) inside of a jail. However, my key
> > server seems to be getting confused as to its IP address and is sending
> > packets as the host environment (not as the jail environment).
>
> Could you show the output of sockstat as run in the host environment?
> Likewise, the output of ps ax. I'd like to see what the socket is bound
> to, as the theory goes that jail modifies the bind requests from the
> process to set them to the IP in the jail. Either we have a bug in socket
> handling, or the process isn't running in the jail.
I'm really afraid I may have inadvertently found a bug! It is definitely
in the jail environment (I've included the ps output below). The SKS
daemons definitely answer on the jail environment IP (I've included the
output of nmap against both the host and the jail below)!
here are the sockets related to the sks process:
nox# sockstat | grep sks
root sks 276 5 tcp4 129.24.244.40:11371 *:*
root sks 271 4 tcp4 129.24.244.40:11370 *:*
root sks 276 6 stream ./db_com_sock
root sks 271 5 stream ./recon_com_sock
and sks processes:
nox# ps ax | grep sks
5804 p2 S+ 0:00.00 grep sks
271 con- S+J 0:03.29 sks recon
276 con- S+J 0:11.50 sks db
nmap of host (nox) and jail (pgp):
nox# nmap nox pgp -p 11370-11371
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-13 21:21 MST
Interesting ports on nox.hpc.unm.edu (129.24.244.72):
PORT STATE SERVICE
11370/tcp closed unknown
11371/tcp closed pksd
Interesting ports on pgp.hpc.unm.edu (129.24.244.40):
PORT STATE SERVICE
11370/tcp open unknown
11371/tcp open pksd
Nmap run completed -- 2 IP addresses (2 hosts up) scanned in 0.339 seconds
ifconfig from the host:
nox# ifconfig -a
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
inet6 fe80::2d0:b7ff:fe7f:f678%fxp0 prefixlen 64 scopeid 0x1
ether 00:d0:b7:7f:f6:78
media: Ethernet autoselect (none)
status: no carrier
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 129.24.244.72 netmask 0xfffffc00 broadcast 129.24.247.255
inet6 fe80::210:dcff:fedf:1a01%vr0 prefixlen 64 scopeid 0x2
inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
ether 00:10:dc:df:1a:01
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet 127.0.0.1 netmask 0xff000000
ifconfig from the jail:
pgp# ifconfig -a
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 00:d0:b7:7f:f6:78
media: Ethernet autoselect (none)
status: no carrier
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
ether 00:10:dc:df:1a:01
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
If there is anything else that I can provide, please let me know. I'm
*very* interested in resolving this.
Thanks,
Jim
--
James Prewett OpenPGP key: pub 1024D/31816D93
Systems Team Leader Designated Security Officer
HPC Systems Engineer III @ HPC at UNM -- download at hpc.unm.edu Jim at Prewett.org
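Added diagnostic, not code from the thread or from SKS: the sockstat listing above shows only the listening sockets bound to the jail IP, while the peer's log records an outbound connection arriving from the host address (port 2040 is an ephemeral port). The script below separates the two checks: it parses sockstat output (sample constructed from the lines quoted above) to flag any sks socket not bound to the jail IP, and it opens an outbound connection without an explicit bind to report the source address the kernel chose, which is what a remote peer sees. Run the second check from inside the jail against a real peer; the loopback self-test only exercises the mechanism offline.

```python
import socket
from typing import List, Tuple

# Constructed sample: the four sockstat lines quoted in the mail above.
SAMPLE_SOCKSTAT = """\
root sks 276 5 tcp4 129.24.244.40:11371 *:*
root sks 271 4 tcp4 129.24.244.40:11370 *:*
root sks 276 6 stream ./db_com_sock
root sks 271 5 stream ./recon_com_sock
"""


def inet_sockets_not_on(sockstat_text: str, command: str, jail_ip: str) -> List[Tuple[int, str]]:
    """Return (pid, local) for every IPv4 socket of `command` whose local
    address is not `jail_ip`, i.e. the host address or a '*' wildcard."""
    offenders = []
    for line in sockstat_text.splitlines():
        f = line.split()
        # Columns: USER COMMAND PID FD PROTO LOCAL FOREIGN; unix sockets carry no IP.
        if len(f) < 6 or f[1] != command or f[4] not in ("tcp4", "udp4"):
            continue
        local_ip = f[5].rsplit(":", 1)[0]
        if local_ip != jail_ip:
            offenders.append((int(f[2]), f[5]))
    return offenders


def outbound_source_address(dest_host: str, dest_port: int) -> str:
    """Connect without an explicit bind and report the source address the
    kernel picked; that, not the listening socket, is what the peer sees."""
    with socket.create_connection((dest_host, dest_port), timeout=5) as s:
        return s.getsockname()[0]


def loopback_self_test() -> str:
    """Offline exercise of outbound_source_address() against a throwaway listener."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return outbound_source_address("127.0.0.1", srv.getsockname()[1])


if __name__ == "__main__":
    print("sks sockets not on jail IP:",
          inet_sockets_not_on(SAMPLE_SOCKSTAT, "sks", "129.24.244.40"))
    print("loopback source address:", loopback_self_test())
```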