My jails just died

Redd Vinylene reddvinylene at gmail.com
Sat Aug 9 12:38:33 UTC 2008


My jails just died. They worked just fine yesterday and I haven't
touched anything.

I've tried rebooting over and over but they just won't start. jls remains empty.

(root at mother)(08/09+12:25)
(/usr) /etc/rc.d/jail start
Configuring jails:.
Starting jails:

Nothing happens. I'm confused.

On Sat, Aug 9, 2008 at 12:33 PM, Redd Vinylene <reddvinylene at gmail.com> wrote:
> Man that was very, very helpful indeed. Interesting network forensics there...
>
> Do you have PayPal? Also, do let me know when you're in Sweden so I
> can buy you a beer :-))
>
> I've now come up with this question:
>
> -
>
> I got a FreeBSD server, mother (66.252.2.2). On it, I've made two
> jails, camel (66.252.2.3) and box (66.252.2.4 through to
> 66.252.2.127). The problem is that reverse lookups for any of the IPs
> preceding .4 on box fails. If I connect to IRC with .5 for instance,
> it times out and reverts back to .4, whose lookup works just fine.
> BIND runs on camel. Could the problem be that BIND is not upstream for
> all those IPs? (I'm not quite sure what that means though, a friend
> just gave me a tip.) Maybe I must configure the reverse for each of
> IPs individually? I would really like to keep the DNS server running
> on camel though, as it's dedicated to all my vital services, whereas
> box is more the home of all my users, and thus expendable ;) My
> (hopefully) relevant configuration files can be found here --
> http://pastie.org/250469 -- much obliged, and thanks!
>
> -
>
> Cheers!
>
> On Sat, Aug 9, 2008 at 12:33 AM, Bjoern A. Zeeb
> <bzeeb-lists at lists.zabbadoz.net> wrote:
>> On Fri, 8 Aug 2008, Redd Vinylene wrote:
>>
>> Hi,
>>
>>> Actually I'm not sure how to make identd listen to all the IPs.
>>
>> by default it does and it looks like it does:
>> tcp4       0      0  *.113                  *.* LISTEN
>>
>>
>>> There's no such option in the manuals. But ain't the problem more
>>> related to the IPs?
>>>
>>> If you need access to the host as well, surely that is no problem!
>>
>> I wondered how your users would IRC from a non-default IP but now this
>> is obvious.
>>
>>
>> So what I did in one xterm was:
>>
>> (bjoern at box)(08/09+03:06)
>> (~) telnet -s 66.252.2.38 66.252.2.117 22
>> Trying 66.252.2.117...
>> Connected to 66.252.2.117.
>> Escape character is '^]'.
>> SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
>>
>>
>> and in the other I checked netstat -an for port 22 to find the other
>> port number:
>>
>> tcp4       0      0  66.252.2.117.22        66.252.2.38.50503 ESTABLISHED
>> tcp4       0      0  66.252.2.38.50503      66.252.2.117.22 ESTABLISHED
>>
>> trying to remember how to speak ident (auth):
>>
>> (bjoern at box)(08/09+03:07)
>> (~) telnet -s 66.252.2.117 66.252.2.38 113
>> Trying 66.252.2.38...
>> Connected to 66.252.2.38.
>> Escape character is '^]'.
>> 22,50503
>> 22 , 50503 : ERROR : NO-USER
>> Connection closed by foreign host.
>> (bjoern at box)(08/09+03:08)
>> (~) (bjoern at box)(08/09+03:08)
>> (~) telnet -s 66.252.2.117 66.252.2.38 113
>> Trying 66.252.2.38...
>> Connected to 66.252.2.38.
>> Escape character is '^]'.
>> 50503,22
>> 50503 , 22 : USERID : UNKNOWN : bjoern
>> Connection closed by foreign host.
>> (bjoern at box)(08/09+03:08)
>>
>> looks good.
>>
>> What I noticed was that it was responding very slowly. So next I will
>> check inetd options (especially -w/-W) and if I can find obvious things
>> like DNS timeouts...
>>
>> (~) ps axuwl | grep inetd
>> root    47676  0.0  0.1  3240  1348  ??  IsJ  Thu11PM   0:00.01 inetd 0 1   0  44  0 select
>>
>> I wonder why I do not see any options there? Have you started inetd
>> manually?
>>
>> The defaults are:
>>
>> (/etc/defaults) grep inetd rc.conf
>> inetd_enable="NO"               # Run the network daemon dispatcher (YES/NO).
>> inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
>> inetd_flags="-wW -C 60"         # Optional flags to inetd
>> (bjoern at box)(08/09+03:12)
>>
>> and rc.conf only has:
>> (/etc) grep inetd rc.conf
>> inetd_enable="YES"
>>
>> It's probably okay to not rate limit and not tcpwrap it - as it is
>> running.
>>
>> You may want to add the following to /etc/rc.conf
>> inetd_flags=""
>>
>>
>>
>> Okay, resolv.conf is populated as well:
>> (/etc) cat resolv.conf
>>
>> # FreeBSD/i386 box.fox-host.net
>> nameserver 69.65.17.101
>> nameserver 69.65.16.102
>>
>>
>> Typing netstat (without options) hangs after "box", when it starts to
>> resolve the additional IPs which are not in /etc/hosts.
>>
>> (/etc) host -t ns 2.252.66.in-addr.arpa.
>> Host 2.252.66.in-addr.arpa not found: 2(SERVFAIL)
>>
>> You may want to add the other IPs with some dummy values to
>> /etc/hosts to temporarily most likely solve this problem.
>>
>> telnet 66.252.2.4 22 returns instantly from within the jail,
>> telnet 66.252.2.5 22 takes ages to print the SSH "EHLO"
>>
>> So I guess your problem is neither with jails nor with auth(ident) but
>> with something trying to do a reverse lookup (on your address) and
>> timing out, timing out the ident lookups from IRC servers which should
>> return almost instantly.
>>
>> Let me know if that helped.
>>
>>
>> Bjoern
>>
>> PS:
>>
>> BTW. clock is way off on this box:
>> Sat Aug  9 03:19:45 UTC 2008
>> but it's about
>> Fri Aug  8 22:27:59 UTC 2008
>>
>> --
>> Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
>>
>
>
>
> --
> http://www.home.no/reddvinylene
>



-- 
http://www.home.no/reddvinylene
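The ident (RFC 1413) exchange Bjoern walks through above, and the port-order mistake behind the first NO-USER reply, as an added example that is not part of the thread: it derives the correct "server-port,client-port" request from a netstat line for whichever end is being queried, parses USERID/ERROR replies, and bounds the lookup with a timeout so a stalled reverse DNS on the far side fails fast instead of hanging. The netstat lines are copied from the thread as sample data; `ident_lookup` and the port 113 target are the only live network pieces.

```python
import re
import socket

# Sample data: the two netstat -an lines quoted in the thread, as seen on box.
NETSTAT_SAMPLE = """\
tcp4       0      0  66.252.2.117.22        66.252.2.38.50503 ESTABLISHED
tcp4       0      0  66.252.2.38.50503      66.252.2.117.22 ESTABLISHED
"""

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port) for ESTABLISHED tcp4 lines."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"tcp4\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+ESTABLISHED", line)
        if m:
            conns.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return conns

def ident_query_for(conn, queried_host):
    """Build the RFC 1413 request 'server-port,client-port' for the host being asked.
    'server-port' is the port local to the host answering on 113, 'client-port' the far
    end. That is why '50503,22' worked against 66.252.2.38 while '22,50503' got NO-USER."""
    local_ip, local_port, remote_ip, remote_port = conn
    if local_ip == queried_host:
        return f"{local_port},{remote_port}\r\n"
    if remote_ip == queried_host:
        return f"{remote_port},{local_port}\r\n"
    raise ValueError("connection does not involve queried host")

def parse_ident_reply(line):
    """Parse 'p1 , p2 : USERID : os : user' or 'p1 , p2 : ERROR : code'."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    ports = tuple(int(p) for p in parts[0].split(","))
    if parts[1] == "USERID" and len(parts) == 4:
        return {"ports": ports, "status": "USERID", "os": parts[2], "user": parts[3]}
    if parts[1] == "ERROR" and len(parts) == 3:
        return {"ports": ports, "status": "ERROR", "code": parts[2]}
    raise ValueError("malformed ident reply")

def ident_lookup(host, request, timeout=5.0):
    """Ask host:113 with a bounded timeout; in the thread the answers stalled because the
    daemon was waiting on a reverse lookup, so a timeout is the first thing to measure."""
    with socket.create_connection((host, 113), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        return parse_ident_reply(s.recv(1024).decode("ascii", errors="replace"))
```

Note that a USERID reply hands the remote party a real local username, which is the reason many sites answer ident with a fixed token or not at all.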

