jail.conf ignoring exec.fib?

Arthur Chance freebsd at qeng-ho.org
Tue Aug 20 17:02:58 UTC 2013


On 20/08/2013 12:50, Karl Pielorz wrote:
>
>
> --On 20 August 2013 08:27 +0100 Arthur Chance <freebsd at qeng-ho.org> wrote:
>
>> In the source the exec.fib parameter is given as an integer, so the
>> quotes probably shouldn't be there, but I'm not sure whether it matters.
>
> I tried it just as 'exec.fib = 1;' originally, and it makes no
> difference :(
>
>> There's definitely a setfib call in the source that's done if exec.fib
>> exists. All I can think of right now is that you try firing up the jail
>> using the -v verbose flag. This should show everything the jail command
>> does as the jail is created.
>
> Ok, I tried that and got:
>
> "
> root# jail -v -c jail
> jail: run command: /sbin/mount -t devfs -oruleset=4 . /usr2/jails/jail/dev
> jail: jail_set(JAIL_CREATE) persist name=jail devfs_ruleset=4 jid=100
> path=/usr2/jails/jail host.hostname=jail.somedomain.com
> ip4.addr=192.186.0.20 allow.raw_sockets
> jail: created
> jail: run command in jail: /bin/sh /etc/rc
> Setting hostname: jail.somedomain.com
> ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib
> 32-bit compatibility ldconfig path: /usr/lib32
> Creating and/or trimming log files.
> ln: /dev/log: Operation not permitted
> Starting syslogd.
> Clearing /tmp (X related).
> Updating motd:.
> Starting cron.
>
> Tue Aug 20 11:39:20 UTC 2013
> jail: jail_set(JAIL_UPDATE) jid=100 nopersist
> "
>
> Certainly more detail, but no mention of fib's :( - I tried it both
> with, and without quotes around the FIB value. You can also see I have
> raw sockets available for debugging.

I can't test this directly, as I'm running a generic kernel so only have 
one fib. However, if I add the invalid (under GENERIC) "exec.fib = 1;" 
to my jail.conf and try launching the jail with -v I get (slightly cut)

testjail: run command: /sbin/mount -t devfs -oruleset=4 . 
/jails/jail/testjail/root/dev
testjail: jail_set(JAIL_CREATE) persist name=testjail enforce_statfs=2 
ip6=disable path=/jails/jail/testjail/root 
host.hostname=testjail.home.qeng-ho.org allow.set_hostname=false 
ip4.addr=172.16.4.2 securelevel=1
testjail: created
testjail: run command in jail: /bin/sh /etc/rc
jail: testjail: setfib: Invalid argument
jail: testjail: /bin/sh /etc/rc: failed
testjail: removed

so it certainly has tried the setfib and knows it has failed.

And that's just made me think of something else - I have a horrible 
feeling that jexec will attach to the jail using whatever fib it's 
running under, i.e. the fib from the host environment. Do you have (or 
can you enable) ssh running in the jail? If so, log into the jail that 
way, and see what

	sysctl net.my_fibnum

shows then, because you'll be running under the environment created by 
/etc/rc.

-- 
In the dungeons of Mordor, Sauron bred Orcs with LOLcats to create a
new race of servants. Called Uruk-Oh-Hai in the Black Speech, they
were cruel and delighted in torturing spelling and grammar.

		_Lord of the Rings 2.0, the Web Edition_
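
Added example, not part of the original message or of FreeBSD's own tooling: a pre-flight check that reads a jail.conf and flags exec.fib values that would make setfib fail as in the testjail output above, accepting both the quoted and the bare form discussed in the thread. The function names and the sample configuration are constructed, and it assumes valid FIB numbers run from 0 to net.fibs - 1.

```shell
#!/bin/sh
# check_exec_fib NFIBS < jail.conf
# Prints "<jail> <fib> ok|invalid" for every exec.fib setting and returns 1
# if any value lies outside 0..NFIBS-1 (assumed valid range, see lead-in).
check_exec_fib() {
    awk -v nfibs="$1" '
        { sub(/#.*/, "") }                          # drop "#" comments
        /^[ \t]*[A-Za-z0-9_.*-]+[ \t]*[{]/ {        # "name {" opens a jail block
            jail = $0
            sub(/^[ \t]*/, "", jail)
            sub(/[ \t]*[{].*/, "", jail)
        }
        /exec\.fib[ \t]*=/ {
            val = $0
            sub(/.*exec\.fib[ \t]*=[ \t]*/, "", val)  # keep the text after "="
            sub(/[ \t]*;.*/, "", val)                 # cut at the closing ";"
            gsub(/"/, "", val)                        # quoted and bare forms compare equal
            ok = (val ~ /^[0-9]+$/ && val + 0 < nfibs + 0)
            printf "%s %s %s\n", (jail == "" ? "(global)" : jail), val, (ok ? "ok" : "invalid")
            if (!ok) bad = 1
        }
        /[}]/ { jail = "" }                         # block closed
        END { exit bad + 0 }
    '
}

# Constructed sample configuration (not taken from the thread).
sample_conf() {
    cat <<'EOF'
exec.start = "/bin/sh /etc/rc";
jail {
    path = "/usr2/jails/jail";
    exec.fib = "1";
}
testjail {
    path = "/jails/jail/testjail/root";
    exec.fib = 1;   # bare integer form
}
EOF
}

# On a FreeBSD host:
#   check_exec_fib "$(sysctl -n net.fibs)" < /etc/jail.conf
```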

