EZJAIL and ping on FreeBSD-11.

Valeri Galtsev galtsev at kicp.uchicago.edu
Thu Feb 1 15:50:36 UTC 2018



On 02/01/18 09:23, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
> 
> I have setup a jail named hll124.  it is configured and running.  It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
> 
> In /etc/sysctl.conf on the host I have this:
> 
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> #  This file is read when going to multi-user and its contents piped thru
> #  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
> #
> 
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
> 
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
> 
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
> 

Yes, I'm sure you need that.

> 
> The host system shows this:
> 
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
> 

Good.

> 
> In the ezjail configuration file I have this:
> 
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
> 

I don't know much about ezjail... but this sounds to me as pertinent to 
one particular jail with the name "hll124".

I set up jails "by the book". To enable access to raw sockets in _all 
jails, I have somewhere in the configuration pertinent to all jails 
(i.e. not inside particular jail settings) in /etc/jail.conf the line

allow.raw_sockets = 1;

If you want to give that only to some jail, add this only inside jail 
specific configuration in the same /etc/jail.conf, e.g.:

db {
     host.hostname = "example.uchicago.edu";
     allow.raw_sockets = 1;
...
}

I hope this helps.

Valeri

> 
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
> 
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
> 
> What else am I missing?
> 

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
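An added example, not part of the reply above or of FreeBSD's own tooling: a small POSIX sh/awk checker that reports the effective allow.raw_sockets value for a named jail from a jail.conf, applying the file-level versus per-jail precedence the reply describes. It assumes a per-jail setting wins over a file-level one regardless of order, and treats a bare `allow.raw_sockets;` as true; the sample jail.conf is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): print the effective allow.raw_sockets
# value for one jail in a jail.conf. A setting inside "name { ... }" overrides
# the file-level setting; with neither present the kernel default is off (0).
# Assumption: a per-jail setting wins over a file-level one regardless of order.

raw_sockets_for_jail() {   # usage: raw_sockets_for_jail <jail.conf> <jailname>
    awk -v want="$2" '
        { sub(/#.*/, ""); buf = buf "\n" $0 }                 # strip comments, join file
        END {
            gsub(/[{}]/, "\n&\n", buf); gsub(/;/, ";\n", buf) # one token per line
            n = split(buf, tok, "\n"); jail = ""; filelevel = ""; perjail = ""
            for (i = 1; i <= n; i++) {
                s = tok[i]; gsub(/^[ \t]+|[ \t]+$/, "", s)
                if (s == "") continue
                if (s == "{") { jail = pending; continue }    # entering a jail block
                if (s == "}") { jail = ""; continue }         # back to file-level scope
                if (s !~ /;$/) { pending = s; continue }      # a jail name before "{"
                sub(/;$/, "", s); eq = index(s, "=")
                if (eq) { key = substr(s, 1, eq - 1); val = substr(s, eq + 1) }
                else    { key = s; val = "1" }                # "name;" sets a boolean true
                gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
                if (key != "allow.raw_sockets") continue
                on = (val ~ /^(1|true|yes)$/) ? "1" : "0"
                if (jail == "") filelevel = on; else if (jail == want) perjail = on
            }
            print (perjail != "" ? perjail : (filelevel != "" ? filelevel : "0"))
        }' "$1"
}

# Constructed sample configuration, written to the current directory.
SAMPLE_CONF=./jail.conf.sample
cat > "$SAMPLE_CONF" <<'EOF'
# constructed jail.conf: raw sockets off by default, enabled for one jail only
path = "/usr/jails/$name";
allow.raw_sockets = 0;

db {
    host.hostname = "db.example.com";
    allow.raw_sockets;            # boolean set true by naming it
}

web {
    host.hostname = "web.example.com";
}
EOF

for j in db web missing; do
    printf '%s: allow.raw_sockets=%s\n' "$j" "$(raw_sockets_for_jail "$SAMPLE_CONF" "$j")"
done
```

Run it against the real /etc/jail.conf to confirm that only the jails that actually need ping or traceroute carry the permission; the host sysctl security.jail.allow_raw_sockets must still be 1 for the per-jail setting to take effect.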

