On 11/09/12 03:38, Beeblebrox wrote:
My jail used to work fine but it seems a recent update broke some things. My
kernel/world has INET6 disabled and there are already 2 threads re the error
that setting causes with jails. Now this error - is it a bug or am I missing
something?

My /etc/sysctl.conf has
security.jail.allow_raw_sockets=1
I even confirm it separately before starting the jail:
# sysctl security.jail.allow_raw_sockets

* I start the jail but isc-dhcpd cannot start: unable to create icmp socket:
Operation not permitted
* I cannot ping from the jail: ping: socket: Operation not permitted
* This error also, but inetd starts: inetd[50866]: madvise() failed:
Operation not permitted

No point in setting up a dhcp debug log, the error is in the network
setting.
/etc/devfs.rules has: add path net unhide,  add path 'net/*' unhide
My system is not exposed to the outside so it does not have pf / nat running
on it.

It is indeed a bug, same as bin/173469, except with allow_raw_sockets
instead of sysvipc_allowed. With the recent change to rc.d/jail, the
jail permission sysctls are no longer used in starting up jails.

You can get past it for now by setting
jail_xxx_parameters="allow.raw_sockets" in your rc.conf. But that's a
hack fix, and we need something better before any of this goes out to
release.

Here's the problem: I had planned to deprecate those global sysctls in
favor of per-jail parameters, and only "old style" usage of the jail
command paid attention to them so existing setups would work. But I
didn't explicitly say that anywhere, leaving that as part of the new
config file based setup. But the recent patch to allow arbitrary
parameters in rc.d/jail necessitated a switch to the new jail command line.

I think the jail_xxx_parameters patch needs to go, or at least rc.d/jail
needs to be a bit more complex, and run the old command line when a jail
doesn't have any "_parameters". That way the old semantics will be
preserved for existing users.

- Jamie
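
The check below is an added example, not part of the original message or of FreeBSD's rc.d/jail: it reads rc.conf text and lists the jails in jail_list whose jail_xxx_parameters does not grant allow.raw_sockets, which are the jails that would hit the "Operation not permitted" errors described above. The sample rc.conf and the function names are constructed, and it assumes simple one-line, double-quoted assignments and the bare "allow.raw_sockets" form shown in the workaround.

```shell
#!/bin/sh
# Constructed sample rc.conf (illustrative jail names, not from the thread).
sample_rc_conf() {
cat <<'EOF'
jail_enable="YES"
jail_list="dhcp web build"
jail_dhcp_parameters="allow.raw_sockets"
jail_web_parameters="allow.sysvipc"
EOF
}

# Read rc.conf text on stdin and print the names of jails from jail_list
# whose jail_<name>_parameters does not contain allow.raw_sockets.
# A jail with no _parameters line at all is also reported.
jails_missing_raw_sockets() {
    conf=$(cat)
    # Last assignment wins, as it would when rc.conf is sourced.
    list=$(printf '%s\n' "$conf" |
        sed -n 's/^jail_list="\(.*\)"$/\1/p' | tail -n 1)
    missing=""
    for j in $list; do
        params=$(printf '%s\n' "$conf" |
            sed -n "s/^jail_${j}_parameters=\"\(.*\)\"\$/\1/p" | tail -n 1)
        found=no
        for p in $params; do
            # Match the whole parameter, so allow.noraw_sockets does not count.
            [ "$p" = "allow.raw_sockets" ] && found=yes
        done
        [ "$found" = yes ] || missing="$missing $j"
    done
    # Unquoted on purpose: collapses the leading space in the list.
    echo $missing
}

# Stand-alone run against the constructed sample.
sample_rc_conf | jails_missing_raw_sockets
```

On a live host, feed it /etc/rc.conf on stdin; `jls -j <name> allow.raw_sockets` shows the effective value for a running jail.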