Re: jail and networking
On Thu, 21 Feb 2013, Shane Ambler wrote:

> It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config
>
> When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.
>
> In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and ListenAddress :: then add
>
>     ListenAddress 10.0.0.3
>
> service sshd restart
> start your jail and try again
>
> The jail config is fine as the jail only sees the one ip address assigned to it.

This is what fixed the problem. From the jail man page,

    ... The following frequently deployed services must have their individual configuration files modified to limit the application to listening to a specific IP address

It then specifically mentions ssh and sendmail.

The system I looked at runs seven jails fine without my having made that change. I am not sure why I am getting away with this, but I also thank you

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: jail and networking
> -----Original Message-----
> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of d...@safeport.com
> Sent: Thursday, February 21, 2013 11:00 AM
> To: Shane Ambler
> Cc: freebsd-questions@freebsd.org; Bernt Hansson
> Subject: Re: jail and networking
>
> On Thu, 21 Feb 2013, Shane Ambler wrote:
>
> > It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config
> >
> > When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.
> >
> > In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and ListenAddress :: then add
> >
> >     ListenAddress 10.0.0.3
> >
> > service sshd restart
> > start your jail and try again
> >
> > The jail config is fine as the jail only sees the one ip address assigned to it.
>
> This is what fixed the problem. From the jail man page,
>
>     ... The following frequently deployed services must have their individual configuration files modified to limit the application to listening to a specific IP address
>
> It then specifically mentions ssh and send mail.
>
> The system I looked at runs seven jails fine without my having made that change. I am not sure why I am getting away with this, but I also thank you

What I find strange is that:

1. I knew about ListenAddress w/respect to jails, but...
2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
3. Base machine and jails both work fine

Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails.

The only thing I've ever noticed is that we tend to use jail_NAME_ip=iface|addr while most everybody else seems to be using jail_NAME_ip=addr.
--
Devin

_
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
Re: jail and networking
On 22/02/2013 05:52, Devin Teske wrote:

> What I find strange is that:
>
> 1. I knew about ListenAddress w/respect to jails, but...
> 2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
> 3. Base machine and jails both work fine
>
> Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails.
>
> The only thing I've ever noticed is that we tend to use jail_NAME_ip=iface|addr while most everybody else seems to be using jail_NAME_ip=addr.

We may need to expand out from that. I use jail_NAME_ip=addr but also

    ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
    route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
    static_routes=jaillan0

Don't recall where I got that from but think it was an easy way to alias a number of ip's whereas ifconfig_iface_alias0 sets one ip at a time and is also deprecated.

If you use jail_NAME_ip=iface|addr does this mean you don't have ip addresses aliased to the iface on startup and they get aliased as the jail starts? That would be why sshd isn't bound to the address before.

man rc.conf for jail_jname_ip says

    ... Additionally each address can be prefixed by the name of an interface followed by a pipe to overwrite

does that mean it clears the ip from the base system and re-creates it for the jail?

I also see jail_jname_interface

    ...When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown.

Which is what sounds like the solution to not have ip's available when sshd starts so it isn't bound to them.

Also what sys version were these options added?
RE: jail and networking
On Thu, 21 Feb 2013, Shane Ambler wrote:

> On 22/02/2013 05:52, Devin Teske wrote:
> > What I find strange is that:
> >
> > 1. I knew about ListenAddress w/respect to jails, but...
> > 2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
> > 3. Base machine and jails both work fine
> >
> > Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails.
> >
> > The only thing I've ever noticed is that we tend to use jail_NAME_ip=iface|addr while most everybody else seems to be using jail_NAME_ip=addr.
>
> We may need to expand out from that. I use jail_NAME_ip=addr but also
>
>     ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
>     route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
>     static_routes=jaillan0
>
> Don't recall where I got that from but think it was an easy way to alias a number of ip's whereas ifconfig_iface_alias0 sets one ip at a time and is also deprecated.
>
> If you use jail_NAME_ip=iface|addr does this mean you don't have ip addresses aliased to the iface on startup and they get aliased as the jail starts? That would be why sshd isn't bound to the address before.

Correct, and this was my leading theory.

> man rc.conf for jail_jname_ip says
>
>     ... Additionally each address can be prefixed by the name of an interface followed by a pipe to overwrite
>
> does that mean it clears the ip from the base system and re-creates it for the jail?

Dunno -- I first learned about iface|addr from reading the code. It did what I wanted _and_ improved the clarity/readability of rc.conf(5) in the case of multiple jails utilizing separate interfaces on similar subnets. Thus, it was embraced.

> I also see jail_jname_interface
>
>     ...When set, sets the interface to use when setting IP address alias. Note that the alias is created at jail startup and removed at jail shutdown.

Never used that setting before.

> Which is what sounds like the solution to not have ip's available when sshd starts so it isn't bound to them.

Right-o.

> Also what sys version were these options added?

I would guess 8.x as we're using iface|addr in 8.1 (as previously mentioned, not using jail_jname_interface -- dunno about that one).

The following URLs might be of assistance in tracking down the origins of various options:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail
http://svnweb.freebsd.org/base/head/etc/rc.d/jail
--
Devin
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> Hello list!
>
> I don't seem to get net working in a test jail.
>
> These I've tried; ftp, fetch, telnet
> They time out.
>
> Ssh sort of work.
>
> 32bit# ssh 10.0.0.3
> ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> Host key verification failed.
>
> jail is 8.3-STABLE i386 GENERIC
> host is FreeBSD 8.3-STABLE amd64 GENERIC
>
> I'm sure you want more info so just tell me what info.

Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).

Does that seem to be the case in your situation?
--
Devin
Re: jail and networking
On 02/20/2013 19:42, Bernt Hansson wrote:

> On 2013-02-20 17:23, Teske, Devin wrote:
> > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > Hello list!
> > >
> > > I don't seem to get net working in a test jail.
> > >
> > > These I've tried; ftp, fetch, telnet
> > > They time out.
> > >
> > > Ssh sort of work.
> > >
> > > 32bit# ssh 10.0.0.3
> > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > Host key verification failed.
> > >
> > > jail is 8.3-STABLE i386 GENERIC
> > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > >
> > > I'm sure you want more info so just tell me what info.
> >
> > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> >
> > Does that seem to be the case in your situation?
>
> If you mean this
> sshd IsJ 0:00,00 /usr/sbin/sshd
> Then no.
>
> %ssh 10.0.0.10
> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>
> I did have an alias on the host to the jail's ip.
>
> Tried to restart the jail it went fine, but now I can't jexec in to the jail.
>
> testbox# jexec 1 tcsh
> jexec: jail_attach(1): Invalid argument
>
> Sooo... I'm kind of out of ideas.

What does jls command say? If you have restarted your jail, its ID most likely has changed.
Re: jail and networking
On 20/02/2013 18:23, Bernt Hansson wrote:

> The ID did change, didn't know about that, thank you.
>
> But still, sshd isn't running in the jail
>
> 32bit# ps ax
>  PID  TT  STAT      TIME COMMAND
> 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> 2464   0  SJ     0:00,01 tcsh
> 2482   0  R+J    0:00,00 ps ax
>
> testbox# ps ax | grep J
> 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> 2488   0  S+     0:00,00 grep J
>
> testbox is the host.

I assume you setup the /etc/resolv.conf? I have found that my network does not start until I have this setup.

--
Regards,
Gary J. Hayers
g...@hayers.org
PGP Signature http://www.hayers.org/pgp
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> On 2013-02-20 17:23, Teske, Devin wrote:
> > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > Hello list!
> > >
> > > I don't seem to get net working in a test jail.
> > >
> > > These I've tried; ftp, fetch, telnet
> > > They time out.
> > >
> > > Ssh sort of work.
> > >
> > > 32bit# ssh 10.0.0.3
> > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > Host key verification failed.
> > >
> > > jail is 8.3-STABLE i386 GENERIC
> > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > >
> > > I'm sure you want more info so just tell me what info.
> >
> > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> >
> > Does that seem to be the case in your situation?
>
> If you mean this
> sshd IsJ 0:00,00 /usr/sbin/sshd
> Then no.
>
> %ssh 10.0.0.10
> ssh: connect to host 10.0.0.10 port 22: Operation timed out
>
> I did have an alias on the host to the jail's ip.
>
> Tried to restart the jail it went fine, but now I can't jexec in to the jail.
>
> testbox# jexec 1 tcsh
> jexec: jail_attach(1): Invalid argument
>
> Sooo... I'm kind of out of ideas.

When you restart a jail its jid (the first argument to jexec) changes.

Instead of using the jid you can use the jail name (example below):

    jexec NAME tcsh

Otherwise, you're going to have to do jls to get the new jid after restarting the jail.
--
Devin
RE: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> On 2013-02-20 19:07, Jeff Tipton wrote:
> > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > Hello list!
> > > > >
> > > > > I don't seem to get net working in a test jail.
> > > > >
> > > > > These I've tried; ftp, fetch, telnet
> > > > > They time out.
> > > > >
> > > > > Ssh sort of work.
> > > > >
> > > > > 32bit# ssh 10.0.0.3
> > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > Host key verification failed.
> > > > >
> > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > >
> > > > > I'm sure you want more info so just tell me what info.
> > > >
> > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > >
> > > > Does that seem to be the case in your situation?
> > >
> > > If you mean this
> > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > Then no.
> > >
> > > %ssh 10.0.0.10
> > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > >
> > > I did have an alias on the host to the jail's ip.
> > >
> > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > >
> > > testbox# jexec 1 tcsh
> > > jexec: jail_attach(1): Invalid argument
> > >
> > > Sooo... I'm kind of out of ideas.
> >
> > What does jls command say? If you have restarted your jail, its ID most likely has changed.
>
> The ID did change, didn't know about that, thank you.
>
> But still, sshd isn't running in the jail
>
> 32bit# ps ax
>  PID  TT  STAT      TIME COMMAND
> 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> 2464   0  SJ     0:00,01 tcsh
> 2482   0  R+J    0:00,00 ps ax
>
> testbox# ps ax | grep J
> 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> 2488   0  S+     0:00,00 grep J
>
> testbox is the host.

A stab in the dark, but...

Did you add sshd_enable=YES to the jail's rc.conf(5)?
--
Devin
Re: jail and networking
On 02/20/2013 20:59, Teske, Devin wrote:

> On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > Hello list!
> > > > > >
> > > > > > I don't seem to get net working in a test jail.
> > > > > >
> > > > > > These I've tried; ftp, fetch, telnet
> > > > > > They time out.
> > > > > >
> > > > > > Ssh sort of work.
> > > > > >
> > > > > > 32bit# ssh 10.0.0.3
> > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > Host key verification failed.
> > > > > >
> > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > >
> > > > > > I'm sure you want more info so just tell me what info.
> > > > >
> > > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > > >
> > > > > Does that seem to be the case in your situation?
> > > >
> > > > If you mean this
> > > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > > Then no.
> > > >
> > > > %ssh 10.0.0.10
> > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > >
> > > > I did have an alias on the host to the jail's ip.
> > > >
> > > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > > >
> > > > testbox# jexec 1 tcsh
> > > > jexec: jail_attach(1): Invalid argument
> > > >
> > > > Sooo... I'm kind of out of ideas.
> > >
> > > What does jls command say? If you have restarted your jail, its ID most likely has changed.
> >
> > The ID did change, didn't know about that, thank you.
> >
> > But still, sshd isn't running in the jail
> >
> > 32bit# ps ax
> >  PID  TT  STAT      TIME COMMAND
> > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > 2464   0  SJ     0:00,01 tcsh
> > 2482   0  R+J    0:00,00 ps ax
> >
> > testbox# ps ax | grep J
> > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > 2488   0  S+     0:00,00 grep J
> >
> > testbox is the host.
>
> A stab in the dark, but...
>
> Did you add sshd_enable=YES to the jail's rc.conf(5)?

Or, from within the jail, what does service sshd status say?
Re: jail and networking
On Wed, 20 Feb 2013, Jeff Tipton wrote:

> On 02/20/2013 20:59, Teske, Devin wrote:
> > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > Hello list!
> > > > > > >
> > > > > > > I don't seem to get net working in a test jail.
> > > > > > >
> > > > > > > These I've tried; ftp, fetch, telnet
> > > > > > > They time out.
> > > > > > >
> > > > > > > Ssh sort of work.
> > > > > > >
> > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > Host key verification failed.
> > > > > > >
> > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > >
> > > > > > > I'm sure you want more info so just tell me what info.
> > > > > >
> > > > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > > > >
> > > > > > Does that seem to be the case in your situation?
> > > > >
> > > > > If you mean this
> > > > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > > > Then no.
> > > > >
> > > > > %ssh 10.0.0.10
> > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > >
> > > > > I did have an alias on the host to the jail's ip.
> > > > >
> > > > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > > > >
> > > > > testbox# jexec 1 tcsh
> > > > > jexec: jail_attach(1): Invalid argument
> > > > >
> > > > > Sooo... I'm kind of out of ideas.
> > > >
> > > > What does jls command say? If you have restarted your jail, its ID most likely has changed.
> > >
> > > The ID did change, didn't know about that, thank you.
> > >
> > > But still, sshd isn't running in the jail
> > >
> > > 32bit# ps ax
> > >  PID  TT  STAT      TIME COMMAND
> > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > 2464   0  SJ     0:00,01 tcsh
> > > 2482   0  R+J    0:00,00 ps ax
> > >
> > > testbox# ps ax | grep J
> > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > 2488   0  S+     0:00,00 grep J
> > >
> > > testbox is the host.
> >
> > A stab in the dark, but...
> >
> > Did you add sshd_enable=YES to the jail's rc.conf(5)?
>
> Or, from within the jail, what does service sshd status say?

Or from the host: sockstat | grep :22. You should see something like

    root sshd 2016 3 tcp4 192.168.17.15:22 *:*

for each jail
Re: jail and networking
2013-02-20 19:59, Teske, Devin wrote:

> On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > Hello list!
> > > > > >
> > > > > > I don't seem to get net working in a test jail.
> > > > > >
> > > > > > These I've tried; ftp, fetch, telnet
> > > > > > They time out.
> > > > > >
> > > > > > Ssh sort of work.
> > > > > >
> > > > > > 32bit# ssh 10.0.0.3
> > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > Host key verification failed.
> > > > > >
> > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > >
> > > > > > I'm sure you want more info so just tell me what info.
> > > > >
> > > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > > >
> > > > > Does that seem to be the case in your situation?
> > > >
> > > > If you mean this
> > > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > > Then no.
> > > >
> > > > %ssh 10.0.0.10
> > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > >
> > > > I did have an alias on the host to the jail's ip.
> > > >
> > > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > > >
> > > > testbox# jexec 1 tcsh
> > > > jexec: jail_attach(1): Invalid argument
> > > >
> > > > Sooo... I'm kind of out of ideas.
> > >
> > > What does jls command say? If you have restarted your jail, its ID most likely has changed.
> >
> > The ID did change, didn't know about that, thank you.
> >
> > But still, sshd isn't running in the jail
> >
> > 32bit# ps ax
> >  PID  TT  STAT      TIME COMMAND
> > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > 2464   0  SJ     0:00,01 tcsh
> > 2482   0  R+J    0:00,00 ps ax
> >
> > testbox# ps ax | grep J
> > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > 2488   0  S+     0:00,00 grep J
> >
> > testbox is the host.
>
> A stab in the dark, but...
>
> Did you add sshd_enable=YES to the jail's rc.conf(5)?

Yes, yes I did.

rc.conf from the jail

    #ifconfig_xl0=DHCP
    #defaultrouter=10.0.0.3
    sendmail_enable=NO
    #inetd_enable=NO
    sshd_enable=YES
    #ntpdate_enable=YES
    #ntpdate_flags=time1.stupi.se
    # -- sysinstall generated deltas -- # Mon Jan 21 01:22:37 2013
    keymap=swedish.iso
Re: jail and networking
2013-02-20 20:10, Jeff Tipton wrote:

> On 02/20/2013 20:59, Teske, Devin wrote:
> > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > Hello list!
> > > > > > >
> > > > > > > I don't seem to get net working in a test jail.
> > > > > > >
> > > > > > > These I've tried; ftp, fetch, telnet
> > > > > > > They time out.
> > > > > > >
> > > > > > > Ssh sort of work.
> > > > > > >
> > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > Host key verification failed.
> > > > > > >
> > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > >
> > > > > > > I'm sure you want more info so just tell me what info.
> > > > > >
> > > > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > > > >
> > > > > > Does that seem to be the case in your situation?
> > > > >
> > > > > If you mean this
> > > > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > > > Then no.
> > > > >
> > > > > %ssh 10.0.0.10
> > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > >
> > > > > I did have an alias on the host to the jail's ip.
> > > > >
> > > > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > > > >
> > > > > testbox# jexec 1 tcsh
> > > > > jexec: jail_attach(1): Invalid argument
> > > > >
> > > > > Sooo... I'm kind of out of ideas.
> > > >
> > > > What does jls command say? If you have restarted your jail, its ID most likely has changed.
> > >
> > > The ID did change, didn't know about that, thank you.
> > >
> > > But still, sshd isn't running in the jail
> > >
> > > 32bit# ps ax
> > >  PID  TT  STAT      TIME COMMAND
> > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > 2464   0  SJ     0:00,01 tcsh
> > > 2482   0  R+J    0:00,00 ps ax
> > >
> > > testbox# ps ax | grep J
> > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > 2488   0  S+     0:00,00 grep J
> > >
> > > testbox is the host.
> >
> > A stab in the dark, but...
> >
> > Did you add sshd_enable=YES to the jail's rc.conf(5)?
>
> Or, from within the jail, what does service sshd status say?

    32bit# service sshd status
    sshd is not running.
Re: jail and networking
2013-02-20 22:17, doug wrote:

> On Wed, 20 Feb 2013, Jeff Tipton wrote:
> > On 02/20/2013 20:59, Teske, Devin wrote:
> > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > > Hello list!
> > > > > > > >
> > > > > > > > I don't seem to get net working in a test jail.
> > > > > > > >
> > > > > > > > These I've tried; ftp, fetch, telnet
> > > > > > > > They time out.
> > > > > > > >
> > > > > > > > Ssh sort of work.
> > > > > > > >
> > > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > > Host key verification failed.
> > > > > > > >
> > > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > > >
> > > > > > > > I'm sure you want more info so just tell me what info.
> > > > > > >
> > > > > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > > > > >
> > > > > > > Does that seem to be the case in your situation?
> > > > > >
> > > > > > If you mean this
> > > > > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > > > > Then no.
> > > > > >
> > > > > > %ssh 10.0.0.10
> > > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > > >
> > > > > > I did have an alias on the host to the jail's ip.
> > > > > >
> > > > > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > > > > >
> > > > > > testbox# jexec 1 tcsh
> > > > > > jexec: jail_attach(1): Invalid argument
> > > > > >
> > > > > > Sooo... I'm kind of out of ideas.
> > > > >
> > > > > What does jls command say? If you have restarted your jail, its ID most likely has changed.
> > > >
> > > > The ID did change, didn't know about that, thank you.
> > > >
> > > > But still, sshd isn't running in the jail
> > > >
> > > > 32bit# ps ax
> > > >  PID  TT  STAT      TIME COMMAND
> > > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > > 2464   0  SJ     0:00,01 tcsh
> > > > 2482   0  R+J    0:00,00 ps ax
> > > >
> > > > testbox# ps ax | grep J
> > > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > > 2488   0  S+     0:00,00 grep J
> > > >
> > > > testbox is the host.
>
> Or from the host: sockstat | grep :22. You should see something like
>
>     root sshd 2016 3 tcp4 192.168.17.15:22 *:*
>
> for each jail

    testbox# sockstat | grep :22
    bernt    sshd       3541  3  tcp4   10.0.0.3:22           80.x.x.x:25605
    root     sshd       3539  3  tcp4   10.0.0.3:22           80.x.x.x:25605
    root     sshd       1296  3  tcp6   *:22                  *:*
    root     sshd       1296  4  tcp4   *:22                  *:*

The jail has ip 10.0.0.10. There is only one jail.
Re: jail and networking
On Wed, 20 Feb 2013, Bernt Hansson wrote:

> 2013-02-20 22:17, doug wrote:
> > On Wed, 20 Feb 2013, Jeff Tipton wrote:
> > > On 02/20/2013 20:59, Teske, Devin wrote:
> > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > On 2013-02-20 19:07, Jeff Tipton wrote:
> > > > > > On 02/20/2013 19:42, Bernt Hansson wrote:
> > > > > > > On 2013-02-20 17:23, Teske, Devin wrote:
> > > > > > > > On Wed, 20 Feb 2013, Bernt Hansson wrote:
> > > > > > > > > Hello list!
> > > > > > > > >
> > > > > > > > > I don't seem to get net working in a test jail.
> > > > > > > > >
> > > > > > > > > These I've tried; ftp, fetch, telnet
> > > > > > > > > They time out.
> > > > > > > > >
> > > > > > > > > Ssh sort of work.
> > > > > > > > >
> > > > > > > > > 32bit# ssh 10.0.0.3
> > > > > > > > > ssh_askpass: exec(/usr/local/bin/ssh-askpass): No such file or directory
> > > > > > > > > Host key verification failed.
> > > > > > > > >
> > > > > > > > > jail is 8.3-STABLE i386 GENERIC
> > > > > > > > > host is FreeBSD 8.3-STABLE amd64 GENERIC
> > > > > > > > >
> > > > > > > > > I'm sure you want more info so just tell me what info.
> > > > > > > >
> > > > > > > > Commonly the problem is that you are jexec'd into the jail and I find that tools like ssh, ftp, telnet, etc. don't work when you're in the jail via jexec but instead what works way better is if you ssh into the jail (via the jail'd ssh process of course).
> > > > > > > >
> > > > > > > > Does that seem to be the case in your situation?
> > > > > > >
> > > > > > > If you mean this
> > > > > > > sshd IsJ 0:00,00 /usr/sbin/sshd
> > > > > > > Then no.
> > > > > > >
> > > > > > > %ssh 10.0.0.10
> > > > > > > ssh: connect to host 10.0.0.10 port 22: Operation timed out
> > > > > > >
> > > > > > > I did have an alias on the host to the jail's ip.
> > > > > > >
> > > > > > > Tried to restart the jail it went fine, but now I can't jexec in to the jail.
> > > > > > >
> > > > > > > testbox# jexec 1 tcsh
> > > > > > > jexec: jail_attach(1): Invalid argument
> > > > > > >
> > > > > > > Sooo... I'm kind of out of ideas.
> > > > > >
> > > > > > What does jls command say? If you have restarted your jail, its ID most likely has changed.
> > > > >
> > > > > The ID did change, didn't know about that, thank you.
> > > > >
> > > > > But still, sshd isn't running in the jail
> > > > >
> > > > > 32bit# ps ax
> > > > >  PID  TT  STAT      TIME COMMAND
> > > > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > > > 2464   0  SJ     0:00,01 tcsh
> > > > > 2482   0  R+J    0:00,00 ps ax
> > > > >
> > > > > testbox# ps ax | grep J
> > > > > 2385  ??  IsJ    0:00,00 sendmail: Queue runner@00:30:00 for /var/spool/clientmqueue (sendmail)
> > > > > 2391  ??  SsJ    0:00,00 /usr/sbin/cron -s
> > > > > 2488   0  S+     0:00,00 grep J
> > > > >
> > > > > testbox is the host.
> >
> > Or from the host: sockstat | grep :22. You should see something like
> >
> >     root sshd 2016 3 tcp4 192.168.17.15:22 *:*
> >
> > for each jail
>
> testbox# sockstat | grep :22
> bernt    sshd       3541  3  tcp4   10.0.0.3:22           80.x.x.x:25605
> root     sshd       3539  3  tcp4   10.0.0.3:22           80.x.x.x:25605
> root     sshd       1296  3  tcp6   *:22                  *:*
> root     sshd       1296  4  tcp4   *:22                  *:*
>
> The jail has ip 10.0.0.10. There is only one jail.

I could not see anything you are doing wrong, so here are the relevant parts of a host/jail we use for testing. I got all this by following the jail man page and/or hacking things that are working. I hope this helps. This is all on an 8.2 system.

Host config

rc.conf
-------
    hostname=bcr.boltsys.com
    ifconfig_em0=DHCP
    sshd_enable=YES
    :
    #jail base settings
    inetd_flags="-wW -a 10.1.10.110"
    rpcbind_enable=NO

    # Jail general settings
    ifconfig_em0_alias0="inet 10.1.10.111 netmask 255.255.255.255"
    jail_set_hostname_allow=NO
    jail_enable=YES
    jail_interface=em0
    jail_devfs_enable=YES
    jail_procfs_enable=YES
    jail_list=webmail
    jail_webmail_rootdir=/usr/home/webmail
    jail_webmail_hostname=webmail.boltsys.com
    jail_webmail_ip=10.1.10.111

ifconfig (host)
    inet 10.1.10.111 netmask 0x broadcast 10.1.10.111
    inet 10.1.10.110 netmask 0xff00 broadcast 10.1.10.255

Jail config

rc.conf
-------
    network_interfaces=
    hostname=webmail.boltsys.com
    sshd_enable=YES
    sendmail_enable=NO
    sendmail_outbound_enable=YES
    inetd_flags="-wW -a 10.1.10.111"
    inetd_enable=NO
    rpcbind_enable=NO

_
Douglas Denault
http://www.safeport.com
d...@safeport.com
Voice: 301-217-9220
Fax: 301-217-9277
Re: jail and networking
It's been a while since I experimented with jails but I'm pretty sure it is the reason I changed my sshd_config

When you start sshd on the base system by default it binds against 0.0.0.0 and :: which is every ip4 and ip6 address configured on the base system, which includes the aliased ip's for your jails. This is represented by the *:22 from sockstat. When you start the jail it can't start sshd because the base already has that address/port in use.

In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and ListenAddress :: then add

    ListenAddress 10.0.0.3

service sshd restart
start your jail and try again

The jail config is fine as the jail only sees the one ip address assigned to it.
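
The `sockstat | grep :22` check and the `*:22` wildcard bind discussed in this thread, turned into a small audit script. This is an added example, not part of any poster's message: it lists host sockets listening on the wildcard address and the jail addresses they therefore include. The function names, the header row, the peer address 192.0.2.10 and the sendmail line in the sample are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread.
# On a FreeBSD host, feed real data with:  sockstat -4 -6 -l | jail_overlap 10.0.0.10

# Constructed sample modelled on the sockstat output quoted in the thread.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bernt    sshd       3541  3  tcp4   10.0.0.3:22           192.0.2.10:25605
root     sshd       3539  3  tcp4   10.0.0.3:22           192.0.2.10:25605
root     sshd       1296  3  tcp6   *:22                  *:*
root     sshd       1296  4  tcp4   *:22                  *:*
root     sendmail   1100  4  tcp4   127.0.0.1:25          *:*
EOF
}

# Read sockstat text on stdin and print "command pid proto port" for every
# TCP socket that listens on the wildcard address (local *:port, foreign *:*).
# Established connections and listeners pinned to one address are skipped.
wildcard_listeners() {
    awk '$5 ~ /^tcp[46]$/ && $6 ~ /^\*:[0-9]+$/ && $7 == "*:*" {
        split($6, a, ":")
        print $2, $3, $5, a[2]
    }' | sort -u
}

# Read sockstat text on stdin; arguments are the IPv4 addresses aliased on the
# host for jails. For each IPv4 wildcard listener, print one line per jail
# address that the wildcard bind includes. These are the services to pin with
# a specific listen address (ListenAddress in sshd_config, as in the thread).
jail_overlap() {
    listeners=$(wildcard_listeners)
    [ -n "$listeners" ] || return 0
    for ip in "$@"; do
        printf '%s\n' "$listeners" | awk -v ip="$ip" '$3 == "tcp4" {
            printf "%s (pid %s) on *:%s also covers %s:%s\n", $1, $2, $4, ip, $4
        }'
    done
}

# Demonstration on the constructed sample, using the jail address from the thread.
sample_sockstat | jail_overlap 10.0.0.10
```

After setting a specific ListenAddress on the host and restarting sshd, the same check over fresh sockstat output should print nothing for port 22.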