There are known problems with vnet and firewalls. I’ve been plagued by such issues for months. In this case, my git jail, I’m giving up and moving away from vnet jails.
This post documents how I did this.
Get the IP address
Make sure you know the existing IP address of that jail. It might be defined within the jail, via /etc/rc.conf, or it might be in the jail configuration. I ssh'd into the jail and looked at the ifconfig output.
I changed from vnet0 to ix2, the external NIC on this server (at home in my basement).
$ sudo iocage set ip4_addr="ix2|10.55.0.30/24" git.langille.org
ip4_addr: vnet0|10.55.0.30/24 -> ix2|10.55.0.30/24
Other vnet configuration
Let’s grep the file:
[dan@slocum:/iocage/jails/git.langille.org] $ grep vnet config.json
    "interfaces": "vnet0:bridge0",
    "vnet": 1,
    "vnet0_mac": "001b21b738b3 001b21b738b4",
    "vnet1_mac": "none",
    "vnet2_mac": "none",
    "vnet3_mac": "none",
    "vnet_default_interface": "auto",
    "vnet_interfaces": "none",
The canonical method would be:
$ iocage get all git.langille.org | grep -i vnet
interfaces:vnet0:bridge0
vnet:1
vnet0_mac:001b21b738b3 001b21b738b4
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
Let’s start with:
$ sudo iocage set vnet=0 git.langille.org
vnet: 1 -> 0
I also consulted my notes on Moving poudriere from the host into a jail.
Let’s compare this jail with a jail which has never had vnet:
[dan@slocum:/iocage/jails/git.langille.org] $ iocage get all webserver | grep -i vnet
interfaces:vnet0:bridge0
vnet:0
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
OK, only the vnet0_mac differs. I think I’ll ignore that.
Further comparison led to this change:
$ sudo iocage set allow_raw_sockets=0 defaultrouter=auto git.langille.org
allow_raw_sockets: 0 -> 0
defaultrouter: 10.55.0.1 -> auto
Start the jail!
I started the jail:
sudo iocage start git.langille.org
It started. The webpage came up. ssh worked.
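The property changes above, gathered into one reviewable plan. This is an added example, not code from this post or from iocage: it reads the keys that config.json carries, rewrites the vnet interface in ip4_addr to the host NIC, and emits the iocage set commands to run (rather than editing config.json behind iocage's back). The jail name, the NIC name and the sample config values are assumptions taken from this post.

```python
"""Plan the iocage property changes that move a vnet jail to a shared-stack jail."""
import json
import shlex

# Values a jail that never had vnet carries (from the webserver comparison above).
# vnet0_mac is a leftover that does no harm, so it is deliberately not touched.
# allow_raw_sockets=0 matters more on a shared stack: the jail shares the
# host's network stack, so it should not be able to craft raw packets on it.
NON_VNET_DEFAULTS = {"vnet": 0, "defaultrouter": "auto", "allow_raw_sockets": 0}

# Constructed sample, mirroring the config.json values grepped above.
SAMPLE_CONFIG = json.loads("""{
  "ip4_addr": "vnet0|10.55.0.30/24",
  "interfaces": "vnet0:bridge0",
  "vnet": 1,
  "vnet0_mac": "001b21b738b3 001b21b738b4",
  "vnet_interfaces": "none",
  "defaultrouter": "10.55.0.1",
  "allow_raw_sockets": 0
}""")


def _rewrite_entry(entry, nic):
    """Swap a 'vnetN|addr/prefix' entry to 'nic|addr/prefix'; leave others alone."""
    iface, sep, addr = entry.partition("|")
    if sep and iface.startswith("vnet"):
        return f"{nic}|{addr}"
    return entry


def plan_vnet_to_shared(config, jail, nic):
    """Return (properties that must change, iocage set commands) for `jail`.

    `nic` is the host interface the shared-stack jail aliases its address onto
    (ix2 in the post). A jail with extra vnet interfaces is refused, since those
    have no shared-stack equivalent and would silently be lost.
    """
    if config.get("vnet_interfaces", "none") != "none":
        raise ValueError("jail uses extra vnet interfaces; move those first")
    changes = {}
    # ip4_addr may hold several comma-separated 'iface|addr/prefix' entries.
    new_addr = ",".join(_rewrite_entry(e, nic) for e in config["ip4_addr"].split(","))
    if new_addr != config["ip4_addr"]:
        changes["ip4_addr"] = new_addr
    for key, value in NON_VNET_DEFAULTS.items():
        if str(config.get(key)) != str(value):   # tolerate 0 vs "0" in config.json
            changes[key] = value
    cmds = [f"iocage set {shlex.quote(f'{k}={v}')} {jail}" for k, v in changes.items()]
    return changes, cmds


if __name__ == "__main__":
    _, commands = plan_vnet_to_shared(SAMPLE_CONFIG, "git.langille.org", "ix2")
    print("\n".join(commands))
```

Run the printed commands with sudo once they look right; the jail must be stopped first, as in the post.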
BUT WAIT THERE’S MORE!
This, this is what I wanted to work, and which did not under vnet:
$ sudo pkg upgrade
Updating local repository catalogue...
[git.langille.org] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
[git.langille.org] Fetching packagesite.txz: 100%  248 KiB 253.9kB/s    00:01
Processing entries: 100%
local repository update completed. 948 packages processed.
All repositories are up to date.
Checking for upgrades (16 candidates): 100%
Processing candidates (16 candidates): 100%
The following 17 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	libedit: 3.1.20191231,1

Installed packages to be UPGRADED:
	gettext-runtime: 0.20.2 -> 0.21
	git: 2.27.0 -> 2.28.0
	gitea: 1.12.2 -> 1.12.3
	perl5: 5.30.3 -> 5.32.0
	sqlite3: 3.32.3_1,1 -> 3.32.3_2,1

Installed packages to be REINSTALLED:
	logcheck-1.3.20 (direct dependency changed: perl5)
	mime-construct-1.11_2 (direct dependency changed: perl5)
	p5-CGI-4.50 (direct dependency changed: perl5)
	p5-Error-0.17029 (direct dependency changed: perl5)
	p5-HTML-Parser-3.72 (direct dependency changed: perl5)
	p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
	p5-IPC-Signal-1.00_1 (direct dependency changed: perl5)
	p5-MIME-Types-2.17 (direct dependency changed: perl5)
	p5-Proc-WaitStat-1.00_1 (direct dependency changed: perl5)
	p5-Term-ReadKey-2.38_1 (direct dependency changed: perl5)
	p5-subversion-1.14.0 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 5
Number of packages to be reinstalled: 11

The process will require 2 MiB more space.
54 MiB to be downloaded.

Proceed with this action? [y/N]:
And then
I also wanted to clear this up:
[dan@git:~] $ sudo /usr/local/etc/periodic/daily/999-samdrucker-client
[dan@git:~] $
This host hadn’t been checking in with the SamDrucker results lately.
BTW, today I upgraded all my apache24 hosts. I noticed a pkg audit on one host, and then issued this query to find all the other affected hosts:
samdrucker=# select * from hostswithpackage('apache24');
         hostswithpackage
-----------------------------------
 samdrucker.int.unixathome.org
 gelt.unixathome.org
 svn.int.unixathome.org
 webserver.int.unixathome.org
 besser.int.unixathome.org
 beta.bsdcan.org
 svn.bsdcan.org
 mailman.unixathome.org
 svn.pgcon.org
 webs01.unixathome.org
 www.pgcon.org
 fruity-ext.int.unixathome.org
 wikis.unixathome.org
 fruity-int.int.unixathome.org
 nagios02.unixathome.org
 librenms.int.unixathome.org
 mobile-nginx01.int.unixathome.org
(17 rows)

samdrucker=#
All fixed.
Thank you for coming to my TED talk.