Re: Why does netstat not work in jails?

From: Chris H <bsd-lists_at_bsdforge.com>
Date: Thu, 27 Aug 2015 20:16:27 -0700
On Thu, 27 Aug 2015 22:33:04 -0400 Allan Jude <allanjude_at_freebsd.org> wrote

> On 2015-08-27 22:12, Julian Elischer wrote:
> > On 8/28/15 9:54 AM, Chris H wrote:
> >> I've been attempting to run jails on an 11-CURRENT
> >> for the purpose of building world/kernel && ports
> >> for all of our 9-STABLE production servers. I'm using
> >> standard/classic jail setup(s) -- not using any
> >> of the "convenience" ports/applications that abstract
> >> the process in any way.
> >> While everything seemed to go as intended/anticipated,
> >> I'm seeing things I *didn't* expect.
> >> The host network gets its "public" IP from the router
> >> in front of it. From the router, I ensure that it is
> >> allocated the same non-public IP every time. So DHCP
> >> assigns it 192.168.0.100. I assigned the jail 192.168.0.103.
> >> SSHD is started within the jail, root IS allowed login.
> >> But any attempt to ssh to 192.168.0.103 from the host,
> >> returns:
> >> ssh_exchange_identification: Connection closed by remote host.
> >>
> >> SSHD is NOT running on the host.
> >>
> >> inetd_flags="-wW -a 192.168.0.100" and syslogd_flags="-ss"
> >> is set on the host via rc.conf
> > what does netstat -aAn show (on the main host).
> > 
> >> second issue; logging into the jail, via jexec. If I perform:
> >> netstat -nr
> >> The following is returned:
> >> netstat: kvm not available: /dev/mem: No such file or directory
> > is there a /dev in the jail?  if you have set it up, have you allowed
> > mem to be one of the exported devices?
> > I forget the exact details on how to set this but hopefully it's a hint.
> > I have to look it up every time.

Thanks for the hint, Julian!
> > 
> >> Routing tables
> >> rt_tables: symbol not in namelist
> >>
> >> Any thoughts jump out at anyone?
> >>
> >> Thanks!
> >>
> >> --Chris
> >>
> >> -- 
> 
> Normally I wouldn't think you would want /dev/mem to be accessible
> inside a jail, but you can probably do it by editing some of the devfs
> rules.
> 
> What info are you trying to get from netstat?
Get some idea of what the jail thinks its [network] topology is.
So I might better debug my being unable to ssh into it from the
host.

> some of the info is available from sockstat etc.
Indeed, sockstat(1) surprisingly *does* work. I thought of using it,
too. But assumed /dev/mem would have been involved there, also.
> 
> -- 
> Allan Jude

Thanks, Allan, Julian!

--Chris
Received on Fri Aug 28 2015 - 01:17:36 UTC
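
The point raised in the thread, that /dev/mem is normally not something a jail should see and that devfs rules control this, can be checked mechanically. The following is an added example, not part of the original messages: a small sh function that reads devfs.rules(5)-style text and reports rulesets containing an unhide rule that matches mem or kmem. The ruleset names jail_with_mem and jail_wild and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: list devfs rulesets whose rules would unhide /dev/mem or /dev/kmem.
# Limitation: "add include" chains are not followed and a later "hide" is not
# taken into account, so each hit is a prompt for manual review.

audit_devfs_rules() {
    ruleset=""
    while IFS= read -r line; do
        line=${line%%#*}                       # drop comments
        case $line in
            \[*=*\]*)                          # ruleset header: [name=number]
                ruleset=${line#\[}
                ruleset=${ruleset%%=*}
                continue ;;
        esac
        set -f; set -- $line; set +f           # split into words, no globbing
        [ "$1" = add ] || continue
        shift
        pattern="" action=""
        while [ $# -gt 0 ]; do
            case $1 in
                path)
                    [ $# -ge 2 ] || break
                    pattern=$(printf '%s' "$2" | tr -d "'\"")
                    shift 2 ;;
                hide|unhide) action=$1; shift ;;
                *) shift ;;
            esac
        done
        [ "$action" = unhide ] && [ -n "$pattern" ] || continue
        for dev in mem kmem; do
            case $dev in                       # devfs path patterns are globs
                $pattern) echo "$ruleset: '$pattern' unhides /dev/$dev" ;;
            esac
        done
    done
    return 0
}

# Constructed sample input in devfs.rules syntax (not taken from the thread).
sample_rules() {
    cat <<'EOF'
[devfsrules_jail=4]
add include $devfsrules_hide_all
add path zfs unhide
[jail_with_mem=100]
add path mem unhide
add path 'kmem' unhide
[jail_wild=101]
add path 'me*' unhide
EOF
}

sample_rules | audit_devfs_rules
```

To audit a real host, feed it the local rules file instead, for example `audit_devfs_rules < /etc/devfs.rules`.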