Solved No Networking In Bastille Jail

Azrael

Azrael

So, I thought I would try setting up a jail with Bastille. I found some documentation here:

bastillebsd.org

Bastille Networking in Depth | BastilleBSD

Bastille offers a number of networkings options for containerized applications.
bastillebsd.org bastillebsd.org

So I put this in my /etc/rc.conf:
Code: 
linux_enable="YES"
bastille_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"

I now have this in my /etc/pf.conf:
Code: 
ext_if="wlan0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

This alone got errors and I found more on this link:

Create an Ubuntu Linux jail on FreeBSD 12.2

Create a jailed Ubuntu Linux with Bastille on FreeBSD 12.2 Make sure Bastille is installed and configured. click here This is not offically supported, so don’t use it in production! update 2021/02/11: Auto Installer You could try the following POC for automated jail creation: DO NOT USE THIS IN...
hackacad.net hackacad.net

I added the following to my /boot/loader.conf:
Code: 
linprocfs_load="YES"
linsysfs_load="YES"
tmpfs_load="YES"

My /usr/local/bastille/jails/debian11/fstab has the following:
Code: 
devfs           /usr/local/bastille/jails/debian11/root/dev      devfs           rw                      0       0
tmpfs           /usr/local/bastille/jails/debian11/root/dev/shm  tmpfs           rw,size=1g,mode=1777    0       0
fdescfs         /usr/local/bastille/jails/debian11/root/dev/fd   fdescfs         rw,linrdlnk             0       0
linprocfs       /usr/local/bastille/jails/debian11/root/proc     linprocfs       rw                      0       0
linsysfs        /usr/local/bastille/jails/debian11/root/sys      linsysfs        rw                      0       0
/tmp            /usr/local/bastille/jails/debian11/root/tmp      nullfs          rw                      0       0

I tried adding a /home directory, but it seems to reset on each try. This is the default though.

For /usr/local/bastille/jails/debian11/jail.conf I have this:
Code: 
debian11 {
  host.hostname = debian11;
  mount.fstab = /usr/local/bastille/jails/debian11/fstab;
  path = /usr/local/bastille/jails/debian11/root;
  devfs_ruleset = 4;

  exec.start = '/bin/true';
  exec.stop = '/bin/true';
  persist;

  allow.mount;
  allow.mount.devfs;

  interface = bastille0;
  ip4.addr = 10.17.89.11;
  ip6 = disable;
}

After that I run the following as root:

Code: 
bastille bootstrap bullseye
bastille create -L debian11 bullseye 10.17.89.11 bastille0

I then noticed the following error while the installation was completing:
Code: 
Processing triggers for libc-bin (2.31-13+deb11u3) ...
Err:1 http://deb.debian.org/debian bullseye InRelease
  Temporary failure resolving 'deb.debian.org'
Reading package lists... Done   
Building dependency tree... Done
All packages are up to date.
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  Temporary failure resolving 'deb.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.

I thought I could console into the jail and correct it, but there's zero networking. Oddly enough, the jls command shows the device and ip:

Code: 
$ jls
   JID  IP Address      Hostname                      Path
     1  10.17.89.11     debian11                      /usr/local/bastille/jails/debian11/root

I can ping that ip from the host, but I can't get a ping to go out from inside the jail. I've tried restarting networking inside Debian, and yes, I know this is not a Debian forum. I tried rebooting the host. I tried running as a normal user and to sudo/doas the bastille commands. Documentation seems to be scattered and sparse on this set up Bastille. Any suggestions welcome.

EDIT: I found a site that said this might help, but no changes so far:
Code: 
sysctl security.jail.allow_raw_sockets=1 
sysctl net.inet.ip.forwarding=1
 
Israel said:
Code: 
sysctl security.jail.allow_raw_sockets=1 
sysctl net.inet.ip.forwarding=1
Click to expand...
Don't use these. The first is a deprecated setting, it sets allow_raw_sockets for all your jails. This is now deprecated in favor of a per jail setting (see allow.raw_sockets in jail(8)).
The second shouldn't be set like that, add gateway_enable="YES" to rc.conf.
 
Okay, I removed those, added the gateway_enable line to /etc/rc.conf and rebooted. Still no luck:

root@debian11:~# ping localhost
ping: socket: Protocol not supported

EDIT: Okay, I found that even though ping didn't work, apt and other services are now working. Thanks SirDice!
 
Israel said:
Okay, I removed those, added the gateway_enable line to /etc/rc.conf and rebooted. Still no luck:

root@debian11:~# ping localhost
ping: socket: Protocol not supported

EDIT: Okay, I found that even though ping didn't work, apt and other services are now working. Thanks SirDice!
Click to expand...
And "allow.raw_sockets;" in jail.conf allows the jail to ping|traceroute outwards.
 
As per mentioned by odhiambo

edit the jail.conf under the /usr/local/bastille/jails/debian11/jail.conf

add at the bottom or after the osrelease=""
allow.raw_sockets =1;

then restart the bastille debian

bastille restart debian

and login back then you can able to ping it.
 
kharlzedon said:
As per mentioned by odhiambo

edit the jail.conf under the /usr/local/bastille/jails/debian11/jail.conf

add at the bottom or after the osrelease=""
allow.raw_sockets =1;

then restart the bastille debian

bastille restart debian

and login back then you can able to ping it.
Click to expand...
Appreciated, but this was marked solved 2 years ago. I'm good, but thanks.
 
You must log in or register to reply here.
Back
Top