Bug #34339

No networking in iocage jail after upgrade to 11.1 U5

Added by Famine Badger over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: No priority
Assignee: Brandon Schneider
Category: OS
Target version:
Seen in:
Severity: High
Reason for Closing: Duplicate Issue
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I upgraded to 11.1-U5 this morning, and after reboot found I had no networking to/from my jails - I couldn't ping them from outside, nor reach outside from within.

After checking a few things, I noticed some differences in the networking setup from before the reboot.

1) The ethernet device on the NAS was no longer in promiscuous mode, which I think should be required for VNET.

2) The ethernet device on the NAS had different options (+RXCSUM/TXCSUM) - could be related to promiscuous toggle

3) The ethernet device on the NAS was no longer on the bridge created for the jails.

4) The tunnel device on the jail was missing completely.

These all seem related, and undoubtedly the reason I can't get network access, but why has this suddenly happened as part of what should be a fairly minor OS upgrade? Does anyone know what's going on here?

Thanks,

Famine


Related issues

Related to FreeNAS - Feature #33054: Automatically create bridge with default route for iocage jails (Done)
Has duplicate FreeNAS - Bug #34468: Networking (Closed)

History

#2 Updated by Famine Badger over 2 years ago

FWIW, I have a pre-init task of "devfs rule -s 4 add path 'tun*' unhide" in order to make tun devices work properly with iocage (they were fine without this on warden) - but this rule was still intact post-upgrade, so that's not the problem.

#3 Updated by Famine Badger over 2 years ago

Well, a forum poster has helpfully discovered that this looks to be due to a change in iocage (https://github.com/iocage/iocage/pull/530).

Unfortunately though adding an rc.conf tunable "ifconfig_bridge0=addm em0 up" doesn't fix the problem, so at present it requires manually adding the interface to the bridge at every boot, and then re-starting the VPN client inside my jail.

#4 Updated by Dru Lavigne over 2 years ago

  • Category changed from Middleware to OS
  • Assignee changed from Release Council to Brandon Schneider
  • Target version changed from Backlog to 11.1-U6

#6 Updated by Brandon Schneider over 2 years ago

  • Status changed from Unscreened to Closed
  • Reason for Closing set to Behaves as Intended

This is a purposeful change, that unfortunately wasn't targeted correctly with the associated fix ticket to do so for users (https://redmine.ixsystems.com/issues/33054). I should clarify and say only #3 is iocage's domain, the rest isn't related. You also shouldn't be needing the devfs rule, if you do, please create a ticket. That is not intended.

#7 Updated by Brandon Schneider over 2 years ago

  • Related to Bug #3054: FreeNAS 9.1.0 stalls during I/O (AFP) on x86_64 - stalled instance persists on a VM added

#8 Updated by Brandon Schneider over 2 years ago

  • Related to deleted (Bug #3054: FreeNAS 9.1.0 stalls during I/O (AFP) on x86_64 - stalled instance persists on a VM)

#9 Updated by Brandon Schneider over 2 years ago

  • Related to Feature #33054: Automatically create bridge with default route for iocage jails added

#10 Updated by Dru Lavigne over 2 years ago

  • Target version changed from 11.1-U6 to N/A
  • Reason for Closing changed from Behaves as Intended to Duplicate Issue

#11 Updated by Famine Badger over 2 years ago

Brandon Schneider wrote:

You also shouldn't be needing the devfs rule, if you do, please create a ticket. That is not intended.

Are you sure that's correct? It seems quite clear that the default ruleset for jails is 4 in /etc/defaults/devfs.rules, which hides everything except the exceptions specified in rules 2 and 3 - and tun devices are not in the list of exceptions.

There's plenty of evidence on the forum that others have also experienced this problem - e.g. https://forums.freenas.org/index.php?threads/openvpn-issues-in-new-jails-after-11-1.59828/

I think we understood that this was "working as intended" for new "more secure" iocage jails.

#12 Updated by Brandon Schneider over 2 years ago

Whoops, brain fart. I was thinking about something else. You're correct, that will still be required. It is working as intended for more secure jails. iocage takes the approach of less is more in terms of unhiding things, warden was a lot more open by default.
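A boot-time check for the two conditions this ticket ends on (the NIC missing from the jail bridge, and the tun unhide rule in devfs ruleset 4), as an added example that is not part of the ticket or of iocage. The sample outputs are constructed, and the line format of `devfs rule show` is an assumption.

```shell
#!/bin/sh
# Added example: checks for the two conditions discussed in this ticket.
# The parsers read command output on stdin so they can be exercised offline.

# Succeeds if interface $1 appears as a "member:" line of `ifconfig <bridge>` output.
bridge_has_member() {
    awk -v nic="$1" '$1 == "member:" && $2 == nic { found = 1 } END { exit !found }'
}

# Succeeds if `devfs rule -s <n> show` output has an unhide rule for a tun path.
# Assumption: rules print as "<number> path <pattern> unhide".
ruleset_unhides_tun() {
    awk '/(^|[ \t])path[ \t]+tun[^ \t]*[ \t]+unhide([ \t]|$)/ { found = 1 }
         END { exit !found }'
}

# Run both checks on a live host, e.g. `check_host bridge0 em0 4`
# (bridge, NIC and ruleset number as named in this ticket).
check_host() {
    rc=0
    ifconfig "$1" 2>/dev/null | bridge_has_member "$2" ||
        { echo "WARN: $2 is not a member of $1"; rc=1; }
    devfs rule -s "$3" show 2>/dev/null | ruleset_unhides_tun ||
        { echo "WARN: devfs ruleset $3 does not unhide tun devices"; rc=1; }
    return "$rc"
}

# Constructed sample output (not captured from the reporter's system).
SAMPLE_BRIDGE_OK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vnet0:1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
SAMPLE_BRIDGE_BROKEN='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vnet0:1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
SAMPLE_RULES_DEFAULT='100 include 1
200 include 2
300 include 3
400 path zfs unhide'
SAMPLE_RULES_WITH_TUN="$SAMPLE_RULES_DEFAULT
500 path tun* unhide"
```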

#13 Updated by Dru Lavigne over 2 years ago
