No networking in iocage jail after upgrade to 11.1 U5
I upgraded to 11.1-U5 this morning, and after reboot found I had no networking to/from my jails - I couldn't ping them from outside, nor reach outside from within.
After checking a few things, I noticed some differences in the networking setup from before the reboot.
1) The ethernet device on the NAS was no longer in promiscuous mode, which I think should be required for VNET.
2) The ethernet device on the NAS had different options (+RXCSUM/TXCSUM) - could be related to the promiscuous toggle.
3) The ethernet device on the NAS was no longer on the bridge created for the jails.
4) The tunnel device on the jail was missing completely.
These all seem related, and undoubtedly the reason I can't get network access, but why has this suddenly happened as part of what should be a fairly minor OS upgrade? Does anyone know what's going on here?
#1 Updated by Famine Badger over 2 years ago
#3 Updated by Famine Badger over 2 years ago
Well, a forum poster has helpfully discovered that this looks to be due to a change in iocage (https://github.com/iocage/iocage/pull/530).
Unfortunately though adding an rc.conf tunable "ifconfig_bridge0=addm em0 up" doesn't fix the problem, so at present it requires manually adding the interface to the bridge at every boot, and then re-starting the VPN client inside my jail.
#6 Updated by Brandon Schneider over 2 years ago
- Status changed from Unscreened to Closed
- Reason for Closing set to Behaves as Intended
This is a purposeful change that unfortunately wasn't targeted correctly with the associated fix ticket to do so for users (https://redmine.ixsystems.com/issues/33054). I should clarify and say only #3 is iocage's domain, the rest isn't related. You also shouldn't be needing the devfs rule, if you do, please create a ticket. That is not intended.
#11 Updated by Famine Badger over 2 years ago
Brandon Schneider wrote:
You also shouldn't be needing the devfs rule, if you do, please create a ticket. That is not intended.
Are you sure that's correct? It seems quite clear that the default ruleset for jails is 4 in /etc/defaults/devfs.rules, which hides everything except the exceptions specified in rules 2 and 3 - and tun devices are not in the list of exceptions.
There's plenty of evidence on the forum that others have also experienced this problem - e.g. https://forums.freenas.org/index.php?threads/openvpn-issues-in-new-jails-after-11-1.59828/
I think we understood that this was "working as intended" for new "more secure" iocage jails.
#12 Updated by Brandon Schneider over 2 years ago
Whoops, brain fart. I was thinking about something else. You're correct, that will still be required. It is working as intended for more secure jails. iocage takes the approach of less is more in terms of unhiding things, warden was a lot more open by default.
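As an added example that is not part of this thread: a host-side devfs ruleset that keeps the hide-everything baseline of the default jail ruleset 4 and unhides only the tun devices, so a VPN client inside the jail can open its tunnel without the rest of /dev being exposed. The ruleset number 5, the jail name vpnjail, and the iocage devfs_ruleset property and commands in the comments are assumptions, not taken from the thread.

```ini
# /etc/devfs.rules on the host: a custom ruleset for jails that run a VPN client.
# Rulesets 1-4 are defined in /etc/defaults/devfs.rules; 5 is assumed to be free.
[devfsrules_jail_vpn=5]
# Same baseline as the default jail ruleset (4): hide every node first,
# then expose only the basic and login device nodes (rulesets 2 and 3).
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# The single addition over ruleset 4: expose tun devices so OpenVPN inside the
# jail can open /dev/tun*. No other device nodes are unhidden.
add path 'tun*' unhide

# Apply on the host and point the jail at the new ruleset (assumed commands;
# "vpnjail" is a placeholder jail name):
#   service devfs restart
#   iocage set devfs_ruleset=5 vpnjail
#   iocage restart vpnjail
# Check from the host that the node is now visible inside the jail once the
# VPN client has started (iocage names the jail ioc-<name>):
#   jexec ioc-vpnjail sh -c 'ls -l /dev/tun*'
```

Any jail left on ruleset 4 keeps the default, more restrictive view of /dev; only jails explicitly set to ruleset 5 gain the tun nodes.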