VNET jail and dhclient
Kristof Provost
2017-10-10 21:25:14 UTC
What is your FreeBSD version? This problem is reproduced on FreeBSD 12
only.
I’m running r324317 on CURRENT, yes.

What arguments are you calling dhclient with?
Clearly there’s a difference between what you’re doing and what
I’m doing.
I'm not sure if this is an fd leak (due to pidfile_remove at the end of
dhclient); nevertheless, closing the pid fd in my jail/FreeBSD12 before
chroot solves the dhclient issue.
I would not expect an open file descriptor to be a problem, unless
perhaps you’ve got an open directory and
kern.chroot_allow_open_directories is unset.

Regards,
Kristof
Oleg Ginzburg
2017-10-10 21:10:37 UTC
Hello!
Hello,
TLDR: I can set up a static IP or use dhcpcd to get an address, but not
dhclient.
Let me elaborate. I run 12-CURRENT on my laptop and use CBSD as jail
manager (I don't think it matters).
What version of CURRENT are you using?
# dhclient eth0
chroot
exiting.
This is what I found with truss: https://gist.github.com/anonymous/36a4e2bf1760198971934ff609a7d0de#file-gistfile1-txt-L227-L228. Selected
lines are what I think is the problem. Offending line in the code is
probably https://svnweb.freebsd.org/base/head/sbin/dhclient/dhclient.c?revision=317915&view=markup#l507. With that assumption, Oleg,
Is there any chance you don’t have /var/empty in your jail?
sudo jail -c name=alcatraz persist vnet vnet.interface=epair0b
(in the jail) dhclient epair0b

fsync(0x9) = 0 (0x0)
close(8) = 0 (0x0)
socket(PF_ROUTE,SOCK_RAW,0) = 8 (0x8)
shutdown(8,SHUT_WR) = 0 (0x0)
cap_rights_limit(8,{ CAP_READ,CAP_EVENT }) = 0 (0x0)
chroot("/var/empty") = 0 (0x0)
chdir("/") = 0 (0x0)
setgroups(0x1,0x800e2c1e4) = 0 (0x0)

I also see the DHCP request packets on the other end of the epair
interface.
Regards,
Kristof
What is your FreeBSD version? This problem is reproduced on FreeBSD 12 only.
/var/empty exists, and a trivial test:

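#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>	/* chroot(2) */

int main(void)
{
	/* Prints 0 when chroot(2) succeeds, -1 when it fails. */
	printf("%d\n", chroot("/var/empty"));
	return 0;
}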

works successfully.

I think I found something, but I do not understand why this is only
observed in jail and with commit change this.
The problem that Goran wrote about can be fixed with:

# diff -ruN dhclient.c-orig dhclient.c
--- dhclient.c-orig 2017-10-10 23:51:52.451361000 +0000
+++ dhclient.c 2017-10-10 23:54:55.803404000 +0000
@@ -479,6 +479,7 @@

fork_privchld(pipe_fd[0], pipe_fd[1]);

+ pidfile_close(pidfile);
close(ifi->ufdesc);
ifi->ufdesc = -1;
close(ifi->wfdesc);
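Review bot: the pidfile_close(pidfile) added right after fork_privchld() ignores the function's return value and leaves the pidfile variable holding a handle that has been closed, while the message below mentions a pidfile_remove at the end of dhclient. Either clear the pointer at this point (pidfile = NULL;) and guard the later cleanup, or confirm that the exit path no longer touches it; otherwise the pidfile is left on disk or cleaned up through a stale handle.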




From pidfile(3) man page:

The pidfile_close() function closes a pidfile. It should be used after
daemon fork()s to start a child process.


chroot(2) in dhclient returns NOPERM (via global errno). It seems to be
related to an open descriptor outside the chroot.

I'm not sure if this is an fd leak (due to pidfile_remove at the end of
dhclient); nevertheless, closing the pid fd in my jail/FreeBSD12 before chroot
solves the dhclient issue.
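The open-directory condition raised earlier in the thread can be checked from inside a process just before it calls chroot(2). The C program below is an added example, not code from this thread or from dhclient; the name count_open_dirs and the 1024-descriptor scan bound are assumptions chosen for illustration, and the directory it opens is constructed sample input.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCAN_MAX 1024	/* assumed upper bound on descriptors to inspect */

/*
 * Count descriptors in [0, maxfd) that refer to directories.  When report
 * is non-NULL, write one line per hit so the descriptor can be traced back
 * to the code that opened it.
 */
int
count_open_dirs(int maxfd, FILE *report)
{
	struct stat sb;
	int fd, hits = 0;

	for (fd = 0; fd < maxfd; fd++) {
		if (fstat(fd, &sb) == -1)
			continue;	/* slot not in use */
		if (!S_ISDIR(sb.st_mode))
			continue;
		hits++;
		if (report != NULL)
			fprintf(report, "fd %d: directory, dev %llu ino %llu\n",
			    fd, (unsigned long long)sb.st_dev,
			    (unsigned long long)sb.st_ino);
	}
	return (hits);
}

int
main(void)
{
	/* Constructed case: hold a directory open, audit, release, audit. */
	int fd = open("/", O_RDONLY);

	printf("while held: %d\n", count_open_dirs(SCAN_MAX, stderr));
	if (fd >= 0)
		close(fd);
	printf("after close: %d\n", count_open_dirs(SCAN_MAX, stderr));
	return (0);
}
```

Calling count_open_dirs() immediately before the chroot() call in a daemon shows whether any directory descriptor is still held at that point, and which one.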
Goran Mekić
2017-10-11 19:48:34 UTC
Post by Oleg Ginzburg
I think I found something, but I do not understand why this is only
observed in jail and with commit change this.
# diff -ruN dhclient.c-orig dhclient.c
--- dhclient.c-orig 2017-10-10 23:51:52.451361000 +0000
+++ dhclient.c 2017-10-10 23:54:55.803404000 +0000
@@ -479,6 +479,7 @@
fork_privchld(pipe_fd[0], pipe_fd[1]);
+ pidfile_close(pidfile);
close(ifi->ufdesc);
ifi->ufdesc = -1;
close(ifi->wfdesc);
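Review bot: the one-line addition after fork_privchld() carries no comment, and the reason it helps is not established in this thread (the failure shows only in a jail on 12-CURRENT, and the link to the open descriptor is stated as a guess). Add a comment saying the pidfile descriptor is closed so that the later chroot succeeds, and record the observed errno in the commit message so the line is not removed later as a no-op.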
The pidfile_close() function closes a pidfile. It should be used after
daemon fork()s to start a child process.
chroot(2) in dhclient returns NOPERM (via global errno). It seems to be
related to an open descriptor outside the chroot.
I'm not sure if this is an fd leak (due to pidfile_remove at the end of
dhclient); nevertheless, closing the pid fd in my jail/FreeBSD12 before chroot
solves the dhclient issue.
I can confirm Oleg's patch works for me. Weird one, for sure!
Kristof Provost
2017-11-16 13:07:31 UTC
Hello, all!
I've got the same problem...
Can you show how you call dhclient? What FreeBSD version are you running?

What’s the output of `sysctl kern.chroot_allow_open_directories`?

Regards,
Kristof
KOT MATPOCKuH
2017-11-16 13:49:26 UTC
dhclient is called very simply:
jail# dhclient epair71b.71
chroot
exiting.
jail# echo $?
1

I'm running 12.0-CURRENT r325051 and:
# sysctl kern.chroot_allow_open_directories
kern.chroot_allow_open_directories: 1

And I found another workaround:
# dhclient -p /var/empty/pid epair71b.71
Cannot open or create pidfile: Operation not permitted
DHCPDISCOVER on epair71b.71 to 255.255.255.255 port 67 interval 6
Hello, all!
I've got the same problem...
Can you show how you call dhclient? What FreeBSD version are you running?
What’s the output of sysctl kern.chroot_allow_open_directories?
Regards,
Kristof
--
MATPOCKuH
Goran Mekić
2017-11-16 13:06:31 UTC
Hello, all!
I've got the same problem...
Did someone open a PR for this issue?
Yes, Oleg did: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223327