December 05, 2016 01:40PM
On 05/12/2016 17:12, Maxim Dounin wrote:
> Hello!
>
> On Mon, Dec 05, 2016 at 02:40:27PM +0000, Steven Hartland wrote:
snip...
> Given that the real local address of the listening socket as shown
> by netstat is 10.10.96.146, it means that the socket was created
> when there were no explicit 127.0.0.1 in the jail.

This didn't appear to be the case as nginx was restarted after the
failure of upgrade and currently shows:
netstat -na | grep LIST
tcp4 0 0 10.10.96.146.81 *.* LISTEN

The jail does indeed have an explicit 127.0.0.1 as reported by ifconfig
from within said jail.
ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xffffffff

/etc/jail.conf includes:
jailXYZ {
    path = "/data/jails/XYZ";
    ip4.addr = "10.10.96.146";
    ip4.addr += "vlan96|A.B.C.D";
    ip4.addr += "lo0|127.0.0.1";
}

This is what we see when 127.0.0.1 is not exposed to the jail, which is
where I would expect the behaviour you describe:
ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo

Digging into the source of jails I found the offending code:
    ia0.s_addr = ntohl(ia->s_addr);
    if (ia0.s_addr == INADDR_LOOPBACK) {
        ia->s_addr = pr->pr_ip4[0].s_addr;
        mtx_unlock(&pr->pr_mtx);
        return (0);
    }
    ....
    if (ntohl(ia->s_addr) == INADDR_LOOPBACK) {
        ia->s_addr = pr->pr_ip4[0].s_addr;
        mtx_unlock(&pr->pr_mtx);
        return (0);
    }

This uses the first IP of the jail as loopback even if there is an
address which explicitly matches.

So the workaround would be to change the order of the IPs in our jail
config making 127.0.0.1 the first IP.

However this doesn't seem to be documented in the jail man page so quite
possibly needs fixing.

Thanks for pointing me in the right direction.

I'll talk to the jail / net guys and get that fixed. At the very least
it should be clearly documented in JAIL(8) but ideally it should do the
right thing when the jail has an address which matches INADDR_LOOPBACK.

Regards
Steve

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
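
The remapping discussed in the post above, as an added example that is not part of the original message and is not FreeBSD kernel code: a userland model showing where a 127.0.0.1 bind ends up for a given ip4.addr order. The names jail_model, jail_has, jail_local_ip4 and loopback_bind are hypothetical, the explicit-match variant is only one reading of "do the right thing", and 192.0.2.10 stands in for the redacted A.B.C.D.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userland model of a jail's IPv4 list (pr_ip4 in the excerpt). */
struct jail_model { struct in_addr ip4[4]; size_t n; };

/* Constructed samples: the post's ip4.addr order, and the reordered workaround. */
static const char *const POSTED[] = { "10.10.96.146", "192.0.2.10", "127.0.0.1" };
static const char *const REORDERED[] = { "127.0.0.1", "10.10.96.146", "192.0.2.10" };

static int jail_has(const struct jail_model *j, struct in_addr a)
{
    for (size_t i = 0; i < j->n; i++)
        if (j->ip4[i].s_addr == a.s_addr)
            return 1;
    return 0;
}

/* prefer_explicit = 0 mirrors the excerpt: loopback always becomes the first
 * jail address. prefer_explicit = 1 (assumed alternative) keeps 127.0.0.1 when
 * the jail owns it. Returns 0 on success, -1 if the address is refused. */
static int jail_local_ip4(const struct jail_model *j, struct in_addr *ia, int prefer_explicit)
{
    if (prefer_explicit && jail_has(j, *ia))
        return 0;
    if (ntohl(ia->s_addr) == INADDR_LOOPBACK) {
        ia->s_addr = j->ip4[0].s_addr;
        return 0;
    }
    return jail_has(j, *ia) ? 0 : -1;
}

/* Bind to 127.0.0.1 inside the modelled jail; returns the address actually
 * used, in host byte order, or 0 on bad input. */
static uint32_t loopback_bind(const char *const *addrs, size_t n, int prefer_explicit)
{
    struct jail_model j = { .n = n };
    struct in_addr ia = { .s_addr = htonl(INADDR_LOOPBACK) };
    if (n == 0 || n > 4) return 0;
    for (size_t i = 0; i < n; i++)
        if (inet_pton(AF_INET, addrs[i], &j.ip4[i]) != 1)
            return 0;
    return jail_local_ip4(&j, &ia, prefer_explicit) == 0 ? ntohl(ia.s_addr) : 0;
}

int main(void)
{
    printf("posted order: %#x, 127.0.0.1 first: %#x\n",
        (unsigned)loopback_bind(POSTED, 3, 0), (unsigned)loopback_bind(REORDERED, 3, 0));
    return 0;
}
```

With the posted order the loopback listener lands on 10.10.96.146, matching the netstat output in the message, so a service configured for localhost only is reachable on the jail's first address until 127.0.0.1 is listed first.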
nginx upgrade fails due bind error on 127.0.0.1 in a FreeBSD jail