Help diagnosing a "network reset by peer" within a FreeBSD jail


ita...@rwhmyers.com

Apr 5, 2019, 3:51:25 PM
to iocage
Hello, I was hoping someone could point me in helpful direction(s) to diagnose a networking issue within a FreeBSD jail.

Problem: In a newly created jail inside a recently installed host OS, network connections within the jail get a "Connection reset by peer". I receive that error within a few seconds on "fetch extract", but also on a basic "fetch http://...." This has happened from the start, i.e. when I first created the jail and went in to do "portsnap fetch", it failed right after finding a few peers. It almost seems like the networking is stable for basic tasks.

I don't know how to troubleshoot the networking interplay between jail & host, especially when basic networking is working inside the jail (dns resolution, sometimes the start of fetch functions).  The only difference with other iocage installations I have is this cloud provider's additional static IPs come on additional virtual NICs ... "vtnet" (notice, not vnet, I am not using vnet/vimage)

iocage on host
- Version 1.1 RELEASE 2019/01

FreeBSD Host:
- host providing vtnet0|1|2 for the 3 static IPs, one for host OS and two for separate jails
- uname -a = FreeBSD host.domain.com 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 GENERIC  amd64
- ifconfig shows
- - vtnet0 with host OS's static IP
- - when jail is running, vtnet1 shows jail's static IP
- sysrc -a shows
- - ifconfig_vtnet0 with correct settings
- - defaultrouter with vtnet0's corresponding router
- Host OS has no networking issues
- Jail has the same problem whether host's pf is enabled or disabled

iocage Jail
- uname -a = FreeBSD cs1-myclaim.rwhMyers.com 12.0-RELEASE-p3 FreeBSD 12.0-RELEASE-p3 GENERIC  amd64
- jail's properties seem correct:
- - correct "ip4_addr:vtnet1|x.x.x.x/24"
- - correct "defaultrouter" with vtnet1's corresponding router
- in jail console
- - resolves DNS fine from 3rd party DNS (9.9.9.9)
- - sysrc -a
- - - reflects jail property's defaultrouter
- - -  doesn't show an ifconfig_vtnet1 entry, but since dns resolution works I think the ip4 networking is working -- I presume it is obscured by the jail management?
- - fetch dies, both on manual test and portsnap update fetch (it finds the mirrors before dying)

I can post any output that might be helpful -- I just tried to summarize key points to maybe focus the first round of inquiry.

I will be very grateful for any help / guidance!

Thanks,
Bill

Brandon Schneider

Apr 6, 2019, 2:23:42 PM
to ita...@rwhmyers.com, iocage
You won't see a dedicated vtnet1 entry in the jail as the jail is an alias on that nic. Try setting vnet, as that will give you a full virtual networking stack. Make sure to change your ip4_addr to vnet0|IP/24 as well when doing so.

Good luck :)
-Brandon



William Warren

Apr 6, 2019, 3:18:13 PM
to Brandon Schneider, iocage
Brandon - Thank you, I was on the fence about vnet as I know there are some issues.  Hopefully FreeBSD 12 is stable enough … want to move my client extranet to this new cloud provider.

Warm regards,
Bill


Brandon Schneider

Apr 6, 2019, 3:31:48 PM
to William Warren, iocage
William,

Yes, VNET historically has been quite unstable. I have seen complete stability in 11.2-RELEASE and up, so much so that I have changed our defaults for the plugins in the project to be VNET. It really has come a long way!

-Brandon
