unable to install pkg in the jail


brunosc...@gmail.com

Mar 3, 2017, 4:46:16 PM
to iocage
Hello,

I am writing for a bit of help; I have a couple of questions.

1) I installed iocage version 0.9.5 2017/02/15 on FreeBSD 11, and I get this when trying to install pkg:

---
root@75756a82-cefb-4086-9101-c859fcc9c2bb:~ # pkg
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait.
----
The installation will not progress beyond this.
Jail otherwise works well, has access to internet and freebsd-update works from within the jail.

Why is this happening?

2)
I installed iocage from ports. The GitHub project page says the py36-iocage package is available, but when trying to install it the package was not found. Is it going to be available in the near future?

BW,

B

PS: Sorry if the questions are trivial, I am only starting to learn FreeBSD.


Dave Cottlehuber

Mar 3, 2017, 5:48:33 PM
to ioc...@googlegroups.com
On Fri, 3 Mar 2017, at 22:46, brunosc...@gmail.com wrote:

Response inline.

> root@75756a82-cefb-4086-9101-c859fcc9c2bb:~ # pkg
> The package management tool is not yet installed on your system.
> Do you want to fetch and install it now? [y/N]: y
> Bootstrapping pkg from
> pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait.
> ----
> The installation will not progress beyond this.
> Jail otherwise works well, has access to internet and freebsd-update
> works
> from within the jail.

I suspect that DNS within the jail isn't providing sufficient
functionality. pkg requires both SRV and DNSSEC support to work.

You can try a few things, after entering the jail with `iocage console
<jail>`:

- confirm DNSSEC works via dig:

~ drill -D pkg.freebsd.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 24163
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;; pkg.freebsd.org. IN A

;; ANSWER SECTION:
pkg.freebsd.org. 196 IN CNAME pkgmir.geo.freebsd.org.
pkg.freebsd.org. 196 IN RRSIG CNAME 8 3 300
20170312182657 20170226091828 19515 freebsd.org.
g0tT2HKhKJOKTtKOVy/xSOmLLmPKvEfjeh9KTXp0Zv/qIERQhWNq+dlBMY+byc4LbXEFpV1JJkLQzuLUmuMTzHkDvdnkMBDO0sivDBeGvIJmY1uuefdDBXwfjkazvKR/1sEuzLDKNIi6XbHw/evMr5zEW1JRteYlvpdKDmQPLxv0qWaM65cqwnrDKRbOiM2i5pNwkw5wWLgfYxFfefW59PSGYRlElK0+vH1VueH9v1l2rI7DqG2AYHHjMM56BP4HTnWfdYr6jxixuJJl1gGnuuSwZcdqKm3T00xzwh1/H/WLGCk5uCb42AdqvPBkMePDYU48y2N5NSSLzhuh2HtypQ==
pkgmir.geo.freebsd.org. 196 IN A 213.138.116.73

;; AUTHORITY SECTION:
ant76siq4vfhmpk8jf2kbejvdf5jiti3.freebsd.org. 496 IN NSEC3
1 0 100 dcda2ac1cd3436d1 aofb29vnkmr613lpolfmilma2a6b8caq NS
ant76siq4vfhmpk8jf2kbejvdf5jiti3.freebsd.org. 496 IN RRSIG
NSEC3 8 3 600 20170309165556 20170223161823 19515 freebsd.org.
J1uJcGUv9NMzSkVJp6Mnrhk2BcRGuDWi70QpwAWZoxKMoqkr1gG4PmwPTqvqMCXrzGU0Co2KZjwi2oE5C1+yEDkpbx/YlxwHOCqPTn1mk3tgqtcWVIPle57ajSxoYcg6m+cTGXU6dMWbMaY0NdAlpKv6B6+Ro8lt8ncDMW/fwRvajJsj+9vs4Vw2EBxb70HeHJc2JRHXD/k6lFQy1TUP83bprHAmk/ZmdfmnHlJQujF8lcvbcLXm8EC/IJKbUfNEy5LcU9UjlEP1d5L/YiyKw3b9T/g9mLnlqgxHYRgQadOYUba/nR5xdiee32R0F0N3nt0GhUHFi2aU7skhLsFBOQ==
geo.freebsd.org. 3496 IN NS gns0.freebsd.org.
geo.freebsd.org. 3496 IN NS gns1.freebsd.org.
geo.freebsd.org. 3496 IN NS gns2.freebsd.org.

;; ADDITIONAL SECTION:

;; Query time: 6 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 172.16.1.1
;; WHEN: Fri Mar 3 22:38:13 2017
;; MSG SIZE rcvd: 822
~

- confirm you can look up the SRV record:

~ drill _http._tcp.pkg.freebsd.org SRV
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 56446
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 6
;; QUESTION SECTION:
;; _http._tcp.pkg.freebsd.org. IN SRV

;; ANSWER SECTION:
_http._tcp.pkg.freebsd.org. 300 IN SRV 50 10 80
pkg0.nyi.freebsd.org.
_http._tcp.pkg.freebsd.org. 300 IN SRV 50 10 80
pkg0.bme.freebsd.org.
_http._tcp.pkg.freebsd.org. 300 IN SRV 10 10 80
pkgmir.geo.freebsd.org.
_http._tcp.pkg.freebsd.org. 300 IN SRV 50 10 80
pkg0.ydx.freebsd.org.
_http._tcp.pkg.freebsd.org. 300 IN SRV 50 10 80
pkg0.isc.freebsd.org.

;; AUTHORITY SECTION:
freebsd.org. 3600 IN NS ns3.isc-sns.info.
freebsd.org. 3600 IN NS ns2.isc-sns.com.
freebsd.org. 3600 IN NS ns1.isc-sns.net.

;; ADDITIONAL SECTION:
pkg0.bme.freebsd.org. 3600 IN A 213.138.116.73
pkg0.bme.freebsd.org. 3600 IN AAAA 2001:41c8:112:8300::50:1
pkg0.isc.freebsd.org. 3600 IN A 149.20.1.201
pkg0.isc.freebsd.org. 3600 IN AAAA 2001:4f8:1:11::50:1
pkg0.nyi.freebsd.org. 3600 IN A 96.47.72.71
pkg0.nyi.freebsd.org. 3600 IN AAAA 2610:1c1:1:606c::50:1

;; Query time: 47 msec
;; SERVER: 172.16.1.1
;; WHEN: Fri Mar 3 22:41:40 2017
;; MSG SIZE rcvd: 493


My preferred setup is that every jail uses the DNS server from the host
machine,
and I run local_unbound there.

Within the jail, you can also run pkg(8) with -d -d -d debugging flags;
its output is prolific but it may shed some light. Below you can see the
fetch and mirror lookups taking place:

$ sudo pkg -dddd install vlc 2>&1|less

Updating FreeBSD repository catalogue...
DBG(1)[17155]> pkg initialized
DBG(1)[74209]> pkg initialized
Updating FreeBSD repository catalogue...
DBG(1)[74209]> PkgRepo: verifying update for FreeBSD
DBG(4)[74209]> Pkgdb: running 'SELECT count(name) FROM sqlite_master
WHERE type='table' AND name='repodata';'
DBG(4)[74209]> Pkgdb: running 'select count(key) from repodata WHERE key
= "packagesite" and value =
'pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/latest''
DBG(4)[74209]> Pkgdb: running 'SELECT id, origin, name, name as
uniqueid, version, comment, prefix, desc, arch, maintainer, www,
licenselogic, flatsize, pkgsize, cksum, manifestdigest, path AS
repopath,
'FreeBSD' AS dbname FROM packages AS p ORDER BY name;' query for all

DBG(1)[74209]>
Pkgrepo, begin update of '/var/db/pkg/repo-FreeBSD.sqlite'
DBG(1)[74209]> Fetch: fetching from:
http://pkgmir.geo.freebsd.org/FreeBSD:12:amd64/latest/meta.txz with opts
"iv"
looking up pkgmir.geo.freebsd.org
connecting to pkgmir.geo.freebsd.org:80
requesting
http://pkgmir.geo.freebsd.org/FreeBSD:12:amd64/latest/meta.txz
If-Modified-Since: Thu, 02 Mar 2017 00:26:33 GMT
DBG(1)[74209]> Fetch: fetching from:
http://pkgmir.geo.freebsd.org/FreeBSD:12:amd64/latest/packagesite.txz
with opts "iv"
looking up pkgmir.geo.freebsd.org
connecting to pkgmir.geo.freebsd.org:80
requesting
http://pkgmir.geo.freebsd.org/FreeBSD:12:amd64/latest/packagesite.txz
If-Modified-Since: Thu, 02 Mar 2017 00:26:33 GMT
FreeBSD repository is up to date.
All repositories are up to date.

> 2)
> I installed the iocage from ports, the github project page says
> py36-iocage
> package is available but when trying to install the package was not
> found.
> Is going to be available in the near future?
>
> BW,
>
> B
>
> PS: sorry if the questions are trivial, I am only starting to learn
> freebsd

Welcome :-)

A+
Dave

brunosc...@gmail.com

Mar 5, 2017, 1:04:51 PM
to iocage
Hello Dave,

Thank you for your reply. Your suggestions were spot on, although it took a while for me to find out what exactly was wrong.

The FreeBSD instance was running as a guest in VirtualBox and I didn't have the virtual network adapter configured properly. Confusingly for me, I could browse the web but DNSSEC wasn't working, as I found following your advice above.

All's lovely now.

Best wishes,


Francisco Reyes

Mar 5, 2017, 11:56:38 PM
to iocage
On Friday, March 3, 2017 at 5:48:33 PM UTC-5, Dave Cottlehuber wrote:

Having the same error as the original poster.


 
> I suspect that DNS within the jail isn't providing sufficient
> functionality. pkg requires both SRV and DNSSEC support to work.

Both SRV and DNSSEC are working.

 ~ drill -D pkg.freebsd.org
 ~ drill _http._tcp.pkg.freebsd.org SRV    

Both of those return valid data.

 
> $ sudo pkg -dddd install vlc 2>&1|less


As root I am trying: pkg -ddd update
And get

The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'. 

Output from drill:

drill -D pkg.freebsd.org 
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 46617
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; pkg.freebsd.org.     IN      A

;; ANSWER SECTION:
pkg.freebsd.org.        299     IN      CNAME   pkgmir.geo.freebsd.org.
pkg.freebsd.org.        299     IN      RRSIG   CNAME 8 3 300 20170312182657 20170226091828 19515 freebsd.org. g0tT2HKhKJOKTtKOVy/xSOmLLmPKvEfjeh9KTXp0Zv/qIERQhWNq+dlBMY+byc4LbXEFpV1JJkLQzuLUmuMTzHkDvdnkMBDO0sivDBeGvIJmY1uuefdDBXwfjkazvKR/1sEuzLDKNIi6XbHw/evMr5zEW1JRteYlvpdKDmQPLxv0qWaM65cqwnrDKRbOiM2i5pNwkw5wWLgfYxFfefW59PSGYRlElK0+vH1VueH9v1l2rI7DqG2AYHHjMM56BP4HTnWfdYr6jxixuJJl1gGnuuSwZcdqKm3T00xzwh1/H/WLGCk5uCb42AdqvPBkMePDYU48y2N5NSSLzhuh2HtypQ==
pkgmir.geo.freebsd.org. 299     IN      A       96.47.72.71

and

drill _http._tcp.pkg.freebsd.org SRV     
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 15561
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; _http._tcp.pkg.freebsd.org.  IN      SRV

;; ANSWER SECTION:
_http._tcp.pkg.freebsd.org.     90      IN      SRV     10 10 80 pkgmir.geo.freebsd.org.
_http._tcp.pkg.freebsd.org.     90      IN      SRV     50 10 80 pkg0.isc.freebsd.org.
_http._tcp.pkg.freebsd.org.     90      IN      SRV     50 10 80 pkg0.bme.freebsd.org.
_http._tcp.pkg.freebsd.org.     90      IN      SRV     50 10 80 pkg0.ydx.freebsd.org.
_http._tcp.pkg.freebsd.org.     90      IN      SRV     50 10 80 pkg0.nyi.freebsd.org.


Yet:
ping: cannot resolve pkg.freebsd.org: Host name lookup failure

How can drill work, but ping fail due to lookup failure?

Any pointers/suggestions would be greatly appreciated.

Dave Cottlehuber

Mar 6, 2017, 8:01:48 AM
to ioc...@googlegroups.com
On Mon, 6 Mar 2017, at 05:56, Francisco Reyes wrote:
> On Friday, March 3, 2017 at 5:48:33 PM UTC-5, Dave Cottlehuber wrote:
>
> Having the same error as the original poster.
> > I suspect that DNS within the jail isn't providing sufficient
> > functionality. pkg requires both SRV and DNSSEC support to work.
> >
>
> both SRV and DNSSEC are working.

I assume you've done these within the jail just to be sure.

> As root I am trying: pkg -ddd update
> And get
>
> The package management tool is not yet installed on your system.
> Do you want to fetch and install it now? [y/N]: y
> Bootstrapping pkg from
> pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
> pkg: Error fetching
> http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: No
> address record

This says specifically that it cannot get a successful result from DNS,
so the protocol that is being used by libpkg here is not the same as
what drill in the jail is using - perhaps one of:

- not allowed by firewall (ipv6 vs ipv4 or tcp vs udp etc)
- doesn't have the correct IP address that is allowed by your DNS server
(e.g. local_unbound in the host)
- doesn't have the correct return path

At this point I'd probably run local_unbound in the host in debug mode
(see below), reach for dtruss (sysutils/dtrace-toolkit) and tcpdump, to
run in the host and see what's exactly failing, and run both drill & pkg
through this to compare, especially try drill -4t .... and drill -4u ...
to see specifically whether udp and tcp IPv4 lookups are working or not.

If you're using local_unbound you need to have `interface-automatic` to
have the reply get sent back on the correct interface, and you also need
the more obvious `access-control` to permit the initial query. The
outgoing IP address may well not be what you expect, after the kernel
and your firewall have had a crack - hence checking with tcpdump.

In my specific case I have local_unbound with more or less these pf.conf
and unbound settings. Note the protip debugging notes ;-).

# /etc/unbound/conf.d/secure.conf
# for debugging, stop local_unbound, uncomment
# logfile: ""
# and then run:
# /usr/sbin/unbound -c /var/unbound/unbound.conf -dvvvv
server:
    # let replies come back on the interface that they arrived from
    interface-automatic: yes
    # the jail private network
    access-control: 10.0.0.0/8 allow
    access-control: ::1/64 allow
    access-control: ::/8 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

# /etc/pf.conf
ext_if="lagg0"
int_if="lo0"
internal_net=$int_if:network
# bigger state tables help erlang receive sockets faster
# https://blog.tyk.nu/blog/fun-with-freebsd-listen-queue-overflow/
set limit { states 80000, frags 20000, src-nodes 20000 }
set timeout { adaptive.start 60000, adaptive.end 78000 }
# clean packets are happy packets
scrub in all
# jails are allowed outbound connections but not inbound
# these should be set up explicitly using spiped or similar
nat on $ext_if inet proto { tcp, udp, icmp } from $internal_net to any -> ($ext_if)
pass in all
pass out all

When you get all this working, please post back to the list with your
specific secret sauce.

A+
Dave
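
Added example (not part of the thread or of unbound itself): a small evaluator for the `access-control` lines in the secure.conf fragment above, showing which jail addresses that policy would answer. It relies on unbound's documented rule that the most specific matching netblock wins regardless of line order; the function names are hypothetical, and unbound's built-in default is simplified here to "refuse".

```python
import ipaddress

# access-control lines copied from the secure.conf fragment posted above
SECURE_CONF = """\
server:
    interface-automatic: yes
    access-control: 10.0.0.0/8 allow
    access-control: ::1/64 allow
    access-control: ::/8 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
"""


def parse_access_control(conf_text):
    """Return [(network, action)] for every access-control line (hypothetical helper)."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        fields = line.split(":", 1)[1].split()       # ["::1/64", "allow"]
        if len(fields) != 2:
            raise ValueError(f"malformed access-control line: {raw!r}")
        # strict=False: netblocks such as ::1/64 carry host bits
        net = ipaddress.ip_network(fields[0], strict=False)
        rules.append((net, fields[1]))
    return rules


def decide(rules, client, default="refuse"):
    """Longest-prefix match over the rules; `default` is an assumption
    standing in for unbound's behaviour when no netblock matches."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else default


if __name__ == "__main__":
    rules = parse_access_control(SECURE_CONF)
    # Constructed client addresses: a 10/8 jail, the LAN address seen later
    # in the thread, loopback v4/v6, and a documentation-range IPv6 address.
    for client in ("10.0.0.5", "192.168.1.125", "127.0.0.1", "::1", "2001:db8::1"):
        print(f"{client:15} -> {decide(rules, client)}")
```

With the 10.0.0.0/8 policy as posted, a jail on 192.168.1.0/24 falls through to `0.0.0.0/0 refuse`, so the allow line has to name the jail's own network.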

Francisco Reyes

Mar 6, 2017, 5:40:55 PM
to iocage
On Monday, March 6, 2017 at 8:01:48 AM UTC-5, Dave Cottlehuber wrote:
> I assume you've done these within the jail just to be sure.

Yes.
 
 
> If you're using local_unbound you need to have `interface-automatic` to

Testing unbound with this config:
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
        interface-automatic:  yes
        logfile: ""

        # let replies come back on the interface that they arrived from
        # the jail private network
        access-control:       192.168.1.0/24 allow
        access-control:       ::1/64         allow
        access-control:       ::/8           refuse
        access-control:       127.0.0.0/8    allow
        access-control:       0.0.0.0/0      refuse

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

> In my specific case I have local_unbound with more or less these pf.conf

As far as I can tell there is no pf, or any other firewall in the host. Did not install any firewalls in the jail.
 
When I try with the above, I am getting some invalid argument errors:
[1488838879] unbound[53208:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1488838879] unbound[53208:0] info: query response was nodata ANSWER
[1488838879] unbound[53208:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
[1488838879] unbound[53208:0] info: finishing processing for natserv.com. DS IN
[1488838879] unbound[53208:0] debug: mesh_run: iterator module exit state is module_finished
[1488838879] unbound[53208:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1488838879] unbound[53208:0] info: validator operate: query natserv.com. DS IN
[1488838879] unbound[53208:0] debug: validator: nextmodule returned
[1488838879] unbound[53208:0] debug: not validating response, is valrec(validation recursion lookup)
[1488838879] unbound[53208:0] debug: mesh_run: validator module exit state is module_finished
[1488838879] unbound[53208:0] info: validator: inform_super, sub is natserv.com. DS IN
[1488838879] unbound[53208:0] info: super is natserv.com. A IN
[1488838879] unbound[53208:0] info: verify rrset CK0POJMG874LJREF7EFN8430QVIT8BSM.com. NSEC3 IN
[1488838879] unbound[53208:0] debug: verify sig 31697 8
[1488838879] unbound[53208:0] debug: verify result: sec_status_secure
[1488838879] unbound[53208:0] info: verify rrset I6KVGJ9FJQPOBQL7K6DFQ9QJ9J4DEFQ4.com. NSEC3 IN
[1488838879] unbound[53208:0] debug: verify sig 31697 8
[1488838879] unbound[53208:0] debug: verify result: sec_status_secure
[1488838879] unbound[53208:0] debug: nsec3: keysize 1024 bits, max iterations 150
[1488838879] unbound[53208:0] info: ce candidate com. TYPE0 CLASS0
[1488838879] unbound[53208:0] info: NSEC3s for the referral proved no DS.
[1488838879] unbound[53208:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
[1488838879] unbound[53208:0] info: validator operate: query natserv.com. A IN
[1488838879] unbound[53208:0] debug: val handle processing q with state VAL_VALIDATE_STATE
[1488838879] unbound[53208:0] info: Verified that unsigned response is INSECURE
[1488838879] unbound[53208:0] debug: val handle processing q with state VAL_FINISHED_STATE
[1488838879] unbound[53208:0] debug: mesh_run: validator module exit state is module_finished
[1488838879] unbound[53208:0] info: send_udp over interface: 192.168.1.125
[1488838879] unbound[53208:0] notice: sendmsg failed: Invalid argument
[1488838879] unbound[53208:0] notice: remote address is ip4 192.168.1.125 port 47440 (len 16)
[1488838879] unbound[53208:0] debug: query took 0.179916 sec
[1488838879] unbound[53208:0] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out
[1488838879] unbound[53208:0] info: average recursion processing time 0.179916 sec
[1488838879] unbound[53208:0] info: histogram of recursion processing times
[1488838879] unbound[53208:0] info: [25%]=0 median[50%]=0 [75%]=0
[1488838879] unbound[53208:0] info: lower(secs) upper(secs) recursions
[1488838879] unbound[53208:0] info:    0.131072    0.262144 1
[1488838879] unbound[53208:0] debug: cache memory msg=67037 rrset=69984 infra=3130 val=68405
[1488838879] unbound[53208:0] debug: svcd callbacks end
[1488838879] unbound[53208:0] debug: close of port 16642
[1488838879] unbound[53208:0] debug: close fd 8
[1488838884] unbound[53208:0] info: receive_udp on interface: 192.168.1.125
[1488838884] unbound[53208:0] info: send_udp over interface: 192.168.1.125
[1488838884] unbound[53208:0] notice: sendmsg failed: Invalid argument
[1488838884] unbound[53208:0] notice: remote address is ip4 192.168.1.125 port 41857 (len 16)
[1488838889] unbound[53208:0] info: receive_udp on interface: 192.168.1.125
[1488838889] unbound[53208:0] info: send_udp over interface: 192.168.1.125
[1488838889] unbound[53208:0] notice: sendmsg failed: Invalid argument
[1488838889] unbound[53208:0] notice: remote address is ip4 192.168.1.125 port 12504 (len 16)
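
Added example (not part of the thread): a triage script for unbound debug output like the log above, pairing each `sendmsg failed` notice with the `send_udp over interface` line before it and the `remote address is` line after it, so that every undelivered reply is listed with its source interface and client. The sample lines are a subset of the posted log; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: lines taken from the debug log posted above
SAMPLE_LOG = """\
[1488838879] unbound[53208:0] info: send_udp over interface: 192.168.1.125
[1488838879] unbound[53208:0] notice: sendmsg failed: Invalid argument
[1488838879] unbound[53208:0] notice: remote address is ip4 192.168.1.125 port 47440 (len 16)
[1488838879] unbound[53208:0] debug: query took 0.179916 sec
[1488838884] unbound[53208:0] info: receive_udp on interface: 192.168.1.125
[1488838884] unbound[53208:0] info: send_udp over interface: 192.168.1.125
[1488838884] unbound[53208:0] notice: sendmsg failed: Invalid argument
[1488838884] unbound[53208:0] notice: remote address is ip4 192.168.1.125 port 41857 (len 16)
"""

LINE = re.compile(r"^\[(\d+)\] unbound\[(\d+):(\d+)\] (\w+): (.*)$")
REMOTE = re.compile(r"remote address is (ip4|ip6) (\S+) port (\d+)")


def failed_replies(log_text):
    """Return one record per reply that unbound reported it could not send."""
    records, pending = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                       # not an unbound log line
        ts, pid, thread, _level, msg = m.groups()
        # Lines from one worker thread are correlated with each other
        state = pending.setdefault((pid, thread), {})
        if msg.startswith("send_udp over interface: "):
            state.clear()
            state["src"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("sendmsg failed: "):
            state["error"] = msg.split(": ", 1)[1]
            state["ts"] = int(ts)
        elif "error" in state and (r := REMOTE.search(msg)):
            records.append({"ts": state["ts"], "src": state.get("src"),
                            "error": state["error"],
                            "client": r.group(2), "port": int(r.group(3))})
            state.clear()
    return records


def summarise(records):
    """Count failures per (client, error) and how many replies had a
    source interface identical to the client address."""
    counts = Counter((r["client"], r["error"]) for r in records)
    same_addr = sum(1 for r in records if r["src"] == r["client"])
    return counts, same_addr


if __name__ == "__main__":
    recs = failed_replies(SAMPLE_LOG)
    counts, same_addr = summarise(recs)
    for (client, error), n in counts.items():
        print(f"{n} replies to {client} failed: {error}")
    print(f"{same_addr} of {len(recs)} had source interface == client address")
```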
