# lsof doesn't work inside a jail?



## japoc (Mar 24, 2018)

Hello,

This is not specifically an issue about Solr, but I ran into this error trying to use Solr inside a jail. The problem is the following: each time I start the Solr server, Solr "Waits up to 180 seconds to see Solr running on port 8983" using, apparently, lsof to check that.

And I get the error

`lsof: kvm_open(execfile=/boot/kernel/kernel, corefile=/dev/mem): No such file or directory`

displaying every second for 3 minutes before the Solr program gives up checking.

I tried to run the lsof command directly and I get the same error:

```
$ lsof
lsof: kvm_open(execfile=/boot/kernel/kernel, corefile=/dev/mem): No such file or directory
```

What should I do?
Any help would be greatly appreciated.


----------



## ShelLuser (Mar 24, 2018)

Why even rely on lsof? Just use fuser, it's even part of the base system.


----------



## japoc (Mar 24, 2018)

I completely agree. However I have no control over the source code of Solr. Even if I submit a bug report to them (and for some reason the Solr project doesn't even accept bug reports on GitHub), it's going to take a long time for them to agree to change anything (if they do) and the change would appear in Solr 8.x while I'm using Solr 7.2. That's why I'm looking for a way to make it work with lsof.


----------



## japoc (Mar 24, 2018)

By the way, how would you proceed to check what program is listening on a TCP port using fuser?
I checked Solr's source code and they use it to get the pid of the program that is listening on a port:


```
pid=`lsof -i:$jettyPort -sTCP:LISTEN -t`
```

How would you achieve that using fuser?


----------



## ShelLuser (Mar 24, 2018)

Well, at first I was going to comment on how this would probably not work because of the nature of lsof and the sandbox environment which is a Jail. Then I read up a bit.

Your problem mostly revolves around the lack of /dev/mem which is basically a good thing because - as far as I know - it always provides full access to the host's memory. Therefore more or less defying the purpose of the jail in the first place.

But it's still possible to provide a jail with access to devfs, thus a fully working /dev structure. Basically all you need is to define a few rules in /etc/jail.conf:


```
mount.devfs;
devfs_ruleset = 2;
enforce_statfs = 1;
allow.mount.devfs;
```

If you configure your jail with this you'll have a (mostly) complete /dev structure _including_ /dev/mem which will then allow lsof to do its job.

Fair warning though: although my experience with Jails is somewhat limited I'm still convinced that this pretty much defies the whole purpose of the jail in the first place. After all: you're basically giving the jail direct access to parts of your host which is a risk. If you use the jail for security then this setup will definitely invalidate that purpose.



japoc said:


> By the way, how would you proceed to check what program is listening on a TCP port using fuser?


You don't. Use sockstat for that: `sockstat -4l` for example.


----------



## japoc (Mar 24, 2018)

Thanks! I'm going to modify the script using sockstat.


----------
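The sockstat route suggested in the thread, as an added example that is not part of the original posts and is not Solr's code: a shell function that pulls the PID of the TCP listener on a given port out of `sockstat` output, so the jail does not need /dev/mem exposed for lsof. The helper name `listener_pids`, the column layout it parses and the sample output are assumptions; the sample is constructed.

```shell
#!/bin/sh
# Added example: jail-friendly replacement for
#   pid=`lsof -i:$jettyPort -sTCP:LISTEN -t`
# Live use inside the jail:
#   pid=$(sockstat -4 -6 -l -P tcp | listener_pids "$jettyPort")

# listener_pids PORT  (hypothetical helper name)
# Reads sockstat-style output on stdin, prints the unique PIDs of TCP sockets
# bound to local port PORT, and returns 1 when nothing matches.
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
listener_pids() {
    case "$1" in
        ''|*[!0-9]*) echo "listener_pids: port must be numeric" >&2; return 2 ;;
    esac
    awk -v port="$1" '
        $1 == "USER"      { next }   # header line
        $5 !~ /^tcp/      { next }   # keep tcp4, tcp6, tcp46; drop udp
        $3 !~ /^[0-9]+$/  { next }   # sockets with no owning process show "?"
        {
            # The port follows the last ":" since IPv6 addresses contain colons.
            n = split($6, parts, ":")
            if (parts[n] == port) { found = 1; if (!seen[$3]++) print $3 }
        }
        END { exit !found }
    '
}

# Constructed sample of `sockstat -4 -6 -l` output (not captured from a real host).
SAMPLE='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
solr     java       4321  131 tcp46  *:8983           *:*
solr     java       4321  140 tcp4   127.0.0.1:7983   *:*
www      nginx      905   6   tcp4   *:18983          *:*
nobody   probe      977   5   udp4   *:8983           *:*
root     sshd       812   3   tcp6   *:22             *:*
root     sshd       812   4   tcp4   *:22             *:*'

printf '%s\n' "$SAMPLE" | listener_pids 8983   # prints 4321
```

The non-zero exit status when no listener is found lets a startup wait loop test the function directly instead of checking for empty output.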

