# Jailing nfsd



## Blueprint (May 3, 2010)

Hi, I seem to be having issues starting up an NFS server inside a jail. When the jail starts, only rpcbind comes up automatically, while nfsd and mountd do not.

I get the following error in messages when I try starting nfsd manually, while mountd can be started manually with no issues.


```
fs6# nfsd -u -t -n 4

fs6# cat /var/log/messages
May  3 21:33:18 fs6 syslogd: kernel boot file is /boot/kernel/kernel
May  3 21:33:18 fs6 rpcbind: cannot create socket for udp6
May  3 21:35:19 fs6 nfsd[1180]: nfssvc: Operation not permitted
May  3 21:35:19 fs6 nfsd[1183]: nfssvc: Operation not permitted
May  3 21:35:19 fs6 nfsd[1181]: nfssvc: Operation not permitted
May  3 21:35:19 fs6 nfsd[1182]: nfssvc: Operation not permitted
May  3 21:35:19 fs6 nfsd[1179]: can't Add UDP socket
```

Jail host config.


```
blueprint# cat /etc/rc.conf
zfs_enable="YES"
hostname="blueprint.domain.local"
keymap="us.iso"
ifconfig_em0="inet 192.168.0.2  netmask 255.255.255.0"
ifconfig_em0_alias0="192.168.0.6 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

# Daemon Config
sshd_enable="YES"
apcupsd_enable="YES"
syslogd_flags="-b 192.168.0.2"

# Jail Config
jail_enable="YES"
jail_list="exports"

# Exports Jail
jail_exports_rootdir="/jails/exports"
jail_exports_hostname="fs6.domain.local"
jail_exports_ip="192.168.0.6"
jail_exports_devfs_enable="YES"
jail_exports_devfs_ruleset="devfsrules_jail"

blueprint# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
baz      sshd       1153  3  tcp4   192.168.0.2:22        192.168.1.2:60356
root     sshd       1151  3  tcp4   192.168.0.2:22        192.168.1.2:60356
root     sendmail   816   3  tcp4   127.0.0.1:25          *:*
root     sshd       801   3  tcp4   192.168.0.2:22        *:*
root     syslogd    573   6  udp4   192.168.0.2:514       *:*
```

Jail config.


```
fs6# cat /etc/rc.conf
hostname="fs6.domain.local"
network_interfaces=""
defaultrouter="192.168.0.1"
sshd_enable="YES"
# nfs
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_enable="YES"
mountd_flags="-r -h 192.168.0.6"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"

fs6# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
baz      sshd       1162  3  tcp4   192.168.0.6:22        192.168.1.2:60357
root     sshd       1159  3  tcp4   192.168.0.6:22        192.168.1.2:60357
root     sendmail   1062  3  tcp4   192.168.0.6:25        *:*
root     sshd       1055  3  tcp4   192.168.0.6:22        *:*
root     rpcbind    962   7  udp4   192.168.0.6:111       *:*
root     rpcbind    962   8  udp4   192.168.0.6:806       *:*
root     rpcbind    962   9  tcp4   192.168.0.6:111       *:*
root     syslogd    947   6  udp4   192.168.0.6:514       *:*

fs6# rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100000    4 local    111  rpcbind
    100000    3 local    111  rpcbind
    100000    2 local    111  rpcbind
```


----------



## DutchDaemon (May 3, 2010)

1. Set your alias netmask correctly (255.255.255.255)
2. Try the -h flag to nfsd to bind NFS to the jail IP explicitly (see http://forums.freebsd.org/showthread.php?t=13832)


----------



## SirDice (May 3, 2010)

Yeah, all three (rpcbind, mountd and nfsd) need to be bound to the jail's IP address.


----------



## Blueprint (May 4, 2010)

Hi guys, thanks for the replies. I fixed the alias netmask.

I should have mentioned I did try the -h flag with all the daemons. This is what it looks like now in my jail rc.conf.


```
rpcbind_enable="YES"
rpcbind_flags="-h 192.168.0.6"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.0.6"
mountd_enable="YES"
mountd_flags="-r -h 192.168.0.6"
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
```

This is what messages say when the jail starts up with the new flags. Again, nfsd and mountd still fail to automatically start.


```
May  4 08:59:47 fs6 syslogd: kernel boot file is /boot/kernel/kernel
May  4 08:59:47 fs6 rpcbind: cannot create socket for udp6
May  4 08:59:47 fs6 rpcbind: cannot bind 192.168.0.6 on udp: Address already in use
May  4 08:59:47 fs6 rpcbind: cannot bind 192.168.0.6 on tcp: Address already in use
```

If I manually start nfsd with "nfsd -u -t -n 4 -h 192.168.0.6", I get the same entry in messages as before.

Also I failed to include the following error when manually starting mountd, which happens with or without the -h flag.


```
fs6# mountd -r -h 192.168.0.6

May  4 09:07:52 fs6 mountd[4371]: can't delete exports for /: Operation not permitted 
May  4 09:07:52 fs6 mountd[4371]: can't change attributes for /exports
May  4 09:07:52 fs6 mountd[4371]: bad exports list line /exports	-network 192.168.0.0 -mask 255.255.255.0
May  4 09:07:52 fs6 mountd[4372]: bindresvport_sa: Address already in use
```

Is this format not correct in /etc/exports?

Unfortunately I have to run to work, so I only had a few minutes to try your suggestions; perhaps I missed something.


----------



## SirDice (May 4, 2010)

Make sure there's no rpcbind running on the host. Or make sure that one only listens to the host's IP address. By default all services will try and bind to _all_ available addresses, including all aliases.


----------
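The host-side check suggested in the post above, as an added example that is not part of the original thread: it reads `sockstat -4 -l` output taken on the jail host and lists every listener bound to the wildcard address or to the jail's IP. The function name `find_jail_conflicts` is hypothetical, and the sample listing is constructed (the rpcbind and mountd lines are invented for illustration).

```sh
#!/bin/sh
# Added example: flag host listeners that would collide with a jail's IP.
# stdin: output of `sockstat -4 -l` run on the jail HOST
# $1:    the jail's IPv4 address

find_jail_conflicts() {
    jail_ip="$1"
    awk -v ip="$jail_ip" '
        $1 == "USER" { next }        # skip the header line
        NF < 7       { next }        # skip blank or malformed lines
        $7 != "*:*"  { next }        # keep listening/unconnected sockets only
        {
            # LOCAL ADDRESS is addr:port; the port follows the last colon.
            n = split($6, part, ":")
            port = part[n]
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (addr == "*")      why = "wildcard"
            else if (addr == ip)  why = "jail-ip"
            else next
            # command, pid, proto/port, reason
            printf "%s %s %s/%s %s\n", $2, $3, $5, port, why
        }'
}

# Constructed sample: a host where rpcbind was started without -h and a
# stray mountd holds the jail address.
sample_host_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   816   3  tcp4   127.0.0.1:25          *:*
root     sshd       801   3  tcp4   192.168.0.2:22        *:*
root     syslogd    573   6  udp4   192.168.0.2:514       *:*
root     rpcbind    640   9  udp4   *:111                 *:*
root     rpcbind    640   11 tcp4   *:111                 *:*
root     mountd     655   7  tcp4   192.168.0.6:918       *:*
EOF
}

sample_host_sockstat | find_jail_conflicts 192.168.0.6
```

On a live host, pipe the real listing in instead: `sockstat -4 -l | find_jail_conflicts 192.168.0.6`. Empty output means no host process holds the wildcard or the jail address.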



## akhil (Oct 23, 2010)

Any update on this thread? I am also having the exact same issue. 


```
Oct 23 20:09:38 <daemon.err> jail1-nfs1 rpcbind: cannot create socket for udp6
Oct 23 20:09:38 <daemon.err> jail1-nfs1 rpcbind: cannot bind 192.168.1.10 on udp: Address already in use
Oct 23 20:09:38 <daemon.err> jail1-nfs1 rpcbind: cannot bind 192.168.1.10 on tcp: Address already in use
Oct 23 20:09:39 <daemon.warn> jail1-nfs1 inetd[1385]: madvise() failed: Operation not permitted
Oct 23 20:24:12 <daemon.err> jail1-nfs1 nfsd[1917]: nfssvc: Operation not permitted
Oct 23 20:24:12 <daemon.err> jail1-nfs1 nfsd[1919]: nfssvc: Operation not permitted
Oct 23 20:24:12 <daemon.err> jail1-nfs1 nfsd[1918]: nfssvc: Operation not permitted
Oct 23 20:24:12 <daemon.err> jail1-nfs1 nfsd[1916]: nfssvc: Operation not permitted
Oct 23 20:25:36 <daemon.err> jail1-nfs1 nfsd[1937]: nfssvc: Operation not permitted
Oct 23 20:25:36 <daemon.err> jail1-nfs1 nfsd[1938]: nfssvc: Operation not permitted
```

Has nfsd ever been run successfully inside a jail? The jail man page indicates that nfsd may not run properly on the host, but it does not warn about running nfsd inside a jail.


----------



## Blueprint (Oct 23, 2010)

Sorry, I didn't get it to work, as I ended up switching to Samba.


----------



## akhil (Oct 23, 2010)

Thanks. I will wait to see if someone can respond with some hints at what could be next in the troubleshooting. In theory, is this supposed to work?


----------

