DtxdF / AppJail

Simple and easy-to-use tool for creating portable jails.
https://appjail.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Any jail I try to make using nat options gives error #10

Closed buckbucks1111 closed 3 months ago

buckbucks1111 commented 4 months ago

```
buckbucks% appjail makejail -f gh+AppJail-makejails/badwolf -j badwolf1 \
    -o virtualnet="ajnet:badwolf default" \
    -o nat \
    -o copydir=/tmp/files \
    -o file=/etc/rc.conf \
    -o x11 \

[00:00:00] [ info ] [badwolf1] Building ...
[00:00:00] [ debug ] [badwolf1] Main Makejail: gh+AppJail-makejails/badwolf
[00:00:01] [ debug ] [badwolf1] Using method:github (args:AppJail-makejails/badwolf) from gh+AppJail-makejails/badwolf.
[00:00:01] [ debug ] [badwolf1] Using global cache directory (git): /usr/local/appjail/cache/git
[00:00:01] [ debug ] [badwolf1] Updating /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072 ...
[00:00:01] [ debug ] [badwolf1] Including /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail ...
[00:00:01] [ debug ] [badwolf1] Using method:file (args:options/options.makejail) from options/options.makejail.
[00:00:01] [ debug ] [badwolf1] Including /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options/options.makejail ...
[00:00:02] [ debug ] [badwolf1] Makejail generated:
[00:00:02] [ debug ] [badwolf1] RAW cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail
[00:00:02] [ debug ] [badwolf1] RAW cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options/options.makejail
[00:00:02] [ debug ] [badwolf1] OPTION resolv_conf
[00:00:02] [ debug ] [badwolf1] OPTION tzdata
[00:00:02] [ debug ] [badwolf1] OPTION overwrite=force
[00:00:02] [ debug ] [badwolf1] OPTION start
[00:00:02] [ debug ] [badwolf1] RAW cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail
[00:00:02] [ debug ] [badwolf1] ARG badwolf_tag=13.3
[00:00:02] [ debug ] [badwolf1] FROM --entrypoint gh+AppJail-makejails/badwolf badwolf:${badwolf_tag}
[00:00:02] [ debug ] [badwolf1] CMD pw useradd -n badwolf -c "Minimalist and privacy-oriented WebKitGTK+ browser" -d /home/badwolf -s /bin/sh
[00:00:02] [ debug ] [badwolf1] CMD mkdir -p /home/badwolf/.local/share/badwolf/webkit-web-extension
[00:00:02] [ debug ] [badwolf1] CMD mkdir -p /home/badwolf/.config/badwolf
[00:00:02] [ debug ] [badwolf1] CMD chown -R badwolf:badwolf /home/badwolf
[00:00:02] [ debug ] [badwolf1] COPY usr
[00:00:02] [ debug ] [badwolf1] STOP
[00:00:02] [ debug ] [badwolf1] STAGE custom:badwolf_open
[00:00:02] [ debug ] [badwolf1] ENV DISPLAY=:0
[00:00:02] [ debug ] [badwolf1] USER badwolf
[00:00:02] [ debug ] [badwolf1] RUN badwolf.sh
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/RAW (args:cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/RAW (args:cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options/options.makejail)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/build/OPTION (args:resolv_conf)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/build/OPTION (args:tzdata)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/build/OPTION (args:overwrite=force)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/build/OPTION (args:start)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/RAW (args:cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail)
[00:00:02] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/ARG (args:badwolf_tag=13.3)
[00:00:03] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/build/FROM (args:--entrypoint gh+AppJail-makejails/badwolf badwolf:${badwolf_tag})
[00:00:03] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/CMD (args:pw useradd -n badwolf -c "Minimalist and privacy-oriented WebKitGTK+ browser" -d /home/badwolf -s /bin/sh)
[00:00:03] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/CMD (args:mkdir -p /home/badwolf/.local/share/badwolf/webkit-web-extension)
[00:00:03] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/CMD (args:mkdir -p /home/badwolf/.config/badwolf)
[00:00:03] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/CMD (args:chown -R badwolf:badwolf /home/badwolf)
[00:00:04] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/COPY (args:usr)
[00:00:04] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/build/STOP (args:)
[00:00:04] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/ENV (args:DISPLAY=:0)
[00:00:04] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/USER (args:badwolf)
[00:00:04] [ debug ] [badwolf1] Running makejail command (cmd): /usr/local/share/appjail/makejail/cmd/all/RUN (args:badwolf.sh)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/ARG (input:/usr/local/appjail/cache/tmp/.appjail/appjail.ZIY2LP6IPL)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/build/FROM (input:/usr/local/appjail/cache/tmp/.appjail/appjail.k8HQvrHx6o)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/build/OPTION (input:/usr/local/appjail/cache/tmp/.appjail/appjail.446F8Cgkh7)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/RAW (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/0.RAW)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/RAW (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/1.RAW)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/RAW (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/6.RAW)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/CMD (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/9.CMD)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/CMD (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/10.CMD)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/CMD (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/11.CMD)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/CMD (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/12.CMD)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/all/COPY (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/13.COPY)
[00:00:05] [ debug ] [badwolf1] Running makejail command (write): /usr/local/share/appjail/makejail/write/build/STOP (input:/usr/local/appjail/cache/tmp/.appjail/appjail.FLvI6quf1Y/stages/build/14.STOP)
[00:00:05] [ debug ] [badwolf1] Buildscript generated:
[00:00:05] [ debug ] [badwolf1] set -T
[00:00:05] [ debug ] [badwolf1]
[00:00:05] [ debug ] [badwolf1] . "${APPJAIL_CONFIG}"
[00:00:05] [ debug ] [badwolf1] . "${LIBDIR}/load"
[00:00:05] [ debug ] [badwolf1]
[00:00:05] [ debug ] [badwolf1] lib_load "${LIBDIR}/sysexits"
[00:00:05] [ debug ] [badwolf1] lib_load "${LIBDIR}/atexit"
[00:00:05] [ debug ] [badwolf1] lib_load "${LIBDIR}/log"
[00:00:05] [ debug ] [badwolf1] lib_load "${LIBDIR}/check_func"
[00:00:05] [ debug ] [badwolf1]
[00:00:05] [ debug ] [badwolf1] lib_atexit_init
[00:00:05] [ debug ] [badwolf1]
[00:00:05] [ debug ] [badwolf1] trap '' SIGINT
[00:00:05] [ debug ] [badwolf1] set -e
[00:00:05] [ debug ] [badwolf1] badwolf_tag="13.3"
[00:00:05] [ debug ] [badwolf1] lib_load "${LIBDIR}/check_func"
[00:00:05] [ debug ] [badwolf1]
[00:00:05] [ debug ] [badwolf1] while [ $# -gt 0 ]; do
[00:00:05] [ debug ] [badwolf1] case "$1" in
[00:00:05] [ debug ] [badwolf1] --badwolf_tag)
[00:00:05] [ debug ] [badwolf1] badwolf_tag="$2"; shift
[00:00:05] [ debug ] [badwolf1] ;;
[00:00:05] [ debug ] [badwolf1] --)
[00:00:05] [ debug ] [badwolf1] shift
[00:00:05] [ debug ] [badwolf1] break
[00:00:05] [ debug ] [badwolf1] ;;
[00:00:05] [ debug ] [badwolf1] --*)
[00:00:05] [ debug ] [badwolf1] lib_err ${EX_USAGE} -- "$1: Invalid option."
[00:00:05] [ debug ] [badwolf1] ;;
[00:00:05] [ debug ] [badwolf1] *)
[00:00:05] [ debug ] [badwolf1] break
[00:00:05] [ debug ] [badwolf1] ;;
[00:00:05] [ debug ] [badwolf1] esac
[00:00:05] [ debug ] [badwolf1]
[00:00:05] [ debug ] [badwolf1] shift
[00:00:05] [ debug ] [badwolf1] done
[00:00:05] [ debug ] [badwolf1] if lib_check_empty "$badwolf_tag"; then
[00:00:05] [ debug ] [badwolf1] lib_err ${EX_DATAERR} "option requires an argument -- badwolf_tag"
[00:00:05] [ debug ] [badwolf1] fi
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" image import -a "amd64" -N .ajspec -n "badwolf" -t "${badwolf_tag}" -- "gh+AppJail-makejails/badwolf"
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" image jail -a "amd64" -i "badwolf" -t "${badwolf_tag}" -- "${APPJAIL_JAILNAME}" "resolv_conf" "tzdata" "overwrite=force" "start" "virtualnet=ajnet:badwolf default" "nat" "copydir=/tmp/files" "file=/etc/rc.conf" "x11"
[00:00:05] [ debug ] [badwolf1] cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail
[00:00:05] [ debug ] [badwolf1] cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/options/options.makejail
[00:00:05] [ debug ] [badwolf1] cd -- "/usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072" # Makejail: /usr/local/appjail/cache/git/064c3e3f57c6b08e7a2892ed7cc20a5f8bd0aacfd20e04923099afe576a7c072/Makejail
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" cmd jexec "${APPJAIL_JAILNAME}" env "badwolf_tag=${badwolf_tag}" sh -c "pw useradd -n badwolf -c \"Minimalist and privacy-oriented WebKitGTK+ browser\" -d /home/badwolf -s /bin/sh"
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" cmd jexec "${APPJAIL_JAILNAME}" env "badwolf_tag=${badwolf_tag}" sh -c "mkdir -p /home/badwolf/.local/share/badwolf/webkit-web-extension"
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" cmd jexec "${APPJAIL_JAILNAME}" env "badwolf_tag=${badwolf_tag}" sh -c "mkdir -p /home/badwolf/.config/badwolf"
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" cmd jexec "${APPJAIL_JAILNAME}" env "badwolf_tag=${badwolf_tag}" sh -c "chown -R badwolf:badwolf /home/badwolf"
[00:00:05] [ debug ] [badwolf1] cp -a -- "usr" "${APPJAIL_JAILDIR}/"
[00:00:05] [ debug ] [badwolf1] "${APPJAIL_SCRIPT}" stop -- "${APPJAIL_JAILNAME}"
[00:00:06] [ debug ] [badwolf1] Cloning https://github.com/AppJail-makejails/badwolf as /usr/local/appjail/cache/tmp/.appjail/appjail.N2sXFepwFz ...
[00:00:06] [ info ] [badwolf] badwolf (arch:amd64, tag:13.3): already up to date.
[00:00:07] [ debug ] [badwolf1] quick parameters: import+root="input:/usr/local/appjail/cache/images/badwolf/13.3-amd64-image.appjail" portable resolv_conf tzdata overwrite=force start virtualnet=ajnet:badwolf default nat copydir=/tmp/files file=/etc/rc.conf x11
[00:00:07] [ warn ] [badwolf1] Trying to remove badwolf1 ...
[00:00:07] [ warn ] [badwolf1] badwolf1 is not running.
[00:00:07] [ debug ] [badwolf1] Destroy flags:
[00:00:08] [ debug ] [badwolf1] Removing badwolf1 jail...
[00:00:08] [ debug ] [badwolf1] Using zfs-destroy(8) ...
[00:00:09] [ debug ] [badwolf1] Removing files...
[00:00:09] [ debug ] [badwolf1] badwolf1 was removed.
[00:00:09] [ info ] [badwolf1] Creating an empty jail ...
[00:00:09] [ info ] [badwolf1] Importing /usr/local/appjail/cache/images/badwolf/13.3-amd64-image.appjail as badwolf1 ...
[00:00:28] [ info ] [badwolf1] Done.
[00:00:28] [ debug ] [badwolf1] Adding files ("/etc/rc.conf") to the list of files to copy ...
[00:00:28] [ debug ] [badwolf1] (1/1): Checking /etc/rc.conf ...
[00:00:28] [ debug ] [badwolf1] (1/1): Copying etc/rc.conf ...
[00:00:28] [ debug ] [badwolf1] Copying /etc/localtime as /usr/local/appjail/jails/badwolf1/jail/etc/localtime
[00:00:28] [ debug ] [badwolf1] Copying /usr/local/etc/appjail/resolv.conf as /usr/local/appjail/jails/badwolf1/jail/etc/resolv.conf
[00:00:28] [ debug ] [badwolf1] Reserving an IPv4 address for badwolf1 in ajnet ...
[00:00:29] [ debug ] [badwolf1] VNET Interface:e[ab]_badwolf Description:
[00:00:29] [ debug ] [badwolf1] ajnet is the default router.
[00:00:29] [ debug ] [badwolf1] Creating NAT rules ...
[00:00:29] [ debug ] [badwolf1] Setting NAT rule: network:ajnet ext_if:wlan0 logopts:0 () on_if:wlan0
[00:00:30] [ error ] [badwolf1] The nat command requires appjail-nat/jail/ and appjail-nat/network/ anchors to work.
buckbucks%
```

I have the anchors in my pf.conf:

```
buckbucks% cat /etc/pf.conf
nat-anchor "appjail-nat/jail/*"
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"

anchor "appjail-nat/jail/*"
anchor "appjail-nat/network/*"
anchor "appjail-rdr/*"
buckbucks%
```

pf is running. I don't know why I keep getting the errors.

DtxdF commented 4 months ago

Please use Markdown to format correctly, it is difficult to understand your problem.

> pf is running. I don't know why I keep getting the errors.

In your /etc/pf.conf:

> I have the anchors in my pf.conf:
>
> ```
> buckbucks% cat /etc/pf.conf
> nat-anchor "appjail-nat/jail/*"
> nat-anchor "appjail-nat/network/*"
> rdr-anchor "appjail-rdr/*"
>
> anchor "appjail-nat/jail/*"
> anchor "appjail-nat/network/*"
> anchor "appjail-rdr/*"
> ```

You must use the correct anchor types:

/etc/pf.conf:

```
nat-anchor "appjail-nat/jail/*"
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"
```

nat-anchor != rdr-anchor, nat-anchor != anchor, rdr-anchor != anchor. See pf.conf(5) for details:

```
An anchor can reference another anchor attachment point using the following kinds of rules:

nat-anchor ⟨name⟩
        Evaluates the nat rules in the specified anchor.
...
rdr-anchor ⟨name⟩
        Evaluates the rdr rules in the specified anchor.
...
anchor ⟨name⟩
        Evaluates the filter rules in the specified anchor.
```

Reload pf(4) rules and run the Makejail again:

```
service pf reload
```

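As an added example (not AppJail's code and not anything posted in this issue): a small POSIX sh lint that pulls the anchor-attaching rules out of a pf.conf body, or out of `pfctl -sn` output, which prints them in the same `TYPE "NAME" all` shape, and checks for the three anchors DtxdF lists above. It separates a genuinely missing anchor from the mistake discussed in this comment, a plain `anchor` rule at the right attachment point, which only evaluates filter rules and leaves the nat anchor unattached. Both configuration samples are constructed for the example; the required anchor names are taken from the corrected /etc/pf.conf above.

```shell
#!/bin/sh
# Added example, not AppJail's code: lint the pf anchors that AppJail's nat
# and rdr options need. Input is a pf.conf body or `pfctl -sn` output; both
# print anchor rules as:  TYPE "NAME" [all]

# Constructed sample 1: the anchors DtxdF lists, plus the extra plain
# "anchor" lines from the issue (harmless, but they attach filter rules only).
SAMPLE_GOOD='nat-anchor "appjail-nat/jail/*"
nat-anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"

anchor "appjail-nat/jail/*"
anchor "appjail-nat/network/*"
anchor "appjail-rdr/*"'

# Constructed sample 2: two mistakes the thread warns about, a nat-anchor
# without the "/*" wildcard and a filter "anchor" where a nat-anchor is needed.
SAMPLE_BAD='nat-anchor "appjail-nat/jail/"
anchor "appjail-nat/network/*"
rdr-anchor "appjail-rdr/*"'

# The attachment points AppJail expects, as "TYPE NAME" pairs.
REQUIRED='nat-anchor appjail-nat/jail/*
nat-anchor appjail-nat/network/*
rdr-anchor appjail-rdr/*'

# list_anchors TEXT: print "TYPE NAME" for every anchor-attaching rule.
# Comments, blank lines and the trailing "all" that pfctl prints are ignored;
# only the surrounding quotes are stripped, so a name lacking "/*" stays distinct.
list_anchors() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(nat-anchor|rdr-anchor|binat-anchor|anchor)$/ && NF >= 2 {
            name = $2
            gsub(/"/, "", name)
            print $1, name
        }'
}

# check_appjail_anchors TEXT: one status line per required anchor.
# Return value is the number of required anchors that are not attached.
check_appjail_anchors() {
    found=$(list_anchors "$1")
    missing=0
    # here-doc keeps the loop in the current shell, so $missing survives it
    while read -r kind name; do
        if printf '%s\n' "$found" | grep -Fxq "$kind $name"; then
            echo "ok       $kind \"$name\""
        elif printf '%s\n' "$found" | grep -Fxq "anchor $name"; then
            # same attachment point, wrong rule type: filter rules only
            echo "WRONG    $kind \"$name\": only a plain 'anchor' is attached here"
            missing=$((missing + 1))
        else
            echo "MISSING  $kind \"$name\""
            missing=$((missing + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    return $missing
}

echo "== constructed good sample =="
check_appjail_anchors "$SAMPLE_GOOD" || echo "unattached: $?"
echo "== constructed bad sample =="
check_appjail_anchors "$SAMPLE_BAD" || echo "unattached: $?"
```

To check the live ruleset rather than the file, run `check_appjail_anchors "$(pfctl -sn)"` after `service pf reload`; on a correctly configured host the three lines come back `ok` and the function returns 0, which is the same condition AppJail's nat step is looking for when it prints the error in the log above.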
buckbucks1111 commented 4 months ago

I have the correct anchor types exactly as you said, but when I type `pfctl -sn` it says:

```
buckbucks% sudo service pf restart
Disabling pf.
Enabling pf.
buckbucks% sudo pfctl -sn
nat-anchor "appjail" all
nat-anchor "appjail" all
rdr-anchor "appjail" all
buckbucks%
```

I don't understand why it's doing that. I'm guessing maybe a bug in pf on FreeBSD-CURRENT?

DtxdF commented 4 months ago

> I don't understand why it's doing that. I'm guessing maybe a bug in pf on FreeBSD-CURRENT?

I don't know, I'm on 14.0-RELEASE. Anyway, see my pfctl(8) output:

```
# pfctl -sn
nat-anchor "appjail-nat/jail/*" all
nat-anchor "appjail-nat/network/*" all
rdr-anchor "appjail-rdr/*" all
```

I know a person who is in CURRENT, I will ask him. AFAIK, he has no problems with pf(4).

buckbucks1111 commented 4 months ago

Thank you, please let me know. Much appreciated.

buckbucks1111 commented 4 months ago

Any luck finding out from your friend in current?

DtxdF commented 4 months ago

Yes, I contacted him, but he is busy. He'll probably tell me something this week.

Although your pf configuration looks really weird, I don't know if it really is, or if it's a side effect of you not using Markdown.

If you can, try your configuration in RELEASE instead of CURRENT.

buckbucks1111 commented 4 months ago

I should be able to install a base system of RELEASE in a jail or a chroot, and that should be enough to check the pf config?

DtxdF commented 4 months ago

This problem does not seem to be related to AppJail. See your `pfctl -sn` output and compare it with mine. Maybe it is a problem on your system or a misconfiguration, but these are mere speculations. We need to test from another system to confirm.

DtxdF commented 4 months ago

Confirmed. I have been informed that pf in CURRENT shows the output in the style you describe. I don't know if this is a bug or a breaking-change.

buckbucks1111 commented 4 months ago

I believe it's possibly a bug, because I've noticed a lot of work being done on pfctl in the src tree, or it could be a breaking change, and if so you will have to figure out a workaround in your scripts. Not sure, but thank you.

DtxdF commented 4 months ago

Yes, first of all I need to confirm why pf shows the output like that. If it is a bug, I don't have to change anything, but if it is a breaking-change, I will make changes in AppJail to fix this problem.

DtxdF commented 3 months ago

@buckbucks1111

Reported:

DtxdF commented 3 months ago

I recently updated my VM to check if this issue persisted, and it is now fixed!