NICMx / Jool

SIIT and NAT64 for Linux
GNU General Public License v2.0

Jool Fails to install on CentOS 8 #356

Closed mc-gridsw closed 3 years ago

mc-gridsw commented 3 years ago
Machine Information
-----
  Operating System: CentOS Linux 8
       CPE OS Name: cpe:/o:centos:centos:8
            Kernel: Linux 4.18.0-240.10.1.el8_3.x86_64
      Architecture: x86-64
----

This happens with both of the most recent versions (4.1.4, 4.1.3). Getting these error messages from both the tar and git clone when installing, will not run modprobe jool or find bash cannot find jool. I think there may be an issue?

[] kernel: jool_common: loading out-of-tree module taints kernel.
[] kernel: jool_common: module verification failed: signature and/or required key missing - tainting kernel

ydahhrk commented 3 years ago

[] kernel: jool_common: loading out-of-tree module taints kernel.
[] kernel: jool_common: module verification failed: signature and/or required key missing - tainting kernel

I'm a bit lost here. Could you please elaborate on what you mean by "when installing"? These messages are supposed to appear when you modprobe, not when you install.

They are also warnings, not error messages. They're basically just the kernel developers telling you "hey, I don't know what this 'Jool' thing is. If your kernel crashes, it's not my fault, and I might choose not to help you." But I can help you debug it if something goes wrong, so it's fine. These messages will not prevent Jool from running.

The warnings are expected. My understanding of it is that, since you are installing from source, I can't sign the modules for you. You'd have to do it yourself.

If you're really invested in purging the warnings, try this: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/module-signing.txt?id=refs/tags/v4.9-rc3

But, if I were you, I would not bother. Signing the modules would not enhance security much, because at the end of the day, you'd still be signing our code, so you'd be trusting us either way.
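
The two kernel messages discussed above correspond to two bits of the kernel taint mask: O (out-of-tree module, bit 12) and E (unsigned module, bit 13). The following is an added example, not code from this thread or from the Jool project; it decodes a taint value and maps the quoted log lines to those flags, and the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Jool project code.
# Taint flag letters in bit order 0..17, as listed in the kernel's
# tainted-kernels documentation. Bit 12 is O, bit 13 is E.
TAINT_LETTERS="P F S R M B U D A W C I O E L K X T"

# decode_taint VALUE: print the letters of the set bits, or "none".
decode_taint() {
    value=$1 bit=0 out=""
    for letter in $TAINT_LETTERS; do
        if [ $(( ($value >> $bit) & 1 )) -eq 1 ]; then
            out="${out:+$out }$letter"
        fi
        bit=$(($bit + 1))
    done
    printf '%s\n' "${out:-none}"
}

# flags_from_log: read kernel log lines on stdin and report which taint
# flags the module-loading messages quoted in this thread imply.
flags_from_log() {
    awk '
        /loading out-of-tree module taints kernel/ { o = 1 }
        /module verification failed/               { e = 1 }
        END {
            s = ""
            if (o) s = "O"
            if (e) s = (s == "" ? "E" : s " E")
            print (s == "" ? "none" : s)
        }'
}

# Live check for a real host: current taint value and the module's signer.
report_live() {
    module=$1
    [ -r /proc/sys/kernel/tainted ] &&
        echo "taint: $(decode_taint "$(cat /proc/sys/kernel/tainted)")"
    signer=$(modinfo -F signer "$module" 2>/dev/null || true)
    echo "signer of $module: ${signer:-<unsigned or module not found>}"
}

# Constructed sample: the two messages from this thread.
SAMPLE_LOG='kernel: jool_common: loading out-of-tree module taints kernel.
kernel: jool_common: module verification failed: signature and/or required key missing - tainting kernel'

printf '%s\n' "$SAMPLE_LOG" | flags_from_log   # flags implied by the log
decode_taint 12288                             # 4096 (O) + 8192 (E)
```

On a host with Jool loaded, `report_live jool_common` prints the live taint flags and whether the module carries a signer.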

mc-gridsw commented 3 years ago

When I said "fails to install", I mean "refuses to start". How would you get jool to start without signing the modules from building from source?

Thanks for the quick response.

ydahhrk commented 3 years ago

The lack of signatures is not what's preventing Jool from starting. I can replicate those warnings easily, yet my Jool runs fine.

Please tell me exactly how you're starting Jool, and what makes you think it's not working.

mc-gridsw commented 3 years ago

I am installing the software with directions from here.

I'm starting with modprobe jool

It does not start jool_common but I might have traced it down. You cannot run modprobe or jool from root?

ydahhrk commented 3 years ago

I am installing the software with directions from here.

Sorry; is that meant to be a link? I cannot see it.

I'm starting with modprobe jool

Ok, but that only "teaches NAT64" to your kernel.

To actually translate, you also need a jool instance add command. For example:

sudo jool instance add --netfilter --pool6 64:ff9b::/96

You cannot run modprobe or jool from root?

The modprobe does need root.

mc-gridsw commented 3 years ago

sorry link is here: https://jool.mx/en/install.html

yes, I understand. Here is part of my reboot script.

#!/bin/sh
modprobe jool
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv6.conf.all.forwarding=1
jool instance add "example" --iptables  --pool6 64:ff9b::/96
ip6tables -t mangle -A PREROUTING -j JOOL --instance "default"
iptables -t mangle -A PREROUTING -j JOOL --instance "default"

jool -i "default" pool4 add …
…

ydahhrk commented 3 years ago

Ok. Looks fine to me. What happens when an IPv6 client pings?

E.g.

ping6 64:ff9b::8.8.8.8

mc-gridsw commented 3 years ago

Can not ever get that part yet... this is when I run it from sudo user but not root

$ modprobe jool
modprobe: ERROR: could not insert 'jool': Operation not permitted

Feb 06 12:33:25 gsuser kernel: netlink: 48 bytes leftover after parsing attributes in process `jool'.

Feb 06 12:34:17 gsuser sudo[10500]: gsuser : TTY=pts/0 ; PWD=/home/gsuser ; USER=root ; COMMAND=/sbin/modprobe -r jool
Feb 06 12:34:17 gsuser sudo[10500]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Feb 06 12:34:17 gsuser sudo[10500]: pam_unix(sudo:session): session opened for user root by gsuser(uid=0)
Feb 06 12:34:17 gsuser kernel: NAT64 Jool v4.1.4.0 module removed.
Feb 06 12:34:17 gsuser kernel: Jool: Core Jool v4.1.4.0 module removed.
Feb 06 12:34:17 gsuser sudo[10500]: pam_unix(sudo:session): session closed for user root

from sudo:

$ sudo /sbin/modprobe jool

$ jool instance add "default" --iptables  --pool6 64:ff9b::/96
Error: Don't know what to do: The packet I just received does not follow Jool's protocol.

-- no instances? Trying to get just started here.

$ jool instance display
+--------------------+-----------------+-----------+
|          Namespace |            Name | Framework |
+--------------------+-----------------+-----------+
Error: Don't know what to do: The packet I just received does not follow Jool's protocol.

Log:


Feb 06 12:38:21 gsuser sudo[10544]: gsuser : TTY=pts/0 ; PWD=/home/gsuser ; USER=root ; COMMAND=/sbin/modprobe jool
Feb 06 12:38:21 gsuser sudo[10544]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
Feb 06 12:38:21 gsuser sudo[10544]: pam_unix(sudo:session): session opened for user root by gsuser(uid=0)
Feb 06 12:38:21 gsuser kernel: Jool: Core Jool v4.1.4.0 module inserted.
Feb 06 12:38:21 gsuser kernel: NAT64 Jool v4.1.4.0 module inserted.
Feb 06 12:38:21 gsuser sudo[10544]: pam_unix(sudo:session): session closed for user root
Feb 06 12:38:34 gsuser kernel: netlink: 48 bytes leftover after parsing attributes in process `jool'.
Feb 06 12:39:18 gsuser kernel: netlink: 4 bytes leftover after parsing attributes in process `jool'.
~

and finally from root

# modprobe jool
# sudo jool instance add "default" --iptables --pool6 64:ff9b::/96
sudo: jool: command not found
# jool instance add "default" --iptables --pool6 64:ff9b::/96
-bash: jool: command not found

No logs on root

where am I going wrong from here?

ydahhrk commented 3 years ago

Don't know what to do: The packet I just received does not follow Jool's protocol.

Your kernel module and your userspace client have different versions.

Your kernel module is version v4.1.4.0. I don't know what your userspace client is, but you can figure it out by running

jool --version

You said that you installed both 4.1.3 and 4.1.4. Have there been other versions of Jool installed in that machine?

See the warning box here.

ydahhrk commented 3 years ago

sudo: jool: command not found

This means that root is not operating with the same PATH variable as your normal user.

You can simply solve it by pointing to the actual binary of jool. In my case it's /usr/local/bin/jool:

sudo /usr/local/bin/jool instance add "default" --iptables --pool6 64:ff9b::/96

But I'm running Debian, so you might need to find it elsewhere.
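
The two diagnoses above (module and client at different versions, and root resolving commands through a different PATH) can be checked together. The following is an added example, not code from this thread or from the Jool project; the function names, the three-component comparison, the client output string and the secure_path value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Jool project code.

# Print the version from the last "Jool vX.Y.Z.W module inserted." line
# of the kernel log text on stdin.
module_version_from_log() {
    sed -n 's/.*Jool v\([0-9][0-9.]*\) module inserted\..*/\1/p' | tail -n 1
}

# Print the first dotted version number on stdin. Assumption: the output of
# `jool --version` contains one; its exact format is not shown in the thread.
first_version() {
    awk 'match($0, /[0-9]+(\.[0-9]+)+/) { print substr($0, RSTART, RLENGTH); exit }'
}

# versions_match LOGTEXT CLIENT_OUTPUT: succeed when module and client agree.
# Assumption: comparing the first three components (e.g. 4.1.4) is enough.
versions_match() {
    mod=$(printf '%s\n' "$1" | module_version_from_log | cut -d. -f1-3)
    cli=$(printf '%s\n' "$2" | first_version | cut -d. -f1-3)
    [ -n "$mod" ] && [ "$mod" = "$cli" ]
}

# find_in_path NAME PATHLIST: print the first executable NAME in the
# colon-separated PATHLIST, or return 1. Works on any PATH string, such as
# the secure_path value that sudo substitutes for the caller's PATH.
find_in_path() {
    name=$1 old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample: module lines from the thread's log, and a hypothetical
# client reply (the thread never shows the real `jool --version` output).
SAMPLE_LOG='Feb 06 12:38:21 gsuser kernel: Jool: Core Jool v4.1.4.0 module inserted.
Feb 06 12:38:21 gsuser kernel: NAT64 Jool v4.1.4.0 module inserted.'
if versions_match "$SAMPLE_LOG" "4.1.3.0"; then echo "match"; else echo "MISMATCH"; fi
# Assumed RHEL-style secure_path; check the sudoers file on the real host.
find_in_path jool "/sbin:/bin:/usr/sbin:/usr/bin" || echo "jool not in that PATH"
```

On a real host, pass `"$(dmesg)"` and `"$(jool --version)"` to `versions_match`, and give `find_in_path` the PATH that root or sudo actually uses.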

mc-gridsw commented 3 years ago

I appreciate the tip, I changed to a different flavor of OS, and got it to start properly. I understand the PATH issue, and I'll try it in a VM in the future.

Thanks for your help.