nginx upgrade fails due bind error on 127.0.0.1 in a FreeBSD jail
Steven Hartland
steven.hartland at multiplay.co.uk
Mon Dec 5 18:39:14 UTC 2016
On 05/12/2016 17:12, Maxim Dounin wrote:
> Hello!
>
> On Mon, Dec 05, 2016 at 02:40:27PM +0000, Steven Hartland wrote:
snip...
> Given that the real local address of the listening socket as shown
> by netstat is 10.10.96.146, it means that the socket was created
> when there were no explicit 127.0.0.1 in the jail.
This didn't appear to be the case as nginx was restarted after the
failure of upgrade and currently shows:
netstat -na | grep LIST
tcp4 0 0 10.10.96.146.81 *.* LISTEN
The jail does indeed have an explicit 127.0.0.1 as reported by ifconfig
from within said jail.
ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xffffffff
/etc/jail.conf includes:
jailXYZ {
        path = "/data/jails/XYZ";
        ip4.addr = "10.10.96.146";
        ip4.addr += "vlan96|A.B.C.D";
        ip4.addr += "lo0|127.0.0.1";
}
This is what we see when 127.0.0.1 is not exposed to the jail, which is
where I would expect the behaviour you describe:
ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
Digging into the source of jails I found the offending code:
        ia0.s_addr = ntohl(ia->s_addr);
        if (ia0.s_addr == INADDR_LOOPBACK) {
                ia->s_addr = pr->pr_ip4[0].s_addr;
                mtx_unlock(&pr->pr_mtx);
                return (0);
        }
        ...
        if (ntohl(ia->s_addr) == INADDR_LOOPBACK) {
                ia->s_addr = pr->pr_ip4[0].s_addr;
                mtx_unlock(&pr->pr_mtx);
                return (0);
        }
This uses the first IP of the jail as loopback even if there is an
address which explicitly matches.
So the workaround would be to change the order of the IPs in our jail
config, making 127.0.0.1 the first IP.
However, this doesn't seem to be documented in the jail man page, so it
quite possibly needs fixing.
Thanks for pointing me in the right direction.
I'll talk to the jail / net guys and get that fixed. At the very least
it should be clearly documented in JAIL(8) but ideally it should do the
right thing when the jail has an address which matches INADDR_LOOPBACK.
Regards
Steve
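
Added example, not part of the original message and not FreeBSD kernel code: a userland C model of the loopback remap quoted above, run against the ip4.addr order from the posted jail.conf and against the reordered workaround. The function names, the address-list representation and remap_prefer_explicit (a sketch of the "right thing" behaviour the message asks for) are assumptions made for illustration.

```c
/* Userland model of the remap quoted above; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* As in the post: a loopback request always becomes the jail's first IP. */
static uint32_t remap_first_ip(const uint32_t *jail_ip4, size_t n, uint32_t addr)
{
    if (n > 0 && ntohl(addr) == INADDR_LOOPBACK)
        return jail_ip4[0];
    return addr;
}

/* Hypothetical variant: keep 127.0.0.1 when the jail explicitly has it. */
static uint32_t remap_prefer_explicit(const uint32_t *jail_ip4, size_t n, uint32_t addr)
{
    if (ntohl(addr) != INADDR_LOOPBACK)
        return addr;
    for (size_t i = 0; i < n; i++)
        if (jail_ip4[i] == addr)
            return addr;            /* explicit match wins */
    return n > 0 ? jail_ip4[0] : addr;
}

/* Dotted quad to network byte order, the form the jail list stores. */
static uint32_t ip(const char *s) { return inet_addr(s); }

static void show(const char *label, uint32_t addr)
{
    struct in_addr a = { .s_addr = addr };
    printf("%-40s %s\n", label, inet_ntoa(a));
}

int main(void)
{
    /* Constructed from the jail.conf in the post (A.B.C.D left out). */
    uint32_t posted[]    = { ip("10.10.96.146"), ip("127.0.0.1") };
    uint32_t reordered[] = { ip("127.0.0.1"), ip("10.10.96.146") };
    uint32_t lo = ip("127.0.0.1");

    show("posted order, quoted logic:", remap_first_ip(posted, 2, lo));
    show("127.0.0.1 first, quoted logic:", remap_first_ip(reordered, 2, lo));
    show("posted order, explicit-match variant:", remap_prefer_explicit(posted, 2, lo));
    return 0;
}
```

With the posted order the quoted logic turns a bind to 127.0.0.1 into 10.10.96.146, which is the local address netstat reports; with 127.0.0.1 listed first the address is left as requested.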