
Why poudriere creates a pair of jails with and without IP addresses


While testing a port using poudriere with something like this:

poudriere testport -v -j 11amd64 -p custom www/go-www 

I got this error:

!!! build failure encountered !!!               
[00:00:06] ====>> Error: Build failed in phase: fetch 

For some reason the package can't be found/downloaded, so, in an attempt to check whether there was an issue with the jail's resolver, I listed the existing jails with jls and got this output, which caught my attention:

>  jls
   JID  IP Address      Hostname                      Path
   363  127.0.0.1       11amd64-custom                /usr/local/poudriere/data/.m/11amd64-custom/ref
   364                  11amd64-custom                /usr/local/poudriere/data/.m/11amd64-custom/ref
   365  127.0.0.1       11amd64-custom-job-02         /usr/local/poudriere/data/.m/11amd64-custom/02
   366                  11amd64-custom-job-02         /usr/local/poudriere/data/.m/11amd64-custom/02
   367  127.0.0.1       11amd64-custom-job-01         /usr/local/poudriere/data/.m/11amd64-custom/01
   368                  11amd64-custom-job-01         /usr/local/poudriere/data/.m/11amd64-custom/01
   369  127.0.0.1       11amd64-custom-job-03         /usr/local/poudriere/data/.m/11amd64-custom/03
   370                  11amd64-custom-job-03         /usr/local/poudriere/data/.m/11amd64-custom/03

What I noticed is that if I enter a jail with no IP address assigned (jexec 364) I can ping/fetch any host, for example, but if I enter a jail with an IP address (jexec 363), in this case 127.0.0.1, I can't ping/resolve:

ping: sendto: Can't assign requested address

Therefore I would like to know what the idea is behind creating a pair of jails, one with an IP (not routable) and another without an IP (routable). What is the logic behind it?

Just in case, this is the configuration I am using for poudriere, /usr/local/etc/poudriere.conf:

ZPOOL=tank
ZROOTFS=/poudriere
FREEBSD_HOST=https://download.FreeBSD.org
RESOLV_CONF=/etc/resolv.conf
BASEFS=/usr/local/poudriere
POUDRIERE_DATA=${BASEFS}/data
USE_PORTLINT=no
USE_TMPFS=yes
DISTFILES_CACHE=/usr/ports/distfiles
CHECK_CHANGED_OPTIONS=verbose
CHECK_CHANGED_DEPS=yes
PKG_REPO_SIGNING_KEY=/usr/local/etc/ssl/keys/pkg.key
CCACHE_DIR=/var/cache/ccache
NOLINUX=yes

UPDATE

To fix the problem I entered interactive mode (notice the -i):

poudriere testport -v -i -j 11amd64 -p custom www/go-www 

then:

cd /usr/ports/www/go-www/; make

That fetched the packages and I just copied them to /usr/ports/distfiles/.

Then again:

poudriere testport -v -j 11amd64 -p custom www/go-www 

That was an ugly hack, but the main problem was a bad line in the Makefile that was duplicating content:

 GH_ACCOUNT=    nbari:DEFAULT,www

Should be:

 GH_ACCOUNT=    nbari:DEFAULT

But I am still wondering why the pair of jails is created with and without an IP.


Solution

  • poudriere(8) performs the stages that do not need networking in a more restrictive jail, for added security. Previously the jails were restarted with or without networking capabilities; now two separate jails are kept throughout the process to reduce complexity.

    The jail with the listed IP address is explicitly set to a loopback address, and the one without inherits its networking from the host:

    : ${LOIP6:=::1}
    : ${LOIP4:=127.0.0.1}
    case $IPS in
    01)
            localipargs="ip6.addr=${LOIP6}"
            ipargs="ip6=inherit"
            ;;
    10)
            localipargs="ip4.addr=${LOIP4}"
            ipargs="ip4=inherit"
            ;;
    11)
            localipargs="ip4.addr=${LOIP4} ip6.addr=${LOIP6}"
            ipargs="ip4=inherit ip6=inherit"
            ;;
    esac
    
    ...
    
    jstart() {
            local name network
    
            network="${localipargs}"
    
            [ "${RESTRICT_NETWORKING}" = "yes" ] || network="${ipargs}"
    
            _my_name name
            jail -c persist name=${name} \
                    path=${MASTERMNT}${MY_JOBID+/../${MY_JOBID}} \
                    host.hostname=${BUILDER_HOSTNAME-${name}} \
                    ${network} ${JAIL_PARAMS} \
                    allow.socket_af allow.raw_sockets allow.chflags allow.sysvipc
            jail -c persist name=${name}-n \
                    path=${MASTERMNT}${MY_JOBID+/../${MY_JOBID}} \
                    host.hostname=${BUILDER_HOSTNAME-${name}} \
                    ${ipargs} ${JAIL_PARAMS} \
                    allow.socket_af allow.raw_sockets allow.chflags allow.sysvipc
    }
    

    The fetch error seems to be because of the duplicate entries in the new distfile (two entries for nbari-www-1.1.1_GH0.tar.gz). The error line in your log file starts with fetch: 4211, 4211 being the size of the duplicate entry.

    The entry in question is being added twice because of the groups specified with GH_ACCOUNT: DEFAULT adds the PORTNAME (www), and www adds itself.
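Two read-only checks for the symptoms in this thread, added here as an example and not part of the answer or of poudriere itself. The first parses a jls(8) listing (the sample is the one from the question, shortened so that one builder is deliberately missing its twin) and reports which jail of each pair is the loopback-only restricted build jail and which inherits host networking, then lists hostnames that lack one half of the pair. The second scans a constructed distinfo (hash values are placeholders, not the port's real checksums) for distfiles that appear twice, which is the duplicate-entry condition the answer describes. The function names and the "restricted"/"inherit" labels are my own.

```sh
#!/bin/sh
# Added example (not poudriere's own code): checks on constructed sample input.

# Constructed sample: jls(8) listing from the question, with JID 368 left out on
# purpose so that one builder has no inherit twin.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
   363  127.0.0.1       11amd64-custom                /usr/local/poudriere/data/.m/11amd64-custom/ref
   364                  11amd64-custom                /usr/local/poudriere/data/.m/11amd64-custom/ref
   365  127.0.0.1       11amd64-custom-job-02         /usr/local/poudriere/data/.m/11amd64-custom/02
   366                  11amd64-custom-job-02         /usr/local/poudriere/data/.m/11amd64-custom/02
   367  127.0.0.1       11amd64-custom-job-01         /usr/local/poudriere/data/.m/11amd64-custom/01'

# classify_jails LISTING: print "JID hostname class" per jail, where class is
#   restricted - explicit loopback-only address (the build jail),
#   inherit    - no address column, i.e. host networking inherited (the -n jail),
#   other      - any non-loopback address, which poudriere does not create.
# jls prints nothing in the IP column for inherit jails, so awk sees 3 fields
# instead of 4; paths contain no spaces, so field counting is reliable.
classify_jails() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        if (NF == 4) { jid = $1; ip = $2; host = $3 }
        else         { jid = $1; ip = "";  host = $2 }
        if (ip == "")                              cls = "inherit"
        else if (ip == "127.0.0.1" || ip == "::1") cls = "restricted"
        else                                       cls = "other"
        print jid, host, cls
    }'
}

# unpaired_jails LISTING: hostnames lacking either a restricted or an inherit jail.
# A builder without its inherit twin cannot fetch; one without its restricted
# twin would run every stage with host networking.
unpaired_jails() {
    classify_jails "$1" | awk '
        { seen[$2] = seen[$2] " " $3 }
        END {
            for (h in seen)
                if (index(seen[h], "restricted") == 0 || index(seen[h], "inherit") == 0)
                    print h
        }' | sort
}

# Constructed distinfo reproducing the duplicate entries the answer describes.
# The SHA256 values are placeholders (constructed), not the port's checksums.
SAMPLE_DISTINFO='TIMESTAMP = 1500000000
SHA256 (nbari-www-1.1.1_GH0.tar.gz) = PLACEHOLDER_SHA256_CONSTRUCTED
SIZE (nbari-www-1.1.1_GH0.tar.gz) = 4211
SHA256 (nbari-www-1.1.1_GH0.tar.gz) = PLACEHOLDER_SHA256_CONSTRUCTED
SIZE (nbari-www-1.1.1_GH0.tar.gz) = 4211'

# duplicate_distfiles DISTINFO: distfile names that have more than one SIZE line.
# Splitting on parentheses puts the filename in field 2 of "SIZE (name) = bytes".
duplicate_distfiles() {
    printf '%s\n' "$1" | awk -F '[()]' '
        /^SIZE \(/ { n[$2]++ }
        END { for (f in n) if (n[f] > 1) print f }' | sort
}

echo "jail classes:";        classify_jails "$SAMPLE_JLS"
echo "unpaired builders:";   unpaired_jails "$SAMPLE_JLS"
echo "duplicate distfiles:"; duplicate_distfiles "$SAMPLE_DISTINFO"
```

On a live system, replace the sample with `jls` output (for the first two checks) or the port's distinfo file (for the third); the jls parser only relies on the default column layout shown in the question.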