Trying to allow ports lower than 1023 in jail results in Operation not permitted

wuxia

Dabbler
Joined
Jan 7, 2016
Messages
49
I'm trying to allow ports lower than 1023 in my jail:

# sysctl net.inet.ip.portrange.reservedhigh=79
net.inet.ip.portrange.reservedhigh: 1023
sysctl: net.inet.ip.portrange.reservedhigh=79: Operation not permitted

Works fine on the host:
# sysctl net.inet.ip.portrange.reservedhigh=79
net.inet.ip.portrange.reservedhigh: 79 -> 79

What can be the reason for that and is there some workaround?
 

MisterE2002

Patron
Joined
Sep 5, 2015
Messages
211
It is possible:

echo "net.inet.ip.portrange.reservedhigh=0" >> /etc/sysctl.conf

Change => "Jail Properties" => "securelevel" from 2 to -1
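A small pre-flight script, added here and not part of the thread or of TrueNAS, that models the two rules behind the answers above so the checks can be run inside the jail before starting the web server. It assumes FreeBSD's behaviour that binding a port at or below net.inet.ip.portrange.reservedhigh requires uid 0, and that reservedhigh is a CTLFLAG_SECURE sysctl, so it can only be written while kern.securelevel is 0 or lower (which is why the securelevel change is needed for the sysctl.conf entry to take effect); the fallback values 2 and 1023 are constructed to match the thread.

```shell
# Added example (not from the thread). Assumption: binding a port
# <= reservedhigh needs uid 0, and reservedhigh is a CTLFLAG_SECURE sysctl
# that the kernel refuses to change while kern.securelevel > 0 (EPERM).

# port_needs_root PORT RESERVEDHIGH: succeeds when PORT is a reserved port.
port_needs_root() {
    [ "$1" -le "$2" ]
}

# bind_allowed UID PORT RESERVEDHIGH: prints yes or no.
bind_allowed() {
    if port_needs_root "$2" "$3" && [ "$1" -ne 0 ]; then
        echo no
    else
        echo yes
    fi
}

# reservedhigh_writable SECURELEVEL: prints yes or no.
# securelevel above 0 turns the sysctl write into the
# "Operation not permitted" error shown in the first post.
reservedhigh_writable() {
    if [ "$1" -le 0 ]; then echo yes; else echo no; fi
}

# preflight UID PORT: reads the live values on FreeBSD; elsewhere it
# falls back to constructed values mirroring the thread (2 and 1023).
preflight() {
    level=$(sysctl -n kern.securelevel 2>/dev/null) || level=2
    high=$(sysctl -n net.inet.ip.portrange.reservedhigh 2>/dev/null) || high=1023
    echo "securelevel=$level reservedhigh=$high"
    echo "bind port $2 as uid $1: $(bind_allowed "$1" "$2" "$high")"
    echo "reservedhigh changeable here: $(reservedhigh_writable "$level")"
}
```

Run `preflight 0 80` inside the jail; a "no" on the last line means the sysctl.conf entry will be ignored until securelevel is lowered, and a "no" on the bind line means the daemon must start as root or use a port above reservedhigh.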
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Jails can perfectly well, without any additional configuration, listen to ports < 1024 if the process is run by root (inside the jail) and if it is a VNET jail. That should be the default today. VNET is just superior in about every aspect compared to host based networking.
 

wuxia

Dabbler
Joined
Jan 7, 2016
Messages
49
Ports under 1024 are "privileged ports" and are typically reserved for processes running as root.

What service are you attempting to run, and can it be run on a higher port instead?

It's a web server so I need port 80/443 to avoid higher ports as it will be awkward to use.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
VNET is just superior in about every aspect compared to host based networking.

Well, that's definitely a matter of opinion. There's a lot more screwing around involved in setting up a VNET based jail, and it can be very useful to have the host platform controlling stuff like routing and firewalls.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Well, that's definitely a matter of opinion. There's a lot more screwing around involved in setting up a VNET based jail, and it can be very useful to have the host platform controlling stuff like routing and firewalls.

Our entire hosting stack would not work without a separate working 127.0.0.1 in each individual customer jail. So yes, I'm biased, but I have a convincing business case. If you use jails for multi-tenancy, VNET is the way to go.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Well, that's definitely a matter of opinion. There's a lot more screwing around involved in setting up a VNET based jail, and it can be very useful to have the host platform controlling stuff like routing and firewalls.

Sure, but my contract manager at Dell/HPE/Lenovo told me that more virtualization is more betterer, and since I'm already running a rack full of servers running a bunch of VMs that load balance my web app and database serving 20 users (5 concurrent), surely using virtual networking inside my TrueNAS jails (TrueNAS hosted on Hyper-V) would be extra bettererer, no?

(Not a jab at @Patrick M. Hausen in any way, I like VNET, but day job gets boring if I can't make fun of enterprise vendor nonsense after spending an afternoon fiddling with a tape library).
 