From owner-freebsd-jail@freebsd.org Wed Dec 14 20:53:43 2016 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 147E6C77848 for ; Wed, 14 Dec 2016 20:53:43 +0000 (UTC) (envelope-from trashcan@ellael.org) Received: from mx2.enfer-du-nord.net (mx2.enfer-du-nord.net [IPv6:2001:41d0:d:3049:1:1:0:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A699C1CCE for ; Wed, 14 Dec 2016 20:53:42 +0000 (UTC) (envelope-from trashcan@ellael.org) Received: from [IPv6:2003:8c:2e04:5401:2d94:6496:ed77:a6cf] (p2003008C2E0454012D946496ED77A6CF.dip0.t-ipconnect.de [IPv6:2003:8c:2e04:5401:2d94:6496:ed77:a6cf]) by mx2.enfer-du-nord.net (Postfix) with ESMTPSA id 3tf81T1d8nzNDt for ; Wed, 14 Dec 2016 21:53:33 +0100 (CET) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\)) Subject: Re: multiple interfaces for jail.conf(1) and jail_set(2) From: Michael Grimm In-Reply-To: <907B489D-899A-4204-96D8-ACF86EE829A7@blackskyresearch.net> Date: Wed, 14 Dec 2016 21:53:31 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <818391CE-7425-49DF-8794-B6E43C1389AD@ellael.org> References: <0ED7F403-F14E-4A72-8E54-AF74AAE15061@blackskyresearch.net> <45822529-2096-4B32-8515-F5875BEF7101@ellael.org> <907B489D-899A-4204-96D8-ACF86EE829A7@blackskyresearch.net> To: freebsd-jail@FreeBSD.org X-Virus-Scanned: clamav-milter 0.99.2 at mail X-Virus-Status: Clean X-Mailer: Apple Mail (2.3124) X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Dec 2016 20:53:43 -0000 Isaac (.ike) Levy wrote > Wow, that=E2=80=99s rad Michael, >=20 >> On Dec 14, 2016, at 3:30 PM, Michael Grimm = wrote: >>=20 >> Isaac (.ike) Levy wrote: >>=20 >>> Can I specify multiple IP interfaces and assign IP=E2=80=99s to them = using jail.conf? >>=20 >> Not sure if I understand your question correctly, but I do define the = following in my jail.conf for VNET jails: >>=20 >> # >> # host dependent global settings >> # >> $ip6prefixLOCAL =3D "fd00:dead:beef:1234"; >>=20 >> # >> # global jail settings >> # >> host.hostname =3D "${name}"; >> path =3D "/usr/home/jails/${name}"; >> mount.fstab =3D "/etc/fstab.${name}"; >> exec.consolelog =3D "/var/log/jail_${name}_console.log"; >> vnet =3D "new"; >> vnet.interface =3D "epair${jailID}b"; >> exec.clean; >> mount.devfs; >> persist; >>=20 >> # >> # network settings to apply/destroy during start/stop of every jail >> # >> exec.prestart =3D "sleep 2"; >> exec.prestart +=3D "/sbin/ifconfig epair${jailID} = create up"; >> exec.prestart +=3D "/sbin/ifconfig bridge0 addm = epair${jailID}a"; >> exec.start =3D "/sbin/sysctl net.inet6.ip6.dad_count=3D0"; >> exec.start +=3D "/sbin/ifconfig lo0 127.0.0.1 up"; >> exec.start +=3D "/sbin/ifconfig epair${jailID}b inet = ${ip4_addr}"; >> exec.start +=3D "/sbin/ifconfig epair${jailID}b inet6 = ${ip6_addr}"; >> exec.start +=3D "/sbin/route add default -gateway = 10.1.1.254"; >> exec.start +=3D "/sbin/route add -inet6 default -gateway = ${ip6prefixLOCAL}::254"; >> exec.stop =3D "/sbin/route del default"; >> exec.stop +=3D "/sbin/route del -inet6 default"; >> exec.stop +=3D "/bin/sh /etc/rc.shutdown"; >> exec.poststop =3D "/sbin/ifconfig epair${jailID}a = destroy"; >>=20 >> # >> # individual jail settings >> # >> dns { >> $jailID =3D 1; >> $ip4_addr =3D 10.1.1.1; >> $ip4_addr_2 =3D 10.1.1.2; >> $ip6_addr =3D ${ip6prefixLOCAL}::1/64; >> $ip6_addr_2 =3D ${ip6prefixLOCAL}::2/64; >> exec.start +=3D "/sbin/ifconfig epair${jailID}b inet = ${ip4_addr_2} alias"; >> exec.start +=3D "/sbin/ifconfig epair${jailID}b inet6 = ${ip6_addr_2} alias"; >> exec.start +=3D "/bin/sh /etc/rc"; >> } >>=20 >> etc. >=20 > I=E2=80=99ll need to study/look up some of that syntax, to fully grok = this, but that comprehensive example appears to hit the nail on the head = several times over with the exec.start/exec.stop action. >=20 > Two questions though: >=20 > - I=E2=80=99m confused how you define the shell style $ variables in = your individual jail settings above, e.g. =E2=80=98$ip4_addr_2 =3D = 10.1.1.2;=E2=80=99, why/how does that work? Is that a variable to be = expanded, or some other behavior? This is described in jail.conf(5) under the section "variables". I do = have 10 jails running, and those $ variables/parameters are very = helpful, indeed. >> Again, not sure if I do understand your issue correctly, but the = shown examples of exec.start, exec.stop, etc. are quite versatile to = use. >>=20 >> I do start/stop my jails by "service jail start/stop=E2=80=9D. >=20 > - Obviously you state you=E2=80=99re using service to start/stop = jails, but shouldn=E2=80=99t this work with =E2=80=98jail -c = =E2=80=99, or are these subsystems not interoperable? Hmm. I do have to admit that I never tried 'jail -c ', but I = just gave it a try, and yes, it works as well :-)=20 I do use "service jail start/stop" because that will obey my pre-defined = starting/stopping order of jails (which I do need to have, e.g. dns = before mail and such) in /etc/rc.conf jail_enable=3D"YES" jail_reverse_stop=3D"YES" jail_list=3D"dns mail ..." Regards, Michael