Date: Tue, 01 Dec 2015 10:21:13 +0200
From: wishmaster <artemrts@ukr.net>
To: freebsd-net@freebsd.org
Subject: Re[2]: vimage and jail networking
Message-ID: <1448957193.218781171.7af7wapw@frv34.fwdcdn.com>
In-Reply-To: <5101F264-B28E-42D0-8C21-623D6C01DFB6@vuid.com>
References: <8538858C-BE02-489A-BC1B-2315AC18AD3F@vuid.com> <565D17D2.1090007@freebsd.org> <5101F264-B28E-42D0-8C21-623D6C01DFB6@vuid.com>
Hi, Nathan.

> Thank you for helping me to understand vimage better Julian! I have read all three links you posted a number of times.
>
> I use iocage for jail management and it uses epair. From your comments it seems you recommend netgraph?

I think epair is easier than netgraph for you. So, read the manual page for epair and the small example below.

/etc/rc.conf

    # epair5 added to the clone list: epair5a is configured below and epair5b is given to the cctv jail
    cloned_interfaces="epair999 epair1 epair2 epair3 epair4 epair5"
    ifconfig_epair999a="inet 192.168.254.253 netmask 255.255.255.252" # this is for "base" jail
    ifconfig_epair1a="inet 192.168.254.1 netmask 255.255.255.252"
    ifconfig_epair2a="inet 192.168.254.5 netmask 255.255.255.252"
    ifconfig_epair3a="inet 192.168.254.9 netmask 255.255.255.252"
    ifconfig_epair4a="inet 192.168.254.13 netmask 255.255.255.252"
    ifconfig_epair5a="inet 192.168.254.17 netmask 255.255.255.252"

/etc/jail.conf must have a configuration for each jail; below is one example:

    cctv {
        host.hostname = cctv;
        jid = 5;
        name = cctv;
        path = "/home/jails/cctv";
        mount.fstab = "/etc/fstab.${name}";
        vnet;
        vnet.interface = "epair5b";
        exec.start = "/bin/sh /etc/rc";
        exec.prestop = "";
        exec.stop = "/bin/sh /etc/rc.shutdown";
        securelevel = 2;
        devfs_ruleset = 4;
        mount.devfs;
        persist;
        #allowed
        allow.set_hostname = "false";
        allow.sysvipc = "false";
        allow.raw_sockets = "false";
        allow.chflags = "false";
        allow.mount = "false";
        allow.mount.devfs = "false";
        allow.mount.nullfs = "false";
        allow.mount.procfs = "false";
        allow.mount.zfs = "false";
        allow.quotas = "false";
        allow.socket_af = "false";
    }

IPFW is disabled in the jails. All filtering, port forwarding and NAT is performed in the base system, as with a normal computer in your LAN.

Very interesting concept of one base jail (base system and software) and a number of "light" jails (running services and configurations). This is very convenient, but complex enough. You may try, at first, with the standard jail described in the handbook.

--
Cheers,
Vitaliy
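A consistency check for the rc.conf/jail.conf pairing described in the mail above, as an added example that is not from the mail or from FreeBSD's own tooling: it verifies that every epairNb handed to a vnet jail has epairN in cloned_interfaces and an ifconfig_epairNa line on the host side. The sample files are constructed (with epair5 deliberately left out of the clone list) and the file paths are assumptions.

```shell
#!/bin/sh
# Constructed sample configs in a temp dir; epair5 is missing from cloned_interfaces on purpose.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/rc.conf" <<'EOF'
cloned_interfaces="epair999 epair1 epair2 epair3 epair4"
ifconfig_epair999a="inet 192.168.254.253 netmask 255.255.255.252"
ifconfig_epair1a="inet 192.168.254.1 netmask 255.255.255.252"
ifconfig_epair5a="inet 192.168.254.17 netmask 255.255.255.252"
EOF
  cat > "$dir/jail.conf" <<'EOF'
base { vnet; vnet.interface = "epair999b"; path = "/home/jails/base"; }
www  { vnet; vnet.interface = "epair1b";   path = "/home/jails/www"; }
cctv { vnet; vnet.interface = "epair5b";   path = "/home/jails/cctv"; }
EOF
  echo "$dir"
}

# check_epairs RC_CONF JAIL_CONF
# Prints one line per problem found and returns 1 if anything is inconsistent.
check_epairs() {
  rc=$1; jc=$2; status=0
  # the host-side clone list, e.g. "epair999 epair1 ..."
  cloned=$(sed -n 's/^cloned_interfaces="\([^"]*\)".*/\1/p' "$rc")
  # every epairN whose b side is assigned to a vnet jail
  for iface in $(sed -n 's/.*vnet\.interface *= *"\(epair[0-9]*\)b".*/\1/p' "$jc"); do
    case " $cloned " in
      *" $iface "*) ;;
      *) echo "$iface: not in cloned_interfaces"; status=1 ;;
    esac
    grep -q "^ifconfig_${iface}a=" "$rc" \
      || { echo "$iface: no ifconfig_${iface}a in rc.conf"; status=1; }
  done
  return $status
}

# Usage: check_epairs /etc/rc.conf /etc/jail.conf
```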