From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: Can't ping in jail
Date: Sun, 4 Dec 2016 11:29:11 +0000

On 04/12/2016 01:59, Ernie Luzar wrote:
> This post sheds a lot of light on your problem. ezjail uses the legacy
> method with definition statements in /etc/rc.conf and qjail uses the
> modern way using /etc/jail.conf. qjail is a fork of ezjail so many
> things will feel the same moving to qjail. The ezjail and qjail
> directory tree is named differently and use different internal control
> files so you would have to build your qjail jails anew. qjail and ezjail
> can both run on the same host at the same time just using different jail
> ip addresses.
>
> Both methods have statements for enabling allow_raw_sockets on a jail
> by jail basis which is the way it should be done. The sysctl nib has to
> be issued on the host where the jails are, not the gateway host connected
> to the public network.
>
> ezjail requires manual starting and stopping of ip alias for the jail.
> qjail does all that for you without you having to take any actions.
>
> There is a qjail version for 9.x systems, but it's outdated and at EOL.

The jail management system that has been attracting a lot of attention
and favourable comment recently is iocage. The original version was
written in /bin/sh and this is what is in ports as sysutils/iocage or
sysutils/iocage-devel. The authors are intending to rewrite it in a
different language though. It does, however, require you to use ZFS,
since it stores all the configuration info it needs as ZFS properties.

https://iocage.readthedocs.io/en/latest/

	Cheers,

	Matthew
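
[Added example, not part of the original thread or written by either poster: a minimal /etc/jail.conf showing raw sockets granted to one jail only, as the quoted text recommends. The jail names, hostnames, paths and addresses are constructed placeholders.]

```conf
# /etc/jail.conf (constructed example; names, paths and addresses are placeholders)

# Defaults inherited by every jail defined below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Diagnostics jail: the only one permitted to open raw sockets,
# so ping and traceroute work inside it.
diag {
    host.hostname = "diag.example.org";
    path = "/usr/jails/diag";
    ip4.addr = "192.0.2.10";
    allow.raw_sockets;
}

# Service jail: allow.raw_sockets is deliberately left unset, so
# processes inside it cannot open raw sockets and ping will not work.
# This keeps a compromised service from crafting arbitrary packets.
web {
    host.hostname = "web.example.org";
    path = "/usr/jails/web";
    ip4.addr = "192.0.2.11";
}
```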