Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 11 Jun 2014 16:56:33 -0400
From:      Jason Hellenthal <jhellenthal@dataix.net>
To:        "s7r@sky-ip.org" <s7r@sky-ip.org>
Cc:        "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject:   Re: Assign Lookback address 127.0.0.1 to jail
Message-ID:  <CAO2cuEOWA=tas1q2ROuC5qUpB7YZhhFsz3t=Y2B7_G3gmzOD9Q@mail.gmail.com>
In-Reply-To: <5398B3C4.4050009@sky-ip.org>
References:  <53979DA8.60002@sky-ip.org> <5397A0D9.403@freebsd.org> <5397A16E.8080504@sky-ip.org> <5397A2C3.1090109@freebsd.org> <5397AE8F.8020000@sky-ip.org> <8B8FC782-7DF2-4BD3-883D-4ADE7E07822A@dataix.net> <5398B3C4.4050009@sky-ip.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Simple.

echo 'options VIMAGE' >>/sys/`uname -p`/GENERIC
cd /usr/src && make buildkernel && make installkernel

Make the necessary adjustments to ensure your system is stable as you want
it to be during testing and then lock the settings for the jails into the
perspective configuration files and the host systems /etc/rc.conf for the
interfaces you will use.

Just an example of my base jail that I use for setting up other jails on
the fly...
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.poststop = "umount /export/cnt/$name/dev";
exec.clean;

mount.devfs;

path = "/export/cnt/$name";

allow.raw_sockets;
allow.socket_af;
vnet = new;

base {
        host.hostname = base;
        vnet.interface = vnet0;
        securelevel = 3;
        exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast
172.X.X.255";
        exec.start += "route add default 172.X.X.1";
        exec.start += "/bin/sh /etc/rc";
}

And in my systems rc.conf...
ifconfig_interface0_name="vnet0"

I actually give my base template jail a full actual interface to work with
so I can segment it off on the network at the switch level and drop it into
another management vlan. But the configuration is simple and similar to
other interfaces virtual or not like if_epair(4).

The rest of the jail configuration as in rc.conf and such within the jail
is the same as if it was not a VIMAGE so you should already be aware of
those details so I won't rattle on with those. But if you have any specific
questions about this as you move through setting up VIMAGE jails feel free
to give me a hollar directly or back to this list and Ill be happy to give
you a hand.




On Wed, Jun 11, 2014 at 3:53 PM, s7r@sky-ip.org <s7r@sky-ip.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 6/11/2014 4:46 AM, Jason Hellenthal wrote:
> > You could just go with building the host kernel with VIMAGE  . . .
> > Then each jail has its own virtual network stack.
> >
> > image.png
> >
> > -- Jason Hellenthal Voice: 95.30.17.6/616 JJH48-ARIN
> >
> > On Jun 10, 2014, at 21:19, "s7r@sky-ip.org
> > <mailto:s7r@sky-ip.org>" <s7r@sky-ip.org <mailto:s7r@sky-ip.org>>
> > wrote:
> >
> > On 6/11/2014 3:28 AM, Allan Jude wrote:
> >>>> On 2014-06-10 20:23, s7r@sky-ip.org <mailto:s7r@sky-ip.org>
> >>>> wrote:
> >>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
> >>>>>> On 2014-06-10 20:07, s7r@sky-ip.org
> >>>>>> <mailto:s7r@sky-ip.org> wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> Operating system is FreeBSD 10.0 64 Bit
> >>>>>>>
> >>>>>>> I have installed ezjail from ports and properly
> >>>>>>> configured a jail with its own static and dedicated IP
> >>>>>>> address. Everything works good, it's just that I have
> >>>>>>> an application which requires to talk to another one
> >>>>>>> via RPC on IP 127.0.0.1, and I have noticed the jail
> >>>>>>> does not have a lo0 interface or localhost 127.0.0.1 IP
> >>>>>>> address.
> >>>>>>>
> >>>>>>> This is bad because the application has no choice but
> >>>>>>> to bind to the public IP address assigned to the jail,
> >>>>>>> and it's not safe.
> >>>>>>>
> >>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a
> >>>>>>> jail?
> >>>>>>>
> >>>>>>> Thanks in advance.
> >>>>>>> _______________________________________________
> >>>>>>> freebsd-jail@freebsd.org
> >>>>>>> <mailto:freebsd-jail@freebsd.org> mailing list
> >>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> >>>>>>> To unsubscribe, send any mail to
> >>>>>>> "freebsd-jail-unsubscribe@freebsd.org
> >>>>>>> <mailto:freebsd-jail-unsubscribe@freebsd.org>"
> >>>>>>>
> >>>>>
> >>>>>> Does it have to be 127.0.0.1? You can add an alias like
> >>>>>> 127.0.0.2 to the lo0 interface and use that.
> >>>>>
> >>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the
> >>>>>> jail.
> >>>>>
> >>>>>> Using ezjail, you can also allocate more than 1 IP
> >>>>>> address to a jail by comma separating them
> >>>>>
> >>>>>> You can also make it automatically alias the IPs for you
> >>>>>> with the syntax:
> >>>>>
> >>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
> >>>>>
> >>>>>
> >>>>>
> >>>>> Thank you Allan for your fast reply.
> >>>>>
> >>>>> I have the jail already created via: # ezjail-admin create
> >>>>> <jailname> <em0|public IP>
> >>>>>
> >>>>> How do I modify the already existing jail to have
> >>>>> 127.0.0.2, for example, or can't  I just have 127.0.0.1 in
> >>>>> the jail?
> >>>>>
> >>>>> _______________________________________________
> >>>>> freebsd-jail@freebsd.org <mailto:freebsd-jail@freebsd.org>
> >>>>> mailing list
> >>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To
> >>>>> unsubscribe, send any mail to
> >>>>> "freebsd-jail-unsubscribe@freebsd.org
> >>>>> <mailto:freebsd-jail-unsubscribe@freebsd.org>"
> >>>>>
> >>>>
> >>>> Stop the jail, and then edit /usr/local/etc/ezjail/jail_name
> >>>>
> >>>> and change the line that defines the IPs
> >>>>
> >
> > Thank you it works, with 127.0.0.2
> >
> > If I try to add 127.0.0.1 will this create any conflicts with the
> > host or will it work? Because i have something important listening
> > on hosts's 127.0.0.1 and don't want to mess up. I would need the
> > same configuration within the jail also, so that's why I need the
> > .1 localhost IP.
> >
> >> _______________________________________________
> >> freebsd-jail@freebsd.org <mailto:freebsd-jail@freebsd.org>
> >> mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-jail To
> >> unsubscribe, send any mail to
> >> "freebsd-jail-unsubscribe@freebsd.org
> >> <mailto:freebsd-jail-unsubscribe@freebsd.org>"
>
>
> Hey Jason
>
> Thanks for your suggestion. can you please ellaborate a little bit and
> tell me how can i do this step by step? I have an already installed
> system with ezjail and already created one jail - how can I add VIMAGE
> to have virtual network stack in each jail without having to reinstall
> the host or the jails? Thank you, looking forward for your reply.
>
> - --
> s7r
> PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
> PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQEcBAEBAgAGBQJTmLPEAAoJEIN/pSyBJlsRabgH/iG/pNAmpmb5ZBYksIjm4U5K
> hOvKcOzGiZMn/8LgbJWYf930T8li0UFmr2MttKLjkbojju/zeqjWdYfRI4t+QI5Y
> JbKj0BFHA6hPxED7BDNaorHOA/jlAbreToyzMGVlK1EIo/CxCOroMBomomucjlAx
> LxICOVrUPmHfR/f3h+sOAgqTytflQQ389PalC7gBZ7IH72JTIEFpc+8Ql5+GPDCL
> cLKrrPiTXwQqurJHQMcaaTJ3DJ1Bk1WSipJiqyRNzWIkM29q/CwEeZcyxc+7tbet
> EZaL2JechFirmlSRRj/uINqzjW5xCN4uppXBn8FakB75Ort7zRguOryH9gh98WE=
> =gyIS
> -----END PGP SIGNATURE-----
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAO2cuEOWA=tas1q2ROuC5qUpB7YZhhFsz3t=Y2B7_G3gmzOD9Q>