Message-ID: <5398C5F0.6030203@sky-ip.org>
Date: Thu, 12 Jun 2014 00:11:12 +0300
From: "s7r@sky-ip.org"
Reply-To: s7r@sky-ip.org
To: Jason Hellenthal
Cc: "freebsd-jail@freebsd.org"
Subject: Re: Assign Lookback address 127.0.0.1 to jail

On 6/11/2014 11:56 PM, Jason Hellenthal wrote:
> Simple.
>
> echo 'options VIMAGE' >>/sys/`uname -p`/GENERIC
> cd /usr/src && make buildkernel && make installkernel
>

This is perfectly clear - hope it does not affect the current
functionality and installed ports on the running machine?

> Make the necessary adjustments to ensure your system is stable as
> you want it to be during testing and then lock the settings for the
> jails into the perspective configuration files and the host
> system's /etc/rc.conf for the interfaces you will use.
>
> Just an example of my base jail that I use for setting up other
> jails on the fly...
>
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.poststop = "umount /export/cnt/$name/dev";
> exec.clean;
>
> mount.devfs;
>
> path = "/export/cnt/$name";
>
> allow.raw_sockets;
> allow.socket_af;
> vnet = new;
>
> base {
>     host.hostname = base;
>     vnet.interface = vnet0;
>     securelevel = 3;
>     exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast 172.X.X.255";
>     exec.start += "route add default 172.X.X.1";
>     exec.start += "/bin/sh /etc/rc";
> }
>

Q1: All this is to be pasted into the jail's /etc/rc.conf file?
Q2: 172.X.X.22/22 -> I want to assign a public IP address to the jail,
and a local loopback address.
Q3: route add default - this is the default router? This should be the
host's public IP address or the IP address of the gateway assigned by
my ISP?

> And in my system's rc.conf...
>
> ifconfig_interface0_name="vnet0"
>

No IP address here or alias for vnet0? In host's /etc/rc.conf? Just
interface0_name="vnet0"? Shouldn't interface0 be em0, the default
interface of the host? Shouldn't that come first?

> I actually give my base template jail a full actual interface to
> work with so I can segment it off on the network at the switch
> level and drop it into another management vlan. But the
> configuration is simple and similar to other interfaces virtual or
> not like if_epair(4).
>
> The rest of the jail configuration as in rc.conf and such within
> the jail is the same as if it was not a VIMAGE so you should
> already be aware of those details so I won't rattle on with those.
> But if you have any specific questions about this as you move
> through setting up VIMAGE jails feel free to give me a holler
> directly or back to this list and I'll be happy to give you a hand.
>
>
> On Wed, Jun 11, 2014 at 3:53 PM, s7r@sky-ip.org wrote:
>
> On 6/11/2014 4:46 AM, Jason Hellenthal wrote:
>> You could just go with building the host kernel with VIMAGE . . .
>> Then each jail has its own virtual network stack.
>
>> -- Jason Hellenthal Voice: 95.30.17.6/616
>> JJH48-ARIN
>
>> On Jun 10, 2014, at 21:19, "s7r@sky-ip.org" wrote:
>
>> On 6/11/2014 3:28 AM, Allan Jude wrote:
>>>>> On 2014-06-10 20:23, s7r@sky-ip.org wrote:
>>>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>>>>> On 2014-06-10 20:07, s7r@sky-ip.org wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>>>>
>>>>>>>> I have installed ezjail from ports and properly
>>>>>>>> configured a jail with its own static and dedicated
>>>>>>>> IP address. Everything works good, it's just that I
>>>>>>>> have an application which requires to talk to another
>>>>>>>> one via RPC on IP 127.0.0.1, and I have noticed the
>>>>>>>> jail does not have a lo0 interface or localhost
>>>>>>>> 127.0.0.1 IP address.
>>>>>>>>
>>>>>>>> This is bad because the application has no choice
>>>>>>>> but to bind to the public IP address assigned to the
>>>>>>>> jail, and it's not safe.
>>>>>>>>
>>>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a
>>>>>>>> jail?
>>>>>>>>
>>>>>>>> Thanks in advance.
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-jail@freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>>>>> To unsubscribe, send any mail to
>>>>>>>> "freebsd-jail-unsubscribe@freebsd.org"
>>>>>>>>
>>>>>>
>>>>>>> Does it have to be 127.0.0.1? You can add an alias
>>>>>>> like 127.0.0.2 to the lo0 interface and use that.
>>>>>>
>>>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the
>>>>>>> jail.
>>>>>>
>>>>>>> Using ezjail, you can also allocate more than 1 IP
>>>>>>> address to a jail by comma separating them
>>>>>>
>>>>>>> You can also make it automatically alias the IPs for
>>>>>>> you with the syntax:
>>>>>>
>>>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>>>>
>>>>>>
>>>>>> Thank you Allan for your fast reply.
>>>>>>
>>>>>> I have the jail already created via: # ezjail-admin
>>>>>> create
>>>>>>
>>>>>> How do I modify the already existing jail to have
>>>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1
>>>>>> in the jail?
>>>>>>
>>>>>
>>>>> Stop the jail, and then edit
>>>>> /usr/local/etc/ezjail/jail_name
>>>>>
>>>>> and change the line that defines the IPs
>>>>>
>
>> Thank you it works, with 127.0.0.2
>
>> If I try to add 127.0.0.1 will this create any conflicts with
>> the host or will it work? Because I have something important
>> listening on host's 127.0.0.1 and don't want to mess up. I would
>> need the same configuration within the jail also, so that's why I
>> need the .1 localhost IP.
>
>
> Hey Jason
>
> Thanks for your suggestion. Can you please elaborate a little bit
> and tell me how can I do this step by step? I have an already
> installed system with ezjail and already created one jail - how can
> I add VIMAGE to have virtual network stack in each jail without
> having to reinstall the host or the jails? Thank you, looking
> forward for your reply.
>
>
> Thank you.

-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
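
Added example, not part of the original message or of ezjail: the address-list syntax quoted in the thread (em0|192.168.0.10,lo0|127.0.0.2) can be checked before a jail is started, so a local RPC listener neither falls back to the public address nor reuses 127.0.0.1 on a stack shared with the host. The function name audit_jail_ips, its verdict words and the policy itself are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ezjail-style IP list,
# "iface|addr,iface|addr", for a non-VIMAGE jail that shares the host stack.
# Policy assumed here: the jail should own a loopback alias other than
# 127.0.0.1, so local RPC neither lands on the public address nor reuses
# the address the host's own services listen on.

# audit_jail_ips LIST -> prints one verdict; exit status 0 only for "ok"
#   ok               a loopback alias other than 127.0.0.1 is present
#   shared-loopback  the only loopback entry is 127.0.0.1
#   no-loopback      no 127.0.0.0/8 entry at all
#   malformed        empty list, or an entry with an empty interface/address
audit_jail_ips() {
    list=$1 private=0 shared=0
    old_ifs=$IFS; IFS=,
    set -f; set -- $list; set +f      # split on commas, no globbing
    IFS=$old_ifs
    [ $# -gt 0 ] || { echo malformed; return 2; }
    for entry in "$@"; do
        case $entry in
            *'|'*) iface=${entry%%'|'*} addr=${entry#*'|'} ;;
            *)     iface=none addr=$entry ;;   # bare address, no alias hint
        esac
        if [ -z "$iface" ] || [ -z "$addr" ]; then
            echo malformed; return 2
        fi
        case $addr in
            127.0.0.1) shared=1 ;;
            127.*)     private=1 ;;
        esac
    done
    if [ "$private" -eq 1 ]; then echo ok; return 0; fi
    if [ "$shared" -eq 1 ]; then echo shared-loopback; return 1; fi
    echo no-loopback; return 1
}

# Constructed sample lists (192.0.2.10 is a documentation address).
if [ "${1:-}" = demo ]; then
    for l in 'em0|192.0.2.10' 'em0|192.0.2.10,lo0|127.0.0.1' \
             'em0|192.0.2.10,lo0|127.0.0.2'; do
        printf '%-32s %s\n' "$l" "$(audit_jail_ips "$l")"
    done
fi
```

Run it with the argument demo to print the verdict for the three constructed lists.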