Date: Fri, 24 Aug 2018 13:35:59 +0100
From: Norman Gray <norman.gray@glasgow.ac.uk>
To: Alejandro Imass <aimass@yabarana.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Jails and networks
Message-ID: <D620F21E-566B-420A-AB88-0207E21F2B14@glasgow.ac.uk>
In-Reply-To: <CAHieY7TVruoxm4M46DgZ1CLOr6x9OyDyeKEKfj7B3mW+Zjk1tw@mail.gmail.com>
References: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk> <CAHieY7TVruoxm4M46DgZ1CLOr6x9OyDyeKEKfj7B3mW+Zjk1tw@mail.gmail.com>
Alejandro, hello.

On 23 Aug 2018, at 23:18, Alejandro Imass wrote:

> If you are using ezjail then use ezjail-admin or
> /usr/local/etc/rc.d/ezjail start xxxx
>
> I.e. if ezjail is managing your jails then use ezjail admin and avoid any
> jail specific commands except for jls

Thanks for this advice. However I don't think this is the root of my problem.

I can do:

    # ezjail-admin create -c zfs norman 'lo1|127.0.1.1,igb0|192.168.11.128'
    # ezjail-admin onestart norman
    # ezjail-admin console norman

I can still see, inside the jail console,

    igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
            ether a4:bf:01:26:7d:b1
            hwaddr a4:bf:01:26:7d:b1
            inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            groups: lo
    lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
            inet 127.0.1.1 netmask 0xffffffff

which look right, but

    # host www.freebsd.org
    ;; connection timed out; no servers could be reached
    #

So something is still amiss with the networking inside the jail, or the way I've set up networking outside of the jail (nothing exotic at all as far as I'm aware), and I'm at a loss as to what it might be, or how to debug it. There's something important about jail networking that I'm not understanding, but I haven't a clue what it is. Most frustrating.

The only thing that's at all odd about the networking context is that the host machine is on a locally-routable private network within 172.16.0.0/12, but I can't see how that would make any difference.

----

On the question of 'ezjail-admin start' vs /usr/sbin/jail...
I'd switched to starting jails with /usr/sbin/jail partly because I'd formed the impression that ezjail could be used as a convenient way of doing the fiddly and error-prone work of assembling jails, but that the jails were standard enough that they could be managed thereafter with the standard tool. This impression may of course be wrong in an illuminating way.

If true, that's a nice place to be, since 'ezjail-admin create' is doing work that I basically understand but would do less well, but there's no extra magic that 'ezjail-admin start' is doing. I'm all for minimising magic.

Also, it seems that there's at least some incompatibility between current ezjail (3.4.2) and 11.2 jails. ezjail-admin starts jails using the four-argument call to /usr/sbin/jail, which means that /etc/jail.conf is ignored. `jail` produces a warning in this case, that this is an 'obsolete' way of starting a jail; the jail(8) manpage doesn't say 'obsolete', but does mention this call as being present 'for backward compatibility'. That is:

    # ezjail-admin onestart norman
    Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is created and used for jail norman.
    /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.

Further, [1] mentions that:

> With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails
> with ezjail-admin is no longer possible. It's required to have jails
> defined in /etc/jail.conf. We can still use ezjail-admin to set them
> up.

I don't know about the 'no longer possible', but this suggests at least some dislocation between ezjail and 11.x.

But my main goal is minimising the amount of magic I don't understand.

[1] https://forums.freebsd.org/threads/howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063/

> How do you know your jails can't access the Internet ?
>
> ping and some network commands are restricted in jails but can try wget or
> curl to test. Or maybe pkg update to test

Good point, but yes, I'm already aware that ping needs raw sockets so won't work within a jail by default, so I was testing this with dns lookups (calling 'host'). They just time out.

Best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
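The message above notes that ezjail-admin onestart still drives the jail through the obsolete jail_* variables, which is why /etc/rc.d/jail warns and why /etc/jail.conf is ignored. As an added example (not ezjail's generated configuration and not from the thread), this is a hand-written /etc/jail.conf stanza equivalent to the ezjail-admin create line quoted earlier. The jail directory and fstab locations are ezjail's defaults and are assumed here, not taken from the message.

```conf
# /etc/jail.conf: hand-written equivalent of the ezjail-managed jail
# 'norman'.  Paths are ezjail's defaults (assumed, not from the thread).
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset = 4;          # devfsrules_jail from /etc/defaults/devfs.rules

norman {
    host.hostname = "norman";
    path = "/usr/jails/norman";           # ezjail's default jail directory
    mount.fstab = "/etc/fstab.norman";    # ezjail's nullfs mount of the basejail
    # Same addresses as the ezjail-admin create line.  Each alias is added
    # to the named interface when the jail starts and removed when it stops;
    # the jail has no routing table of its own and uses the host's.
    ip4.addr = "lo1|127.0.1.1", "igb0|192.168.11.128";
    # allow.raw_sockets = 1;  # opt in only while debugging, so that ping works
}
```

With this in place the jail is started and stopped with `jail -c norman` and `jail -r norman`, and `sysrc jail_enable=YES jail_list=norman` lets /etc/rc.d/jail do the same at boot. Pick one mechanism per jail: ezjail-admin onestart writes its own /var/run/jail.norman.conf, and running both against the same jail name invites duplicate aliases and confusing state.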
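The DNS timeout described at the top of the message is the kind of thing that is easier to reason about once one remembers that a jail with the default shared network stack has no routing table of its own: it borrows the host's, so a query leaves with the jail's alias as source and the reply must be routed back to the host's interface by the LAN. The script below is an added example, not code from the thread. Its first half is a pure check that tells you whether a jail alias sits on a subnet the host is already on (if not, the LAN needs a route back to it or the host must NAT it); its second half is a live checklist using jls, jexec, netstat and tcpdump. The host address 172.20.4.17 and the sample ifconfig lines are constructed for illustration and are not from the message.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Checks for a shared-stack
# jail whose DNS lookups time out.  Host-side addresses below are constructed.

# ip2int DOTTED: print the IPv4 address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET MASK: succeed when ADDR lies in NET/MASK, where MASK is
# ifconfig's hexadecimal form (0xffffff00 for a /24).
in_subnet() {
    a=$(ip2int "$1")
    n=$(ip2int "$2")
    m=$(( $3 ))
    [ $(( a & m )) -eq $(( n & m )) ]
}

# host_covers_jail JAILADDR IFCONFIG_TEXT: succeed when one of the host's own
# inet lines covers JAILADDR.  /32 lines are skipped: every jail alias is
# itself a /32 (netmask 0xffffffff, as in the ifconfig output in the thread)
# and so proves nothing about what the LAN can route.
host_covers_jail() {
    jail=$1
    found=1
    while read -r kw addr nm mask rest; do
        [ "$kw" = inet ] || continue
        [ "$mask" = 0xffffffff ] && continue
        if in_subnet "$jail" "$addr" "$mask"; then
            found=0
            break
        fi
    done <<EOF
$2
EOF
    return $found
}

# Constructed host-side ifconfig lines (assumed, not from the thread): the
# host's real address on igb0, which is not visible inside the jail, plus the
# jail's /32 alias that the jail does see.
HOST_INET="inet 172.20.4.17 netmask 0xffffff00 broadcast 172.20.4.255
inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128"

if host_covers_jail 192.168.11.128 "$HOST_INET"; then
    echo "192.168.11.128 is on a subnet the host already sits on"
else
    echo "192.168.11.128 is only a /32 alias: the LAN needs a route back" \
         "to it, or the host must NAT the jail (e.g. with pf)"
fi

# Live checks on a FreeBSD host (needs jls/jexec; not run by the demo above).
# Usage: sh thisscript.sh diagnose norman igb0
diagnose_jail() {
    name=$1
    ifn=$2
    echo "addresses the kernel gave the jail:"
    jls -j "$name" ip4.addr
    echo "resolver the jail will try:"
    jexec "$name" cat /etc/resolv.conf
    echo "routing table the jail shares with the host:"
    netstat -rn -f inet
    echo "port-53 traffic during a lookup: a query with no reply points at the"
    echo "return path; no query at all points at the resolver configuration:"
    tcpdump -ni "$ifn" port 53 &
    tpid=$!
    jexec "$name" host -W 3 www.freebsd.org || true
    sleep 1
    kill "$tpid" 2>/dev/null
    wait "$tpid" || true
}

if [ "${1-}" = diagnose ]; then
    diagnose_jail "$2" "$3"
fi
```

Reading the tcpdump output is the decisive step: a query leaving igb0 with source 192.168.11.128 and no answer coming back means the problem is outside the jail (the resolver or the LAN cannot route to that address); no query at all means the jail's /etc/resolv.conf or the jail's address assignment is wrong.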