Date:      Fri, 24 Aug 2018 13:35:59 +0100
From:      Norman Gray <norman.gray@glasgow.ac.uk>
To:        Alejandro Imass <aimass@yabarana.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Jails and networks
Message-ID:  <D620F21E-566B-420A-AB88-0207E21F2B14@glasgow.ac.uk>
In-Reply-To: <CAHieY7TVruoxm4M46DgZ1CLOr6x9OyDyeKEKfj7B3mW%2BZjk1tw@mail.gmail.com>
References:  <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk> <CAHieY7TVruoxm4M46DgZ1CLOr6x9OyDyeKEKfj7B3mW%2BZjk1tw@mail.gmail.com>


Alejandro, hello.

On 23 Aug 2018, at 23:18, Alejandro Imass wrote:

> If you are using ezjail then use ezjail-admin or
> /usr/local/etc/rc.d/ezjail start xxxx
>
> I.e. if ezjail is managing your jails then use ezjail admin and avoid any
> jail specific commands except for jls

Thanks for this advice.  However I don't think this is the root of my problem.  I can do:

     # ezjail-admin create -c zfs norman 'lo1|127.0.1.1,igb0|192.168.11.128'
     # ezjail-admin onestart norman
     # ezjail-admin console norman

I can still see, inside the jail console,

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether a4:bf:01:26:7d:b1
	hwaddr a4:bf:01:26:7d:b1
	inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	groups: lo
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.1.1 netmask 0xffffffff

which look right, but

     # host www.freebsd.org
     ;; connection timed out; no servers could be reached
     #

So something is still amiss with the networking inside the jail, or the way I've set up networking outside of the jail (nothing exotic at all as far as I'm aware), and I'm at a loss as to what it might be, or how to debug it.

There's something important about jail networking that I'm not understanding, but I haven't a clue what it is.  Most frustrating.

The only thing that's at all odd about the networking context is that the host machine is on a locally-routable private network within 172.16.0.0/12, but I can't see how that would make any difference.

----

On the question of 'ezjail-admin start' vs /usr/sbin/jail...

I'd switched to starting jails with /usr/sbin/jail partly because I'd formed the impression that ezjail could be used as a convenient way of doing the fiddly and error-prone work of assembling jails, but that the jails were standard enough that they could be managed thereafter with the standard tool.  This impression may of course be wrong in an illuminating way.

If true, that's a nice place to be, since 'ezjail-admin create' is doing work that I basically understand but would do less well, but there's no extra magic that 'ezjail-admin start' is doing.  I'm all for minimising magic.

Also, it seems that there's at least some incompatibility between current ezjail (3.4.2) and 11.2 jails.  ezjail-admin starts jails using the four-argument call to /usr/sbin/jail, which means that /etc/jail.conf is ignored.  `jail` produces a warning in this case, that this is an 'obsolete' way of starting a jail; the jail(8) manpage doesn't say 'obsolete', but does mention this call as being present 'for backward compatibility'.

That is:

     # ezjail-admin onestart norman
     Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is created and used for jail norman.
     /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.

Further, [1] mentions that:

> With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails with ezjail-admin is no longer possible. It's required to have jails defined in /etc/jail.conf. We can still use ezjail-admin to set them up.

I don't know about the 'no longer possible', but this suggests at least some dislocation between ezjail and 11.x.

But my main goal is minimising the amount of magic I don't understand.

[1] https://forums.freebsd.org/threads/howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063/

> How do you know your jails can’t access the Internet ?
>
> ping and some network commands are restricted in jails but can try wget or
> curl to test. Or maybe pkg update to test

Good point, but yes, I'm already aware that ping needs raw sockets so won't work within a jail by default, so I was testing this with DNS lookups (calling 'host').  They just time out.

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
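Since the four-argument jail call that ezjail-admin uses bypasses /etc/jail.conf, here is what the jail described in the message above would look like as a jail.conf stanza. This is an added example, not something from the thread or from ezjail itself; the jail root path and the fstab location follow ezjail's usual defaults and are assumptions, as is the devfs ruleset.

```conf
# /etc/jail.conf (added example; path, fstab and ruleset are assumed defaults)
# Defaults shared by every jail defined in this file
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;                   # start rc with a clean environment
mount.devfs;                  # the jail needs /dev ...
devfs_ruleset = 4;            # ... restricted to devfsrules_jail, not the host's full device set (assumption)
path = "/usr/jails/$name";    # ezjail's usual jail root (assumption)

norman {
    host.hostname = "norman";
    # Same interface|address pairs as the 'ezjail-admin create' line above;
    # the /32 makes the host netmask explicit, matching the ifconfig output.
    ip4.addr = "lo1|127.0.1.1/32", "igb0|192.168.11.128/32";
    ip6 = "disable";
    mount.fstab = "/etc/fstab.norman";   # where ezjail keeps the basejail mounts (assumption)
    # Start and stop with: service jail onestart norman / service jail onestop norman
    # (or jail -c norman / jail -r norman). The stanza does not provide a resolver:
    # the jail's own etc/resolv.conf must name a nameserver reachable from
    # 192.168.11.128 or 127.0.1.1; one bound only to the host's 127.0.0.1 is not.
}
```

With the jail defined here, `jail -f /etc/jail.conf -c norman` starts it with the same addresses but without the 'obsolete' warning from the jail_* variables path.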


