From: Norman Gray <Norman.Gray@glasgow.ac.uk>
To: Alejandro Imass
CC: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Jails and networks
Date: Fri, 24 Aug 2018 13:35:59 +0100
References: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>

Alejandro, hello.

On 23 Aug 2018, at 23:18, Alejandro Imass wrote:

> If you are using ezjail then use ezjail-admin or
> /usr/local/etc/rc.d/ezjail start xxxx
>
> I.e.
> if ezjail is managing your jails then use ezjail admin and avoid
> any jail specific commands except for jls

Thanks for this advice. However I don't think this is the root of my problem. I can do:

    # ezjail-admin create -c zfs norman 'lo1|127.0.1.1,igb0|192.168.11.128'
    # ezjail-admin onestart norman
    # ezjail-admin console norman

I can still see, inside the jail console,

    igb0: flags=8843 metric 0 mtu 1500
        options=6403bb
        ether a4:bf:01:26:7d:b1
        hwaddr a4:bf:01:26:7d:b1
        inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
        media: Ethernet autoselect (1000baseT )
        status: active
    lo0: flags=8049 metric 0 mtu 16384
        options=600003
        groups: lo
    lo1: flags=8049 metric 0 mtu 16384
        options=600003
        inet 127.0.1.1 netmask 0xffffffff

which look right, but

    # host www.freebsd.org
    ;; connection timed out; no servers could be reached
    #

So something is still amiss with the networking inside the jail, or the way I've set up networking outside of the jail (nothing exotic at all as far as I'm aware), and I'm at a loss as to what it might be, or how to debug it. There's something important about jail networking that I'm not understanding, but I haven't a clue what it is. Most frustrating.

The only thing that's at all odd about the networking context is that the host machine is on a locally-routable private network within 172.16.0.0/12, but I can't see how that would make any difference.

----

On the question of 'ezjail-admin start' vs /usr/sbin/jail...

I'd switched to starting jails with /usr/sbin/jail partly because I'd formed the impression that ezjail could be used as a convenient way of doing the fiddly and error-prone work of assembling jails, but that the jails were standard enough that they could be managed thereafter with the standard tool. This impression may of course be wrong in an illuminating way.
If true, that's a nice place to be, since 'ezjail-admin create' is doing work that I basically understand but would do less well, but there's no extra magic that 'ezjail-admin start' is doing. I'm all for minimising magic.

Also, it seems that there's at least some incompatibility between current ezjail (3.4.2) and 11.2 jails. ezjail-admin starts jails using the four-argument call to /usr/sbin/jail, which means that /etc/jail.conf is ignored. `jail` produces a warning in this case, that this is an 'obsolete' way of starting a jail; the jail(8) manpage doesn't say 'obsolete', but does mention this call as being present 'for backward compatibility'. That is:

    # ezjail-admin onestart norman
    Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is created and used for jail norman.
    /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.

Further, [1] mentions that:

> With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails
> with ezjail-admin is no longer possible. It's required to have jails
> defined in /etc/jail.conf. We can still use ezjail-admin to set them
> up.

I don't know about the 'no longer possible', but this suggests at least some dislocation between ezjail and 11.x. But my main goal is minimising the amount of magic I don't understand.

[1] https://forums.freebsd.org/threads/howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063/

> How do you know your jails can't access the Internet ?
>
> ping and some network commands are restricted in jails but can try
> wget or
> curl to test. Or maybe pkg update to test

Good point, but yes, I'm already aware that ping needs raw sockets so won't work within a jail by default, so I was testing this with DNS lookups (calling 'host'). They just time out.

Best wishes,

Norman

-- 
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
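Two things in the message above lend themselves to a worked script: the rc.d warning that asks for the per-jail configuration to migrate to /etc/jail.conf, and the question of how to find out why name lookups from a jail time out when the interfaces look right. The shell script below is an added example written for this page; it is not from the thread, from ezjail or from FreeBSD. It assumes ezjail's default jail root of /usr/jails/<name>, the jail name and addresses quoted above, jls(8), jexec(8), route(8) and nc(1) from the FreeBSD base system, and jail.conf's `interface|address/prefix` form for ip4.addr as described in jail(8). The first part converts ezjail's `iface|addr,iface|addr` spec into a jail.conf stanza; the second collects the facts that decide the DNS question for a non-VNET jail: its network parameters, the resolvers listed inside it, the host's route to each, and a TCP/53 probe run from inside the jail (no raw sockets needed, unlike ping).

```shell
#!/bin/sh
# jail-netcheck.sh: added example, not from this thread, ezjail or FreeBSD.
# Assumptions: jail root at /usr/jails/<name> (ezjail's default layout) and
# jls(8), jexec(8), route(8) and nc(1) from the FreeBSD base system.

# ---- 1. ezjail interface spec -> jail.conf(5) ---------------------------

# 'lo1|127.0.1.1,igb0|192.168.11.128'
#   -> ip4.addr = "lo1|127.0.1.1/32", "igb0|192.168.11.128/32";
# ezjail configures each address with a host mask (netmask 0xffffffff in
# the ifconfig output above), so /32 is made explicit unless a prefix is given.
ezjail_ips_to_jailconf() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            addr = $i
            if (addr !~ /\//) addr = addr "/32"
            out = out (i > 1 ? ", " : "") "\"" addr "\""
        }
        printf "ip4.addr = %s;\n", out
    }'
}

# Emit a complete stanza: jailconf_stanza <name> <ezjail ipspec> [path]
# allow.raw_sockets is left at its default (off): that is why ping fails in a
# stock jail, while host(1) uses ordinary UDP/TCP sockets and is unaffected.
jailconf_stanza() {
    name=$1 spec=$2 path=${3:-/usr/jails/$1}
    printf '%s {\n' "$name"
    printf '    path = "%s";\n' "$path"
    printf '    host.hostname = "%s";\n' "$name"
    printf '    %s\n' "$(ezjail_ips_to_jailconf "$spec")"
    printf '    exec.start = "/bin/sh /etc/rc";\n'
    printf '    exec.stop = "/bin/sh /etc/rc.shutdown";\n'
    printf '    mount.devfs;\n'
    printf '}\n'
}

# ---- 2. why do lookups time out? ----------------------------------------

# Nameserver addresses from a resolv.conf(5), one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# True for a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1; exit }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) { bad = 1; exit } }
        END { exit bad }'
}

# A jail without vnet shares the host's network stack and routing table, so
# the host's route to a resolver is the jail's route too; the probe itself
# runs inside the jail so that it uses the jail's bound addresses.
probe_resolvers() {
    jail=$1 conf=/usr/jails/$1/etc/resolv.conf
    [ -r "$conf" ] || { echo "no resolv.conf for jail $jail at $conf" >&2; return 1; }
    resolv_nameservers "$conf" | while read -r ns; do
        if ! valid_ipv4 "$ns"; then
            echo "skipping non-IPv4 nameserver: $ns"
            continue
        fi
        echo "route to $ns: $(route -n get "$ns" 2>/dev/null | grep -E 'gateway|interface' | tr -s ' \n' ' ')"
        # host(1) tries UDP first, but resolvers normally answer TCP as well,
        # and a TCP connect needs no raw sockets.
        if jexec "$jail" nc -z -w 3 "$ns" 53 2>/dev/null; then
            echo "  TCP/53 to $ns reachable from inside $jail"
        else
            echo "  TCP/53 to $ns NOT reachable from inside $jail"
        fi
    done
}

diagnose() {
    echo "--- jail parameters"; jls -j "$1" name ip4.addr vnet allow.raw_sockets
    echo "--- addresses inside the jail"; jexec "$1" ifconfig -a | grep -E '^[a-z0-9]+:|inet '
    echo "--- resolver probes"; probe_resolvers "$1"
}

# Usage on the host: sh jail-netcheck.sh norman
# Stanza only:       sh -c '. ./jail-netcheck.sh; jailconf_stanza norman "lo1|127.0.1.1,igb0|192.168.11.128"'
[ $# -eq 0 ] || diagnose "$1"
```

If the resolver entries are correct and the TCP/53 probe succeeds from inside the jail, the problem is not reachability of the resolver from the jail's address and attention moves to the resolver itself (a split-horizon or access-controlled server on the 172.16.0.0/12 network would answer the host but not 192.168.11.128); if the probe fails while the host's route to the resolver looks right, the jail's bound address is the thing to check, since that is the only network-level difference between the host and a non-VNET jail.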