Delivered-To: freebsd-questions@freebsd.org
From: Patrick
To: Alejandro Imass
Cc: Frank Leonhardt, FreeBSD Questions
Subject: Re: Jail with public IP alias
Date: Wed, 28 Aug 2013 11:42:16 -0700
List-Id: User questions
On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
>> On 28/08/2013 00:19, Patrick wrote:
>>>
>>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass
>>> wrote:
>>>>
>
> [...]
>
>>
>> (Tidied up so all now bottom posted)
>>
>> I can confirm that you shouldn't be seeing this behaviour because I don't. I
>> don't use EzJail - I prefer "vi". Seriously, setting up a jail is very
>> straightforward anyway, and when I tried ezjail I found it was doing stuff I
>> didn't like, so dropped it early on. It was a long time ago and I've
>> forgotten the specifics.
>>
>> I guess if you're using it you're new to this particular game, so please
>> excuse me pointing out a few basics here.
>>
>
> We use Ezjail not because it's easy or because we're new to jails, I
> think you might be confused on what EzJail actually is and why people
> use it. We use it because we manage a private cloud exclusively based
> on FBSD with about a dozen servers with a couple dozen jails each. I
> use EzJail because it allows us to manage just shy of 300 separate
> environments with only a couple of sysadmins, and with optimized
> system resources. We use it because IT ROCKS.
>
>> Although I can't exactly see how this would cause a problem, remember that
>> many services will bind to ALL IP addresses when they start up, and if they
>
> [...]
>
>> I can't see a mechanism that would get the results you're seeing, but I
>> don't know what ezjail might be doing. I suspect your problem is with ezjail
>> or something bizarre on your network config; can you try it manually?
>
> After my OP I immediately sent out a second mail stating that the
> problem is not with Jails or EzJail and it's related to the way that
> aliases behave on a network interface card.
> When you have aliases that
> are on the same subnet, the source IP is the primary IP, that is the
> first IP set on that network device. You can test this without jails
> with a simple ssh connection to another server and then typing who.
> Even if you force ssh to bind to a particular IP using -b it will
> still show the primary IP. If you have aliases on different subnets
> this will not happen.

I don't think that's true though in the case of jails. On the host
system, yes, but when a jail is bound to a particular IP, outbound
connections originate from that bound IP. At least they do for me in
all of my experience. Still wondering if you're using NAT with your
jails, as that could change things.

(FWIW, we use ezjail as well. It doesn't do anything special except
make having lots of jails easy and lightweight.)

Patrick