From owner-freebsd-questions@FreeBSD.ORG Thu Aug 29 00:58:37 2013
From: Alejandro Imass
To: Patrick
Cc: Frank Leonhardt, FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Wed, 28 Aug 2013 20:58:30 -0400
Subject: Re: Jail with public IP alias
References: <521DC5EC.1010701@fjl.co.uk>
List-Id: User questions <freebsd-questions@freebsd.org>
On Wed, Aug 28, 2013 at 2:42 PM, Patrick wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
>>> On 28/08/2013 00:19, Patrick wrote:
[...]
> I don't think that's true though in the case of jails. On the host
> system, yes, but when a jail is bound to a particular IP, outbound
> connections originate from that bound IP. At least they do for me in
> all of my experience. Still wondering if you're using NAT with your
> jails, as that could change things.
>

Nope, no NAT. I verified what you said using the aliases on lo0 and it does in fact use the correct private IP, and that is, well, no surprise, because we rarely have jails with actual public IPs, so I hadn't noticed this strange behaviour before.

Actually, not so strange once you understand what's going on: it doesn't work the same using the public IP because the public IP goes through a gateway, so it's a different case. In that case it will use the "primary" IP assigned to the device in the subnet that goes through that routing rule.

You can test this if you want, but you will need to re-create a scenario where you have multiple IPs assigned to a physical network card that route through a common gateway. In this case, it will use only the primary IP assigned to the network card. If you actually test it you will see it's not a jail issue; it simply works that way, and it will be consistent in a jail or on the base system. The only ways to fix this are either through the routing table or source address re-writing with IPFW or similar.

> (FWIW, we use ezjail as well. It doesn't do anything special except
> make having lots of jails easy and lightweight.)
>

It does a lot more than that!
We use flavours and have pre-loaded environments for easy deployment, much like people use VMware. For example, we do a lot of development in Catalyst and it takes forever to install a working Catalyst env, which we only have to do once, and then we create Cat-flavoured jails in minutes. We also archive and re-instantiate jails on other servers, or add more capacity in an existing env just by archiving and creating a clone jail on another server. So basically with ezjail we have our own cloud-type environment, but running on the real hardware and with much more granular control. We also use Amazon AWS, but not for anything that's core to the company.

We do a ton of other stuff that relies on ezjail's tools, for example update one jail to test and then simply re-create that one to replace all the others. Plain old jails will do the same thing for sure, but if you manage hundreds you'll probably wind up re-inventing ezjail in the first place.

Best,

--
Alejandro Imass
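The source-address question argued in this thread (does an outbound connection leave with the jail's alias or with the interface's primary address?) is something you can measure rather than reason about. The following is an added example, not code from the thread or from the ezjail project: it uses the standard "connect a UDP socket, then read getsockname()" trick, which sends no packet but makes the kernel perform the same route lookup and source-address selection it would for real traffic. Run it unbound on the host, then inside the jail (for instance via jexec), and then with bind_ip set to the jail's alias, and compare the three answers. The loopback addresses in main() are only there so it runs offline; the public addresses in the comments are hypothetical placeholders.

```python
"""Show which local address the kernel picks for a given destination.

Added example, not from the FreeBSD mailing-list thread.  Two behaviours
are demonstrated:

  * unbound socket  -> the kernel chooses the source address from the
    route to the destination (the "primary" address of the outgoing
    interface, which is what the thread is about);
  * bound socket    -> the application pins the source address itself,
    which only works if that address is configured on the host (or is
    visible inside the jail); otherwise bind() fails with OSError.

All addresses used here are either loopback (so the script runs offline)
or documentation/placeholder ranges marked as hypothetical.
"""
import socket
from typing import Optional


def source_address_for(dest_ip: str, bind_ip: Optional[str] = None,
                       dest_port: int = 53) -> str:
    """Return the IPv4 source address the kernel would use to reach dest_ip.

    connect() on a UDP socket does not transmit anything; it only fixes the
    peer and lets the kernel select the local address, which getsockname()
    then reveals.  With bind_ip given, the socket is bound first, so the
    result is bind_ip whenever that address exists locally; an address that
    is not configured on this host raises OSError (EADDRNOTAVAIL).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_ip is not None:
            sock.bind((bind_ip, 0))          # explicit source, app-side fix
        sock.connect((dest_ip, dest_port))   # no packet leaves the host
        return sock.getsockname()[0]
    finally:
        sock.close()


def compare(dest_ip: str, expected_src: str) -> bool:
    """True if the kernel's default choice already matches expected_src.

    On a host with several aliases on one NIC, a False result means a
    program that does not bind() will leave with a different address than
    the one the jail was given, which is the behaviour described above.
    """
    return source_address_for(dest_ip) == expected_src


def main() -> None:
    # Offline demonstration on loopback.  On a real FreeBSD host replace
    # these with, e.g., the default gateway as dest_ip and the jail's alias
    # as bind_ip (hypothetical values: "198.51.100.1" and "203.0.113.12").
    print("kernel default :", source_address_for("127.0.0.1"))
    print("explicit bind  :", source_address_for("127.0.0.1", bind_ip="127.0.0.1"))
    print("default matches:", compare("127.0.0.1", "127.0.0.1"))


if __name__ == "__main__":
    main()
```

If the unbound call inside the jail reports the interface's primary address while the bound call reports the alias, the effect is confirmed for that host, and the fix has to come from the routing table, from IPFW source rewriting, or from the application binding explicitly, exactly as the reply suggests.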