From owner-cvs-src@FreeBSD.ORG Thu Sep 25 06:00:22 2008 Return-Path: Delivered-To: cvs-src@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 83697106568F; Thu, 25 Sep 2008 06:00:22 +0000 (UTC) (envelope-from ru@freebsd.org) Received: from mail.vega.ru (infra.dev.vega.ru [90.156.167.14]) by mx1.freebsd.org (Postfix) with ESMTP id 2B8A18FC14; Thu, 25 Sep 2008 06:00:20 +0000 (UTC) (envelope-from ru@freebsd.org) Received: from [87.242.97.68] (port=54512 helo=edoofus.dev.vega.ru) by mail.vega.ru with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68 (FreeBSD)) (envelope-from ) id 1KijGu-0004Xs-Kr; Thu, 25 Sep 2008 05:20:12 +0000 Date: Thu, 25 Sep 2008 09:20:04 +0400 From: Ruslan Ermilov To: freebsd-jail@freebsd.org Message-ID: <20080925052004.GB76968@edoofus.dev.vega.ru> References: <200809241525.m8OFPifi095256@repoman.freebsd.org> <20080924181315.S65801@maildrop.int.zabbadoz.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080924181315.S65801@maildrop.int.zabbadoz.net> Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/etc/rc.d jail src/share/man/man5 rc.conf.5 X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Sep 2008 06:00:22 -0000 Hi Bjoern, On Wed, Sep 24, 2008 at 06:34:53PM +0000, Bjoern A. Zeeb wrote: > On Wed, 24 Sep 2008, Ruslan Ermilov wrote: > > > ru 2008-09-24 15:18:27 UTC > > > > FreeBSD src repository > > > > Modified files: > > etc/rc.d jail > > share/man/man5 rc.conf.5 > > Log: > > SVN rev 183325 on 2008-09-24 15:18:27Z by ru > > > > Allow a jail's IP alias to be created with an arbitrary netmask. > > So I had been talking with various people during the last weeks/months > about this feature of configuring an interface from rc.d/jail and I > had been >< close to remove it a lot of times but it seems people > prefer to actually mix network configuration, management and jail > startup/teardown in a single script, which I think is a very > questionable thing especially considering that we already had an > SA for[1] that script for other means. > > So you now I have v4/v6/multi/no-IP jails and once the next vimage > step is in I plan to have it hit the tree and I am currently > integrating a patch that would even have allow the ifconfig to work with > multiple IPv4/v6 addresses because up to now I decided to leave this > feature in. > > Now adding a netmask only makes sense for exactly one use case to my > understanding and this is not going to play well with whatever will > hit the tree. > At work, we use ezjail as a management tool for jails. We want our jails to be moveable between a set of hosts, so a jail's IP doesn't necessarily belong to host X at any given time. With the netmask in rc.d/jail hardcoded to 255.255.255.255, we have to configure a host's interface with IP addresses/netmasks corresponding to jails' IPs (and we have different IP networks). In practice this means we waste real IPs for nothing -- for a host with a single jail we waste one real IP address. To picture it: on a host that's not otherwise configured with 192.168.0 addresses, to up a jail with 192.168.0.13 we have to waste one more address from 192.168.0, e.g. 192.168.0.1, for the host to be able to route packets between 192.168.0.13 and 192.168.0.*. > Adding yet another variable to rc.conf to control another question > knob is something, as I hate to say, I am no longer going to be ok > with (this has nothhing to do with you or that it might be needed in a > setup). > > My suggestion would be, that if we want thos features to add > them separately doing a superset of the startup script or something > just for this and actualy use network.subr or the like to set it up > but keep the list of IP/Netmasks kind of separated from options for > the jail(8) command. > > In worst case stomething like this (read the BUT later) and have a > jail_example_ipv4_alias0="192.0.2.1/24" > jail_example_ipv4_alias1="192.0.2.2/32" > jail_example_ipv4_alias2="192.0.2.2 netmask 255.255.255.255" > jail_example_ipv6_alias0="2001:dbe::1" > jail_example_ipv6_alias1="2001:dbe::2/128" > and then have a single knob > jail_example_configure_ips_on_interfaces="NO" > and still use the above list create the jail(8) argument if you want > it like that. > > BUT wait the above is not going to work out as I am missing the > interface for each alias instance. > We need a full interface X af X address X netmask tupple with each > entry and a defined order per AF as the first IP will be specially > treated. > > That's why I am saying networking is networking and jails are jails > and to combine both you need a management app/script/... as it is > too many options/knobs/... > > FYI for the multi-IP jails (without this feature) I didn't even have > to think about the startup script as it would just have continued to > work. Adding no-IP support I had to change an exit case to _foo="\"\"" > in rc.d/jail. > > With supporting the ifconfig you need to a a few more lines. > > With the netmasks I still have no idea where we'll end up. > > I suggest we once and for all discuss this on freebsd-jail, decide > how to continue with this feature. I am Cc:ing and setting Reply-to: > > > MFC after: 3 days > > I would kindly ask you to hold back an MFC into 7 until there is a > conclusion. > I'd be happy with anything that allowed us NOT to waste IP addresses, preferably in FreeBSD 7.1. I have a solution that involves having static routes (in the example above, I'd add a route to 192.168.0/24 over some Ethernet interface that's equivalent to saying to resolve these IPs using ARP on this interface), but it's not ideal as I don't want these addresses to be accessible/resolvable when a host doesn't have configured IPs in this range. Cheers, -- Ruslan Ermilov ru@FreeBSD.org FreeBSD committer