From owner-freebsd-questions@freebsd.org Sun Apr 2 00:41:17 2017
Subject: Re: Multiple Jails on a single host
To: freebsd-questions@freebsd.org
References: <115d4cb1df2a32f979091b29f7aa2e0f.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <115d4cb1df2a32f979091b29f7aa2e0f.squirrel@webmail.harte-lyne.ca>
From: Orion Tiller
Date: Sat, 1 Apr 2017 16:22:27 -0700

> I have a FreeBSD host on which I wish to have two jails. I have set-up
> the first using ezjail and the relevant information for it follows:
>
> /etc/rc.conf
>
> ### Jailed Services
> jail_enable="YES" # Set to NO to disable starting of any jails
> ezjail_enable="YES" # Enable ezjail jail manager
> jail_list="hlldns02" # Space separated list of jail names
>
> cloned_interfaces="lo1"
> ipv4_addrs_lo1="192.168.209.33/32"
>
>
> /usr/local/etc/ezjail/hlldns02
>
> export jail_hlldns02_hostname="hlldns02"
> export jail_hlldns02_ip="lo1|127.0.1.1,em0|192.168.209.33"
> '
>
> This jail has sshd configured and enabled. With the jail started I
> can reach it with "ssh 192.168.209.33 -t -Y 'bash || sh'". It passes
> over the host's firewall without problem.
>
> However when I add the following additional configuration in
> /etc/rc.conf to handle the second jail then I can no longer connect to
> the first jail. Instead I receive this error:
>
> ssh: connect to host 192.168.209.33 port 22: No route to host
>
> If I try to ping it I get this:
>
> ping 192.168.209.33
> PING 192.168.209.33 (192.168.209.33) 56(84) bytes of data.
> From 192.168.209.2:icmp_seq=2 Redirect Host(New nexthop: 192.168.209.33)
> From 192.168.209.2:icmp_seq=3 Redirect Host(New nexthop: 192.168.209.33)
> From 192.168.209.2:icmp_seq=4 Redirect Host(New nexthop: 192.168.209.33)
> From 192.168.209.2:icmp_seq=4 Destination Host Unreachable
>
> This is the altered configuration:
>
> /etc/rc.conf
>
> cloned_interfaces="lo1"
> ipv4_addrs_lo1="192.168.209.33/32"
> cloned_interfaces="lo2"
> ipv4_addrs_lo2="192.168.209.18/32"
>
>
> /usr/local/etc/ezjail/hllmx18
>
> export jail_hllmx18_hostname="hllmx18"
> export jail_hllmx18_ip="lo2|127.0.2.1,em0|192.168.209.18"
>
>
>
> If I remove the second set of lo cloning statements from rc.conf then
> the first jail starts and can be connected to but the second jail will
> not start at all.
>
> Obviously I am missing some critical piece of information respecting
> jails and it seems to involve the loopback interface. What entries
> should be in /etc/rc.conf to handle the two jails I have outlined
> above such that I can communicate to them directly?
>
> Thanks.
>

try

cloned_interfaces="lo1 lo2"
ipv4_addrs_lo1="192.168.209.33/32"
ipv4_addrs_lo2="192.168.209.18/32"