From: Jamie Gritton <jamie@FreeBSD.org>
Date: Thu, 07 Mar 2013 16:22:01 -0700
To: Yoann Gini
Cc: freebsd-jail@FreeBSD.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…
Message-ID: <51392119.2090502@FreeBSD.org>
References: <55865.68.255.104.38.1362619385.squirrel@cosmo.uchicago.edu> <6C130E1F-6CDC-4328-A300-5B483B8B4940@gmail.com> <513864D5.1070900@passap.ru>
List-Id: "Discussion about FreeBSD jail(8)" <freebsd-jail@freebsd.org>

On 03/07/13 05:29, Yoann Gini wrote:
>
> On 7 March 2013 at 10:58, Boris Samorodov wrote:
>
>> On 07.03.2013 12:48, Yoann Gini wrote:
>>
>>> I need to share this IP, I've only one and I would like to avoid playing with NAT…
>>
>> One IP may be shared but for different services (ports).
>
> That's what I've understood and what I've planned.
>
>>> If someone has an idea…
>>
>> Give some more information:
>> 1. OS version, OS arch.
>
> FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
>> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
>
> What do you want from /etc? Except for the fstab, I don't see any config there; the fstab looks like this:
>
> /home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
> /usr/ports /home/jails/front0.public.example.com/usr/ports nullfs ro 0 0
>
> And here is the ezjail config:
>
> export jail_front0_public_example_com_hostname="front0.public.example.com"
> export jail_front0_public_example_com_ip="IPv6Prefix::80,SharedIPv4,10.42.0.2"
> export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
> export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
> export jail_front0_public_example_com_exec_stop=""
> export jail_front0_public_example_com_mount_enable="YES"
> export jail_front0_public_example_com_devfs_enable="YES"
> export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
> export jail_front0_public_example_com_procfs_enable="YES"
> export jail_front0_public_example_com_fdescfs_enable="YES"
> export jail_front0_public_example_com_image=""
> export jail_front0_public_example_com_imagetype=""
> export jail_front0_public_example_com_attachparams=""
> export jail_front0_public_example_com_attachblocking=""
> export jail_front0_public_example_com_forceblocking=""
> export jail_front0_public_example_com_zfs_datasets=""
> export jail_front0_public_example_com_cpuset=""
> export jail_front0_public_example_com_fib=""
>
>> 3. What do you want to achieve.
>
> I want a setup with:
> — srv0 listens only for SSH on an alternate port for supervision on public IPv4/6;
> — front0 handles any public services (web, DNS, e-mail) on public IPv4/6;
> — service0 handles internal services (git, redmine, AFP sharepoints…) on a private IP, and SSH on another alternate port on public IPv4/6;
> — gateway0 acts as a VPN server and web proxy to secure access to the private services on service0, and as a secure gateway to encrypt network traffic for road warriors on public networks.
>
> In the end, I will dispatch those services onto different servers, but for now I only have access to one system, so I would like to prepare the setup to be dispatched onto different hardware when the budget comes.
>
> Actually, if I remove the SharedIPv4 from the jails, it works.
>
> I've investigated more in the open-socket area and I think the problem comes from Apache, which still listens on *:* even though I've set a Listen directive…

You're allowed to have the same address in multiple jails, but only in
the case of jails that have one address (i.e. one IPv4 address in this
case). Jails with multiple IP addresses can't share any of those
addresses with other jails.

I don't know why it should work once and then not work later though.
The jail config you show has only a single jail, so I also wonder what
it's clashing with - a clash is defined as the same IP address between
two different jails. Are there other jail configs you didn't show?

Also, there's a chance a jail has been removed but is not yet gone
(though I wouldn't expect that case in a reboot situation). Could you
run "jls -dn" immediately after the failed jail start, and tell me any
output it gives?

- Jamie
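The sharing rule Jamie states (an IPv4 address may appear in several jails only when every jail holding it has exactly one address) and his "jls -dn" check can be turned into a small audit script. The following is an added example, not code from the thread or from FreeBSD; the sample listing is constructed here, and it assumes `jls -dn` prints one jail per line as `name=value` pairs with a comma-separated `ip4.addr` and a `dying=true/false` field. It reports address pairs that break the rule and addresses still held by dying (removed but not yet gone) jails.

```shell
#!/bin/sh
# Added example (not from the thread): audit a `jls -dn` style listing for
# IPv4 addresses shared in a way the kernel refuses, and for addresses still
# held by dying jails. Constructed sample; the line format is an assumption.

# Constructed sample of `jls -dn` output. front0 and service0 both hold the
# public address while also holding a private one, and old0 is a dying jail
# that still holds the public address.
SAMPLE_JLS='jid=1 name=front0 host.hostname=front0.public.example.com ip4.addr=203.0.113.10,10.42.0.2 dying=false
jid=2 name=service0 host.hostname=service0.public.example.com ip4.addr=203.0.113.10,10.42.0.3 dying=false
jid=3 name=gateway0 host.hostname=gateway0.public.example.com ip4.addr=10.42.0.4 dying=false
jid=4 name=old0 host.hostname=old0.public.example.com ip4.addr=203.0.113.10 dying=true'

# Constructed sample that is allowed: two single-address jails sharing one IP.
SAMPLE_JLS_OK='jid=5 name=web0 host.hostname=web0.public.example.com ip4.addr=203.0.113.10 dying=false
jid=6 name=mail0 host.hostname=mail0.public.example.com ip4.addr=203.0.113.10 dying=false'

# find_ip_clashes: read jls -n style lines on stdin and print, sorted:
#   CLASH <addr> <jailA> <jailB>  address shared, and at least one holder has >1 address
#   DYING <addr> <jail>           a dying jail still holds the address
# Prints nothing when the listing is fine.
find_ip_clashes() {
    awk '
    {
        name = ""; addrs = ""; dying = "false"
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            key = substr($i, 1, p - 1); val = substr($i, p + 1)
            if (key == "name") name = val
            else if (key == "ip4.addr") addrs = val
            else if (key == "dying") dying = val
        }
        if (name == "" || addrs == "") next
        n = split(addrs, a, ",")
        naddr[name] = n                      # how many IPv4 addresses this jail has
        for (j = 1; j <= n; j++) {
            holders[a[j]] = (holders[a[j]] == "") ? name : holders[a[j]] " " name
            if (dying == "true") print "DYING", a[j], name
        }
    }
    END {
        for (addr in holders) {
            m = split(holders[addr], h, " ")
            for (x = 1; x <= m; x++)
                for (y = x + 1; y <= m; y++)
                    # sharing is only legal when both jails are single-address
                    if (naddr[h[x]] > 1 || naddr[h[y]] > 1)
                        print "CLASH", addr, h[x], h[y]
        }
    }' | sort
}

# Usage on a live host would be:  jls -dn | find_ip_clashes
printf '%s\n' "$SAMPLE_JLS" | find_ip_clashes
```

On the constructed listing this prints three CLASH lines for 203.0.113.10 (front0/service0, front0/old0, service0/old0) and one DYING line for old0; the second sample produces no output, which is the case the thread describes as permitted.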