From: Jeffrey Williams
Date: Wed, 31 Jan 2007 03:47:53 -0800
To: freebsd-stable@freebsd.org
Subject: Re: jails and multiple interfaces
Message-ID: <45C081E9.50509@sailorfej.net>
In-Reply-To: <200701311221.34003.freebsd-stable@dino.sk>

Milan Obuch wrote:
> On Wednesday 31 January 2007 11:40, Jeffrey Williams wrote:
>> Milan Obuch wrote:
>>> On Wednesday 31 January 2007 11:06, Jeffrey Williams wrote:
>>>> Hi Folks,
>>>>
>>>> I am trying to set a jail hosting server to support multiple jails for
>>>> development testing.
>>>>
>>>> The server has two network interfaces, I am configuring one for host
>>>> server to use, and the other with several aliased IPs, one for each of
>>>> the jail servers.
>>>>
>>>> All the services running on the host are configured to bind to the host
>>>> IP on the first interface.
>>>>
> ...
>>> Why are you doing this? Are your addresses from the same network segment?
>>> I am binding my jail addresses to the loopback interface and route them -
>>> this way you could easily start a take-over jail on another machine and
>>> change the routing table (or use dynamic routing) to minimize downtime on
>>> hardware upgrades, big OS upgrades etc. I do not consider this the best
>>> way, but it just satisfies my needs.
>>> Regards,
>>> Milan
>> I want to segregate the jail and jail host traffic on separate interfaces.
>>
>
> What do you mean with segregate? Why do you need them going through two
> physical interfaces? Maybe I just can't see my nose between eyes, but I do
> not understand the purpose of doing so.

The server acting as jail host is also acting as a FreeBSD build server, a
subversion server for the developer source code repositories, and will have a
lot of continuous network traffic. The jailed servers are for testing of web
applications, which will frequently include network load/bandwidth testing,
and network captures.

To keep the web app testing clean of the hosting server's network activity I
want all the jailed servers to use the second interface, while the hosting
server's network traffic stays on the primary interface. And I have this part
working: all the jailed servers' IP addresses are configured on the second
interface, and the hosting server's IP routing table shows that it is only
using the primary interface/IP address for all its IP traffic.

My only concern, and what I was hoping to get more information on, is whether
there are any potential problems with having two active ethernet interfaces on
the same network segment, e.g. ARP issues, etc.

>
>> How do you route traffic off your loopback interface? By definition, this
>> interface only allows the network stack to talk to itself?
>>
>
> There is nothing special there - my physical interface address is from one
> segment, there is a route added on the upstream router for loopback bound
> addresses. It is not true you are able to talk only to itself with a loopback
> address, it is true only for the loopback address (127.0.0.1/8). All my tests
> show it works the way I want. Actually in a jail you see only one IP address
> on an interface, and regardless which one, all traffic from a jailed process
> uses this address as source address. Routing is done in the host stack in any
> case.
>
> Regards,
> Milan
>
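Jeffrey's question about two active interfaces on one segment, and Milan's loopback-bound alternative, as an added example that is not part of the thread: this Python script parses constructed ifconfig-style output and reports any segment in which more than one non-loopback interface holds an address, which is the layout whose ARP behaviour the post asks about. Interface names, addresses and netmasks are assumed sample values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ifconfig-style output, not from the thread: em0 carries the host
# address, em1 the jail aliases (second one a /32 alias), lo0 a routed jail IP.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.21 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.22 netmask 0xffffffff broadcast 192.0.2.22
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 198.51.100.1 netmask 0xffffffff
"""

IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    """Return (ifname, is_loopback, ip_interface) for every inet address."""
    entries, ifname, loopback = [], None, False
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            ifname, loopback = m.group(1), "LOOPBACK" in m.group(2).split(",")
            continue
        m = INET_RE.match(line)
        if m and ifname:
            prefix = bin(int(m.group(2), 16)).count("1")  # hex mask -> length
            entries.append((ifname, loopback,
                            ipaddress.ip_interface(f"{m.group(1)}/{prefix}")))
    return entries


def shared_segments(text):
    """Segments in which more than one non-loopback interface has an address:
    the two-interfaces-on-one-segment layout the post asks about."""
    entries = parse_ifconfig(text)
    # A segment is any non-/32 network on a non-loopback interface.
    segments = {e[2].network for e in entries
                if not e[1] and e[2].network.prefixlen < 32}
    members = defaultdict(set)
    for ifname, loopback, iface in entries:
        if loopback:
            continue  # loopback-bound jail addresses are routed, not ARPed
        for seg in segments:
            if iface.ip in seg:  # /32 aliases fall into their containing segment
                members[seg].add(ifname)
    return {str(seg): sorted(ifs) for seg, ifs in members.items() if len(ifs) > 1}
```

With the sample above the check flags 192.0.2.0/24 on em0 and em1, while the lo0-bound address is reachable only via routing and is not reported.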