Date: Tue, 13 Dec 2016 23:28:12 -0500
From: "Isaac (.ike) Levy" <ike@blackskyresearch.net>
To: Ernie Luzar <luzar722@gmail.com>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: multiple interfaces for jail.conf(1) and jail_set(2)
Message-ID: <8E3BBF75-D2A2-4B42-A693-41D0B3F16D19@blackskyresearch.net>
In-Reply-To: <5850A9F6.2090501@gmail.com>
References: <0ED7F403-F14E-4A72-8E54-AF74AAE15061@blackskyresearch.net> <5850A9F6.2090501@gmail.com>
Thanks Ernie,

But, that straight out did not work for me,

> On Dec 13, 2016, at 9:09 PM, Ernie Luzar <luzar722@gmail.com> wrote:
>
> Isaac (.ike) Levy wrote:
>> Hi All,
>>
>> Can I specify multiple IP interfaces and assign IPs to them using jail.conf?
>>
>> I have jails with IPv4/IPv6 addresses on multiple physical interfaces, as well as assigning a loopback.
>>
>> I have not found answers in the respective man pages or digging online.
>>
>> I'm finally starting to poke around to start using the impressively simple jail.conf subsystem to manage jails. I have been managing jails with simple custom start scripts since '99, and custom devfs rulesets since ~2006, so jail.conf(1) and jail_set(2) are a big welcome change for me- really awesome and clean :)
>>
>> --
>> Additional detail to clarify my loopback use:
>>
>> In general, I always assign each jail its own loopback IP somewhere in the RFC5735 specified range, 127.0.0.0/8 - (simply saving 127.0.0.1 for the jailing host), and then I simply set localhost to point at its IP in /etc/hosts for the jail. On the host, I simply add the IP alias to lo0 like any other interface.
>>
>> This is often overlooked in common jailing practice, but often eliminates complexity and confusion for many userland daemons. For full Virtual Server applications, loopback is simply dotting the i's and crossing the t's.
>>
>> I can see how localhost would be challenging to automate for easy jail.conf configuration, mostly, in picking a loopback IP for the jail and not letting that get messy- etc...
>>
>> Thanks in advance for any info!
>>
>> Best,
>> .ike
>
> Using native jail.conf you can assign multiple NICs with both ipv4 & ipv6 ip addresses. By native I mean use the jail(8) command to start/stop your jails, i.e. not the [service jail start] command.
>
> Use this format
>
> ip.addr = "rlo:10.0.10.02,xl0:10.20.10.07,lo0:127.10.0.02"
>
> This will also automatically create and remove the required aliases.

That does not appear to work- which is sad, I was excited by the syntax.

I am getting the following error,

r# jail -c myjail
jail: medial: ip4.addr: not an IPv4 address: em0:10.0.0.22
jail: myjail: ip6.addr: not an IPv6 address: em0:2:2:2:2::22
# uname -r
11.0-RELEASE-p2

My jail.conf contains precisely the following,

myjail {
path = /foo/bar;
mount.devfs;
host.hostname = bar.blackskyresearch.net;
ip4.addr = "em0:10.0.0.22,lo0:127.0.0.22";
ip6.addr = "em0:2:2:2:2::22";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
}

Noteworthy- the error thrown for ip4.addr does not even get to mentioning the second listed IP on lo0.

> A word about loopback. Just like on the host, most services do not use the loopback interface; this is also true for jailed services. Only services that default to using the loopback interface need one defined in the jail to work correctly.

Sure sometimes, but not always. While 127.0.0.1 is hardcoded into many apps and configs, this is certainly more controllable in my world where I can physically slap whomever wrote the daemon with hardcoded IPs- even for using local inet sockets :)

> Take note, the services that use the loopback interface default to using the 127.0.0.1 ip address. A service in a jail that uses loopback MUST have its configuration changed to use the 127.10.0.02 ip address assigned in the jail's jail.conf ip.addr parameter. No service in a jail can be assigned the host's 127.0.0.1 ip address.

Certainly. Yet, I've found very few headaches after changing /etc/hosts to reflect the localhost IP for the jail. "localhost" just resolves, as it should.

> I recommend you check out these ports,
>
> jail-primer gives background on jails across FreeBSD releases.

I believe I gave the author of that document extensive feedback when it was originally authored- as a submission rewrite for the handbook.

While this jail-primer doc was filled with many useful and practical words of advice, it was also a document for which I provided a great deal of constructive feedback to the author (pre 9.2 release). I was particularly worried about the way the "jail cell" vocabulary abstraction was introduced and used. I cited a relentless "use my port" approach to jail administration. And finally, in that doc, there was far too much of an overall fundamental shift away from base UNIX ways of doing things- and even the FreeBSD way of doing things. I find documentation like this to be frustrating for oldschoolers because it is not concise or technically informative, and detracts for new users- by presenting jail(8) in a manner which is abstracted into something so from the FreeBSD operating system.

On a quick skim, the jail-primer project you posted appears to be roughly the same document- and it also does not have the information about the IP interfaces jail.conf syntax you mention above.

> qjail a utility that simplifies jail admin.

Thanks, but I'm not really interested in qjail or else I would have asked about it wherever they run their list!

While I do see tools like qjail, good ol' ezjail, and iocage as being very valuable, they have little to do with my question.

--

Back to the original post- did I do something wrong or interpret your instructions incorrectly?

Thanks!

Best,
.ike
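An added preflight check, not code from the thread or from FreeBSD's own tools: it parses the ip4.addr/ip6.addr entries of a jail.conf block and reports any entry that is not a valid address, so the "iface:addr" form above is caught before jail -c is run. The corrected sample block uses the "interface|address/prefix" form that jail(8) documents for adding aliases; the prefix lengths and both sample blocks are constructed for this example.

```python
"""Preflight lint for ip4.addr / ip6.addr entries in a jail.conf(5) block (added example)."""
import ipaddress
import re

# Constructed sample: the block from the thread, in the 'iface:addr' form that
# jail -c rejected ("not an IPv4 address: em0:10.0.0.22").
BROKEN_CONF = """myjail {
    path = /foo/bar;
    ip4.addr = "em0:10.0.0.22,lo0:127.0.0.22";
    ip6.addr = "em0:2:2:2:2::22";
}"""

# Same block in the 'interface|address/prefix' form documented in jail(8).
# The prefix lengths are assumptions made for this example.
FIXED_CONF = """myjail {
    path = /foo/bar;
    ip4.addr = "em0|10.0.0.22/24, lo0|127.0.0.22/8";
    ip6.addr = "em0|2:2:2:2::22/64";
}"""

# Matches 'ip4.addr = "...";' and the 'ip4.addr += "...";' append form.
_PARAM_RE = re.compile(r'^\s*(ip[46]\.addr)\s*\+?=\s*"?([^";]*)"?\s*;', re.M)
_IFNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.]*")


def check_addrs(conf):
    """Return [(param, entry, problem)] for every bad entry; [] means clean."""
    problems = []
    for param, value in _PARAM_RE.findall(conf):
        want = 4 if param == "ip4.addr" else 6
        for entry in (e.strip() for e in value.split(",") if e.strip()):
            iface, sep, rest = entry.rpartition("|")
            if sep and not _IFNAME_RE.fullmatch(iface):
                problems.append((param, entry, "bad interface name before '|'"))
                continue
            addr = (rest.split() or [""])[0]  # drop trailing ifconfig(8) params
            try:
                ver = ipaddress.ip_interface(addr).version
            except ValueError:
                problems.append((param, entry, "not an IP address (use iface|addr)"))
                continue
            if ver != want:
                problems.append((param, entry, f"IPv{ver} address in {param}"))
    return problems


if __name__ == "__main__":
    for param, entry, problem in check_addrs(BROKEN_CONF):
        print(f"{param}: {problem}: {entry}")
```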