Date:      Tue, 13 Dec 2016 23:28:12 -0500
From:      "Isaac (.ike) Levy" <ike@blackskyresearch.net>
To:        Ernie Luzar <luzar722@gmail.com>
Cc:        freebsd-jail@FreeBSD.org
Subject:   Re: multiple interfaces for jail.conf(1) and jail_set(2)
Message-ID:  <8E3BBF75-D2A2-4B42-A693-41D0B3F16D19@blackskyresearch.net>
In-Reply-To: <5850A9F6.2090501@gmail.com>
References:  <0ED7F403-F14E-4A72-8E54-AF74AAE15061@blackskyresearch.net> <5850A9F6.2090501@gmail.com>

Thanks Ernie,

But, that straight out did not work for me,

> On Dec 13, 2016, at 9:09 PM, Ernie Luzar <luzar722@gmail.com> wrote:
>
> Isaac (.ike) Levy wrote:
>> Hi All,
>> Can I specify multiple IP interfaces and assign IPs to them using jail.conf?
>> I have jails with IPv4/IPv6 addresses on multiple physical interfaces, as well as assigning a loopback.
>> I have not found answers in the respective man pages or digging online.
>> I'm finally starting to poke around to start using the impressively simple jail.conf subsystem to manage jails.  I have been managing jails with simple custom start scripts since '99, and custom devfs rulesets since ~2006, so jail.conf(1) and jail_set(2) are a big welcome change for me- really awesome and clean :)
>> --
>> Additional detail to clarify my loopback use:
>> In general, I always assign each jail its own loopback IP somewhere in the RFC5735 specified range, 127.0.0.0/8 - (simply saving 127.0.0.1 for the jailing host), and then I simply set localhost to point at its IP in /etc/hosts for the jail.  On the host, I simply add the IP alias to lo0 like any other interface.
>> This is often overlooked in common jailing practice, but often eliminates complexity and confusion for many userland daemons.  For full Virtual Server applications, loopback is simply dotting the i's and crossing the t's.
>> I can see how localhost would be challenging to automate for easy jail.conf configuration, mostly, in picking a loopback IP for the jail and not letting that get messy- etc...
>> Thanks in advance for any info!
>> Best,
>> .ike
>
> Using native jail.conf you can assign multiple NICs with both IPv4 & IPv6 IP addresses. By native I mean use the jail(8) command to start/stop your jails, i.e. not the [service jail start] command. Use this format
> ip.addr = "rlo:10.0.10.02,xl0:10.20.10.07,lo0:127.10.0.02" This will also automatically create and remove the required aliases.

That does not appear to work- which is sad, I was excited by the syntax.

I am getting the following error,

r# jail -c myjail
jail: medial: ip4.addr: not an IPv4 address: em0:10.0.0.22
jail: myjail: ip6.addr: not an IPv6 address: em0:2:2:2:2::22
# uname -r
11.0-RELEASE-p2

My jail.conf contains precisely the following,

myjail {
    path = /foo/bar;
    mount.devfs;
    host.hostname = bar.blackskyresearch.net;
    ip4.addr = "em0:10.0.0.22,lo0:127.0.0.22";
    ip6.addr = "em0:2:2:2:2::22";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

Noteworthy- the error thrown for ip4.addr does not even get to mentioning the second listed IP on lo0.

>
> A word about loopback. Just like on the host, most services do not use the loopback interface, this is also true for jailed services. Only services that default to using the loopback interface need one defined in the jail to work correctly.

Sure sometimes, but not always.  While 127.0.0.1 is hardcoded into many apps and configs, this is certainly more controllable in my world where I can physically slap whomever wrote the daemon with hardcoded IPs- even for using local inet sockets :)

>
> Take note, the services that use the loopback interface default to using the 127.0.0.1 IP address. A service in a jail that uses loopback MUST have its configuration changed to use the 127.10.0.02 IP address assigned in the jail's jail.conf ip.addr parameter. No service in a jail can be assigned the host's 127.0.0.1 IP address.

Certainly.  Yet, I've found very few headaches after changing a /etc/hosts to reflect the localhost IP for the jail.  "localhost" just resolves, as it should.

>
> I recommend you check out these ports,
> jail-primer gives background on jails across FreeBSD releases.

I believe I gave the author of that document extensive feedback when it was originally authored- as a submission rewrite for the handbook.

While this jail-primer doc was filled with many useful and practical words of advice, it was also a document for which I provided a great deal of constructive feedback to the author (pre 9.2 release).

I was particularly worried about the way the "jail cell" vocabulary abstraction was introduced and used.  I cited a relentless "use my port" approach to jail administration.  And finally, in that doc, there was far too much of an overall fundamental shift away from base UNIX ways of doing things- and even the FreeBSD way of doing things.  I find documentation like this to be frustrating for oldschoolers because it is not concise or technically informative, and detracts for new users- by presenting jail(8) in a manner which is abstracted into something so from the FreeBSD operating system.

On a quick skim, the jail-primer project you posted appears to be roughly the same document- and it also does not have the information about IP interfaces jail.conf syntax you mention above.

> qjail a utility that simplifies jail admin.

Thanks, but I'm not really interested in qjail or else I would have asked about it wherever they run their list!

While I do see tools like qjail, good ol' ezjail, and iocage as being very valuable, they have little to do with my question.

--
Back to the original post- did I do something wrong or interpret your instructions incorrectly?
Thanks!

Best,
.ike
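Added example, not part of this thread: the same jail rewritten in the per-interface address form that jail(8) documents, "interface|address/netmask", which is why the "interface:address" strings above are rejected as "not an IPv4 address" (jail(8) hands the whole string to the address parser). The interfaces and addresses are the ones from .ike's jail.conf; the host-mask prefixes are an assumption, chosen so the aliases do not collide with addresses the host already has on those interfaces.

```conf
myjail {
    path = /foo/bar;
    mount.devfs;
    host.hostname = bar.blackskyresearch.net;

    # Separator between interface and address is "|", not ":".
    # jail(8) adds each address as an alias on the named interface
    # before the jail starts and removes it again on jail -r.
    # /32 and /128 (assumed here) are the usual masks for aliases on an
    # interface that already carries an address in the same subnet.
    ip4.addr  = "em0|10.0.0.22/32";
    ip4.addr += "lo0|127.0.0.22/32";    # per-jail loopback, as described above
    ip6.addr  = "em0|2:2:2:2::22/128";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

Without the "interface|" prefix, jail.conf's separate "interface = em0;" parameter puts every listed address on that one interface, so the prefix form is what allows em0 and lo0 to be mixed in a single jail.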