Date: Sun, 4 Dec 2016 13:00:44 -0500 (EST)
From: doug <doug@fledge.watson.org>
To: Matthew Seaman <matthew@FreeBSD.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: Can't ping in jail
Message-ID: <alpine.BSF.2.20.1612041251510.33158@fledge.watson.org>
In-Reply-To: <8d283142-a8e8-fed5-0ab4-57960dfbb304@FreeBSD.org>
References: <alpine.BSF.2.20.1612030234030.77272@fledge.watson.org> <alpine.BSF.2.20.1612031801220.33158@fledge.watson.org> <584368A1.5080206@gmail.com> <alpine.BSF.2.00.1612031954060.53759@bucksport.safeport.com> <5843788A.2080902@gmail.com> <8d283142-a8e8-fed5-0ab4-57960dfbb304@FreeBSD.org>
On Sun, 4 Dec 2016, Matthew Seaman wrote:

> On 04/12/2016 01:59, Ernie Luzar wrote:
>> This post sheds a lot of light on your problem. ezjail uses the legacy
>> method with definition statements in /etc/rc.conf and qjail uses the
>> modern way using /etc/jail.conf. qjail is a fork of ezjail so many
>> things will feel the same moving to qjail. The ezjail and qjail
>> directory trees are named differently and use different internal control
>> files so you would have to build your qjail jails anew. qjail and ezjail
>> can both run on the same host at the same time just using different jail
>> ip addresses.
>>
>> Both methods have statements for enabling allow_raw_sockets on a jail
>> by jail basis which is the way it should be done. The sysctl knob has to
>> be issued on the host where the jails are, not the gateway host connected
>> to the public network.
>>
>> ezjail requires manual starting and stopping of the ip alias for the jail.
>> qjail does all that for you without you having to take any actions.
>>
>> There is a qjail version for 9.x systems, but it's outdated and at EOL.
>
> The jail management system that has been attracting a lot of attention
> and favourable comment recently is iocage. The original version was
> written in /bin/sh and this is what is in ports as sysutils/iocage or
> sysutils/iocage-devel. The authors are intending to rewrite it in a
> different language though.

From this I hear that the file system, and more specifically the various jail management interfaces, which I understand as basically an abstraction layer to interface with the basic jail structure, have an impact on the way raw sockets are handled in the network stack. It was/is my general understanding that best-practice O/S design would and does generally follow the layers underlying the original ARPANET design. So that's not the case with the jail implementation??
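As an added illustration of the per-jail setting Ernie describes (this is not part of the thread and not ezjail's or qjail's own configuration), here is a /etc/jail.conf(5) fragment in the "modern" style. The jail names, interface and 192.0.2.x addresses are invented; the point is that allow.raw_sockets is granted only to the jail that actually needs ping, not to every jail on the host.

```conf
# /etc/jail.conf -- added example, not from the thread.
# Jail names, "em0" and the 192.0.2.0/24 addresses are placeholders.

# Defaults inherited by every jail defined below.
path = "/usr/jails/$name";
host.hostname = "$name.example.invalid";
interface = "em0";                  # host NIC that carries the jail alias
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Ordinary service jail: raw sockets stay at the default (disabled),
# so ping(8) run inside it fails with an "Operation not permitted"
# socket error. That is the expected, least-privilege state.
web {
    ip4.addr = 192.0.2.10;
}

# Monitoring jail: the only one permitted to open raw sockets, which
# ping(8) and traceroute(8) need. Granting it here, per jail, keeps the
# capability off the other jails on the same host.
monitor {
    ip4.addr = 192.0.2.11;
    allow.raw_sockets = 1;
}
```

After `service jail start monitor` (or `jail -c monitor`), `jls -j monitor allow.raw_sockets` should print `1` while the same query for `web` prints `0`. The legacy /etc/rc.conf style that ezjail uses carries the same parameter per jail as `jail_monitor_parameters="allow.raw_sockets=1"`; either way the setting is applied on the host that runs the jail, as the thread notes, because the parameter lives in that host's kernel jail structure.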