From owner-freebsd-questions@FreeBSD.ORG Tue Jul 8 16:03:47 2008
Message-ID: <2daa8b4e0807080903o609d6b7ag831845b7939c20c8@mail.gmail.com>
Date: Tue, 8 Jul 2008 09:03:45 -0700
From: "David Allen"
To: Mel
Cc: freebsd-questions@freebsd.org
Subject: Re: Jails and IP Aliasing
In-Reply-To: <200807081124.33377.fbsd.questions@rachie.is-a-geek.net>
References: <2daa8b4e0807070951u607ff031v98b5b96103fdab4@mail.gmail.com> <200807081124.33377.fbsd.questions@rachie.is-a-geek.net>

On Tue, Jul 8, 2008 at 2:24 AM, Mel wrote:
> On Monday 07 July 2008 18:51:33 David Allen wrote:
>
>> Granted, everything is really happening over the loopback address, but a
>> connection originating from the jailhost to a jail should appear to be
>> using the jailhost's IP address, or so I'd like to think. If it doesn't,
>> then the scenario is awkward at best when trying to understand or debug
>> issues.
>
> To debug this, you need to 'add jail support to sockstat'. This sounds hard,
> and it is, but you can fake it, since sockstat gives you the PID. With a
> little creative scripting, you can call `ps -o state' for each PID in the
> list, look for the capital 'J' and if it is, add the 'J' to the line.

Been there and done that. When I first started working with jails, I discovered that most standard utilities didn't offer any support for jails, and chaining commands got to be really old fast. I ended up writing a few Perl scripts and routinely use those instead. IIRC, there's a jail-related port that offers a collection of something similar.

Still, we're talking about a very limited subset of tools and functionality. What about tcpdump? Or firewall rules? Or any other network tool? There was a post recently (Matthew Seaman's name comes to mind) that suggested binding jails to addresses in the loopback range and then using firewall rules to redirect the traffic accordingly. There's a possibility that may help in this case, but that layer of added complexity isn't much of an improvement over seeing connections with seemingly identical endpoints and interpreting the results in my head.

>> The thought occurred to me, however, that I could add a new network card
>> and reserve that for the IP aliases needed by the jails. But I'm not sure
>> whether that will work in telling me who's who, or whether I'll discover
>> another gotcha. ;-)
>
> It will add more gotchas, unless you put each network card in a different
> network. With the IPs given here, you tell the host that 10.0.1.0/24 is on
> fxp0, so it will never go to fxp1 for 10.0.1.4.

You're probably right. I'm wondering, though, if by moving the jails into their own network space and adding routing into the mix, the end result may be more satisfactory?

Setting aside the fun of mental gymnastics, the conclusion seems to be don't run anything on the jail host that would initiate a connection to a service running inside a jail. Unless, of course, you don't mind being confused (at least from a networking perspective) by WTF you're seeing. ;-)

Either way, thanks very much for the input.
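The "fake jail support for sockstat" recipe Mel describes, and which David says he scripted in Perl, written out as a small POSIX shell script. This is an added example, not code from either poster or from FreeBSD: it reads sockstat(1)-style lines, asks ps(1) for each PID's state, and prefixes the line with `J` when the state string carries the capital `J` jail flag. The `SAMPLE_STATES` table and `SAMPLE_SOCKSTAT` listing are constructed so the script runs offline; with `OFFLINE=0` on a FreeBSD host it queries the real `ps -o state=` and reads real `sockstat` output from stdin.

```shell
#!/bin/sh
# Added example, not from the thread: annotate sockstat(1) output with a 'J'
# marker for sockets owned by jailed processes, following the recipe of
# calling ps(1) for each PID and looking for the capital 'J' state flag.
#
# OFFLINE=1 (default) uses a constructed state table so the script runs
# anywhere; on FreeBSD use:  sockstat -4l | OFFLINE=0 sh annotate_jailed.sh
: "${OFFLINE:=1}"

# Constructed PID -> ps state table standing in for `ps -o state= -p PID`.
# A capital 'J' anywhere in the state string marks a jailed process.
SAMPLE_STATES='
1234 SsJ
2345 Ss
3456 IsJ'

# Print the ps(1) state string for PID $1.
proc_state() {
    if [ "$OFFLINE" = 1 ]; then
        printf '%s\n' "$SAMPLE_STATES" | awk -v p="$1" '$1 == p { print $2 }'
    else
        ps -o state= -p "$1" 2>/dev/null
    fi
}

# Read sockstat-style lines on stdin (USER COMMAND PID FD PROTO LOCAL FOREIGN)
# and echo each one prefixed with 'J' when its PID is jailed, '-' otherwise.
annotate_jailed() {
    while IFS= read -r line; do
        case "$line" in
            USER*) printf '%-4s %s\n' JAIL "$line"; continue ;;
        esac
        pid=$(printf '%s\n' "$line" | awk '{ print $3 }')
        case "$(proc_state "$pid")" in
            *J*) mark=J ;;
            *)   mark=- ;;
        esac
        printf '%-4s %s\n' "$mark" "$line"
    done
}

# Number of annotated stdin lines that belong to jailed processes.
count_jailed() {
    annotate_jailed | grep -c '^J '
}

# Constructed `sockstat -4l` output: an sshd listener in a jail, the host's
# own sshd, and a jailed httpd, all on aliases of the same interface.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   10.0.1.4:22           *:*
root     sshd       2345  3  tcp4   10.0.1.1:22           *:*
www      httpd      3456  4  tcp4   10.0.1.5:80           *:*'

if [ "$OFFLINE" = 1 ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | annotate_jailed
else
    annotate_jailed
fi
```

The script only tells host processes from jailed ones; as the thread notes, it still cannot show which jail a given PID belongs to, and it does nothing for tcpdump or firewall rules, where the aliases on one interface remain indistinguishable from the host's own address.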