Date:      Thu, 23 Aug 2018 18:18:53 -0400
From:      Alejandro Imass <aimass@yabarana.com>
To:        Norman Gray <norman.gray@glasgow.ac.uk>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Jails and networks
Message-ID:  <CAHieY7TVruoxm4M46DgZ1CLOr6x9OyDyeKEKfj7B3mW%2BZjk1tw@mail.gmail.com>
In-Reply-To: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>
References:  <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>

On Thu, Aug 23, 2018 at 3:49 PM Norman Gray <norman.gray@glasgow.ac.uk> wrote:

>
> Greetings.
>
> I'm having difficulty creating a jail which is able to see the outside
> world.  The various recipes I've found seem to be subtly contradictory:
> I'm trying to understand what they're doing rather than dumbly following
> them, and my lack of success here is telling me that my mental model of
> jails+networking doesn't quite match reality.  I think I'm on the verge
> of a very educational experience....
>
> I'm using ezjail, on 11.2.
>
> Sources:
>
>    * The manual [1] describes basic usage, but mentions release 9.3; I
> get the impression that ezjail's procedure for starting and configuring
> jails (using /etc/jail.conf rather than the old 4 arguments) is slightly
> but significantly incompatible with 11.2.
>
>    * The ezjail documentation [2] describes setting up a jail using
> em0|10.0.0.2, very straightforwardly
>
>    * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions.  But I now suspect I'm doing so naively.
>
>    * Another forum post [4] describes setting up both a VIMAGE and a
> non-VIMAGE jail, and is usefully explicit about the contents of the
> /etc/jail.conf file.  This is the one I've been following most closely,
> but I realise that I don't understand why it configures a bridge
> interface, but adds only a single real interface igb0 to it (my model of
> a bridge interface is that it necessarily involves two interfaces, or
> does the igb0 in the host and the one in the client count as two?).
>
> My host is on a 172.16.0.0/12 private network, which is routable
> locally, though it has to use a proxy to get to the web.  I want to set
> up a jail on (slightly at random) 192.168.11.128.
>
> I have:
>
>    * net.inet.ip.forwarding: 1
>    * igb0 configured with the correct IP address and mask, not aliased
> at all
>    * I've created lo1
>
> My /etc/jail.conf looks like
>
>      exec.start = "/bin/sh /etc/rc";
>      exec.stop = "/bin/sh /etc/rc.shutdown";
>      exec.clean;
>
>      path = "/local/jails/$name";
>
>      mount.fstab = "/etc/jail/fstab.${name}";
>      mount.devfs;
>      mount.fdescfs;
>      mount.procfs;
>
>      host.hostname = "${name}.local";
>
>      devfs_ruleset         = "4";
>
>      norman {
>          # test jail
>          ip4.addr = "192.168.11.128";
>          interface = "igb0";
>      }
>
> and the non-comment lines in /usr/local/etc/ezjail.conf look like
>
>      ezjail_jaildir=/local/jails
>      ezjail_ftphost=http://ftp.uk.freebsd.org
>      ezjail_use_zfs="YES"
>      ezjail_use_zfs_for_jails="YES"
>      ezjail_jailzfs=zroot/local/jails
>
> I've created a ezjail flavour called 'norman' (with the inevitable
> solipsism).
>
> My _understanding_ is that this sets the jail to use the igb0 interface
> in the host (a non-VIMAGE jail doesn't have a separate networking
> stack).
>
> I create the jail
>
>      ezjail-admin create -f norman -c zfs norman
> 'lo1|127.0.1.1,igb0|192.168.11.128'
>
> lo1 first, as suggested in [1].  My impression is that that sets up the
> loopback interface within the jail to be an alias of lo0 in the host,
> and attaches 192.168.11.128 to igb0 in the  jail.
>
> Then I start the jail
>

If you are using ezjail then use ezjail-admin or
/usr/local/etc/rc.d/ezjail start xxxx

I.e. if ezjail is managing your jails then use ezjail-admin and avoid any
jail-specific commands except for jls

How do you know your jails can't access the Internet?

ping and some network commands are restricted in jails, but you can try wget or
curl to test. Or maybe pkg update to test

I can help you a lot with ezjail. I've used it for years and it's a great
system.

Best,
Alex
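As an added example (not part of this thread or of ezjail), a small POSIX shell script that does the host-side checks Alex's advice points at: that each address in the ezjail interface spec ('lo1|127.0.1.1,igb0|192.168.11.128') is actually configured on its host interface once the jail is started, and that the jail can fetch a URL through the proxy with fetch rather than with ping. The jail name, proxy URL and test URL are placeholders the caller supplies; jls, ifconfig, jexec and fetch are assumed to be the FreeBSD host's tools.

```shell
#!/bin/sh
# Added example, not from the thread: host-side checks for a non-VIMAGE jail
# whose addresses are aliases on the host's interfaces (jail.conf ip4.addr /
# interface, or the ezjail-admin create interface spec).
# Assumed placeholders: jail name, proxy URL and test URL passed by the caller.

# Turn an ezjail spec like 'lo1|127.0.1.1,igb0|192.168.11.128' into
# "iface addr" lines, one per comma-separated pair.
parse_ifspec() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS='|' read -r iface addr; do
        if [ -n "$iface" ] && [ -n "$addr" ]; then
            printf '%s %s\n' "$iface" "$addr"
        fi
    done
}

# Succeed if the ifconfig output in $1 lists address $2 as an inet address.
# For a non-VIMAGE jail the address must show up on the HOST interface: it is
# added when the jail starts and removed when it stops.
has_alias() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*inet $2 "
}

# Whole check: every address in the spec is live on its interface, and the
# jail can fetch a URL through the proxy. Runs only on a FreeBSD host with
# the jail already started (ezjail-admin start, then jls to confirm).
check_jail_net() {
    jail=$1 spec=$2 proxy=$3 url=${4:-http://pkg.freebsd.org/}
    rc=0
    for pair in $(printf '%s\n' "$spec" | tr ',' ' '); do
        iface=${pair%%|*} addr=${pair#*|}
        if has_alias "$(ifconfig "$iface" 2>/dev/null)" "$addr"; then
            echo "ok:   $addr is configured on $iface"
        else
            echo "FAIL: $addr is not on $iface (jail not started? check jls)"
            rc=1
        fi
    done
    # fetch/curl rather than ping: raw ICMP sockets are restricted in a jail.
    if jexec "$jail" env http_proxy="$proxy" fetch -q -o /dev/null "$url"; then
        echo "ok:   jail $jail fetched $url via $proxy"
    else
        echo "FAIL: jail $jail could not fetch $url via $proxy"
        rc=1
    fi
    return $rc
}

# Usage: check_jail_net norman 'lo1|127.0.1.1,igb0|192.168.11.128' http://proxy.example:3128
```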


