Assign Loopback address 127.0.0.1 to jail

s7r at sky-ip.org s7r at sky-ip.org
Wed Jun 11 21:17:26 UTC 2014


On 6/11/2014 11:56 PM, Jason Hellenthal wrote:
> Simple.
> 
> echo 'options VIMAGE' >>/sys/`uname -p`/conf/GENERIC
> cd /usr/src && make buildkernel && make installkernel
> 
This is perfectly clear - hope it does not affect the current
functionality and installed ports on the running machine?

> Make the necessary adjustments to ensure your system is stable as
> you want it to be during testing and then lock the settings for the
> jails into the respective configuration files and the host
> system's /etc/rc.conf for the interfaces you will use.
> 
> Just an example of my base jail that I use for setting up other
> jails on the fly...
>
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.poststop = "umount /export/cnt/$name/dev";
> exec.clean;
>
> mount.devfs;
>
> path = "/export/cnt/$name";
>
> allow.raw_sockets;
> allow.socket_af;
> vnet = new;
>
> base {
>     host.hostname = base;
>     vnet.interface = vnet0;
>     securelevel = 3;
>     exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast 172.X.X.255";
>     exec.start += "route add default 172.X.X.1";
>     exec.start += "/bin/sh /etc/rc";
> }
> 
Q1: All this is to be pasted into the jail's /etc/rc.conf file?

Q2: 172.X.X.22/22 -> I want to assign a public IP address to the jail,
and a local loopback address.

Q3: route add default - this is the default router? this should be the
host's public IP address or the IP address of the gateway assigned by
my ISP?

> And in my system's rc.conf...
>
> ifconfig_interface0_name="vnet0"
> 
No IP address here or alias for vnet0? In host's /etc/rc.conf? Just
interface0_name="vnet0"? Shouldn't interface0 be em0, the default
interface of the host? Shouldn't that come first?

> I actually give my base template jail a full actual interface to
> work with so I can segment it off on the network at the switch
> level and drop it into another management vlan. But the
> configuration is simple and similar to other interfaces virtual or
> not like if_epair(4).
> 
> The rest of the jail configuration as in rc.conf and such within
> the jail is the same as if it was not a VIMAGE so you should
> already be aware of those details so I won't rattle on with those.
> But if you have any specific questions about this as you move
> through setting up VIMAGE jails feel free to give me a holler
> directly or back to this list and I'll be happy to give you a hand.
> 
> 
> 
> 
> On Wed, Jun 11, 2014 at 3:53 PM, s7r at sky-ip.org <s7r at sky-ip.org>
> wrote:
> 
> On 6/11/2014 4:46 AM, Jason Hellenthal wrote:
>> You could just go with building the host kernel with VIMAGE  . .
>> . Then each jail has its own virtual network stack.
> 
>> -- Jason Hellenthal Voice: 95.30.17.6/616
>> JJH48-ARIN
> 
>> On Jun 10, 2014, at 21:19, "s7r at sky-ip.org" <s7r at sky-ip.org>
>> wrote:
> 
>> On 6/11/2014 3:28 AM, Allan Jude wrote:
>>>>> On 2014-06-10 20:23, s7r at sky-ip.org wrote:
>>>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>>>>> On 2014-06-10 20:07, s7r at sky-ip.org wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>>>> 
>>>>>>>> I have installed ezjail from ports and properly 
>>>>>>>> configured a jail with its own static and dedicated
>>>>>>>> IP address. Everything works good, it's just that I
>>>>>>>> have an application which requires to talk to another
>>>>>>>> one via RPC on IP 127.0.0.1, and I have noticed the
>>>>>>>> jail does not have a lo0 interface or localhost
>>>>>>>> 127.0.0.1 IP address.
>>>>>>>> 
>>>>>>>> This is bad because the application has no choice
>>>>>>>> but to bind to the public IP address assigned to the
>>>>>>>> jail, and it's not safe.
>>>>>>>> 
>>>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a 
>>>>>>>> jail?
>>>>>>>> 
>>>>>>>> Thanks in advance. 
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-jail at freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>>>>> To unsubscribe, send any mail to
>>>>>>>> "freebsd-jail-unsubscribe at freebsd.org"
>>>>>>>> 
>>>>>> 
>>>>>>> Does it have to be 127.0.0.1? You can add an alias
>>>>>>> like 127.0.0.2 to the lo0 interface and use that.
>>>>>> 
>>>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the 
>>>>>>> jail.
>>>>>> 
>>>>>>> Using ezjail, you can also allocate more than 1 IP 
>>>>>>> address to a jail by comma separating them
>>>>>> 
>>>>>>> You can also make it automatically alias the IPs for
>>>>>>> you with the syntax:
>>>>>> 
>>>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Thank you Allan for your fast reply.
>>>>>> 
>>>>>> I have the jail already created via:
>>>>>>
>>>>>> # ezjail-admin create <jailname> <em0|public IP>
>>>>>>
>>>>>> How do I modify the already existing jail to have
>>>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1
>>>>>> in the jail?
>>>>>> 
>>>>>> 
>>>>> 
>>>>> Stop the jail, and then edit
>>>>> /usr/local/etc/ezjail/jail_name
>>>>> 
>>>>> and change the line that defines the IPs
>>>>> 
> 
>> Thank you it works, with 127.0.0.2
> 
>> If I try to add 127.0.0.1 will this create any conflicts with
>> the host or will it work? Because I have something important
>> listening on host's 127.0.0.1 and don't want to mess up. I would
>> need the same configuration within the jail also, so that's why I
>> need the .1 localhost IP.
> 
> 
> 
> Hey Jason
> 
> Thanks for your suggestion. Can you please elaborate a little bit
> and tell me how can I do this step by step? I have an already
> installed system with ezjail and already created one jail - how can
> I add VIMAGE to have virtual network stack in each jail without
> having to reinstall the host or the jails? Thank you, looking
> forward for your reply.
> 
> 
> 
Thank you.
- -- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
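
Added example (not part of the original message or of any poster's setup): a check for the concern raised in this thread, that a service meant for 127.0.0.1 ends up listening on the jail's public address because a non-VIMAGE jail maps 127.0.0.1 to the jail's IP. It reads `sockstat -4 -l` output; the sample output, user and command names, addresses and ports below are constructed.

```shell
#!/bin/sh
# exposed_listeners [port ...]
# Reads `sockstat -4 -l` output on stdin and prints "command port address"
# for every IPv4 listener whose local address is outside 127.0.0.0/8.
# With port arguments, only those ports are checked (e.g. the RPC port).
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        # Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        $5 !~ /^(tcp|udp)4$/ { next }            # also skips the header row
        {
            k = split($6, part, ":"); port = part[k]
            addr = substr($6, 1, length($6) - length(port) - 1)
            if (n > 0 && !(port in watch)) next  # not a port we care about
            # "*" (wildcard) and the jail IP are both reachable from outside
            if (addr !~ /^127\./) print $2, port, addr
        }'
}

# Constructed sample: what sockstat might show inside a jail that has
# em0|203.0.113.10 and lo0|127.0.0.2 assigned (addresses are placeholders).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
rpcuser  rpcd       1201  5  tcp4   203.0.113.10:9000     *:*
rpcuser  rpcd       1201  6  tcp4   127.0.0.2:9001        *:*
root     sshd       1100  4  tcp4   *:22                  *:*'

# Check only the two RPC ports: 9000 is reported, 9001 is loopback-only.
printf '%s\n' "$SAMPLE" | exposed_listeners 9000 9001
```

On a real system, replace the sample with `sockstat -4 -l` run inside the jail, or `sockstat -4 -l -j <jid>` on the host.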

