Assign Loopback address 127.0.0.1 to jail

Jason Hellenthal jhellenthal at dataix.net
Wed Jun 11 21:31:30 UTC 2014



-- 
 Jason Hellenthal
 Voice: 95.30.17.6/616
 JJH48-ARIN

> On Jun 11, 2014, at 17:11, "s7r at sky-ip.org" <s7r at sky-ip.org> wrote:
> 
>> On 6/11/2014 11:56 PM, Jason Hellenthal wrote:
>> Simple.
>> 
>> echo 'options VIMAGE' >> /sys/`uname -p`/conf/GENERIC
>> cd /usr/src && make buildkernel && make installkernel
> This is perfectly clear - hope it does not affect the current
> functionality and installed ports on the running machine?
> 
>> Make the necessary adjustments to ensure your system is as stable as
>> you want it to be during testing and then lock the settings for the
>> jails into the respective configuration files and the host
>> system's /etc/rc.conf for the interfaces you will use.
>> 
>> Just an example of my base jail that I use for setting up other
>> jails on the fly...
>> 
>> exec.stop = "/bin/sh /etc/rc.shutdown";
>> exec.poststop = "umount /export/cnt/$name/dev";
>> exec.clean;
>> 
>> mount.devfs;
>> 
>> path = "/export/cnt/$name";
>> 
>> allow.raw_sockets;
>> allow.socket_af;
>> vnet = new;
>> 
>> base {
>>     host.hostname = base;
>>     vnet.interface = vnet0;
>>     securelevel = 3;
>>     exec.start = "ifconfig vnet0 inet 172.X.X.22/22 broadcast 172.X.X.255";
>>     exec.start += "route add default 172.X.X.1";
>>     exec.start += "/bin/sh /etc/rc";
>> }
> Q1: All this is to be pasted into the jail's /etc/rc.conf file?

That portion is for the jail.conf(5) syntax. /etc/jail.conf

Possibly ezjail? In /usr/local as well, but I'm unfamiliar with ezjail; the above settings in place should take effect globally.


> 
> Q2: 172.X.X.22/22 -> I want to assign a public IP address to the jail,
> and a local loopback address.

You won't have to worry about the loopback as that will be automatically configured since it will now have its own virtual network stack, and its very own lo0 interface.

For the public IP space, you can just change that 172 class B to whatever you need in the jail.conf to set that for every time the jail starts.

> 
> Q3: route add default - this is the default router? this should be the
> host's public IP address or the IP address of the gateway assigned by
> my ISP?

If I'm understanding that correctly, yes. Think of this now as its own entity with its own network stack. You're just configuring it like you would if you were setting up an actual additional machine on your network.

> 
>> And in my system's rc.conf... ifconfig_interface0_name="vnet0"
> No IP address here or alias for vnet0? In host's /etc/rc.conf? Just
> interface0_name="vnet0"? Shouldn't interface0 be em0, the default
> interface of the host? Shouldn't that come first?
> 
>> I actually give my base template jail a full actual interface to
>> work with so I can segment it off on the network at the switch
>> level and drop it into another management vlan. But the
>> configuration is simple and similar to other interfaces virtual or
>> not like if_epair(4).
>> 
>> The rest of the jail configuration as in rc.conf and such within
>> the jail is the same as if it was not a VIMAGE so you should
>> already be aware of those details so I won't rattle on with those.
>> But if you have any specific questions about this as you move
>> through setting up VIMAGE jails feel free to give me a holler
>> directly or back to this list and I'll be happy to give you a hand.
>> 
>> On Wed, Jun 11, 2014 at 3:53 PM, s7r at sky-ip.org <s7r at sky-ip.org> wrote:
>> 
>>> On 6/11/2014 4:46 AM, Jason Hellenthal wrote:
>>> You could just go with building the host kernel with VIMAGE...
>>> Then each jail has its own virtual network stack.
>> 
>> 
>>> -- 
>>> Jason Hellenthal
>>> Voice: 95.30.17.6/616
>>> JJH48-ARIN
>> 
>>> On Jun 10, 2014, at 21:19, "s7r at sky-ip.org" <s7r at sky-ip.org> wrote:
>> 
>>> On 6/11/2014 3:28 AM, Allan Jude wrote:
>>>>>> On 2014-06-10 20:23, s7r at sky-ip.org <s7r at sky-ip.org> wrote:
>>>>>>>> On 6/11/2014 3:20 AM, Allan Jude wrote:
>>>>>>>> On 2014-06-10 20:07, s7r at sky-ip.org <s7r at sky-ip.org> wrote:
>>>>>>>>> Hi,
>>>>>>>>> 
>>>>>>>>> Operating system is FreeBSD 10.0 64 Bit
>>>>>>>>> 
>>>>>>>>> I have installed ezjail from ports and properly 
>>>>>>>>> configured a jail with its own static and dedicated
>>>>>>>>> IP address. Everything works well, it's just that I
>>>>>>>>> have an application which needs to talk to another
>>>>>>>>> one via RPC on IP 127.0.0.1, and I have noticed the
>>>>>>>>> jail does not have a lo0 interface or localhost
>>>>>>>>> 127.0.0.1 IP address.
>>>>>>>>> 
>>>>>>>>> This is bad because the application has no choice
>>>>>>>>> but to bind to the public IP address assigned to the
>>>>>>>>> jail, and it's not safe.
>>>>>>>>> 
>>>>>>>>> How can I add a lo0 interface with IP 127.0.0.1 to a 
>>>>>>>>> jail?
>>>>>>>>> 
>>>>>>>>> Thanks in advance. 
>>>>>>>>> _______________________________________________
>>>>>>>>> freebsd-jail at freebsd.org mailing list
>>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>>>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
>>>>>>> 
>>>>>>>> Does it have to be 127.0.0.1? You can add an alias
>>>>>>>> like 127.0.0.2 to the lo0 interface and use that.
>>>>>>> 
>>>>>>>> Inside the jail, 127.0.0.1 is mapped to the IP of the 
>>>>>>>> jail.
>>>>>>> 
>>>>>>>> Using ezjail, you can also allocate more than 1 IP 
>>>>>>>> address to a jail by comma separating them
>>>>>>> 
>>>>>>>> You can also make it automatically alias the IPs for
>>>>>>>> you with the syntax:
>>>>>>> 
>>>>>>>> em0|192.168.0.10,lo0|127.0.0.2 etc
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Thank you Allan for your fast reply.
>>>>>>> 
>>>>>>> I have the jail already created via: # ezjail-admin
>>>>>>> create <jailname> <em0|public IP>
>>>>>>> 
>>>>>>> How do I modify the already existing jail to have 
>>>>>>> 127.0.0.2, for example, or can't I just have 127.0.0.1
>>>>>>> in the jail?
>>>>>>> 
>>>>>> 
>>>>>> Stop the jail, and then edit
>>>>>> /usr/local/etc/ezjail/jail_name
>>>>>> 
>>>>>> and change the line that defines the IPs
>> 
>>> Thank you it works, with 127.0.0.2
>> 
>>> If I try to add 127.0.0.1 will this create any conflicts with
>>> the host or will it work? Because I have something important
>>> listening on the host's 127.0.0.1 and don't want to mess up. I would
>>> need the same configuration within the jail also, so that's why I
>>> need the .1 localhost IP.
>> 
>> 
>> 
>> Hey Jason
>> 
>> Thanks for your suggestion. Can you please elaborate a little bit
>> and tell me how I can do this step by step? I have an already
>> installed system with ezjail and already created one jail - how can
>> I add VIMAGE to have a virtual network stack in each jail without
>> having to reinstall the host or the jails? Thank you, looking
>> forward to your reply.
> Thank you.
> -- 
> s7r
> PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
> PGP Pubkey: http://www.sky-ip.org/s7r@sky-ip.org.asc
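As an added example that is not part of the thread, a small POSIX sh check for an ezjail-style address list in the `em0|address,lo0|alias` form Allan describes above. It flags a list that asks for 127.0.0.1 (which, in a non-VIMAGE jail, is the host's own localhost and is remapped to the jail's address) and a list with no loopback alias at all (which is what forces a local-only RPC service onto the public IP). The function name and the sample lists are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an ezjail-style IP list
# such as "em0|192.168.0.10,lo0|127.0.0.2" before it is written into
# /usr/local/etc/ezjail/<jailname> (the file named in the thread).
#
# Findings (one line each, exit status 1 if any):
#   - 127.0.0.1 requested: in a non-VIMAGE jail that is the host's own
#     localhost, and the jail sees its public address there instead.
#   - no 127.x alias at all: a local-only service (the RPC case above)
#     would have nothing but the public address to bind to.
check_ezjail_ips() {
    spec=$1
    rc=0
    has_lo_alias=0
    old_ifs=$IFS
    IFS=,
    for item in $spec; do
        # Each item is "iface|address[/prefix]" or a bare address.
        case $item in
            *\|*) iface=${item%%\|*}; addr=${item#*\|} ;;
            *)    iface="(default)"; addr=$item ;;
        esac
        case $addr in
            127.0.0.1|127.0.0.1/*)
                echo "WARN: $iface|$addr is the host's loopback; use a dedicated alias such as 127.0.0.2, or a VIMAGE jail"
                has_lo_alias=1
                rc=1 ;;
            127.*)
                has_lo_alias=1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$has_lo_alias" -eq 0 ]; then
        echo "WARN: no loopback alias; local-only services would have to bind to the public address"
        rc=1
    fi
    return $rc
}

# Constructed sample lists: the second and third reproduce the two pitfalls.
check_ezjail_ips 'em0|192.168.0.10,lo0|127.0.0.2' && echo "OK: em0|192.168.0.10,lo0|127.0.0.2"
check_ezjail_ips 'em0|192.168.0.10' || true
check_ezjail_ips 'em0|192.168.0.10,lo0|127.0.0.1' || true
```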

