Jails routing and localhost

Luke Crooks luke at solentwholesale.com
Thu Jan 18 19:03:34 UTC 2018


Hi Ole,

I am by no means an expert, but to me your problem is here:


  # ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'

You are binding the jail to the same network controller lo1.

Usually you would bind the jail like:

  # ezjail-admin create somejail 'lo1|127.0.0.238, emX|10.1.1.238'


Where 10.1.1.0/24 is the subnet of your host, and you have free range on
the network and want to create the jail as a fully fledged host.

Seeing as you have only been assigned a /32 for your host, I would imagine
you would possibly need to do something like:

  # ezjail-admin create somejail 'lo1|127.0.0.238, lo0|127.0.0.237'

E.g. bind the jail loopback of lo1 to the host loopback lo0. I have
never seen a configuration like yours using the same device twice, but I
could be totally wrong.



On 18 Jan 2018 12:58, "Ole" <ole at free.de> wrote:

> Hi,
>
> I have some questions about how routing works for jails.
>
> I have a FreeBSD 11.1 host in a datacenter, which has only a routed IP
> and different /29 routed networks. The IP is set up as /32 and there is a
> default route to the router of the datacenter:
>
>
>   # ifconfig em1
>     (...)
>     inet a.a.a.57 netmask 0xffffffff broadcast a.a.a.57
>     (...)
>
>
>   # netstat -rn
>     (...)
>     Destination        Gateway            Flags     Netif Expire
>     default            a.a.a.1            UGS         em1
>     (...)
>
>
> If I create jails like
>
>   # ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'
>
> everything is fine until some service in the jail tries to bind to
> 127.0.0.1, because it will bind to the public IP b.b.b.238.
> The Handbook [1] says:
>
>   "Inside a jail, access to the loopback address 127.0.0.1 is
>   redirected to the first IP address assigned to the jail."
>
> If I change the order of the IP addresses the service will bind to
> 127.b.b.238. But inside the jail, networking fails in a way that I can't
> debug. I can connect from the outside via ssh but I can't connect from
> the jail to an external server. I can't find any differences in
> routing table or ifconfig between both setups.
>
>
> I also tried to use tap interfaces instead of lo, but it results in the
> same.
>
> I wonder how others solve this problem. I searched a lot, but couldn't
> find a solution. Maybe you don't have a solution, but can give me a
> hint to debug the problem. Thank you!
>
>
> regards
> Ole
>
> [1] https://www.freebsd.org/doc/handbook/jails-ezjail.html
>
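
The Handbook sentence quoted in the thread means that the order of addresses passed to ezjail-admin decides what a jailed service bound to 127.0.0.1 really listens on. The following sh check is an added example, not part of either post and not ezjail's own code: it reads an address list in the `if|addr,if|addr` form used above and reports whether the first IPv4 address is in 127/8. The function names `first_ipv4` and `check_jail_spec` are hypothetical, and the addresses 192.0.2.238 and 127.0.2.238 are constructed stand-ins for the masked ones in the thread.

```shell
#!/bin/sh
# Added example: where does 127.0.0.1 land inside a jail?
# Assumes the Handbook rule quoted in the thread: loopback access is
# redirected to the FIRST IP address assigned to the jail.

# Print the first IPv4 address of an "if|addr,if|addr" list.
# Runs in a subshell so the IFS and globbing changes stay local.
first_ipv4() (
    IFS=','; set -f
    for entry in $1; do
        addr=${entry##*"|"}                     # drop "iface|" if present
        addr=${addr%%/*}                        # drop "/prefixlen" if present
        addr=$(printf '%s' "$addr" | tr -d ' \t')
        case $addr in
            *:*)     ;;                         # IPv6 entry, skip
            *.*.*.*) printf '%s\n' "$addr"; exit 0 ;;
        esac
    done
    exit 1
)

# "loopback <addr>": 127.0.0.1 stays on a 127/8 address (exit 0).
# "exposed <addr>":  services binding to localhost listen on <addr> (exit 1).
# "no-ipv4":         nothing to map 127.0.0.1 to (exit 2).
check_jail_spec() {
    first=$(first_ipv4 "$1") || { echo "no-ipv4"; return 2; }
    case $first in
        127.*.*.*) echo "loopback $first"; return 0 ;;
        *)         echo "exposed $first";  return 1 ;;
    esac
}

# Constructed sample specs: both address orders discussed in the thread.
for spec in 'lo1|192.0.2.238,lo1|127.0.2.238' \
            'lo1|127.0.2.238,lo1|192.0.2.238'; do
    printf '%s -> ' "$spec"
    check_jail_spec "$spec" || :
done
```

An "exposed" result is the case from the original question: a daemon configured for localhost only is reachable on the jail's first, routed address unless a firewall rule or an explicit bind address says otherwise.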
