Jails routing and localhost

Dan Langille dan at langille.org
Thu Jan 18 23:52:25 UTC 2018


> On Jan 18, 2018, at 2:32 PM, Isaac (.ike) Levy <ike at blackskyresearch.net> wrote:
> 
> Hi Ole,
> 
> I cannot comment on ezjail specifics, but can add notes on how jails fundamentally handle localhost, which may help you,
> 
> On Thu, Jan 18, 2018, at 7:23 AM, Ole wrote:
>> Hi,
>> 
>> I have some questions about how routing works for jails. 
>> 
>> I have a FreeBSD 11.1 host in a datacenter. Which has only a routed IP
>> and different /29 routed networks. The IP is setup as /32 and there is a
>> default route to the router of the datacenter:
>> 
>> 
>>  #ifconfig em1
>>    (...)
>>    inet a.a.a.57 netmask 0xffffffff broadcast a.a.a.57
>>    (...)
>> 
>> 
>>  # netstat -rn
>>    (...)
>>    Destination        Gateway            Flags     Netif Expire
>>    default            a.a.a.1            UGS         em1
>>    (...)
>> 
>> 
>> If I create jails like
>> 
>>  # ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'
>> 
>> everything is fine until some service in the jail tries to bind to
>> 127.0.0.1. Because it will bind to the public IP b.b.b.238.
>> The Handbook [1] tells 
>> 
>>  "Inside a jail, access to the loopback address 127.0.0.1 is
>>  redirected to the first IP address assigned to the jail."
> 
> Right - so if you don't assign a loopback address at all, loopback will use the first IP assigned to the host (another response in this thread).
> 
> Because your hardware host has the 127.0.0.1 address, if you were to assign it to jails, that would mean all jails would be communicating using it, which would be bad - (I'm not sure if it even works or if jail(2) prevents it from working).
> 
> RFC 3330 tells us, http://www.ietf.org/rfc/rfc3330.txt
> 
>   127.0.0.0/8 - This block is assigned for use as the Internet host
>   loopback address.  A datagram sent by a higher level protocol to an
>   address anywhere within this block should loop back inside the host.
>   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
>   but no addresses within this block should ever appear on any network
>   anywhere [RFC1700, page 5].
> 
> So, here's what I've been doing for many years:
> 
> - Add another 127.x.x.x address to lo0 on your hardware host (I typically match the last octets to the public address I'm using, just my way of keeping track of things), for example, this IPv4 address could look like: "127.4.4.4/32". You can add these single /32 addresses right to the lo0 interface on the host machine.

I do similar, except *sometimes* I create lo1 and assign those addresses there.

I use this approach on jails with no public presence (e.g. database server).

-- 
Dan Langille - BSDCan / PGCon
dan at langille.org
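The thread's point is that, per the Handbook quote, a jail's 127.0.0.1 is redirected to the first address in its list, so a daemon that "binds to localhost" can silently end up on the public /29 address. The script below is an added example, not something posted in the thread or shipped with ezjail. It assumes the private loopback alias 127.4.4.4 from ike's suggestion, a constructed public address 203.0.113.238, the ezjail-admin address syntax Ole used, and sockstat(1) on FreeBSD with its -4, -l and -j flags; the sockstat output it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks around the "127.0.0.1 becomes
# the jail's first address" behaviour quoted from the Handbook.
#
# Assumed host setup (rc.conf lines; ike adds the alias to lo0, Dan sometimes
# uses a cloned lo1 as here; 127.4.4.4 and 203.0.113.238 are constructed values):
#   cloned_interfaces="lo1"
#   ifconfig_lo1_alias0="inet 127.4.4.4 netmask 255.255.255.255"
#   ifconfig_lo1_alias1="inet 203.0.113.238 netmask 255.255.255.255"
# and the jail created with the private loopback address listed FIRST:
#   ezjail-admin create somejail 'lo1|127.4.4.4,lo1|203.0.113.238'

# Check 1: given an ezjail address spec ("if|addr,if|addr,..."), print the
# address that 127.0.0.1 inside the jail will be redirected to (the first one).
first_jail_addr() {
    printf '%s\n' "$1" | cut -d, -f1 | cut -d'|' -f2
}

# Exit 0 when the first jail address is inside 127.0.0.0/8, 1 otherwise.
loopback_is_first() {
    case "$(first_jail_addr "$1")" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Check 2: audit what is actually listening inside a running jail.
# Input is sockstat(1) output as produced by:  sockstat -4 -l -j <jid>
# (columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).
# Prints "COMMAND LOCAL-ADDRESS" for every listener whose local address is
# not in 127.0.0.0/8. A wildcard "*" bind is reported too, because inside a
# jail it covers every jail address, the public one included.
exposed_listeners() {
    awk 'NR > 1 && $7 == "*:*" {
             split($6, a, ":")            # a[1] = address, a[2] = port
             if (a[1] !~ /^127\./) print $2, $6
         }'
}

# Number of exposed listeners in sockstat-format text read from stdin.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Constructed sockstat sample (not captured from a real host): two daemons
# ended up on the public address, two on the private loopback alias.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  19 tcp4   203.0.113.238:3306    *:*
www      nginx      1240  6  tcp4   203.0.113.238:80      *:*
redis    redis-serv 1250  5  tcp4   127.4.4.4:6379        *:*
root     syslogd    1100  7  udp4   127.4.4.4:514         *:*'

# Stand-alone run: evaluate a spec in Ole's order, then the corrected order,
# then audit the constructed sockstat sample.
for spec in 'lo1|203.0.113.238,lo1|127.4.4.4' 'lo1|127.4.4.4,lo1|203.0.113.238'; do
    if loopback_is_first "$spec"; then
        echo "OK      $spec  (127.0.0.1 -> $(first_jail_addr "$spec"))"
    else
        echo "WARNING $spec  (127.0.0.1 -> $(first_jail_addr "$spec"), a public address)"
    fi
done
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
```

On a live host the second check is `sockstat -4 -l -j somejail | exposed_listeners`; an empty result means every listener in the jail sits on a 127.0.0.0/8 alias, which is the state the lo0/lo1 trick is meant to produce.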
