Fw: Re: vimage-assigning interface to jail
Julian Elischer
julian at elischer.org
Fri Oct 2 20:02:23 UTC 2009
remodeler wrote:
> Thank you Glen: (sorry this copied twice to glen)
>
>> Do you have your nameserver in /etc/resolv.conf ?
>
> The jail and hostname both have /etc/resolv.conf set to a nameserver on the
> local host. I get the same error message pinging to the private-space address
> of the physical ethernet interface (the server is on a NAT'd development network):
>
> PING 192.168.0.10 (192.168.0.10): 56 data bytes
> ping: sendto: No route to host
>
> Some other information:
>
> #ngctl list
> There are 5 total nodes:
> Name: bridge0 Type: bridge ID: 00000007 Num hooks: 3
> Name: ipfw Type: ipfw ID: 00000001 Num hooks: 0
> Name: ngeth0 Type: eiface ID: 00000004 Num hooks: 1
> Name: ngctl1495 Type: socket ID: 0000000f Num hooks: 0
> Name: msk0 Type: ether ID: 00000002 Num hooks: 2
>
> Firewall rules are permissive, allow any to any. The jail environment is:
>
> #ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> nd6 options=33<PERFORMNUD,AUTO_LINKLOCAL>
> maclabel mls/equal(equal-equal)
> eth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ether 40:0a:0b:0c:0d:01
> inet 172.26.75.10 netmask 0xffffffff broadcast 172.26.75.10
> inet6 fe80::420a:bff:fe0c:d01%eth0 prefixlen 64 scopeid 0x2
> nd6 options=33<PERFORMNUD,AUTO_LINKLOCAL>
> maclabel mls/low(low-low)
>
> with eth0 being an ng_eiface node, moved to the jail with vimage -i testvnet
> ngeth0. The host environment is:
>
> #ifconfig
> msk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=11a<TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4>
> ether [edited]
> inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
> inet6 fe80::223:54ff:fe08:2bf7%msk0 prefixlen 64 scopeid 0x1
> nd6 options=41<IFDISABLED,PERFORMNUD,AUTO_LINKLOCAL>
> maclabel mls/low(low-low)
> media: Ethernet autoselect (100baseTX <full-duplex,flag0,flag1>)
> status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet 127.0.0.1 netmask 0xff000000
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
> nd6 options=33<PERFORMNUD,AUTO_LINKLOCAL>
> maclabel mls/equal(equal-equal)
>
> Output of jls from the host is:
>
> #jls
> # JID IP Address Hostname Path
> # 1 - testnet.myorg.org /jail/j/testnet
>
> I cannot set the IP address when I create the jail without an error:
> ip4.addr=${addr} gives "jail: vnet jails cannot have IP address restrictions";
> ip4${addr} gives "jail: ip4: unknown jailsys value "172.26.72.10""; and
> ip=${addr} gives "jail: unknown parameter: ip".
>
> netstat -rn gives:
>
> #netstat: kvm not available: /dev/mem: Permission denied
> #Routing tables
> #rt_tables: symbol not in namelist
>
> /dev/mem is available in the jail environment, and /dev is mounted in the
> jail. I get a permission denied error on both /dev/mem and /dev/kmem:
>
> #ll /dev/kmem (or ll /dev/mem)
> #ls: /dev/kmem: Permission denied
>
> also,
>
> #vimage -l
> testvnet
>
> I do have vimage-enabled kernels on both the host and the jails (8.0). I
> originally installed a non-vimage kernel in the jails, and then updated to a
> vimage-enabled kernel following instructions in the handbook (using a template
> system). I am fairly certain I have the new kernel, as uname shows my new
> build date.
>
I don't think the kernel in a jail matters.
The following has a jail with a root of / for simplicity of testing:
soekris# jail -c host.hostname=test path=/ vnet command=/bin/tcsh
test#
lo0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
---- back on host system:
soekris# jls
JID IP Address Hostname Path
1 - test /
soekris# ifconfig vr2 vnet 1
soekris#
---- back on jail 'test' (1):
test# ifconfig
lo0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
vr2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC>
ether 00:00:24:c9:24:6a
media: Ethernet autoselect (none)
status: no carrier
test# ifconfig vr2 172.28.15.1/24
test# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
172.28.15.0/24 link#2 U 0 0 vr2
172.28.15.1 link#2 UHS 0 0 lo0
test# route add default 172.28.15.2
add net default: gateway 172.28.15.2
test# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 172.28.15.2 UGS 0 0 vr2
172.28.15.0/24 link#2 U 0 0 vr2
172.28.15.1 link#2 UHS 0 0 lo0
test#
I think you need to add a default rule for starters as there is no
route to 192.168.x.x in your jail.
Remember the jail cannot see your base system.
> Thank you very much again.
> ------- End of Forwarded Message -------
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
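The diagnosis in this thread is that the vnet jail has an address but no route covering 192.168.x.x, so sendto fails with "No route to host". The following is an added example, not code from the thread: a POSIX sh/awk check that takes a "netstat -rn"-style table and reports which route (if any) a destination would use, by longest-prefix match, so the missing-default-route condition can be spotted before pinging. The tables are constructed to mirror the "test" jail above before and after "route add default"; it assumes the Expire column is blank so the last field is Netif.

```shell
#!/bin/sh
# Added example (not from the thread): longest-prefix route lookup over
# "netstat -rn" text, to show why a vnet jail without a default route
# gets "No route to host" for addresses outside its own subnet.

# Constructed sample: the jail's table right after "ifconfig vr2 172.28.15.1/24".
JAIL_TABLE_NO_DEFAULT='Destination Gateway Flags Refs Use Netif Expire
172.28.15.0/24 link#2 U 0 0 vr2
172.28.15.1 link#2 UHS 0 0 lo0'

# Constructed sample: the same table after "route add default 172.28.15.2".
JAIL_TABLE_WITH_DEFAULT="default 172.28.15.2 UGS 0 0 vr2
$JAIL_TABLE_NO_DEFAULT"

# route_for DEST TABLE -> prints "netif gateway" of the best matching route,
# or "none" when nothing covers DEST (the jail's "No route to host" case).
route_for() {
  printf '%s\n' "$2" | awk -v dst="$1" '
    # dotted quad -> 32-bit number (awk doubles hold this exactly)
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    BEGIN { d = ip2n(dst); best = -1 }
    # skip the header and the "Routing tables" / "Internet:" lines
    $1 == "Destination" || NF < 3 { next }
    {
      if ($1 == "default")                 { net = 0;         plen = 0 }
      else if (split($1, a, "/") == 2)     { net = ip2n(a[1]); plen = a[2] + 0 }
      else                                 { net = ip2n($1);   plen = 32 }
      # shift both addresses right by (32-plen) bits and compare the prefixes;
      # keep the most specific (longest) matching prefix
      if (plen > best && int(d / 2^(32-plen)) == int(net / 2^(32-plen))) {
        best = plen; out = $NF " " $2
      }
    }
    END { print (best < 0 ? "none" : out) }'
}

# Usage: a jail address with no default route cannot reach the host network.
route_for 192.168.0.10 "$JAIL_TABLE_NO_DEFAULT"     # none
route_for 192.168.0.10 "$JAIL_TABLE_WITH_DEFAULT"   # vr2 172.28.15.2
```

On a live jail the same check runs as `route_for 192.168.0.10 "$(netstat -rn)"` from inside the vnet, which sidesteps the kvm/dev/mem error by reading only netstat's text output.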