From: Milan Obuch
To: freebsd-jail@freebsd.org
Subject: Re: jail.conf question (vnet.interface)
Date: Mon, 7 Jun 2021 09:04:31 +0200
Message-ID: <20210607090431.057eb3a1@zeta.dino.sk>
In-Reply-To: (missing)
References: <20210606153529.526c1675@zeta.dino.sk>

On Sun, 06 Jun 2021 09:23:58 -0700, James Gritton wrote:

> On 2021-06-06 06:35, Milan Obuch wrote:
> > Hi,
> >
> > for vnet jails, one needs to move some interface into the created
> > virtual stack. In jail.conf, this could be achieved using
> >
> > jail0 {
> >     vnet;
> >     vnet.interface = re2;
> > }
> >
> > and initialize the moved interface using the standard /etc/rc.conf
> > configuration file in jail jail0.
> >
> > Adding a small paragraph about this in the jail.conf man page would be
> > useful. I know it is in the jail man page in some form, but it deserves
> > mentioning in the example section of the jail.conf man page. At least,
> > this makes it easier to find for first comers :) (Well, that's not
> > me, I have been using vnet jails aka VIMAGE from the start as an
> > experimental feature in FreeBSD 4 or 5, almost 20 years ago.)
>
> True, it would make sense to add a vnet example, since it's now
> included in the default kernel.

I looked once more; my suggestion would be to just add another config
snippet to the EXAMPLES section. Maybe something like my snippet above,
with a comment pointing to the jail(8) man page for more variables. While
this man page is mentioned in the SEE ALSO section, it would be better to
make this link more prominent, along with a simple example of vnet jail
usage.

> > I need more interfaces moved this way. It is no problem to issue
> > manually
> >
> > ifconfig re3 vnet jail0
> >
> > but trying to write
> >
> > jail0 {
> >     vnet;
> >     vnet.interface = re2;
> >     vnet.interface = re3;
> > }
> >
> > in jail.conf means only re3 is moved and can be configured with the
> > standard rc.conf config file. The first instance (re2) is kind of
> > overwritten and forgotten.
> >
> > Is it possible to move more interfaces this way at all? I'd like to
> > avoid any hacks if possible, and any workaround for this is ugly...
>
> It's not possible to add more than one interface that way. It would
> make sense for vnet.interface to be an array, so you could say have a
> comma-separated list or say "vnet.interface += re3".

Where is this functionality implemented (at least for the ip4.addr list)?
Which file? Is it a script of some kind?

> Currently, anything more than one interface would need to be an
> ifconfig command added to "exec.created".

Thanks for the notice. Just to be sure, for interested ones - such a
command is executed before anything else, namely /etc/rc from the jail.
I have some special scenario where I am not using /etc/rc in the jail,
just exec.created.

Regards,
Milan
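Putting the two points of this thread into one jail.conf snippet, as an added example that is not part of the thread or of the FreeBSD man pages: vnet.interface carries the single interface the thread says it accepts, and the second interface is moved by an ifconfig command in exec.created. The interface names re2 and re3 are assumed, and `$name` is the jail.conf variable holding the jail's name.

```conf
# Added example (not from the thread): a vnet jail that receives two host
# interfaces. vnet.interface moves only one interface, as discussed in the
# thread; every further interface goes through exec.created, which runs
# after the jail is created and before its own /etc/rc.
jail0 {
    vnet;
    vnet.interface = re2;
    # Assumed: re3 is the second host interface. $name expands to the
    # jail name ("jail0"), so the command does not hardcode it.
    exec.created += "ifconfig re3 vnet $name";
    # Addresses on re2 and re3 are then configured from /etc/rc.conf
    # inside the jail, as with the single-interface case.
}
```

After starting the jail, `ifconfig -l` on the host should no longer list re3, while `jexec jail0 ifconfig -l` should list both re2 and re3; an interface left visible on the host means the move did not happen.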