Hierarchical Jails

James Gritton jamie at freebsd.org
Fri Nov 27 17:09:10 UTC 2015


On 27.11.2015 at 08:54, "Carsten Bäcker" wrote:
> Sorry... something's wrong with GMX webmailer. Second time this 
> happens.
> Hi Hackers,
> I'm running into problems creating hierarchical jails.
> First of all: this is my first try with *hierarchical* jails (in favor
> of creating a bunch of VMs for software-testing).
> I aliased lo0 with 127.0.1.1 - 127.0.1.3
> --- HOST jail.conf ---
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> persist;
> 
> allow.socket_af=1;
> allow.raw_sockets=1;
> path = "/usr/local/jails/$name";
> mount.fstab = "/usr/local/jails/fstab.$name";
> core {
>         host.hostname="jail_core";
>         children.max=2;
>         ip4.addr = ue0|192.168.42.90,lo0|127.0.1.1,lo0|127.0.1.2,lo0|127.0.1.3;
> }
> --- "jail_core" jail.conf ---
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
> mount.devfs;
> persist;
> path = "/usr/local/jails/$name";
> mount.fstab = "/usr/local/jails/fstab.$name";
> dev1 {
>         host.hostname="jail_dev1";
>         ip4.addr = lo0|127.0.1.1;
> }
> jail_core starts up fine, but "children.max" seems to have no effect
> when checked within the jail.
> root@jail_core:/ # sysctl security.jail.param.children
> security.jail.param.children.max: 0
> security.jail.param.children.cur: 0
> I'm not sure if this is related to the following problem, but when I
> try to create a child-jail in this jailed environment I run into the
> following error.
> root@jail_core:/ # jail -c dev1
> ifconfig: ioctl (SIOCAIFADDR): permission denied
> jail: dev1: /sbin/ifconfig lo0 inet 127.0.1.1 netmask 255.255.255.255
> alias: failed
> What am I doing wrong? Any suggestions?
> Unfortunately I didn't find too much information concerning
> hierarchical jails.
> Running CURRENT -r290973.
> Best Regards
> Carsten Bäcker

The trouble lies in dev1's ip4.addr specification.  "lo0|127.0.1.1"
means that the IP address is 127.0.1.1, and that an alias should be
added on the interface lo0.  But dev1 doesn't have permission to add
IP aliases, which is where the "alias: failed" message comes from.

The solution is easy in this case: you've already planned ahead and
created the alias in core (as you should have), so it doesn't need to
be created again.  Just change dev1's specification to "ip4.addr =
127.0.1.1".

- Jamie
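
The check below is an added example, not part of the thread or of FreeBSD: it lists the ip4.addr entries in a jail.conf that use the "iface|addr" form, which is the form that makes jail(8) try to add an interface alias as described in the reply. The function name alias_entries and the simplified parsing (only '#' comments, no ';' inside quoted strings) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): report ip4.addr entries written as
# "iface|addr", the form that makes jail(8) run ifconfig to add an alias.
# Simplified parser: only '#' comments, no ';' inside quoted strings.

alias_entries() {   # $1 = jail.conf path; prints "jail iface addr" lines
    sed 's/#.*//' "$1" | awk '
    BEGIN { RS = ";"; jail = "(global)" }
    {
        rec = $0
        gsub(/[$][{][^}]*[}]/, "", rec)          # drop ${var} references
        if ((i = index(rec, "}")) > 0) {          # a jail block closed
            jail = "(global)"; rec = substr(rec, i + 1)
        }
        if ((i = index(rec, "{")) > 0) {          # "name {" opens a block
            jail = substr(rec, 1, i - 1); gsub(/[ \t\n]/, "", jail)
            rec = substr(rec, i + 1)
        }
        gsub(/[ \t\n"]/, "", rec)                 # value may wrap over lines
        if (rec !~ /^ip4\.addr[+]?=/) next
        sub(/^ip4\.addr[+]?=/, "", rec)
        n = split(rec, ent, ",")
        for (k = 1; k <= n; k++)
            if (split(ent[k], p, /[|]/) == 2) print jail, p[1], p[2]
    }'
}

# dev1 as posted in the thread, then with the change suggested in the reply.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'persist;\ndev1 {\n\thost.hostname="jail_dev1";\n\tip4.addr = lo0|127.0.1.1;\n}\n' > "$tmp/before.conf"
printf 'persist;\ndev1 {\n\thost.hostname="jail_dev1";\n\tip4.addr = 127.0.1.1;\n}\n' > "$tmp/after.conf"

echo "before:"; alias_entries "$tmp/before.conf"   # dev1 lo0 127.0.1.1
echo "after:";  alias_entries "$tmp/after.conf"    # (no output)
```

Run inside the parent jail against the child's jail.conf, any line it prints names an address the child would try to alias itself.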

