Re: IPv4 addresses clash / jails not working after reboot…

Jamie Gritton jamie at FreeBSD.org
Thu Mar 7 23:32:45 UTC 2013



On 03/07/13 05:29, Yoann Gini wrote:
>
> On 7 March 2013 at 10:58, Boris Samorodov<bsam at passap.ru>  wrote:
>
>> 07.03.2013 12:48, Yoann Gini wrote:
>>
>>> I need to share this IP, I’ve only one and I would like to avoid playing with NAT…
>>
>> One IP may be shared but for different services (ports).
>
> That's what I've understood and what I've planned.
>
>>> If someone has an idea…
>>
>> Give some more information:
>> 1. OS version, OS arch.
>
> FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012     root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>
>> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.
>
> What do you want from /etc? Apart from the fstab, I don't see any config there; the fstab looks like this:
>
> /home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
> /usr/ports      /home/jails/front0.public.example.com/usr/ports         nullfs ro 0 0
>
> And here is the ezjail config
>
> export jail_front0_public_example_com_hostname="front0.public.example.com"
> export jail_front0_public_example_com_ip="IPv6Prefix::80,SharedIPv4,10.42.0.2"
> export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
> export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
> export jail_front0_public_example_com_exec_stop=""
> export jail_front0_public_example_com_mount_enable="YES"
> export jail_front0_public_example_com_devfs_enable="YES"
> export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
> export jail_front0_public_example_com_procfs_enable="YES"
> export jail_front0_public_example_com_fdescfs_enable="YES"
> export jail_front0_public_example_com_image=""
> export jail_front0_public_example_com_imagetype=""
> export jail_front0_public_example_com_attachparams=""
> export jail_front0_public_example_com_attachblocking=""
> export jail_front0_public_example_com_forceblocking=""
> export jail_front0_public_example_com_zfs_datasets=""
> export jail_front0_public_example_com_cpuset=""
> export jail_front0_public_example_com_fib=""
>
>> 3. What do you want to achieve.
>
> I want a setup with:
> — srv0 listens only for SSH on an alternate port for supervision on public IPv4/6 ;
> — front0 handles any public services (web, DNS, e-mail) on public IPv4/6 ;
> — service0 handles internal services (git, redmine, AFP sharepoints…) on a private IP and SSH on another alternate port on public IPv4/6 ;
> — gateway0 acts as a VPN server and web proxy to secure access to the private services on service0, and as a secure gateway to encrypt network traffic for road-warriors on public networks.
>
> In the end, I will dispatch those services onto different servers, but for now I only have access to one system, so I would like to prepare the setup to be dispatched onto different hardware when the budget comes.
>
> Actually, if I remove the SharedIPv4 from the jails, it works.
>
> I've investigated more in the open socket area and I think the problem comes from Apache, which still listens on *:* even though I've set a Listen directive…

You're allowed to have the same address in multiple jails, but only in
the case of jails that have one address (i.e. one IPv4 address in this
case). Jails with multiple IP addresses can't share any of those
addresses with other jails. I don't know why it should work once and
then not work later though.

The jail config you show has only a single jail, so I also wonder what
it's clashing with - a clash is defined as the same IP address between
two different jails. Are there other jail configs you didn't show?

Also, there's a chance a jail has been removed but is not yet gone
(though I wouldn't expect that case in a reboot situation). Could you
run "jls -dn" immediately after the failed jail start, and tell me any
output it gives?

- Jamie
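As an added example (not part of Jamie's or Yoann's mail, and not ezjail's own code), the following POSIX shell script applies the rule Jamie states above to a set of ezjail-style `jail_<name>_ip` lines: an address may appear in several jails only if every jail using it has exactly one address. The sample config is constructed here to mirror the thread (front0 with three addresses sharing `SharedIPv4` with a second multi-address jail, plus two single-address jails legitimately sharing `10.42.0.9`); a real run would feed the files under `/usr/local/etc/ezjail/` instead. The stripping of an `iface|` prefix and a `/prefix` length before comparison is an assumption about how such lines are written, not something the thread shows.

```sh
#!/bin/sh
# Added example: flag IP addresses that clash between jails under the rule
# "shared address => every jail using it must have exactly one address".

# Constructed sample input (not from the thread's real config).
SAMPLE_CONFIG='export jail_front0_ip="IPv6Prefix::80,SharedIPv4,10.42.0.2"
export jail_service0_ip="SharedIPv4,10.42.0.3"
export jail_gateway0_ip="10.42.0.9"
export jail_monitor0_ip="10.42.0.9"'

# Same sample with the shared address removed from the multi-address jails,
# which is what Yoann reports makes the jails start.
CLEAN_CONFIG='export jail_front0_ip="IPv6Prefix::80,10.42.0.2"
export jail_service0_ip="10.42.0.3"
export jail_gateway0_ip="10.42.0.9"
export jail_monitor0_ip="10.42.0.9"'

# Emit one "<jail> <address> <address-count-of-that-jail>" line per pair.
# $1: config text containing export jail_<name>_ip="a,b,c" lines.
expand_jail_ips() {
    printf '%s\n' "$1" |
    sed -n 's/^export jail_\([A-Za-z0-9_]*\)_ip="\(.*\)"$/\1 \2/p' |
    while read -r jail addrs; do
        count=$(printf '%s\n' "$addrs" | tr ',' '\n' | wc -l | tr -d ' ')
        printf '%s\n' "$addrs" | tr ',' '\n' | while read -r addr; do
            # Assumption: drop an "iface|" prefix and a "/len" suffix so that
            # em0|10.42.0.9/24 and 10.42.0.9 count as the same address.
            addr=$(printf '%s' "$addr" | sed 's/^[^|]*|//; s,/[0-9]*$,,')
            printf '%s %s %s\n' "$jail" "$addr" "$count"
        done
    done
}

# Print one "CLASH <address>: jail(count) ..." line per clashing address.
# Returns 1 if any clash was found, 0 otherwise.
find_ip_clashes() {
    expand_jail_ips "$1" | sort -k2,2 | awk '
        {
            jails[$2] = jails[$2] " " $1 "(" $3 ")"
            n[$2]++
            if ($3 > 1) multi[$2] = 1
        }
        END {
            found = 0
            for (a in jails)
                if (n[a] > 1 && multi[a]) {
                    printf "CLASH %s:%s\n", a, jails[a]
                    found = 1
                }
            exit found
        }'
}

# Stand-alone run: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    find_ip_clashes "$SAMPLE_CONFIG" || echo "jail start would fail"
fi
```

Run it with `sh script.sh --demo`; to check a real host, pipe `cat /usr/local/etc/ezjail/*` into the same function. The single-address pair on `10.42.0.9` passes, while `SharedIPv4` is reported because front0 and service0 each carry more than one address, which is exactly the case Jamie says the kernel refuses.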

