multiple interfaces for jail.conf(1) and jail_set(2)

Ernie Luzar luzar722 at gmail.com
Wed Dec 14 02:09:43 UTC 2016


Isaac (.ike) Levy wrote:
> Hi All,
> 
> Can I specify multiple IP interfaces and assign IPs to them using jail.conf?
> I have jails with IPv4/IPv6 addresses on multiple physical interfaces, as well as assigning a loopback.
> 
> I have not found answers in the respective man pages or digging online.
> 
> I’m finally starting to poke around to start using the impressively simple jail.conf subsystem to manage jails.  I have been managing jails with simple custom start scripts since '99, and custom devfs rulesets since ~2006, so jail.conf(1) and jail_set(2) are a big welcome change for me- really awesome and clean :)
> 
> --
> Additional detail to clarify my loopback use:
> In general, I always assign each jail its own loopback IP somewhere in the RFC5735 specified range, 127.0.0.0/8 - (simply saving 127.0.0.1 for the jailing host), and then I simply set localhost to point at its IP in /etc/hosts for the jail.  On the host, I simply add the IP alias to lo0 like any other interface.
> This is often overlooked in common jailing practice, but often eliminates complexity and confusion for many userland daemons.  For full Virtual Server applications, loopback is simply dotting the i’s and crossing the t’s.
> 
> I can see how localhost would be challenging to automate for easy jail.conf configuration, mostly, in picking a loopback IP for the jail and not letting that get messy- etc…
> 
> Thanks in advance for any info!
> 
> Best,
> .ike
> 

Using native jail.conf you can assign multiple NICs with both IPv4 & 
IPv6 IP addresses. By native I mean using the jail(8) command to start/stop 
your jails, i.e. not the [service jail start] command. Use this format:
ip4.addr = "rl0|10.0.10.02, xl0|10.20.10.07, lo0|127.10.0.02"
This will also automatically create and remove the required aliases.

A word about loopback. Just like on the host, most services do not use 
the loopback interface; this is also true for jailed services. Only 
services that default to using the loopback interface need one defined 
in the jail to work correctly.

Take note: the services that use the loopback interface default to using 
the 127.0.0.1 IP address. A service in a jail that uses loopback MUST 
have its configuration changed to use the 127.10.0.02 IP address 
assigned in the jail's jail.conf ip4.addr parameter. No service in a jail 
can be assigned the host's 127.0.0.1 IP address.

I recommend you check out these ports:
jail-primer, which gives background on jails across FreeBSD releases.
qjail, a utility that simplifies jail admin.
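As an added example (not part of either post in this thread): a jail.conf(5) entry that assigns one jail addresses on two physical interfaces plus a private 127.0.0.0/8 alias on lo0, in the form Isaac describes. The jail name www, the interface names em0 and em1, the path, the hostname and every address (RFC 5737 documentation ranges and 127.0.10.1 for the loopback) are assumptions chosen for illustration, not values from the original posts.

```conf
# /etc/jail.conf (added illustration; names and addresses are assumptions)

# Defaults shared by every jail in this file.
exec.start  = "/bin/sh /etc/rc";
exec.stop   = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path          = "/usr/jails/$name";
host.hostname = "$name.example.net";

www {
    # One IPv4 address per physical interface, plus a loopback alias that
    # belongs to this jail alone (127.0.0.1 stays with the host).
    # Syntax: iface|address[/prefix]; jail(8) adds each alias to the
    # named interface at start and removes it at stop. The prefix is
    # omitted for lo0 so it defaults to /32, which a second 127/8 address
    # on lo0 needs.
    ip4.addr = "em0|192.0.2.10/24, em1|198.51.100.10/24, lo0|127.0.10.1";

    # IPv6 uses the same form under ip6.addr (assumed 2001:db8:: prefixes).
    ip6.addr = "em0|2001:db8:1::10/64, em1|2001:db8:2::10/64";

    # Inside the jail, 127.0.0.1 does not exist: point localhost at
    # 127.0.10.1 in the jail's /etc/hosts, and reconfigure any daemon
    # that binds 127.0.0.1 by default to bind 127.0.10.1 instead.
}
```

After `jail -c www`, `jls -j www ip4.addr` on the host lists exactly the three IPv4 addresses above, `ifconfig lo0` shows the 127.0.10.1 alias, and `jexec www sockstat -4l` is the quick check that no daemon in the jail is still trying to listen on 127.0.0.1. `jail -r www` removes the aliases again.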
More information about the freebsd-jail mailing list