Jail with public IP alias

Patrick gibblertron at gmail.com
Wed Aug 28 18:42:17 UTC 2013

On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aimass at yabarana.com> wrote:
> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <frank2 at fjl.co.uk> wrote:
>> On 28/08/2013 00:19, Patrick wrote:
>>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass <aimass at yabarana.com>
>>> wrote:
> [...]
>> (Tidied up so all now bottom posted)
>> I can confirm that you shouldn't be seeing this behaviour because I don't. I
>> don't use EzJail - I prefer "vi". Seriously, setting up a jail is very
>> straightforward anyway, and when I tried ezjail I found it was doing stuff I
>> didn't like, so dropped it early on. It was a long time ago and I've
>> forgotten the specifics.
>> I guess if you're using it you're new to this particular game, so please
>> excuse me pointing out a few basics here.
> We use Ezjail not because it's easy or because we're new to jails, I
> think you might be confused on what EzJail actually is and why people
> use it. We use it because we manage a private cloud exclusively based
> on FBSD with about a dozen servers with a couple dozen jails each. I
> use EzJail because it allows us to manage just shy of 300 separate
> environments with only a couple of sysadmins, and with optimized
> system resources. We use it because IT ROCKS.
>> Although I can't exactly see how this would cause a problem, remember that
>> many services will bind to ALL IP addresses when they start up, and if they
> [...]
>> I can't see a mechanism that would get the results you're seeing, but I
>> don't know what ezjail might be doing. I suspect your problem is with ezjail
>> or something bizarre on your network config; can you try it manually?
> After my OP I immediately sent out a second mail stating that the
> problem is not with Jails or EzJail and it's related to the way that
> aliases behave on a network interface card. When you have aliases that
> are on the same subnet, the source IP is the primary IP, that is the
> first IP set on that network device. You can test this without jails
> with a simple ssh connection to another server and then typing who.
> Even if you force ssh to bind to a particular IP using -b it will
> still show the primary IP. If you have aliases on different subnets
> this will not happen.

I don't think that's true though in the case of jails. On the host
system, yes, but when a jail is bound to a particular IP, outbound
connections originate from that bound IP. At least they do for me in
all of my experience. Still wondering if you're using NAT with your
jails, as that could change things.

(FWIW, we use ezjail as well. It doesn't do anything special except
make having lots of jails easy and lightweight.)
