Jail with public IP alias

Frank Leonhardt frank2 at fjl.co.uk
Wed Aug 28 20:11:38 UTC 2013

On 28/08/2013 19:42, Patrick wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aimass at yabarana.com> wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <frank2 at fjl.co.uk> wrote:
>>> On 28/08/2013 00:19, Patrick wrote:
>>>> On Tue, Aug 27, 2013 at 3:42 PM, Alejandro Imass <aimass at yabarana.com>
>>>> wrote:
>> [...]
>>> (Tidied up so all now bottom posted)
>>> I can confirm that you shouldn't be seeing this behaviour because I don't. I
>>> don't use EzJail - I prefer "vi". Seriously, setting up a jail is very
>>> straightforward anyway, and when I tried ezjail I found it was doing stuff I
>>> didn't like, so dropped it early on. It was a long time ago and I've
>>> forgotten the specifics.
>>> I guess if you're using it you're new to this particular game, so please
>>> excuse me pointing out a few basics here.
>> We use Ezjail not because it's easy or because we're new to jails, I
>> think you might be confused on what EzJail actually is and why people
>> use it. We use it because we manage a private cloud exclusively based
>> on FBSD with about a dozen servers with a couple dozen jails each. I
>> use EzJail because it allows us to manage just shy of 300 separate
>> environments with only a couple of sysadmins, and with optimized
>> system resources. We use it because IT ROCKS.
>>> Although I can't exactly see how this would cause a problem, remember that
>>> many services will bind to ALL IP addresses when they start up, and if they
>> [...]
>>> I can't see a mechanism that would get the results you're seeing, but I
>>> don't know what ezjail might be doing. I suspect your problem is with ezjail
>>> or something bizarre on your network config; can you try it manually?
>> After my OP I immediately sent out second mail stating that the
>> problem is not with Jails or EzJail and it's related to the way that
>> aliases behave on a network interface card. When you have aliases that
>> are on the same subnet, the source IP is the primary IP, that is the
>> first IP set on that network device. You can test this without jails
>> with a simple ssh connection to another server and then typing who.
>> Even if you force ssh to bind to a particular IP using -b it will
>> still show the primary IP. If you have aliases on different subnets
>> this will not happen.
> I don't think that's true though in the case of jails. On the host
> system, yes, but when a jail is bound to a particular IP, outbound
> connections originate from that bound IP. At least they do for me in
> all of my experience. Still wondering if you're using NAT with your
> jails, as that could change things.
> (FWIW, we use ezjail as well. It doesn't do anything special except
> make having lots of jails easy and lightweight.)
Sorry guys - I had no intention of upsetting the EzJail fan club!

The fact remains that I've tried to recreate this problem on what comes 
to a similar set-up, but without EzJail, and I can't. I've only tested 
it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I 
completely understood what you were saying about it doing weird stuff 
outside a jail, but my point is that this may or may not be related.

You don't say what version you're running. I can try and recreate it on 
another version.

Again basic, but when you set up an alias, what subnet do you use? "Same 
subnet" is ringing alarm bells here. The output of ifconfig might help.

Regards, Frank.
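As an added illustration of the "same subnet" check Frank asks about (not code from anyone in this thread), the following Python script parses FreeBSD-style ifconfig output and reports which aliases on an interface fall inside the primary address's subnet, i.e. the configuration under which outbound traffic is expected to carry the primary IP as source. The ifconfig text is constructed sample data; it assumes the hex netmask notation FreeBSD prints.

```python
import ipaddress
import re

# Constructed sample ifconfig output (not taken from the thread). On em0
# the primary address is 192.0.2.10/24, followed by two aliases: one in
# the same /24 and one on a different subnet.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
\tinet 198.51.100.5 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

_IFACE_RE = re.compile(r"^(\S+): flags=")
_INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    """Return {iface: [(IPv4Address, prefix_len), ...]} in listing order.

    The first inet entry on an interface is its primary address; any
    further inet entries are aliases."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, [])
            continue
        m = _INET_RE.match(line)
        if m and current is not None:
            addr = ipaddress.IPv4Address(m.group(1))
            prefix = bin(int(m.group(2), 16)).count("1")  # hex mask -> /N
            ifaces[current].append((addr, prefix))
    return ifaces


def same_subnet_aliases(ifaces):
    """Map each interface to the aliases lying inside its primary subnet.

    These are the aliases for which the thread reports the primary IP
    showing up as the source address; other subnets are unaffected."""
    findings = {}
    for iface, entries in ifaces.items():
        if len(entries) < 2:
            continue
        primary, prefix = entries[0]
        net = ipaddress.IPv4Network(f"{primary}/{prefix}", strict=False)
        shared = [str(a) for a, _ in entries[1:] if a in net]
        if shared:
            findings[iface] = shared
    return findings
```

Feed it real output with `parse_ifconfig(subprocess.check_output(["ifconfig"], text=True))`; an empty result means every alias sits on its own subnet.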

More information about the freebsd-questions mailing list