jail and networking

Teske, Devin Devin.Teske at fisglobal.com
Fri Feb 22 06:10:49 UTC 2013


On Thu, 21 Feb 2013, Shane Ambler wrote:

> On 22/02/2013 05:52, Devin Teske wrote:
> 
> > What I find strange is that:
> >
> > 1. I knew about ListenAddress w/respect to jails, but...
> >
> > 2. We are not changing it (sshd_config has no ListenAddress -- leading to
> > default values used), yet...
> >
> > 3. Base machine and jails both work fine
> >
> > Not sure when it's required versus not, because we're running fine without that
> > change here with over a dozen jails.
> >
> > The only thing I've ever noticed is that we tend to use
> > jail_NAME_ip="iface|addr" while most everybody else seems to be using
> > jail_NAME_ip="addr".
> >
> 
> We may need to expand out from that. I use jail_NAME_ip="addr" but also
> 
> ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
> route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
> static_routes="jaillan0"
> 
> Don't recall where I got that from but think it was an easy way to alias
> a number of ip's whereas ifconfig_<iface>_alias0 sets one ip at a time
> and is also deprecated.
> 
> If you use jail_NAME_ip="iface|addr" does this mean you don't have ip
> addresses aliased to the iface on startup and they get aliased as the
> jail starts? That would be why sshd isn't bound to the address before.

Correct, and this was my leading theory.


> man rc.conf for jail_<jname>_ip says "... Additionally each address can
> be prefixed by the name of an interface followed by a pipe to overwrite"
> does that mean it clears the ip from the base system and re-creates it
> for the jail?

Dunno -- I first learned about "iface|addr" from reading the code. It did what I wanted _and_ improved the clarity/readability of rc.conf(5) in the case of multiple jails utilizing separate interfaces on similar subnets. Thus, it was embraced.

> I also see jail_<jname>_interface "...When set, sets the interface to
> use when setting IP address alias. Note that the alias is created at
> jail startup and removed at jail shutdown."

Never used that setting before.


> Which is what sounds like the solution to not have ip's available when
> sshd starts so it isn't bound to them.

Right-o.

> Also what sys version were these options added?

I would guess 8.x as we're using iface|addr in 8.1 (as previously mentioned, not using jail_<jname>_interface -- dunno about that one).

The following URLs might be of assistance in tracking down the origins of various options:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail
http://svnweb.freebsd.org/base/head/etc/rc.d/jail

-- 
Devin
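As an added illustration of the check being discussed (not code from this thread or from FreeBSD's rc.d/jail): the question of whether the host's sshd is already bound to an address a jail will use can be answered from `sockstat -4 -l` before the jails start. The script below takes rc.conf-style `jail_<jname>_ip` values in either the bare or the `iface|addr` form, strips the interface prefix, and flags every host listener that is bound either to one of those addresses or to the wildcard address, which an sshd with no ListenAddress will use. The jail addresses and the sockstat output are constructed sample data for the example, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: before starting jails, list host
# listeners that already own a jail's address (exact bind) or would answer on
# it anyway (wildcard "*" bind, as an sshd without ListenAddress does).

# Constructed sample of `sockstat -4 -l` output on a jail host; not real output.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       912   4  tcp4   *:22                  *:*
root     syslogd    600   6  udp4   *:514                 *:*
www      nginx      1200  8  tcp4   10.0.0.254:80         *:*
root     sshd       2048  4  tcp4   10.0.0.1:22           *:*'

# Jail addresses as they would appear in rc.conf jail_<jname>_ip values
# (hypothetical jails); both the bare and the "iface|addr" form are accepted.
JAIL_IPS='re0|10.0.0.1 10.0.0.2 re0|10.0.0.3'

# strip_iface 're0|10.0.0.1' -> 10.0.0.1 ; a bare address is returned unchanged.
strip_iface() {
  printf '%s\n' "$1" | sed 's/^[^|]*|//'
}

# find_conflicts "<jail ips>" "<sockstat -4 -l output>"
# Prints one line per colliding listener: "LOCAL_ADDRESS COMMAND KIND", where
# KIND is "jail-address" (bound to a jail IP) or "wildcard" (bound to *).
find_conflicts() {
  printf '%s\n' "$2" | awk -v ips="$1" '
    BEGIN {
      n = split(ips, a, " ")
      for (i = 1; i <= n; i++) { sub(/^[^|]*[|]/, "", a[i]); want[a[i]] = 1 }
    }
    NR == 1 { next }                      # column header line
    $5 !~ /^(tcp|udp)4/ { next }          # IPv4 sockets only
    {
      split($6, la, ":")                  # LOCAL ADDRESS is "addr:port"
      if (la[1] == "*")        print $6, $2, "wildcard"
      else if (la[1] in want)  print $6, $2, "jail-address"
    }'
}

# On a real host run: find_conflicts "$JAIL_IPS" "$(sockstat -4 -l)"
find_conflicts "$JAIL_IPS" "$SAMPLE_SOCKSTAT"
```

On the sample data this reports the wildcard sshd and syslogd listeners plus the sshd bound to 10.0.0.1:22, and ignores nginx on the host's own address. A wildcard hit is the one worth acting on even when the `iface|addr` form keeps the alias off the interface at boot, since a `*:22` socket matches whatever addresses the host gains later; pinning the host's sshd with ListenAddress, as mentioned earlier in the thread, removes that overlap.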
