Can't ping in jail

doug doug at fledge.watson.org
Sun Dec 4 18:00:46 UTC 2016



On Sun, 4 Dec 2016, Matthew Seaman wrote:

> On 04/12/2016 01:59, Ernie Luzar wrote:
>> This post sheds a lot light on your problem. ezjail uses the legacy
>> method with definition statements in /etc/rc.conf and qjail uses the
>> modern way using /etc/jail.conf. qjail is a fork of ezjail so many
>> things will feel the same moving to qjail. The ezjail and qjail
>> directory tree is named differently and use different internal control
>> files so you would have to build your qjail jails anew. qjail and ezjail
>> can both run on the same host at the same time just using different jail
>> ip addresses.
>>
>> Both methods have statements for enabling  allow_raw_sockets on a jail
>> by jail basis which is the way it should be done. The sysctl nib has to
>> be issued on the host were the jails are, not the gateway host connected
>> to the public network.
>>
>> ezjail requires manual starting and stopping of ip alias for the jail.
>> qjail does all that for you without you having to take any actions.
>>
>> there is a qjail version for 9.x systems, but its out dated and at EOL.
>
> The jail management system that has been attracting a lot of attention
> and favourable comment recently is iocage.  The original version was
> written in /bin/sh and this is what is in ports as sysutils/iocage or
> sysutils/iocage-devel.  The authors are intending to rewrite it in a
> different language though.

>From this I hear that the file system and more specifically various jail 
management interfaces, which I understand as basically an abstraction layer to 
interface with the basic jail structure has an impact on the way raw sockets are 
handled in the network stack. It was/is my general understanding that best 
practices O/S design would and do generally following the layers underlying the 
original apranet design. So that's not the case with the jail implementation??


More information about the freebsd-questions mailing list