Q. Re loopback address for jails

James B. Byrne byrnejb at harte-lyne.ca
Tue Apr 11 19:56:52 UTC 2017

On Tue, April 11, 2017 15:15, Ernie Luzar wrote:
> James B. Byrne via freebsd-questions wrote:
>> Given that for a FreeBSD jail one clones the lo interface and assigns
>> a different address than say what files does one
>> need to change throughout the jail?
>> I have modified /usr/jails/jail/etc/hosts,
>> /usr/jails/jail/etc/resolv.conf and
>> usr/jails/jail/etc/ssh/sshd_config. I note however that there are a
>> very large number of configuration files throughout the jail that
>> contain a literal value of  Do all of these need
>> updating?
>> Under  /usr/jails/jail/usr/local/etc/ there are also files that
>> contain as literal values,
>> /usr/jails/hlldns02/usr/local/etc/rc.d/named for example.  How does
>> one handle rc.d scripts that specify
>> If these all require manual alteration then why is not localhost used
>> instead?  Then one would only need alter the hosts file.
> Anything you do for the lo0/ interface in a jail is just so
> much wasted effort. It's not needed nor required in almost all usage
> cases. The exception is for those cases when you are running an
> application in the jail that purposefully uses the lo0 interface. For
> that use case only, you need to do the clone lo0 thing and change the
> config file for that application to use the newly allocated
> lo1/ setup and leave all the other normal settings untouched.
> Take note there is no official documentation on jail(8) and the lo0
> interface that gives credence to cloning the lo0 interface for all
> jails.
> The jail-ezjail section of the handbook does talk about the cloning of
> the lo0 interface for all ezjails. This is something that maybe the
> author of that section thinks is a unique requirement for ezjail, but
> this thinking should not be extrapolated to mean all non-ezjails also
> need it. On the other hand, based on my experience using ezjail,
> ezjail lo0 default usage also falls under the usage cases talked
> about above and that handbook section should be corrected to
> reflect that, thus removing the confusion its current content
> is causing.
> Just step back and think about it for a moment. If jail(8)
> really needed some kind of special handling of the lo0 interface
> it would be very easy to find official documentation on this subject.

I have not found an absence of documentation to be much of a comfort,

> In conclusion; Don't try to fix a problem that doesn't exist.

However, I rapidly discovered that unless /etc/hosts and
/etc/resolv.conf are altered to match the lo# IP addr assigned to a
jail then things that depend upon DNS start to fail or time-out.  As
the use cases for these jails are 1. BIND DNS, and 2. Postfix MX, that
problem is difficult to ignore.

I just want to know what else people have run into with respect to
cloned lo i/fs and the explicit assumption that the lo i/f address is

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
