Q. Re loopback address for jails
James B. Byrne
byrnejb at harte-lyne.ca
Tue Apr 11 19:56:52 UTC 2017
On Tue, April 11, 2017 15:15, Ernie Luzar wrote:
> James B. Byrne via freebsd-questions wrote:
>> Given that for a FreeBSD jail one clones the lo interface and
>> a different address than 127.0.0.1 say 127.0.33.1 what files does
>> need to change throughout the jail?
>> I have modified /usr/jails/jail/etc/hosts,
>> /usr/jails/jail/etc/resolv.conf and
>> /usr/jails/jail/etc/ssh/sshd_config. I note however that there are a
>> very large number of configuration files throughout the jail that
>> contain a literal value of 127.0.0.1. Do all of these need
>> Under /usr/jails/jail/usr/local/etc/ there are also files that
>> contain 127.0.0.1 as literal values,
>> /usr/jails/hlldns02/usr/local/etc/rc.d/named for example. How does
>> one handle rc.d scripts that specify 127.0.0.1?
>> If these all require manual alteration then why is not localhost
>> instead? Then one would only need alter the hosts file.
> Anything you do for the lo0/127.0.0.1 interface in a jail is just so
> much wasted effort. It's not needed nor required in almost all usage
> cases. The exception is for those cases when you are running an
> application in the jail that purposefully uses the lo0 interface. For
> that use case only, you need to do the clone lo0 thing and change the
> config file for that application to use the newly allocated
> lo1/127.0.2.1 setup and leave all the other normal settings untouched.
> Take note there is no official documentation on jail(8) and the lo0
> interface that gives credence to cloning the lo0 interface for all
> The jail-ezjail section of the handbook does talk about the cloning of
> the lo0 interface for all ezjails. This is something that maybe the
> author of that section thinks is a unique requirement for ezjail, but
> this thinking should not be extrapolated to mean all non-ezjails also
> need it. On the other hand, based on my experience using ezjail,
> ezjail lo0 default usage also falls under the usage cases talked
> about above and that handbook section should be corrected to
> reflect that, thus removing the confusion its current content
> is causing.
> Just step back and think about it for a moment. If jail(8)
> really needed some kind of special handling of the lo0 interface
> it would be very easy to find official documentation on this subject.
I have not found an absence of documentation to be much of a comfort,
> In conclusion; Don't try to fix a problem that doesn't exist.
However, I rapidly discovered that unless /etc/hosts and
/etc/resolv.conf are altered to match the lo# IP addr assigned to a
jail then things that depend upon DNS start to fail or time-out. As
the use cases for these jails are 1. BIND DNS, and 2. Postfix MX, that
problem is difficult to ignore.
I just want to know what else people have run into with respect to
cloned lo i/fs and the explicit assumption that the lo i/f address is
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
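
As an added example (not part of the original message, and not FreeBSD's own tooling), the shell functions below list the lines under a jail's etc and usr/local/etc trees that hard-code a loopback literal, marking each hit as an active setting or a commented-out one. The function names and the sample tree are constructed for illustration; file names are assumed not to contain a colon.

```shell
#!/bin/sh
# audit_loopback ROOT [ADDR]
# Prints "status<TAB>file:line:text" for every line that contains ADDR
# (default 127.0.0.1) as a whole IPv4 literal; status is active or comment.
audit_loopback() {
    root=$1
    addr=${2:-127.0.0.1}
    # Escape the dots, then require a non-address character on each side so
    # that 127.0.0.10 or 10.127.0.0.1 is not reported as 127.0.0.1.
    pat=$(printf '%s' "$addr" | sed 's/\./\\./g')
    re="(^|[^0-9.])${pat}([^0-9]|\$)"
    for dir in "$root/etc" "$root/usr/local/etc"; do
        [ -d "$dir" ] || continue
        # /dev/null forces grep to print the file name even for one file.
        find "$dir" -type f -exec grep -nE "$re" /dev/null {} + || true
    done | while IFS= read -r hit; do
        text=${hit#*:}; text=${text#*:}      # drop "file:" and "line:"
        trimmed=$(printf '%s' "$text" | sed 's/^[[:space:]]*//')
        case $trimmed in
            '#'*|';'*|'//'*) status=comment ;;   # sh, zone-file and C++ style
            *) status=active ;;
        esac
        printf '%s\t%s\n' "$status" "$hit"
    done
}

# count_active ROOT [ADDR]: number of hits that are not commented out.
count_active() {
    audit_loopback "$@" | grep -c '^active' || true
}

# Constructed sample tree standing in for a jail root (not real data).
make_sample_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/etc/ssh" "$j/usr/local/etc/rc.d"
    printf '127.0.0.1\tlocalhost\n127.0.0.10\tother\n' > "$j/etc/hosts"
    printf 'nameserver 127.0.33.1\n' > "$j/etc/resolv.conf"
    printf '#ListenAddress 127.0.0.1\n' > "$j/etc/ssh/sshd_config"
    printf 'rndc -s 127.0.0.1 status\n' > "$j/usr/local/etc/rc.d/named"
    printf '%s\n' "$j"
}
```

Run as `audit_loopback /usr/jails/jail` to review the default literal, or pass the jail's assigned address as the second argument to see which files already reference it.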