Jails and networks

Thu Aug 23 22:19:06 UTC 2018

On Thu, Aug 23, 2018 at 3:49 PM Norman Gray <norman.gray at glasgow.ac.uk>
wrote:

>
> Greetings.
>
> I'm having difficulty creating a jail which is able to see the outside
> world.  The various recipes I've found seem to be subtly contradictory:
> I'm trying to understand what they're doing rather than dumbly following
> them, and my lack of success here is telling me that my mental model of
> jails+networking doesn't quite match reality.  I think I'm on the verge
> of a very educational experience....
>
> I'm using ezjail, on 11.2.
>
> Sources:
>
>    * The manual [1] describes basic usage, but mentions release 9.3; I
> get the impression that ezjail's procedure for starting and configuring
> jails (using /etc/jail.conf rather than the old 4 arguments) is slightly
> but significantly incompatible with 11.2.
>
>    * The ezjail documentation [2] describes setting up a jail using
> em0|10.0.0.2, very straightforwardly
>
>    * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions.  But I now suspect I'm doing so naively.
>
>    * Another forum post [4] describes setting up both a VIMAGE and a
> non-VIMAGE jail, and is usefully explicit about the contents of the
> /etc/jail.conf file.  This is the one I've been following most closely,
> but I realise that I don't understand why it configures a bridge
> interface, but adds only a single real interface igb0 to it (my model of
> a bridge interface is that it necessarily involves two interfaces, or
> does the igb0 in the host and the one in the client count as two?).
>
> My host is on a 172.16.0.0/12 private network, which is routable
> locally, though it has to use a proxy to get to the web.  I want to set
> up a jail on (slightly at random) 192.168.11.128.
>
> I have:
>
>    * net.inet.ip.forwarding: 1
>    * igb0 configured with the correct IP address and mask, not aliased
> at all
>    * I've created lo1
>
> My /etc/jail.conf looks like
>
>      exec.start = "/bin/sh /etc/rc";
>      exec.stop = "/bin/sh /etc/rc.shutdown";
>      exec.clean;
>
>      path = "/local/jails/$name";
>
>      mount.fstab = "/etc/jail/fstab.${name}";
>      mount.devfs;
>      mount.fdescfs;
>      mount.procfs;
>
>      host.hostname = "${name}.local";
>
>      devfs_ruleset         = "4";
>
>      norman {
>          # test jail
>          ip4.addr = "192.168.11.128";
>          interface = "igb0";
>      }
>
> and the non-comment lines in /usr/local/etc/ezjail.conf look like
>
>      ezjail_jaildir=/local/jails
>      ezjail_ftphost=http://ftp.uk.freebsd.org
>      ezjail_use_zfs="YES"
>      ezjail_use_zfs_for_jails="YES"
>      ezjail_jailzfs=zroot/local/jails
>
> I've created a ezjail flavour called 'norman' (with the inevitable
> solipsism).
>
> My _understanding_ is that this sets the jail to use the igb0 interface
> in the host (a non-VIMAGE jail doesn't have a separate networking
> stack).
>
> I create the jail
>
>      ezjail-admin create -f norman -c zfs norman
> 'lo1|127.0.1.1,igb0|192.168.11.128'
>
> lo1 first, as suggested in [1].  My impression is that that sets up the
> loopback interface within the jail to be an alias of lo0 in the host,
> and attaches 192.168.11.128 to igb0 in the  jail.
>
> Then I start the jail
>

If you are using ezjail then use eazjail-admin or
/usr/local/etc/rc.d/ezjail start xxxx

I.e. if ezjail is managing your jails then use ezjail admin and avoid any
jail specific commands except for jls

How do you know your jails can’t access the Internet ?

ping and some network commands are restricted in jails but can try wget or
curl to test. Or maybe pkg update to test

I can help you a lot with ezjail. I’ve used for years and it’s a great
system.

Best,
Alex

>