Jails and networks

Erich Dollansky freebsd.ed.lists at sumeritec.com
Fri Aug 24 03:54:42 UTC 2018 

Hi,

I did not go through your e-mail. Just take my working settings to
start with:

In /etc/jails.conf

Name {
   path = "/usr/home/whateverexists";
   ip4.addr = 192.168.x.y;
   host.hostname = "jail.example.com";
   allow.raw_sockets = 1;
   interface = yournetworkinterface;
   exec.start = "sh /etc/rc";
   exec.stop = "sh /etc/rc.shutdown";
   mount.devfs;
}

In /etc/rc.conf inside the jail:

inetd_enable="YES"
inetd_flags="-wW -a 192.168.x.y"
dbus_enable="YES"
hald_enable="YES"
runlocalproxy_enable="YES"
sshd_enable="YES"

You can then start the jail with

jail -c Name

You can then add more of your settings until you have found the culprit.

Erich


On Thu, 23 Aug 2018 19:44:57 +0100
Norman Gray <norman.gray at glasgow.ac.uk> wrote:

> Greetings.
> 
> I'm having difficulty creating a jail which is able to see the outside
> world.  The various recipes I've found seem to be subtly
> contradictory: I'm trying to understand what they're doing rather
> than dumbly following them, and my lack of success here is telling me
> that my mental model of jails+networking doesn't quite match
> reality.  I think I'm on the verge of a very educational
> experience....
> 
> I'm using ezjail, on 11.2.
> 
> Sources:
> 
>    * The manual [1] describes basic usage, but mentions release 9.3; I
> get the impression that ezjail's procedure for starting and
> configuring jails (using /etc/jail.conf rather than the old 4
> arguments) is slightly but significantly incompatible with 11.2.
> 
>    * The ezjail documentation [2] describes setting up a jail using
> em0|10.0.0.2, very straightforwardly
> 
>    * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions.  But I now suspect I'm doing so naively.
> 
>    * Another forum post [4] describes setting up both a VIMAGE and a
> non-VIMAGE jail, and is usefully explicit about the contents of the
> /etc/jail.conf file.  This is the one I've been following most
> closely, but I realise that I don't understand why it configures a
> bridge interface, but adds only a single real interface igb0 to it
> (my model of a bridge interface is that it necessarily involves two
> interfaces, or does the igb0 in the host and the one in the client
> count as two?).
> 
> My host is on a 172.16.0.0/12 private network, which is routable
> locally, though it has to use a proxy to get to the web.  I want to
> set up a jail on (slightly at random) 192.168.11.128.
> 
> I have:
> 
>    * net.inet.ip.forwarding: 1
>    * igb0 configured with the correct IP address and mask, not aliased
> at all
>    * I've created lo1
> 
> My /etc/jail.conf looks like
> 
>      exec.start = "/bin/sh /etc/rc";
>      exec.stop = "/bin/sh /etc/rc.shutdown";
>      exec.clean;
> 
>      path = "/local/jails/$name";
> 
>      mount.fstab = "/etc/jail/fstab.${name}";
>      mount.devfs;
>      mount.fdescfs;
>      mount.procfs;
> 
>      host.hostname = "${name}.local";
> 
>      devfs_ruleset         = "4";
> 
>      norman {
>          # test jail
>          ip4.addr = "192.168.11.128";
>          interface = "igb0";
>      }
> 
> and the non-comment lines in /usr/local/etc/ezjail.conf look like
> 
>      ezjail_jaildir=/local/jails
>      ezjail_ftphost=http://ftp.uk.freebsd.org
>      ezjail_use_zfs="YES"
>      ezjail_use_zfs_for_jails="YES"
>      ezjail_jailzfs=zroot/local/jails
> 
> I've created a ezjail flavour called 'norman' (with the inevitable
> solipsism).
> 
> My _understanding_ is that this sets the jail to use the igb0
> interface in the host (a non-VIMAGE jail doesn't have a separate
> networking stack).
> 
> I create the jail
> 
>      ezjail-admin create -f norman -c zfs norman
> 'lo1|127.0.1.1,igb0|192.168.11.128'
> 
> lo1 first, as suggested in [1].  My impression is that that sets up
> the loopback interface within the jail to be an alias of lo0 in the
> host, and attaches 192.168.11.128 to igb0 in the  jail.
> 
> Then I start the jail
> 
>      jail -c norman
> 
> it starts up sshd promptly, but takes a long time (presumably timing
> out in fact) to start sendmail_submit and sendmail_msp_queue.  Then
> 
>      jexec 4 /bin/sh
> 
> lets me see
> 
> # cat /etc/resolv.conf
> search physics.gla.ac.uk
> nameserver 130.209.4.16
> nameserver 130.209.4.18
> # ifconfig igb0
> igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
> 1500
>    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
>   ether a4:bf:01:26:7d:b1
>   hwaddr a4:bf:01:26:7d:b1
>   inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
>   media: Ethernet autoselect (1000baseT <full-duplex>)
>   status: active
> 
> ...which looks right.  But
> 
> # host www.gla.ac.uk
> ;; connection timed out; no servers could be reached
> #
> 
> The routing table is very simple:
> 
> # netstat -rn
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags     Netif Expire
> 192.168.11.128     link#3             UHS         lo0
> 
> 
> I don't think I've done anything at all exotic here, and the
> resolv.conf contents and ifconfig output looks as I'd expect.  The
> routing table doesn't have a default route, but (a) if this interface
> is just the same as the same-named one in the host, so ... *mumble*;
> and (b) the various recipes I've quoted don't anywhere mention having
> to add a default route, so I don't think that can be what I'm missing.
> 
> I'm wondering if there's something to do with the private network the
> host is on.  But that can talk to the network without difficulty, and
> in any case http_proxy is correctly set in the jail.
> 
> I've seen a mention of epair(4), but I don't think that's relevant.
> 
> So I'm clearly misunderstanding something terribly important (and
> embarrassingly obvious in retrospect), which hasn't magically become
> clear by my explaining the steps clearly to myself here.  I suspect I
> don't _actually_ understand the relationship between the jail's
> interfaces and the host's -- they seem the same but not the same in
> some very uncomfortable way.
> 
> Any epiphanies gratefully received.
> 
> Best wishes,
> 
> Norman
> 
> 
> 
> [1] https://www.freebsd.org/doc/handbook/jails-ezjail.html
> [2] https://erdgeist.org/arts/software/ezjail/
> [3] https://forums.freebsd.org/threads/30063/
> [4] https://forums.freebsd.org/threads/49561/
> 
> --
> Norman Gray  :  https://nxg.me.uk
> SUPA School of Physics and Astronomy, University of Glasgow, UK
> 
> [University of Glasgow: The Times Scottish University of the Year
> 2018] _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list