Jails and networks
Norman Gray
norman.gray at glasgow.ac.uk
Fri Aug 24 12:36:03 UTC 2018
Alejandro, hello.
On 23 Aug 2018, at 23:18, Alejandro Imass wrote:
> If you are using ezjail then use ezjail-admin or
> /usr/local/etc/rc.d/ezjail start xxxx
>
> I.e. if ezjail is managing your jails then use ezjail-admin and avoid
> any jail-specific commands except for jls
Thanks for this advice. However, I don't think this is the root of my
problem. I can do:

  # ezjail-admin create -c zfs norman 'lo1|127.0.1.1,igb0|192.168.11.128'
  # ezjail-admin onestart norman
  # ezjail-admin console norman

I can still see, inside the jail console,

  igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
          ether a4:bf:01:26:7d:b1
          hwaddr a4:bf:01:26:7d:b1
          inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
          media: Ethernet autoselect (1000baseT <full-duplex>)
          status: active
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
          options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
          groups: lo
  lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
          options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
          inet 127.0.1.1 netmask 0xffffffff

which look right, but

  # host www.freebsd.org
  ;; connection timed out; no servers could be reached
  #

So something is still amiss with the networking inside the jail, or the
way I've set up networking outside of the jail (nothing exotic at all as
far as I'm aware), and I'm at a loss as to what it might be, or how to
debug it.
There's something important about jail networking that I'm not
understanding, but I haven't a clue what it is. Most frustrating.
The only thing that's at all odd about the networking context is that
the host machine is on a locally-routable private network within
172.16.0.0/12, but I can't see how that would make any difference.
----
On the question of 'ezjail-admin start' vs /usr/sbin/jail...
I'd switched to starting jails with /usr/sbin/jail partly because I'd
formed the impression that ezjail could be used as a convenient way of
doing the fiddly and error-prone work of assembling jails, but that the
jails were standard enough that they could be managed thereafter with
the standard tool. This impression may of course be wrong in an
illuminating way.
If true, that's a nice place to be, since 'ezjail-admin create' is doing
work that I basically understand but would do less well, but there's no
extra magic that 'ezjail-admin start' is doing. I'm all for minimising
magic.
Also, it seems that there's at least some incompatibility between
current ezjail (3.4.2) and 11.2 jails. ezjail-admin starts jails using
the four-argument call to /usr/sbin/jail, which means that
/etc/jail.conf is ignored. `jail` produces a warning in this case, that
this is an 'obsolete' way of starting a jail; the jail(8) manpage
doesn't say 'obsolete', but does mention this call as being present 'for
backward compatibility'.
That is:

  # ezjail-admin onestart norman
  Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is created and used for jail norman.
  /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete. Please consider migrating to /etc/jail.conf.

Further, [1] mentions that:
> With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails
> with ezjail-admin is no longer possible. It's required to have jails
> defined in /etc/jail.conf. We can still use ezjail-admin to set them
> up.
I don't know about the 'no longer possible', but this suggests at least
some dislocation between ezjail and 11.x.
But my main goal is minimising the amount of magic I don't understand.
[1] https://forums.freebsd.org/threads/howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063/

> How do you know your jails can’t access the Internet ?
>
> ping and some network commands are restricted in jails but can try
> wget or
> curl to test. Or maybe pkg update to test
Good point, but yes, I'm already aware that ping needs raw sockets so
won't work within a jail by default, so I was testing this with DNS
lookups (calling 'host'). They just time out.
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
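
The /etc/jail.conf equivalent of the ezjail setup in the message above, added here as an example (it is not from the thread or from ezjail itself): the jail name, both addresses and the interfaces follow the post, while the /usr/jails path is an assumption (ezjail's default) and the comments on raw sockets and resolv.conf are checks rather than a diagnosis of the reported problem.

```conf
# /etc/jail.conf -- added example, not from the original thread.
# Declares the 'norman' jail so that jail(8) and /etc/rc.d/jail start it
# from this file instead of the obsolete jail_* / four-argument form
# that produced the WARNING lines quoted in the message.

# Defaults inherited by every jail declared below
exec.start    = "/bin/sh /etc/rc";
exec.stop     = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path          = "/usr/jails/$name";   # ezjail's default jail root (assumption)
host.hostname = "$name";

# allow.raw_sockets defaults to off, which is why ping fails inside the
# jail; leave it off and test connectivity with host(1) or fetch(1) instead.

norman {
    # The same two addresses ezjail-admin create was given, written as
    # interface|address pairs: jail(8) adds each as a /32 alias on that
    # interface when the jail starts and removes it when the jail stops.
    ip4.addr  = "lo1|127.0.1.1";
    ip4.addr += "igb0|192.168.11.128";
}
```

Start it with `service jail onestart norman`; name resolution inside the jail reads $path/etc/resolv.conf, so confirm that file names a nameserver reachable from 192.168.11.128 before looking further into the jail itself.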