Jails and networks

Norman Gray norman.gray at glasgow.ac.uk
Fri Aug 24 12:36:03 UTC 2018


Alejandro, hello.

On 23 Aug 2018, at 23:18, Alejandro Imass wrote:

> If you are using ezjail then use ezjail-admin or
> /usr/local/etc/rc.d/ezjail start xxxx
>
> I.e. if ezjail is managing your jails then use ezjail-admin and avoid
> any jail-specific commands except for jls

Thanks for this advice.  However I don't think this is the root of my 
problem.  I can do:

     # ezjail-admin create -c zfs norman 'lo1|127.0.1.1,igb0|192.168.11.128'
     # ezjail-admin onestart norman
     # ezjail-admin console norman

I can still see, inside the jail console,

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether a4:bf:01:26:7d:b1
	hwaddr a4:bf:01:26:7d:b1
	inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	groups: lo
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.1.1 netmask 0xffffffff

which look right, but

     # host www.freebsd.org
     ;; connection timed out; no servers could be reached
     #

So something is still amiss with the networking inside the jail, or the 
way I've set up networking outside of the jail (nothing exotic at all as 
far as I'm aware), and I'm at a loss as to what it might be, or how to 
debug it.

There's something important about jail networking that I'm not 
understanding, but I haven't a clue what it is.  Most frustrating.

The only thing that's at all odd about the networking context is that 
the host machine is on a locally-routable private network within 
172.16.0.0/12, but I can't see how that would make any difference.

----

On the question of 'ezjail-admin start' vs /usr/sbin/jail...

I'd switched to starting jails with /usr/sbin/jail partly because I'd 
formed the impression that ezjail could be used as a convenient way of 
doing the fiddly and error-prone work of assembling jails, but that the 
jails were standard enough that they could be managed thereafter with 
the standard tool.  This impression may of course be wrong in an 
illuminating way.

If true, that's a nice place to be, since 'ezjail-admin create' is doing 
work that I basically understand but would do less well, but there's no 
extra magic that 'ezjail-admin start' is doing.  I'm all for minimising 
magic.

Also, it seems that there's at least some incompatibility between 
current ezjail (3.4.2) and 11.2 jails.  ezjail-admin starts jails using 
the four-argument call to /usr/sbin/jail, which means that 
/etc/jail.conf is ignored.  `jail` produces a warning in this case, that 
this is an 'obsolete' way of starting a jail; the jail(8) manpage 
doesn't say 'obsolete', but does mention this call as being present 'for 
backward compatibility'.

That is:

     # ezjail-admin onestart norman
     Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is created and used for jail norman.
     /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is obsolete.  Please consider migrating to /etc/jail.conf.

Further, [1] mentions that:

> With 11.0 and, as of writing ezjail-admin v3.4.2, startup of jails 
> with ezjail-admin is no longer possible. It's required to have jails 
> defined in /etc/jail.conf. We can still use ezjail-admin to set them 
> up.

I don't know about the 'no longer possible', but this suggests at least 
some dislocation between ezjail and 11.x.

But my main goal is minimising the amount of magic I don't understand.

[1] 
https://forums.freebsd.org/threads/howto-quick-setup-of-jail-on-zfs-using-ezjail-with-pf-nat.30063/

> How do you know your jails can’t access the Internet ?
>
> ping and some network commands are restricted in jails but can try 
> wget or
> curl to test. Or maybe pkg update to test

Good point, but yes, I'm already aware that ping needs raw sockets so 
won't work within a jail by default, so I was testing this with DNS 
lookups (calling 'host').  They just time out.

Best wishes,

Norman


-- 
Norman Gray  :  https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
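
The two things the message above turns on, moving the ezjail-created jail's definition into /etc/jail.conf and finding out why a DNS lookup from the jail times out, can both be checked from the host before touching the jail. The script below is an added example for this thread, not code from ezjail, from FreeBSD or from the poster. It takes the ezjail interface spec exactly as given to `ezjail-admin create`, the networks the host's own addresses sit in, and the jail's /etc/resolv.conf, and (a) renders the equivalent jail.conf stanza (jail(8) accepts the same `iface|address` form in `ip4.addr`, so nothing is lost by leaving ezjail's jail_* variables behind), and (b) reports the static reasons a lookup cannot succeed: a jail alias outside every network the host is on, which the rest of the network cannot reply to unless the host NATs for it, and a loopback nameserver, which inside a jail refers to the jail's first address rather than the host's lo0. The interface spec and the 172.16.0.0/12 host network are taken from the mail; the resolv.conf contents and the jail path /usr/jails/norman are constructed assumptions.

```python
#!/usr/bin/env python3
"""Static checks for a FreeBSD jail's network setup.

Added example for this thread; not ezjail's, FreeBSD's or the poster's
code.  It works on pasted text only, so it runs anywhere without root.
The interface spec and host network come from the mail; the resolv.conf
below and the jail path are constructed for the example.
"""
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_ezjail_ifspec(spec):
    """'lo1|127.0.1.1,igb0|192.168.11.128' -> [('lo1', 127.0.1.1), ...].

    An item without 'iface|' is a bare address (ezjail allows that too).
    """
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        iface, _, addr = item.rpartition("|")
        addrs.append((iface or None, ipaddress.ip_address(addr)))
    return addrs


def jail_conf_stanza(name, spec, path):
    """Render an /etc/jail.conf stanza equivalent to the ezjail create.

    jail(8) accepts 'iface|addr' in ip4.addr/ip6.addr, so the alias is
    still added to (and removed from) the named interface on start/stop.
    """
    addrs = parse_ezjail_ifspec(spec)
    v4 = [f"{i}|{a}" if i else str(a) for i, a in addrs if a.version == 4]
    v6 = [f"{i}|{a}" if i else str(a) for i, a in addrs if a.version == 6]
    lines = [
        f"{name} {{",
        f'    path = "{path}";',
        f'    host.hostname = "{name}";',
        '    exec.start = "/bin/sh /etc/rc";',
        '    exec.stop = "/bin/sh /etc/rc.shutdown";',
        "    mount.devfs;",
    ]
    if v4:
        lines.append(f'    ip4.addr = "{", ".join(v4)}";')
    if v6:
        lines.append(f'    ip6.addr = "{", ".join(v6)}";')
    lines.append("}")
    return "\n".join(lines) + "\n"


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def check_dns_path(spec, host_networks, resolv_conf):
    """Return findings (strings) explaining why lookups would time out.

    host_networks: CIDRs the host's own addresses are in.  A jail alias
    outside all of them is reachable from the host, but nothing beyond
    the host has a route back to it unless the host NATs for it.
    """
    findings = []
    jail_addrs = [a for _, a in parse_ezjail_ifspec(spec)]
    nets = [ipaddress.ip_network(n) for n in host_networks]
    routable = [a for a in jail_addrs if a not in LOOPBACK]
    if not routable:
        findings.append("jail has only loopback addresses; nothing "
                        "outside the host can answer it")
    for a in routable:
        if not any(a in n for n in nets):
            findings.append(f"{a} is outside the host's networks "
                            f"{host_networks}; replies need NAT on the "
                            "host or a route back to it")
    servers = parse_resolv_conf(resolv_conf)
    if not servers:
        findings.append("no nameserver in the jail's /etc/resolv.conf")
    for s in servers:
        if s in LOOPBACK:
            # FreeBSD maps a jail's 127.0.0.1 onto its first IPv4 address,
            # which is why ezjail puts the lo1 alias first in the spec.
            first = jail_addrs[0] if jail_addrs else None
            findings.append(f"nameserver {s} is loopback; inside the jail "
                            f"127.0.0.1 means {first}, so a resolver on "
                            "the host's lo0 is not reached")
    return findings


# Values from the mail (spec, host network); resolv.conf is constructed.
JAIL_SPEC = "lo1|127.0.1.1,igb0|192.168.11.128"
HOST_NETS = ["172.16.0.0/12"]
RESOLV_CONF = "search example.org\nnameserver 127.0.0.1\nnameserver 172.16.1.53\n"

if __name__ == "__main__":
    print(jail_conf_stanza("norman", JAIL_SPEC, "/usr/jails/norman"))
    for finding in check_dns_path(JAIL_SPEC, HOST_NETS, RESOLV_CONF):
        print("-", finding)
```

Run on the values from the mail it prints the jail.conf stanza and two findings: 192.168.11.128 is outside 172.16.0.0/12, so the nameserver's replies have nowhere to go unless the host NATs or the upstream router has a route for it, and the constructed `nameserver 127.0.0.1` line would not reach a resolver on the host. Neither check needs raw sockets, so it complements the `host` test in the mail rather than replacing it; once the static side is clean, a TCP probe to port 53 from inside the jail (`nc -vz -w 3 <nameserver> 53`) is the next step, since TCP works in a jail where ping does not.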


More information about the freebsd-questions mailing list