Jails and networks

Alejandro Imass aimass at yabarana.com
Fri Aug 24 15:10:14 UTC 2018


On Fri, Aug 24, 2018 at 8:35 AM, Norman Gray <norman.gray at glasgow.ac.uk> wrote:
>
> Alejandro, hello.
>
> On 23 Aug 2018, at 23:18, Alejandro Imass wrote:
>

[...]

> Thanks for this advice.  However I don't think this is the root of my
> problem.  I can do:
>

[...]

> igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>
> options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
>         ether a4:bf:01:26:7d:b1
>         hwaddr a4:bf:01:26:7d:b1
>         inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128

[...]

> which look right, but
>
>     # host www.freebsd.org
>     ;; connection timed out; no servers could be reached
>     #
>
> So something is still amiss with the networking inside the jail, or the way
> I've set up networking outside of the jail (nothing exotic at all as far as
> I'm aware), and I'm at a loss as to what it might be, or how to debug it.
>

Try by IP to the outside first.

Make sure you have a resolv.conf in your jail. Copy the one from
outside or use something like:

nameserver 8.8.8.8

I banged my head on this for a while.

> There's something important about jail networking that I'm not
> understanding, but I haven't a clue what it is.  Most frustrating.
>

It usually works pretty much automatically, especially with ezjail.

[...]

> On the question of 'ezjail-admin start' vs /usr/sbin/jail...
>
> I'd switched to starting jails with /usr/sbin/jail partly because I'd formed
> the impression that ezjail could be used as a convenient way of doing the
> fiddly and error-prone work of assembling jails, but that the jails were
> standard enough that they could be managed thereafter with the standard
> tool.  This impression may of course be wrong in an illuminating way.
>
> If true, that's a nice place to be, since 'ezjail-admin create' is doing
> work that I basically understand but would do less well, but there's no
> extra magic that 'ezjail-admin start' is doing.  I'm all for minimising
> magic.
>
> Also, it seems that there's at least some incompatibility between current
> ezjail (3.4.2) and 11.2 jails.  ezjail-admin starts jails using the
> four-argument call to /usr/sbin/jail, which means that /etc/jail.conf is
> ignored.  `jail` produces a warning in this case, that this is an 'obsolete'
> way of starting a jail; the jail(8) manpage doesn't say 'obsolete', but does
> mention this call as being present 'for backward compatibility'.
>
> That is:
>
>     # ezjail-admin onestart norman
>     Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is
> created and used for jail norman.
>     /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is
> obsolete.  Please consider migrating to /etc/jail.conf.
>


Yeah, I've seen that for a long time now and I've seen some discussion
around it. Not sure it makes any real difference and has never been a
problem for me.

Maybe you can try the ezjail mailing list:

https://erdgeist.org/arts/software/ezjail/#author-contact

Dirk is usually very friendly and fast in responding. Qjail says they
work on 11 and beyond but I've never tried it. There's been some
friction over the years and I sided with Dirk and continue to use
ezjail.
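
The two checks suggested above (reach the outside by IP first, then confirm the jail has a resolv.conf with a nameserver) can be scripted so the failing layer is named explicitly. This is an added example, not part of the original message or of ezjail; the function names, the probe address and the use of nc on TCP port 53 are assumptions. nc is used rather than ping because jails deny raw sockets unless allow.raw_sockets is set, so a failing ping inside a jail does not by itself prove a routing problem.

```shell
#!/bin/sh
# Added example: triage for "no servers could be reached" inside a jail.
# Function names and defaults are hypothetical.

# Print the nameserver addresses in a resolv.conf-style file, one per line.
# A missing file or a bare "nameserver" keyword yields nothing.
resolvers() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Name the broken layer from three observations:
#   $1  0 if an outside address answered by IP, 1 otherwise
#   $2  number of nameserver entries in the jail's resolv.conf
#   $3  0 if a name lookup succeeded, 1 otherwise
diagnose() {
    if [ "$1" -ne 0 ]; then
        echo "no-ip-connectivity"
    elif [ "$2" -eq 0 ]; then
        echo "no-resolver-configured"
    elif [ "$3" -ne 0 ]; then
        echo "resolver-unreachable"
    else
        echo "ok"
    fi
}

# Collect the observations from inside the jail and print the diagnosis.
# nc makes a TCP connection, so it works where ping's raw socket is denied.
triage() {
    conf=${1:-/etc/resolv.conf}
    probe_ip=${2:-8.8.8.8}        # assumption: reachable on TCP port 53
    name=${3:-www.freebsd.org}
    if nc -z -w 3 "$probe_ip" 53 >/dev/null 2>&1; then ip_rc=0; else ip_rc=1; fi
    count=$(resolvers "$conf" | awk 'END { print NR }')
    if host "$name" >/dev/null 2>&1; then dns_rc=0; else dns_rc=1; fi
    diagnose "$ip_rc" "$count" "$dns_rc"
}

# Run the live checks only when asked: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

A result of no-ip-connectivity points at the host side (address alias, routing, firewall) rather than at the jail's resolver configuration.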


More information about the freebsd-questions mailing list