Fighting with vnet / jails epair and so on

Philipp Huebner philipp.huebner at fdrive.com.au
Wed Jan 18 22:39:57 UTC 2012


Hi,

On 19/01/12 00:59, Denny Schierz wrote:
> =======================================
> 
> # host: 
> jexec 2 ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up
> ifconfig: up: permission denied

I use 9.0.0 release for host and jail and a GENERIC kernel with options
VIMAGE being the only change/addition.
No problem.

> 
> 
> # sysctl:
> 
> security.jail.enforce_statfs: 2
> security.jail.mount_allowed: 0
> security.jail.chflags_allowed: 0
> security.jail.allow_raw_sockets: 1
> security.jail.sysvipc_allowed: 1

security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0

> security.jail.socket_unixiproute_only: 1
> security.jail.set_hostname_allowed: 1
> security.jail.jail_max_af_ips: 255
> security.jail.jailed: 0
> 
> /etc/rc.conf:
> =============================
> jail_enable="YES"
> jail_v2_enable="YES"
> jail_list=""
> jail_sysvipc_allow="YES"
I don't have this line; not sure what it does either.

> 
> #JAIL template
> jail_list="$jail_list template"
> jail_template_name="template"
> jail_template_hostname="template.CHANGED"
> jail_template_devfs_enable="YES"
> jail_template_rootdir="/jails/template"
> jail_template_mount_enable="YES"
> jail_template_fstab="/etc/jails/fstabs/template"
> jail_template_vnet_enable="YES"
> jail_template_devfs_ruleset="devfsrules_jail"
>  
> #network
> jail_template_exec_prestart0="ifconfig epair0 create"
> jail_template_exec_prestart1="ifconfig bridge0 addm epair0a"
> jail_template_exec_prestart2="ifconfig epair0a up"
> jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
> jail_template_exec_afterstart0="ifconfig lo0 127.0.0.1"
> jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up"
> jail_template_exec_afterstart2="route add default 130.83.160.62"
> jail_template_exec_afterstart3="/bin/sh /etc/rc"
                                  ^^^^^^^^^^^^^^^
The initscript runs /etc/rc already when the jail is created; this makes
it run a second time, which messed things up for me.

When the initscript runs /etc/rc, all the scripts with NOJAIL are
skipped. For some reason, when running /etc/rc a second time through
this configuration, some daemons like cron were started a second time.

I now execute a custom /etc/rc.jail which runs a few init scripts
manually to configure networking and start a few daemons that don't come
up with the original run of /etc/rc.


> jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
> jail_template_exec_poststop1="ifconfig epair0a destroy"

I am not doing this, because shortly after stopping a jail this would
give me a kernel panic.

If you comment those lines, the devices will stay where they are and
simply be re-used the next time you start the jail again. Works without
a problem for me.

Regards
Philipp
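
The two rc.conf pitfalls discussed in this thread (an afterstart hook that runs /etc/rc a second time, and a poststop hook that destroys the epair) are easy to catch mechanically. The script below is an added example, not code from the thread or from FreeBSD: it lints a constructed rc.conf fragment modelled on the quoted configuration, reports each offending hook, and writes a copy with those lines commented out, which is the workaround described above (the epair devices stay and are re-used on the next start). The function names, the regular expressions and the sample file contents are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): lint jail hooks in an
# rc.conf for (1) /etc/rc being re-run from an afterstart hook and
# (2) an epair being destroyed from a poststop hook.

# Constructed sample rc.conf fragment, modelled on the quoted configuration.
SAMPLE_RCCONF="$(mktemp)"
cat > "$SAMPLE_RCCONF" <<'EOF'
jail_enable="YES"
jail_list="template"
jail_template_vnet_enable="YES"
jail_template_exec_prestart0="ifconfig epair0 create"
jail_template_exec_earlypoststart0="ifconfig epair0b vnet template"
jail_template_exec_afterstart1="ifconfig epair0b 192.168.1.2 netmask 255.255.255.0 up"
jail_template_exec_afterstart3="/bin/sh /etc/rc"
jail_template_exec_poststop0="ifconfig bridge0 deletem epair0a"
jail_template_exec_poststop1="ifconfig epair0a destroy"
EOF

# An afterstart hook whose command contains a bare /etc/rc (not /etc/rc.d/...).
RC_RERUN='^jail_[A-Za-z0-9_]*_exec_afterstart[0-9]*=.*/etc/rc(["[:space:]]|$)'
# A poststop hook that destroys an epair end.
EPAIR_DESTROY='^jail_[A-Za-z0-9_]*_exec_poststop[0-9]*=.*ifconfig +epair[0-9]+[ab] +destroy'

# check_jail_rcconf FILE: print each offending hook to stderr and echo the
# number of findings on stdout (0 means the file is clean).
check_jail_rcconf() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if printf '%s\n' "$line" | grep -qE "$RC_RERUN"; then
            echo "warning: /etc/rc is run a second time by a jail hook: $line" >&2
            n=$((n + 1))
        elif printf '%s\n' "$line" | grep -qE "$EPAIR_DESTROY"; then
            echo "warning: epair destroyed in a poststop hook: $line" >&2
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# fix_jail_rcconf IN OUT: copy IN to OUT with the offending hooks commented
# out, so the epair stays in place and is re-used on the next jail start.
fix_jail_rcconf() {
    while IFS= read -r line || [ -n "$line" ]; do
        if printf '%s\n' "$line" | grep -qE "$RC_RERUN|$EPAIR_DESTROY"; then
            printf '#%s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done < "$1" > "$2"
}

# Demonstration run on the constructed sample: two findings, then zero
# after the fix.
echo "findings before fix: $(check_jail_rcconf "$SAMPLE_RCCONF")"
FIXED_RCCONF="$(mktemp)"
fix_jail_rcconf "$SAMPLE_RCCONF" "$FIXED_RCCONF"
echo "findings after fix: $(check_jail_rcconf "$FIXED_RCCONF")"
```

Only a bare `/etc/rc` is flagged; hooks that call individual `/etc/rc.d/*` scripts, as the custom /etc/rc.jail approach above does, pass the check. The `deletem` line is left alone because removing the epair from the bridge is harmless on its own; the prestart `addm` puts it back.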

