From: Alejandro Imass
Date: Thu, 23 Aug 2018 18:18:53 -0400
Subject: Re: Jails and networks
To: Norman Gray
Cc: FreeBSD Questions

On Thu, Aug 23, 2018 at 3:49 PM Norman Gray wrote:
>
> Greetings.
>
> I'm having difficulty creating a jail which is able to see the outside
> world. The various recipes I've found seem to be subtly contradictory:
> I'm trying to understand what they're doing rather than dumbly following
> them, and my lack of success here is telling me that my mental model of
> jails+networking doesn't quite match reality. I think I'm on the verge
> of a very educational experience....
>
> I'm using ezjail, on 11.2.
>
> Sources:
>
> * The manual [1] describes basic usage, but mentions release 9.3; I
> get the impression that ezjail's procedure for starting and configuring
> jails (using /etc/jail.conf rather than the old 4 arguments) is slightly
> but significantly incompatible with 11.2.
>
> * The ezjail documentation [2] describes setting up a jail using
> em0|10.0.0.2, very straightforwardly
>
> * A forum post [3] describes setting up a jail using ezjail and pf.
> Now, I don't think I need pf in my situation, so I want to skip that
> part of the instructions. But I now suspect I'm doing so naively.
>
> * Another forum post [4] describes setting up both a VIMAGE and a
> non-VIMAGE jail, and is usefully explicit about the contents of the
> /etc/jail.conf file. This is the one I've been following most closely,
> but I realise that I don't understand why it configures a bridge
> interface, but adds only a single real interface igb0 to it (my model of
> a bridge interface is that it necessarily involves two interfaces, or
> does the igb0 in the host and the one in the client count as two?).
>
> My host is on a 172.16.0.0/12 private network, which is routable
> locally, though it has to use a proxy to get to the web. I want to set
> up a jail on (slightly at random) 192.168.11.128.
>
> I have:
>
> * net.inet.ip.forwarding: 1
> * igb0 configured with the correct IP address and mask, not aliased
> at all
> * I've created lo1
>
> My /etc/jail.conf looks like
>
> exec.start = "/bin/sh /etc/rc";
> exec.stop = "/bin/sh /etc/rc.shutdown";
> exec.clean;
>
> path = "/local/jails/$name";
>
> mount.fstab = "/etc/jail/fstab.${name}";
> mount.devfs;
> mount.fdescfs;
> mount.procfs;
>
> host.hostname = "${name}.local";
>
> devfs_ruleset = "4";
>
> norman {
>     # test jail
>     ip4.addr = "192.168.11.128";
>     interface = "igb0";
> }
>
> and the non-comment lines in /usr/local/etc/ezjail.conf look like
>
> ezjail_jaildir=/local/jails
> ezjail_ftphost=http://ftp.uk.freebsd.org
> ezjail_use_zfs="YES"
> ezjail_use_zfs_for_jails="YES"
> ezjail_jailzfs=zroot/local/jails
>
> I've created an ezjail flavour called 'norman' (with the inevitable
> solipsism).
>
> My _understanding_ is that this sets the jail to use the igb0 interface
> in the host (a non-VIMAGE jail doesn't have a separate networking
> stack).
>
> I create the jail
>
> ezjail-admin create -f norman -c zfs norman
> 'lo1|127.0.1.1,igb0|192.168.11.128'
>
> lo1 first, as suggested in [1]. My impression is that that sets up the
> loopback interface within the jail to be an alias of lo0 in the host,
> and attaches 192.168.11.128 to igb0 in the jail.
>
> Then I start the jail
>

If you are using ezjail then use ezjail-admin or /usr/local/etc/rc.d/ezjail start xxxx

I.e. if ezjail is managing your jails then use ezjail-admin and avoid any jail-specific commands except for jls.

How do you know your jails can't access the Internet? ping and some network commands are restricted in jails but can try wget or curl to test. Or maybe pkg update to test.

I can help you a lot with ezjail. I've used it for years and it's a great system.

Best,

Alex
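One check worth running before testing from inside the jail, as an added example that is not part of the thread: a non-VIMAGE jail's ip4.addr becomes an alias on the host interface named in jail.conf, so if that address is not inside the subnet the host actually lives on, other hosts on the LAN have no route back to it. The script below parses the jail.conf quoted above (embedded inline) and compares the jail's ip4.addr with the host's network; the host address 172.16.5.10/12 is a constructed stand-in, since the thread only gives the 172.16.0.0/12 network.

```sh
#!/bin/sh
# Added example, not from the thread. POSIX sh: checks whether a jail's
# ip4.addr (taken from a jail.conf block) shares a subnet with the host.

# The jail.conf from the thread, embedded so the script runs without the file.
JAIL_CONF='exec.start = "/bin/sh /etc/rc";
path = "/local/jails/$name";
host.hostname = "${name}.local";
norman {
    # test jail
    ip4.addr = "192.168.11.128";
    interface = "igb0";
}'

# Dotted quad -> 32-bit integer (e.g. 192.168.11.128 -> 3232238464).
ip2int() {
    printf '%s\n' "$1" | { IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Prefix length -> netmask integer (e.g. 12 -> 0xfff00000).
prefix2mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# same_subnet HOST_IP PREFIX OTHER_IP -> "yes" or "no"
same_subnet() {
    m=$(prefix2mask "$2")
    if [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]; then
        echo yes
    else
        echo no
    fi
}

# jail_ip4 NAME CONF_TEXT -> the ip4.addr value inside that jail's { } block
jail_ip4() {
    printf '%s\n' "$2" | awk -v j="$1" '
        $1 == j && $2 == "{"            { in_block = 1 }
        in_block && $1 == "ip4.addr"    { gsub(/[";]/, "", $3); print $3 }
        in_block && $1 == "}"           { in_block = 0 }'
}

# check_jail NAME HOST_IP PREFIX CONF_TEXT -> one-line verdict
check_jail() {
    jip=$(jail_ip4 "$1" "$4")
    if [ "$(same_subnet "$2" "$3" "$jip")" = yes ]; then
        echo "$1: $jip is inside the host's $2/$3 network"
    else
        echo "$1: $jip is OUTSIDE $2/$3; LAN hosts cannot reach it without extra routing"
    fi
}

check_jail norman 172.16.5.10 12 "$JAIL_CONF"
```

Run it on the host with the real host address and prefix; with the thread's values it reports that 192.168.11.128 lies outside 172.16.0.0/12.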