Date: Thu, 30 May 2013 12:18:49 -0400 From: Joe <fbsd8@a1poweruser.com> To: Pietro Paolini <pulsarpietro@aol.com> Cc: freebsd-questions@freebsd.org Subject: Re: VIMAGE Message-ID: <51A77BE9.7070107@a1poweruser.com> In-Reply-To: <627BE01F-08C6-4A79-A6DC-32B7C65B6DA7@aol.com> References: <DB90C1DC-66E4-4429-A888-44F4F9E4B98B@aol.com> <51A74637.8090809@a1poweruser.com> <627BE01F-08C6-4A79-A6DC-32B7C65B6DA7@aol.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Pietro Paolini wrote: > On May 30, 2013, at 2:29 PM, Joe <fbsd8@a1poweruser.com> wrote: > >> Pietro Paolini wrote: >>> Hello all, >>> I am a new bye on the FreeBSD and I am looking at the VIMAGE features experiencing some problems. >>> I added the options : >>> VIMAGE >>> if_bridge >>> and I removed >>> STCP >>> then I recompiled my kernel and install it. >>> After that, following this tutorial http://imunes.tel.fer.hr/virtnet/eurobsdcon07_tutorial.pdf I tried the "Exercise 2" which consist on the following commands: >>> vimage -c n1 >>> vimage -c n2 >>> ngctl mkpeer efface ether ether >>> ngctl mkpeer efface ether ether >>> ngctl mkpeer em0: bridge lower link0 >>> ngctl name em0:lower bridge0 >>> ngctl connect em0: bridge0: upper link1 >>> ngctl connect ngeth0: bridge0: ether link2 >>> ngctl connect ngeth1: bridge0: ether link3 >>> vimage -i n1 ngeth0 e0 >>> But my virtual interface on the n1 vimage does not receive any packet from the external network while I can see the packet go out from it. >>> For instance using DHCP, e0 on n1 sends DHCP packets but it does not receive the answers (which are send, I verified it from wireshark), in adding >>> the ARP request for his IP address (if I try to add it statically) are not received then it can not answer. >>> At the end of the line the question is: how can I make this "virtual network" and the external real network be able to communicate ? >>> Thanks in advance. >>> Pietro. >> 1. That link is from 2007. So very much has changed since then. >> There are more current links on the internet about this subject. Most are for 8.X releases. >> >> 2. If your running 8.2-RELEASE or 9.1-RELEASE all you need to add is "options vimage" statement to your kernel source and recompile. >> >> 3. There are 2 networking methods available for creating vnet/vimage jail networks, if_bridge/epair and netgraph. The if_bridge/epair method is far simpler to config and use then the netgraph method. >> >> 4. There are 2 methods of jail setup, the rc.d method where your jail definition parameters go into the hosts rc.conf and the jail(8) method where you can place each jails definition parameter in separate files. >> >> 5. There are two very important show stopper PRs on vimage, >> 164763 memory leak and 149050 the rc.d keyword "nojail" problem. >> Vimage is a very long way from prime time usage, thats why it's labeled as highly experimental. Host system freezes and page faults are common. >> >> 6. When it comes to running a firewall in a vnet/vimage jail your limited to IPFW and it has limitations. Dummynet and in kernel NAT cause system freezes. IPFILTER causes page fault at boot time. PF will run on the host but not run in the vnet/vimage jail. Here are a bunch of PRs on vimage firewall problems, 143621, 176092, 161094, 176992, 143808, 148155, 165252, 178480, 178482 >> >> >> Check out these links >> >> http://druidbsd.sourceforge.net/vimage.shtml >> http://devinteske.com/vimage-jails-on-freebsd-8 >> http://lists.freebsd.org/pipermail/freebsd-virtualization/2011-September/000747.html >> >> http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto >> http://zewaren.net/site/?q=node/78 >> >> >> _______________________________________________ >> freebsd-questions@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > Thanks so much, really interesting and good links but I can't again accomplish my task - I followed http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto as a base tutorial - > > > I would like simulate more client for my PC using this technology, and that's my topology: > > 1 - Two epairs created > 2 - Two jail created > 3 - Assign one intf for jail > 4 - Add the real interface to a bridge where I put all the interfaces > > ------- > JAIL1 > 0b > ------- > > ------- > JAIL2 > 1b > ------- > > ------- > HOST > 0a > 1a > em0 --> REAL > ------- > > Where {0,1}a is the first pair and {0,1}b is the second and em0 is my real interface (it has an IP address), then I got to the problem, I tried > to : > > jexec 2 dhclient epair1b > > And I can see the DHCP packet with the correct MAC address going out, the server reply (I have a sniffer pc) but the transaction does not end successfully, what is really strange is that if I attach tcpdump on em0 I can NOT see the answer server sends while when I try > > dhclient em0 > > I can see the packet going in and out and the DHCP transaction finish successfully. Do you have any idea about how can I accomplish my > target ? Maybe I am using the wrong technology ? > > I would not surprised if I make a error on my configuration but what really interest me is if I CAN do that using jail. > > Thanks a lot, and in advance ! :-) > > Pietro. > Pietro; You really have to provide a lot more info about your host system and jail configuration. What version of FreeBSD are you running? Which method do you use to create your jails, rc.d/rc.conf or jail(8). How are your creating the if_bridge/epair network, IE entering commands by hand or using a script? Post the script. Can you post the output of ifconfig command after you have your jail network created? How are you handling the "rc.d nojail keyword" problem? Have you manually assigned a private LAN ip address and default route to the epairXb interface inside of the vnet jail? DHCP will not work from inside of the vnet jail. Your ISP only assigns a single dymamic IP address per each account. You already used your assigned ip address for your host. If the computer your running the vnet/vimage jail on is on a local area network and the gateway host is running a DHCP server to dynamically assign private ip address to computers on the LAN, then DHCP in the vnet/vimage jail may work. To the broader question, why do you think you need a vnet/vimage jail in the first place. You wrote "simulate more client for my PC", If client means hosting paying clients then you sure don't want to be using vimage because it highly experimental and NOT reliable. Jails are a security feature that encloses a process in a container. By process I mean "postfix email server" or "apache web server". If your "client" means "processes", then this is what the non-vnet/vimage jail is for.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51A77BE9.7070107>