Date: Thu, 23 Aug 2018 15:35:12 +0000
From: "Adriano Amorim via Dock" <invite@dock.io>
To: <freebsd-questions@freebsd.org>
Subject: Adriano's connection request is about to expire
Message-ID: <ZK6OBAABZWds2MsFE2Hf8QmlDQo9.1535038512@dock.io>
Adriano's connection request is about to expire.

Adriano Amorim
Managing Partner

Accept

Accept now to join Dock and connect to Adriano. Dock helps you connect your professional data and stay secure with the Safe Scan feature: check if your email, passwords or personal information has been hacked or compromised on other websites like LinkedIn, Dropbox, Yahoo, Snapchat, Adobe and many more.

Start your scan

Adriano Amorim
Managing Partner

Other people you may know on Dock

Rafael Teixeira, Project Manager at CI&T
Paul van den Bergen, bitwrangler
Andrew Pantyukhin, Co-founder at Tangem
Antonio Prado, CTO at AS59715
Nejc Škoberne, CEO at Genialis

You are receiving this email because you were listed in Adriano's LinkedIn Contacts and Adriano requested to invite you to Dock.
We value your data privacy, learn more.

Dock
149 New Montgomery St Suite 425 San Francisco CA 94105

Unsubscribe from invites to Dock

From owner-freebsd-questions@freebsd.org Thu Aug 23 18:45:06 2018
From: Norman Gray <norman.gray@glasgow.ac.uk>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Jails and networks
Date: Thu, 23 Aug 2018 19:44:57 +0100
X-Mailer: MailMate (1.11.3r5509)
Message-ID: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>

Greetings.

I'm having difficulty creating a jail which is able to see the outside world. The various recipes I've found seem to be subtly contradictory: I'm trying to understand what they're doing rather than dumbly following them, and my lack of success here is telling me that my mental model of jails+networking doesn't quite match reality. I think I'm on the verge of a very educational experience....

I'm using ezjail, on 11.2.

Sources:

* The manual [1] describes basic usage, but mentions release 9.3; I get the impression that ezjail's procedure for starting and configuring jails (using /etc/jail.conf rather than the old 4 arguments) is slightly but significantly incompatible with 11.2.

* The ezjail documentation [2] describes setting up a jail using em0|10.0.0.2, very straightforwardly.

* A forum post [3] describes setting up a jail using ezjail and pf. Now, I don't think I need pf in my situation, so I want to skip that part of the instructions. But I now suspect I'm doing so naively.

* Another forum post [4] describes setting up both a VIMAGE and a non-VIMAGE jail, and is usefully explicit about the contents of the /etc/jail.conf file. This is the one I've been following most closely, but I realise that I don't understand why it configures a bridge interface, but adds only a single real interface igb0 to it (my model of a bridge interface is that it necessarily involves two interfaces, or does the igb0 in the host and the one in the client count as two?).

My host is on a 172.16.0.0/12 private network, which is routable locally, though it has to use a proxy to get to the web. I want to set up a jail on (slightly at random) 192.168.11.128.

I have:

* net.inet.ip.forwarding: 1
* igb0 configured with the correct IP address and mask, not aliased at all
* I've created lo1

My /etc/jail.conf looks like

    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    path = "/local/jails/$name";
    mount.fstab = "/etc/jail/fstab.${name}";
    mount.devfs;
    mount.fdescfs;
    mount.procfs;
    host.hostname = "${name}.local";
    devfs_ruleset = "4";

    norman {
        # test jail
        ip4.addr = "192.168.11.128";
        interface = "igb0";
    }

and the non-comment lines in /usr/local/etc/ezjail.conf look like

    ezjail_jaildir=/local/jails
    ezjail_ftphost=http://ftp.uk.freebsd.org
    ezjail_use_zfs="YES"
    ezjail_use_zfs_for_jails="YES"
    ezjail_jailzfs=zroot/local/jails

I've created an ezjail flavour called 'norman' (with the inevitable solipsism).

My _understanding_ is that this sets the jail to use the igb0 interface in the host (a non-VIMAGE jail doesn't have a separate networking stack).

I create the jail

    ezjail-admin create -f norman -c zfs norman 'lo1|127.0.1.1,igb0|192.168.11.128'

lo1 first, as suggested in [1]. My impression is that that sets up the loopback interface within the jail to be an alias of lo0 in the host, and attaches 192.168.11.128 to igb0 in the jail.

Then I start the jail

    jail -c norman

it starts up sshd promptly, but takes a long time (presumably timing out in fact) to start sendmail_submit and sendmail_msp_queue. Then

    jexec 4 /bin/sh

lets me see

    # cat /etc/resolv.conf
    search physics.gla.ac.uk
    nameserver 130.209.4.16
    nameserver 130.209.4.18
    # ifconfig igb0
    igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
            ether a4:bf:01:26:7d:b1
            hwaddr a4:bf:01:26:7d:b1
            inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active

...which looks right. But

    # host www.gla.ac.uk
    ;; connection timed out; no servers could be reached
    #

The routing table is very simple:

    # netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    192.168.11.128     link#3             UHS         lo0

I don't think I've done anything at all exotic here, and the resolv.conf contents and ifconfig output looks as I'd expect. The routing table doesn't have a default route, but (a) if this interface is just the same as the same-named one in the host, so ... *mumble*; and (b) the various recipes I've quoted don't anywhere mention having to add a default route, so I don't think that can be what I'm missing.

I'm wondering if there's something to do with the private network the host is on. But that can talk to the network without difficulty, and in any case http_proxy is correctly set in the jail.

I've seen a mention of epair(4), but I don't think that's relevant.

So I'm clearly misunderstanding something terribly important (and embarrassingly obvious in retrospect), which hasn't magically become clear by my explaining the steps clearly to myself here. I suspect I don't _actually_ understand the relationship between the jail's interfaces and the host's -- they seem the same but not the same in some very uncomfortable way.

Any epiphanies gratefully received.

Best wishes,

Norman

[1] https://www.freebsd.org/doc/handbook/jails-ezjail.html
[2] https://erdgeist.org/arts/software/ezjail/
[3] https://forums.freebsd.org/threads/30063/
[4] https://forums.freebsd.org/threads/49561/

-- 
Norman Gray : https://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
[University of Glasgow: The Times Scottish University of the Year 2018]
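An added example, not part of the post above or of ezjail: with a non-VIMAGE jail the jail shares the host's network stack, and jail(8) adds each ip4.addr as an alias on the interface named by "interface". The helpers below check, from host-side ifconfig text, whether that alias is present and whether the jail address lies on the host's directly connected network. The subnet 172.16.0.0/12 and the jail address come from the post; the host's own address (172.16.5.10) and the ifconfig text are constructed samples.

```shell
#!/bin/sh
# Host-side "ifconfig igb0" as it would look after "jail -c norman"
# (constructed sample, not captured from a real host).
IFCONFIG_SAMPLE='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.5.10 netmask 0xfff00000 broadcast 172.31.255.255
        inet 192.168.11.128 netmask 0xffffffff broadcast 192.168.11.128'

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX -> "yes" if ADDR lies inside NET/PREFIX, else "no".
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ] && echo yes || echo no
}

# has_alias IFCONFIG_TEXT ADDR -> "yes" if ADDR is configured on the interface.
has_alias() {
    printf '%s\n' "$1" | grep -q "inet $2 " && echo yes || echo no
}

# jail_net_check IFCONFIG_TEXT HOSTNET JAILADDR -> one-word verdict:
#   missing-alias  the address never reached the host interface
#   on-link        same segment as the host; neighbours can ARP for the jail
#   needs-nat      address is off-subnet, so replies have no route back unless
#                  the host NATs for it (e.g. with pf) or the LAN routes it
jail_net_check() {
    [ "$(has_alias "$1" "$3")" = yes ] || { echo missing-alias; return; }
    [ "$(in_subnet "$3" "$2")" = yes ] && echo on-link || echo needs-nat
}

# Run the check for the jail and subnet in the post.
jail_net_check "$IFCONFIG_SAMPLE" 172.16.0.0/12 192.168.11.128
```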