Date:      Thu, 28 Jan 2010 23:45:18 +0100
From:      "tom@diogunix.com" <tom@diogunix.com>
To:        freebsd-jail@freebsd.org
Subject:   Re: How do you manage your jails?
Message-ID:  <201001282345.19033.tom@diogunix.com>
In-Reply-To: <223601caa066$ecec32d5$0d01460a@secnap.com>
References:  <223601caa066$ecec32d5$0d01460a@secnap.com>

Christer, 
Michael,

thank you very much for your answers.

I meanwhile could fix the issue. To provide the solution, here in short is my 
setup and how I fixed it.

I run the machine in a data center and wanted GEOM GELI disk encryption for 
the jails' partitions (one per jail). Therefore, I cannot use any scripting 
solutions for jail management. All jails are run via generic command lines 
(jail / jexec / ...). The jails were built via make world and also all daemons 
were compiled using the ports collection. There are three jails, each with a 
small bunch of IP addresses.

The issue was that I could not find out which rules FreeBSD follows when 
deciding which of the IPs in a jail to use for outgoing connections. It did 
NOT use the primary jail IP and I also could not bind daemons to a certain IP.

Solution: From the list of alias IPs as configured via ifconfig on the host 
system, FreeBSD takes the one which comes first in the list of alias IPs and 
uses it for outgoing connections. If you do not want the IP selected by FreeBSD 
for outgoing connections, just remove the alias IP on the host system (ifconfig 
-alias) and then add it again (ifconfig alias). Through this the IP will 
become the last in the list and another alias IP will then get selected for 
outgoing connections from within the jail. You must go ahead with this method 
until the right alias IP gets used.

That at least was my method to fix the issue. But maybe there's anybody out 
there knowing a better method ...

On Christer's questions:
All jails are managed by generic jail commands (as forced by the GEOM GELI 
setup). I can do this because there are not that many jails. I however do not 
use any scripting or cfengine/puppy (never heard of it). I use sendmail only 
in some jails to get the periodic status messages sent to my email box for 
admin purposes (reduced sendmail setup of course and not listening outside). I 
do not share ports. All jails are used for different purposes. Everything is 
managed "by hand". Automating it would not pay off with so few jails. Thanks 
for your link. Will visit it.

Thanks again to all
Tom


> pssh with pki keys to run multiple commands, ports in main. Make packages
> then pssh each to install the package
>
> -----Original Message-----
> From: Christer Solskogen <christer.solskogen@gmail.com>
> Sent: Thursday, January 28, 2010 5:05 PM
> To: freebsd-jail@freebsd.org <freebsd-jail@freebsd.org>
> Subject: How do you manage your jails?
>
> So you have installed a FreeBSD server and setup several jails on your
> system. They run the services they need and everything works smoothly. But
> how do you manage all of them? What do you do if you want to run a command on
> all jails? Do you run cfengine/puppy? How do you setup sendmail? Do
> you have sendmail on all jails?
> Do you share ports to all jails? How do you keep ports up to date on them?
> Do you have a set of scripts that you want to share? On
> http://antarctica.no/stuff/UNIX/FreeBSD/jails/ you'll find what I use.
>
> I'm preparing a talk for BLUG (the local Linux/BSD group) and I want to
> know how YOU manage your jails, there sure is more than one way to do it.



