allow jail to connect to internet on ec2 [simple]

gideondsouza

New Member


Messages: 6

So I'm mostly a Linux newbie myself, let alone FreeBSD, so please bear with me.

I have a jail running:
Code:
# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.101   01.gideon.com                /jails/01.gideon.com

If I go to that jail's console I can't install perl on it. If I do portsnap fetch inside the jail I get:
Code:
host: isc_socket_bind: address not available
no mirrors, giving up.

I've looked at several articles and posts but I'm confused about what goes where. I just want you to tell me where I should put the right entries. This is a sample from this article; my system info is below:

rc.conf
Code:
hostname=""       # what goes here?
defaultrouter=""  # what goes here?
# I don't understand what this is for?
ifconfig_em0="inet 192.168.0.10 netmask 255.255.255.0"

# I'm guessing this should be like this:
ifconfig_xn0="inet 192.168.1.101 netmask 255.255.255.0"

# Should I use an alias?
# ifconfig_em0_alias0="inet 192.168.0.111 netmask 255.255.255.0"

This is what ifconfig -a gives me:

Code:
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=503<RXCSUM,TXCSUM,TSO4,LRO>
        ether 12:31:39:2a:dc:cc
        inet 10.8.106.58 netmask 0xfffffe00 broadcast 10.8.107.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet manual
        status: active

This is my /etc/resolv.conf:

Code:
# Generated by resolvconf
search ec2.internal
nameserver 172.16.0.23

So how do I go about this? Please help me out :)
 

junovitch@

Daemon
Developer

Reaction score: 632
Messages: 1,773

Hello. I would recommend checking out something like sysutils/qjail or sysutils/ezjail. With that it's fairly easy to share one copy of ports to all the running jails and not have to waste space and time running portsnap on each jail. However, if you want to keep pressing on with what you are doing, jails don't bind to sockets without you explicitly enabling it. I suspect you can't ping anything either. You can try this on the host system and put it in /etc/sysctl.conf.
# sysctl security.jail.allow_raw_sockets=1
 
gideondsouza

New Member


Messages: 6

Hi. Yeah. I've been up all night trying various things. I used qjail and got everything working. But I still can't get to the internet. If I do an nslookup I get: connection timed out.

I posted my findings here (which is awaiting moderation) and I also posted here.

Please help.
 

junovitch@

Daemon
Developer

Reaction score: 632
Messages: 1,773

I came across a few posts that discuss ezjail and/or Amazon EC2. I am not an expert, but the most likely issue I see is that your "MY_JAIL" variable in your /etc/pf.conf isn't the same as your external IP assigned through DHCP. In the two guides below it looks like the standard practice when using PF is to assign all the jails to a "lo" loopback interface and use PF, rather than just assigning them as aliases on the currently running interface as you are. The timing out just seems to be the result of data getting sent out of the machine and not knowing how to get back.

http://forums.freebsd.org/showthread.php?t=28650

http://forums.freebsd.org/showthread.php?t=30063
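The loopback-plus-PF layout described above, written out as an added example that is not from this thread or from either linked guide. It assumes a cloned lo1 interface, a private 10.0.0.0/24 range for jails (10.0.0.2 for 01.gideon.com) and the xn0 interface name from the ifconfig -a output above; the jail itself is then configured (in qjail or rc.conf) to use 10.0.0.2 on lo1 instead of an alias on xn0.

```conf
# --- /etc/rc.conf on the EC2 host (added lines; example, not the poster's config) ---
pf_enable="YES"            # load PF at boot
gateway_enable="YES"       # enable IP forwarding so the host routes for the jail network
cloned_interfaces="lo1"    # private loopback that carries only jail addresses
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.255"   # assumed address for 01.gideon.com

# --- /etc/pf.conf on the EC2 host ---
ext_if   = "xn0"          # interface name taken from the ifconfig -a output above
jail_net = "10.0.0.0/24"  # everything living on lo1

set skip on { lo0 lo1 }   # host <-> jail traffic on the loopbacks is not filtered

# NAT the jails out through the host. "($ext_if)" in parentheses makes PF look up
# the interface's current address for each packet, so the DHCP-assigned EC2 address
# is never hard-coded and the MY_JAIL mismatch described above cannot happen.
nat on $ext_if from $jail_net to any -> ($ext_if)

block in all                       # default deny for anything arriving on xn0
pass out quick keep state          # host and jails may initiate; replies match state
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state   # admin SSH to the host only
# No rdr rule exists, so nothing outside can reach 10.0.0.2 directly; the jail is
# only addressable from the host, which is what you want for a ports-building jail.
```

Check the rules with `pfctl -nf /etc/pf.conf` before `service pf start`, and copy the host's /etc/resolv.conf into the jail so its nslookup reaches 172.16.0.23 through the NAT.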
 