Best practice for loopback interface in jails?

[jem]

Hello forum.

I'm playing around with FreeBSD jails for the first time on 10.1-RELEASE and I'm trying to work out the best way of configuring the localhost interface within the jails.

As I understand it, I can either configure each jail's lo0 interface with a unique 127.x.y.z/8 address, or I can configure them all to share 127.0.0.1 with the main host.

The benefit of the latter method would be that any services running on the main host that listen on 127.0.0.1 will be reachable from the jails as well. This could let all jails use the same local resolver, rather than each running their own instance. Or, a web server running in a jail would be able to talk to a MySQL server running in another jail, or on the main host.

The drawback of this is that if processes running on the main host and inside the jails try to bind to the same port on 127.0.0.1, the jailed processes will fail. Obviously, this can be avoided with careful configuration.

The drawback of using unique loopback addresses in each jail is that they can't seem to send traffic to other loopback addresses.

I was wondering how other FreeBSD jail users approach this issue. Is there an established best practice for this?

 

[kpa]

You're opening a potential security hole if you allow jails to share the lo0 interface with the associated 127.0.0.0/8 subnet, at least separating the jails with a firewall gets more complicated if you do that. I wouldn't try to provide the jails with a dedicated localhost address since it's not strictly necessary for correct operation.

 

[jem]

So how would you enable processes in multiple jails to communicate with each other without using loopback?

 

[SirDice]

Use a cloned interface lo1 and assign RFC-1918 addresses to your jails.

 

[jem]

I created a lo1 interface and assigned 192.168.192.1 to it on the main host, and 192.168.192.2 inside the jail:

main host:

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.192.2 netmask 0xffffffff
        inet 192.168.192.1 netmask 0xffffff00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

jail:

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.192.2 netmask 0xffffffff

I also reconfigured local_unbound on the main host to listen on 192.168.192.1.

Inside the jail, I tried:

# drill www.google.com @192.168.192.1
Error: error sending query: Could not send or receive, because of network error

tcpdump on lo1 on the main host sees no packets.

 

[jem]

Needed to add lo1 to my set skip on lo0 line in /etc/pf.conf. Jails can now use the unbound instance running on the main host.