Solved Configure Network In Subjail

Hello,

We have put one of our clients in a jail. Well, I mean we have put their services and applications in the virtualized environment, not the client himself :D

On the host, top-level jails communicate with each other using the loopback interface. The scheme is: 192.168.0.1, 192.168.0.2, 192.168.8.3 etc... Say the jail we are talking about has the network address 192.168.0.2 (and we can call this jail J2). We need to put a database in the subjail (that we can call J2.1) so I am trying to find how we can have J2 communicate with J2.1 through an address having the form localhost:<port> or through a subnet of some sort.

To be honest I am not sure about the strategy to use, and I also do not know how to configure this kind of subnetwork for a subjail.

Any pointer would be greatly appreciated,

Many thanks
 
Nice question, and I am not sure either - but then, there is no such thing as jail subnetting. Each jail gets its own IP address(es), and this should be true as well for sub-jails. And all of them get added as aliases to the main IP stack (usually to lo).
So I might suppose you are completely free to distribute IP numbers as you like. All gets routed on the main system anyway, and that router throws the packet to any port that would listen on that IP - and it is always up to you to make sure that only the respective jail does that.

Another option might be to look into VIMAGE. There each jail has its own independent IP stack, and for networking you treat them exactly as if they were separate machines (you have to employ virtual interfaces to connect them).
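
For the VIMAGE route mentioned in this reply, here is an added example (not PMc's and not from the thread) of a vnet jail in jail.conf that is connected to the host over an epair. The jail name, paths and the 192.168.1.0/24 addresses are assumptions for illustration:

```conf
# Added example: a VIMAGE (vnet) jail with its own network stack.
# Needs a kernel with options VIMAGE (GENERIC has it since FreeBSD 12.0).
path = "/jails/$name";          # assumed layout: one directory per jail
exec.clean;
mount.devfs;
exec.stop = "/bin/sh /etc/rc.shutdown";
host.hostname = "$name.example.invalid";

dbvnet {
    vnet;
    # epair0b is moved into the jail's own stack; epair0a stays on the host.
    vnet.interface = "epair0b";
    exec.prestart = "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair0a inet 192.168.1.1/24";
    # The jail's stack starts empty: bring up lo0, the jail end of the pair
    # and a default route back through the host before running rc.
    exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/sbin/ifconfig epair0b inet 192.168.1.2/24 up";
    exec.start += "/sbin/route add default 192.168.1.1";
    exec.start += "/bin/sh /etc/rc";
    # Destroying one end of an epair removes the pair.
    exec.poststop = "ifconfig epair0a destroy";
}
```

A database listening inside dbvnet is reached at 192.168.1.2 through epair0a, from the host and from the classic (non-vnet) jails, whose addresses are aliases on the host stack. Note the boundary this creates: root inside a vnet jail can reconfigure epair0b to any address it likes, so the address list is no longer the access control; if only one jail should reach the database, filter on epair0a with pf or ipfw on the host side.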
 
Thank you all for your insights, this was very helpful to get the picture. In particular PMc helped me see more clearly, I think what we can do in these situations is create an additional IP address on lo1, say 192.168.8.4 and assign two IP addresses to J2 in jail.conf:

Code:
jailJ2 {
    ...
    # both addresses belong to J2; the second one is handed down to the subjail
    ip4.addr = "192.168.8.3,192.168.8.4";
}

So that when we create a subjail in J2, we can assign the IP address 192.168.8.4 to J2.1 in the jail.conf file within J2.
However, I have realized that in my specific situation we do not actually need to create a subjail. We name our jails using the scheme "customername-service" to ease management, so I have simply created another top level jail, especially since at the end of the day, we are the only ones managing the server.

Getting into subjails may make sense if at some point we give a customer SSH access to one of their jails and they want to have additional virtualized environments that they handle themselves. But for the time being, creating top-level jails is both an easier and more appropriate approach for us. I considered getting into subjails because it seemed to make sense from a functional perspective (i.e. this service is used to enable this specific service); however, this implementation adds unnecessary complexity.

Just added the possible solution mentioned above for reference in case someone needs this setup since I couldn't find a direct answer to this specific question when I browsed the web. Hopefully this thread and its very informative answers will save someone time in the future.
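
Written out on both sides, the two-address scheme in this post (and the aliases-on-lo model PMc describes earlier) looks like the following. This is an added example, not configuration from the thread; the jail names `j2` and `db`, the `/jails` layout and the hostnames are assumptions. jail(8) names cannot contain a dot, so the thread's J2.1 becomes the hierarchical name `j2.db`:

```conf
# Host /etc/jail.conf (added example, not from the thread).
# Defaults shared by every top-level jail on this host.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";           # assumed layout: one directory per jail
host.hostname = "$name.example.invalid";
interface = "lo1";               # jail(8) adds and removes the aliases on lo1 itself

j2 {
    # .3 is the application jail's own address, .4 is reserved for its child.
    ip4.addr = 192.168.8.3, 192.168.8.4;
    # Children are refused unless the parent allows at least one.
    children.max = 1;
    # Needed so the child's mount.devfs works from inside j2.
    allow.mount;
    allow.mount.devfs;
    enforce_statfs = 1;
}

# /jails/j2/etc/jail.conf, i.e. the jail.conf inside j2.
# jail(8) run in j2 refuses any address that j2 itself does not hold,
# so the child can only be given the second alias.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/jails/$name";           # relative to j2's root: /jails/j2/jails/db on the host
host.hostname = "$name.j2.example.invalid";

db {
    ip4.addr = 192.168.8.4;
}
```

lo1 has to exist before the jails start (cloned_interfaces="lo1" in the host's rc.conf), and jail_enable="YES" goes in both the host's and j2's rc.conf. From j2 the database is addressed as 192.168.8.4:<port>, not localhost: in a non-VIMAGE jail 127.0.0.1 is translated to the jail's first address, which is 192.168.8.3 here. Two checks are worth running on the host: `jls -h name ip4.addr` should list j2 with both addresses and j2.db with only the second, and `sockstat -4l -j j2.db` should show only the database listening. The caveat PMc raises applies directly to j2: a service there that binds 0.0.0.0 binds every address the jail holds, including 192.168.8.4, so make the application in j2 bind 192.168.8.3 explicitly, or it will compete with the child for that port.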
 