Configure Poudriere Jail

Hi All,

I just started to use Poudriere to compile packages for my jails.

My host IP = 10.0.0.*
My jail IPs = 192.168.1.*

I would like to share the packages via the Poudriere jail; for this I believe I need to change the IP of the Poudriere jail to match the other jail IPs.

Can someone please help me with how to set up the IP for the Poudriere jail, or tell me what other options I have to update the packages in jails?

Thanks with regards,
 
You want to do it the other way by nullfs(5) mounting the package directory of the host to the jails.

# mount_nullfs /usr/local/poudriere/data/packages/<jailname>-default /path/to/jailroot/usr/ports/packages

I'm sure ezjail offers an option to automate that mount on jail startup, I just haven't used it so I can't advise on that.

The other way would be to share the host's package directory via a web server and allow the jails to access that web server.
 
You can also install nginx for example and "share" the packages that way. Another way is to set your path like this:
Code:
dicelan-desktop: {
    url: file:///usr/local/poudriere/data/packages/11-desktop-default/
    mirror_type: none
    enabled: yes
}

dicelan-server: {
    url: file:///usr/local/poudriere/data/packages/11-server-default/
    mirror_type: none
    enabled: yes
}

I test different types of packages on this machine; it also builds them. You can use the nullfs(5) trick kpa showed to mount the poudriere package directory on the host or on other jails.
 
Thanks kpa / SirDice,

As I mentioned in my post, the host and jails are in different subnets. I think I need to modify the pf.conf to redirect requests from the jail to the host for either method, nginx or file://.

Thanks
 
If you use file:// it will use the local filesystem. As this won't use the network a firewall would be irrelevant. If you go the http:// route then of course you need to allow access from the jails.
 
Depending on your setup you won't need any redirections to allow the jails to access the web server running on the host. As long as you have IP forwarding on there will be access across the different subnets/interfaces if your PF rules allow the connections in the first place.
 
I think I'm clearly missing something here:

SirDice: My understanding of jails is that they cannot access the file system on the host, thus the configuration with file:// inside the jail won't be useful as the path won't be inside the jail.

kpa: As both the jails and the host are on the same computer (I have only one FreeBSD server so there are no other jails/hosts to update in the whole network), it is my understanding that pf.conf is the only way that I can set up IP forwarding.

Thanks
 
SirDice: My understanding of jails is that they cannot access the file system on the host, thus the configuration with file:// inside the jail won't be useful as the path won't be inside the jail.
True, but you can use nullfs(5) to mount that filesystem on other jails.

kpa: As both the jails and the host are on the same computer (I have only one FreeBSD server so there are no other jails/hosts to update in the whole network), it is my understanding that pf.conf is the only way that I can set up IP forwarding.
PF doesn't forward the traffic. It's done with the gateway_enable setting. PF uses the routing capabilities of the host it runs on.
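
The nullfs plus file:// approach from the replies above, as an added example that is not part of the thread: a small sh helper that emits a read-only fstab(5) entry and the matching pkg repository definition for one jail. The function names and the jail root /usr/jails/www are hypothetical; the package directory and repository name reuse the values posted above.

```shell
#!/bin/sh
# Added example (not from the thread): generate a read-only nullfs fstab
# entry and a pkg repository definition for a jail.

# Accept only absolute paths built from safe characters, so a value cannot
# break the whitespace-delimited fstab line or climb out with "..".
valid_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./-]*|*/../*|*/..) return 1 ;;
    esac
}

# fstab_line <poudriere package dir on host> <jail root>
# "ro" keeps a jail from modifying the packages that the host and the
# other jails install from.
fstab_line() {
    valid_path "$1" && valid_path "$2" || return 1
    printf '%s %s/usr/ports/packages nullfs ro 0 0\n' "$1" "${2%/}"
}

# repo_conf <repository name>
# The URL is the mount point as seen from inside the jail, so pkg reads
# the local filesystem and no firewall rule is involved.
repo_conf() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s: {\n' "$1"
    printf '    url: "file:///usr/ports/packages"\n'
    printf '    mirror_type: none\n'
    printf '    enabled: yes\n'
    printf '}\n'
}

# Constructed sample run: package set from the config posted above,
# jail root is a placeholder.
fstab_line /usr/local/poudriere/data/packages/11-server-default /usr/jails/www
repo_conf dicelan-server
```

The fstab line belongs in the file the jail's mount.fstab parameter points to, and the repository definition in a .conf file under /usr/local/etc/pkg/repos/ inside the jail.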
 
Although I came across gateway_enable before, I didn't really pay much attention to it.

I will go through this and see how I can improve my setup.

EDIT: Not sure how you got those green letters
 
I think I'm clearly missing something here:

kpa: As both the jails and the host are on the same computer (I have only one FreeBSD server so there are no other jails/hosts to update in the whole network), it is my understanding that pf.conf is the only way that I can set up IP forwarding.

Thanks

You can set up FreeBSD as a fully working router without using any kind of packet filter. It won't be able to do any filtering or address rewriting, but it will work as long as all IP addresses used are routable. As SirDice wrote above, the ability to forward IP packets between interfaces is controlled only by the gateway_enable setting in rc.conf(5) (ipv6_gateway_enable for IPv6), which turns on the net.inet.ip.forwarding sysctl(8) that is the actual control for IP forwarding.
 