Ezjail has no inet

[bsus]

Hi,

I have created a jail using ezjail. Before creating I have added this to rc.conf:

ifconfig_em0_alias0="inet 192.168.178.100 netmask 255.255.255.0"

and manually executed:
[cmd=]ifconfig em0 alias 192.168.178.100 netmask 255.255.255.0[/cmd]

ifconfig

 ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
	ether 00:1b:21:bd:1c:41
	inet6 fe80::21b:21ff:febd:1c41%em0 prefixlen 64 scopeid 0x1 
	inet 192.168.178.62 netmask 0xffffffff broadcast 192.168.178.62
	inet 192.168.178.63 netmask 0xffffffff broadcast 192.168.178.63
	inet 192.168.178.64 netmask 0xffffffff broadcast 192.168.178.64
	inet 192.168.178.60 netmask 0xffffff00 broadcast 192.168.178.255
	inet 192.168.178.50 netmask 0xffffff00 broadcast 192.168.178.255
	inet 192.168.178.100 netmask 0xffffff00 broadcast 192.168.178.255
	inet 192.168.178.4 netmask 0xffffff00 broadcast 255.255.255.0
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether bc:ae:c5:70:76:64
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (10baseT/UTP <half-duplex>)
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

The resolv.conf of the jail is:

nameserver 192.168.178.1

When I want to install a port I get:

No route to host

How do I fix this? By the way: why isn't the ezjail using my default ports directory?
This would save traffic because it could use the local distfiles.

Regards.

 

[SirDice]

There's either a firewall blocking traffic or your host is also unable to get to the internet.

 

[Beeblebrox]

By the way: Why isn't the ezjail using my default ports dir?

Mount your "ports dir" with nullfs before you start the jail (not on the base jail):
# mount_nullfs /usr/ports jaildir/usr/ports
But an easier way would be to add the nullfs mount line in /etc/fstab.jailname. That way it mounts every time you start the jail.

Building ports inside the jail is not advised unless the jail is specifically a "build jail". You can pkg_add from your package repository (which you will also mount with nullfs) if the same package/port is already installed on host. To create the package use portmaster -g when updating or using one of pkg_create or make package.

when I want to install a port I get: No route to host

Your Jail has no internet access because you need to first set up NAT (using pf, ipfw etc)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

 

[bsus]

I will start setting up ezjails from scratch.

Could somebody recommand a complete how to?

I only found some which miss some details (like Beebleprox strategy):
wiki.bsdforen
Forum thread 1
Psybermonkey
Forum thread 2
FreeBSD Wiki
Secure Computing

just to list some.

All have "quite different" procedures. Which is "right"?

 

[johnd]

The one from the FreeBSD Wiki works fine. Also check ezjail-admin(1) for options.

 

[bsus]

I have a strange issue with executing # ezjail-admin install
Any ideas?

ezjail-admin install
ZFS: manage basejail and newjail
Trying 193.162.146.4:21 ...
Connected to ftp.freebsd.org.
220 ftp.beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
local: base.txz remote: base.txz
229 Entering Extended Passive Mode (|||65135|)
150 Opening BINARY mode data connection for 'base.txz' (57097044 bytes).
100% |***********************************************************| 55758 KiB  608.44 KiB/s    00:00 ETA
226 Transfer complete.
57097044 bytes received in 01:31 (608.44 KiB/s)
221 Goodbye.
tar: could not chdir to '/usr/local/jails/fulljail'

Trying 193.162.146.4:21 ...
Connected to ftp.freebsd.org.
220 ftp.beastie.tdk.net FTP server (Version 6.00LS) ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
local: lib32.txz remote: lib32.txz
229 Entering Extended Passive Mode (|||54617|)
150 Opening BINARY mode data connection for 'lib32.txz' (9624304 bytes).
100% |***********************************************************|  9398 KiB  676.92 KiB/s    00:00 ETA
226 Transfer complete.
9624304 bytes received in 00:13 (676.91 KiB/s)
221 Goodbye.
tar: could not chdir to '/usr/local/jails/fulljail'

cd: /usr/local/jails/fulljail: No such file or directory
Error: Cant access temporary Jail directory.

 

[DutchDaemon]

inet 192.168.178.4 netmask 0xffffff00 broadcast 255.255.255.0

May be unrelated, but you wouldn't want that broadcast address. You may want the netmask, not the broadcast address .. You're also using /24 and /32 netmasks for aliases. The primary address should have the /24, the aliases should all have a /32 (when in the same /24 subnet).

 

[bsus]

Solution:
Don't mount your ZFS dataset in legacy mode.

 

[bsus]

inet 192.168.178.4 netmask 0xffffff00 broadcast 255.255.255.0

May be unrelated, but you wouldn't want that broadcast address. You may want the netmask, not the broadcast address ..

Yes, this was it I think. I have played around alot with rc.conf and # /etc/rc.d/netif restart but at the end only a restart helped

But now it works.

 

[bsus]

Some last edit:

When I add the following line to rc.conf:

ifconfig_em0_alias0="inet 192.168.178.100 netmask 255.255.255.0"

and then use # /etc/rc.d/netif restart then I am getting the no route problem (for inet connections). But when I enable the lines and reboot, it works. How can this be?

 

[SirDice]

The /etc/rc.d/netif restart deletes, then adds, the interfaces. The deletion also removes any related routes, including your default gateway.

 

[bsus]

So what would be the valid alternative to restart network and route without rebooting?

Mount your "ports dir" with nullfs before you start the jail (not on the base jail):
# mount_nullfs /usr/ports jaildir/usr/ports
But an easier way would be to add the nullfs mount line in /etc/fstab.jailname. That way it mounts every time you start the jail.

Building ports inside the jail is not advised unless the jail is specifically a "build jail". You can pkg_add from your package repository (which you will also mount with nullfs) if the same package/port is already installed on host. To create the package use portmaster -g when updating or using one of pkg_create or make package.

I now tried this but also failed:

mount_nullfs /usr/ports /usr/local/jails/www/usr/ports
mount_nullfs: /basejail: No such file or directory

The strange is that the portstree doesn't get mounted in the mounted basejail of the www-jail.

Your Jail has no internet access because you need to first set up NAT (using pf, ipfw etc)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

/usr/local/jails/www/usr/ports was linked to /usr/local/jails/www/basejail
You have to remove the link with # rm -rf /usr/local/jails/www/usr/ports && mkdir -p /usr/local/jails/www/usr/ports
than you can mount

 

[kpa]

# /etc/rc.d/netif restart
# /etc/rc.d/routing restart

 

[bsus]

Thank you