Solved EzJail Networking (Public Static) + (Private LAN) - How to? (Web Servers (Public) + MySQL- [Private])

I started a thread in networking over here and it resulted in lots of testing and discovering new things. I am getting closer to a solution; however I cannot seem to figure out how to use EzJail with my Host FreeBSD12.1-RELEASE (SuperNova) which has 10 Jails on it right now created w/ EzJail.

I want to create the jails so that the static public IPs that I use for the Jails (are accessible for the services) and the LAN IPs are used for the back-end talking between jails. (Apache - MySQL), etc.

Should I be creating the Jails using the Static IP or should I be creating the Jails using LAN IPs and then within the jails; in the Apache configurations use the Static IPs for the public access?

Has anyone achieved this feat? If so; I would love to see your configuration files!

Thank you!
 
Should I be creating the Jails using the Static IP or should I be creating the Jails using LAN IPs and then within the jails; in the Apache configurations use the Static IPs for the public access?
All jails should have LAN private IP addresses and a few can have public/static IP addresses as aliases.

All your services on private IPs can still be accessed via the host public/static IP.

Here is one of the reasons you may need a different public IP as an alias in a jail: (Multiple app engines and) Virtual hosts with unique domains in Apache may not all bind to the same IP address, particularly when you need SSL. They will ignite SSL errors. So you may need different SNIs and unique IP addresses.

How you configure the aliases is not a matter of taste. Such public IP addresses could be aliases to the host IP e.g.

rc.conf
Code:
ifconfig_em0="inet PUBLIC_IP netmask 255.255.255.0"
ifconfig_em0_alias0="inet PUBLIC_IP_2 netmask 255.255.255.0"

ifconfig_lo0_alias0="inet 192.168.100.1 netmask 255.255.255.255"
ifconfig_lo1_alias0="inet 192.168.100.2 netmask 255.255.255.255"

/usr/local/etc/ezjail/jail0
Code:
export jail_jail0_ip="PUBLIC_IP_2,lo1|127.0.1.1,em0|192.168.100.1"

If you don't need the public_ip_2, remove it and the "," following it.
 
Lamia,

You seem to be extremely experienced in this and this may take a while for me to understand and I may even ask lots of questions. I appreciate you responding with an answer that appears to be the solution.

Question #1) rc.conf (Is this for the Host?)

Question #2) /usr/local/etc/ezjail/jail0 (export jail_jail0_ip="PUBLIC_IP_2,lo1|127.0.1.1,em0|192.168.100.1"), should I re-create these Jails that I already created or can I simply update my host rc.conf networking; then update each and every one of the jail configs using your parameters example using the correct differential IPs per jail?

Much thank you!

~ Brandon
 
1) Yes
2) Update the files.
 
I updated rc.conf:

Code:
ifconfig_vtnet0="inet 206.162.240.66 netmask 255.255.255.224"

ifconfig_vtnet0_alias1="inet 206.162.240.67 netmask 255.255.255.224"
ifconfig_vtnet0_alias2="inet 206.162.240.68 netmask 255.255.255.224"
ifconfig_vtnet0_alias3="inet 206.162.240.69 netmask 255.255.255.224"
ifconfig_vtnet0_alias4="inet 206.162.240.70 netmask 255.255.255.224"
ifconfig_vtnet0_alias5="inet 206.162.240.71 netmask 255.255.255.224"

ifconfig_vtnet0_alias6="inet 206.162.240.72 netmask 255.255.255.224"
ifconfig_vtnet0_alias7="inet 206.162.240.73 netmask 255.255.255.224"
ifconfig_vtnet0_alias8="inet 206.162.240.74 netmask 255.255.255.224"
ifconfig_vtnet0_alias9="inet 206.162.240.75 netmask 255.255.255.224"
ifconfig_vtnet0_alias10="inet 206.162.240.76 netmask 255.255.255.224"

ifconfig_vtnet0_alias11="inet 206.162.240.77 netmask 255.255.255.224"
ifconfig_vtnet0_alias12="inet 206.162.240.78 netmask 255.255.255.224"
ifconfig_vtnet0_alias13="inet 206.162.240.79 netmask 255.255.255.224"
ifconfig_vtnet0_alias14="inet 206.162.240.80 netmask 255.255.255.224"
ifconfig_vtnet0_alias15="inet 206.162.240.81 netmask 255.255.255.224"

ifconfig_vtnet0_alias16="inet 206.162.240.82 netmask 255.255.255.224"
ifconfig_vtnet0_alias17="inet 206.162.240.83 netmask 255.255.255.224"
ifconfig_vtnet0_alias18="inet 206.162.240.84 netmask 255.255.255.224"
ifconfig_vtnet0_alias19="inet 206.162.240.85 netmask 255.255.255.224"
ifconfig_vtnet0_alias20="inet 206.162.240.86 netmask 255.255.255.224"

ifconfig_vtnet0_alias21="inet 206.162.240.87 netmask 255.255.255.224"
ifconfig_vtnet0_alias22="inet 206.162.240.88 netmask 255.255.255.224"
ifconfig_vtnet0_alias23="inet 206.162.240.89 netmask 255.255.255.224"
ifconfig_vtnet0_alias24="inet 206.162.240.90 netmask 255.255.255.224"
ifconfig_vtnet0_alias25="inet 206.162.240.91 netmask 255.255.255.224"

ifconfig_vtnet0_alias26="inet 206.162.240.92 netmask 255.255.255.224"
ifconfig_vtnet0_alias27="inet 206.162.240.93 netmask 255.255.255.224"
ifconfig_vtnet0_alias28="inet 206.162.240.94 netmask 255.255.255.224"

ifconfig_lo0_alias0="inet 192.168.100.1 netmask 255.255.255.255"

defaultrouter="206.162.240.65"

Then /usr/local/etc/ezjail/jail1: (php1)

Code:
export jail_php1_hostname="php1"
export jail_php1_ip="vtnet0|206.162.240.81,lo1|127.0.1.1,lo0_alias0|192.168.100.2"
export jail_php1_rootdir="/usr/jails/php1"
export jail_php1_exec_start="/bin/sh /etc/rc"
export jail_php1_exec_stop=""
export jail_php1_mount_enable="YES"
export jail_php1_devfs_enable="YES"
export jail_php1_devfs_ruleset="devfsrules_jail"
export jail_php1_procfs_enable="YES"
export jail_php1_fdescfs_enable="YES"
export jail_php1_image=""
export jail_php1_imagetype=""
export jail_php1_attachparams=""
export jail_php1_attachblocking=""
export jail_php1_forceblocking=""
export jail_php1_zfs_datasets=""
export jail_php1_cpuset=""
export jail_php1_fib=""
export jail_php1_parentzfs=""
export jail_php1_parameters="allow.raw_sockets=1"
export jail_php1_post_start_script=""
export jail_php1_retention_policy=""

System Start-up Error:

Code:
cannot start jail  "php1": 
ifconfig: interface lo0_alias0 does not exist
jail: php1: /sbin/ifconfig lo0_alias0 inet 192.168.100.2/32 alias: failed

Manual Jail0 Start Error:

Code:
root@supernova:/usr/local/etc/ezjail # ezjail-admin start php1
Starting jails: cannot start jail  "php1": 
ifconfig: interface lo0_alias0 does not exist
jail: php1: /sbin/ifconfig lo0_alias0 inet 192.168.100.2/32 alias: failed
.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
Error: Could not start php1.
  You need to start it by hand.
root@supernova:/usr/local/etc/ezjail #

Thanks again for your help!

~ Brandon
 
I just realized I cannot use "alias" for adapter in ezjail configurations.

I have since changed to this:

Code:
export jail_php1_ip="vtnet0|206.162.240.81,lo1|127.0.1.1,lo0|192.168.100.2"

and restarted the server and received no messages, the server started. I am going to do this on another jail and see if LAN can be ping'd back and forth between Jails. If so! AWESOME! Thanks Lamia!
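
The start-up failure earlier in the thread comes from putting an rc.conf variable suffix (lo0_alias0) where ezjail expects an interface name. As an added example, not part of the original thread, this sh function checks each interface|address entry of a jail_<name>_ip value against a list of existing interfaces; the helper name check_jail_ip and the interface list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check the interface part of an ezjail jail_<name>_ip value.
# Each comma-separated entry is "[interface|]address". The interface must be
# a real interface name (lo0), not an rc.conf variable suffix (lo0_alias0).

# check_jail_ip VALUE "IFACE1 IFACE2 ..."   (hypothetical helper name)
# Prints one line per entry; returns 0 if every entry is usable, 1 otherwise.
check_jail_ip() {
    value=$1
    known=$2
    rc=0
    old_ifs=$IFS
    IFS=,
    set -f                      # no globbing while splitting on commas
    for entry in $value; do
        case $entry in
            *\|*) iface=${entry%%|*}; addr=${entry#*|} ;;
            *)    iface=; addr=$entry ;;
        esac
        if [ -z "$iface" ]; then
            echo "ok   $addr (no interface given)"
        elif case " $known " in *" $iface "*) true ;; *) false ;; esac; then
            echo "ok   $addr on $iface"
        else
            echo "BAD  $addr: interface $iface does not exist"
            rc=1
        fi
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed interface list; on the host it would come from `ifconfig -l`.
IFACES="vtnet0 lo0 lo1"

# The value that failed in the thread, then the corrected one.
check_jail_ip "vtnet0|206.162.240.81,lo1|127.0.1.1,lo0_alias0|192.168.100.2" "$IFACES" \
    || echo "=> fix the entry before starting the jail"
check_jail_ip "vtnet0|206.162.240.81,lo1|127.0.1.1,lo0|192.168.100.2" "$IFACES" \
    && echo "=> all entries usable"
```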
 
Lamia,

Thanks 1000%

Worked like a charm!

php1 = 192.168.100.2
php2 = 192.168.100.3

Code:
root@php2:~ # ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: icmp_seq=0 ttl=64 time=0.098 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=0.115 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=64 time=0.110 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=64 time=0.122 ms
^C
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.098/0.112/0.122/0.008 ms
root@php2:~ #

Solved!


Thanks Open Source Awesome Team!

~ Brandon
 