Solved Giving jails network access through host's IP

DiscmanDaemon

Member


Hello all,
I am looking to allow processes inside jails to make network requests (such as DNS lookups, http requests, etc). The spit in the punch is that I wish to avoid giving them an alias on the host's NIC as I want to automate the creation and destruction of jails, and wish to avoid potential IP address conflicts across the LAN.

The best I can think of is attempting to request addresses with DHCP in my automated jail creation script, or, in the case of a static network, verify the address is available before creating the alias for the jail, although this feels very messy.

With exclusively incoming traffic, it is trivial to use nginx or similar to forward incoming requests to a jail bound exclusively to a loopback interface, but this obviously will not work with traffic originating inside the jail. Perhaps there is a way to configure a router and bridge for outgoing jail traffic on the loopback interface, bridging to the "real" network interface, although any ideas would be much appreciated.

Thanks,

DD
 

chrbr

Aspiring Daemon


With exclusively incoming traffic, it is trivial to use nginx or similar to forward incoming requests to a jail bound exclusively to a loopback interface, but this obviously will not work with traffic originating inside the jail.
I am not sure if I understood that by 100%. I run a jail just for a browser. This jail is configured to have a static address of a cloned loopback interface lo1. On the host system NAT is disabled. For DNS lookups I have dns/unbound configured to listen on lo1. For http www/privoxy listens on lo1, too. I just have to configure that in the browser running in the jail.
Maybe it is not perfect, but it avoids NAT and it works for that small task. I hope this answer is at least a little bit useful.
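An added example (not chrbr's own configuration) of what that layout looks like on the host: a cloned lo1, a jail whose address lives only on lo1, and unbound and privoxy bound to the host's lo1 address. The subnet 10.99.0.0/24, the jail name, the path /usr/jails and port 8118 are assumed values; the last function is the check an automated jail-creation script could run before handing out an address, since anything on lo1 never appears on the LAN and so cannot collide with it.

```shell
#!/bin/sh
# Host-side config generators for a jail on a cloned loopback (lo1).
# Assumed/constructed addresses: host 10.99.0.1/24 on lo1, jails 10.99.0.2+.
LO_IF=lo1
LO_NET=10.99.0            # /24 that exists only on lo1, never on the LAN NIC
HOST_IP=$LO_NET.1
PROXY_PORT=8118

# rc.conf(5) fragment: clone lo1, give the host its address, start services.
rc_conf_fragment() {
  printf 'cloned_interfaces="%s"\n' "$LO_IF"
  printf 'ifconfig_%s="inet %s netmask 255.255.255.0"\n' "$LO_IF" "$HOST_IP"
  printf 'jail_enable="YES"\nunbound_enable="YES"\nprivoxy_enable="YES"\n'
}

# jail.conf(5) stanza: the jail's address is attached to lo1 at jail start,
# so it is reachable from the host only and does not touch the LAN.
jail_conf_stanza() {   # $1 = jail name, $2 = jail address
  printf '%s {\n' "$1"
  printf '  path = "/usr/jails/%s";\n  host.hostname = "%s";\n' "$1" "$1"
  printf '  ip4.addr = "%s|%s/32";\n' "$LO_IF" "$2"
  printf '  exec.start = "/bin/sh /etc/rc";\n'
  printf '  exec.stop = "/bin/sh /etc/rc.shutdown";\n  mount.devfs;\n}\n'
}

# unbound.conf(5) fragment: listen on lo1 only and answer only the lo1
# subnet, so the host does not become a resolver for the rest of the LAN.
unbound_server_fragment() {
  printf 'server:\n  interface: %s\n  access-control: %s.0/24 allow\n' \
    "$HOST_IP" "$LO_NET"
}

# privoxy config line: listen on lo1 only; the jailed browser uses it as proxy.
privoxy_fragment() {
  printf 'listen-address %s:%s\n' "$HOST_IP" "$PROXY_PORT"
}

# Inside the jail, /etc/resolv.conf points at the host's lo1 address.
jail_resolv_conf() {
  printf 'nameserver %s\n' "$HOST_IP"
}

# Check a candidate address for a new jail: it must sit inside the lo1
# subnet and must not be the host's own address. Returns 0 if usable.
jail_addr_ok() {   # $1 = candidate IPv4 address
  case "$1" in
    "$HOST_IP") return 1 ;;
    "$LO_NET".*) return 0 ;;
  esac
  return 1
}
```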
 
DiscmanDaemon

Member


Thank you both,
I went with the NAT solution since I want to automate the jail IP address assignment, but will definitely play with the dns/unbound idea since I suspect that may be useful for another project I'm working on.

Out of curiosity, has anyone ever tried playing around with creating a bridge interface for their jails like Linux's Docker does under the covers?