Information about vimage in jail

ustuntas

Member


Messages: 26

Hi all,

How/Where can i find information, usage, installation, configuration about vimage using in jail?

Regards,

ustuntas
 
OP
ustuntas

ustuntas

Member


Messages: 26

Yes you are right.
I was googling also but i coulnt find the proper information
about vimage. Some forums say, if you want to use vimage you
must recompile kernel with "option VIMAGE". But, I count find
VIMAGE option in LINT file.

So, i search a good and proper information, installation and
configuration of vimage.

Any, suggestion.

Regards, ustuntas.
 

pbd

Active Member

Reaction score: 33
Messages: 199

ustuntas said:
But, I count find VIMAGE option in LINT file.

What version of FreeBSD do you have sources for? VIMAGE is part of FreeBSD version 8 and above.
 
OP
ustuntas

ustuntas

Member


Messages: 26

Hi,

I am sorry my mistake. Yes I want to use FreeBSD-8 (amd64).

Thank you.

ustuntas
 

pbd

Active Member

Reaction score: 33
Messages: 199

I don't know why there is no VIMAGE option in amd64 LINT (while it is in i386 and I have no information that VIMAGE is not supported on amd64, but correct me, please), but if you add:
Code:
option VIMAGE
in your kernel config file, can you build and install it?

If you can, build and install [CMD=]vimage[/CMD] tool:

Code:
cd /usr/src/tools/tools/vimage
make
make install
 
OP
ustuntas

ustuntas

Member


Messages: 26

Thank you for your answer pbd.

I want to use vimage for pure jails. For multi-routed jails and
for virtual firewalls (pf).

How can i design these pure jails? Is there any step-by-step guide for installing and configuring jails with vimage (vnet)?

Regards,

ustuntas
 

Eam404

Member


Messages: 25

As for Ezjail - When starting jails Ezjail does not set the vnet flag. There for Ezjail does NOT enable vnet on the jails it creates. I also tried settings a jail_flag for this but was not able to get it to work.
 

Savagedlight

Well-Known Member

Reaction score: 100
Messages: 369

tty23: that link is no longer valid.
Any information on how to configure this?

None of the following worked:
/usr/local/etc/ezjail/jailname
Code:
export jail_jailname_flags="-m vnet"
export jail_jailname_flags="vnet"
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,970
Messages: 38,420

Those are supposed to go into /etc/rc.conf. They are not normal variables, they are variables that define how the rc scripts are run during boot. Read jail(8). You might also want to read rc.conf(5).
 

Savagedlight

Well-Known Member

Reaction score: 100
Messages: 369

SirDice: Sorry, I forgot to specify those lines were in the per-jail ezjail configuration file. Isn't this how it's supposed to be when using ezjail?

I just get errors about the jail not being able to start with either enabled. On the last one (without the -m flag), it said the following:
# ezjail-admin start jailname
Code:
Configuring jails:.
Starting jails: cannot start jail "jailname":
But it doesn't look like one.

I think something eats the first line of the error message, but unsure how/what.
 

tty23

Member


Messages: 51

Savagedlight said:
tty23: that link is no longer valid.
Any information on how to configure this?

None of the following worked:
/usr/local/etc/ezjail/jailname
Code:
export jail_jailname_flags="-m vnet"
export jail_jailname_flags="vnet"

Mhh, yes, unfortunately the link is dead. I think this is what is needed to make it work:

Edit /etc/rc.d/jail:
Replace this line:
Code:
		eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
			\"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
With this line:
Code:
                eval ${_setfib} jail -i ${_flags} path=${_rootdir} host.hostname=${_hostname} \
                         command=${_exec_start} > ${_tmp_jail} 2>&1

In my file this is line 638 (I use FreeBSD 8 stable).

Then add this to /etc/rc.conf:
Code:
ezjail_enable="YES"
jail_flags="-c vnet"

You should not forget to create a script to set up your interfaces, as this does not work automatically with ezjail.

I created a script for doing this and setting jail names:
Code:
#!/bin/sh
# $Id: jailsetup,v 1.00 2010/02/06 12:08:54 cryx Exp $
#
# $FreeBSD$
#
# PROVIDE: jailsetup
# REQUIRE: ezjail
# BEFORE: securelevel
# KEYWORD: nojail shutdown
#

. /etc/rc.subr

name=jailsetup
rcvar=`set_rcvar`

start_cmd="do_jailsetup"

set_jailname()
{
        DNSNAME=$1 
        JAILNAME=$2
        
        local JID
        JID=`jls | grep $DNSNAME | awk '{ print $1 }'`

        jail -m jid=$JID name=$JAILNAME
}


do_jailsetup()
{
	## Set jail names, unfortunately the default script seems not be able to do that

	set_jailname "git" "git"
	set_jailname "dmz" "dmz"

	## Prepare network interfaces
	
	#git
	ifconfig epair0b vnet git
	#dmz
	ifconfig re1 vnet dmz
	ifconfig epair0a vnet dmz
	
	## Run init scripts
	
	jexec git /etc/setup_jail
	jexec dmz /etc/setup_jail
}

load_rc_config ${name}
run_rc_command "$1"

Please note, that I am not 100% sure that this is all that I did. Also, it seems that after these changes you cannot use non vnet jails any more.
 

Savagedlight

Well-Known Member

Reaction score: 100
Messages: 369

tty23: Thank you for the information, it was very helpful.

I've made a patch to the 8.1-RELEASE-p1 /etc/rc.d/jail script which allows both normal and vimage jails to work side by side on my system.
# diff /root/original_rc.d_jail /etc/rc.d/jail
Code:
638,639c638,644
<               eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
<                       \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
---
>               if [ -z "${_addrl}" ] ; then
>                       eval ${_setfib} jail -i ${_flags} path=${_rootdir} host.hostname=${_hostname} \
>                               command=${_exec_start} > ${_tmp_jail} 2>&1
>               else
>                       eval ${_setfib} jail -i ${_flags} ${_rootdir} ${_hostname} \
>                                 \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
>               fi
While this patch may be useful to some people, I think it might be a too dirty hack to apply to the default release.
However, I do believe that the automatic startup of jails should use the new named parameters instead of the depreciated flags.. This is probably getting offtopic for this thread though.

Back on topic:
The hosts networking is configured as such:
/etc/rc.conf
Code:
...
cloned_interfaces="vlan0 vlan1 bridge0"
ifconfig_em0="up mtu 9000 polling"
ifconfig_vlan0="inet n.n.n.n/nn vlan n vlandev em0 name lanif"
ifconfig_vlan1="up vlan nn vlandev em0 name jailif up"
ifconfig_bridge0="inet n.n.n.n/nn name jailbridge mtu 9000 addm jailif"

I've altered my ezjail configuration as follows:
/usr/local/etc/ezjail/jailname
Code:
#vnet stuff
export jail_jailname_flags="-c vnet name=jailname"
export jail_jailname_exec_prestart0="ifconfig epair0 create mtu 9000"
export jail_jailname_exec_prestart1="ifconfig jailbridge addm epair0a"
export jail_jailname_exec_prestart2="ifconfig epair0a up"

export jail_jailname_exec_poststart0="ifconfig epair0b vnet jailname"
export jail_jailname_exec_poststart1="jexec jailname /bin/sh /etc/rc.d/netif start"
export jail_jailname_exec_poststart2="jexec jailname /bin/sh /etc/rc.d/routing start"
export jail_jailname_exec_poststart3="jexec jailname /bin/sh /etc/rc"

export jail_jailname_exec_poststop0="ifconfig jailbridge deletem epair0a"
export jail_jailname_exec_poststop1="ifconfig epair0a destroy"
#end vnet stuff

And I've altered the jails /etc/rc.conf to define ip/subnet/name & default router.
Everything seems to work flawlessly at the moment. :)
 

bsus

Well-Known Member


Messages: 299

Hello,

Has somebody managed this with FreeBSD-9.0-RELEASE?

I never get network access in the jails; furthermore I get a kernel panic when stopping the jails.
 

bsus

Well-Known Member


Messages: 299

Does qjail support ZFS and what are the benefits to ezjail?

Found some other threads asking something like this but with no answer :O
 
Top