ip madness - multiple ip, jails, and ping, oh my...

Well, this is a cluster and your help sorting it out is appreciated. On my desktop, I'm exploring jails via Michael Lucas's Jail Mastery. In that text, it says "For our initial testing, use an IP address already attached to the host". That's a mouthful. It implies that there are addresses attached to the host. I only had one address (other than loopback), so I went messing with the network (always painful). After a bit of travail, here's what I did:

Code:
vi /etc/rc.conf
ifconfig_em0="inet 192.168.111.13 netmask 255.255.255.0"
defaultrouter="192.168.111.1"
ifconfig_em0_alias0="inet 192.168.111.131 netmask 255.255.255.255"
service netif restart
service routing restart

Then I tested the internet and whatnot and I appear to have preserved my access. Then I tested from a remote location and sure enough, I was able to ping both addresses.

So, apparently, I can have multiple IP addresses associated with my NIC this way (is it the right way?).

Next up was the jail. I created a place for my jails to live, extracted 32 bit 13.2 base.txz, and edited jail.conf:

Code:
$j="/jail";

path="$j/$name";

host.hostname="$name.my.home";

loghost {
    ip4.addr="192.168.111.131";
}

Then, I fired up sh in the jail:
Code:
sudo jail /jail/loghost loghost 192.168.111.131 /bin/sh

I got a prompt and did uname -a:

Code:
FreeBSD loghost 14.0-RELEASE-p3 FreeBSD 14.0-RELEASE-p3 #0: Mon Dec 11 04:56:01 UTC 2023     root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC i386

Weird, but it seems different from my working env. Am I really in a jail?

Code:
sysctl security.jail.jailed
security.jail.jailed: 1

Apparently so. I added resolv.conf, etc., and then tried ping:

Code:
ping -4 8.8.8.8
ping: ssend socket: Operation not permitted

Ouch. So, from the host?

Code:
ping -4 192.168.111.131
PING 192.168.111.131 (192.168.111.131): 56 data bytes
64 bytes from 192.168.111.131: icmp_seq=0 ttl=64 time=0.045 ms

Hmm... is that the host or my jail? Dunno, kinda lost at this point. Time to bail:

Code:
# exit
jail: /bin/sh: failed

Fascinating. I thought sh worked fine; networking, not so much, but sh? WTF?

Any helpful observations appreciated. No, I don't know what I'm doing, but I'd like to :).
 
Don't use jails at the moment, but remember looking at them at one point - on the operation not supported:

 
Well, I figured out how to get some of this working, thanks to the handbook. First, jail.conf:

Code:
loghost {
  # STARTUP/LOGGING
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
  exec.consolelog = "/var/log/jail_console_${name}.log";

  # PERMISSIONS
  allow.raw_sockets;
  exec.clean;
  mount.devfs;

  # HOSTNAME/PATH
  host.hostname = "${name}";
  path = "/jail/${name}";

  # NETWORK
  ip4.addr = 192.168.111.131;
  interface = em0;
}

Start it up:

Code:
service jail start loghost
Starting jails: loghost.

jls:

Code:
   JID  IP Address      Hostname                      Path
     3  192.168.111.131   loghost                       /jail/loghost

enter the jail:

Code:
jexec -u root loghost

do the ping:

Code:
ping -c 3 -4 google.com
PING google.com (142.251.116.101): 56 data bytes
64 bytes from 142.251.116.101: icmp_seq=0 ttl=57 time=5.056 ms

Wow. Still don't know what I'm doing, but it's working and I'm learning.
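Since allow.raw_sockets is the permission that made ping work, it is worth being able to see at a glance which jails in a jail.conf grant it and how each jail is addressed. The following POSIX shell audit script is an added example, not from this thread or the handbook; the embedded config is constructed to mirror the loghost jail above, and the second jail (dbhost) is a hypothetical entry to show the "inherit" and explicit-off cases. Variable expansion ($name, ${name}) is not performed.

```shell
#!/bin/sh
# Audit a jail.conf: report each jail's ip4.addr, interface, and whether
# allow.raw_sockets is granted (the knob that lets ping/raw ICMP work inside).
# Constructed sample config (hypothetical 'dbhost' jail added for contrast).
SAMPLE_CONF='$j = "/jail";
path = "$j/$name";
host.hostname = "${name}";
loghost {
  allow.raw_sockets;                # bare parameter means enabled
  ip4.addr = 192.168.111.131;
  interface = em0;
}
dbhost {
  ip4 = "inherit";                  # shares the host network stack
  allow.raw_sockets = 0;            # explicitly disabled
}'

# jail_audit: read jail.conf text on stdin, print one line per jail:
#   <name> ip4=<addr|inherit|unset> iface=<if|unset> raw_sockets=<yes|no>
jail_audit() {
  awk '
    { sub(/#.*/, "") }                                  # strip comments
    /^[ \t]*[A-Za-z0-9_.-]+[ \t]*\{/ {                  # "name {" opens a jail block
      name = $0; sub(/[ \t]*\{.*/, "", name); sub(/^[ \t]+/, "", name)
      ip[name] = "unset"; iface[name] = "unset"; raw[name] = "no"
      order[++n] = name; cur = name; next
    }
    /^[ \t]*\}/ { cur = ""; next }                      # "}" closes the block
    cur != "" {                                         # parameter inside a block
      line = $0; gsub(/^[ \t]+|[ \t;]+$/, "", line)
      if (line == "") next
      key = line; val = ""
      if (index(line, "=")) {                           # split "key = value"
        key = substr(line, 1, index(line, "=") - 1)
        val = substr(line, index(line, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)
      }
      if (key == "ip4.addr") ip[cur] = val
      else if (key == "ip4" && val == "inherit") ip[cur] = "inherit"
      else if (key == "interface") iface[cur] = val
      else if (key == "allow.raw_sockets")
        raw[cur] = (val == "" || val == "1" || val == "true") ? "yes" : "no"
    }
    END { for (i = 1; i <= n; i++) { k = order[i]
            print k " ip4=" ip[k] " iface=" iface[k] " raw_sockets=" raw[k] } }
  '
}

printf '%s\n' "$SAMPLE_CONF" | jail_audit
```

Run it against /etc/jail.conf on the host (jail_audit < /etc/jail.conf) to list every jail that has raw sockets enabled alongside its address.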
 
When going through mwl's "Jails" book, my host was on a DHCP-assigned address, so I put the toy jails on private 10.x.x.x network addresses bound to lo.

Props to you for using jail.conf. That is the way to learn.
 
Oh man. I did:

Code:
sysrc sshd_enable="YES"
sshd_enable: NO -> YES
# service sshd start

In the jail... then ssh'd into my jail from another machine on the network and I finally started to get the picture of why folks bother with jails! :). Glad I persisted. Off to learn more about them, but already, I'm planning to move my fossil server into its own jail.

Oh the possibilities - with ZFS and jails, moving services around the network becomes much simpler. Send and receive the jail's snapshot, edit jail.conf and rc.conf, bring one down and the other up. No more having to rebuild the stupid server as part of the install, more of just restoring. So much to learn, so little time.
 
My `jail.conf` is almost exactly the same as decuser's; the only difference is that my interface is lo0.

If I set it to:

Code:
ip4 = "inherit";

Then pings work. If I set it to an ip address instead like:

Code:
ip4.addr = 192.168.111.131;

Then pings do not work. Any ideas?
 