Is it possible to connect a jail to the internet with a dynamic IP (DHCP)?

[cabriofahrer]

I am new to jails and all I want is to create a jail (using ezjail) for experimental purposes for now, and I want to be able to install packages and ports within that jail, so obviously I need an internet connection. The Handbook and the ezjail page only explain how to setup a jail using a static IP, but I want that it gets assigned an IP through DHCP from my router, just as my host-pc does. In my host computer I have ifconfig_nfe0="DHCP" which comes from the original installation with bsdinstall.
So is something like that possible in a jail, too? Having taken a look at the FreeNAS page it seems that they have a checkbox option for a jail for DHCP if I don't understand wrong.

 

[rigoletto@]

I've never used sysutils/ezjail, I do use sysutils/iocell and I just do need to set dhcp=on. iocell(8)

So, yes you can use DHCP in jail BUT you need vnet(9) and bpf(4).

 

[Oko]

I've never used sysutils/ezjail, I do use sysutils/iocell and I just do need to set dhcp=on. iocell(8)

+1 for sysutils/iocell although silence on the mailing list is not giving much confidence about the future. sysutils/ezjail is abandoned because the author got pissed off (rightfully so) that
sysutils/qjail author has stolen his code and FreeBSD people are not removing that crap (crap refers to sysutils/qjail) from the ports. That is regrettable because there are situations in which UFS is preferable over ZFS (like in the case of embedded deployments) and iocell supports only Jail on the top of ZFS.

So, yes you can use DHCP in jail BUT you need vnet(9) and bpf(4).

VNET is not production ready. It can crash the host when you "power off" jail instance, IIRC also requires IPFW and it doesn't work with PF. There is a reason it is not enabled in generic kernel. Frankly I would not touch anything which requires kernel recompilation with a three-foot-long broomstick.

cabriofahrer
Your confusion is understandable. FreeBSD handbook is poorly maintained and deliberately misleading. FreeBSD also doesn't take a pride in their man pages. The fact that every single example of jail networking you can find by Googling seems describe the situation in which Jail uses just another IP (an alias) assigned to a physical network interface on the host should rise a red flag. Jail network infrastructure is neither complete nor production ready. Jail can only use another static IP which is assigned to the same physical interface as the host. It also have to use the same routing tables and more or less can use only the same firewall rules as the host system. You should also bare in mind that Jails safer the same security flaws which killed OpenBSD's sysjail as discovered by Kristaps Dzonsons.


That more or less reduces the usefulness of the jail infrastructure to the very simple cases (which I do use in production at work). That is very sad because in spite of its security flaws Jail infrastructure is far more appealing as a light weight sand-boxing of various services than for example Linux Containers or full blown virtualization like OpenBSD's vmm.

If you are truly interested in FreeBSD and good coder a great way to jump into the project will be to start by reading Joel Knight's (Cisco Engineer) OpenBSD blog and how virtualization of routing tables is done on OpenBSD

https://www.packetmischief.ca/2011/09/20/virtualizing-the-openbsd-routing-table/

Than think weather something like that could be technically possible with FreeBSD jails.

Another thing that really pisses me off is system admin tools like iocell have to be installed from the ports. That should be the part of the base. FreeBSD should have enough in its base to be able to automatically deploy, manage, snapshot, remote replicate, and even hot migrate few dozens of Jails right out of box.

 

[cabriofahrer]

Thank you so much for elaborating on this! I could not agree more. And yes, when reading the instructions of sysutils/iocell I could see immediately it was all about ZFS while I use UFS. Fortunately, a nice blogger gave me a good idea which I could then elaborate myself and which in the end is very easy:

Creating a bridge device as described in chapter 30.6 and which really is the concept that apparently Virtualbox for virtual machines:

#ifconfig bridge create
#ifconfig bridge0 addm nfe0 up
dhclient bridge0
ezjail-admin create bridgejail 'bridge0|192.168.1.7'

The fist command creates the bridge "bridge0". Then I added my network device (nfe0) to the bridge. When executing dhclient on bidge0, the router then assigns me the IP 192.168.1.7, which then is used to create the jail. And it works! It does, because obviously that IP never changes again once it has been assigned. And of course you would have to make all that permanent in /etc/rc.conf as described.

So what do you guys think, is that a good solution? But now I have bumped into the next problem: Apparently no X is possible within a jail? And I also would like to have 3D-acceleration with the nvidia-driver within the jail, so is that even possible?

 

[ShelLuser]

Personally I really fail to see the need for any scripts or utilities in order to maintain a jail because the involved tasks are extremely trivial. But each to their own.

The problem is basically that a jail isn't a full virtual instance but merely a kernel process running on top of your main host. That's why you have limited access to features such as dynamic IP addresses and routing tables. Some consider it a con, I personally consider it a feature because that lack of access can also help prevent possible third parties with gaining too much access to your system.

In the end it boils down to using the right tool for the job. If you want dynamic addresses and such then you might want full virtualization instead, which is something jails do not do and to my knowledge also weren't designed to do. Creating a bridge (or any other virtual NIC) on the host and using that with DHCP seems like a good idea, but I cannot help wonder what's going to happen as soon as the IP changes.

It might be a better idea to leave the DHCP part on the host, and create the jail using an address linked to lo0, then simply set up a NAT connection between those two. Then there would be no risk of any interruption as soon as the IP address suddenly changes.

 

[cabriofahrer]

Creating a bridge (or any other virtual NIC) on the host and using that with DHCP seems like a good idea, but I cannot help wonder what's going to happen as soon as the IP changes.

Well, if the IP changes obviously the jail would not have internet access anymore. But my router apparently also offers the possibility to create static IP's. All you need to fill in is a MAC address and an IP of your choice. So I guess you could use the virtual MAC address of the bridge device and then use the static IP for the jail. But I haven't tried this yet. But two more questions: Does the jail configured like that (using a bridge device) offer more security (e.g. for running a webserver, database server or whatever) over running that service directly on the host system so that the use of the jail is worth it?
And again: Any ideas about running X?