jails Jail steals port 22 from the host - huh?

I have a DigitalOcean VPS with a single public IP address. I've created a very simple jail:

Code:
test {
  host.hostname = test;
  ip4.addr = 1.2.3.4;
  path = /jails/test;
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}

The ip4.addr is the same IP as the host.

I have SSHed into the host. Now I start the jail, and enable sshd within it.

I would expect the jail to error at this point, saying that port 22 is taken. However it succeeds, and when I SSH to the host IP address, I get connected to the jail's SSHD!

This makes no sense to me at all. What am I misunderstanding about jail config, and how do I fix it? I certainly don't want to steal port 22 from the host!
 
On the host make sure all your services are bound to the specific host IP address instead of 'all'. Same for the jails, configure your service to bind to their address specifically.

Code:
   Setting up the Host Environment
     First, set up the real system's environment to be “jail-friendly”.  For
     consistency, we will refer to the parent box as the “host environment”,
     and to the jailed virtual machine as the “jail environment”.  Since jails
     are implemented using IP aliases, one of the first things to do is to
     disable IP services on the host system that listen on all local IP
     addresses for a service.  If a network service is present in the host
     environment that binds all available IP addresses rather than specific IP
     addresses, it may service requests sent to jail IP addresses if the jail
     did not bind the port.
From jail(8).
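The check the reply above recommends, as an added example (not code from the thread): a parser for `sockstat -4l` output that lists host services bound to all addresses and pairs each with any socket holding the same port on a specific address, since the kernel matches a specific local address before a wildcard one. The sample output is constructed, not captured from the poster's system.

```python
from dataclasses import dataclass

# Constructed sample of `sockstat -4l` output from a FreeBSD host (not captured
# from the poster's system). The jailed sshd (pid 2300) has bound the shared
# address explicitly while the host's sshd (pid 1234) is bound to the wildcard.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     syslogd    900   6  udp4   *:514                 *:*
root     nginx      2000  8  tcp4   1.2.3.4:80            *:*
root     sshd       2300  4  tcp4   1.2.3.4:22            *:*
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    proto: str
    address: str  # "*" means the socket is bound to all local addresses
    port: int


def parse_sockstat(output: str) -> list[Listener]:
    """Parse the socket rows out of `sockstat -4l` / `sockstat -46l` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header line, or not a socket row at all
        _user, command, pid, _fd, proto, local, _foreign = fields[:7]
        address, _, port = local.rpartition(":")  # rpartition copes with IPv6 "::1:22"
        if not port.isdigit():
            continue  # unix-domain sockets carry a path, not addr:port
        listeners.append(Listener(command, int(pid), proto, address, int(port)))
    return listeners


def wildcard_listeners(output: str) -> list[Listener]:
    """Services bound to '*': the ones jail(8) says to disable on the host or pin to an address."""
    return [l for l in parse_sockstat(output) if l.address == "*"]


def shadowed_wildcards(output: str) -> list[tuple[Listener, Listener]]:
    """Pairs (wildcard socket, specific socket) sharing proto and port. The kernel
    matches the specific address first, so the wildcard socket no longer sees that traffic."""
    specific = [s for s in parse_sockstat(output) if s.address != "*"]
    return [(w, s) for w in wildcard_listeners(output)
            for s in specific if s.proto == w.proto and s.port == w.port]
```

Pinning the host's sshd with a `ListenAddress` line in sshd_config removes the wildcard bind, but with a single shared address the host and jail would then compete for the same address and port, which is why the later reply simply runs the two on different ports.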
 
1. I only have one IP address, that I'm sharing between the host and jail.
2. I'm seeing the exact opposite behavior of what the man page describes.

What I expect to happen
- SSHD is running on the host
- I start the jail
- I try to start SSHD on the jail
- the jail complains that port 22 is in use
- SSH to the shared IP address is handled by the host

As the man page says, "[the host] may service requests sent to jail IP addresses if the jail did not bind the port"

What actually happens
- SSHD is running on the host
- I start the jail
- I successfully start SSHD on the jail
- the jail complains that port 22 is in use
- SSH to the shared IP address is handled by the jail!

If I stop SSHD on the jail, then SSH to the shared IP address is once again handled by the host.

What now?
Ideally I would have unique IP addresses for the host and jail, but I don't right now.

Of far greater concern to me is why the jail steals port 22 from the host. I can't make sense of it, nor can I reconcile it with the jail documentation.
 
Jails are namespaces.

I can tell you what I do.
For the jail
ip4=inherit
ip6=inherit
Then the jail has the same ip address as the host.
Then I run services in the jail and on the host simply on different ports.
This setup feels easier for my brain.
 