VLANs for jail

[bsus]

Hello,

I now gave up trying to use VIMAGE for jail use. Fortunately there are other options to go

I created two VLAN interfaces:

# ifconfig vlan0 create vlan 1 vlandev em0
# ifconfig vlan0 inet 10.0.0.0 netmask 255.255.255.0
# ifconfig vlan1 create vlan 2 vlandev em0
# ifconfig vlan1 inet 10.0.0.1 netmask 255.255.255.0

Then I created some jails using them:

# ezjail-admin create -c zfs build 10.0.0.0
# ezjail-admin create -c zfs www 10.0.0.1
# mkdir /usr/jails/build/var/ports
# echo '/usr/jails/basejail/usr/ports /usr/jails/build/var/ports nullfs rw 0 0' >> /etc/fstab.build
# ezjail-admin start build
# jexec 2 sh
# cd /usr/ports/ports-mgmt/portmaster && make install clean
===>  License check disabled, port has not defined LICENSE
===>  Found saved configuration for portmaster-3.11
=> portmaster-3.11.tar.gz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch http://dougbarton.us/Downloads/portmaster-3.11.tar.gz
fetch: http://dougbarton.us/Downloads/portmaster-3.11.tar.gz: No address record
=> Attempting to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/portmaster-3.11.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/portmaster-3.11.tar.gz: No address record
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Stop in /basejail/usr/ports/ports-mgmt/portmaster.
*** Error code 1

Stop in /basejail/usr/ports/ports-mgmt/portmaster.

How do I solve this? What have I forgotten?

 

[SirDice]

Fix DNS. It's failing to resolve anything. Did you set up /etc/resolv.conf correctly in the jail?

 

[bsus]

# cat /etc/resolv.conf
nameserver 192.168.178.1

This is the IP of the router. Which IP should I define for the nameserver (the local of em0)?

 

[SirDice]

Your VLAN interface is in 10.0.0.0/24. Is there a route to 192.168.178.0/24 on the host?

 

[bsus]

I don't think so:

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
	ether 00:1b:21:c5:fa:f4
	inet 192.168.178.10 netmask 0xffffff00 broadcast 192.168.178.255
	inet6 fe80::21b:21ff:fec5:faf4%em0 prefixlen 64 scopeid 0x1 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
re0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 6c:f0:49:d8:31:19
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (10baseT/UTP <half-duplex>)
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xb 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:1b:21:c5:fa:f4
	inet 10.0.0.0 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 1 parent interface: em0
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:1b:21:c5:fa:f4
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 2 parent interface: em0
#

I thought that the VLAN IP isn't important because it's internal?

 

[SirDice]

I thought that the vlan ip isn't important because it's internal?

I think you're confused with lo0. Some people like to clone it and bind their jails to that. That will be local only, if you need access outside of the host you would need to use NAT.

VLANs are mainly used to compartmentalize traffic to improve performance.

http://en.wikipedia.org/wiki/Virtual_LAN

 

[bsus]

Ok, this makes sense.

I thought all the time that it's just an easy way of creating an internal network.

Then I would say back trying to fix the vimage thing