What are "vnet" and "epair"? (Configuring a "vnet" "thick" jail.)

I'm trying to understand how to configure a "vnet" jail for a "thick" jail. In the jail documentation, it has this config:

vnet {
...

# VNET/VIMAGE
vnet;
vnet.interface = "${epair}b";

# NETWORKS/INTERFACES
$id = "154";
$ip = "192.168.1.${id}/24";
$gateway = "192.168.1.1";
$bridge = "bridge0";
$epair = "epair${id}";

# ADD TO bridge INTERFACE
exec.prestart = "ifconfig ${epair} create up";
exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
exec.start += "ifconfig ${epair}b ${ip} up";
exec.start += "route add default ${gateway}";
exec.poststop = "ifconfig ${bridge} deletem ${epair}a";
exec.poststop += "ifconfig ${epair}a destroy";
}

I need some help to understand what those settings mean.

Question 1:
In the:
# VNET/VIMAGE
vnet;
What is the "vnet" referring to? Is this referring to the name of the jail as it is at the top line, or the type of networking? (If it means the jail, it has the jail name. Otherwise, the jail name can be something else but this must be "vnet;".)

Question 2:
What does "epair" mean? Is this specifying a type of network interface? If it is not "epair", can it be something else, like "vio"?

I'd like to be completely clear before trying to configure the jails. Thanks!
 
I could try to answer Q2. From what I understand, the epair is a pair of virtual network interfaces used by a jail. The epair looks like epairA and epairB.

epairA is attached to bridge0 and this is the gateway address for epairB which resides in the jail.

Then on the host system you NAT the epairA network like you would a normal LAN network.

I could be wrong but that's how I understand it.
 
VNET simply means Virtual NETwork. You already found almost all about that. That said, I don't think you need to NAT unless the jail isn't on the same subnet as the host. You need to make your physical network interface a member of the same bridge. But it can be opaque if you use software like bastille.

VNET isn't mandatory to have a perfectly functioning jail. You can just use the network stack of the host. You may just declare an IP address in the jail config file (providing it is in the same subnet as the host).

VNET is a way to isolate the jail a little more from its host.
 

The "vnet" part makes your jail grab a network interface from the host and run its own network stack on it, as opposed to sharing the network stack with the host system. This lets the jail have its own IP address and port range, so you can run multiple instances of fixed-port services (e.g. web servers), each in a separate jail.

Don't vnet any network interfaces that you still need on the host!

An epair() network device is kind of a virtual network cable, with e.g. epair0a and epair0b as network interfaces at each end. The typical use is to have a virtual bridge() device, then add one epair end to the bridge and let the jail grab the other end for its vnet network stack. To get public network access you would add a physical network interface to the bridge, your jail is then visible with its epair MAC on the network, through the bridge.
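The answers above describe the topology (physical NIC and epair "a" end on the bridge, epair "b" end inside the jail) but not the order in which the host has to perform the steps. The script below is an added example, not code from this thread or from the FreeBSD Handbook: it walks the same lifecycle by hand that the exec.prestart, exec.start and exec.poststop lines in jail.conf automate. All names are constructed for illustration (jail "www" with id 154, epair154, bridge0 with em0 as its physical member, jail root /usr/jails/www, address 192.168.1.154/24 behind 192.168.1.1). With DRY_RUN=1, the default, it prints each command instead of running it; DRY_RUN=0 executes them and needs root on a FreeBSD host with VIMAGE, bridge(4) and epair(4).

```shell
#!/bin/sh
# Added example (not from the thread or the Handbook): manual VNET jail
# lifecycle. Jail "www", id 154, bridge0/em0, /usr/jails/www and the
# 192.168.1.0/24 addresses are constructed, hypothetical values.
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs them (root, FreeBSD only).

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Host side, once: the bridge with the physical NIC as a member. With the NIC
# on the bridge the jail's epair MAC is visible directly on the LAN, so no NAT
# is needed as long as the jail uses the host's subnet.
bridge_setup() {
    bridge=$1; nic=$2
    run ifconfig "$bridge" create up
    run ifconfig "$bridge" addm "$nic" up
}

# exec.prestart: create the virtual cable (epair154 yields epair154a and
# epair154b) and plug the "a" end into the bridge. Both ends still belong to
# the host at this point.
vnet_prestart() {
    name=$1; epair=$2; bridge=$3
    run ifconfig "$epair" create up
    run ifconfig "${epair}a" up descr "jail:${name}"
    run ifconfig "$bridge" addm "${epair}a" up
}

# Create the jail with its own stack and hand it the "b" end. From here on
# ${epair}b no longer appears in the host's ifconfig output; it exists only
# inside the jail, which is why you never vnet an interface the host needs.
# "persist" keeps the jail alive with no process in it.
jail_create() {
    name=$1; path=$2; epair=$3
    run jail -c "name=${name}" "path=${path}" "host.hostname=${name}" \
        vnet "vnet.interface=${epair}b" persist
}

# exec.start: configure the jail's end of the cable. These run on the jail's
# own network stack, hence jexec.
vnet_start() {
    name=$1; epair=$2; ip=$3; gateway=$4
    run jexec "$name" ifconfig "${epair}b" "$ip" up
    run jexec "$name" route add default "$gateway"
}

# Remove the jail (its interfaces return to the host), then exec.poststop:
# unplug and destroy the cable. Destroying one end of an epair removes the
# other end too, so one destroy is enough.
vnet_stop() {
    name=$1; epair=$2; bridge=$3
    run jail -r "$name"
    run ifconfig "$bridge" deletem "${epair}a"
    run ifconfig "${epair}a" destroy
}

# Whole lifecycle with the constructed values.
lifecycle() {
    name=www; id=154; epair="epair${id}"; bridge=bridge0
    ip="192.168.1.${id}/24"; gateway=192.168.1.1; path=/usr/jails/www
    bridge_setup "$bridge" em0
    vnet_prestart "$name" "$epair" "$bridge"
    jail_create "$name" "$path" "$epair"
    vnet_start "$name" "$epair" "$ip" "$gateway"
    vnet_stop "$name" "$epair" "$bridge"
}

lifecycle
```

Run it as-is to read the sequence; the printed prestart and poststop lines are exactly what the exec.prestart and exec.poststop entries in the original config expand to for id 154, and the jexec lines are what exec.start does from inside the jail. A quick way to see the "interface disappears from the host" point on a real host is to run `ifconfig` between the jail_create and vnet_start steps.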
 