> > Maybe I misunderstood your requirement, but isn't it sufficient to add an IP alias to your host's interface, and assign that IP to the jail? It can be done easily at jail's startup (i.e., if your host has an igb0 interface: ip4.addr="igb0|172.16.0.1/32").
>
> The problem is you can't start another jail with ip4.addr="igb0|172.16.0.1/32".
>
> Imagine you have a jail with "unbound" (DNS cache/resolver), and the other jails in a host do not care about DNS, they just use IPu of the "unbound jail" (host-wide service). No firewall, no packet leaks. No work inside jails for DNS.
>
> Then you want another service, say an http proxy. You have another jail which provides the http proxy for all jails in a host. So it is a host-wide proxy service (on IPp). Other jails in a host will use IPp for proxying.
>
> The problem is that all jails in a host must be manually adjusted to use IPu for DNS and IPp for proxy. Things get worse if you consider more than one host. Copying a jail to another host entails configuration adjustment, replacing IPu and IPp by IPu2 and IPp2 specific to that host.
>
> The general idea is to move the recurring binding to a service(s) from inside the jails out to a separate jail, so you don't need to configure it in each jail. Further, different hosts in different places may have a specific configuration for, say, http proxying. But if a jail is configured to use the local host-wide service, it doesn't care.
>
> The ideal solution is to have a well-known local IPw for host-wide services on every host. If a jail relies on a host-wide service, it is configured once for IPw. If a jail provides a host-wide service, it binds to IPw.
Surely your requirements must be different from what I understood, but honestly I am not able to guess how... I mean: if you need a DNS service in your network, you can put the unbound service in a jail which has been assigned an IP alias on the host interface connected to your network, and any other jail and/or host connected to the same network will be able to use that jail's service (unbound, or any other). It's the way we mainly use jails in our customers' environments: as if they were a sort of virtual machines. Maybe you are referring to a scenario where jails are managed as "app containers" (aka "service jails"), but even so, I cannot see any obstacle to this approach.

-- 
Andrew
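As an added illustration (not from either poster), a jail.conf(5) fragment showing the IP-alias approach discussed above, with the host-wide service addresses defined once as jail.conf variables so that client jails need no per-jail DNS or proxy settings. The interface name (igb0), the addresses, the jail root under /usr/jails and the jail names are assumptions for the example.

```conf
# Host-wide service addresses: defined once per host, referenced everywhere.
# Interface name and addresses are assumed for this example.
$svc_dns   = "172.16.0.1";
$svc_proxy = "172.16.0.2";

# Defaults shared by every jail on this host.
path = "/usr/jails/$name";
host.hostname = "$name.local";
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
# Point every jail at the host-wide resolver before it boots; the host,
# not the jail, writes the file, so nothing DNS-specific lives in the jail.
exec.prestart += "echo nameserver ${svc_dns} > ${path}/etc/resolv.conf";

# The jail providing DNS takes the well-known address as an igb0 alias.
unbound {
    ip4.addr = "igb0|${svc_dns}/32";
}

# The jail providing the HTTP proxy takes its own alias.
proxy {
    ip4.addr = "igb0|${svc_proxy}/32";
}

# A client jail: its own alias, and no service-specific configuration inside.
web {
    ip4.addr = "igb0|172.16.0.10/32";
}
```

Each alias is held by exactly one jail, which is the constraint the thread turns on: only the service jail binds the well-known address, and moving the set to another host means changing the two variables at the top rather than every jail.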
