On Wed, Aug 28, 2013 at 2:42 PM, Patrick <gibblert...@gmail.com> wrote:
> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aim...@yabarana.com> wrote:
>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <fra...@fjl.co.uk> wrote:
>>> On 28/08/2013 00:19, Patrick wrote:

[...]

> I don't think that's true though in the case of jails. On the host
> system, yes, but when a jail is bound to a particular IP, outbound
> connections originate from that bound IP. At least they do for me in
> all of my experience. Still wondering if you're using NAT with your
> jails, as that could change things.
>

Nope, no NAT. I verified what you said using the aliases in lo0 and it does in fact use the correct private IP, and that is, well, no surprise, because we rarely have jails with actual public IPs, so I didn't notice this strange behaviour before.

Actually, not so strange once you understand what's going on: it doesn't work the same using the public IP because the public IP goes through a gateway, so it's a different case. In that case it will use the "primary" IP assigned to the device in that subnet that goes through that routing rule. You can test this if you want, but you will need to re-create a scenario where you have multiple IPs assigned to a physical network card that route through a common gateway. In this case, it will use only the primary IP assigned to the network card. If you actually test it you will see it's not a jail issue; it simply works that way, and it will be consistent on a jail or the base system. The only ways to fix this are either through the routing table or source address re-writing with IPFW or similar.

> (FWIW, we use ezjail as well. It doesn't do anything special except
> make having lots of jails easy and lightweight.)
>

It does a lot more than that! We use flavours and have pre-loaded environments for easy deployment, much like people use VMWare. For example, we do a lot of development in Catalyst, and it takes forever to install a working Catalyst env, which we only have to do once; then we create Cat-flavoured jails in minutes. We also archive and re-instantiate jails on other servers, or add more capacity in an existing env just by archiving and creating a clone jail on another server.

So basically with EzJail we have our own cloud-type environment, but running on the real hardware and with much more granular control. We also use Amazon AWS, but not for anything that's core to the company. We do a ton of other stuff that relies on EzJail's tools, for example update one jail to test and then simply re-create that one to replace all the others. Plain old jails will do the same thing for sure, but if you manage hundreds you'll probably wind up re-inventing EzJail in the first place.

Best,

--
Alejandro Imass

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
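The message above suggests testing which source address outbound connections actually carry when a host (or jail) has several aliases on one interface. The script below is an added example for this thread, not code posted by any of the participants and not part of ezjail. It uses the connected-UDP-socket trick: connect() on a UDP socket transmits nothing, but it makes the kernel run source-address selection, so getsockname() shows the address the kernel would put on outbound packets for that destination. It also shows the application-side alternative of binding explicitly to one alias before connecting, which is not one of the two fixes (routing table, IPFW source rewriting) named in the post. The destination 127.0.0.1 and the alias addresses used in the examples are placeholders; to reproduce the scenario in the thread, run it on the host and again inside a jail, passing an external destination and the jail's alias.

```python
#!/usr/bin/env python3
"""Show which source IP the kernel selects for a destination, with and without an explicit bind.

Added example for the freebsd-questions thread on jail source addresses; not code from the
thread's authors or from ezjail. Works on FreeBSD (host or jail) and on Linux.
"""
import socket
import sys
from typing import Dict, Iterable, Optional


def source_address_for(dest_ip: str, dest_port: int = 9, bind_ip: Optional[str] = None) -> str:
    """Return the local address the kernel would use to reach dest_ip.

    A UDP connect() sends no packet, but the kernel still runs route lookup and
    source-address selection, and getsockname() then reports the chosen address.
    If bind_ip is given, the socket is bound to that alias first, which is the
    application-side way to force a specific source (it fails with EADDRNOTAVAIL
    if the address is not configured here, or is outside the jail's address set).
    """
    family = socket.AF_INET6 if ":" in dest_ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        if bind_ip is not None:
            sock.bind((bind_ip, 0))
        sock.connect((dest_ip, dest_port))
        return sock.getsockname()[0]
    finally:
        sock.close()


def compare_selection(dest_ip: str, candidate_ips: Iterable[str]) -> Dict[str, str]:
    """Report the kernel's default pick for dest_ip and the result of binding to each alias.

    Binding to an alias that does not exist on this host (or is not assigned to this
    jail) is reported rather than raised, so the whole comparison runs to completion.
    """
    results = {"default": source_address_for(dest_ip)}
    for ip in candidate_ips:
        try:
            results[ip] = source_address_for(dest_ip, bind_ip=ip)
        except OSError as exc:
            results[ip] = "bind failed: %s" % (exc.strerror or exc)
    return results


if __name__ == "__main__":
    # Usage: python3 srcaddr.py <destination-ip> [alias-ip ...]
    # Example (placeholders, not real addresses): python3 srcaddr.py 198.51.100.5 203.0.113.20
    destination = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    aliases = sys.argv[2:]
    for label, chosen in compare_selection(destination, aliases).items():
        print("%16s -> %s" % (label, chosen))
```

Run it once on the host and once inside the jail with the same external destination: the "default" line shows what the kernel picks on its own (the primary address on that subnet, per the thread), and the per-alias lines show whether an explicit bind to the jail's alias is honoured or refused in each context.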