Re: jail - beginner questions

2009-11-18 Thread Michael Svobodin
On Wed, Nov 18, 2009 at 09:09:32AM +0100, Laszlo Nagy wrote:

> Great. Here is what I did:
> 
> sorb# mkdir -p /usr/jails/vm1
> sorb# cd /usr/src
> sorb# setenv D /usr/jails/vm1
> sorb# make installworld DESTDIR=$D
> sorb# make distribution DESTDIR=$D
> sorb# cat >> /etc/rc.conf
> 
> jail_enable="YES"
> jail_list="vm1"
> jail_vm1_rootdir="/usr/jails/vm1"
> jail_vm1_hostname="vm1.localdomain"
> jail_vm1_ip="192.168.0.11"
> jail_vm1_interface="lnc0"
> jail_vm1_devfs_enable="YES"
> jail_vm1_devfs_ruleset="vm1_ruleset"
> 
> ^D
> sorb# mount -t devfs devfs $D/dev
> sorb# /etc/rc.d/jail start vm1
> Configuring jails:.
> Starting jails:ifconfig: interface lnc0 does not exist
> vm1.localdomain.
> 
> See, I do not understand how this works. If I use a real physical 
> interface then it works:
> 
> sorb# ifconfig
> re0: flags=8843 metric 0 mtu 1500
>         options=389b
>         ether 00:1a:4d:7b:cf:d6
>         inet X.X.X.X netmask 0xff00 broadcast X.X.X.255
>         inet 192.168.0.11 netmask 0x broadcast 192.168.0.11
>         media: Ethernet autoselect (100baseTX )
>         status: active

I thought that your physical interface is the lnc0 on the host FreeBSD.
The jail startup script doesn't create any interfaces itself.
It uses any interface that exists in the host OS, and sets the IP address on it.
So, you can use either re0 or lo0.

> where X.X.X.X is my public internet IP address. But I do not like this. 
> I do not want to expose my jail's private IP address to the internet. Am 
> I too paranoid? Should I just add rules like
> 
> ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
> ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
> ipfw add 1002 deny all from any to 192.168.0.11
> ipfw add 1003 deny all from 192.168.0.11 to any
> 
> and be happy? Or would it be better to create a virtual ethernet 
> interface for my jails? Somehow?

If you want to hide your jail then you can use the interface lo0.
jail_vm1_interface="lo0"

Suppose that your public ip address is 192.168.201.50.

Then start the natd:
# natd -a 192.168.201.50

and add to ipfw these divert rules:
# ipfw add 10 divert natd all from any to 192.168.201.50 in
# ipfw add 20 divert natd all from 192.168.0.11 to any out

after that add to ipfw rules to allow the traffic diverted above
or you can allow all for testing:
# ipfw add 30 allow all from any to any


Now your jail is hidden from the outer network.
But inside the jail the network is working.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
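The natd + divert setup described in the reply above, as an added example that is not part of the original post: a small model of ipfw's first-match evaluation over rules 10/20/30 and of natd's address translation, using the reply's addresses (192.168.201.50 as the public address, 192.168.0.11 as the jail on lo0). The remote host and ports are constructed values.

```python
# Added example (not from the thread): model of ipfw rules 10/20/30 + natd.
PUBLIC_IP = "192.168.201.50"   # host's public address (natd -a)
JAIL_IP = "192.168.0.11"       # jail address, bound on lo0

# (rule number, action, from, to, direction); None = both directions
RULES = [
    (10, "divert", "any", PUBLIC_IP, "in"),
    (20, "divert", JAIL_IP, "any", "out"),
    (30, "allow", "any", "any", None),
]

def first_match(src, dst, direction):
    """ipfw walks rules in numeric order; the first matching rule decides."""
    for num, action, rsrc, rdst, rdir in RULES:
        if rsrc in ("any", src) and rdst in ("any", dst) \
                and rdir in (None, direction):
            return num, action
    return 65535, "deny"   # ipfw's implicit default rule

class Natd:
    """Minimal natd: outbound packets from the jail get the alias address as
    source; replies are mapped back through the remembered translation."""
    def __init__(self, alias):
        self.alias = alias
        self.table = {}    # (remote_ip, alias_port) -> (private_ip, private_port)

    def outbound(self, src, sport, dst, dport):
        self.table[(dst, sport)] = (src, sport)   # port kept; real natd may remap
        return self.alias, sport, dst, dport

    def inbound(self, src, sport, dst, dport):
        priv = self.table.get((src, dport))
        if dst != self.alias or priv is None:
            return src, sport, dst, dport         # unknown flow: stays on the host
        return src, sport, priv[0], priv[1]

def jail_roundtrip(remote="203.0.113.9", remote_port=80, jail_port=40000):
    """Jail -> remote and the reply back; returns what each hop observed."""
    nat = Natd(PUBLIC_IP)
    out_rule, out_action = first_match(JAIL_IP, remote, "out")
    if out_action != "divert":
        return {"error": f"outbound packet not diverted (rule {out_rule})"}
    wire = nat.outbound(JAIL_IP, jail_port, remote, remote_port)
    in_rule, in_action = first_match(remote, wire[0], "in")
    if in_action != "divert":
        return {"error": f"reply not diverted (rule {in_rule})"}
    back = nat.inbound(remote, remote_port, wire[0], wire[1])
    return {"out_rule": out_rule, "remote_sees": wire[0],
            "in_rule": in_rule, "reply_delivered_to": back[2]}
```

The remote side only ever sees the public address, which is what "hidden from the outer network" amounts to here; a packet addressed straight to 192.168.0.11 matches no divert rule and, on a real host, has nowhere to go because that address lives on lo0.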


Re: jail - beginner questions

2009-11-18 Thread Brian A. Seklecki (CFI NOC)
> I really think that it should be corrected to:
>
> cd /usr/src
> make distribution DESTDIR=$D

That's almost certainly correct, but it notes:

  "Notes
  [1] This step is not required on FreeBSD 6.0 and later."

> But then I get this error in syslog:
>
> bind: Can't assign requested address

That's a general networking error.  We'd need to see your
ifconfig(8)/netstat(8) -rn and rc.conf(5) network settings to figure
that out.


~BAS


Re: jail - beginner questions

2009-11-18 Thread Boris Samorodov
Laszlo Nagy  writes:

> I do not want to expose my jail's private IP address to the
> internet.

Use loopback interface and 127.x.x.x address.

--
WBR, bsam


Re: jail - beginner questions

2009-11-18 Thread Laszlo Nagy
> The address 192.168.0.11 must be assigned to an interface in the host FreeBSD.
> You can do it before starting the jail, or when the jail is being started.
>
> To assign the address before starting the jail do something like this:
> # ifconfig lnc0 alias 192.168.0.11/24
> where lnc0 is the name of the nic in the host FreeBSD


Great. Here is what I did:

sorb# mkdir -p /usr/jails/vm1
sorb# cd /usr/src
sorb# setenv D /usr/jails/vm1
sorb# make installworld DESTDIR=$D
sorb# make distribution DESTDIR=$D
sorb# cat >> /etc/rc.conf

jail_enable="YES"
jail_list="vm1"
jail_vm1_rootdir="/usr/jails/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
jail_vm1_interface="lnc0"
jail_vm1_devfs_enable="YES"
jail_vm1_devfs_ruleset="vm1_ruleset"

^D
sorb# mount -t devfs devfs $D/dev
sorb# /etc/rc.d/jail start vm1
Configuring jails:.
Starting jails:ifconfig: interface lnc0 does not exist
vm1.localdomain.

See, I do not understand how this works. If I use a real physical 
interface then it works:

sorb# ifconfig
re0: flags=8843 metric 0 mtu 1500
        options=389b
        ether 00:1a:4d:7b:cf:d6
        inet X.X.X.X netmask 0xff00 broadcast X.X.X.255
        inet 192.168.0.11 netmask 0x broadcast 192.168.0.11
        media: Ethernet autoselect (100baseTX )
        status: active

where X.X.X.X is my public internet IP address. But I do not like this. 
I do not want to expose my jail's private IP address to the internet. Am 
I too paranoid? Should I just add rules like


ipfw add 1000 allow all from X.X.X.X to 192.168.0.11
ipfw add 1001 allow all from 192.168.0.11 to X.X.X.X
ipfw add 1002 deny all from any to 192.168.0.11
ipfw add 1003 deny all from 192.168.0.11 to any

and be happy? Or would it be better to create a virtual ethernet 
interface for my jails? Somehow?
> d.) It requires to use a firewall, either ipfw or pf.
> For example you can add to your /etc/pf.conf:
> nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133
>
> But the firewall requires more lines than this one to work correctly with all
> network traffic.
> And you have to know exactly what you want to get for using it.

I'm using ipfw. I think I'll use natd+divert on the host.

Thank you very much! I feel I'm over the hard part. :-)

  Laszlo



Re: jail - beginner questions

2009-11-17 Thread Michael Svobodin
On Tue, Nov 17, 2009 at 10:41:14PM +0430, Laszlo Nagy wrote:

> My computer is a windows machine, with address 192.168.0.X
> Then the FreeBSD host is actually a guest os running in vmware. It has 
> address 192.168.37.133
> And finally, the vm1 jail should have 192.168.0.11
> 
> I don't know why 192.168.0.11 is not working for the jail. Anyway, if I 
> change the jail's address to 192.168.10.11 then
> 
> /etc/rc.d/jail start vm1
> Starting jails: vm1.localdomain.
> 

The address 192.168.0.11 must be assigned to an interface in the host FreeBSD.
You can do it before starting the jail, or when the jail is being started.

To assign the address before starting the jail do something like this:
# ifconfig lnc0 alias 192.168.0.11/24
where lnc0 is the name of the nic in the host FreeBSD
And you can add to /etc/rc.conf:
ifconfig_lnc0_alias0="inet 192.168.0.11/24"
to assign the address when the host FreeBSD is booting.

To assign the address when the jail is being started just add to /etc/rc.conf
this:
jail_vm1_interface="lnc0"
This way is preferred.

> Now the next question: how can I access the hosted (jailed) OS? I know 
> it is a dumb question, but I have no idea. I would like to:
> 
> a.) run sshd in the jail
> b.) login from the host to the jailed (hosted) OS
> c.) install programs on the jail, configure them and finally
> d.) use NATD to divert some packages from the host to the jail and back

b.) 
1. get the jails list: 
# jls
  JID  IP Address       Hostname    Path
    9  192.168.64.14    mx1.loc     /store/jail/mx1
    8  192.168.64.25    nslst.loc   /store/jail/nslst
2. select required jail by JID, for example 9 for mx1.loc and do:
# jexec 9 tcsh
3. you're in

a.) Login inside the jail. Now add to /etc/rc.conf sshd_enable="YES" and 
execute:
# /etc/rc.d/sshd start

c.) When you're inside the jail you can install software like in the host 
system. 
You can use the pkg_add or the ports system.

d.) It requires to use a firewall, either ipfw or pf.
For example you can add to your /etc/pf.conf:
nat on lnc0 from 192.168.0.11 to any -> 192.168.37.133

But the firewall requires more lines than this one to work correctly with all
network traffic.
And you have to know exactly what you want to get for using it.

> 
> Probably this is what everybody does, so if you could point me to a 
> tutorial or something, I would appreciate it.
> 
> Thanks,
> 
>   Laszlo
> 
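The two failures in this thread (a jail IP that nothing assigns on the host, then an interface name the host does not have) can both be spotted from rc.conf before running /etc/rc.d/jail. Below is an added example, not from the thread or from FreeBSD's rc scripts: a checker over constructed rc.conf text modelled on the two fragments posted, with the host's interfaces given as a set (re0 and lo0, as the ifconfig output showed). The check for an unassigned address is an assumption about the cause of the "bind: Can't assign requested address" message, following the explanation above.

```python
# Added example (not from the thread): a sanity check of rc.conf jail settings
# that reproduces the two failures seen here from the config text alone.
import re

REQUIRED = ("rootdir", "hostname", "ip")

def parse_rc_conf(text):
    """rc.conf is an sh fragment of key="value" lines, comments allowed."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)="([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def check_jails(rc_text, host_ifaces, host_addrs=()):
    """Return problems found; an empty list means the jails should come up.
    host_ifaces/host_addrs describe the host as ifconfig would report it."""
    conf = parse_rc_conf(rc_text)
    problems = []
    for name in conf.get("jail_list", "").split():
        for key in REQUIRED:
            if f"jail_{name}_{key}" not in conf:
                problems.append(f"{name}: jail_{name}_{key} is missing")
        ip = conf.get(f"jail_{name}_ip")
        iface = conf.get(f"jail_{name}_interface")
        if iface is None and ip and ip not in host_addrs:
            # nobody assigns the address, so daemons in the jail fail to bind()
            problems.append(f"{name}: {ip} is not on the host and "
                            f"jail_{name}_interface is not set")
        elif iface is not None and iface not in host_ifaces:
            # what /etc/rc.d/jail reports as 'ifconfig: interface X does not exist'
            problems.append(f"{name}: interface {iface} does not exist")
    return problems

# Constructed configs following the two rc.conf fragments posted in the thread
# (comments abridged). The host showed only re0 and lo0 in ifconfig.
HOST_IFACES = {"re0", "lo0"}
FIRST_TRY = '''
jail_enable="YES"        # Set to NO to disable starting of any jails
jail_list="vm1"
jail_vm1_rootdir="/vm1"
jail_vm1_hostname="vm1.localdomain"
jail_vm1_ip="192.168.0.11"
'''
SECOND_TRY = FIRST_TRY.replace('"/vm1"', '"/usr/jails/vm1"') + 'jail_vm1_interface="lnc0"\n'
```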


Re: jail - beginner questions

2009-11-17 Thread Laszlo Nagy
> No, I think you added the '/' before 'etc', which isn't in the web page.

Gotcha.

> Is the problem perhaps in your /etc/rc.d/vm1 script?
> Normally you would use /etc/rc.d/jail.

Yes, I am. Sorry - it was a typo. I used this:

/etc/rc.d/jail start vm1

> Are those addresses already assigned on the host?
> Was the jail perhaps already running?

My computer is a windows machine, with address 192.168.0.X
Then the FreeBSD host is actually a guest os running in vmware. It has 
address 192.168.37.133

And finally, the vm1 jail should have 192.168.0.11

I don't know why 192.168.0.11 is not working for the jail. Anyway, if I 
change the jail's address to 192.168.10.11 then


/etc/rc.d/jail start vm1
Starting jails: vm1.localdomain.

Now the next question: how can I access the hosted (jailed) OS? I know 
it is a dumb question, but I have no idea. I would like to:


a.) run sshd in the jail
b.) login from the host to the jailed (hosted) OS
c.) install programs on the jail, configure them and finally
d.) use NATD to divert some packages from the host to the jail and back

Probably this is what everybody does, so if you could point me to a 
tutorial or something, I would appreciate it.


Thanks,

  Laszlo



Re: jail - beginner questions

2009-11-17 Thread Lowell Gilbert
Laszlo Nagy  writes:

> I'm experimenting with jails. I have installed a 7.2 stable FreeBSD
> inside vmware. Then I have created two jails, using the method written
> in the handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-build.html
>
> The only thing that didn't work is this:
>
> cd /etc
> make distribution DESTDIR=$D
>
> I really think that it should be corrected to:
>
> cd /usr/src
> make distribution DESTDIR=$D

No, I think you added the '/' before 'etc', which isn't in the web page.

>
> After mounting devfs ("mount -t devfs devfs /vm1/dev") I try to start it:
>
> /etc/rc.d/vm1 start vm1
>
> But then I get this error in syslog:
>
> bind: Can't assign requested address
>
> Here is the config from /etc/rc.conf (in the host):
>
> jail_enable="YES"                    # Set to NO to disable starting of any jails
> jail_list="vm1 vm2"                  # Space separated list of names of jails
>
> jail_vm1_rootdir="/vm1"  # jail's root directory
> jail_vm1_hostname="vm1.localdomain"  # jail's hostname
> jail_vm1_ip="192.168.0.11"   # jail's IP address
> jail_vm1_devfs_enable="YES"  # mount devfs in the jail
> jail_vm1_devfs_ruleset="vm1_ruleset" # devfs ruleset to apply to jail
>
> jail_vm2_rootdir="/vm2"  # jail's root directory
> jail_vm2_hostname="vm2.localdomain"  # jail's hostname
> jail_vm2_ip="192.168.0.12"   # jail's IP address
> jail_vm2_devfs_enable="YES"  # mount devfs in the jail
> jail_vm2_devfs_ruleset="vm2_ruleset" # devfs ruleset to apply to jail


Is the problem perhaps in your /etc/rc.d/vm1 script?  
Normally you would use /etc/rc.d/jail.

Are those addresses already assigned on the host?
Was the jail perhaps already running?
-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/