How to use jails with epair with FreeBSD 8.2
August 2011.
Introduction
System used:
FreeBSD testjail.example.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Aug 11 09:10:23 CEST 2011 root@testjail.example.net:/usr/obj/usr/src/sys/JAILKERNEL amd64
Build and install a kernel including VIMAGE, epair and bridged interfaces
Configure the kernel: (/usr/src/sys/amd64/conf/JAILKERNEL)
include GENERIC
cpu HAMMER
ident JAILKERNEL
# Firewalling
device pf
device pflog
# Virtual networking for jail
options VIMAGE
device epair
device if_bridge
# The nullFS to mount local directory
options NULLFS
Make and install the kernel:
cd /usr/src
make buildkernel KERNCONF=JAILKERNEL
make installkernel KERNCONF=JAILKERNEL
reboot
Create the jail's environment
mkdir /usr/jails/testjail
cd /usr/src
make installworld DESTDIR=/usr/jails/testjail
make distribution DESTDIR=/usr/jails/testjail
echo 'hostname="testjail.example.com"' >> /usr/jails/testjail/etc/rc.conf
echo 'nameserver 8.8.8.8' >> /usr/jails/testjail/etc/resolv.conf
mkdir /usr/jails/testjail/usr/ports
Start and use the jail manually
Start the jail:
# jail -c vnet name=testjail host.hostname=testjail path=/usr/jails/testjail persist
# jls
JID IP Address Hostname Path
1 - testjail /usr/jails/testjail
Create the virtual ethernet cable:
# ifconfig epair0 create
epair0a
# ifconfig epair0b vnet 1
Create the bridge:
# ifconfig bridge create
bridge0
# ifconfig bridge0 addm epair0a addm bge0
Configure the network on both sides:
# ifconfig bge0 192.168.1.10/24
# ifconfig epair0a 192.168.1.11/24
# jexec testjail ifconfig epair0b 192.168.1.12/24
# jexec testjail ifconfig
lo0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:06:d7:00:07:0b
inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.3.255
inet6 fe80::6:d7ff:fe00:70b%epair0b prefixlen 64 scopeid 0x2
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
Test the connection:
# jexec testjail ping -c 1 192.168.1.11
PING 192.168.1.11 (192.168.1.11): 56 data bytes
64 bytes from 192.168.1.11: icmp_seq=0 ttl=64 time=0.059 ms
--- 192.168.1.11 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.059/0.059/0.059/0.000 ms
# jexec testjail ping -c 1 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=0.094 ms
--- 192.168.1.10 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.094/0.094/0.094/0.000 ms
Stop the jail:
# jail -r testjail
# jls
JID IP Address Hostname Path
Clean the network:
# ifconfig epair0a destroy
# ifconfig bridge0 destroy
Start the jail automatically
As of 2011/08/01, /etc/rc.d/jail has problems using the new jail command (v2), so you must patch it if you want to use vnets:
http://www.freebsd.org/cgi/query-pr.cgi?pr=142972
In /etc/rc.conf:
#
# Jails networking
#
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0"
#
# Jails configuration
#
jail_enable="YES"
jail_v2_enable="YES"
jail_list="testjail"
jail_testjail_name="testjail"
jail_testjail_hostname="testjail.example.net"
jail_testjail_devfs_enable="YES"
jail_testjail_rootdir="/usr/jails/testjail"
jail_testjail_vnet_enable="YES"
jail_testjail_exec_prestart0="ifconfig epair0 create"
jail_testjail_exec_prestart1="ifconfig bridge0 addm epair0a"
jail_testjail_exec_prestart2="ifconfig epair0a up"
jail_testjail_exec_earlypoststart0="ifconfig epair0b vnet testjail"
jail_testjail_exec_afterstart0="ifconfig lo0 127.0.0.1"
jail_testjail_exec_afterstart1="ifconfig epair0b 192.168.1.12 netmask 255.255.255.0 up"
jail_testjail_exec_afterstart2="route add default 192.168.1.1"
jail_testjail_exec_afterstart3="/bin/sh /etc/rc"
jail_testjail_exec_poststop0="ifconfig bridge0 deletem epair0a"
jail_testjail_exec_poststop1="ifconfig epair0a destroy"
Then:
# /etc/rc.d/jail start testjail
# jexec testjail ping -c 1 example.net
PING example.net (192.0.43.10): 56 data bytes
64 bytes from 192.0.43.10: icmp_seq=0 ttl=243 time=94.903 ms
--- example.net ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 94.903/94.903/94.903/0.000 ms
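The manual epair/bridge steps and the rc.conf exec_* hooks above, as an added example that is not part of the original how-to: start and stop functions parameterized on the jail name and epair index, so a second jail can use epair1 on the same bridge. It assumes bridge0 already exists with bge0 as a member (as the cloned_interfaces/ifconfig_bridge0 lines do at boot), the page's constructed address 192.168.1.12/24 and gateway 192.168.1.1, and a hypothetical DRY_RUN variable that prints each command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the original how-to. Wraps the manual
# epair/bridge steps into start/stop functions. Assumes bridge0 already
# exists with the uplink (bge0) as a member; jail name, root, epair
# index, address and gateway are parameters (defaults below are the
# page's constructed values). DRY_RUN=1 prints commands instead of
# running them, so the sequence can be reviewed on any machine.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# jail_net_start NAME ROOT IDX ADDR/PREFIX GATEWAY
jail_net_start() {
    name=$1 root=$2 idx=$3 addr=$4 gw=$5
    run jail -c vnet name="$name" host.hostname="$name" path="$root" persist
    run ifconfig "epair$idx" create            # creates epair${idx}a (host) and epair${idx}b
    run ifconfig bridge0 addm "epair${idx}a"   # host end joins the bridge next to the uplink
    run ifconfig "epair${idx}a" up
    run ifconfig "epair${idx}b" vnet "$name"   # other end moves into the jail's vnet
    run jexec "$name" ifconfig lo0 127.0.0.1
    run jexec "$name" ifconfig "epair${idx}b" "$addr" up
    run jexec "$name" route add default "$gw"
}

# jail_net_stop NAME IDX  (same order as "Stop the jail" / "Clean the network")
jail_net_stop() {
    name=$1 idx=$2
    run jail -r "$name"
    run ifconfig bridge0 deletem "epair${idx}a"
    run ifconfig "epair${idx}a" destroy        # destroying the a end removes both halves
}

# Usage: sh jailnet.sh start|stop  (does nothing when sourced without arguments)
case "${1:-}" in
    start) jail_net_start testjail /usr/jails/testjail 0 192.168.1.12/24 192.168.1.1 ;;
    stop)  jail_net_stop testjail 0 ;;
esac
```

Because epair0a is bridged onto bge0, the jail shares the host's layer-2 segment and sees the same broadcast traffic; the pf device built into JAILKERNEL is where traffic between host, jail and LAN would be filtered.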