How to use jails with epair on FreeBSD 8.2

August 2011.

Introduction

System used:

FreeBSD testjail.example.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Aug 11 09:10:23 CEST 2011 root@testjail.example.net:/usr/obj/usr/src/sys/JAILKERNEL amd64

Build and install a kernel including VIMAGE, epair and bridged interfaces

Configure the kernel: (/usr/src/sys/amd64/conf/JAILKERNEL)

include GENERIC

cpu HAMMER
ident JAILKERNEL

# Firewalling
device pf
device pflog

# Virtual networking for jail
options VIMAGE
device epair
device if_bridge

# The nullFS to mount local directory
options NULLFS

Make and install the kernel:

cd /usr/src
make buildkernel KERNCONF=JAILKERNEL
make installkernel KERNCONF=JAILKERNEL
reboot

Create the jail's environment

mkdir /usr/jails/testjail
cd /usr/src
make installworld DESTDIR=/usr/jails/testjail
make distribution DESTDIR=/usr/jails/testjail
echo 'hostname="testjail.example.com"' >> /usr/jails/testjail/etc/rc.conf
echo 'nameserver 8.8.8.8' >> /usr/jails/testjail/etc/resolv.conf
mkdir /usr/jails/testjail/usr/ports

Start and use the jail manually

Start the jail:

# jail -c vnet name=testjail host.hostname=testjail path=/usr/jails/testjail persist
# jls
JID IP Address Hostname Path
1 - testjail /usr/jails/testjail

Create the virtual ethernet cable:

# ifconfig epair0 create
epair0a
# ifconfig epair0b vnet 1

Create the bridge:

# ifconfig bridge create
bridge0
# ifconfig bridge0 addm epair0a addm bge0

Configure the network on both sides:

# ifconfig bge0 192.168.1.10/24
# ifconfig epair0a 192.168.1.11/24
# jexec testjail ifconfig epair0b 192.168.1.12/24
# jexec testjail ifconfig
lo0: flags=8008 metric 0 mtu 16384
options=3
epair0b: flags=8843 metric 0 mtu 1500
ether 02:06:d7:00:07:0b
inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.3.255
inet6 fe80::6:d7ff:fe00:70b%epair0b prefixlen 64 scopeid 0x2
nd6 options=3

Test the connection:

# jexec testjail ping -c 1 192.168.1.11
PING 192.168.1.11 (192.168.1.11): 56 data bytes
64 bytes from 192.168.1.11: icmp_seq=0 ttl=64 time=0.059 ms

--- 192.168.1.11 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.059/0.059/0.059/0.000 ms

# jexec testjail ping -c 1 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=0.094 ms

--- 192.168.1.10 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.094/0.094/0.094/0.000 ms

Stop the jail:

# jail -r testjail
# jls
JID IP Address Hostname Path

Clean the network:

# ifconfig epair0a destroy
# ifconfig bridge0 destroy

Start the jail automatically

As of 2011/08/01, /etc/rc.d/jail has problems using the new jail command (v2), so you must patch it if you want to use vnets:
http://www.freebsd.org/cgi/query-pr.cgi?pr=142972

In /etc/rc.conf:

#
# Jails networking
#
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0"

#
# Jails configuration
#
jail_enable="YES"
jail_v2_enable="YES"
jail_list="testjail"

jail_testjail_name="testjail"
jail_testjail_hostname="testjail.example.net"
jail_testjail_devfs_enable="YES"
jail_testjail_rootdir="/usr/jails/testjail"
jail_testjail_vnet_enable="YES"
jail_testjail_exec_prestart0="ifconfig epair0 create"
jail_testjail_exec_prestart1="ifconfig bridge0 addm epair0a"
jail_testjail_exec_prestart2="ifconfig epair0a up"
jail_testjail_exec_earlypoststart0="ifconfig epair0b vnet testjail"
jail_testjail_exec_afterstart0="ifconfig lo0 127.0.0.1"
jail_testjail_exec_afterstart1="ifconfig epair0b 192.168.1.12 netmask 255.255.255.0 up"
jail_testjail_exec_afterstart2="route add default 192.168.1.1"
jail_testjail_exec_afterstart3="/bin/sh /etc/rc"
jail_testjail_exec_poststop0="ifconfig bridge0 deletem epair0a"
jail_testjail_exec_poststop1="ifconfig epair0a destroy"

Then:

# /etc/rc.d/jail start testjail

# jexec testjail ping -c 1 example.net
PING example.net (192.0.43.10): 56 data bytes
64 bytes from 192.0.43.10: icmp_seq=0 ttl=243 time=94.903 ms

--- example.net ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 94.903/94.903/94.903/0.000 ms
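
The rc.conf block above hard-codes epair0; as soon as a second jail is added, its prestart/poststop hooks must use another unit, or stopping one jail destroys the other jail's cable. The script below, an added example rather than the howto's own code, generates the per-jail block for any number of jails and checks the combined result for reused epair units or IP addresses (assumed: hostnames under example.net, a /24 on 192.168.1.0 behind the bridge0 configured above).

```shell
#!/bin/sh
# Added example, not part of the original howto: build the jail_<name>_*
# rc.conf block for several vnet jails, one epair unit per jail, and
# check the result. Assumed values: hostnames under example.net, a /24 on
# 192.168.1.0, bridge0 already created with bge0 as member (as above).

# jail_rcconf NAME UNIT IP GATEWAY
# Prints the block for one jail: epair${UNIT}a stays on the host and is
# added to bridge0, epair${UNIT}b is moved into the jail's vnet.
jail_rcconf() {
    name=$1 unit=$2 ip=$3 gw=$4
    hostif="epair${unit}a"
    jailif="epair${unit}b"
    cat <<EOF
jail_${name}_name="${name}"
jail_${name}_hostname="${name}.example.net"
jail_${name}_devfs_enable="YES"
jail_${name}_rootdir="/usr/jails/${name}"
jail_${name}_vnet_enable="YES"
jail_${name}_exec_prestart0="ifconfig epair${unit} create"
jail_${name}_exec_prestart1="ifconfig bridge0 addm ${hostif}"
jail_${name}_exec_prestart2="ifconfig ${hostif} up"
jail_${name}_exec_earlypoststart0="ifconfig ${jailif} vnet ${name}"
jail_${name}_exec_afterstart0="ifconfig lo0 127.0.0.1"
jail_${name}_exec_afterstart1="ifconfig ${jailif} ${ip} netmask 255.255.255.0 up"
jail_${name}_exec_afterstart2="route add default ${gw}"
jail_${name}_exec_afterstart3="/bin/sh /etc/rc"
jail_${name}_exec_poststop0="ifconfig bridge0 deletem ${hostif}"
jail_${name}_exec_poststop1="ifconfig ${hostif} destroy"
EOF
}

# check_rcconf FILE: succeed only if no two jails in FILE share an epair
# unit (one jail's poststop hook would destroy the other's cable) and no
# two jails share an IP address on the bridged segment.
check_rcconf() {
    dup_units=$(sed -n 's/^jail_.*_exec_prestart0="ifconfig epair\([0-9]*\) create"$/\1/p' "$1" \
        | sort | uniq -d)
    dup_ips=$(sed -n 's/^jail_.*_exec_afterstart1="ifconfig epair[0-9]*b \([0-9.]*\) .*/\1/p' "$1" \
        | sort | uniq -d)
    [ -z "$dup_units" ] && [ -z "$dup_ips" ]
}

# Usage: jail_rcconf testjail 0 192.168.1.12 192.168.1.1 >> /etc/rc.conf
```

Remember to list every generated jail in jail_list and to run check_rcconf on the full /etc/rc.conf before rebooting, since a duplicate unit only shows up as a jail that loses its network when its neighbour stops.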

Sources: