Discussion:
jail.conf question (vnet.interface)
James Gritton
2021-06-06 16:23:58 UTC
Hi,
for vnet jails, one needs to move some interface into created virtual
stack. In jail.conf, this could be achieved using
jail0
{vnet;
vnet.interface = re2;
}
and initialize moved interface using standard /etc/rc.conf
configuration
file in jail jail0.
Adding a small paragraph about this to the jail.conf man page would be
useful. I know it is in the jail man page in some form, but it deserves
a mention in the example section of the jail.conf man page. At least,
this makes it easier to find for first comers :) (Well, that's not me,
I am using vnet jails aka VIMAGE from the start as an experimental
feature in FreeBSD 4 or 5, almost 20 years ago.)
True, it would make sense to add a vnet example, since it's now included
in the default kernel.
I need more interfaces moved this way. It is no problem to issue manually
ifconfig re3 vnet jail0
but trying to write
jail0
{vnet;
vnet.interface = re2;
vnet.interface = re3;
}
in jail.conf means only re3 is moved and can be configured with
standard rc.conf config file. First instance (re2) is kind of
overwritten and forgotten.
Is it possible to move more interfaces this way at all? I'd like to
avoid any hacks if possible, and any workaround for this is ugly...
It's not possible to add more than one interface that way. It would
make sense for vnet.interface to be an array, so you could say have a
comma-separated list or say "vnet.interface += re3".

Currently, anything more than one interface would need to be an ifconfig
command added to "exec.created".

- Jamie
James Gritton
2021-06-07 17:34:30 UTC
Post by James Gritton
I need more interfaces moved this way. It is no problem to issue manually
ifconfig re3 vnet jail0
but trying to write
jail0
{vnet;
vnet.interface = re2;
vnet.interface = re3;
}
in jail.conf means only re3 is moved and can be configured with
standard rc.conf config file. First instance (re2) is kind of
overwritten and forgotten.
Is it possible to move more interfaces this way at all? I'd like to
avoid any hacks if possible, and any workaround for this is ugly...
It's not possible to add more than one interface that way. It would
make sense for vnet.interface to be an array, so you could say have a
comma-separated list or say "vnet.interface += re3".
Where is this functionality implemented (at least for ip4.addr list)?
Which file? Is it a script of some kind?
For ip4.addr, there are two considerations. Adding the address to the
interface is done by jail(8), by running ifconfig before creating the
jail, and removing the address is likewise by ifconfig after removing
the jail. But also, the set of multiple addresses is passed through
jail_set(2) when the jail is created.

vnet.interface is handled entirely within jail(8), again running
ifconfig but this time after the jail is created. There's no
corresponding call to move the interfaces back, as that's automatic
on jail destruction.
Post by James Gritton
Currently, anything more than one interface would need to be an
ifconfig command added to "exec.created".
Thanks for the notice. Just to be sure, for interested ones - such a
command is executed before anything else, namely /etc/rc from the jail. I
have some special scenario where I am not using /etc/rc in the jail, just
exec.created.
exec.created is the first thing run after jail_set(2) is called. In
fact, the only difference between exec.created and exec.start is the
fact that the single vnet.interface is moved between them. The order
of operations in jail creation is:

exec.prepare
ifconfig for adding IP addresses to interfaces
mount filesystems
exec.prestart
create the jail
exec.created
transfer vnet.interface
exec.start and/or command (run in jail environment)
exec.poststart

That provides a chance to run custom commands at just about any stage
of jail creation.

- Jamie
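Putting Jamie's exec.created workaround into a complete jail.conf entry, as an added example that is not part of the thread; the jail path, hostname and rc commands are assumed, and re2/re3 are the interface names used above.

```conf
# Added example: a vnet jail that receives two physical interfaces.
# re2 goes in through vnet.interface; re3 is moved by an exec.created
# hook, because vnet.interface holds only a single interface.
jail0 {
    path = "/jails/$name";                  # assumed jail root
    host.hostname = "$name.example.test";   # placeholder hostname
    mount.devfs;

    vnet;
    vnet.interface = "re2";

    # Runs on the host right after jail_set(2), before the
    # vnet.interface transfer. Both interfaces are inside the jail by
    # the time exec.start runs. Any further interface is another
    # 'exec.created += "...";' line, executed in order.
    exec.created = "/sbin/ifconfig re3 vnet $name";

    # The jail's own /etc/rc.conf then configures re2 and re3 as usual.
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";

    # Moved interfaces return to the host automatically when the jail is
    # destroyed, so no exec.poststop hook is needed for them.
}
```

A moved interface is under the jail's full control until the jail is destroyed, so hand a vnet jail dedicated interfaces (or one end of an epair) rather than one the host itself relies on.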