jails jail using vnet - networking isn't working

EDIT: PLEASE NOTE that I've now got things mostly working; the one remaining problem that I know of is that the jail host can't ping the jails (while other machines on my intranet can ping them). The config shown in this initial post is now out of date; the new config (and further details about the current remaining issue) can be found further downthread. Thank you!

I've been trying to get a jail up using VNET. I have been running into problems with network connectivity between the jail and the outside world (both directions). Through various stab-in-the-dark-ish changes, I've been able to get connectivity to fail with various different symptoms, but I've been unable to ever get it working.

The current symptoms:

ping:
* From the jail host to the jail: "ping: sendto: Host is down".
* From the jail to the jail host: same thing.

route get:
* On the jail host for the jail: Says "interface: host". That surprised me, as my uneducated assumption would be that it should show the interface as the bridge, or the endpoint of the bridge, or pretty much anything *other* than "host".
* In the jail for the jail host: Takes a long time, but eventually comes back with "interface: vnet0".

ssh (with sshd up and running on both):
* From the host to the jail: It seems to just hang, but eventually comes back with "Operation timed out".
* From the jail to the host: Same thing.

I am new to jails (though as proof-of-concept in preparation for what I'm doing now, I was able to successfully get them up using simpler forms of connectivity, e.g. the loopback/alias things, both with Bastille and with "raw" jails). I am new to VNET. As for networking in general, I am definitely no expert, but I'm not a newbie and I feel that I have a working grasp of at least some of the basics.

I am using FreeBSD-13.1-RELEASE-p2 and Bastille. My machine has two different physical IP interfaces, one of which I've named "host" and am using for the "main" part of the machine (the "jail host"), and the other I've named "jails" and am using (well... trying to use) for the jails. I've got IPv4 set up for both, and IPv6 for neither.

I've been trying to piece this all together from a variety of sources, including the Bastille documentation, "Absolute FreeBSD" by Michael W. Lucas, "FreeBSD Mastery: Jails" by the same author, and a lot of googling.

The current config for my machine is as follows. I'd appreciate any help very much. Thanks in advance.

(jail host) /etc/rc.conf:
Code:
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="silicon.vestertopia.net"
ifconfig_bce0_name="host"
ifconfig_bce1_name="jails"
ifconfig_host="inet 192.168.0.14 netmask 255.255.128.0"
ifconfig_jails="up"
defaultrouter="192.168.0.1"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
smartd_enable="YES"
gateway_enable="YES"

(jail host) ifconfig (much of which was set up automatically by bastille):
Code:
host: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 84:2b:2b:66:dd:c3
        inet 192.168.0.14 netmask 0xffff8000 broadcast 192.168.127.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
jails: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether 84:2b:2b:66:dd:c4
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
jailsbridge: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:7a:17
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_bastille0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: jails flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
e0a_bastille0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vnet host interface for Bastille jail pocjail
        options=8<VLAN_MTU>
        ether 02:20:98:66:dd:c4
        hwaddr 02:ea:dc:ca:c3:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

(jail host) /etc/devfs.rules (set manually, without understanding, based on documentation):
Code:
[bastille_vnet=13]
add path 'bpf*' unhide

(jail host) a few sysctl values that I set manually, without understanding, based on documentation:
Code:
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0

(jail host) /usr/local/etc/bastille/bastille.conf (exactly the default config, except for two ZFS lines):
Code:
#####################
## [ BastilleBSD ] ##
#####################

## default paths
bastille_prefix="/usr/local/bastille"                                 ## default: "/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups"                      ## default: "${bastille_prefix}/backups"
bastille_cachedir="${bastille_prefix}/cache"                          ## default: "${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails"                          ## default: "${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases"                    ## default: "${bastille_prefix}/releases"
bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"

## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"

## bootstrap archives, which components of the OS to install.
## base  - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src   - The source code to the kernel + userland
## test  - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base"                                    ## default: "base"

## default timezone
bastille_tzdata=""                                                    ## default: empty to use host's time zone

## default jail resolv.conf
bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"

## bootstrap urls
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"          ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"

## ZFS options
bastille_zfs_enable="YES"                                             ## default: ""
bastille_zfs_zpool="zroot"                                            ## default: ""
bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"

## Export/Import options
bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
bastille_compress_gz_options="-1 -v"                                  ## default "-1 -v"
bastille_decompress_gz_options="-k -d -c -v"                          ## default "-k -d -c -v"

## Networking
bastille_network_loopback="bastille0"                                 ## default: "bastille0"
bastille_network_shared=""                                            ## default: ""
bastille_network_gateway=""                                           ## default: ""
bastille_network_gateway6=""                                          ## default: ""

## Default Templates
bastille_template_base="default/base"                                 ## default: "default/base"
bastille_template_empty=""                                            ## default: "default/empty"
bastille_template_thick="default/thick"                               ## default: "default/thick"
bastille_template_clone="default/clone"                               ## default: "default/clone"
bastille_template_thin="default/thin"                                 ## default: "default/thin"
bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"

(jail host) /usr/local/bastille/jails/fstab (created automatically by bastille):
Code:
/usr/local/bastille/releases/13.1-RELEASE /usr/local/bastille/jails/pocjail/root/.bastille nullfs ro 0 0

(jail host) /usr/local/bastille/jails/jail.conf (created automatically by bastille):
Code:
pocjail {
  devfs_ruleset = 13;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/pocjail_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = pocjail;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/pocjail/fstab;
  path = /usr/local/bastille/jails/pocjail/root;
  securelevel = 2;

  vnet;
  vnet.interface = e0b_bastille0;
  exec.prestart += "jib addm bastille0 jails";
  exec.prestart += "ifconfig e0a_bastille0 description \"vnet host interface for Bastille jail pocjail\"";
  exec.poststop += "jib destroy bastille0";
}

(jail) /etc/rc.conf:
Code:
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
cron_flags="-J 60"
ifconfig_e0b_bastille0_name="vnet0"
ifconfig_vnet0="inet 192.168.14.1/17"
defaultrouter="192.168.0.1"

(jail) ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 0e:20:98:66:dd:c4
        hwaddr 02:ea:dc:ca:c3:0b
        inet 192.168.14.1 netmask 0xffff8000 broadcast 192.168.127.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
From my understanding you have to configure epair to connect the jail with the host. Unfortunately I have not dived deeper into that because the laptop I have used for that has died. :mad:
 
chrbr, thanks.

From my understanding you have to configure epair to connect the jail with the host

I'm sorry, this is the first I'm ever using VNET, so I'm not sure that I'm understanding properly, but: Isn't that what Bastille automatically did when it created e0a_bastille0 on the host and e0b_bastille0 (which it subsequently renamed "vnet0") on the jail?
 
Also, I'd like to take this opportunity to change my "As for networking in general, I am definitely no expert, but I'm not a newbie" to "... but I'm not a total newbie". I'm definitely newbie-ish enough that it's probably safer to assume I don't understand anything specific about networking unless I somehow manage to demonstrate otherwise :p
 
I am a newbie on VNET, too. There is also VLAN. It is different from VNET but there are more how-tos on the internet. If you search for VLAN you can see how epairs are generated and destroyed by commands in /etc/jails.conf. The documentation on the iocage project page is good to read, too.
 
I have an old machine with a VNET jail. I used iocage to set it.

The difference I see between our network configs is that your bridge (jailsbridge) is connected to a loopback interface (jails) whereas mine is connected to a real ethernet interface (re0 in my case). Don't know if it is relevant or not.
 
I am not sure how to setup that configuration properly. But it should be fine to connect the bridge to a real interface.
 
The difference I see between our network configs is that your bridge (jailsbridge) is connected to a loopback interface (jails) whereas mine is connected to a real ethernet interface (re0 in my case).
I might not be understanding, but I believe my jails interface represents a real ethernet interface:

Code:
# ifconfig jails
jails: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether 84:2b:2b:66:dd:c4
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

It's actually bce1 (ifconfig_bce1_name="jails" in /etc/rc.conf), which is my second physical ethernet port, and which I can use fine (I mean in general, not necessarily in the current configuration).

Maybe it has something to do with it not having an assigned IP address? I did that based on instructions in one of the Lucas books, but it struck me as weird and I'm not sure that I was correctly understanding those instructions.

I am a newbie on VNET, too. There is also VLAN.

Hmmm... where I said "I'm new to VNET", I guess I should have said "I'm new to virtual networks". Maybe I'm inappropriately mixing and matching them? The Bastille documentation that I followed for this part (Bastille Networking in Depth) says VNET, but I see a bunch of "VLAN" things in the ifconfig jails output shown above. I have no idea whether that's correct or not.
 
This is embarrassing, but... it may have been as simple as a reboot!

I gave up last night after trying a bunch of stab-in-the-dark things, and today I was about to wipe out the machine and start over, but decided to reboot, and it worked! I'm not 100% sure that the reboot was the only thing that was necessary, since I did try those stab-in-the-dark things last night. But it seems like there's at least a good chance of it.

I am now tempting fate by wiping out the machine and starting over anyway, to see if I can get everything configured, up, and running via controlled, known steps. I feel near-certain that I will soon deeply regret this decision :P

Anyway, thanks for the help!
 
OK, I've wiped out the machine and started from scratch, and almost everything is working (and rebooting hasn't helped this time :P). The one thing (as far as I know) that is not working is that the jail host can't ping into the jails.

The jail host can ping anything but the jails:
  • itself
  • other machines on my intranet
  • machines on the internet
A jail can ping:
  • itself
  • the other jails
  • the jail host
  • other machines on my intranet
  • machines on the internet
Another machine on my intranet can ping:
  • itself
  • the jail host
  • the jails
  • other machines on my intranet
  • machines on the internet
To remind you, the machine I'm setting up has two ethernet ports, and I am using one for the jail host and the other for the jails.

One thing that stands out to me is the output of route get <jail-ip-addr> when done on the jail host:

Code:
# route get 192.168.14.1
   route to: 192.168.14.1
destination: default
       mask: default
    gateway: 192.168.0.1
        fib: 0
  interface: host
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

Specifically, the interface is host, i.e. the interface that I'm using for the jail host itself, representing an actual ethernet port that is hooked up to my router. Is this correct? I ignorantly imagine that it should be routing things for the jails into the bridge interface, not the host interface?

As a stab in the dark, I tried manually adding a route to the jails bridge on the jail host:

Code:
# route add -net 192.168.14.0/24 -interface jailsbridge
# service netif restart
# service routing restart

But that just made things worse (I forget the specifics, but various other things lost the ability to ping various other things). I have since deleted that route, and now it's back to the situation I've described earlier in this comment.

Another thing I think I should mention: I have not done any configuration for any pf or rdr stuff (at least not intentionally or knowingly). Unless something has modified them without my knowledge, they're entirely set up as they would be in a fresh install of FreeBSD done by someone who doesn't even know they exist.

I know virtually nothing about them, but the documentation I've read seems to not bother mentioning them at all when setting up jails over VNET, whereas they're prominently mentioned in sections describing setting up jails with other networking schemes. Am I correct in therefore thinking that they can be ignored when setting up jails over VNET?

Thanks again for any help.
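A way to check the three things this post raises without more stabs in the dark: which interface the host's route to the jail address actually uses, whether the physical jail NIC is really a member of the bridge, and whether the host and the jail agree on what is on-link. This is an added diagnostic script, not part of Bastille, FreeBSD or anything posted in the thread. Its defaults are the values shown in this thread (jail 192.168.14.1/17, bridge jailsbridge with members e0a_bastille0 and jails, host 192.168.0.14 with the netmask 0xffffff80 from the ifconfig output posted further down); the embedded route/ifconfig text is a constructed sample assembled from the output posted above, and on a FreeBSD host the script queries route(8) and ifconfig(8) live instead. It reports observations only and does not change anything or claim a root cause.

```shell
#!/bin/sh
# vnet_reach_check.sh: added diagnostic for the "jail host cannot ping its vnet jail"
# symptom. Not part of Bastille or FreeBSD. It parses route(8) and ifconfig(8) output
# and reports what the routing table, the bridge membership and the address masks
# say; it changes nothing. Defaults are the values posted in this thread; override
# them through the environment (e.g. JAIL_IP=... BRIDGE=... sh vnet_reach_check.sh).
set -eu

HOST_IF=${HOST_IF:-host}          # host's own NIC (bce0, renamed in rc.conf)
PHYS_IF=${PHYS_IF:-jails}         # NIC dedicated to the jails (bce1, renamed)
BRIDGE=${BRIDGE:-jailsbridge}
JAIL_IP=${JAIL_IP:-192.168.14.1}
JAIL_MASK=${JAIL_MASK:-17}        # prefix length the jail uses in its own rc.conf

# Constructed sample input, assembled from the output posted in the thread, so the
# script also runs on a machine that is not the jail host (or on non-FreeBSD).
SAMPLE_ROUTE='   route to: 192.168.14.1
destination: default
       mask: default
    gateway: 192.168.0.1
        fib: 0
  interface: host
      flags: <UP,GATEWAY,DONE,STATIC>'
SAMPLE_BRIDGE='jailsbridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: e0a_bastille0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: jails flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'

# ip4_to_int 192.168.0.14 -> 3232235534
ip4_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_to_int takes ifconfig's hex form (0xffffff80), dotted (255.255.128.0) or a prefix length (17)
mask_to_int() {
    case $1 in
        0x*) echo $(( $1 )) ;;
        *.*) ip4_to_int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# on_link LOCAL_IP LOCAL_MASK REMOTE_IP -> yes|no: would LOCAL ARP for REMOTE directly?
on_link() {
    l=$(ip4_to_int "$1"); m=$(mask_to_int "$2"); r=$(ip4_to_int "$3")
    if [ $(( l & m )) -eq $(( r & m )) ]; then echo yes; else echo no; fi
}

# field_after KEY: first word following KEY on stdin, e.g. field_after interface:
field_after() {
    while read -r k v rest; do
        if [ "$k" = "$1" ]; then echo "$v"; return 0; fi
    done
    echo ""
}

# bridge_members: member interface names, one per line, from `ifconfig BRIDGE` on stdin
bridge_members() {
    while read -r k v rest; do
        [ "$k" = "member:" ] && echo "$v"
    done
    return 0
}

# inet_of: "ADDR MASK" from the first inet line of `ifconfig IF` on stdin
inet_of() {
    while read -r k v k2 v2 rest; do
        if [ "$k" = inet ] && [ "$k2" = netmask ]; then echo "$v $v2"; return 0; fi
    done
    echo ""
}

# diagnose HOST_IP HOST_MASK ROUTE_IF MEMBERS: one finding per line, last line is a summary word
diagnose() {
    h2j=$(on_link "$1" "$2" "$JAIL_IP")
    j2h=$(on_link "$JAIL_IP" "$JAIL_MASK" "$1")
    echo "host -> jail on-link: $h2j (host $1 mask $2)"
    echo "jail -> host on-link: $j2h (jail $JAIL_IP/$JAIL_MASK)"
    if [ "$3" = "$BRIDGE" ]; then
        echo "host sends to $JAIL_IP directly via $BRIDGE"
    elif [ "$h2j" = no ]; then
        echo "host has no on-link address for $JAIL_IP, so it takes the route via $3"
    else
        echo "host sends to $JAIL_IP via $3, not via $BRIDGE"
    fi
    members=$(printf ' %s ' $4)      # unquoted on purpose: newline list -> " a  b "
    case $members in
        *" $PHYS_IF "*) echo "$PHYS_IF is a member of $BRIDGE" ;;
        *)              echo "WARNING: $PHYS_IF is not a member of $BRIDGE" ;;
    esac
    if [ "$h2j" != "$j2h" ]; then echo ASYMMETRIC-MASKS; else echo CONSISTENT-MASKS; fi
}

if [ "$(uname -s)" = FreeBSD ] && [ "${USE_SAMPLE:-no}" = no ]; then
    host_inet=$(ifconfig "$HOST_IF" | inet_of)
    route_if=$(route -n get "$JAIL_IP" | field_after interface:)
    members=$(ifconfig "$BRIDGE" | bridge_members)
else
    host_inet="192.168.0.14 0xffffff80"   # host address/mask from the posted ifconfig
    route_if=$(printf '%s\n' "$SAMPLE_ROUTE" | field_after interface:)
    members=$(printf '%s\n' "$SAMPLE_BRIDGE" | bridge_members)
fi
[ -n "$host_inet" ] || { echo "no inet address found on $HOST_IF"; exit 1; }
diagnose $host_inet "$route_if" "$members"
```

Run it on the jail host as `sh vnet_reach_check.sh` (or with `USE_SAMPLE=yes` anywhere to see it work on the constructed sample). With the thread's values it reports that the host reaches 192.168.14.1 only through the default route on `host`, while the jail's /17 makes it treat 192.168.0.14 as on-link through the bridge, so the two sides are making different on-link assumptions about the same pair of addresses; that is the kind of mismatch worth settling on paper before looking at ssh.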
 
Another thing I think I should mention: I have not done any configuration for any pf or rdr stuff (at least not intentionally or knowingly). Unless something has modified them without my knowledge, they're entirely set up as they would be in a fresh install of FreeBSD done by someone who doesn't even know they exist.

Oh, except maybe for setting a few sysctl settings that have "pf" in their names (as suggested by the docs, seemingly regardless of the networking scheme being used for jails):

Code:
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0

But I mean I have not modified /etc/pf.conf or anything like that.
 
I'd suggest quitting the stab-in-the-dark approach, as it may lead to things functioning rather by chance, and yields no systematic debugging if something does not function.
Basic rule 1: a vnet jail networking behaves 99% identical to a separate node. (The remaining 1% is mostly bugs and lack-of-implementation around special features of ipfw)
This leads to basic rule 2: you need a networking plan. What is supposed to connect to where by what means?
Rule 3: a systematic approach. It is quite pointless to see what ssh does as long as ping doesn't work. Whatever firewalling should be disengaged for testing connectivity; doing evaluations in hot (internet-connected) sites is something for the pros.

So, to get connectivity to the jail, you need some interface, just like when connecting any standalone machine to a network. Only here the connectivity is virtual interfaces. I am using netgraph for these, most people use ifconfig-style bridges and peers. The latter have some more features, while the netgraph tools provide a separate infrastructure that is mostly independent from the ifconfig stuff. Choice is up to you.
You can either create a bridge and then attach any jails to that bridge, or create a peer (two interfaces connected together) for arbitrary links between two jails or jail-to-host.
The respective interface that should reside in the jail is first created on the host and then moved into the jail with the vnet option of ifconfig - usually this happens at jail startup. (It should be moved back again before killing the jail, otherwise you will never get rid of it again and may need to reboot. The jail.conf should do this.)
That accomplished, some MAC address can be put onto the interfaces, and usually some ip address (the latter is usually done from inside the jail, with rc.conf), and then we can check if arp does its job (with ipv4, ndp with ipv6), and then basic neighbour ping should work.
From there onwards, routing is as usual. So we can describe a route for the DNS, and then maybe we can start to look at things like ssh.

Now let's try to get a clue. bce0 is your regular outbound interface. bce1 is apparently just lingering there without purpose. There is a bridge connecting bce1 with some e0a_bastille, and a vnet.interface parameter would move the latter into the jail, where it then would get an ip address. So there is connectivity, but it connects to nowhere, because the only other bridge member is bce1 which doesn't have an address.
So now you could either give bce1 an ip-address, and then do layer-3 routing in the host between bce1 (that is, the jail) and bce0, or attach bce0 to the bridge and thereby give the jail a direct (layer-2) way out to the real network.
In any case you don't need bce1 to be a physical interface, unless you want to connect some other things there. (BTW, if this is a dell machine, then bce1 is usually the ipmi interface. Sure it works at all?)
Just noticed: it is e0b_bastille that goes into the jail. So you apparently have a pair and a bridge and an extra physif! If this is indeed a pair, then the hostside peer should already do, and you could give that an ip-address and route layer-3 in the host. Otherwise, not sure if this works with ifconfig virtuals the same as with netgraph, but if you have a bridge, you normally don't need a pair, because the jailside interface can just be connected to the bridge (before moving it into the jail). Then you would connect the jailside interface and bce0 to that bridge and give the jail a regular ip on the outbound network (and do the appropriate firewalling in the jail).

Probably I forgot a bunch of things, but that should be the basics.
 
Thank you. That's a bit much for me and I will take some time to try to digest it. However, a few preliminary notes based on my first read:

First, I'm not sure if you're responding to the original post or to my most recent comments, where I said that I've got ping working from everything to everything with the exception of from the jail host to the jails. For example, I can ping the jails from the outside world. Or from the other jails on the same machine. And the jails themselves can ping anything at all. The only kind of ping that doesn't work is trying to ping a jail from the jail host on the same physical machine.

In any case you don't need bce1 to be a physical interface

The documentation I've read seems to suggest using a separate physical network for the jails, if possible. For example, in Lucas's "FreeBSD Mastery: Jails", his VNET examples use em1 rather than em0. I gather (perhaps mistakenly) that this is to further increase the separation between the jails and the jail host. For example, he writes:

I don’t want my jails using the host’s management interface. That’s why
I have this jailether interface, so jails can spew their garbage on
the network and not interfere with my pristine host.

The jailether interface he refers to there is just his renamed em1, and I intended my jails (f.k.a. bce1) to be analogous to it.
bce1 is apparently just lingering there without purpose.

Its purpose is to serve the jails. Are you referring to the fact that it has no IP address? Here I again believe I'm following the Lucas book in this:

Either way, pick a physical interface to dedicate to the jail. Remove
all IP networking configuration from the interface; only bring it up
and give it a name.
Code:
ifconfig_em1_name="jailether"
ifconfig_jailether="up"
You can now configure vnet jails against that interface.

Back to your comment:
BTW, if this is a dell machine, then bce1 is usually the ipmi interface. Sure it works at all?
It is a Dell. I know nothing about IPMI - I'm not even sure if I knew it was a thing before reading your comment. As for it working, I guess that might depend on what you mean, but: I can bring down and even physically disconnect my other ethernet port from the outside world and (after giving bce1 an IP address and stuff like that) still ping my router. If you mean something by "working" that that doesn't show, please let me know.

Just noticed: it is e0b_bastille that goes into the jail. So you apparently have a pair and a bridge and an extra physif!

Like I said earlier, I'm definitely no networking expert, and I've really got to read this part and what follows it much more closely to have a chance of understanding what you mean or what it might imply. However, I can say that except for my two physical interfaces and the loopback interface, every interface shown by ifconfig (both on the jail host and from within the jail) was created and configured automatically when I created my first jail using bastille, as follows:

# bastille create -V poc 13.1-RELEASE 192.168.14.1/17 jails

I did that based on Bastille Networking in Depth (from the official Bastille website), which gives the following example to bring up a jail on VNET:

bastille create -V nginx 12.2-RELEASE 192.168.1.13 re0

I could definitely be misunderstanding, but I believe that it is expected that Bastille should create a bridge and one end of a pair on the host, and the other end of the pair in the jail, which is (it seems to me) what it did.
 
Also, since I wiped the machine and started over, I'm going to give my current configuration here (I think it's at least very similar to the original, but just in case). First, though, a little thing I should have mentioned earlier: The way ping (from the jail host to the jail) fails is that it just gives no output until I Ctrl-C, at which time it informs me of 100% packet loss. And again, everything on my network except for the jail host itself can ping the jail.

My current config:

(jail host) /etc/rc.conf:
Code:
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="silicon.vestertopia.net"

ifconfig_bce0_name="host"
ifconfig_bce1_name="jails"
ifconfig_host="inet 192.168.0.14 netmask 255.255.255.128"
ifconfig_jails="up"
defaultrouter="192.168.0.1"
gateway_enable="YES"

sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
zfs_enable="YES"
smartd_enable="YES"

bastille_enable="YES"

(jail host) ifconfig:
Code:
host: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 84:2b:2b:66:dd:c3
        inet 192.168.0.14 netmask 0xffffff80 broadcast 192.168.0.127
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
jails: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c00b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
        ether 84:2b:2b:66:dd:c4
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
jailsbridge: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 58:9c:fc:10:7a:17
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: e0a_bastille0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: jails flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
e0a_bastille0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vnet host interface for Bastille jail poc
        options=8<VLAN_MTU>
        ether 02:20:98:66:dd:c4
        hwaddr 02:07:60:bb:70:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

(jail host) /etc/devfs.rules:
Code:
[bastille_vnet=13]
add path 'bpf*' unhide

(jail host) /etc/sysctl.conf:
Code:
# $FreeBSD$
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
kern.elf32.aslr.enable=1
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.honor_sbrk=0
kern.elf64.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.honor_sbrk=0
vfs.zfs.min_auto_ashift=12

net.inet.ip.forwarding=1
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=0
net.link.bridge.pfil_member=0

(jail host) /usr/local/etc/bastille/bastille.conf:
Code:
#####################
## [ BastilleBSD ] ##
#####################

## default paths
bastille_prefix="/usr/local/bastille"                                 ## default: "/usr/local/bastille"
bastille_backupsdir="${bastille_prefix}/backups"                      ## default: "${bastille_prefix}/backups"
bastille_cachedir="${bastille_prefix}/cache"                          ## default: "${bastille_prefix}/cache"
bastille_jailsdir="${bastille_prefix}/jails"                          ## default: "${bastille_prefix}/jails"
bastille_releasesdir="${bastille_prefix}/releases"                    ## default: "${bastille_prefix}/releases"
bastille_templatesdir="${bastille_prefix}/templates"                  ## default: "${bastille_prefix}/templates"
bastille_logsdir="/var/log/bastille"                                  ## default: "/var/log/bastille"

## bastille scripts directory (assumed by bastille pkg)
bastille_sharedir="/usr/local/share/bastille"                         ## default: "/usr/local/share/bastille"

## bootstrap archives, which components of the OS to install.
## base  - The base OS, kernel + userland
## lib32 - Libraries for compatibility with 32 bit binaries
## ports - The FreeBSD ports (3rd party applications) tree
## src   - The source code to the kernel + userland
## test  - The FreeBSD test suite
## this is a whitespace separated list:
## bastille_bootstrap_archives="base lib32 ports src test"
bastille_bootstrap_archives="base"                                    ## default: "base"

## default timezone
bastille_tzdata=""                                                    ## default: empty to use host's time zone

## default jail resolv.conf
bastille_resolv_conf="/etc/resolv.conf"                               ## default: "/etc/resolv.conf"

## bootstrap urls
bastille_url_freebsd="http://ftp.freebsd.org/pub/FreeBSD/releases/"          ## default: "http://ftp.freebsd.org/pub/FreeBSD/releases/"
bastille_url_hardenedbsd="http://installer.hardenedbsd.org/pub/hardenedbsd/" ## default: "https://installer.hardenedbsd.org/pub/HardenedBSD/releases/"
bastille_url_midnightbsd="https://www.midnightbsd.org/ftp/MidnightBSD/releases/"          ## default: "https://www.midnightbsd.org/pub/MidnightBSD/releases/"

## ZFS options
bastille_zfs_enable="YES"                                             ## default: ""
bastille_zfs_zpool="zroot"                                            ## default: ""
bastille_zfs_prefix="bastille"                                        ## default: "${bastille_zfs_zpool}/bastille"
bastille_zfs_options="-o compress=lz4 -o atime=off"                   ## default: "-o compress=lz4 -o atime=off"

## Export/Import options
bastille_compress_xz_options="-0 -v"                                  ## default "-0 -v"
bastille_decompress_xz_options="-c -d -v"                             ## default "-c -d -v"
bastille_compress_gz_options="-1 -v"                                  ## default "-1 -v"
bastille_decompress_gz_options="-k -d -c -v"                          ## default "-k -d -c -v"

## Networking
bastille_network_loopback="bastille0"                                 ## default: "bastille0"
bastille_network_shared=""                                            ## default: ""
bastille_network_gateway=""                                           ## default: ""
bastille_network_gateway6=""                                          ## default: ""

## Default Templates
bastille_template_base="default/base"                                 ## default: "default/base"
bastille_template_empty=""                                            ## default: "default/empty"
bastille_template_thick="default/thick"                               ## default: "default/thick"
bastille_template_clone="default/clone"                               ## default: "default/clone"
bastille_template_thin="default/thin"                                 ## default: "default/thin"
bastille_template_vnet="default/vnet"                                 ## default: "default/vnet"

(jail host) /usr/local/bastille/jails/poc/fstab:
Code:
/usr/local/bastille/releases/13.1-RELEASE /usr/local/bastille/jails/poc/root/.bastille nullfs ro 0 0

(jail host) /usr/local/bastille/jails/poc/jail.conf:
Code:
poc {
  devfs_ruleset = 13;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/poc_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = poc;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/poc/fstab;
  path = /usr/local/bastille/jails/poc/root;
  securelevel = 2;

  vnet;
  vnet.interface = e0b_bastille0;
  exec.prestart += "jib addm bastille0 jails";
  exec.prestart += "ifconfig e0a_bastille0 description \"vnet host interface for Bastille jail poc\"";
  exec.poststop += "jib destroy bastille0";
}

(jail) /etc/rc.conf:
Code:
root@poc:~ # cat /etc/rc.conf
syslogd_flags="-ss"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
cron_flags="-J 60"
ifconfig_e0b_bastille0_name="vnet0"
ifconfig_vnet0="inet 192.168.14.1/17"
defaultrouter="192.168.0.1"

(jail) ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 0e:20:98:66:dd:c4
        hwaddr 02:07:60:bb:70:0b
        inet 192.168.14.1 netmask 0xffff8000 broadcast 192.168.127.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
Oooooh, I think I got it. Ping-from-x-to-y seems to be working now for all values of x and y, but I'll have to double check when I'm less sleepy, make sure everything is persistable/reproducible, etc. I think the problem might have been this:

Code:
ifconfig_host="inet 192.168.0.14 netmask 255.255.255.128"

That netmask is wrong - it should have been 255.255.128.0.

I'm not sure that this is a good setup, but it does seem to be working at least in the connectivity sense.
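As an added illustration (not part of the original post), this small script checks the kind of mistake described above: it parses rc.conf-style `ifconfig_*` lines for the host's interface and the jail's vnet0 and reports whether each side considers the other on-link. The three lines are constructed from the addresses in this thread; `check_onlink` and `parse_rc_inet` are names chosen here.

```python
import ipaddress
import re

# Constructed rc.conf lines mirroring the thread: the "host" interface with
# the netmask the poster found to be wrong, the corrected line, and the
# jail's vnet0 address.
HOST_WRONG = 'ifconfig_host="inet 192.168.0.14 netmask 255.255.255.128"'
HOST_FIXED = 'ifconfig_host="inet 192.168.0.14 netmask 255.255.128.0"'
JAIL_VNET0 = 'ifconfig_vnet0="inet 192.168.14.1/17"'

_RC_RE = re.compile(
    r'^ifconfig_(?P<ifname>\w+)="inet\s+(?P<addr>[\d.]+)(?:/(?P<plen>\d+))?'
    r'(?:\s+netmask\s+(?P<mask>0x[0-9a-fA-F]{8}|[\d.]+))?')


def parse_rc_inet(line):
    """Return (ifname, IPv4Interface) for an rc.conf ifconfig_<if>="inet ..." line.
    Accepts CIDR, a dotted netmask, or the hex form ifconfig(8) prints
    (0xffff8000). With no mask at all a /32 is assumed here as a conservative
    fallback; ifconfig itself would pick the classful mask."""
    m = _RC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an rc.conf inet line: {line!r}")
    addr, plen, mask = m.group("addr"), m.group("plen"), m.group("mask")
    if plen is not None:
        suffix = plen
    elif mask is not None and mask.startswith("0x"):
        suffix = str(ipaddress.IPv4Address(int(mask, 16)))  # hex -> dotted
    elif mask is not None:
        suffix = mask
    else:
        suffix = "32"
    return m.group("ifname"), ipaddress.IPv4Interface(f"{addr}/{suffix}")


def check_onlink(host_line, jail_line):
    """Report whether each side believes the other is directly reachable.
    A one-sided answer is the failure mode in the thread: with a /25 the host
    did not consider 192.168.14.1 on-link, while the jail's /17 did include
    the host, so the two sides resolved the path differently."""
    _, host = parse_rc_inet(host_line)
    _, jail = parse_rc_inet(jail_line)
    return {
        "host_network": str(host.network),
        "jail_network": str(jail.network),
        "host_sees_jail_onlink": jail.ip in host.network,
        "jail_sees_host_onlink": host.ip in jail.network,
        "same_subnet": host.network == jail.network,
    }


if __name__ == "__main__":
    for label, line in (("wrong", HOST_WRONG), ("fixed", HOST_FIXED)):
        print(label, check_onlink(line, JAIL_VNET0))
```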
 
Thank you. That's a bit much for me and I will take some time to try to digest it.
Take Your time. I don't want to write books, I'm not Mr. Lucas, I rather prefer dialogue. Which means, You're absolutely welcome to grab any sentence of mine and ask, hey, what does that mean in detail? And then I can elaborate.

First, I'm not sure if you're responding to the original post or to my most recent comments,
I hopefully managed to get some clue about what your environment looks like. But I didn't track all subsequent changes when it became difficult to follow the details from here.

The documentation I've read seems to suggest using a separate physical network for the jails, if possible.
I think I read the same or similar descriptions, didn't really understand them, then started to build it on my own from the most basic parts, and then figured how it works and why it works and what is actually needed.

For example, in Lucas's "FreeBSD Mastery: Jails", his VNET examples use em1 rather than em0. I gather (perhaps mistakenly) that this is to further increase the separation between the jails and the jail host.
Sure, that can be done. It depends on what You want to do with the jails: the jails can have their own physical interface and the host may never touch their traffic, or, in the other extreme, the host may act as the default router/gateway for the jails and filter/firewall all their traffic. That depends on the use case, and that is why some kind of networking plan should be devised: to become clear on who should talk to whom by which means (and then also, where to place the firewalls, the NAT, etc., if required).

Its purpose is to serve the jails. Are you referring to the fact that it has no IP address? Here I again believe I'm following the Lucas book in this:
That is correct if that interface is connected to a bridge, and the jails are connected to that same bridge. Then only the jails get ip-addresses. Then you plug a wire into that physical interface, and all the jails are on that network.

It is a Dell. I know nothing about IPMI - I'm not even sure if I knew it was a thing before reading your comment. As for it working, I guess that might depend on what you mean
I have these machines in hosting only. That means, I've never seen them, I don't really know what Dell wired together, or what the hosting guys wired together - I only know that there is some issue with the IPMI, and when I tried to figure it out, the machine failed and was replaced, and now I don't touch it anymore. ;)
So, my recommendation is simple: if not yet done, and before expecting the bce1 to work, put a network wire into it, put an ip address onto it, and verify that it does actually get traffic through.

, but: I can bring down and even physically disconnect my other ethernet port from the outside world and (after giving bce1 an IP address and stuff like that) still ping my router. If you mean something by "working" that that doesn't show, please let me know.
Yes, that's about what I mean.

Like I said earlier, I'm definitely no networking expert

Quoting the '13th Warrior': Soon You will be. :)

I could definitely be misunderstanding, but I believe that it is expected that Bastille should create a bridge and one end of a pair on the host, and the other end of the pair in the jail, which is (it seems to me) what it did.
Okay, that seems to be my fault, and with ifconfig bridge and epair it is indeed done in that way, having a pair AND a bridge, according to this article.
But then it should already be correct and work in that way.
 