WIP - will move this to MasonLoringBliss/JailsEpair once it seems good.

Warning - the following instructions will ravage your machine and then eat all the food in your refrigerator, and unlike the dwarves, they won't be kidding about breaking your dishes.


As of FreeBSD 12, VIMAGE is turned on by default. This lets jails have private network stacks, which is useful.


Here's an example /etc/jail.conf. Previously, the basic assumption here was that you're using vimage, specifying a custom MAC, and using dhclient(8) to pull a dynamic address. Given ordering requirements resulting from BZ#237656, experimentation with dhclient is on hold, so this version uses static addressing.

This assumes jail root in /var/jail/{foo,bar} and an already-extant bridge0.

exec.prestart = "ifconfig epair${ep} create up";
exec.prestart += "ifconfig $bridge addm epair${ep}a";

exec.start = "/sbin/ifconfig epair${ep}b link $mac";

# Static:
#exec.start += "/sbin/ifconfig epair${ep}b 10.0.0.${ep}/24";
#exec.start += "/sbin/route add -net default 10.0.0.1";
# Dynamic:
exec.start += "/sbin/dhclient epair${ep}b";

exec.start += "/bin/sh /etc/rc";
exec.stop = "sh /etc/rc.shutdown jail";

exec.poststop = "ifconfig $bridge deletem epair${ep}a";
exec.poststop += "ifconfig epair${ep}a destroy";

exec.clean;

allow.mount;
allow.mount.devfs;
allow.chflags;
allow.raw_sockets;
mount.devfs;

devfs_ruleset = 110;

exec.system_user = "root";
exec.jail_user = "root";
vnet;
persist;

$bridge = "bridge0";
path = "/var/jail/$name";

vnet.interface = "epair${ep}b";

.include "/etc/jail.conf.d/*.conf";


An example /etc/jail.conf.d/0-myjail.conf:

myjail {
    $ep = 0;
    $mac = "AA:BB:CC:DD:EE:FF";
}


My /etc/devfs.rules turns on bpf, for dhclient - this is based on the jail example in /etc/defaults/devfs.rules:

[jail_devfs=110]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
#add path fuse unhide
#add path zfs unhide
add path 'bpf*' unhide
add path 'tun*' unhide


The docs don't seem to say how to create a bridge and give it a static address, and

  1. You can't have multiple ifconfig lines.
  2. The order matters - you can't have addm first.

So, here's how I'm specifying this in /etc/rc.conf:

cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.0.0.2 netmask 0xffffff00 addm em0"
ifconfig_em0="up"

In case your system suffers from this, at least Intel NICs can experience a delay when adding the first epair to a bridge. In this case, attaching a "sacrificial" epair on boot should prevent subsequent impact:

cloned_interfaces="bridge0 epair0"
ifconfig_bridge0="inet 10.0.0.2 netmask 0xffffff00 addm em0 addm epair0a"
ifconfig_em0="up"


CategoryHowTo

MasonLoringBliss/JailsEpair-wip (last edited 2024-02-11T17:34:07+0000 by MasonLoringBliss)