bastille
[BUG] Cannot create a jail with a pure inherited network
[MANDATORY] Describe the bug
There is no way to create a jail which should have the following network config:
```
ip4 = inherit;
ip6 = disable;
```
Even if you modify jail.conf manually, start.sh will complain about a missing interface entry.
[MANDATORY] Bastille and FreeBSD version (paste `bastille -v && freebsd-version -kru` output)
```
0.8.20210115
12.2-STABLE
12.2-STABLE
12.2-STABLE
```
[MANDATORY] How did you install bastille? (port/pkg/git)
ports
[optional] Steps to reproduce?
Not possible
[optional] Expected behavior
Some way not to provide IP address and interface
[optional] Additional context
The purpose is to create a neutral, inactive jail which shall be built and updated based on stacked templates and then used for cloning to create new jails fast. This "template jail" shall contain the following templates: base, base-services, ca-certificates, base-ports. A cloned jail will receive network configuration, host names (/etc/hosts), root config + the rest which is usecase specific.
I could create a vnet template jail and clone this, but it would already contain host specific information which does not really make sense here.
I would really need this feature implemented (as it is in basesystem jail and jail manager alternatives); this post could be in reference with #369.
Does inherit mode work at all? I tried to pass the loopback and then add inherit, but it didn't work.
```
interface += bastille0;
ip4.addr += bastille0|192.168.0.10;
ip4 += inherit;
ip6 = disable;
```
It hangs on jail start. If I ctrl+c out, the jail has started and I can console in. But when I try to run ntopng inside the jail it hangs without ever throwing errors about inaccessible interfaces.
This doesn't look inherited, no? You are using the vnet bridge?
I have no idea. Jails are new to me. I was trying to use both the loopback (bastille0) and inherit the rest of the adapters with the `+=` operator. The way you worded your bug "pure inherited" made me think that maybe if I mixed inherited with the basic loopback I wouldn't get the error.
AFAIK, you have to decide: Inherit or VNET
Gotcha. And inherit doesn't work with Bastille. I'm digging into vnet + pf now. Thanks for the help!
UPDATE: This has absolutely nothing to do with the original bug. But there's not a lot of info out there on the internet, so in case anyone else lands here looking to pass an interface to a jail, here's how I ended up doing it.
- ~~Create /etc/devfs.rules as suggested in the Bastille docs.~~
- Create a vnet jail for ntopng with bastille using -V and attaching it to my normal LAN interface.
- Add `vnet.interface += bce3;` to the jail's jail.conf file (where bce3 is the physical interface I want to monitor).
- Inside the jail: `ifconfig bce3 up` (and/or add `ifconfig_bce3="up"` to /etc/rc.conf).
- Install ntopng and redis inside the jail.
- Start ntopng and monitor bce3.
Not sure why, the ntopng service won't start with the jail when added to the jail's rc.conf. But I can manually start the service after the jail is fully loaded. This is a minor issue, the main part is working! Hope this helps someone in the future.
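As an added example (not part of this issue and not Bastille's own code), here is a hand-written jail.conf(5) that puts the two network modes this thread contrasts side by side: the pure inherited network the original report asks for, and a vnet jail with a physical interface handed to it as in the UPDATE above. The jail names, the Bastille-style path and the devfs ruleset number are assumptions; the parameter names are standard jail(8) parameters.

```conf
# Added example: two jail.conf(5) entries, written for this thread, not taken
# from Bastille. Paths and ruleset numbers are assumptions; adjust to your host.

# 1. Pure inherited network (what the issue asks for): no "interface" and no
#    "ip4.addr" at all. The jail shares the host's network stack, so anything
#    running inside can bind to any host address and observe host sockets;
#    treat it as unisolated at the network layer and keep it inactive, as the
#    reporter intends for a clone source.
template {
    path = "/usr/local/bastille/jails/$name/root";   # assumed Bastille layout
    host.hostname = "$name";
    ip4 = inherit;
    ip6 = disable;
    mount.devfs;
    devfs_ruleset = 4;        # stock devfsrules_jail from /etc/defaults/devfs.rules
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}

# 2. VNET jail with a physical NIC passed in (what the UPDATE does). While the
#    jail runs, bce3 is moved out of the host's stack into the jail's own, so
#    the host cannot use it until the jail stops. No ip4/ip6 restriction is
#    needed: the jail owns the interface and its own routing table.
ntopng {
    path = "/usr/local/bastille/jails/$name/root";
    host.hostname = "$name";
    vnet;
    vnet.interface += "bce3";  # interface to monitor, from the thread
    mount.devfs;
    # pcap-based tools such as ntopng need /dev/bpf* visible inside the jail;
    # the stock ruleset 4 keeps bpf hidden, so point this at a ruleset that
    # unhides it (number is a placeholder for your own /etc/devfs.rules entry).
    devfs_ruleset = 13;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

Bring each up with `jail -c -f /path/to/this/jail.conf template` or `... ntopng` and inspect with `jls -v`; for the vnet jail, `ifconfig bce3` on the host should fail while the jail is running and succeed again after `jail -r ntopng`.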
The PR is under review and will be merged. Closing to track with PR #535.
@bmac2, please reopen; the PR is still open, so this issue is not resolved.