bastille
[ENHANCEMENT] Multiple interfaces for VNET jails
Is your feature request related to a problem? Please describe.
I do have use cases where I would like to have jails with multiple interfaces attached to different bridges on different VLANs (mgmt, service, etc.), for example:
mount.devfs;
exec.start="/bin/sh /etc/rc";
exec.stop="/bin/sh /etc/rc.shutdown";
devfs_ruleset="11";
myjail {
    path="/jails/myjail";
    host.hostname="$name.something.co.uk";
    enforce_statfs=2;
    vnet;
    vnet.interface+=myjail0_b;
    exec.prestart+="/usr/local/sbin/epair_create myjail0 bridge0";
    exec.poststop+="ifconfig myjail0_a destroy";
    vnet.interface+=myjail1_b;
    exec.prestart+="/usr/local/sbin/epair_create myjail1 bridge1";
    exec.poststop+="ifconfig myjail1_a destroy";
}
Inside jail:
$ ifconfig
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xd
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0 metric 0 mtu 33152
        options=0
        groups: pflog
myjail0_b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:c9:eb:88:6b:0b
        inet 10.10.99.14 netmask 0xffffff00 broadcast 10.10.99.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
myjail1_b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:4c:71:81:a1:0b
        inet 10.10.4.7 netmask 0xffffff00 broadcast 10.10.4.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
As far as I am aware, Bastille doesn't support creating VNET jails with this kind of configuration.
Describe the solution you'd like
For Bastille to be able to create jails with multiple interfaces, perhaps with something like the following syntax:
bastille create -B azkaban 13.2-RELEASE 192.168.1.50/24 bridge0 172.16.17.5/24 bridge1
Describe alternatives you've considered
At the moment I've written other automation to create VNET jails with multiple interfaces, but it would be nice to assimilate this functionality into a single tool.
Additional context
Admittedly I am a newbie to the Bastille source code, but I am willing to contribute towards the development of this functionality, and mainly I want to know if the dev team would be interested in such a feature :)
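The proposed "IP/PREFIX BRIDGE IP/PREFIX BRIDGE ..." argument list, rendered into the jail.conf layout used in this issue, as an added example in POSIX sh that is not Bastille's code: it emits one epair stanza per bridge and rejects argument values that are not plain interface names or address/prefix tokens, because these values land inside exec.prestart/exec.poststop strings that jail(8) hands to the host's /bin/sh. The /usr/local/sbin/epair_create helper referenced in the issue is assumed to create NAME_a/NAME_b and add NAME_a to the bridge; it is not part of this example.

```shell
#!/bin/sh
# Added example (not Bastille's code): render the jail.conf(5) stanza implied by
# "JAIL IP/PREFIX BRIDGE [IP/PREFIX BRIDGE ...]", one epair per bridge, in the
# layout of the jail.conf shown in this issue. /usr/local/sbin/epair_create is
# assumed to behave as described there (create NAME_a/NAME_b, add NAME_a to BRIDGE).

# Only plain interface-name characters: the values end up inside exec.* strings
# that jail(8) runs through /bin/sh -c on the host, so quotes or ';' must not pass.
safe_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
    esac
}

# Exactly one "address/prefix" made of address characters and a single '/'.
safe_addr() {
    case "$1" in
        *[!0-9A-Fa-f:./]*|*/*/*|*/|/*) return 1 ;;
        */*) return 0 ;;
    esac
    return 1
}

# vnet_stanza JAIL IP/PREFIX BRIDGE [IP/PREFIX BRIDGE ...]
vnet_stanza() {
    jail="$1"; shift
    safe_token "$jail" || { echo "vnet_stanza: bad jail name '$jail'" >&2; return 1; }
    [ $# -ge 2 ] && [ $(( $# % 2 )) -eq 0 ] ||
        { echo "usage: vnet_stanza JAIL IP/PREFIX BRIDGE [IP/PREFIX BRIDGE ...]" >&2; return 1; }
    i=0
    printf '%s {\n    path="/jails/%s";\n    vnet;\n' "$jail" "$jail"
    while [ $# -gt 0 ]; do
        ip="$1"; bridge="$2"; shift 2
        safe_addr "$ip" || { echo "vnet_stanza: expected IP/PREFIX, got '$ip'" >&2; return 1; }
        safe_token "$bridge" || { echo "vnet_stanza: bad bridge name '$bridge'" >&2; return 1; }
        ep="${jail}${i}"        # myjail0, myjail1, ... as in the issue's jail.conf
        printf '    vnet.interface+=%s_b;\n' "$ep"
        printf '    exec.prestart+="/usr/local/sbin/epair_create %s %s";\n' "$ep" "$bridge"
        printf '    exec.start+="ifconfig %s_b inet %s up";\n' "$ep" "$ip"   # runs inside the jail
        printf '    exec.poststop+="ifconfig %s_a destroy";\n' "$ep"
        i=$(( i + 1 ))
    done
    printf '}\n'
}

# Number of interfaces a rendered stanza hands to the jail.
iface_count() { printf '%s\n' "$1" | grep -c 'vnet.interface+='; }

vnet_stanza azkaban 192.168.1.50/24 bridge0 172.16.17.5/24 bridge1
```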
This would be a great enhancement. I'm currently achieving the outcome by modifying the jail.conf by hand and using a patched jib to make it work nicely with multiple bridges.
--- jib 2023-12-21 21:05:09.900919000 +0000
+++ /usr/local/bin/jib 2023-08-25 01:16:54.224528000 +0000
@@ -259,17 +259,10 @@
fi
}
-jib_addm_usage="addm [-b BRIDGE_NAME] NAME [!]iface0 [[!]iface1 ...]"
+jib_addm_usage="addm NAME bridge0 bridge1 ...]"
jib_addm_descr="Creates e0b_NAME [e1b_NAME ...]"
jib_addm()
{
- local OPTIND=1 OPTARG flag bridge=bridge
- while getopts b: flag; do
- case "$flag" in
- b) bridge="${OPTARG:-bridge}" ;;
- *) action_usage addm # NOTREACHED
- esac
- done
shift $(( $OPTIND - 1 ))
local name="$1"
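Review bot: the new usage string `jib_addm_usage="addm NAME bridge0 bridge1 ...]"` has a closing bracket with no opening one; something like `addm NAME BRIDGE0 [BRIDGE1 ...]` would match the getopts-free argument list. Removing `local OPTIND=1 OPTARG flag bridge=bridge` while keeping `shift $(( $OPTIND - 1 ))` also makes the shift depend on whatever OPTIND an earlier getopts in the script left behind, so positional arguments could be dropped; with no options left to parse, the shift can go as well. Finally, the headers show the `+++` file (/usr/local/bin/jib, 2023-08-25) as older than the `---` file (2023-12-21), so confirm the diff direction before applying it.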
and then the relevant part of the jail.conf:
vnet;
vnet.interface = e0b_port, e1b_port, e2b_port, e3b_port, e4b_port, e5b_port, e6b_port, e7b_port, e8b_port;
exec.prestart += "jib addm port a0 b0 c0 d0 a1 b1 c1 d1 a2";
exec.poststop += "jib destroy port";
I also create the bridge interfaces via rc.conf, some bridged to local VLANs.
ifconfig_genet0="up"
ifconfig_genet0_2="up"
ifconfig_genet0_4="up"
ifconfig_genet0_6="up"
ifconfig_genet0_8="up"
vlans_genet0="2 4 6 8"
cloned_interfaces="bridge0 bridge1 bridge2 bridge3 bridge4 bridge5 bridge6 bridge7 bridge8"
ifconfig_bridge0_name="a0"
ifconfig_bridge1_name="b0"
ifconfig_bridge2_name="c0"
ifconfig_bridge3_name="d0"
ifconfig_bridge4_name="a1"
ifconfig_bridge5_name="b1"
ifconfig_bridge6_name="c1"
ifconfig_bridge7_name="d1"
ifconfig_bridge8_name="a2"
ifconfig_a0="inet 10.15.0.1/24"
ifconfig_b0="inet 10.14.0.129/25"
ifconfig_c0="inet 10.14.0.1/25"
ifconfig_d0="inet 10.14.2.1/24"
autobridge_interfaces="a1 b1 c1 d1"
autobridge_a1="genet0.6"
autobridge_b1="genet0.2"
autobridge_c1="genet0.4"
autobridge_d1="genet0.8"
I agree that this would be a good thing to make work. I'm considering moving from iocage to Bastille based on the fact that iocage seems to be dead. However, I need the ability to apply different VLANs to different jails (or interfaces in the same jail) and public IP jails outside the subnet of the host.