[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] [PATCH] "Locally configured IP" check in ezjail-admin is not 100% reliable

On 16-01-2012 05:38, Dirk Engling wrote:

> Well, what interest me more than what happens when STARTING a jail is
> what you do when STOPPING it. Do you leave the IP address configured? If
> not how do you figure out if it is needed by another service or another
> jail? What if the host system runs on the IP address?

I leave the IP configured when stopping the jail, for a lot of different
reasons :)

> Also on startup how do you decide which interface to choose, for my use
> cases I usually configure IP addresses on cloned loopback interfaces and
> set up NAT as well. 

I use the routing table to find an interface with another IP in the same
subnet, and
add the IP alias (v4/v6) there. There is also a new ezjail.conf option
to set a "default"
interface to use when it cannot be automatically determined. I have this
set to "lo1"
on most of my machines, which is what I expect you would do.

> How would you smartly interact with jail's own fibs?

I haven't worked with fibs so I don't know. This is one of the things
I'd like to look into
before publishing the patch.

The script has worked in production on a few servers of mine for a year
or so, and it
makes my life a lot easier, so I am happy, even if it never makes it
into the main ezjail
release :)

> There's just too many things to consider before adding features that
> might possibly harm the host system's operations. Also there's strange
> things been going on with the /etc/rc.d/jail script and I try to avoid
> some of the mistakes that happen there to provide the ease of use that
> the name ezjail promises.

I agree there is a lot of things that can go wrong. But I have the same
feeling about
handling zfs filesystems, which we do today. Deleting zfs filesystems
could potentially
be very dangerous if not done correctly. However, as long as it is
disabled by default,
and carefully implemented, I feel like it can be done safely. The same I
feel goes for
handling IP aliases.

> Still, if you like to share the script, I've always been thinking about
> providing some third-party repository, containing some additional
> scripts, flavours and sample configs.
Sounds like a good idea.

Best regards,

Thomas Steen Rasmussen