Re: [ezjail] Two jail newbie questions

On Oct 22, 2007, at 11:12 PM, Stefan Grundmann wrote:

From outside the jail I cannot ssh in.
Where should I look to fix this? sshd is running inside the jail.
I get the error
ssh: connect to host xxx.65.222.198 port 22: No route to host
I cannot reproduce this with my setup. But I remember problems last time I
tried to abuse the loopback if for jails.

What issues did you have with loopback if and jails? I run dozens of jails on lo0 using 127.0.0._ addresses. The only "special" case is 127.0.0.1. Skip it and you're good to go. Depending on what the jail needs, I sometimes use stunnel to proxy the connection from a public to loopback IP but most of the time I use PF with nat and rdr rules.

The only issue I have is what I described here: http://www.nabble.com/Jails-and-loopback-interfaces-t4014351.html

But you'd have that same issue regardless of the private interface or netblock being used. So I configured split-horizon DNS and that solves the issue for me.

Q. 2.
I also tried to add some software from ports as root inside the jail
but cannot access the ports tree.

You did install a ports tree inside the jail (ezjail-admin -p)?

Do I add software from inside the jail? Or do I add it from outside the

You do it from inside the jail (o.k. you _could_ do it from the host system overriding PREFIX and maybe the package database, but it is not the ezjail way).

Depends on what you're after.

I use jails for applications. MySQL goes in one. Apache with some custom perl extensions in another. Lighttpd with PHP in another. Etc. I find that easier to manage as each application has exactly what it needs installed in each jail and nothing more. When I need to make changes, I'm only affecting one application or site instead of dozens.

I'm typically the only user in most of my jails. With that being the case, it is senseless to have multiple copies of the ports tree installed in each jail. So I have /usr/ports as a directory in each jail and I run a script from the jail host that automatically nullfs mounts the ports tree and drops me into the jail.

  [matt@jails] ~ % ./jail_manage.sh simerson
  running as matt, using sudo
  processing jail simerson
      mount_nullfs /usr/ports /usr/jails/simerson/usr/ports
  simerson# exit
  all done!
      /sbin/umount /usr/jails/simerson/usr/ports
  consider installng tripwire in jail simerson

When I'm done, I exit the jail and if the script mounted ports, it automatically unmounts it as well. It also checks to see if tripwire is installed and if so, offers to run the update script. This saves me a lot of typing when keeping each of my jails up-to-date.
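A reconstruction of that workflow as an added example. It is my own sketch, not the attached jail_manage.sh, and assumes ezjail's default /usr/jails/<name> layout, a jail that is already running, and a jexec(8) that accepts a jail name (older releases need the jid from jls):

```shell
#!/bin/sh
# Hypothetical jail_manage.sh: nullfs-mount the host ports tree into a jail,
# drop into it, unmount on exit (only if this run mounted it), and remind about
# tripwire. Assumes /usr/jails/<name>, a running jail, and jexec by name.
set -eu
JAIL_BASE="${JAIL_BASE:-/usr/jails}"
PORTS_SRC="${PORTS_SRC:-/usr/ports}"
# Mountpoint of a jail's ports tree, e.g. /usr/jails/simerson/usr/ports
ports_mountpoint() {
    printf '%s/%s/usr/ports\n' "$JAIL_BASE" "$1"
}
# Is $1 a mountpoint in the mount(8) listing read from stdin? Taking the
# listing on stdin keeps the check testable on any host, without root.
is_mounted() {
    awk -v mp="$1" '$3 == mp { found = 1 } END { exit !found }'
}
# Is tripwire installed inside the jail? Look at the jail's own filesystem,
# not the host's package database.
tripwire_installed() {
    [ -x "$JAIL_BASE/$1/usr/local/sbin/tripwire" ]
}
manage_jail() {
    jail="$1"
    mp=$(ports_mountpoint "$jail")
    [ -d "$JAIL_BASE/$jail" ] || { echo "no jail root at $JAIL_BASE/$jail" >&2; return 1; }
    mounted_here=0
    if ! mount | is_mounted "$mp"; then
        # Add -o ro (and set WRKDIRPREFIX in the jail's make.conf) if the
        # jail must not be able to modify the host's ports tree.
        echo "    mount_nullfs $PORTS_SRC $mp"
        sudo mount_nullfs "$PORTS_SRC" "$mp"
        mounted_here=1
    fi
    sudo jexec "$jail" /bin/sh || true   # interactive shell; returns on 'exit'
    echo "all done!"
    if [ "$mounted_here" -eq 1 ]; then   # undo only what this run did
        echo "    /sbin/umount $mp"
        sudo /sbin/umount "$mp"
    fi
    if tripwire_installed "$jail"; then
        echo "tripwire is installed in jail $jail; remember to run its update"
    else
        echo "consider installing tripwire in jail $jail"
    fi
}
if [ $# -eq 1 ]; then manage_jail "$1"; fi
```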


Attachment: jail_manage.sh
Description: Binary data