[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ezjail] Two jail newbie questions



On Tue, 23 Oct 2007, Matt Simerson wrote:

:> > From outside the jail I cannot ssh in.
:> > Where should I look at to fix this.  sshd is running inside the jail.
:> > I get the error
:> > ssh: connect to host xxx.65.222.198 port 22: No route to host
:> i cannot reproduce this with my setup. but i remember problems last time i
:> tried to abuse the loopback if for jails.
:> > 
:
:What issues did you have with loopback if and jails?  I run dozens of jails on
:lo0 using 127.0.0._ addresses. The only "special" case is 127.0.01.  Skip it
:and you're good to go. Depending on what the jail needs, I sometimes use
:stunnel to proxy the connection from a public to loopback IP but most of the
:time I use PF with nat and rdr rules.

I'm not sure what the problem was with using the loopback interface. I 
simply don't know enough about jails to figure this out yet.  I did get 
this working by aliasing the address to the ethernet port so I'm going to 
leave it as is for the time being.   

:The only issue I have is what I described here:
:http://www.nabble.com/Jails-and-loopback-interfaces-t4014351.html

I visited your site but the information is simply over my head at this 
time.

:But you'd have that same issue regardless of the private interface or netblock
:being used. So I configured split-horizon DNS and that solves the issue for me.
:
:> > Q. 2.
:> > I also tried to add some software from ports as root inside the jail
:> > but cannot access the ports tree.
:> 
:> you did install a ports tree inside the jail (ezjail-admin -p) ?
:> 
:> > Do I add software from inside the jail? Or do I add it from outside the
:> > jail?
:> 
:> you do it from inside the jail (o.k. you _could_ do it from the host system
:> overriding PREFIX and maybe the package database but it is not the ezjail
:> way)
:
:Depends on what your after.
:
:I use jails for applications. MySQL goes in one. Apache with some custom perl
:extensions in another. Lighttpd with PHP in another. Etc. I find that easier to
:manage as each application has exactly what it needs installed in each jail and
:nothing more. When I need to make changes, I'm only affecting one application
:or site instead of dozens.
:
:I'm typically the only user in most of my jails. With that being the case, it
:is senseless to have multiple copies of the ports tree installed in each jail.
:So I have /usr/ports as a directory in each jail and I run a script from the
:jail host that automatically nullfs mounts the ports tree and drops me into the
:jail.

: [matt@jails] ~ % ./jail_manage.sh simerson
: running as matt, using sudo
: processing jail simerson
:     mount_nullfs /usr/ports /usr/jails/simerson/usr/ports
: simerson# exit
: exit
: all done!
:     /sbin/umount /usr/jails/simerson/usr/ports
: consider installng tripwire in jail simerson
:
:When I'm done, I exit the jail and if the script mounted ports, it
:automatically unmounts it as well. It also checks to see if tripwire is
:installed and if so, offers to run the update script. This saves me a lot of
:typing when keeping each of my jails up-to-date.

That sounds like a very neat system however I'm not sure that it's 
applicable to my situation. 

I actually set up two jail servers. One is simply to learn on and use as a 
test bed for the other which will be a development server for someone from 
another dept. to use.  I was given a list of software that would be needed 
and installed it for the developer.  One of the things needed was MySql so 
I installed it along with the rest of the requested packages on both 
machines so that I can use one as a test bed in case the developer needs 
changes.  Obviously my first time supporting jail servers so I'm a little 
apprehensive.

Thanks for your help, it is really appreciated.

rick