Summary: | [jls] is unable to list IP(s) of vnet jails. | ||
---|---|---|---|
Product: | Base System | Reporter: | Chris Watson <chris> |
Component: | bin | Assignee: | freebsd-jail (Nobody) <jail> |
Status: | Open --- | ||
Severity: | Affects Some People | CC: | bz, emaste, melifaro, otis, pat |
Priority: | --- | Keywords: | feature |
Version: | CURRENT | ||
Hardware: | Any | ||
OS: | Any |
Description
Chris Watson
2020-12-05 22:19:12 UTC
FWIW, SmartOS keeps track of IPs in zone xml files (under /etc/zones). Then its behavior depends on whether you have IP and/or MAC spoofing turned on, etc. So you might or might not end up with the actual list of IPs within a guest. vminfod is responsible for returning this information back to the client and management tools. I don't know much about BastilleBSD, but, for example, if you happen to manage jails using `iocage', you might also use `iocage list' like: # iocage list +------+------+-------+---------+-------------+ | JID | NAME | STATE | RELEASE | IP4 | +======+======+=======+=========+=============+ | 2530 | jb12 | up | EMPTY | 100.64.3.12 | +------+------+-------+---------+-------------+ (In reply to Juraj Lutter from comment #1) Thanks for that! That provides a little more insight into how they handle things. (In reply to Juraj Lutter from comment #2) Just installed the latest iocage, not the iocage-devel pkg. So for VNET and DHCP they just display DHCP as the IP address. But they do get the IP address of a vnet only jail. So im off to take a look at that. I cannot comment on what/how other management solution on top of jails do, but jls does list IP addresses for classic jail (where IP addresses are tied to jails). With VNET jails the jail has its own network stack and potentially any kind of addresses (and address families) and as super user inside that jail you can configure at random what you she wants in terms of IPv4/v6 addresses. jls is not the tool to show or list them as jails do not care about addresses in the vnet case. Works as expected is the answer. If other management solutions show DHCP or RA or whatever there I would find that at least mindly confusing and a limited mindset. Whatever runs inside the vnet jail is a matter of the rc.conf (or other mechanisms) and provisioning of the network, not of the jail. Printing "VNET" would probably be best. As a bit more of explanation: depending on how you configure vnet jails (bridge or routed) you want to use the normal network admin controls on bridges (switches) or routers you are using (which could include the base system or another vnet jail or another box). Your DHCP config, DHCP server, L2 tables (ARP / v6 neighbour tables), routes, MAC addresses, ... (whatever else you'd do or use there). But that might also be dependent on the connectivity of a vnet jail. A vnet jail could be a router or firewall itself and have 5 different network connections. It might have an external and an internal interface, might have VLANs on top of one, ... If you really want to list the addresses of a jail, you'd need to run ifconfig/netstat in the jail context. But then you'd still only know the addresses and not necessarily the broadcast domain context. (In reply to Bjoern A. Zeeb from comment #5) Thanks for taking a second to chime in bz. So I understand what you are saying. And from the engineering pov, you are correct. But from a user pov this makes it incredibly difficult to manage more than a handful of vnet jails since you have no idea at a glance how to reach them. My first thought was to, as you note, just log in to the jail and run 'ifconfig'. But that is notoriously slow and painful. Authenticating. Issuing the ifconfig. That would be painful on all but a handful or fewer vnet jails. So then I had the idea of upon creating the jail run an 'ifconfig -a > /tmp/$FILE'. And setting up a cronjob as part of your post creation config to run that command every n seconds. So that you have a reasonably fresh and update picture of the interfaces. That would at least get you the configuration for the vnet jails interfaces. And $FILE could be read from the host and massaged into whatever tooling you are using to manage your jails. Thanks again for taking a moment to shed insight into the behavior. This should be changed from a bug to a feature request. (In reply to Chris Watson from comment #6) But you are assuming that root inside the jail couldn't disable the cronjob or write into that file whatever they want. In short, you cannot realistically rely on that data (unless you actually control all the jails as well yourself and have no 3rd party). I'd assume that using libkvm to get all vnets and then iterate over them and list all interfaces and their addresses that way from base system would probably be a better approach though that would require some C hacking but in theory everything needed should be (or once was) in place for that and just needs to be glued together. (In reply to Bjoern A. Zeeb from comment #7) That's correct. I am thinking of it from the system administrators POV, where she/he has control of all jails and there is no third party. It seems ill need to dig into libkvm as you suggest to obtain the info I seek. Thank's for the pointer! |