I hope I'm not missing something, but in a jail using Linux compatibility,

    jail {
        interface = ix1;
        linux = new;
        mount.fstab = /var/jail/etc/fstab;
    }

/var/jail/etc/fstab:

    linprocfs /var/jail/compat/linux/proc linprocfs rw 0 0

It appears that the jail can see the ix0 interface on the host. I would have thought it would see ix1 mapped as eth0 only.

    NAMI  "/compat/linux/proc/net/dev"
    GIO   fd 4 read 571 bytes
    "Inter-|   Receive                                                |  Transmit
     face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
      eth0:  400275    5236    0    0    0     0          0         1   668562    4589    0    0    0     0       0          0
      eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
       lo0:  208242    1115    0    0    0     0          0         0   208242    1115    0    0    0     0       0          0
    "
linprocfs_donetdev() does no filtering for jails, but probably should. In fact, the only linprocfs routine that does any jail-specific behavior appears to be linprocfs_doprocroot() (proc/pid/root). I.e., it seems like proc/pid may show processes outside the jail, too.
I'm not seeing processes outside the jail:

    mutt-hbsd[shawn]:/mnt $ ls -al
    total 9
    dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 .
    drwxr-xr-x  18 root   wheel  22 Jul 11 13:22 ..
    dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 2054
    dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 30443
    dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 37567
    dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 50606
    dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 51623
    dr-xr-xr-x   1 shawn  shawn   0 Jul 22 16:18 61613
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 cmdline
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 cpuinfo
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 devices
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 filesystems
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 loadavg
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 meminfo
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 mounts
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 mtab
    dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 net
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 partitions
    dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 scsi
    lr--r--r--   1 root   wheel   0 Jul 22 16:18 self -> 50606
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 stat
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 swaps
    dr-xr-xr-x   1 root   wheel   0 Jul 22 16:18 sys
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 uptime
    -r--r--r--   1 root   wheel   0 Jul 22 16:18 version
    mutt-hbsd[shawn]:/mnt $ sysctl security.jail.jailed
    security.jail.jailed: 1
Jails don't hide interfaces, only IP addresses. While there are interfaces specified in jail.conf, that's only for the convenience of adding the jail's IP address as an alias on that interface when the jail is created. This isn't Linuxulator-specific. ifconfig will also show all interfaces, just without any non-jail IP addresses.
(In reply to Jamie Gritton from comment #3) There is an odd behavior with IP aliases. If two jails use the same address,

    first {
        interface = ix0;
        ip4.addr = 192.0.2.1;
    }
    second {
        interface = ix0;
        ip4.addr = 192.0.2.1;
    }

When either jail is started, the IP aliases are created. When either jail is stopped, the IP aliases are removed, even if the other jail is still running.
(In reply to Jason Mader from comment #4) That is a totally different issue; that's using a hack badly; sorry. Classic jails don't care about interfaces (as Jamie said), and the hack to do the provisioning is simply calling ifconfig on start/stop. There is no "state" or refcounting involved. In those cases I usually provision the IP aliases using the base system configuration rather than abusing the jail-trying-to-be-helpful logic for this.
(In reply to Jamie Gritton from comment #3) There is a point that we should zero the statistics for non-IPs for queries from jails to not leak that information (as so many other things) and then only for the jail-IPs keep them. Two jails sharing an IP address might still be able to derive that there is another one, etc.; on the other hand, jails were never meant to be that perfect. For a moment I thought we might even go the long way and if there is no IP for the jail on an interface, ditch the entire interface but the logic to hide a little detail grows quickly. The linprocfs should however never expose more than the native tools and for as long as that's true, I am ok with whatever linprocfs exports.
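The two options weighed in comment #6 (zero the counters of interfaces carrying no jail IP, or drop such interfaces from the listing entirely) sketched in user space as an added example; this is not FreeBSD code and not part of the thread. The sample text is the /proc/net/dev output quoted in comment #0; the set of interfaces holding a jail IP is a constructed assumption standing in for the prison's IP list, which is what the kernel would consult.

```python
# Sample /proc/net/dev text as quoted in comment #0 of this report.
SAMPLE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:  400275    5236    0    0    0     0          0         1   668562    4589    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
   lo0:  208242    1115    0    0    0     0          0         0   208242    1115    0    0    0     0       0          0
"""

# Constructed assumption: interfaces on which this jail has an IP address.
# In the kernel this would come from the jail's prison IP list, not a literal.
JAIL_IFACES = {"eth1"}


def parse_netdev(text):
    """Parse /proc/net/dev into [(ifname, [16 int counters])].

    The first two lines are the column headers and are skipped; each
    remaining line is '<name>: <8 receive counters> <8 transmit counters>'.
    """
    rows = []
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, counters = line.split(":", 1)
        rows.append((name.strip(), [int(v) for v in counters.split()]))
    return rows


def filter_for_jail(rows, jail_ifaces, hide=False):
    """Apply the mitigation discussed in comment #6.

    hide=False keeps every interface but zeroes the counters of those the
    jail has no IP on; hide=True drops such interfaces from the listing.
    """
    out = []
    for name, counters in rows:
        if name in jail_ifaces:
            out.append((name, counters))
        elif not hide:
            out.append((name, [0] * len(counters)))
    return out


def leaked_interfaces(rows, jail_ifaces):
    """Defender's check: interfaces with live counters the jail should not see."""
    return [name for name, counters in rows
            if name not in jail_ifaces and any(counters)]


if __name__ == "__main__":
    rows = parse_netdev(SAMPLE)
    print("leaked:", leaked_interfaces(rows, JAIL_IFACES))
    for name, counters in filter_for_jail(rows, JAIL_IFACES):
        print(name, counters)
```

Run inside a jail against the real file (replace SAMPLE with the contents of /compat/linux/proc/net/dev and JAIL_IFACES with the interfaces ifconfig shows jail addresses on) to list which host interfaces the current linprocfs exposes.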
(In reply to Bjoern A. Zeeb from comment #6) A workaround would be to use epair devices with jails. It would be nice to be on par with Solaris Crossbow and Zones with complete jail isolation. Making epair the preferred method of jail networking would bring us closer to that dream. :)