Networking¶
Intro¶
Jails have multiple networking options depending on which features are desired. Traditionally jails only supported IP alias based networking, where an IP address is assigned to the host's interface and the jail uses it for network communication. These are known as "shared IP" jails.
Another option emerged in recent years, called VNET (sometimes referred to as VIMAGE). VNET is a fully virtualized, isolated per-jail networking stack: it presents virtual network interfaces to the jail, which behave the same way as physical interfaces, and the jail gets its own routing table and firewall hooks instead of sharing the host's.
iocell will try to guess whether VNET support is available in the system and if it is will enable it by default for newly created jails.
VIMAGE/VNET¶
Stability: VIMAGE is considered experimental; unexpected system crashes can occur (for details please see the known issues section).
System requirements¶
Kernel
Rebuild the kernel with the following options:
(also disable SCTP if not required)
nooptions SCTP # Stream Control Transmission Protocol
options VIMAGE # VNET/Vimage support
options RACCT # Resource accounting framework
options RCTL # Resource limits (requires RACCT)
/etc/rc.conf
Add bridge configuration to /etc/rc.conf:
(on the host node)
# set up two bridge interfaces for iocell
cloned_interfaces="bridge0 bridge1"
# plumb interface em0 into bridge0
ifconfig_bridge0="addm em0 up"
ifconfig_em0="up"
/etc/sysctl.conf
Add these tunables to /etc/sysctl.conf:
net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0 # Pass all non-IP frames (e.g. ARP) unconditionally when pfil is enabled
net.link.bridge.pfil_bridge=0 # Do not run the packet filter on the bridge interface
net.link.bridge.pfil_member=0 # Do not run the packet filter on the member interfaces
Note that with pfil_bridge and pfil_member set to 0, frames bridged to and from the jails are not inspected by the host packet filter on those interfaces. If pf or ipfw rules on the host are meant to police jail traffic, keep those two at 1 and accept the extra filtering cost.
Configure default GW for jail
Example: iocell set defaultrouter=10.1.1.254 UUID | TAG
Configure an IP address
iocell set ip4_addr="vnet0|10.1.1.10/24" UUID | TAG
Start jail and ping default gateway
Start the jail:
iocell start UUID | TAG
Drop into jail:
iocell console UUID | TAG
Ping default gateway, example:
ping 10.1.1.254
Gotchas¶
Routes
Make sure the default gateway (and any upstream router) has a route back to the VNET subnets; otherwise the jail's packets leave but the replies never come back. The defaultrouter you set for the jail must also be an address on the jail's own subnet.
If using VLANs
If you are using VLAN interfaces on the jail host, you not only have to add the VLAN interface as a bridge member but the parent interface of the VLAN as well.
Configuring Network Interfaces¶
iocell handles network configuration for both shared IP and VNET jails transparently.
Configuring a VNET jail¶
To configure both IPv4 and IPv6:
iocell set ip4_addr="vnet0|192.168.0.10/24" UUID|TAG
iocell set ip6_addr="vnet0|2001:123:456:242::5/64" UUID|TAG
iocell set defaultrouter6="2001:123:456:242::1" UUID|TAG
NOTE: For VNET jails a default route has to be specified too (defaultrouter for IPv4, defaultrouter6 for IPv6), since the jail has its own routing table and does not inherit the host's.
Hints¶
To start a jail with no IPv4/6 address whatsoever set these properties:
iocell set ip4_addr=none ip6_addr=none UUID|TAG
iocell set defaultrouter=none defaultrouter6=none UUID|TAG