Management of virtual machines and jails for FreeBSD

Attention! The German-language content is out of date because it has no maintainers. Please use the English-language version!

Attention! Current pages describe CBSD version 12.1.x. If you are using an older version, please update first.

Attention! I apologize for the automatic translation of this text. You can improve it by sending me a more correct version of the text or by fixing the HTML pages via the GITHUB repository.

CBSD FreeBSD jail with VIMAGE (vnet)

Because FreeBSD vnet jails come with a few subtleties, the information about them has been moved into this separate article. First of all, the VIMAGE functionality requires a custom kernel built with

			options VIMAGE
		

If you obtained your kernel from the CBSD repository with the command:

			% cbsd repo action=get sources=kernel
		

then that kernel already supports VIMAGE.

If the kernel was built without this option, the vnet parameter in the file ${workdir}/nc.inventory will always be set to 0. If the option is present in the kernel, the jail creation configurator will offer the vnet parameter.

Second, keep in mind that although VIMAGE has been available since FreeBSD 8.0 and held the status of an experimental feature for the first four years of its existence in the base system, a variety of problems can still be found in it, and fixing them is a very drawn-out process: the FreeBSD bug tracker (GNATS) contains quite a few reports of panics when VIMAGE is used in conjunction with various components.

Memory leaks have also been observed.

Now for the good news ;)

A vnet-enabled jail has at its disposal a fully virtualized and isolated network stack. This allows the jail to have its own private (albeit virtual) interface and a "real" loopback, to run a packet filter (pf, ipfw, ipfilter) inside the jail, to bring up tunnels, and to reconfigure its own routing table.

When you create a vnet jail, ip4_addr should be set to 0, which prevents CBSD from assigning an IP address to the vnet jail itself.

Note: Assigning IP addresses to a vnet jail from CBSD is not implemented yet.

Also, if you want the jail to obtain an IP address automatically (via DHCP), you need to write a separate devfs.rules ruleset that exposes the bpf(4) device (unhide bpf*), and then assign that devfs ruleset number to the vnet jail (via cbsd jconfig jname=XXXX).
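The following script is an added example, not part of CBSD or of this page's original text. It ties together the two prerequisites above: it checks that the running kernel was built with options VIMAGE (via the kern.features.vimage sysctl that VIMAGE kernels register), and it appends a devfs ruleset that unhides bpf* to a devfs.rules file idempotently, so re-running it never produces duplicate sections. The ruleset name devfsrules_vnet_dhcp and number 10 are my own choices; the included rulesets come from /etc/defaults/devfs.rules on FreeBSD.

```shell
#!/bin/sh
# Added example (not CBSD code): prepare a devfs ruleset that unhides bpf(4)
# so dhclient can run inside a vnet jail, after checking for VIMAGE support.
# Assumptions: ruleset name devfsrules_vnet_dhcp and number 10 are arbitrary;
# devfsrules_hide_all/unhide_basic/unhide_login exist in /etc/defaults/devfs.rules.

# Returns 0 if the running kernel was built with options VIMAGE.
# VIMAGE kernels register the kern.features.vimage feature flag.
vimage_available() {
    [ "$(sysctl -n kern.features.vimage 2>/dev/null)" = "1" ]
}

# Print the ruleset text: the usual jail defaults plus the bpf devices.
# $1 = ruleset name, $2 = ruleset number
vnet_dhcp_ruleset() {
    cat <<EOF
[$1=$2]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path 'bpf*' unhide
EOF
}

# Append the ruleset to a devfs.rules file unless a section with that name
# is already there. Idempotent, so it is safe to run from provisioning.
# $1 = devfs.rules path, $2 = ruleset name, $3 = ruleset number
ensure_devfs_ruleset() {
    if [ -f "$1" ] && grep -q "^\[$2=" "$1"; then
        return 0
    fi
    {
        # blank-line separator when appending to a non-empty file
        [ -s "$1" ] && echo
        vnet_dhcp_ruleset "$2" "$3"
    } >> "$1"
}

# Number of sections named $2 in file $1 (0 if the file is missing).
devfs_ruleset_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c "^\[$2=" "$1" || true
}

# Apply on the host only when run as root on FreeBSD; harmless elsewhere.
if [ "$(uname -s)" = "FreeBSD" ] && [ "$(id -u)" = "0" ]; then
    if ! vimage_available; then
        echo "kernel lacks options VIMAGE; vnet jails are unavailable" >&2
        exit 1
    fi
    ensure_devfs_ruleset /etc/devfs.rules devfsrules_vnet_dhcp 10
    service devfs restart
fi
```

After the ruleset is loaded, point the jail at ruleset 10 with cbsd jconfig as the text above describes. Inside a FreeBSD jail the CBSD-side interface is eth0 (see the renaming note below), so ifconfig_eth0="DHCP" in the jail's /etc/rc.conf will start dhclient, which needs the bpf devices this ruleset exposes; that rc.conf line is my assumption about the jail's own configuration, not something CBSD writes for you.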

CBSD creates the jail's virtual link as an epair(4) pair, but the "other end" of the virtual cable, the side that is placed inside the jail, is renamed by CBSD to eth0.

Note: This renaming applies only to FreeBSD jails. If the jail runs a Linux-based system, no renaming takes place.

The rename to eth0 exists because every new epair increments the interface number: in the first vnet jail the interface would originally be called epair0a, while in the fifth jail it would be called epair5a. That is inconvenient when migrating a jail (on another server it may get a different number), and it is definitely inconvenient to have to correct the network setup in the jail's rc.conf every time.

Set ip4_addr to 0 (empty) when creating a vnet jail.

If the kernel has the VIMAGE option, vnet can be set to 1.

Inside the jail we can do whatever we want: obtain an IP address, configure ipfw, and so on.