Re: local-unbound in a jail
- In reply to: Steve Kirk : "local-unbound in a jail"
Date: Wed, 23 Feb 2022 14:38:48 UTC
On 18/02/2022 17:02, Steve Kirk wrote:
> I suspect that I know the answer to this question, however... I have
> tried to run local-unbound in a jail (as I intend to run rspamd in said
> jail) but it seems like it doesn't play nicely because there's no
> loopback address *inside* the jail which is the only interface this
> service is designed to work with.
>

If you create a vnet jail, then it will have a loopback interface. Minimal /etc/jail.conf would be something like the following:

```
graph {
    host.hostname = "${name}.infracaninophile.co.uk";
    exec.system_user = "root";
    exec.jail_user = "root";
    vnet;
    vnet.interface = "e0b_${name}";
    exec.prestart = "jib addm ${name} ${interface}";
    exec.poststop = "jib destroy ${name}";
    devfs_ruleset = "5";
    allow.set_hostname = true;
}
```

where `jib` is from /usr/src/share/examples/jails/jib and the additional devfs rules look like:

```
[devfsrules_jail_demojail=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'bpf*' unhide
add path zfs unhide
```

There will be some other global settings you need in terms of allowing mounting of various types of filesystem and so forth, but these depend on your precise use case.

Note that for a vnet jail you will have to add `ifconfig` settings to /etc/rc.conf inside the jail: it's much more like a full-blown host.

Cheers,

Matthew
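As an added example that is not part of Matthew's message: a small sh script that checks whether a jail.conf stanza is a vnet jail (the condition under which the jail gets its own lo0 for local-unbound to bind) and prints the rc.conf lines the jail itself needs. The jail name "graph", the addresses and the sample jail.conf are constructed; the `e0b_<name>` interface name follows the jib convention used in the message.

```shell
#!/bin/sh
# Added example (not from the message above). A jail without "vnet" has no
# lo0 of its own, so local-unbound cannot bind 127.0.0.1 inside it.
# The jail name "graph", addresses and sample jail.conf are constructed.

# Print the body of the stanza for jail $1 from jail.conf text on stdin.
jail_stanza() {
    awk -v want="$1" '
        $1 == want && $2 == "{" { inside = 1; next }
        inside && $1 == "}"     { exit }
        inside                  { print }'
}

# Succeed only if jail $1 in file $2 is a vnet jail ("vnet;" or
# "vnet = new;") that also names the interface it will be given.
jail_is_vnet() {
    stanza=$(jail_stanza "$1" < "$2")
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*vnet[[:space:]]*(;|=[[:space:]]*"?new"?[[:space:]]*;)' || return 1
    printf '%s\n' "$stanza" | grep -Eq '^[[:space:]]*vnet\.interface[[:space:]]*='
}

# /etc/rc.conf lines for inside the jail: the epair half jib hands in
# (e0b_<name>) gets address $2, the default route is $3, and local-unbound
# is enabled. lo0 needs no entry; a vnet jail brings it up like a host does.
jail_rc_conf() {
    cat <<EOF
ifconfig_e0b_$1="inet $2"
defaultrouter="$3"
local_unbound_enable="YES"
EOF
}

# Constructed jail.conf: one vnet jail and one classic ip4.addr jail.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
graph {
    vnet;
    vnet.interface = "e0b_${name}";
    devfs_ruleset = "5";
}
legacy {
    ip4.addr = 192.0.2.5;
}
EOF

for j in graph legacy; do
    jail_is_vnet "$j" "$SAMPLE_CONF" && echo "$j: vnet jail, has lo0" || echo "$j: no vnet, no loopback for local-unbound"
done
jail_rc_conf graph 192.0.2.10/24 192.0.2.1
```

Run it against the real /etc/jail.conf by replacing `SAMPLE_CONF` with that path; a jail reported as "no vnet" is one where local-unbound's 127.0.0.1 listener has nothing to bind to.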