127.0.0.1 in a jail

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Nov 20 17:15:51 UTC 2014


On 11/20/14 15:55, Arthur Chance wrote:
> I don't think you can do anything to make 127.0.0.1 work as a target for
> connecting to - how is the common network stack to decide whether you're
> talking to the jail or the main box? It might be possible in VIMAGE
> jails, but I have no experience of them.

With a VIMAGE jail you certainly can create a loopback interface per
jail and set that to use 127.0.0.1 or ::1 as its addresses.
Unfortunately at the moment you need a custom kernel to add the
VIMAGE functionality, and you need to avoid some of the various firewall
implementations: with VIMAGE you'd naturally run the firewall code from
within the jail, rather than as something controlled by the host system.

There are moves to make VIMAGE part of the default kernel config for
11.0-RELEASE, but that isn't expected until sometime next year and there
are some pretty nasty crash-bugs which will have to be thoroughly
squashed before it is enabled in a release.

> You could always add an entry for localhost in the jail's /etc/hosts
> that is the jail's address rather than 127.0.0.1. That's not going to
> happen automatically though.

You can do that -- but a lot of software will try and bind to localhost
by one of the well known IP numbers rather than looking up 'localhost'.

I've found it is generally possible to configure most software --
particularly server software -- either to bind to a specific IP address
or else to use a unix domain socket, and that gives good results in
jails.  It is a bit of a faff though, and you don't get the intrinsic
protection of binding some software to the loopback address if you have
to bind it to the jail's IP.

(One of the few common daemons you can't do that with is ntpd(8), but
that's something it makes no sense at all to run in a jail, seeing as
jails use exactly the same time-of-day as the host system)

	Cheers,

	Matthew
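The advice above, that a daemon in a jail should bind to one explicit address or to a unix domain socket rather than relying on 127.0.0.1, as an added illustration that is not part of this thread: a small Python listener helper (hypothetical names) which refuses wildcard binds and, for unix sockets, uses the socket file's mode as the substitute for the protection loopback would have given.

```python
import os
import socket
import stat
import tempfile

def listen_on(address, backlog=5):
    """Open a listening socket the way a jail-friendly daemon should: on one
    explicit IP (the jail's address) or on a unix domain socket whose file
    mode, rather than the loopback interface, limits who can connect.
    address is (host, port) for TCP or a filesystem path for AF_UNIX."""
    if isinstance(address, tuple):
        host, port = address
        if host in ("", "0.0.0.0", "::"):
            # A wildcard bind inside a jail exposes the service on every
            # address the jail has; insist on a specific one.
            raise ValueError("refusing wildcard bind; give the jail's address")
        family = socket.AF_INET6 if ":" in host else socket.AF_INET
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
    else:
        if os.path.exists(address):
            os.unlink(address)  # stale socket file from a previous run
        old_umask = os.umask(0o177)  # socket file is created mode 0600
        try:
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            sock.bind(address)
        finally:
            os.umask(old_umask)
    sock.listen(backlog)
    return sock

def describe(sock):
    """Return ("unix", path) or ("inet", ip) so a check can confirm where we listen."""
    name = sock.getsockname()
    if sock.family == socket.AF_UNIX:
        return ("unix", name)
    return ("inet", name[0])

def unix_socket_mode(path):
    """Permission bits of the socket file; 0o600 means only the owner may connect."""
    return stat.S_IMODE(os.stat(path).st_mode)

def temp_socket_path():
    """A fresh path for a unix socket (constructed for the demonstration)."""
    return os.path.join(tempfile.mkdtemp(), "daemon.sock")
```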

