Aug 08 2020

There are known problems with vnet and firewalls. I’ve been plagued by such issues for months. In this case, for my git jail, I’m giving up and moving away from vnet jails.

This post documents how I did this.

Get the IP address

Make sure you know the existing IP address of that jail. It might be defined within the jail, via /etc/rc.conf. It might be in the jail configuration. I ssh‘d into the jail and looked at ifconfig output.

I changed from vnet0 to ix2, the external NIC on this server (at home in my basement).

$ sudo iocage set ip4_addr="ix2|"
ip4_addr: vnet0| -> ix2|

Other vnet configuration

Let’s grep the file:

[dan@slocum:/iocage/jails/] $ grep vnet config.json
    "interfaces": "vnet0:bridge0",
    "vnet": 1,
    "vnet0_mac": "001b21b738b3 001b21b738b4",
    "vnet1_mac": "none",
    "vnet2_mac": "none",
    "vnet3_mac": "none",
    "vnet_default_interface": "auto",
    "vnet_interfaces": "none",

The canonical method would be:

$ iocage get all | grep -i vnet
vnet0_mac:001b21b738b3 001b21b738b4

Let’s start with:

$ sudo iocage set vnet=0
vnet: 1 -> 0

I also consulted my notes on Moving poudriere from the host into a jail.

Let’s compare this jail with a jail which has never had vnet:

[dan@slocum:/iocage/jails/] $ iocage get all webserver | grep -i vnet

OK, only the vnet0_mac differs. I think I’ll ignore that.

Further comparison led to this change:

$ sudo iocage set allow_raw_sockets=0 defaultrouter=auto
allow_raw_sockets: 0 -> 0
defaultrouter: -> auto

Start the jail!

I started the jail:

sudo iocage start

It started. The webpage came up. ssh worked.
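The steps above, collected into a dry-run script that prints the iocage commands for a given jail and host NIC instead of running them. This is an added example, not from the original post; it assumes `iocage get <property> <jail>` prints the bare value, and the IOCAGE_CMD variable is a hypothetical override so the logic can be exercised without iocage installed.

```sh
#!/bin/sh
# Added example, not from the original post: print the iocage commands that
# move a jail from vnet to the host's shared network stack, as done above,
# and refuse when the jail has no static address to carry over.
# Assumes `iocage get <property> <jail>` prints the bare value; IOCAGE_CMD
# is a hypothetical override so the logic can be tested without iocage.

IOCAGE_CMD="${IOCAGE_CMD:-iocage}"

# Print one property of a jail: jail_prop <jail> <property>
jail_prop() {
    "$IOCAGE_CMD" get "$2" "$1"
}

# vnet_to_shared_plan <jail> <host-nic>: print the `iocage set` commands on
# stdout (nothing is changed); return 1 if the jail is not a vnet jail and
# 2 if its ip4_addr carries no static address after the "iface|" prefix.
vnet_to_shared_plan() {
    jail=$1 nic=$2
    if [ "$(jail_prop "$jail" vnet)" != "1" ]; then
        echo "$jail: vnet is not enabled, nothing to convert" >&2
        return 1
    fi
    ip4=$(jail_prop "$jail" ip4_addr)
    addr=${ip4#*"|"}                   # drop the "vnet0|" interface prefix
    case "$addr" in
        ""|none|NONE|dhcp|DHCP)
            echo "$jail: ip4_addr='$ip4' has no static address; set one first" >&2
            return 2 ;;
    esac
    # With vnet=0 the address becomes an alias on $nic, so the host's own
    # firewall rules now cover the jail's traffic; keep raw sockets off.
    printf 'iocage set ip4_addr="%s|%s" %s\n' "$nic" "$addr" "$jail"
    printf 'iocage set vnet=0 %s\n' "$jail"
    printf 'iocage set defaultrouter=auto %s\n' "$jail"
    printf 'iocage set allow_raw_sockets=0 %s\n' "$jail"
}

# Usage: sh convert-plan.sh <jail> <host-nic>   (e.g. git ix2); review, then run.
if [ "$#" -eq 2 ]; then
    vnet_to_shared_plan "$1" "$2"
fi
```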

This, this is what I wanted to work and which did not under vnet:

$ sudo pkg upgrade
Updating local repository catalogue...
[] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
[] Fetching packagesite.txz: 100%  248 KiB 253.9kB/s    00:01    
Processing entries: 100%
local repository update completed. 948 packages processed.
All repositories are up to date.
Checking for upgrades (16 candidates): 100%
Processing candidates (16 candidates): 100%
The following 17 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	libedit: 3.1.20191231,1

Installed packages to be UPGRADED:
	gettext-runtime: 0.20.2 -> 0.21
	git: 2.27.0 -> 2.28.0
	gitea: 1.12.2 -> 1.12.3
	perl5: 5.30.3 -> 5.32.0
	sqlite3: 3.32.3_1,1 -> 3.32.3_2,1

Installed packages to be REINSTALLED:
	logcheck-1.3.20 (direct dependency changed: perl5)
	mime-construct-1.11_2 (direct dependency changed: perl5)
	p5-CGI-4.50 (direct dependency changed: perl5)
	p5-Error-0.17029 (direct dependency changed: perl5)
	p5-HTML-Parser-3.72 (direct dependency changed: perl5)
	p5-HTML-Tagset-3.20_1 (direct dependency changed: perl5)
	p5-IPC-Signal-1.00_1 (direct dependency changed: perl5)
	p5-MIME-Types-2.17 (direct dependency changed: perl5)
	p5-Proc-WaitStat-1.00_1 (direct dependency changed: perl5)
	p5-Term-ReadKey-2.38_1 (direct dependency changed: perl5)
	p5-subversion-1.14.0 (direct dependency changed: perl5)

Number of packages to be installed: 1
Number of packages to be upgraded: 5
Number of packages to be reinstalled: 11

The process will require 2 MiB more space.
54 MiB to be downloaded.

Proceed with this action? [y/N]: 

And then

I also wanted to clear this up:

[dan@git:~] $ sudo /usr/local/etc/periodic/daily/999-samdrucker-client
[dan@git:~] $ 

This host hadn’t been checking in with the SamDrucker results lately.

BTW, today I upgraded all my apache24 hosts. I noticed a pkg audit on one host, and then issued this query to find all the other affected hosts:

samdrucker=# select * from hostswithpackage('apache24');
(17 rows)

All fixed.

Thank you for coming to my TED talk.
