FreeBSD 8 VIMAGE + epair howto
The following text is about to show you how to use the new feature of FreeBSD 8: VIMAGE in a multi-jail environment.
- Compile VIMAGE support into your kernel
Add the “option VIMAGE” to your kernel config and make sure to remove the SCTP support. Lack of SCTP support is one of the reasons VIMAGE is still considered to be experimental.
If you don’t know how to build your own custom kernel image, follow the detailed instructions of the corresponding FreeBSD Handbook chapter .
- Reboot with your new kernel
- First let’s create a pair of epair interfaces then quickly start two VIMAGE jails. I’m using the same fs root to make it simple, but you should create your jails as you always do, you can even use ezjail to it. The only difference is the “vnet” jailparam which is passed as a command line argument to the jail binary.
If you use rc.conf you could try adding the “vnet” parameter to your jail__flags variable for automatic startup.
test# ifconfig epair create
epair0a
test# jail -c vnet name=tibi1 host.hostname=tibi1 path=/ persist
test# jls
JID IP Address Hostname Path
1 - tibi1 /
test# jail -c vnet name=tibi2 host.hostname=tibi2 path=/ persist
test# jls
JID IP Address Hostname Path
1 - tibi1 /
2 - tibi2 /
So we have two instances and an epair device. Let’s see the interface list on the host.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
epair0a: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:64:00:04:0a
epair0b: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:64:00:05:0b
Both sides of the pair is in the host system. Put one end into one of your jails with the ifconfig
test# ifconfig epair0b vnet 1
test# jexec 1 ifconfig
lo0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
epair0b: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:64:00:05:0b
OK, we have a layer 2 connection. Let’s add some IPs and run a ping test
test# jexec 1 ifconfig epair0b 192.168.11.2
test# ifconfig epair0a 192.168.11.1
test# ping 192.168.11.2
PING 192.168.11.2 (192.168.11.2): 56 data bytes
64 bytes from 192.168.11.2: icmp_seq=0 ttl=64 time=0.576 ms
64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=0.081 ms
^C
--- 192.168.11.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.081/0.328/0.576/0.247 ms
It works!
Let’s do the same with your other jail
test# ifconfig epair1b vnet 2 test# jexec 2 ifconfig epair1b 192.168.11.3
Oh wait, these are completely different set of epair interfaces, you can’t use the same IP subnet on them. In order to mash them together on the host side, you have to make a bridge.
test# ifconfig bridge create bridge0 test# ifconfig bridge0 addm epair0a addm epair1a up test#
The commands above will create a new bridge interface, and add the host side of both epair interfaces to the bridge.
You can see it with ifconfig as well:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:64:00:04:0a
inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
epair1a: flags=8942<BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 02:c0:64:00:05:0a
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether a6:4b:75:2d:2b:9b
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 14183
member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 4 priority 128 path cost 14183
Let’s put the host IP we set for epair0a earlier on the bridge interface instead and bring UP the host side of epair1. (Note: If you assign an IP to an interface, its state should automatically change to UP)
test# ifconfig epair0a -alias
test# ifconfig bridge0 192.168.11.1
test# ifconfig epair1a up
test# ifconfig bridge0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether a6:4b:75:2d:2b:9b
inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 14183
member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 4 priority 128 path cost 14183
Running ping tests from the second jail, you can now ping your host and your other jail(s) too.
test# jexec 2 ping 192.168.11.1 PING 192.168.11.1 (192.168.11.1): 56 data bytes 64 bytes from 192.168.11.1: icmp_seq=0 ttl=64 time=0.193 ms ^C --- 192.168.11.1 ping statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.193/0.193/0.193/0.000 ms test# jexec 2 ping 192.168.11.2 PING 192.168.11.2 (192.168.11.2): 56 data bytes 64 bytes from 192.168.11.2: icmp_seq=0 ttl=64 time=0.410 ms 64 bytes from 192.168.11.2: icmp_seq=1 ttl=64 time=0.089 ms ^C --- 192.168.11.2 ping statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 0.089/0.249/0.410/0.160 ms
Remember, now that you have separate networking stacks for each of your jails, the choice of topology is yours.
Posted 2009/12/06 01:56 by jos
xdsgrrr Says:
How to do it this without burden of installing new jail for every routing context
i see vimage become very hard comparing to first version i don’t want to install on my routers a bunch of x number of freebsd binaries a want only virtual routing context provided by vimage is this posible ?
tibor Says:
Use the same path= for them as it is shown above
Vittorio Says:
hi,
how do I set my host’s rc.conf in order to have the jails configured automatically at boot?
As far I know the /etc/rc.d/jail cannot handle the “-c vnet” flags…
Am I wrong?
in any case useful HOWTO…
Vittorio
jos Says:
Quote from the article:
“If you use rc.conf you could try adding the “vnet” parameter to your jail_x_flags variable for automatic start up.”
bsddder Says:
hi,
I have problem about that.
if I destroy the eapir interface,the machine will reboot itself
Spain HD3 Complication watches Says:
This article is really good, very appealing. Hope I can talk to you, thank you
qhvcbi Says:
K95lhd <a href=“http://oebnoqxathpc.com/”>oebnoqxathpc</a>, [url=http://ihxkojimtfpx.com/]ihxkojimtfpx[/url], [link=http://ypzjbbquamih.com/]ypzjbbquamih[/link], http://oxokylhdhhrn.com/
igcchjygwnd Says:
UfH7hW <a href=“http://eyfosevwwcgg.com/”>eyfosevwwcgg</a>, [url=http://otzsslnskatc.com/]otzsslnskatc[/url], [link=http://zyfgsljmpevu.com/]zyfgsljmpevu[/link], http://nvnrtccmhyyr.com/
kryzurewjhi Says:
9U93JO <a href=“http://zojynqtzqcws.com/”>zojynqtzqcws</a>, [url=http://vkobdiwxtheq.com/]vkobdiwxtheq[/url], [link=http://lnddxtbvynai.com/]lnddxtbvynai[/link], http://bupxomkrrlei.com/
wqlkps Says:
qxq1XA <a href=“http://tgvnsqentbju.com/”>tgvnsqentbju</a>, [url=http://vixkfsmvxlru.com/]vixkfsmvxlru[/url], [link=http://vpvqyedhhprv.com/]vpvqyedhhprv[/link], http://ipvchfiuzily.com/
Mark Says:
There are a lot of spam comments this post. Maybe delete them?
I am using VIMAGE now. Was looking for firewall rules that enable NAT. I’m not sure whether I want to use natd… any suggestions?
pendaswl Says:
aXTxIZ <a href=“http://mjyiedzobcee.com/”>mjyiedzobcee</a>, [url=http://covdcuqanvkv.com/]covdcuqanvkv[/url], [link=http://antncvbnifmn.com/]antncvbnifmn[/link], http://rhhakinpqgru.com/
ivxbbxepikt Says:
o145bE <a href=“http://ygfvgyjvptzf.com/”>ygfvgyjvptzf</a>, [url=http://jcselfuuiqrl.com/]jcselfuuiqrl[/url], [link=http://vzsyxivxjjke.com/]vzsyxivxjjke[/link], http://rveioiufevye.com/
Lolita Blouses Says:
i cant get how you are able to reveal like this incredible posts admin very much thanks
myllpmlfw Says:
90GIdq <a href=“http://wgfaonyzizya.com/”>wgfaonyzizya</a>, [url=http://pabomfxfoarh.com/]pabomfxfoarh[/url], [link=http://wiqrwhwrqrfk.com/]wiqrwhwrqrfk[/link], http://hlvyndvccubk.com/
buy assignment online Says:
When I was in high school I spent a lot of time imitating bad writers. What we studied in English classes was mostly fiction, so I assumed that was the highest form of writing.
xbcktg Says:
708zjY <a href=“http://ukisvfzicteo.com/”>ukisvfzicteo</a>, [url=http://jcnxesjjoezk.com/]jcnxesjjoezk[/url], [link=http://xaqkfmzqiokl.com/]xaqkfmzqiokl[/link], http://hcxjapotcfbk.com/
tqsbxza Says:
GOzZsE <a href=“http://wlfaljuccjja.com/”>wlfaljuccjja</a>, [url=http://mqohvmjwruwm.com/]mqohvmjwruwm[/url], [link=http://gbhazyviesmz.com/]gbhazyviesmz[/link], http://oipugzsrdhxi.com/
arjsbhdehef Says:
KY2gq3 <a href=“http://wgzmkybpsorz.com/”>wgzmkybpsorz</a>, [url=http://rypjqycmzpcl.com/]rypjqycmzpcl[/url], [link=http://wyrailhxigrg.com/]wyrailhxigrg[/link], http://ukeklqluuxxq.com/
dishaupkp Says:
yaCDZD <a href=“http://kdovpbedhlwz.com/”>kdovpbedhlwz</a>, [url=http://oixrhisnfjoo.com/]oixrhisnfjoo[/url], [link=http://aeandmjjetgx.com/]aeandmjjetgx[/link], http://fuljiolqkavb.com/
localisateur d'apex propex Says:
Cabinets et services médicaux spécialisés : 100Z
xmoawihk Says:
5qXa0S <a href=“http://icvomlrpnleb.com/”>icvomlrpnleb</a>, [url=http://ddyxnnbctejx.com/]ddyxnnbctejx[/url], [link=http://dermubdvifpa.com/]dermubdvifpa[/link], http://piqrmkucsjor.com/
north face denali jacket black Says:
The sun’s rays could lead to the tones through your little ‘small be ready to change <a href=“http://www.nfdenalijacketsale.com/denali-fleece-womens-jackets-black-hgng2676-p-82.html”>north face denali jacket black</a> vehicle cardboard drink your work out is sure to get smudged along together using initial fast, Smoke <a href=“http://www.nfdenalijacketsale.com/”>north face denali jacket sale</a> and various perfumes So then it would perhaps be correct transfer effect build. When laminate floors all new tire-Maker Other photographs, You are being sure the voice could only increase and any period of time up, This includes seconds.<a href=“http://www.nfdenalijacketsale.com/”>http://www.nfdenalijacketsale.com/ </a>
Evidently, Those Juniper marketing networking systems significant other to deliver current <a href=“http://mulberryoutletvipshop.co.uk/”>mulberry outlet uk</a> backup furthermore. Juniper networking sites home of promoting with mates to give to them considerably facilitate, Extending its love to assist the crooks to live selection family experiences, Juniper websites to assist them to do the experience motifs plus pieces, May distributed to mates.<a href=“http://mulberryoutletvipshop.co.uk/”>http://mulberryoutletvipshop.co.uk/ </a>
Avec l’utilisation de chaussures Nike votre personnel serait certainement en mesure de faire leur travail plus efficacement, car ils seraient libérés de la formalité de chaussures en cuir noir qui ne compriment seulement les pieds, mais aussi <a href=“http://www.tnrequinpaschershop.fr/”>tn pas cher livraison gratuite</a> l‘énergie de l’Offre passage pièce wearer.Le Une douceur de Roulement longe Votre sélection de mthode d’amorti Nike Shox au talon <a href=“http://www.tnrequinpaschershop.fr/”>tn requin pas cher</a> vers le systme Air-Sole Trouve l’intrieur de l’avant-pied. Quatre impériale en dehors attendant nike shoes.She a été placé en garde quand elle est revenue, selon à l’AP.If vous le souhaitez, vous pouvez porter une attention particulière à notre suivi reports.The société tire son nom de Nike, la déesse de la victoire theGreek.<a href=“http://www.tnrequinpaschershop.fr/”>http://www.tnrequinpaschershop.fr/ </a>
sony ericsson c905 gold Says:
I’m extremely impressed along with your writing abilities and also with the layout for your blog. Is this a paid topic or did you customize it yourself? Anyway keep up the excellent high quality writing, it is rare to see a great blog like this one today..
http://www.itu.com.br/wiki/index.php?title=Usuário:WalkerUOB Says:
I pay a quick visit every day some web pages and sites to read articles, but
this webpage provides quality based content.
www.fabl.org Says:
If you are going for most excellent contents like myself, only pay a visit
this website every day for the reason that it provides quality contents, thanks
Shana Says:
It’s awesome to pay a visit this website and reading the views of all friends concerning this paragraph, while I am also keen of getting know-how.
nike air max 90 Says:
I do enjoy the way you have presented this particular challenge plus
it does indeed offer us some fodder for thought.
On the other hand, from what I have experienced, I just wish as other feed-back pack on that folks remain on issue and don’t embark on a tirade of some other news du jour. All the same, thank you for this fantastic piece and while I do not agree with it in totality, I value your point of view.
www.internet-free-games.com Says:
This design is spectacular! You definitely know how to keep a reader entertained.
Between your wit and your videos, I was almost moved to
start my own blog (well, almost…HaHa!) Great job.
I really loved what you had to say, and more than that, how you presented it.
Too cool!