In previous articles, we explained the basic use of CBSD for both Jails and Bhyve VMs. This time we will analyze the default network modes in Jails/Bhyve and the options they provide us.
The sections that make up the article are:
- Jails:
  - Alias
  - Multiple IPs
  - Shared IP address between parent and Jails
  - Floatresolv
  - mkhostsfile
- Bhyve:
  - Bridge
Jails
Alias:
To provide network to Jails, aliases on the parent interface are used by default. Since they are aliases, these addresses belong to both the parent and the Jail at the same time. This causes problems if a service on the parent binds to all available addresses, because it will also be listening on the Jails' IPs and overlap with their services.
On the parent, we must therefore avoid generic bindings like these:
ListenAddress 0.0.0.0
listen *
Configuring an IP can be done both from the Jail creation wizard and from the command line:
Multiple IPs:
To assign multiple IPs to a Jail, simply separate them with commas. The addresses do not have to belong to the same network:
cbsd jls
JNAME JID IP4_ADDR HOST_HOSTNAME PATH STATUS
jail1 1 192.168.69.77/24,192.168.69.78/24 jail1.alfaexploit.com /usr/jails/jails/jail1 On
Shared IP address between parent and Jails:
It is important to note that the parent interface aliases are automatically configured and deconfigured when starting/stopping the Jail. If there is only one shared IP address between the parent and the Jails, stopping any of the Jails would remove the alias, leaving the parent without an IP address and therefore the host would become unreachable.
In these cases, we must configure the Jails not to call the alias configuration/deconfiguration scripts. We access the configuration wizard and change the interface option to disable:
And we assign the same IP address as the parent to the ip4_addr field 192.168.69.77 -> 192.168.69.4:
It will warn us that a duplicate IP has been detected on the network; this is expected, so we accept the changes:
Finally, it will look like this:
We check the existing Jails:
JNAME JID IP4_ADDR HOST_HOSTNAME PATH STATUS
jail1 0 192.168.69.4 jail1.alfaexploit.com /usr/jails/jails/jail1 Off
Now, if we stop the Jail, it will not affect the parent’s IP address.
NOTE: In these cases where there is only one IP address available, the Jail services must be configured on different ports so that they do not overlap between parent/Jails or Jails/Jails.
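The two risks described above (parent services bound to every address, and a parent address that is also a Jail's address) can be checked with a small script. The one below is an added example, not code from the article or from CBSD: it parses the output of FreeBSD's sockstat and of `cbsd jls` and reports every parent listener that a Jail would collide with. The two inputs here are constructed samples in the format of those commands; on a real host you would feed the live output of `sockstat -4 -l` and `cbsd jls` instead.

```shell
#!/bin/sh
# Added example, not part of the article or CBSD: find parent listeners that
# overlap with jail alias addresses. Both inputs are constructed samples.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     nginx      901   6  tcp4   *:80                  *:*
bind     named      650   20 tcp4   192.168.69.4:53       *:*
root     sshd       1203  4  tcp4   192.168.69.77:22      *:*'

SAMPLE_JLS='JNAME JID IP4_ADDR HOST_HOSTNAME PATH STATUS
jail1 1 192.168.69.77/24,192.168.69.78/24 jail1.alfaexploit.com /usr/jails/jails/jail1 On
jail2 2 192.168.69.80/24 jail2.alfaexploit.com /usr/jails/jails/jail2 On'

# Extract every jail IPv4 address from `cbsd jls` output: column 3 holds a
# comma-separated list, each item with an optional /prefix. Output is one
# space-separated line.
jail_ips() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($3, a, ",")
        for (i = 1; i <= n; i++) { sub(/\/.*/, "", a[i]); printf "%s ", a[i] }
    }'
}

# Print "COMMAND PID LOCAL_ADDRESS REASON" for each parent listener a jail
# would collide with: a wildcard bind (reaches every alias) or a bind placed
# directly on a jail alias. Listeners on parent-only addresses are ignored.
overlapping_binds() {
    jails=$(jail_ips "$2")
    printf '%s\n' "$1" | awk -v jails="$jails" '
        BEGIN { n = split(jails, j, " "); for (i = 1; i <= n; i++) seen[j[i]] = 1 }
        NR > 1 {
            split($6, a, ":")
            if (a[1] == "*")        print $2, $3, $6, "wildcard"
            else if (a[1] in seen)  print $2, $3, $6, "jail-alias"
        }'
}

# Number of overlapping listeners; zero means the parent is clean.
overlap_count() {
    overlapping_binds "$1" "$2" | wc -l | tr -d ' '
}

overlapping_binds "$SAMPLE_SOCKSTAT" "$SAMPLE_JLS"
```

With the constructed data the script reports the two wildcard listeners (sshd and nginx) and the sshd instance bound to 192.168.69.77, which is jail1's alias; named on 192.168.69.4 is left alone because that address is the parent's own. In the shared-IP setup from the previous section, where the parent and the Jail use the same address, the wildcard check is the one that matters, since every listener on the parent is reachable on the Jail's address.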
Floatresolv:
Another interesting option is floatresolv, through which we can reset the values of the /etc/resolv.conf file on each Jail restart to values defined by CBSD.
Stop the Jail:
Configure the parameter from the wizard:
Let’s start the Jail again:
The default values are:
nameserver 9.9.9.9 # CBSD makeresolv function
nameserver 149.112.112.112 # CBSD makeresolv function
If the file is modified, at each Jail restart it will have the original content.
mkhostsfile:
This option will generate an additional entry in the /etc/hosts file with the IP address and the name of the Jail. If the entry is manually removed, it will be regenerated at the next restart.
Stop the Jail:
Configure the Jail using the wizard:
Start the Jail:
The generated entry in this case is:
192.168.69.4 jail1.alfaexploit.com # CBSD autotpl for mkhostsfile
As a final note, it should be emphasized that the hosts file is copied from the parent to the Jails, so sensitive configuration should be avoided in the parent’s hosts file as it could result in a leak of the internal structure of the servers or addressing used.
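A quick way to see what would be copied is to list the parent's hosts entries that are neither loopback nor generated by CBSD. The script below is an added example, not code from the article or from CBSD; the hosts file content it uses is constructed for the demo, and the `# CBSD autotpl for mkhostsfile` marker is the one shown above.

```shell
#!/bin/sh
# Added example (not from the article or CBSD): list the entries of the
# parent's /etc/hosts that CBSD would copy into every jail, so they can be
# reviewed before a jail is created. The file content below is constructed.

SAMPLE_HOSTS='::1                 localhost localhost.my.domain
127.0.0.1           localhost localhost.my.domain
192.168.69.4        jail1.alfaexploit.com # CBSD autotpl for mkhostsfile
# internal infrastructure, must not be visible from the jails
10.10.0.5           db-master.internal
10.10.0.6           backup-vault.internal hsm.internal'

# Print hosts entries that are neither loopback nor generated by mkhostsfile.
# Everything printed here becomes visible inside each jail.
hosts_leak_candidates() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/                    { next }   # comment lines
        NF == 0                       { next }   # blank lines
        $1 ~ /^127\./ || $1 == "::1"  { next }   # loopback entries
        /# CBSD autotpl/              { next }   # CBSD-managed entry
        { print }'
}

# Number of candidate entries; zero means nothing beyond loopback is exported.
hosts_leak_count() {
    hosts_leak_candidates "$1" | wc -l | tr -d ' '
}

# Same check against a real file, e.g. audit_hosts_file /etc/hosts on the parent.
audit_hosts_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    hosts_leak_candidates "$(cat "$1")"
}

hosts_leak_candidates "$SAMPLE_HOSTS"
```

On the constructed file the two internal entries are reported; loopback and the CBSD-generated line are not. Any entry the script prints is one that would otherwise be disclosed to whoever controls a Jail.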
Bhyve
Bridge:
To provide network to a Bhyve VM, two tap interfaces are created on the parent, one for the VM and one for the parent; these two interfaces, together with the physical interface, are placed in a bridge.
The network configuration will be governed by the configuration made through the guest OS installer, ignoring the parameters of the wizard. These parameters are simply saved in the SQLite database in case integration with an external service such as a DHCP server is needed. In this way, we could run a DHCP configuration script based on the indicated IP and the VM’s MAC address just before starting it. In this article we can see a complete example.
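As an illustration of the pre-start hook mentioned above, the script below turns the IP and MAC address stored for a VM into a dnsmasq static reservation (`dhcp-host=MAC,IP,hostname`, which is dnsmasq's own syntax). It is an added example, not code from the article or from CBSD: how the values are read out of CBSD's database and the configuration path `/usr/local/etc/dnsmasq.d/bhyve.conf` are assumptions, and both inputs are validated before anything is written so that a malformed value cannot end up in the DHCP server's configuration.

```shell
#!/bin/sh
# Added example (not CBSD's own code): build a dnsmasq static reservation from
# the IP and MAC that CBSD stores for a bhyve VM, validating both values first.
# The conf path used in the demo call is an assumption.

# True when $1 is a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) bad = 1 }
        END { exit bad }'
}

# Print the dnsmasq reservation line, or fail without output on bad input.
dhcp_host_line() {
    mac=$1; ip=$2; name=$3
    if ! valid_mac "$mac"; then
        echo "invalid MAC address: $mac" >&2; return 1
    fi
    if ! valid_ipv4 "$ip"; then
        echo "invalid IPv4 address: $ip" >&2; return 1
    fi
    printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"
}

# Replace (or add) the reservation for one VM in a dnsmasq conf fragment.
# Idempotent: an earlier line carrying the same MAC is dropped first, so
# re-running the hook with a new IP updates the reservation instead of
# leaving two conflicting ones.
update_reservation() {
    conf=$1; mac=$2; ip=$3; name=$4
    line=$(dhcp_host_line "$mac" "$ip" "$name") || return 1
    if [ -f "$conf" ]; then
        # grep -v exits 1 when it keeps nothing, which is fine here
        grep -v -F "$mac" "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    printf '%s\n' "$line" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Demo with constructed values; on a real host this runs just before the VM
# starts and is followed by a reload of dnsmasq.
dhcp_host_line 52:54:00:ab:cd:ef 192.168.69.10 vm1
```

Because the guest installer, not the wizard, decides the VM's addressing, a reservation like this is what keeps the address CBSD recorded and the address the guest actually obtains in agreement.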