Thursday, November 18, 2004
mijail5 on FreeBSD 5.3-RELEASE
As promised in my last post, here is some more info on getting the mijail5
patch to apply to FreeBSD 5.3-RELEASE.
Just so Google knows what I'm on about, the mijail5 patch lets you bind
multiple IP addresses (interfaces?) to a jail. Normal jail(8) will only let
you have one and sometimes many is useful. It was written for 5-CURRENT and
in its original form doesn't apply to 5.3-RELEASE.
You can get a copy of my much-hacked patch here. The usual disclaimers apply:
your mileage may vary, don't blame me if it breaks things, etc. I'm not a
jail or IP stack guru so some of my changes may be ill advised — all I
was trying to do was get pjd's patch to apply cleanly to the
RELENG_5_3_0_RELEASE source tree and allow me to compile a kernel that
booted. If you can write better kernel code than me, rewrite it.
That said, we've been running my patch on one of our production web servers for a couple of
days now. So far so good. The machine is up and appears to be stable and
working properly.
The old problem of DNS in the jail remains. I've been reading through the
source and have a fair idea of why it happens, but not how to fix it. The
problem appears to be in the way that INADDR_ANY source addresses are
handled for UDP datagrams. When you establish a TCP connection from inside
a jail, the INADDR_ANY source is silently rewritten to the jail address.
This doesn't seem to happen properly for UDP packets, which is most
noticeable when DNS resolution fails.
You should be aware that this is a problem that the mijail5 patch
introduces. DNS works fine before you patch your jail. I had a go at
fixing it without much success (I was really stabbing in the dark). Those
attempts aren't reflected in my version of the patch; they happened after
those diffs were done.
My temporary workaround is to run a forwarding-only nameserver inside the
jail. I'm doing this with the bind9 in the base install. The trick is to
configure the name server to listen on the jail's primary IP address and to
use the same IP address as the query-source address. The latter is
important as it is what fixes the INADDR_ANY source address problem! I
point my jail's resolv.conf at the nameserver inside the jail, and
effectively it proxies DNS requests for me and silently does the INADDR_ANY
-> primary IP translation.
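Here is what that workaround looks like as a BIND 9 named.conf. This is an added example written for this post, not the configuration from the original post or anything shipped with the mijail5 patch. The jail address 192.0.2.10, the upstream resolvers 192.0.2.53 and 198.51.100.53, and the /etc/namedb directory are assumed placeholder values; substitute your own.

```conf
// /etc/namedb/named.conf inside the jail: forwarding-only resolver.
// Added example, not from the original post or the mijail5 patch.
// Assumed values: jail primary IP 192.0.2.10, upstream resolvers
// 192.0.2.53 and 198.51.100.53. Replace them with your own.
options {
    directory "/etc/namedb";

    // Accept queries only on the jail's primary address.
    listen-on { 192.0.2.10; };
    listen-on-v6 { none; };

    // Send outbound queries from the jail address explicitly, so the
    // UDP socket never has an INADDR_ANY source for the kernel to rewrite.
    query-source address 192.0.2.10 port *;

    // Hand everything to the upstream resolvers; never recurse to the roots.
    forwarders { 192.0.2.53; 198.51.100.53; };
    forward only;

    // Only clients inside this jail may query or recurse through it, so the
    // jail does not turn into an open resolver reachable from outside.
    allow-query { 192.0.2.10; };
    allow-recursion { 192.0.2.10; };
};
```

Point the jail's /etc/resolv.conf at it with a single `nameserver 192.0.2.10` line, and run `named-checkconf` inside the jail before starting named to catch syntax mistakes. If you want to confirm the fix, watch port 53 traffic leaving the jail: every query should carry the jail's primary IP as its source address rather than whatever the kernel picked for INADDR_ANY.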
posted by guy at: 23:14 SAST | path: /systems