Jails - vnet- netgraph

Jails - vnet- netgraph

Peter Garshtja
Greetings FreeBSD community,


     OS: FreeBSD sun 12.2-RELEASE-p1 FreeBSD 12.2-RELEASE-p1 GENERIC  amd64


I am trying to build a netgraph vnet jail with the support of the official jng
script that comes with FreeBSD and was developed by Devin Teske.

jail.conf file

netgraph {
   devfs_ruleset = 13;
   enforce_statfs = 2;
   exec.clean;
   exec.consolelog = /var/log/bastille/netgraph_console.log;
   exec.start = '/bin/sh /etc/rc';
   exec.stop = '/bin/sh /etc/rc.shutdown';
   host.hostname = netgraph;
   mount.devfs;
   mount.fstab = /usr/local/bastille/jails/netgraph/fstab;
   path = /usr/local/bastille/jails/netgraph/root;
   securelevel = 2;

   vnet;
   vnet.interface = e0b_bastille0;
# exec.prestart += "jib addm bastille0 re0";
# exec.poststop += "jib destroy bastille0";
   exec.prestart += "jng bridge netgraph re0";
   exec.poststop += "jng shutdown netgraph" ;
}

When I start the jail, the netgraph subsystem raises the following exception:

ngctl: send msg: No such file or directory
jail: netgraph: jng bridge netgraph re0: failed

I also tried to create the netgraph bridge without using the jng script:

ngctl mkpeer re0: bridge lower link0
ngctl: send msg: No such file or directory

From what I found, it looks like it used to work on FreeBSD 11.x and stopped
working in version 12.

Any thoughts?

Please advise


Cheers,

Petru Garstea

_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: Jails - vnet- netgraph

Ernie Luzar
petru garstea wrote:

> Greetings FreeBSD community,
>
>
>     OS: FreeBSD sun 12.2-RELEASE-p1 FreeBSD 12.2-RELEASE-p1 GENERIC  amd64
>
>
> I am trying to build a netgraph vnet jail with the support of the official jng
> script that comes with FreeBSD and was developed by Devin Teske.
>
> jail.conf file
>
> netgraph {
>    devfs_ruleset = 13;
>    enforce_statfs = 2;
>    exec.clean;
>    exec.consolelog = /var/log/bastille/netgraph_console.log;
>    exec.start = '/bin/sh /etc/rc';
>    exec.stop = '/bin/sh /etc/rc.shutdown';
>    host.hostname = netgraph;
>    mount.devfs;
>    mount.fstab = /usr/local/bastille/jails/netgraph/fstab;
>    path = /usr/local/bastille/jails/netgraph/root;
>    securelevel = 2;
>
>    vnet;
>    vnet.interface = e0b_bastille0;
> # exec.prestart += "jib addm bastille0 re0";
> # exec.poststop += "jib destroy bastille0";
>    exec.prestart += "jng bridge netgraph re0";
>    exec.poststop += "jng shutdown netgraph" ;
> }
>
> When I start the jail, the netgraph subsystem raises the following exception:
>
> ngctl: send msg: No such file or directory
> jail: netgraph: jng bridge netgraph re0: failed
>
> I also tried to create the netgraph bridge without using the jng script:
>
> ngctl mkpeer re0: bridge lower link0
> ngctl: send msg: No such file or directory
>
> From what I found, it looks like it used to work on FreeBSD 11.x and stopped
> working in version 12.
>
> Any thoughts?
>
> Please advise
>
>
> Cheers,
>
> Petru Garstea
>

Don't see any reply so I will try to help you.
If I remember correctly the jib and jng were added as documentation back
around FreeBSD 10.00. I have tried to get it to work 10+, 11+, 12+ with
no joy. There is something missing but cannot tell what it is. The jail
environment has gone through many changes over time so no wonder jib/jng
don't work now.

Netgraph is a complete subsystem for network configuration that has its
own syntax and commands. The learning curve is pretty great. There is an
outstanding bug and Devin Teske & (she) has taken up the bug. Hoping 13
holds the bug fix.


Re: Jails - vnet- netgraph

Peter Garshtja
Hi Ernie,

     The jib script is working fine; however, in my current setup I need to
emulate a bridge interface with the netgraph subsystem. I tried to manage that
part with the jng script with no luck, then I decided to create the netgraph
bridge manually using the ngctl client, and in the end the result was the same.

In the recent FreeBSD magazines it was mentioned that "bridging" was
refactored and I would like to know if that might have impacted the
netgraph bridge.

Please advise

Cheers,

Petru Garstea

On 1/26/21 12:53 PM, Ernie Luzar wrote:

> petru garstea wrote:
>> Greetings FreeBSD community,
>>
>>
>>     OS: FreeBSD sun 12.2-RELEASE-p1 FreeBSD 12.2-RELEASE-p1
>> GENERIC  amd64
>>
>>
>> I am trying to build a netgraph vnet jail with the support of the official
>> jng script that comes with FreeBSD and was developed by Devin Teske.
>>
>> jail.conf file
>>
>> netgraph {
>>   devfs_ruleset = 13;
>>   enforce_statfs = 2;
>>   exec.clean;
>>   exec.consolelog = /var/log/bastille/netgraph_console.log;
>>   exec.start = '/bin/sh /etc/rc';
>>   exec.stop = '/bin/sh /etc/rc.shutdown';
>>   host.hostname = netgraph;
>>   mount.devfs;
>>   mount.fstab = /usr/local/bastille/jails/netgraph/fstab;
>>   path = /usr/local/bastille/jails/netgraph/root;
>>   securelevel = 2;
>>
>>   vnet;
>>   vnet.interface = e0b_bastille0;
>> # exec.prestart += "jib addm bastille0 re0";
>> # exec.poststop += "jib destroy bastille0";
>>   exec.prestart += "jng bridge netgraph re0";
>>   exec.poststop += "jng shutdown netgraph" ;
>> }
>>
>> When I start the jail, the netgraph subsystem raises the following exception:
>>
>> ngctl: send msg: No such file or directory
>> jail: netgraph: jng bridge netgraph re0: failed
>>
>> I also tried to create the netgraph bridge without using the jng script:
>>
>> ngctl mkpeer re0: bridge lower link0
>> ngctl: send msg: No such file or directory
>>
>> From what I found, it looks like it used to work on FreeBSD 11.x and
>> stopped working in version 12.
>>
>> Any thoughts?
>>
>> Please advise
>>
>>
>> Cheers,
>>
>> Petru Garstea
>>
>
> Don't see any reply so I will try to help you.
> If I remember correctly the jib and jng were added as documentation
> back around FreeBSD 10.00. I have tried to get it to work 10+, 11+,
> 12+ with no joy. There is something missing but cannot tell what it
> is. The jail environment has gone through many changes over time so no
> wonder jib/jng don't work now.
>
> Netgraph is a complete subsystem for network configuration that has
> its own syntax and commands. The learning curve is pretty great.
> There is an outstanding bug and Devin Teske & (she) has taken up the
> bug. Hoping 13 holds the bug fix.

Re: Jails - vnet- netgraph

Kristof Provost
On 27 Jan 2021, at 3:59, petru garstea wrote:
> In the recent FreeBSD magazines it was mentioned that "bridging" was
> refactored and I would like to know if that might have impacted the
> netgraph bridge.
>
No, the if_bridge changes do not affect the netgraph code.

Best regards,
Kristof

Re: Jails - vnet- netgraph

Peter Garshtja
Greetings,

     Finally, I sorted it out.

I have copied an example from the following path
/usr/share/examples/netgraph/ether.bridge and found out that I needed to
load modules into the kernel

ng_socket.ko
ng_bridge.ko
ng_ether.ko
ng_eiface.ko

and the jng script started working. I spawned a jail and confirmed that the vnet
netgraph interface was properly configured.

However, I have another question: if I run ifconfig on the host I don't
see in the list the netgraph bridge interface and the jail's ether
interface. I can see these interfaces only if I run

ngctl list

   Name: ng0_vnetjail    Type: eiface          ID: 00000010   Num hooks: 1
   Name: re0             Type: ether           ID: 00000005   Num hooks: 2
   Name: ngctl1544       Type: socket          ID: 00000017   Num hooks: 0
   Name: re0bridge       Type: bridge          ID: 0000000b   Num hooks: 3

Please advise

Cheers,

Petru Garstea


On 1/27/21 5:36 AM, Kristof Provost wrote:
> On 27 Jan 2021, at 3:59, petru garstea wrote:
>> In the recent FreeBSD magazines it was mentioned that "bridging" was
>> refactored and I would like to know if that might have impacted the
>> netgraph bridge.
>>
> No, the if_bridge changes do not affect the netgraph code.
>
> Best regards,
> Kristof
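
Added example, not part of the thread or of the jng script: a preflight that reports which of the four modules named in the message above are absent from `kldstat` output and prints the matching /boot/loader.conf entries. The function names and the sample `kldstat` listing are constructed for illustration.

```shell
#!/bin/sh
# Modules the thread found were needed before "jng bridge" would work.
REQUIRED_NG_MODULES="ng_socket ng_bridge ng_ether ng_eiface"

# missing_ng_modules (hypothetical helper): read `kldstat` output on stdin
# and print each required module whose .ko file is not listed, one per line.
missing_ng_modules() {
    loaded=$(awk 'NR > 1 { print $NF }')   # last column is the file name
    for mod in $REQUIRED_NG_MODULES; do
        printf '%s\n' "$loaded" | grep -qxF "${mod}.ko" || printf '%s\n' "$mod"
    done
}

# loader_conf_lines (hypothetical helper): turn module names on stdin into
# /boot/loader.conf entries so the modules are loaded at every boot.
loader_conf_lines() {
    while read -r mod; do
        if [ -n "$mod" ]; then
            printf '%s_load="YES"\n' "$mod"
        fi
    done
}

# Constructed sample of `kldstat` output (not taken from the thread):
# the netgraph core and ng_ether are present, the other three are not.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   12 0xffffffff80200000  2295a98 kernel
 2    1 0xffffffff82719000     3218 ng_ether.ko
 3    2 0xffffffff8271d000     aac8 netgraph.ko'

# demo: run the check over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_KLDSTAT" | missing_ng_modules | loader_conf_lines
}

# On a FreeBSD host, as root, the live equivalent is:
#   kldstat | missing_ng_modules | while read -r m; do kldload "$m"; done
# A module compiled into the kernel has no .ko line in the listing;
# `kldstat -q -m <name>` tests for the module by name in that case.
```

Running the live form from the jail's exec.prestart, before the `jng bridge` line, makes the dependency explicit instead of failing with "ngctl: send msg: No such file or directory".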

Re: Jails - vnet- netgraph

Kristof Provost
On 28 Jan 2021, at 2:54, petru garstea wrote:

> Greetings,
>
>     Finally, I sorted it out.
>
> I have copied an example from the following path
> /usr/share/examples/netgraph/ether.bridge and found out that I needed
> to load modules into the kernel
>
> ng_socket.ko
> ng_bridge.ko
> ng_ether.ko
> ng_eiface.ko
>
> and the jng script started working. I spawned a jail and confirmed that the vnet
> netgraph interface was properly configured.
>
> However, I have another question: if I run ifconfig on the host I don't
> see in the list the netgraph bridge interface and the jail's ether
> interface. I can see these interfaces only if I run
>
Vnet jails own the interfaces, so it’s entirely expected that you
wouldn’t see them on the host.

> ngctl list
>
>   Name: ng0_vnetjail    Type: eiface          ID: 00000010   Num hooks: 1
>   Name: re0             Type: ether           ID: 00000005   Num hooks: 2
>   Name: ngctl1544       Type: socket          ID: 00000017   Num hooks: 0
>   Name: re0bridge       Type: bridge          ID: 0000000b   Num hooks: 3
>
If you can see those from the host that seems like it’d be a bug in
the netgraph code.

Regards,
Kristof