VIMAGE: vnet, epair and lots of jails on bridgeX - routing


VIMAGE: vnet, epair and lots of jails on bridgeX - routing

O. Hartmann
Hello,

I have been fighting the following problem without any success, and I need
some help and/or advice.

We are running several CURRENT and 11.1-RELENG-p6 boxes. CURRENT is at the most
recent version as of today.

VIMAGE is compiled into all kernels.
IPFW is compiled into all kernels and is the only firewall used.
On CURRENT, the host's ipfw is set to "OPEN" (via the rc scripts, so far). By
convention, I refer to the machine running the kernel as the "host".

Every jail is created/configured with its own "vnet" cloned network stack
(vnet=new).

All hosts have at least three physical NICs. The host itself is supposed to
be a member of the "friendly" network via a dedicated NIC. The two remaining
NICs are split between a "hostile" network, on which I'd like to place
exposed jails (for now), and the "friendly" network, on which jails will also
be hosted, via a dedicated NIC.

Between those two networks, the host will have a third, intermediate
network; call it the "service" network.

The following will be true for ALL jails created, including the host itself:

net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=0
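These can be applied at runtime with sysctl(8) and persisted in /etc/sysctl.conf; a minimal sketch:

```shell
# Disable packet filtering on bridge member interfaces and on the
# bridge itself, so the firewall does not act on bridged traffic.
sysctl net.link.bridge.pfil_member=0
sysctl net.link.bridge.pfil_bridge=0
sysctl net.link.bridge.pfil_onlyip=0
```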

First, I clone/create three bridge(4) devices: bridge0 (the "glue" between
the "service" jails), bridge1 (the glue between the jails on the friendly
network side) and bridge2, the glue between the jails on the hostile side.
bridge1 has eth1 as a member, which provides physical access to the friendly
network; eth2 is a member of bridge2, which provides access to the hostile
network.
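As a sketch, that bridge setup would look roughly like this (the exact commands are my reconstruction, not the actual script; interface names eth1/eth2 are taken from the description above):

```shell
# Three bridges, one per realm.
ifconfig bridge0 create up    # service net (no physical member)
ifconfig bridge1 create up    # friendly net
ifconfig bridge2 create up    # hostile net

# Attach the physical NICs that reach the real networks.
ifconfig bridge1 addm eth1    # eth1 = physical link to the friendly net
ifconfig bridge2 addm eth2    # eth2 = physical link to the hostile net
```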

By convention, when creating an epair(4), the a-portion belongs to the jail
itself and is assigned an IP address. The b-portion of the epair(4) is a
member of the bridge matching its realm (friendly, service or hostile
network).

Additionally, there is a special jail, the router, which has three epair(4)
devices. The b-portion of each epair is a member of the appropriate
bridge(4), and this router jail has static routes assigned, pointing to the
appropriate epairXXXa that is supposed to be the link into the correct
bridge/network. IPFW is set to open on this jail (for now). On this special
jail, net.inet.ip.forwarding=1 is set.
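A hedged sketch of the router jail plumbing as I understand it (the jail name "router" and the epair unit numbers are illustrative, not taken from the real configuration):

```shell
# b-sides stay on the host and join their bridges; a-sides move into
# the router jail's vnet and are addressed there.
ifconfig epair4000 create && ifconfig bridge0 addm epair4000b
ifconfig epair4001 create && ifconfig bridge1 addm epair4001b
ifconfig epair4002 create && ifconfig bridge2 addm epair4002b
ifconfig epair4000b up; ifconfig epair4001b up; ifconfig epair4002b up

# Hand the a-sides to the router jail and configure them inside it.
ifconfig epair4000a vnet router
jexec router ifconfig epair4000a inet 10.10.0.1/24 up
# (similarly for epair4001a / 192.168.11.1 and epair4002a / 10.10.10.1)

# Enable forwarding inside the router jail.
jexec router sysctl net.inet.ip.forwarding=1
```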

I hope the topology is clear so far. All epairs and epair endpoints, as well
as the bridges, are UP! I double-checked this.

Jails on bridge0 (service net) have IPs in the range 10.10.0.0/24; the
b-portion of the routing jail's epair is a member of bridge0, as described
above, and the a-portion of that epair has IP 10.10.0.1. The default route on
each jail on bridge0 is set to 10.10.0.1 accordingly.
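Inside each jail on the service bridge, the corresponding setup would be something like this (the epair name and the jail's address are illustrative):

```shell
# Inside a service jail: address the a-side and point the default
# route at the router jail's address on the same bridge.
ifconfig epair100a inet 10.10.0.10/24 up
route add default 10.10.0.1
```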

Consider a similar setup for the jails on the friendly and hostile networks,
except that their bridges include a physical NIC through which they can reach
a real network.

The setup might not be ideal or appropriate for virtually separating
networks, but that shouldn't be the subject here. More important is that I
assume I haven't understood some essentials, because the setup doesn't work
as expected. Furthermore, on FreeBSD 11.1-RELENG-p6 it sometimes behaves
completely unpredictably - but in that special case, I think I ran IPFW on
the host as "WORKSTATION", and dynamic rules may play an important role
there. Focussing on the CURRENT box, the host's IPFW is set to OPEN.

With jexec -l hostA I gain access to host A on the "service" bridge0, and I
want to ping its neighbour, hostB, on the same bridge and in the same net. It
doesn't work! From the routing jail, I CANNOT ping any host on bridge0. The
routing jail has these network settings:

[... routing jail ...]
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
[epair to bridge0 - service net]
epair4000a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:57:d0:00:07:0a
        inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
[epair to bridge1, friendly net]
epair4001a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:57:d0:00:09:0a
        inet 192.168.11.1 netmask 0xffffff00 broadcast 192.168.11.255
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
[epair to bridge2, hostile net]
epair4002a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:57:d0:00:0b:0a
        inet 10.10.10.1 netmask 0xfffffc00 broadcast 10.10.10.255
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair

routing:
netstat -Warn
Routing tables

Internet:
Destination        Gateway            Flags       Use    Mtu      Netif Expire
10.10.0.0/24       link#2             U            11   1500 epair4000a
10.10.0.1          link#2             UHS           4  16384        lo0
10.10.10.0/24      link#4             U           210   1500 epair4002a
10.10.10.1         link#4             UHS          44  16384        lo0
127.0.0.1          link#1             UH            0  16384        lo0
192.168.11.0/24    link#3             U             9   1500 epair4001a
192.168.11.1       link#3             UHS           0  16384        lo0

Consider a jail hostCC on bridge2 in the hostile network, IP 10.10.10.128.
I can ping that jail, although it has conceptually the very same setup as the
unreachable jails on bridge0!

It is weird. On bridge0, no jail can be pinged; it looks like the Ethernet is
somehow down on that bridge. I would expect to be able to ping every host
that is a member of the very same bridge! On 11.1-RELENG-p6 there are other
weird issues: I was able to ping those jails, even ssh to them, but that
vanished after several restarts of the jail system (each bridge and epair is
created by jail.conf and destroyed after the jail has been deactivated, and
doing so a considerable number of times brings down the FreeBSD
11.1-RELENG-p6 host very reliably - it crashes!).

So, since VIMAGE is now default in CURRENT's GENERIC, I consider its
functionality at least "predictable", but I fail somehow here.

Does someone have deeper insight, or spot the mistake I'm making here?

Thanks in advance,

Oliver
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[hidden email]"

Re: VIMAGE: vnet, epair and lots of jails on bridgeX - routing

O. Hartmann
On Thu, 8 Feb 2018 09:31:15 +0100,
"O. Hartmann" <[hidden email]> wrote:

> [original message quoted in full - trimmed]

Is this problem too trivial?

oh


Re: VIMAGE: vnet, epair and lots of jails on bridgeX - routing

Bjoern A. Zeeb
On 9 Feb 2018, at 16:22, O. Hartmann wrote:

> On Thu, 8 Feb 2018 09:31:15 +0100,
> "O. Hartmann" <[hidden email]> wrote:
>
> Is this problem too trivial?

I read through it yesterday and found myself in the position that I need
a whiteboard or paper and pencil or an ASCII art of your situation.  But
by the time I made it to the question I was basically lost.  Could you
massively simplify this and maybe produce the ASCII art?

/bz

Re: VIMAGE: vnet, epair and lots of jails on bridgeX - routing

Olivier Cochard-Labbé
On Sat, Feb 10, 2018 at 8:52 AM, O. Hartmann <[hidden email]> wrote:

>
> The moment any of the bridges gets an additional member epair interface
> (so the bridge has at least three members, including the one reaching into
> the virtual router jail), the vbridge seems to operate unpredictably (to
> me). Jails that are members of that vbridge become unreachable to ping.
>
First idea:
Did you try a simpler setup, like just 3 jails as members of one bridge?
=> I've tried it on -head, and all 4 members (3 jails and the host) manage
to communicate.

Second idea:
Can you check that all the epairs have different MAC addresses?
I hit this bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=176671
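A quick way to check for such collisions is to extract all `ether` lines and look for duplicates. In this sketch a here-doc stands in for real output; on a live system you would pipe `ifconfig -a` (plus `jexec <jail> ifconfig -a` for each vnet jail) through the same filter:

```shell
# Print every MAC address that appears more than once.
dups=$(awk '/ether/ { print $2 }' <<'EOF' | sort | uniq -d
epair235a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
        ether 02:ce:d0:00:07:0a
epair237a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
        ether 02:ce:d0:00:07:0a
epair237b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
        ether 02:ce:d0:00:0e:0b
EOF
)
echo "$dups"   # prints the duplicated address 02:ce:d0:00:07:0a
```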

Regards,

Olivier

Re: VIMAGE: vnet, epair and lots of jails on bridgeX - routing

O. Hartmann
On Sat, 10 Feb 2018 11:52:18 +0100
Olivier Cochard-Labbé <[hidden email]> wrote:

> On Sat, Feb 10, 2018 at 8:52 AM, O. Hartmann <[hidden email]> wrote:
>
> > [earlier message trimmed]
>
> First idea:
> Did you try a simpler setup, like just 3 jails as members of one bridge?
> => I've tried it on -head, and all 4 members (3 jails and the host) manage
> to communicate.

Yes, I did.

I set up one bridge (bridge0) and three jails. Each jail owns its epairXXa
device with an IP assigned; the epairXXb of each jail is a member of the
bridge. The bridge is up, and each epairXXb is up.
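For reference, a minimal jail.conf sketch of that test setup might look like this (paths, names and addresses are illustrative, not the actual configuration):

```conf
# One vnet jail whose epair b-side joins bridge0 on the host.
j1 {
        vnet;
        vnet.interface = "epair1a";
        path = "/jails/j1";
        host.hostname = "j1";
        exec.prestart = "ifconfig epair1 create && ifconfig bridge0 addm epair1b up";
        exec.start    = "ifconfig epair1a inet 10.10.0.11/24 up";
        exec.poststop = "ifconfig epair1a destroy";
        persist;
}
```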

>
> Second idea:
> Can you check that all the epairs have different MAC addresses?
> I hit this bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=176671

Very good shot! Thanks. No, they do not all have unique MAC addresses, and
on some occasions members of the very same bridge have the very same MAC
address, mostly the a-part of the epair:

From console:
[...]
ng_ether_ifnet_arrival_event: can't re-name node epair10250a
==>> epair20128a: Ethernet address: 02:ce:d0:00:07:0a
epair20128b: Ethernet address: 02:ce:d0:00:13:0b
epair20128a: link state changed to UP
epair20128b: link state changed to UP
epair20128b: promiscuous mode enabled
ng_ether_ifnet_arrival_event: can't re-name node epair20128a
==>> epair20129a: Ethernet address: 02:ce:d0:00:07:0a
epair20129b: Ethernet address: 02:ce:d0:00:14:0b
epair20129a: link state changed to UP
epair20129b: link state changed to UP
epair20129b: promiscuous mode enabled
ng_ether_ifnet_arrival_event: can't re-name node epair20129a

The epair20XXX devices are members of bridge2 and are the dedicated epairs of
jails.

The following is the disastrous picture on bridge1:

[...]
==>> epair235a: Ethernet address: 02:ce:d0:00:07:0a
epair235b: Ethernet address: 02:ce:d0:00:0d:0b
epair235a: link state changed to UP
epair235b: link state changed to UP
epair235b: promiscuous mode enabled
ng_ether_ifnet_arrival_event: can't re-name node epair235a
==>> epair237a: Ethernet address: 02:ce:d0:00:07:0a
epair237b: Ethernet address: 02:ce:d0:00:0e:0b
epair237a: link state changed to UP
epair237b: link state changed to UP
epair237b: promiscuous mode enabled
ng_ether_ifnet_arrival_event: can't re-name node epair237a
==>> epair251a: Ethernet address: 02:ce:d0:00:07:0a
epair251b: Ethernet address: 02:ce:d0:00:0f:0b
epair251a: link state changed to UP
epair251b: link state changed to UP
epair251b: promiscuous mode enabled
ng_ether_ifnet_arrival_event: can't re-name node epair251a
==>> epair238a: Ethernet address: 02:ce:d0:00:07:0a
epair238b: Ethernet address: 02:ce:d0:00:10:0b
epair238a: link state changed to UP
epair238b: link state changed to UP
epair238b: promiscuous mode enabled
ng_ether_ifnet_arrival_event: can't re-name node epair238a
[...]


This is on CURRENT (FreeBSD 12.0-CURRENT #36 r329150: Mon Feb 12 06:30:47 CET
2018 amd64).

I checked on Friday at the office and didn't catch it, since I was checking
each jail individually, but the console log accessed via dmesg revealed the
problem very easily.

I did a check on the 11.1-RELENG-p6 box and got the same picture there, with
a different but very similar setup.

So I simply didn't see it among the mass of epairs our setup requires :-(

I'll now set the MAC addresses manually and check functionality again.
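One way to do that, sketched below: derive a deterministic, locally administered MAC from each epair's unit number, so collisions cannot occur. The helper name and the numbering scheme are my own, purely illustrative:

```shell
# Map a numeric epair/jail ID to a unique locally administered MAC.
# The 02: prefix sets the locally-administered bit.
jail_mac() {
    printf '02:ff:%02x:%02x:%02x:%02x\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $((  $1        & 255 ))
}

mac=$(jail_mac 235)
echo "$mac"   # 02:ff:00:00:00:eb
# Then, before starting the jail:
#   ifconfig epair235a ether "$mac"
```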

>
> Regards,
>
> Olivier

Kind regards,

Oliver