11.2, correct way to create jail network interfaces

Status
Not open for further replies.

Plato

Contributor
Joined
Mar 24, 2016
Messages
101
Hi,

What's the best way to create jails? As far as I understand, 11.2 doesn't create a network interface for the jail itself. Should we create it for the jail ourselves?

Assume that the jail should be in the same network as the FreeNAS box. It also should have all ports accessible from the network.
 

Plato
That's the thing. Before 11.2 we just created a jail and the interface was generated automatically. Now it seems we need to create an interface first and then assign it to the jail. Correct me if I'm wrong.
 

Plato
But I could leave it blank on 11.1, and it'd create an interface for the jail itself. Now, I have to assign an interface to my jail manually.
 
dlavigne

Guest
11.1 used a different backend (warden). iocage (11.2) requires the interface to be specified.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I got bit by this yesterday as well. See my thread in the Bhyve / Jails forum on installing MySQL in a jail. I tried selecting the virtualized interface from an existing Jail, and ended up assigning my Jail's intended static IP address to the Base NAS.

In the end I checked the "VNET" box, and used the vnet0 interface that will appear at the bottom of the list.
 

OdyMan

Cadet
Joined
Apr 9, 2014
Messages
4
I have this question as well. I created my first jail in 11.2 yesterday using Plex plug-in. I wanted to specify a static IP, but I didn't know which interface I should pick. I looked thru a couple of Plex on FreeNAS 11.2 tutorials and they all showed using DHCP and I guess it automatically selects and/or creates the appropriate network interface. So I went ahead and did that and just manipulated its IP thru my DHCP server. After the jail was created, I poked around for a few minutes to see which interface it actually used/created so that I can perhaps change the setting from DHCP to static. Still no clue yet. More research needed.
 

jimboooooo

Dabbler
Joined
Feb 21, 2017
Messages
13
rvassar said:
> I got bit by this yesterday as well. See my thread in the Bhyve / Jails forum on installing MySQL in a jail. I tried selecting the virtualized interface from an existing Jail, and ended up assigning my Jail's intended static IP address to the Base NAS.
>
> In the end I checked the "VNET" box, and used the vnet0 interface that will appear at the bottom of the list.

VNET is the way to go for most scenarios. I found that through the UI, you have to install the plugin, then you can go back and change interface options and select VNET.

If you do this via CLI it can all be done in one step and it's easy to reproduce.

Code:
# you will be prompted to select one of the official plugins
# a vnet interface will be created
# set the IP on that interface to 192.168.1.101
# disable dhcp
# set the gateway to the router
# use google dns
# set the mac address to 02:ff:60:00:08:00

iocage fetch --plugins vnet=on ip4_addr="vnet0|192.168.1.101" dhcp=off defaultrouter="192.168.1.1" resolver="nameserver 8.8.8.8" vnet0_mac="02ff60000801","02ff60000800"


A post I found helpful. https://forums.freenas.org/index.ph...dress-for-ether-and-hwaddr.68857/#post-474278
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
jimboooooo said:
> VNET is the way to go for most scenarios. I found that through the UI, you have to install the plugin, then you can go back and change interface options and select VNET.

After ixsystems have devoted much effort to providing a functioning GUI for plugins and jails based on iocage under the hood, it's sad to see it's not understood.

In FN11.2, you can create a plugin that uses DHCP + VNET + BPF, or uses a static IP by creating an alias on a physical interface. For the former there's nothing to do, and for the latter pick the physical interface that's configured in "Networking" and set the plugin's IP and net mask.

For Jails, you have greater flexibility, as you can use DHCP with VNET, or VNET with a static IP.
 

jimboooooo
KrisBee said:
> After ixsystems have devoted much effort to providing a functioning GUI for plugins and jails based on iocage under the hood, it's sad to see it's not understood.

I definitely don't claim to understand everything. I will say that when installing a plugin from the UI, you don't have the networking options available initially. Looks to be different when you use the UI for creating your own jail.
 

KrisBee
jimboooooo said:
> I wasn't clear. You aren't able to create a vnet interface or specify the MAC address for that interface from the UI in Fig. 13.1.2. You can't create one through the UI for the official plugin installation until after you've actually installed the plugin. That can be problematic depending on the scenario.

For a Plugin, if DHCP is selected, the pop-up message tells you "Set for DHCP to automatically configure network settings" which means the vnet interface and associated MAC addresses (for vnet & epair) are automatically created. So I don't understand your statement.

I would agree the FN11.2 guide would be improved if there was an example of configuring a plugin with a static IP and it's debatable which class of interface should be in the drop-down list.
 
rvassar
KrisBee said:
> For a Plugin, if DHCP is selected, the pop-up message tells you "Set for DHCP to automatically configure network settings" which means the vnet interface and associated MAC addresses (for vnet & epair) are automatically created. So I don't understand your statement.
>
> I would agree the FN11.2 guide would be improved if there was an example of configuring a plugin with a static IP and it's debatable which class of interface in the drop-down list.

I actually read the whole chapter before trying it. It's unclear enough that in hunting around & guessing which interface to use (with an existing pre-upgrade warden jail configured), I actually attached my jail's intended IP to the base NAS. I'm not comfortable enough with my knowledge of the feature / product to call that a UI bug. But I do have to wonder if there's some interfaces that need to be excluded from the list, or at least tagged as "(not recommended)". As it stands, the UI just presents a list of nearly all available interfaces. Getting rid of the warden jail cleaned up the list presented.

I did work around the static IP issue by letting the jail come up as VNET / DHCP with a dynamic address. I then grabbed the generated MAC address and set it up on my DHCP server as a fixed address assignment. But that assumes that MAC address won't change at some point, be it another update or even a host reboot. That's often true for other virtualization products, but I haven't tested it with iocage jails, so I may be revisiting this. Of course, not everyone gets control over their DHCP either.
 

KrisBee
rvassar said:
> I actually read the whole chapter before trying it. It's unclear enough that in hunting around & guessing which interface to use (with an existing pre-upgrade warden jail configured), I actually attached my jail's intended IP to the base NAS. I'm not comfortable enough with my knowledge of the feature / product to call that a UI bug. But I do have to wonder if there's some interfaces that need to be excluded from the list, or at least tagged as "(not recommended)". As it stands, the UI just presents a list of nearly all available interfaces. Getting rid of the warden jail cleaned up the list presented.
>
> I did work around the static IP issue by letting the jail come up as VNET / DHCP with a dynamic address. I then grabbed the generated MAC address and set it up on my DHCP server as a fixed address assignment. But that assumes that MAC address won't change at some point, be it another update or even a host reboot. That's often true for other virtualization products, but I haven't tested it with iocage jails, so I may be revisiting this. Of course, not everyone gets control over their DHCP either.

I haven't looked at the outstanding issues being worked on for FN112-U1, but warden jails were meant to be converted to iocage jails. As far as iocage based jails are concerned AFAIU it's either VNET, with or without DHCP, or a so-called "shared IP" which most would pick to create an alias on a physical NIC. Whether there is a use case for trying to attach a jail network to a pre-existing bridge or tap or epair device is open to question.
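
Added example, not part of any post in this thread: a POSIX shell check that takes the vnet, dhcp and ip4_addr property values discussed above and reports whether a jail's address will sit on a VNET interface or on a host interface (the shared-IP case, where the address shows up on the NAS itself). The function names, the host interface name em0 and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Property names (vnet, dhcp, ip4_addr)
# are the iocage ones used in the posts; all sample values are constructed.

is_on() {
    case "$1" in on|yes|1) return 0 ;; *) return 1 ;; esac
}

# jail_net_mode VNET DHCP IP4_ADDR
# Prints one line per ip4_addr entry saying where that address will live.
jail_net_mode() {
    vnet=$1; dhcp=$2; ip4=$3
    if is_on "$dhcp"; then
        if is_on "$vnet"; then
            echo "vnet-dhcp"
        else
            echo "check: dhcp is on but vnet is off"
        fi
        return 0
    fi
    old_ifs=$IFS; IFS=,
    for entry in $ip4; do          # ip4_addr may hold several comma-separated entries
        iface=${entry%%|*}; addr=${entry#*|}
        case "$entry" in
            *"|"*) ;;
            *) echo "check: '$entry' is not iface|address"; continue ;;
        esac
        case "$iface" in
            vnet[0-9]*) virt=1 ;;  # jail-side virtual interface
            *) virt=0 ;;           # anything else is treated as a host interface
        esac
        if is_on "$vnet" && [ "$virt" -eq 1 ]; then
            echo "vnet-static $iface $addr"
        elif is_on "$vnet"; then
            echo "check: vnet is on but $iface is not a vnetN interface"
        elif [ "$virt" -eq 1 ]; then
            echo "check: $iface needs vnet=on"
        else
            echo "shared-ip: $addr is added to host interface $iface"
        fi
    done
    IFS=$old_ifs
    return 0
}

# Constructed inputs: the CLI post's settings, then a host interface picked without VNET.
jail_net_mode on off "vnet0|192.168.1.101"
jail_net_mode off off "em0|192.168.1.101"
```

On a host with iocage, the three values can be read with iocage get <property> <jail> and passed to the function.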
 