Could do with some guidance on iocage

felthamn

Dabbler
Joined
Jan 25, 2018
Messages
40
Relative Newbie Warning !!!!!!

I have recently upgraded to FreeNAS 11.1-U4 for about a month now and I am looking to create a new plex instance on the server (I have one already in a jail - warden) however would like the new instance running from iocage. I have never used iocage before and to be honest I have no confidence with the new UI as there are many parts of it that are just not working. My question is where the hell do I start!

I know it's not the best question but I am well and truly frustrated with trying to do a simple thing like create a plex instance (which I could do blindfolded on the old jail system).

Apologies for the rant and any advice would be gratefully received.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yeah, iX has put themselves (and their users) in a bad position. They haven't built a FreeBSD-11.1 template for warden, and 11.0 is EOL'd (which in itself seems like a poor decision by the FreeBSD crew, but that's a separate issue). There is a FreeBSD-11.1 template for iocage, but iocage itself is broken in 11.1-U4, and the new GUI is far from feature-complete in this regard. So...

First, don't try to build the jail using the GUI--you'll need to use the CLI.

Second, to fix networking issues, update iocage:
Code:
cd /tmp
git clone --recursive https://github.com/iocage/iocage
cp -R iocage/iocage/lib/ /usr/local/lib/python3.6/site-packages/iocage/lib


Third, create the jail itself:
Code:
iocage create --name "plex" -r 11.1-RELEASE ip4_addr="vnet0|${JAIL_IP}/24" defaultrouter="${DEFAULT_GW_IP}" boot="on" host_hostname="plex" vnet="on"


Fourth, add any desired storage to the jail:
Code:
iocage fstab -a plex /source/path /destination/path nullfs rw 0 0

Repeat as necessary.

Fifth, enter the jail to install whatever else you want:
Code:
iocage console plex
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I would set up iocage jails with the CLI and follow this guide.
It's been a while since I switched to iocage but I think you need to run
iocage activate zpool
iocage fetch and grab 11.1 and then follow his guide. You may be able to get to the same place by creating a new jail in the new UI.
 

NasKar

Second, to fix networking issues, update iocage:
Code:
cd /tmp
git clone --recursive https://github.com/iocage/iocage
cp -R iocage/iocage/lib/ /usr/local/lib/python3.6/site-packages/iocage/lib

What issue does this fix? I couldn't find anything about it on their wiki page. Does it eliminate the need to do
Code:
iocage exec <jail> 'sysrc ifconfig_epair0_name="epair0b"'
 

danb35

What issue does this fix?
Networking error messages when creating the jail. I don't remember the exact messages, but they're discussed on my thread about the scripted Nextcloud install.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I would set up iocage jails with the CLI and follow this guide.
It's been a while since I switched to iocage but I think you need to run
iocage activate zpool
iocage fetch and grab 11.1 and then follow his guide. You may be able to get to the same place by creating a new jail in the new UI.
If you run the command @danb35 posted to create the jail it will fetch the release specified in the command.
What issue does this fix?
If you don't update iocage networking will be broken in your newly created jail.
 

felthamn

Thanks for the tips. Will give it a shot and see what happens. Though the way things are going with FreeNAS and broken updates I think I will be moving to another platform. It's a shame as it has the potential of being really great.
 

Jailer

Give iocage a shot before you give up on FreeNAS. It's pretty simple to use and the commands are easy to learn once you start using it.
 

felthamn

Okay, now it's telling me the following:

The package management tool is not yet installed on your system.
 

Jailer

Did you apply the patch @danb35 posted? The patch is run on FreeNAS not in the jail.
 

felthamn

Yes, well this is what I have done....

1. remote into freenas using ssh
2. cd /tmp
3. cloned and updated the iocage as advised by danb35
4. Created the iocage jail replacing ${JAIL_IP} with an IP address and ${DEFAULT_GW_IP} with the default gateway IP address
5. iocage downloads manifest, base.txz, lib32.txz, doc.txz and src.txz. System extracts and installs updates however, src component not installed, skipped. Installing updates... done and reports plex jail successfully created. The jail starts, configures VNET ok and starts services.
6. For the purposes of this test I have only added one storage location - iocage fstab -a plex /mnt/homenet/Movies /media.movies nullfs rw 0 0

so far so good

so I now access the plex jail with iocage console plex which takes me into root@plex

tried to install plex with pkg install plexmediaserver

to which I see

root@plex:~ # pkg install plrxmediaserver
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]:

I respond with y

and get this

Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Network is unreachable
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

now stumped
 

felthamn

small typo

6. For the purposes of this test I have only added one storage location - iocage fstab -a plex /mnt/homenet/Movies /media.movies nullfs rw 0 0

should be

iocage fstab -a plex /mnt/homenet/Movies /media/movies nullfs rw 0 0
 

ewhac

Contributor
Joined
Aug 20, 2013
Messages
177
root@plex:~ # pkg install plrxmediaserver
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]:

I respond with y

and get this

Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/Latest/pkg.txz: Network is unreachable
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.
I'm having the same problem. I applied the above patch to iocage (that's done off the master branch, right?), built a jail, logged in to it, but can't get packets in or out. I added ifconfig_epair0_name="epair0b" to /etc/rc.conf and restarted the jail, but still no joy.

Jail constructed using:
Code:
sudo iocage create -n "smtp"  -r 11.1-RELEASE ip4_addr="vnet0|10.0.2.2/16" defaultrouter="10.0.0.1" vnet="on" allow_raw_sockets="1" boot="on"

Resulting jail config:
Code:
$ iocage get -a smtp
CONFIG_VERSION:11
allow_chflags:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
available:readonly
basejail:no
boot:on
bpf:no
children_max:0
cloned_release:11.1-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:10.0.0.1
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:smtp
host_hostuuid:smtp
host_time:yes
hostid:8a7c44ae-42fa-11e8-aedf-ac1f6b832546
hostid_strict_check:off
interfaces:vnet0:bridge0
ip4:new
ip4_addr:vnet0|10.0.2.2/16
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/smtp/data
jail_zfs_mountpoint:none
last_started:2018-05-20 00:12:43
login_flags:-f root
mac_prefix:02ff60
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.1-RELEASE-p10
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:on
vnet0_mac:02ff604d86e8,02ff604d86e9
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_interfaces:none
wallclock:off

ifconfig for FreeNAS:
Code:
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
   ether ac:1f:6b:83:25:46
   hwaddr ac:1f:6b:83:25:46
   inet 10.0.0.4 netmask 0xffff0000 broadcast 10.0.255.255
   nd6 options=9<PERFORMNUD,IFDISABLED>
   media: Ethernet autoselect (1000baseT <full-duplex>)
   status: active
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
   ether ac:1f:6b:83:25:47
   hwaddr ac:1f:6b:83:25:47
   nd6 options=9<PERFORMNUD,IFDISABLED>
   media: Ethernet autoselect
   status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 02:50:06:73:13:00
   nd6 options=1<PERFORMNUD>
   groups: bridge
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
   maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
   root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
   member: vnet0:2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
		   ifmaxaddr 0 port 5 priority 128 path cost 2000
vnet0:2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   description: associated with jail: smtp
   options=8<VLAN_MTU>
   ether 02:ff:60:4d:86:e8
   hwaddr 02:cf:50:00:05:0a
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair

ifconfig from inside jail:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=8<VLAN_MTU>
   ether 02:ff:60:4d:86:e9
   hwaddr 02:cf:a0:00:06:0b
   inet 10.0.2.2 netmask 0xffff0000 broadcast 10.0.255.255
   nd6 options=1<PERFORMNUD>
   media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
   status: active
   groups: epair

The routes inside the jail also look good. But pings all fail with "Host is down." What's left undone?
 

Jailer

The routes inside the jail also look good.
No it doesn't. You created your jail on a different subnet than what is listed for the default router. There's no way that jail is going to be able to communicate with anything.
 

ewhac

No it doesn't. You created your jail on a different subnet than what is listed for the default router. There's no way that jail is going to be able to communicate with anything.
Could you be more specific where the mistake is? Near as I can tell, all those IP addresses should all be on the same /16 subnet (10.0.x.x), so 10.0.2.2 should have no trouble talking to 10.0.0.1.

(My current theory is that the igb0 interface isn't a member of bridge0. I can't figure out who's responsible for setting that up; the old warden stuff seemed to do it automagically.)
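
Both explanations raised in this thread (jail address versus default router subnet, and whether the physical NIC is a member of the jail's bridge) can be checked mechanically from the output already posted. The following is an added example, not part of any post: the sample strings are trimmed from the `iocage get -a smtp` and host `ifconfig` output above, and the function names and the `uplink` parameter are made up for illustration.

```python
import ipaddress
import re

# Constructed samples, trimmed from the iocage and host ifconfig output in the thread.
JAIL_CONFIG = """\
defaultrouter:10.0.0.1
interfaces:vnet0:bridge0
ip4_addr:vnet0|10.0.2.2/16
"""
HOST_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   inet 10.0.0.4 netmask 0xffff0000 broadcast 10.0.255.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   member: vnet0:2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
vnet0:2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   groups: epair
"""

def parse_props(text):
    """Turn `key:value` lines into a dict, splitting on the first colon only."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def bridge_members(ifconfig_text, bridge):
    """Return the interfaces listed as `member:` under the given bridge stanza."""
    members, current = [], None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():   # unindented line opens a new stanza
            current = line.split(": flags=", 1)[0]
        elif current == bridge:
            m = re.match(r"\s+member: (\S+)", line)
            if m:
                members.append(m.group(1))
    return members

def diagnose(jail_config, host_ifconfig, uplink):
    """List reasons the vnet jail cannot reach its default router (empty if none found)."""
    props = parse_props(jail_config)
    findings = []
    iface = ipaddress.ip_interface(props["ip4_addr"].split("|", 1)[1])
    if ipaddress.ip_address(props["defaultrouter"]) not in iface.network:
        findings.append("defaultrouter %s is outside %s" % (props["defaultrouter"], iface.network))
    bridge = props["interfaces"].split(":", 1)[1]   # "vnet0:bridge0" -> "bridge0"
    if uplink not in bridge_members(host_ifconfig, bridge):
        findings.append("%s is not a member of %s" % (uplink, bridge))
    return findings

if __name__ == "__main__":
    for finding in diagnose(JAIL_CONFIG, HOST_IFCONFIG, "igb0"):
        print(finding)
```

On FreeBSD, `ifconfig bridge0 addm igb0` is the command that adds a physical interface to a bridge.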
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I'm no network expert, but it looks to me like you've created the jail on 10.0.2.x whilst everything else is on 10.0.0.x?
 

Jailer

Near as I can tell, all those IP addresses should all be on the same /16 subnet (10.0.x.x), so 10.0.2.2 should have no trouble talking to 10.0.0.1.
That's not how it works. /16 is the subnet mask. The first three octets of the IP address have to be the same to be in the same subnet with the last octet denoting the specific address of the device in that network segment.

You should do some research on proper network structure before you go any further.

https://en.wikipedia.org/wiki/Private_network
 

danb35

That's not how it works. /16 is the subnet mask. The first three octets of the IP address have to be the same to be in the same subnet with the last octet denoting the specific address of the device in that network segment.
Wait, what? Why are private networks limited to Class C subnets?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
Wait, what? Why are private networks limited to Class C subnets?
They aren't. The standard private IP ranges are:
Code:
class C: 192.168.0.0/16 (255.255.0.0) : 192.168.0.0 – 192.168.255.255
class B: 172.16.0.0/12 (255.240.0.0) : 172.16.0.0 – 172.31.255.255
class A: 10.0.0.0/8 (255.0.0.0) : 10.0.0.0 – 10.255.255.255


In this case though /16 would indeed indicate that 10.0.2.2 can't talk to 10.0.1.1 unless a static route is present to connect them.
 