Unexpected Plugin/Jail IP address assignment behavior

[Cainram]

In the Morning!

I'm running firmware version FreeNAS-9.2.1.6-RELEASE-x64. In the past I have used my Jails configuration page to determine the IP address assigned to a newly created jail. It is a production machine and here at work we use static IPs for almost everything. When I am setting up a new jail, I NEED it to be assigned a particular IP address upon creation because if it uses an address already in use there could be (and has been in the past - my fault that time...) a conflict.

What I usually do is set the start and end network address ranges in the jails configuration page to the value I want the next jail created to use. Yes, I set them both to the same value. This has always worked in the past. This most recent time, however, I set both values to 10.6.18.22 and then installed the Owncloud plugin as per usual. A jail was automatically created and I didn't get any error messages. When I checked the Jails page, I saw that the jail had been assigned the address 10.6.18.24. What gives? (subnet looks like this: 10.6.18.0/24)

Is there any way to assign a plugin jail an IP address before it is created? Is there any way to install plugins from the repository to an existing jail without manually downloading a PBI? Can jails be set to use DHCP? Any ideas would be helpful.

I know that the 'answer' is to set aside a small range of IP addressses on the network for use with newly created jails and then just change the address of the jail after it is created, then restart the jail. This is problematic, however, if the jail creation routine doesn't respect the range set in the configuration page.

The workaround I am going to use for now is to create a new subnet and set aside a range of IP addresses there for use with jail creation. I'll then move the jails over after testing.

Any input would be much appreciated.

 

[DrKK]

So, I never use the plugins, so I don't know what the dialog is there, but on the "regular" jails that you create, right on the front screen, front and center, you can set the IP address you want to use.

I think what's going on here, really, is that anyone advanced enough to be assigned specific static IP's to jails won't be using the plugins anyway, so no one ever thought about it. (I just build all the same stuff, myself, in normal jails, for example). Still, if the plugin jails don't give you a chance to choose your IP, that does seem weird. Can anyone confirm that? Seems like it might rise to the level of "bug".

 

[dlavigne]

Plugins were designed for users who just want to click "Install" without worrying about any of the background jail configuration. Jails were designed for those users who want more control over their jail environments.

 

[Cainram]

Both of those responses make sense. As far as the issue of not being able to choose the IP address of a jail while installing a plugin, an argument could be made that 'it is a feature, not a bug'. I understand that the whole point of having a plugin system is making it as simple as possible. However, if I were going to choose one thing that could be input by the user it would be an opportunity to choose a static IP or DHCP at the time of installation.

Moving on to the part about the jail's being assigned an address outside of the range I had set. Has anyone else experienced this behavior or is this considered a bug? Is it because the range is only one address?

If anyone has any ideas, I'd appreciate the input.

Thanks again!

 

[cyberjock]

If the jails are outside their assigned address then things do break. I put in a ticket to have the range and jails checked against each other a few weeks ago to prevent this user-error.

What you need to do is assign the range of IPs and then create the jail. I'm confused on why you'd set it to just one IP as that's not what the WebGUI is wanting in that field. It's wanting a range of IPs you can use.

 

[Cainram]

Hey, cyberjock, I'm glad you chimed in. I was under the impression that the IP range in the jails configuration area was just for doling out IP addresses to jails automatically created during plugin installation. You are saying that jails won't operate properly if they are assigned IPs outside the given range? That is REALLY good to know. After quickly reviewing the manual, I did not see this data point covered. The only warning I saw was to be sure to change the IP address of the jail from the jail configuration GUI and not the command line of the jail.

As far as my restricting the range of IP addresses to one address, I was trying to force the jail creation portion of the plugin installation routine to use a particular IP address. I wanted to use 10.8.6.22 and 10.6.8.21 and 10.6.8.23 were already in use. I understand that this is certainly not best practice but I have found that doing things the 'wrong' way is often a good way to find bugs (and break things, but...) And if the bit about keeping jails within the defined range of addresses after creation is in the manual somewhere that I missed, please point me in the right direction so I may cite it in our company's internal wiki.

Anyway, we are creating a new class B subnet here at work just for experimental stuff like this so it won't be a problem in the future. I just wanted to have a little dialog about what I found and bounce it off of you all.

Thanks.

 

[cyberjock]

No, it seems to do something with the network stack in FreeNAS. Not sure what. Someone else a few weeks ago had a jail outside the range he set and it was borked. As soon as he moved the jail inside the range (or expanded the range, I forget which) his problems were solved.

9.3 will do a sanity check and if your jail doesn't fit within the range it won't let you create the jail. Likewise, if you change the range and any jails are inside that range it won't let you change the range.

The manual explains the purpose of the range pretty clearly to me.. do you disagree?

Review the default values of the "IPv4 Network Start Address" and "IPv4 Network End Address" to determine if that range is appropriate for the number of jails that you will create. If there is a DHCP server on the network, make sure that this range of addresses is excluded from the scope of the DHCP server. As jails are created, they will automatically be assigned the next free IP address within the range specified by these two values.

 

[Cainram]

I just didn't read between the lines to take it as a warning to KEEP the jails within this range. The fact that jails must continue to operate within that range due to the way the networking stack operates isn't explicitly expressed; I just took the IP range setting to be a kind of 'dumb DHCP' function that would hand out IP addresses in a predetermined range and prevent conflicts on the network.

I think many people will mistakenly think of jails like virtual machines (which they are not) and think they can just move them around all over the network with impunity (which apparently, they can't).

The sanity check in the upcoming version will go a long way toward preventing others from misunderstanding the manual like I did.