using localhost in a jail

Marian Cerny jojo at matfyz.cz
Thu Jul 3 07:04:02 CEST 2008


On 2008-07-02 22:31 +0200, Miroslav Lachman wrote:
> I know that a jail is assigned a single IP address when it is started, and
> that is the only one visible in the ifconfig output inside the jail.
> Nevertheless, localhost is somehow usable in the jail, but not quite the way
> it is on a system outside the jail.

A jail can have only one IP address. Since UNIX applications frequently use
the loop-back interface 127.0.0.1, this is handled in the jail by a trick:
the IP address 127.0.0.1 is replaced by the IP address assigned to the jail.

I am quoting the relevant passage from "Jails: Configuring the omnipotent root".
More at http://phk.freebsd.dk/pubs/sane2000-jail.pdf.

    6.4. Restriction to one IP number.

    Restricting TCP and UDP access to just one IP number was done almost
    entirely in the code which manages "protocol control blocks". When a
    jailed process binds to a socket, the IP number provided by the
    process will not be used, instead the pre-configured IP number of
    the jail is used.

    BSD based TCP/IP network stacks sport a special interface, the
    loop-back interface, which has the "magic" IP number 127.0.0.1. This
    is often used by processes to contact servers on the local machine,
    and consequently special handling for jails were needed. To handle
    this case it was necessary to also intercept and modify the
    behaviour of connection establishment, and when the 127.0.0.1
    address were seen from a jailed process, substitute the jails
    configured IP number.

I think this "problem" will be solved by vimage (The FreeBSD network stack
virtualization, http://wiki.freebsd.org/NetworkVirtualization), where it
will be possible to create a jail with its own IP stack, with a separate
firewall and so on for it.

> To let Postfix talk to Amavis, I had to allow access from the address
> 172.16.16.3 in both of them (by default access is allowed only from
> 127.0.0.1).

It should now be clear why that is.

I will give one more example where I had to adjust the configuration
because of 127.0.0.1. On most servers I use a caching BIND, so the first
nameserver listed in /etc/resolv.conf is 127.0.0.1. For jails I solved it
by installing BIND in the host environment and having it listen on all
available interfaces. BIND is then reachable from all the jails as well,
but even so the nameserver 127.0.0.1 in resolv.conf does not work, because
the DNS query was sent to 127.0.0.1 but the answer arrives from the jail's
IP address, and the resolver checks whether the answer's IP address matches
(since it is UDP). The fix was to put the jail's IP address in resolv.conf
instead of 127.0.0.1.

Marian
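As an added illustration, not part of Marian's post or of FreeBSD's own code: a small Python script that probes whether a bind to 127.0.0.1 is rewritten to another address, models the stub resolver's UDP source-address check that makes "nameserver 127.0.0.1" fail inside a jail, and applies the resolv.conf fix described above. The sample resolv.conf is constructed; 172.16.16.3 is the jail address mentioned in the thread.

```python
import socket

LOOPBACK = "127.0.0.1"


def probe_loopback_rewrite():
    """Bind a UDP socket to 127.0.0.1 and report the address the kernel really
    used. Outside a jail getsockname() returns 127.0.0.1; inside a classic
    (pre-VIMAGE) FreeBSD jail the bind address is replaced by the jail's IP."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((LOOPBACK, 0))
        bound_ip = s.getsockname()[0]
    except OSError:
        return None  # no usable loopback in this environment
    finally:
        s.close()
    return {"requested": LOOPBACK, "bound": bound_ip, "rewritten": bound_ip != LOOPBACK}


def usable_nameservers(resolv_conf, jail_ip, rewritten=True):
    """Model of the failure from the post: the resolver sends a UDP query to each
    'nameserver' entry and accepts only an answer whose source address equals
    the address it queried. With loopback rewriting, a query to 127.0.0.1 is
    answered from jail_ip, so that entry is rejected."""
    ok, rejected = [], []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        queried = parts[1]
        answer_src = jail_ip if (rewritten and queried == LOOPBACK) else queried
        (ok if answer_src == queried else rejected).append(queried)
    return ok, rejected


def fix_resolv_conf(resolv_conf, jail_ip):
    """The fix from the post: replace 'nameserver 127.0.0.1' with the jail's IP."""
    lines = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver" and parts[1] == LOOPBACK:
            lines.append(f"nameserver {jail_ip}")
        else:
            lines.append(line)
    return "\n".join(lines) + "\n"


# Constructed sample resolv.conf as a jail might carry it (not from the post).
SAMPLE_RESOLV = "search example.test\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"
JAIL_IP = "172.16.16.3"  # jail address mentioned in the thread

if __name__ == "__main__":
    print(probe_loopback_rewrite())
    print(usable_nameservers(SAMPLE_RESOLV, JAIL_IP))
    print(fix_resolv_conf(SAMPLE_RESOLV, JAIL_IP), end="")
```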