Hello Andrew,

Friday, December 12, 2025, 12:46:06 PM, you wrote:

>> I'm again facing the problem of providing a host-wide interface to all jails 
>> in a host.
>> I want (for example) that there is a jail with unbound (DNS resolver/cacher) 
>> inside, bound to a host-wide interface. The host-wide interface has a well 
>> known address (IPv6 1::1/128 for example).
>> All other jails simply put "nameserver 1::1" in their resolv.conf.
>> 
>> The problem is that jails can't share one IP address ("address clashes") and 
>> can't "inherit" one interface only. Inheriting is for a whole network as I 
>> see.
>> 
>> Maybe someone has some suggestions?

> Maybe I misunderstood your requirement, but isn't it sufficient to add an IP 
> alias to your host's interface, and assign that IP to the jail? It can be done 
> easily at the jail's startup (i.e., if your host has an igb0 interface: 
> ip4.addr="igb0|172.16.0.1/32").

The problem is you can't start another jail with ip4.addr="igb0|172.16.0.1/32".

Imagine you have a jail with "unbound" (DNS cache/resolver) and the other jails in a 
host will not care about DNS, they just use IPu of the "unbound jail" (host-wide 
service). No firewall, no packet leaks. No work at all inside jails for DNS.
Then you want another service, say an http proxy. You have another jail which 
provides an http proxy for all jails in a host. So it is a proxy host-wide service 
(on IPp). Other jails in a host will use IPp for proxying.

The problem is that all jails in a host must be manually adjusted to use IPu for 
DNS and IPp for proxy. Things get worse if you consider more than one host.  
Copying a jail to another host entails configuration adjustment, replacing IPu 
and IPp by IPu2 and IPp2 specific to that host.

The general idea is to move the recurring binding to a service (or services) from inside 
jails out to a separate jail. So you don't need to configure it in each jail. 
Further, different hosts in different places may have specific configuration 
for, say, http proxying. But if a jail is configured to use the local host-wide 
service it doesn't care.

The ideal solution is to have a well-known local IPw for host-wide services on 
every host. If a jail relies on a host-wide service it is configured once for IPw. If 
a jail provides a host-wide service it binds to IPw.


> --
> Andrew


-- 
Best regards,
Anthony
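As an added illustration of the alias approach Andrew describes above (not configuration from either poster), here is a jail.conf fragment that keeps the host-wide resolver address in one place. It assumes the host interface igb0, the address 172.16.0.1, jails rooted at /jails/$name, and that jail.conf treats an unrecognised parameter name as a user variable; it does not change the fact that only one jail can own that address.

```conf
# Added example jail.conf fragment (assumed values, not from the thread).
# Host-wide resolver address, defined once so a host can change it in one place.
ipu = "172.16.0.1";
path = "/jails/$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# The resolver jail is the only jail that may own the alias on igb0.
unbound {
    ip4.addr = "igb0|${ipu}/32";
}

# Every other jail only references the variable; the host writes the
# resolver address into the jail's resolv.conf before the jail starts.
www {
    ip4.addr = "igb0|172.16.0.10/32";
    exec.prestart = "printf 'nameserver %s\n' ${ipu} > ${path}/etc/resolv.conf";
}
```

Moving the jail to another host only requires changing the single `ipu` line there, which is the per-host adjustment the message above is trying to avoid doing inside each jail.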

