Hello Dave, Tuesday, December 16, 2025, 10:39:55 PM, you wrote:
> On Wed, 10 Dec 2025, at 11:10, Anthony Pankov wrote:
>> Hello,
>>
>> I'm again facing the problem of providing a host-wide interface to all jails in a host.

> Hi Anthony,
> You can run local_unbound for exactly this purpose, chrooted on the jail host, bound to a jails-only loopback interface lo1, say on 10.0.0.0/8. It can listen on an IP that's accessible from all jails. You can use the new svcj support (service jail) to improve the security a bit further, but I've not tried this yet.

I did that in my previous iteration, and the bad thing for me is the necessity to manually assign addresses to jails: 10.0.0.1, 10.0.0.2, 10.0.0.3, etc., and to do that on every host and keep it current as jails are added/removed.

> I have other services like haproxy that run on jails; the same lo1 network is used on each jail host to provide generic services to all jails. pf rules make the traffic go the right way; if you want to run your own jailed DNS services there's not really anything that should stop you doing this.
> I can share my ansible config for this privately if that's of interest.

Thank you, Dave. I'm trying to move everything from the base system into jails so that any update/upgrade is safe by design for basic host functioning. And I'm trying to make it as native as I can, without traffic manipulation.

> A+
> Dave

-- 
Best regards,
Anthony
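As an added illustration of the setup Dave describes and the per-jail addressing Anthony objects to (example configuration written for this page, not taken from either correspondent), the host-side pieces on FreeBSD would look roughly like this; the interface lo1 and the 10.0.0.0/8 range come from the thread, while the listener address 10.0.0.1, the per-jail address 10.0.0.2, the jail name and the access-control lines are assumptions:

```conf
# /etc/rc.conf on the jail host (assumed example)
# lo1 is the jails-only loopback; the resolver listens on its first address.
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1/8"
local_unbound_enable="YES"

# /var/unbound/unbound.conf, the config local_unbound uses (assumed example)
# Chrooted, bound only to the lo1 address, and answering only the jail range,
# so the resolver is never reachable from outside the host.
server:
    chroot: /var/unbound
    interface: 10.0.0.1
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

# /etc/jail.conf, one entry per jail (assumed example)
# This is the manual step Anthony describes: every jail needs its own
# address on lo1, chosen and recorded by hand on each host.
web {
    ip4.addr = "lo1|10.0.0.2/32";
}

# /etc/resolv.conf inside each jail (assumed example)
nameserver 10.0.0.1
```

The access-control refusal for 0.0.0.0/0 matters because an unbound listener that answers any source is an open resolver if the address ever becomes routable; binding to lo1 and restricting the range keeps the blast radius to the jails on that host.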
