How To: Change IP address of FreeBSD Jail

June 24, 2010

JAIL: edit rc.conf and change ip address

# nano -w /etc/rc.conf
ifconfig_bge0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0" <-- modify this line

JAIL: edit /etc/hosts if to-be-changed static-ip exists in file (replace with new ip)

# nano -w /etc/hosts

JAIL: edit /etc/resolv.conf if to-be-changed static-ip exists in file (replace with new ip)

# nano -w /etc/resolv.conf

HOST: edit rc.conf and change ip address on ifconfig line and jail line

# nano -w /etc/rc.conf
ifconfig_bge0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0" <-- modify this line
jail_apachejail_ip="xxx.xxx.xxx.xxx"  <-modify this line

HOST: edit /etc/hosts if to-be-changed static-ip exists in file (replace with new ip)

# nano -w /etc/hosts

HOST: edit /etc/resolv.conf if to-be-changed static-ip exists in file (replace with new ip)

# nano -w /etc/resolv.conf

JAIL: edit sshd_conf and change listening IP to new ip

# nano -w  /etc/ssh/sshd_config
ListenAddress xxx.xxx.xxx.xxx  <--modify this line

JAIL: Don’t forget to edit your /usr/local/etc/apache22/httpd.conf and change listening ip!

HOST: find out which jail is running & kill it (when it is killed, the ‘jls’ command won’t show the jail anymore)

# 11:01:08[root@host]   $ jls
JID  IP Address      Hostname                      Path
4  xxx.xxx.xxx.xxx   yourjail_hostname       /usr/jails/apachejail
11:05:38[root@host]   $ jexec 4 kill -TERM -1
11:06:11[root@host]   $ jls
11:10:36[root@host]   $

HOST: Restart networking over ssh

# /etc/rc.d/netif restart && /etc/rc.d/routing restart
Stopping network: lo0 bge0.
lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843 mtu 1500
options=1b
inet6 fe80::206:5bff:fef3:1dca%bge0 prefixlen 64 scopeid 0x1
inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
inet xxx.xxx.xxx.101 netmask 0xffffffff broadcast xxx.xxx.xxx.101
inet xxx.xxx.xxx.141 netmask 0xffffffff broadcast xxx.xxx.xxx.141
inet xxx.xxx.xxx.10 netmask 0xffffffff broadcast xxx.xxx.xxx.10
inet xxx.xxx.xxx.180 netmask 0xffffffff broadcast xxx.xxx.xxx.180
inet xxx.xxx.xxx.181 netmask 0xffffffff broadcast xxx.xxx.xxx.181
inet xxx.xxx.xxx.228 netmask 0xffffffff broadcast xxx.xxx.xxx.228
ether 00:06:5b:f3:1d:ca
media: Ethernet autoselect (100baseTX )
status: active
add net default: gateway xxx.xxx.xxx.1
Additional routing options:.
11:11:40[root@host]   $

HOST: Start the jail

# 11:14:00[root@host]   $ jail /usr/jails/apachejail hostname_jail xxx.xxx.xxx.101 /bin/sh /etc/rc
Loading configuration files.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/mysql
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Creating and/or trimming log files:.
Starting syslogd.
Clearing /tmp (X related).
/etc/rc: WARNING: /usr/local/etc/smb.conf is not readable.
Starting local daemons:.
Updating motd.
Starting mysql.
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
Starting sshd.
/etc/mail/sendmail.cf: WARNING: dangerous write permissions
Starting cron.
Local package initialization:.

HOST: Find out what number the jail was assigned and jexec to bash prompt

# 11:14:00[root@host]   $ jls
JID  IP Address      Hostname            Path
5  xxx.xxx.xxx.101  hostname_jail    /usr/jails/apachejail
11:16:56[root@host]   $
Thu Apr  2 16:14:00 UTC 2009
11:14:00[root@host]   $
11:16:56[root@host]   $ jexec 5 bash
16:17:26[root@hostname_jail]  / $

JAIL: run ifconfig and make sure jail is using new ip

# 16:17:26[root@hostname_jail]  / $ ifconfig
bge0: flags=8843 mtu 1500
options=1b
inet xxx.xxx.xxx.101 netmask 0xffffffff broadcast xxx.xxx.xxx.101
ether 00:06:5b:f3:1d:ca
media: Ethernet autoselect (100baseTX )
status: active
bge1: flags=8802 mtu 1500
options=1b
ether 00:06:5b:f3:1d:cb
media: Ethernet autoselect (none)
status: no carrier
em0: flags=8802 mtu 1500
options=b
ether 00:02:b3:c3:0c:63
media: Ethernet autoselect
status: no carrier
lo0: flags=8049 mtu 16384

JAIL: do a netstat -an and make sure you are listening on port 22 (for ssh)

# 16:18:06[root@hostname_jail]  / $ netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  xxx.xxx.xxx.101.25      *.*                    LISTEN
tcp4       0      0  xxx.xxx.xxx.101.22      *.*                    LISTEN
tcp4       0      0  xxx.xxx.xxx.101.80      *.*                    LISTEN
tcp4       0      0  xxx.xxx.xxx.101.3306    *.*                    LISTEN
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
ca49b348 stream      0      0 cdd71220        0        0        0 /tmp/mysql.sock
c94af08c dgram       0      0        0 c94cf2bc        0 ca49b71c
ca49b71c dgram       0      0        0 c94cf2bc        0        0
c94cf2bc dgram       0      0 ccc31660        0 c94af08c        0 /var/run/logpriv
c94cf230 dgram       0      0 cf8d4880        0        0        0 /var/run/log

JAIL: restart apache if paranoid

# apachectl -k graceful

HOST: open a socket for the jail (so it can use the internet, ping machines, etc)

# sysctl security.jail.allow_raw_sockets=1

I Can’t SSH to machine!

JAIL: see if sshd is running, if it is kill it, then restart it, also check /etc/ssh/sshd_config

# ps auwx | grep 'sshd'
# kill -HUP
# /usr/sbin/sshd

I Can’t ping anything!! WTF!!!

HOST: you need to open a socket

# 10:57:28[root@host]  etc $ sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1