Making Jails network DHCP in Truenas Scale with jailmaker

davistw · May 1, 2024, 2:31pm

I have seen discussions on how to create static addresses for jails. I would like for a jail to get its address from DHCP. I normally assign addresses via DHCP reservation and would like to do this with my jails. How do I do this?

pmh · May 1, 2024, 2:39pm

TrueNAS CORE with FreeBSD jails? Activate VNET and DHCP.

Make sure to statically create and assign your bridge interface beforehand.

davistw · May 1, 2024, 3:09pm

Sorry Truenas Scale with Jailmaker. I edited the post to identify this correctly…Thanks for the post though.

kris · May 1, 2024, 3:15pm

Details on how to do this are on the Jailmaker Wiki under the Networking section:

github.com

Jip-Hop/jailmaker/blob/main/NETWORKING.md

# Jailmaker

## Advanced Networking

These are notes on advanced networking setup you may want to try. Contributions are welcome!

### Bridge Networking

As an alternative to the default host networking mode, you may want to connect to a bridge interface instead and let the jail obtain its IP address via DHCP (although you may have to be patient for up to 20 seconds after the jail started for networking to work, [assigning the IP address is somehow slow](https://github.com/Jip-Hop/jailmaker/issues/7)).

[This YouTube video](https://www.youtube.com/watch?v=7clQw132w58) may be helpful when setting up the bridge interface. Note: You may lock yourself out... It may take several tries... TrueNAS is a bit picky when switching IP addresses and toggling DHCP. May be helpful to connect a monitor and keyboard to the NAS and use `/etc/netcli` to reset the networking interface. Kept bothering with "Register Default Gateway" warning... I just clicked Cancel.

Add the `--network-bridge=br1 --resolv-conf=bind-host` systemd-nspawn flag when asked for `Additional flags` during jail creation, or set it post-creation by [editing](./README.md#edit-jail-config) the `SYSTEMD_NSPAWN_USER_ARGS` variable inside the `config` file.

The TrueNAS host and the jail will be able to communicate with each other as if the jail was just another device on the LAN. It will use the same DNS servers as the TrueNAS host because the `--resolv-conf=bind-host` option bind mounts the `/etc/resolv.conf` file from the host inside the jail. If you want to use the DNS servers advertised via DHCP, then check [DNS via DHCP](#dns-via-dhcp).

To configure a **static IP** with our bridge interface, we need to edit the `80-container-host0.network` file located in `/etc/systemd/network`. Change the `[Network]` section to look like this:

```ini
[Network]

This file has been truncated. show original

davistw · May 1, 2024, 3:28pm

Gotcha, Thanks. I guess reading is my downfall. I stopped reading when it described how to Static an address. If I dont do the static I guess it does dhcp. Thanks again…

davistw · May 1, 2024, 5:36pm

Thanks for the direction. However when i set the config it still does not do dhcp. Here is the message I am seeing…

root@myjail:/etc/systemd/network# systemctl status systemd-networkd
○ systemd-networkd.service - Network Configuration
Loaded: loaded (/lib/systemd/system/systemd-networkd.service;
enabled; preset: enabled)
Active: inactive (dead)
TriggeredBy: ○ systemd-networkd.socket
Condition: start condition failed at Wed 2024-05-01 12:11:57 CDT; 5min ago
└─ ConditionCapability=CAP_NET_ADMIN was not met
Docs: man:systemd-networkd.service(8)
man:org.freedesktop.network1(5)

May 01 12:11:57 myjail systemd[1]: systemd-networkd.service - Network Configuration was skipped because of an unmet condition check
(ConditionCapability=CAP_NET_ADMIN).

kris · May 1, 2024, 5:53pm

I’d have to defer to @Jip-Hop since I’ve not set this up myself. Not sure if the guide needs updating, but it seems like it needs CAP_NET_ADMIN enabled from those error messages

Jip-Hop · May 1, 2024, 6:18pm

When using bridge or macvlan networking your jail will by default get the IP address via DHCP. Then you just make this a static lease in your router. Did you try this? Perhaps if you post here you’ll get some more help: Linux Jails (sandboxes / containers) with Jailmaker

davistw · May 1, 2024, 7:22pm

Sorry I didn’t realize there was a thread that was specifically for Jailmaker. Since you already replied would you like me to move my discussion to that thread?

My Truenas system is configured to talk static on br1 at 192.168.18.2/24
What i did was create a Jail and it ifconfigs as 192.168.18.2.
Then I edited the /mnt/…jail config as follows
uncommented the --network-bridge=br1 --resolv-conf=bind-host line
Restarted the jail
ifconfig shows no change to IP and I get the error documented about about CAP_NET_ADMIN.

BTW thanks for jailmaker it is a GREAT add to scale…

Stux · May 2, 2024, 2:06am

And the MAC address of the jail is hashed from its name, so as long as the jail isn’t renamed, it will get the same static lease… even if you recreate it

Jip-Hop · May 2, 2024, 5:24am

Please post your full config file.

Jip-Hop · May 2, 2024, 5:48am

As well as all output from jlmkr start yourjailname. Make sure you stop the jail before starting it.

Stux · May 2, 2024, 5:59am

It occurred to me that the OP may not realise that DHCP works, because it takes so long to acquire the DHCP lease at startup.

It takes about 30-45s.

davistw · May 2, 2024, 1:22pm

Thanks for the help.

My Config:
root@TrueNas[/mnt/APPS/jailmaker/jails/myjail]# more config
startup=0
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
docker_compatible=0

# Add additional systemd-nspawn flags
# E.g. to mount host storage in the jail (--bind-ro for readonly):
# --bind='/mnt/pool/dataset:/home' --bind-ro=/etc/certificates
# E.g. macvlan networking:
# --network-macvlan=eno1 --resolv-conf=bind-host
# E.g. bridge networking:
--network-bridge=br1 --resolv-conf=bind-host
# E.g. add capabilities required by docker:
# --system-call-filter='add_key keyctl bpf'
systemd_nspawn_user_args=

# Specify command/script to run on the HOST before starting the jail
# For example to load kernel modules and config kernel settings
pre_start_hook=
# pre_start_hook=#!/usr/bin/bash
#     set -euo pipefail
#     echo 'PRE_START_HOOK_EXAMPLE'
#     echo 1 > /proc/sys/net/ipv4/ip_forward
#     modprobe br_netfilter
#     echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
#     echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

# Specify a command/script to run on the HOST after stopping the jail
post_stop_hook=
# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'

# Only used while creating the jail
distro=debian
release=bookworm

# Specify command/script to run IN THE JAIL before the first start
# Useful to install packages on top of the base rootfs
# NOTE: this script will run in the host networking namespace and
# ignores all systemd_nspawn_user_args such as bind mounts
initial_setup=
# initial_setup=bash -c 'apt-get update && apt-get -y upgrade'

# Usually no need to change systemd_run_default_args
systemd_run_default_args=--collect
        --property=Delegate=yes
        --property=RestartForceExitStatus=133
        --property=SuccessExitStatus=133
        --property=TasksMax=infinity
        --property=Type=notify
        --setenv=SYSTEMD_NSPAWN_LOCK=0
        --property=KillMode=mixed

# Usually no need to change systemd_nspawn_default_args
systemd_nspawn_default_args=--bind-ro=/sys/module
        --boot
        --inaccessible=/sys/module/apparmor
        --quiet
        --keep-unit

My startup:
root@TrueNas[/mnt/APPS/jailmaker]# jlmkr start myjail

Starting jail myjail with the following command:

systemd-run --collect --property=Delegate=yes --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=TasksMax=infinity --property=Type=notify --setenv=SYSTEMD_NSPAWN_LOCK=0 --property=KillMode=mixed --unit=jlmkr-myjail --working-directory=./jails/myjail '--description=My nspawn jail myjail [created with jailmaker]' -- systemd-nspawn --bind-ro=/sys/module --boot --inaccessible=/sys/module/apparmor --quiet --keep-unit --machine=myjail --directory=rootfs

Running as unit: jlmkr-myjail.service
root@TrueNas[/mnt/APPS/jailmaker]#

davistw · May 2, 2024, 1:36pm

Thanks but I fully understand the dhcp discover/offer/request/acknowledge handshake process and I saw the delay post and waited a few minutes for it to work.

Jip-Hop · May 2, 2024, 1:46pm

You’re supposed to add the flags after systemd_nspawn_user_args=. Please have a look at the other (multiline) config values in the config file and jailmaker/templates/docker/config at main · Jip-Hop/jailmaker · GitHub

Perhaps try the interactive create process wizard. It should protect you from mistakes made by manually editing the config file.

davistw · May 2, 2024, 2:48pm

I understand I thought the config meant that uncommenting the lines automaticly added it and the systemd_nspawn_user_args= was for anything other than the defaults above…

So I did what you recommended and did a default jail create taking the default Y/N and when it prompted for systemd settings I added
–network-bridge=br1–resolv-conf=bind-host.
When it started the jail it threw the following error

Starting jail myjail with the following command:

systemd-run --collect --property=Delegate=yes --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=TasksMax=infinity --property=Type=notify --setenv=SYSTEMD_NSPAWN_LOCK=0 --property=KillMode=mixed --unit=jlmkr-myjail --working-directory=./jails/myjail ‘–description=My nspawn jail myjail [created with jailmaker]’ – systemd-nspawn --bind-ro=/sys/module --boot --inaccessible=/sys/module/apparmor --quiet --keep-unit --machine=myjail --directory=rootfs --network-bridge=br1 --resolv-conf=bind-host

Job for jlmkr-myjail.service failed.
See “systemctl status jlmkr-myjail.service” and “journalctl -xeu jlmkr-myjail.service” for details.

Failed to start jail myjail…
In case of a config error, you may fix it with:
jlmkr edit myjail

The config shows:
systemd_nspawn_user_args=–network-bridge=br1
–resolv-conf=bind-host

Looking at systemctl status jlmkr-myjail.service shows:
Unit jlmkr-myjail.service could not be found.
root@TrueNas[/mnt/APPS/jailmaker/jails/myjail]# journalctl -xeu jlmkr-myjail.service
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit jlmkr-myjail.service has begun execution.
░░
░░ The job identifier is 86763.
May 02 09:38:56 TrueNas systemd-nspawn[2567666]: Failed to add interface vb-myjail to bridge br1: No such device
May 02 09:38:56 TrueNas systemd-nspawn[2567668]: Parent died too early
May 02 09:38:56 TrueNas systemd[1]: jlmkr-myjail.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ An ExecStart= process belonging to unit jlmkr-myjail.service has exited.
░░
░░ The process’ exit code is ‘exited’ and its exit status is 1.
May 02 09:38:56 TrueNas systemd[1]: jlmkr-myjail.service: Failed with result ‘exit-code’.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ The unit jlmkr-myjail.service has entered the ‘failed’ state with result ‘exit-code’.
May 02 09:38:56 TrueNas systemd[1]: Failed to start jlmkr-myjail.service - My nspawn jail myjail [created with jailmaker].
░░ Subject: A start job for unit jlmkr-myjail.service has failed
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit jlmkr-myjail.service has finished with a failure.
░░
░░ The job identifier is 86763 and the job result is failed.

Thanks again for the help…

Jip-Hop · May 2, 2024, 3:12pm

Do you have a bridge interface called br1? It appears not:

Failed to add interface vb-myjail to bridge br1: No such device

davistw · May 2, 2024, 3:40pm

Yes, Here is an ifconfig of the sysem:
root@TrueNas[~]# ifconfig
br01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
** inet 192.168.18.2 netmask 255.255.255.0 broadcast 192.168.18.255**
** ether 5a:cf:af:5c:27:87 txqueuelen 1000 (Ethernet)**
** RX packets 4373161 bytes 10477934792 (9.7 GiB)**
** RX errors 0 dropped 25492 overruns 0 frame 0**
** TX packets 1011106 bytes 139038947 (132.5 MiB)**
** TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0**

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1a03:73ff:fef8:2d6f prefixlen 64 scopeid 0x20
ether 18:03:73:f8:2d:6f txqueuelen 1000 (Ethernet)
RX packets 12848320 bytes 12600316837 (11.7 GiB)
RX errors 0 dropped 58728 overruns 0 frame 0
TX packets 2945871 bytes 439332678 (418.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 8486489 bytes 545746453 (520.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8486489 bytes 545746453 (520.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fca0:98ff:fe5b:4c5c prefixlen 64 scopeid 0x20
ether fe:a0:98:5b:4c:5c txqueuelen 1000 (Ethernet)
RX packets 1230956 bytes 220789512 (210.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4261361 bytes 959019552 (914.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fca0:98ff:fe33:bdd8 prefixlen 64 scopeid 0x20
ether fe:a0:98:33:bd:d8 txqueuelen 1000 (Ethernet)
RX packets 675281 bytes 61370108 (58.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4335476 bytes 2031047574 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

davistw · May 2, 2024, 3:53pm

DUOH…My bridge interface is “br01” not br1…
Fixed that in the config and Problem solved…
Thanks again for helping me with my ID10T error…
I think the problem was somewhere between the keyboard and chair.
Thanks again…BTW Thanks Jip-Hop, this capability is GREAT.