I have seen discussions on how to create static addresses for jails. I would like for a jail to get its address from DHCP. I normally assign addresses via DHCP reservation and would like to do this with my jails. How do I do this?
TrueNAS CORE with FreeBSD jails? Activate VNET and DHCP.
Make sure to statically create and assign your bridge interface beforehand.
Sorry Truenas Scale with Jailmaker. I edited the post to identify this correctly…Thanks for the post though.
Details on how to do this are on the Jailmaker Wiki under the Networking section:
Gotcha, Thanks. I guess reading is my downfall. I stopped reading when it described how to Static an address. If I dont do the static I guess it does dhcp. Thanks again…
Thanks for the direction. However when i set the config it still does not do dhcp. Here is the message I am seeing…
root@myjail:/etc/systemd/network# systemctl status systemd-networkd
○ systemd-networkd.service - Network Configuration
Loaded: loaded (/lib/systemd/system/systemd-networkd.service;
enabled; preset: enabled)
Active: inactive (dead)
TriggeredBy: ○ systemd-networkd.socket
Condition: start condition failed at Wed 2024-05-01 12:11:57 CDT; 5min ago
└─ ConditionCapability=CAP_NET_ADMIN was not met
Docs: man:systemd-networkd.service(8)
man:org.freedesktop.network1(5)
May 01 12:11:57 myjail systemd[1]: systemd-networkd.service - Network Configuration was skipped because of an unmet condition check
(ConditionCapability=CAP_NET_ADMIN).
I’d have to defer to @Jip-Hop since I’ve not set this up myself. Not sure if the guide needs updating, but it seems like it needs CAP_NET_ADMIN enabled from those error messages
When using bridge or macvlan networking your jail will by default get the IP address via DHCP. Then you just make this a static lease in your router. Did you try this? Perhaps if you post here you’ll get some more help: Linux Jails (sandboxes / containers) with Jailmaker
Sorry I didn’t realize there was a thread that was specifically for Jailmaker. Since you already replied would you like me to move my discussion to that thread?
My Truenas system is configured to talk static on br1 at 192.168.18.2/24
What i did was create a Jail and it ifconfigs as 192.168.18.2.
Then I edited the /mnt/…jail config as follows
uncommented the --network-bridge=br1 --resolv-conf=bind-host line
Restarted the jail
ifconfig shows no change to IP and I get the error documented about about CAP_NET_ADMIN.
BTW thanks for jailmaker it is a GREAT add to scale…
And the MAC address of the jail is hashed from its name, so as long as the jail isn’t renamed, it will get the same static lease… even if you recreate it
I made a video on setting up bridge networking
Please post your full config file.
As well as all output from jlmkr start yourjailname. Make sure you stop the jail before starting it.
It occurred to me that the OP may not realise that DHCP works, because it takes so long to acquire the DHCP lease at startup.
It takes about 30-45s.
Thanks for the help.
My Config:
root@TrueNas[/mnt/APPS/jailmaker/jails/myjail]# more config
startup=0
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
docker_compatible=0
# Add additional systemd-nspawn flags
# E.g. to mount host storage in the jail (--bind-ro for readonly):
# --bind='/mnt/pool/dataset:/home' --bind-ro=/etc/certificates
# E.g. macvlan networking:
# --network-macvlan=eno1 --resolv-conf=bind-host
# E.g. bridge networking:
--network-bridge=br1 --resolv-conf=bind-host
# E.g. add capabilities required by docker:
# --system-call-filter='add_key keyctl bpf'
systemd_nspawn_user_args=
# Specify command/script to run on the HOST before starting the jail
# For example to load kernel modules and config kernel settings
pre_start_hook=
# pre_start_hook=#!/usr/bin/bash
# set -euo pipefail
# echo 'PRE_START_HOOK_EXAMPLE'
# echo 1 > /proc/sys/net/ipv4/ip_forward
# modprobe br_netfilter
# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
# echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
# Specify a command/script to run on the HOST after stopping the jail
post_stop_hook=
# post_stop_hook=echo 'POST_STOP_HOOK_EXAMPLE'
# Only used while creating the jail
distro=debian
release=bookworm
# Specify command/script to run IN THE JAIL before the first start
# Useful to install packages on top of the base rootfs
# NOTE: this script will run in the host networking namespace and
# ignores all systemd_nspawn_user_args such as bind mounts
initial_setup=
# initial_setup=bash -c 'apt-get update && apt-get -y upgrade'
# Usually no need to change systemd_run_default_args
systemd_run_default_args=--collect
--property=Delegate=yes
--property=RestartForceExitStatus=133
--property=SuccessExitStatus=133
--property=TasksMax=infinity
--property=Type=notify
--setenv=SYSTEMD_NSPAWN_LOCK=0
--property=KillMode=mixed
# Usually no need to change systemd_nspawn_default_args
systemd_nspawn_default_args=--bind-ro=/sys/module
--boot
--inaccessible=/sys/module/apparmor
--quiet
--keep-unit
My startup:
root@TrueNas[/mnt/APPS/jailmaker]# jlmkr start myjail
Starting jail myjail with the following command:
systemd-run --collect --property=Delegate=yes --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=TasksMax=infinity --property=Type=notify --setenv=SYSTEMD_NSPAWN_LOCK=0 --property=KillMode=mixed --unit=jlmkr-myjail --working-directory=./jails/myjail '--description=My nspawn jail myjail [created with jailmaker]' -- systemd-nspawn --bind-ro=/sys/module --boot --inaccessible=/sys/module/apparmor --quiet --keep-unit --machine=myjail --directory=rootfs
Running as unit: jlmkr-myjail.service
root@TrueNas[/mnt/APPS/jailmaker]#
Thanks but I fully understand the dhcp discover/offer/request/acknowledge handshake process and I saw the delay post and waited a few minutes for it to work.
You’re supposed to add the flags after systemd_nspawn_user_args=
. Please have a look at the other (multiline) config values in the config file and jailmaker/templates/docker/config at main · Jip-Hop/jailmaker · GitHub
Perhaps try the interactive create process wizard. It should protect you from mistakes made by manually editing the config file.
I understand I thought the config meant that uncommenting the lines automaticly added it and the systemd_nspawn_user_args= was for anything other than the defaults above…
So I did what you recommended and did a default jail create taking the default Y/N and when it prompted for systemd settings I added
–network-bridge=br1–resolv-conf=bind-host.
When it started the jail it threw the following error
Starting jail myjail with the following command:
systemd-run --collect --property=Delegate=yes --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=TasksMax=infinity --property=Type=notify --setenv=SYSTEMD_NSPAWN_LOCK=0 --property=KillMode=mixed --unit=jlmkr-myjail --working-directory=./jails/myjail ‘–description=My nspawn jail myjail [created with jailmaker]’ – systemd-nspawn --bind-ro=/sys/module --boot --inaccessible=/sys/module/apparmor --quiet --keep-unit --machine=myjail --directory=rootfs --network-bridge=br1 --resolv-conf=bind-host
Job for jlmkr-myjail.service failed.
See “systemctl status jlmkr-myjail.service” and “journalctl -xeu jlmkr-myjail.service” for details.
Failed to start jail myjail…
In case of a config error, you may fix it with:
jlmkr edit myjail
The config shows:
systemd_nspawn_user_args=–network-bridge=br1
–resolv-conf=bind-host
Looking at systemctl status jlmkr-myjail.service shows:
Unit jlmkr-myjail.service could not be found.
root@TrueNas[/mnt/APPS/jailmaker/jails/myjail]# journalctl -xeu jlmkr-myjail.service
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit jlmkr-myjail.service has begun execution.
░░
░░ The job identifier is 86763.
May 02 09:38:56 TrueNas systemd-nspawn[2567666]: Failed to add interface vb-myjail to bridge br1: No such device
May 02 09:38:56 TrueNas systemd-nspawn[2567668]: Parent died too early
May 02 09:38:56 TrueNas systemd[1]: jlmkr-myjail.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ An ExecStart= process belonging to unit jlmkr-myjail.service has exited.
░░
░░ The process’ exit code is ‘exited’ and its exit status is 1.
May 02 09:38:56 TrueNas systemd[1]: jlmkr-myjail.service: Failed with result ‘exit-code’.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ The unit jlmkr-myjail.service has entered the ‘failed’ state with result ‘exit-code’.
May 02 09:38:56 TrueNas systemd[1]: Failed to start jlmkr-myjail.service - My nspawn jail myjail [created with jailmaker].
░░ Subject: A start job for unit jlmkr-myjail.service has failed
░░ Defined-By: systemd
░░ Support: Debian -- User Support
░░
░░ A start job for unit jlmkr-myjail.service has finished with a failure.
░░
░░ The job identifier is 86763 and the job result is failed.
Thanks again for the help…
Do you have a bridge interface called br1? It appears not:
Failed to add interface vb-myjail to bridge br1: No such device
Yes, Here is an ifconfig of the sysem:
root@TrueNas[~]# ifconfig
br01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
** inet 192.168.18.2 netmask 255.255.255.0 broadcast 192.168.18.255**
** ether 5a:cf:af:5c:27:87 txqueuelen 1000 (Ethernet)**
** RX packets 4373161 bytes 10477934792 (9.7 GiB)**
** RX errors 0 dropped 25492 overruns 0 frame 0**
** TX packets 1011106 bytes 139038947 (132.5 MiB)**
** TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0**
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1a03:73ff:fef8:2d6f prefixlen 64 scopeid 0x20
ether 18:03:73:f8:2d:6f txqueuelen 1000 (Ethernet)
RX packets 12848320 bytes 12600316837 (11.7 GiB)
RX errors 0 dropped 58728 overruns 0 frame 0
TX packets 2945871 bytes 439332678 (418.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 8486489 bytes 545746453 (520.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8486489 bytes 545746453 (520.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fca0:98ff:fe5b:4c5c prefixlen 64 scopeid 0x20
ether fe:a0:98:5b:4c:5c txqueuelen 1000 (Ethernet)
RX packets 1230956 bytes 220789512 (210.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4261361 bytes 959019552 (914.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::fca0:98ff:fe33:bdd8 prefixlen 64 scopeid 0x20
ether fe:a0:98:33:bd:d8 txqueuelen 1000 (Ethernet)
RX packets 675281 bytes 61370108 (58.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4335476 bytes 2031047574 (1.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
DUOH…My bridge interface is “br01” not br1…
Fixed that in the config and Problem solved…
Thanks again for helping me with my ID10T error…
I think the problem was somewhere between the keyboard and chair.
Thanks again…BTW Thanks Jip-Hop, this capability is GREAT.