Dear colleagues,

am I right concluding that under FreeBSD jail there is no way to attach two processes to the same port of external interface address and localhost?

I tried to move rather standard two-tier nginx(ip:80)+apache(127.1:80) scheme into a jail and on apache start got

[Thu Jan 29 00:09:32 2009] [crit] (48)Address already in use: make_sock: could not bind to address 127.0.0.1 port 80

(this is under RELENG_7 if it's relevant)

Any thoughts? Thanks in advance.

--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
Dmitry Morozovsky wrote:
> am I right concluding that under FreeBSD jail there is no way to attach two
> processes to the same port of external interface address and localhost?
>
> I tried to move rather standard two-tier nginx(ip:80)+apache(127.1:80) scheme
> into a jail and on apache start got

In FreeBSD jails, the loopback interface doesn't exist - 127.0.0.1 is hardwired internally to point to the (external) jail IP.
Dmitry Morozovsky wrote:
> am I right concluding that under FreeBSD jail there is no way to attach two
> processes to the same port of external interface address and localhost?

It depends. Do those jailed processes have to communicate with each other, or only with the host system?

If they do _not_ have to communicate with each other, it's easy. You have to put the second jail on a localhost IP address (not necessarily 172.1; you can create an alias on lo0 like 127.2 or similar).

If they have to communicate with each other, it gets more complicated. If they need to communicate directly, you must put both jails on the same IP address, but then you cannot bind the processes to different IP addresses.

Note that localhost is not handled specially within jails: If you try to bind a process to a localhost IP, it is forced to bind to the jail's IP instead. That's what is causing your error message:

> [Thu Jan 29 00:09:32 2009] [crit] (48)Address already in use: make_sock: could
> not bind to address 127.0.0.1 port 80

If they do have to communicate with each other, but you need the jails to be on different IP addresses, there are several ways to solve the problem, but they all smell a bit like a dirty hack. One way (probably the easiest one) is to forward packets between the jails using IPFW "fwd" rules (or IPF ipnat "rdr" rules, or PF translation rules).

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, management: secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht München, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

I suggested holding a "Python Object Oriented Programming Seminar", but the acronym was unpopular.
-- Joseph Strout
On Thu, 29 Jan 2009, Dmitry Morozovsky wrote:
> am I right concluding that under FreeBSD jail there is no way to attach two
> processes to the same port of external interface address and localhost?
>
> I tried to move rather standard two-tier nginx(ip:80)+apache(127.1:80)
> scheme into a jail and on apache start got
>
> [Thu Jan 29 00:09:32 2009] [crit] (48)Address already in use: make_sock:
> could not bind to address 127.0.0.1 port 80
>
> (this is under RELENG_7 if it's relevant)
>
> Any thoughts? Thanks in advance.

The way Jail is implemented is that the jail IP is silently substituted when the loopback IP is used. This has some downsides, and this is one of them. The virtual network stack (VIMAGE) project for FreeBSD 8.0 is intended to address this, among many other things, by providing full virtualization of all network stack data structures for jails.

Robert N M Watson
Computer Laboratory
University of Cambridge
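
The rule stated in the replies above (a bind to a loopback address inside a jail is forced onto the jail's IP) can be modelled as a pre-flight check over a planned listener layout. This is an added example, not part of the original thread; the jail address 192.0.2.10, the listener names and the function names are constructed, and the model covers IPv4 only.

```python
import ipaddress
import socket
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_v4(addr):
    # inet_aton accepts the short forms used in the thread ("127.1", "127.2").
    return ipaddress.ip_address(socket.inet_aton(addr))


def effective_bind(addr, jail_ip):
    """Address a jailed process ends up bound to, per the rule in the thread."""
    ip = parse_v4(addr)
    # A loopback bind inside the jail is forced onto the jail's own IP.
    return parse_v4(jail_ip) if ip in LOOPBACK else ip


def find_conflicts(listeners, jail_ip):
    """listeners: iterable of (name, addr, port) planned inside ONE jail.

    Returns {"ip:port": [names]} for every socket claimed more than once.
    """
    claimed = defaultdict(list)
    for name, addr, port in listeners:
        claimed[(effective_bind(addr, jail_ip), port)].append(name)
    return {f"{ip}:{port}": names
            for (ip, port), names in claimed.items() if len(names) > 1}


if __name__ == "__main__":
    JAIL_IP = "192.0.2.10"  # constructed documentation address
    # The two-tier layout from the first message, moved into one jail.
    two_tier = [("nginx", JAIL_IP, 80), ("apache", "127.1", 80)]
    print(find_conflicts(two_tier, JAIL_IP))
    # Constructed variant: back end on another port, so nothing collides.
    moved = [("nginx", JAIL_IP, 80), ("apache", "127.1", 8080)]
    print(find_conflicts(moved, JAIL_IP))
```
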