Broken create Jail with net address already available on host

[urosgruber]

I was trying to create a jail with IP address already used on host. I have this set up on machine with older ioc and it worked fine. Latest version add IP alias and that is why network is broken after process completes.

ioc create ioc/foo ip4_addr="igb1|8.8.8.8"

I tried a few other options but digging through source code I can see alias is added in all use cases except DHCP option

Is this intentional? Or broken feature?

[gronke]

Adding and removing IP addresses to the non-VNET interfaces is done deliberately by libioc as seen here in Jail.py https://github.com/bsdci/libioc/blob/ddded09715cf5ec9a98c352ec9955e2649ef7ce7/libioc/Jail.py#L1928-L1931

Before adding a new alias to an interface, we could verify that no other interface has claimed it, so that a jail does not steal the hosts default address. If that is the case, the jail should refuse to start, so that the IP is not removed on jail shutdown.

Actions to mitigate this issue:

• Verify the absence of non-VNET IPs before starting the jail

[urosgruber]

@gronke what if I need to just run a process inside jail but use the host IP?

[gronke]

@urosgruber sorry for the late response. You are right, in this case you would need to supply the jail with the ip4.addr parameter, while not removing the IP from the interface on teardown. I can't imagine a scenario where I would want to borrow an IP address of the host, but if you say that's a thing, we should find a solution for this.

I suggest that we allow users to override final jail parameters. ip4_addr is an ioc(age) config parameter. params.ip4.addr could be a user defined override for whatever ioc would start the jail with.