churchers / vm-bhyve

Shell based, minimal dependency bhyve manager
BSD 2-Clause "Simplified" License

Support for jailed bhyve, as will be possible with FreeBSD and Hardened BSD 12 [discussion?] #267

Open quite opened 5 years ago

quite commented 5 years ago

In FreeBSD 12, there will be support for running bhyve in a jail. Using this in practice can be read about here: https://github.com/lattera/articles/blob/master/freebsd/2018-10-27_jailed_bhyve/article.md I'm a rookie user of vm-bhyve, and also have not used jails very much at all, but I'm curious about how support for this might or might not be suitable to have in vm-bhyve (and perhaps how).

nihr43 commented 5 years ago

vm-bhyve works in a jail unchanged. I've been using it this way in a vnet-enabled jail. It's quite impressive.

Follow the guide you linked for devfs rules and vmm.allow, and then just install vm-bhyve like usual. uefi and graphics require unhiding vmm.io and vmm.io/* as well.

The catch is that jails are not being given their own "context" for executing VMs. We are just exposing the host's vmm. So, jails can access and destroy each other's VMs, as well as VMs on the host.

maurizio-emmex commented 5 years ago

I am testing vm-bhyve in a jail in FreeBSD 12 (Xigmanas) but when, from the jail, I run:

bhyve-01: ~# vm init
/usr/local/sbin/vm: ERROR: failed to create bridge interface for switch public

What can I do? Thanks

nihr43 commented 5 years ago

@maurizio-emmex are you using vimage jails? vnet would be a requirement to create a bridge.

nihr43 commented 5 years ago

fwiw here's a sample jail.conf I'm using to run bhyve in jails.

```
allow.mount;
allow.mount.devfs;
allow.mount.fdescfs;
allow.mount.procfs;
mount.devfs;
mount.fdescfs;
mount.procfs;

allow.vmm;
allow.raw_sockets   = "1";
children.max        = "10";
allow.set_hostname  = "0";
allow.sysvipc       = "1";
host.hostname       = "${name}.local";
path                = "/usr/jail/${name}";
devfs_ruleset       = "4";
vnet;

exec.clean;
exec.prestart       = "ifconfig epair${if} create";
exec.prestart      += "ifconfig epair${if}a up";
exec.prestart      += "ifconfig epair${if}b up";
exec.prestart      += "ifconfig bridge1 addm epair${if}a";
exec.start          = "/sbin/ifconfig epair${if}b name vnet0";
exec.start         += "/bin/sh /etc/rc";
exec.stop           = "/usr/sbin/service netif stop";
exec.stop          += "/bin/sh /etc/rc.shutdown";
exec.poststop       = "ifconfig epair${if}a destroy";

jail-name { $if = "99"; vnet.interface = "epair${if}b"; }
```

This gives me an interface named vnet0 in my jails that I can then configure through the jail's rc.conf. For some reason SYNCDHCP works but not DHCP in the guest rc.conf, however.
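As an added example (not part of this thread and not vm-bhyve code), here is a small POSIX sh audit that parses a jail.conf in the style posted above and lists every jail that ends up with allow.vmm, which is useful because, as noted earlier in the thread, each such jail shares the host's one vmm namespace and can see every other VM. The sample jail.conf embedded in it is constructed, and the single-line `name { ...; }` block form is an assumption.

```shell
#!/bin/sh
# Added example (not vm-bhyve code): audit a jail.conf for jails that get
# allow.vmm, i.e. direct access to the host's single vmm namespace. Assumes
# the single-line "name { ...; }" block style shown in the thread.

# Constructed sample modelled on the jail.conf posted above
SAMPLE_CONF='allow.mount.devfs;
mount.devfs;
allow.vmm;
devfs_ruleset       = "4";
vnet;
exec.prestart       = "ifconfig epair${if} create";
bhyve-01 { $if = "99"; vnet.interface = "epair${if}b"; }
bhyve-02 { $if = "98"; vnet.interface = "epair${if}b"; allow.vmm = "0"; }
plain    { $if = "97"; vnet.interface = "epair${if}b"; devfs_ruleset = "0"; }'

# vmm_audit FILE: prints "<jail> allow.vmm=<v> vnet=<v> devfs_ruleset=<v>" per
# jail (global defaults inherited, per-jail values override) plus a summary.
vmm_audit() {
    awk '
    function get(arr, k, d) { return (k in arr) ? arr[k] : d }
    function setp(stmt, arr,    k, v) {          # "key;" or "key = value;"
        sub(/^[ \t]+/, "", stmt); sub(/[ \t;]+$/, "", stmt)
        if (stmt == "") return
        if (index(stmt, "=")) {
            k = stmt; sub(/[ \t]*=.*$/, "", k)
            v = stmt; sub(/^[^=]*=[ \t]*/, "", v); gsub(/"/, "", v)
        } else { k = stmt; v = "1" }
        arr[k] = v
    }
    /^[ \t]*[^ \t={]+[ \t]*\{/ {                 # jail block line
        name = $0; sub(/[ \t]*\{.*$/, "", name); sub(/^[ \t]+/, "", name)
        body = $0; sub(/^[^{]*\{/, "", body); sub(/[ \t]*\}[ \t]*$/, "", body)
        split("", j); for (k in g) j[k] = g[k]
        n = split(body, parts, ";")
        for (i = 1; i <= n; i++) setp(parts[i], j)
        if (get(j, "allow.vmm", 0) == 1) exposed++
        printf "%s allow.vmm=%s vnet=%s devfs_ruleset=%s\n", name,
            get(j, "allow.vmm", 0), get(j, "vnet", 0), get(j, "devfs_ruleset", "none")
        next
    }
    { setp($0, g) }                              # global default line
    END { printf "%d jail(s) share the host vmm namespace\n", exposed + 0 }
    ' "$1"
}

conf=$(mktemp) && printf '%s\n' "$SAMPLE_CONF" > "$conf"
vmm_audit "$conf"
rm -f "$conf"
```

Run it against the real /etc/jail.conf on a host to get the list of jails that can reach /dev/vmm; a jail that sets allow.vmm = "0" drops out of the shared namespace.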