From owner-freebsd-jail@FreeBSD.ORG Sun May 31 15:36:59 2009
To: freebsd-jail@FreeBSD.org
From: Boris Samorodov
Date: Sun, 31 May 2009 19:13:34 +0400
Subject: sysvipc in jails + CURRENT

Hello List,

has something changed at CURRENT with sysvipc jail handling?
This jail has been working fine for almost a year.

I've upgraded CURRENT to yesterday's sources and can't start
postgresql in a jail anymore:
----- the jail -----
% tail -2 /var/log/messages
May 31 18:22:47 pg postgres[55425]: [1-1] FATAL: could not create shared memory segment: Function not implemented
May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL: Failed system call was shmget(key=5432001, size=30384128, 03600).
% sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 0
% grep sysvipc /etc/sysctl.conf
security.jail.sysvipc_allowed=1
----- the host -----
% uname -a
FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31 11:28:31 MSD 2009 root@tba.bsam.ru:/usr/obj/usr/src/sys/TBA amd64
% sysctl security.jail.sysvipc_allowed
security.jail.sysvipc_allowed: 1
-----

WBR
--
bsam

From owner-freebsd-jail@FreeBSD.ORG Sun May 31 18:05:50 2009
Date: Sun, 31 May 2009 17:49:23 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Boris Samorodov
Cc: freebsd-jail@FreeBSD.org
Subject: Re: sysvipc in jails + CURRENT

On Sun, 31 May 2009, Boris Samorodov wrote:

Hi,

> has something changed at CURRENT with sysvipc jail handling?
> This jail has been working fine for almost a year.
>
> I've upgraded CURRENT to yesterday's sources and can't start
> postgresql in a jail anymore:
> ----- the jail -----
> % tail -2 /var/log/messages
> May 31 18:22:47 pg postgres[55425]: [1-1] FATAL: could not create shared memory segment: Function not implemented
> May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL: Failed system call was shmget(key=5432001, size=30384128, 03600).
> % sysctl security.jail.sysvipc_allowed
> security.jail.sysvipc_allowed: 0
> % grep sysvipc /etc/sysctl.conf
> security.jail.sysvipc_allowed=1
> ----- the host -----
> % uname -a
> FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31 11:28:31 MSD 2009 root@tba.bsam.ru:/usr/obj/usr/src/sys/TBA amd64
> % sysctl security.jail.sysvipc_allowed
> security.jail.sysvipc_allowed: 1
> -----

I'll look into that; possibly the default option is not properly taken
into account for the new jail framework.

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From owner-freebsd-jail@FreeBSD.ORG Sun May 31 19:06:17 2009
Date: Sun, 31 May 2009 20:49:47 +0200
From: Richard Noorlandt
To: freebsd-jail@freebsd.org
Subject: Implications of allow_raw_sockets=1

Hello everyone,

I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
jails that run all kinds of network services. One of the jails is running
Nagios, which will monitor hosts in the network. The most straightforward
way to let Nagios decide if a host is up or down, is by pinging other
hosts. However, by default this won't work because the
security.jail.allow_raw_sockets sysctl is set to '0'.

It would be nice if I was able to ping from the Nagios jail, but the risks
of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
Some online searching suggests that the sysctl defaults to 0 because raw
sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
this has changed. Unfortunately I can't find a clear overview of the
security risks involved with allowing raw sockets.

So, what are the exact security implications of allowing raw sockets inside
jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
specific jails?

Best regards,

Richard

From owner-freebsd-jail@FreeBSD.ORG Sun May 31 22:10:29 2009
From: "Justin G."
Date: Sun, 31 May 2009 14:47:16 -0700
To: freebsd-jail@freebsd.org
Subject: Re: Implications of allow_raw_sockets=1

On Sun, May 31, 2009 at 11:49 AM, Richard Noorlandt wrote:
> Hello everyone,
>
> I have a server running FreeBSD 7.1-RELEASE, which contains a bunch of
> jails that run all kinds of network services. One of the jails is running
> Nagios, which will monitor hosts in the network. The most straightforward
> way to let Nagios decide if a host is up or down, is by pinging other
> hosts. However, by default this won't work because the
> security.jail.allow_raw_sockets sysctl is set to '0'.
>
> It would be nice if I was able to ping from the Nagios jail, but the risks
> of setting security.jail.allow_raw_sockets=1 aren't really clear to me.
> Some online searching suggests that the sysctl defaults to 0 because raw
> sockets weren't fully virtualized in earlier versions of FreeBSD, but maybe
> this has changed. Unfortunately I can't find a clear overview of the
> security risks involved with allowing raw sockets.
>
> So, what are the exact security implications of allowing raw sockets inside
> jails on FreeBSD 7.1? And is there a way to restrict raw sockets to
> specific jails?
>
> Best regards,
>
> Richard

At this time there is no way to set allow_raw_sockets on a per-jail basis.

Raw sockets can allow processes to sniff onto the network, craft
malformed packets, execute DDoS attacks, inject packets, among other
things.

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 1 01:56:43 2009
Date: Mon, 1 Jun 2009 03:56:41 +0200
From: Richard Noorlandt
To: freebsd-jail@freebsd.org
Subject: Re: Implications of allow_raw_sockets=1

2009/5/31 Justin G.:
> Raw sockets can allow processes to sniff onto the network, craft
> malformed packets, execute DDoS attacks, inject packets, among other
> things.

These are basically things that any non-virtualized server could do on the
network. As such, disallowing raw sockets should give higher security than
a 'normal' server running FreeBSD without a jail. But does the use of raw
sockets open up holes that could allow the root user in a jail to break in
on another jail? I'm particularly concerned in attack vectors that wouldn't
exist with multiple real hosts connected through a dumb switch (which
usually introduces all the risks you mentioned).

Best regards,

Richard

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 1 11:06:54 2009
Date: Mon, 1 Jun 2009 11:06:54 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/134583  jail       [jail] [hang] Machine with jail freezes after random a
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/132092  jail       [jail] jail can listen on *:port when jail_socket_unix
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

6 problems total.

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 3 21:20:05 2009
Date: Wed, 3 Jun 2009 18:03:02 -0300 (ADT)
From: "Marc G. Fournier"
To: freebsd-jail@freebsd.org
Subject: Calculating per jail memory usage ...

Are there any tools for this that are either in ports, or others would
like to share?

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org                              MSN . scrappy@hub.org
Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664

From owner-freebsd-jail@FreeBSD.ORG Wed Jun 3 23:03:08 2009
Date: Thu, 4 Jun 2009 01:03:06 +0200
From: Kurt Jaeger
To: "Marc G. Fournier"
Cc: freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...

Hi!

> Are there any tools for this that are either in ports, or others would
> like to share?

This perl snippet works pretty good:

# return memory/proc usage per jail and system
# %running, %vs2ip and %ip2jid are globals filled elsewhere in the
# script (not shown); results go to the globals %runproc, %runrealm
# and %runvirtm.
sub vmem {
    my(@res);
    my($i);
    my($ip);
    my(@t);

    # one line per process: pid, jail id, resident size, virtual size
    @res = `/bin/ps ax -o 'pid,jid,rss,vsz,args' 2>&1`;
    shift(@res);                      # drop the ps header line
    foreach $i (@res) {
        # leading blank so that $t[0] is always empty and
        # $t[1]=pid, $t[2]=jid, $t[3]=rss, $t[4]=vsz
        $i = " ".$i;
        @t=split(/ +/,$i);
        # print "i: $i t1: $t[2]\n";
        $jproc{$t[2]}++;
        $jrealm{$t[2]} += $t[3];
        $jvirtm{$t[2]} += $t[4];
    }
    # map the per-jid totals back to each running jail via its IP
    foreach $i (keys(%running)) {
        $ip=$vs2ip{$i};
        if ( defined($jproc{$ip2jid{$ip}}) ) {
            $runproc{$i} = $jproc{$ip2jid{$ip}} - 1
        }
        else {
            $runproc{$i} = 0;
        }
        $runrealm{$i} = $jrealm{$ip2jid{$ip}};
        $runvirtm{$i} = $jvirtm{$ip2jid{$ip}};
    }
}

--
pi@opsec.eu            +49 171 3101372                         11 years to go !

From owner-freebsd-jail@FreeBSD.ORG Thu Jun 4 05:35:03 2009
Date: Thu, 04 Jun 2009 09:37:04 +0400
From: Menshikov Konstantin
CC: freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...

Marc G. Fournier wrote:
>
> Are there any tools for this that are either in ports, or others would
> like to share?
>
> ----
> Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
> Email . scrappy@hub.org                              MSN . scrappy@hub.org
> Yahoo . yscrappy               Skype: hub.org        ICQ . 7615664

Hi.
You can consider memory occupied with processes in jail as sum RSS of
these processes, but it is wrong. Processes divide memory among
themselves, a segment of the text or all memory (if not to do exec after
fork).
Now in a kernel there is no mechanism with which help it is possible to
count a memory size occupied with processes in jail.
After this mechanism will appear, it will be possible to add top :)

There is a patch for restriction of resources jail,
http://wiki.freebsd.org/Jails, CPU + RAM Limits for Current.
In it, it is considered memory which is used by processes in jail.
Further using a system call jail_get it is possible to receive a memory
size used jail.
The program jget thus works.

Example
[root@book /home/kostjn]# ./jget.o 1
Jail limits and rusage, jid = 1
Limits: CPU 5, MEM 64M, NPROC 128, NOFILE 512
Usage: CPU 0, MEM 6M, NPROC 9, NOFILE 65

--
Menshikov Konstantin

From owner-freebsd-jail@FreeBSD.ORG Thu Jun 4 05:54:26 2009
Date: Thu, 04 Jun 2009 15:34:28 +1000
From: Andrew Snow
To: Menshikov Konstantin, freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...

Menshikov Konstantin wrote:
> Now in a kernel there is no mechanism with which help it is possible to
> count a memory size occupied with processes in jail.
> After this mechanism will appear, it will be possible to add top :)

Are there any plans to add this?

There needs to be a way more generally (ie. not just for jails) to find
out total memory used by a set of processes which may or may not have
shared memory.


- Andrew

From owner-freebsd-jail@FreeBSD.ORG Thu Jun 4 05:59:53 2009
Date: Thu, 04 Jun 2009 10:01:58 +0400
From: Menshikov Konstantin
CC: freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...

Andrew Snow wrote:
> Menshikov Konstantin wrote:
>> Now in a kernel there is no mechanism with which help it is possible
>> to count a memory size occupied with processes in jail.
>> After this mechanism will appear, it will be possible to add top :)
>
> Are there any plans to add this?
>
> There needs to be a way more generally (ie. not just for jails) to
> find out total memory used by a set of processes which may or may not
> have shared memory.
>
>
> - Andrew
>
>
The patch will be added, after testing, I hope.
In a case jail it was necessary for memory size restriction.
I do not think that in a kernel it is necessary to add possibility of
definition of the size of memory occupied with any group of processes.
Easier to count memory as conclusion parsing pmap
(/usr/ports/sysutils/pmap/) output for several processes.

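Menshikov Konstantin's point above, that a per-jail sum of RSS counts shared memory once per process, worked through on constructed numbers. This is an added example, not code from any poster or from FreeBSD; the record layout, object labels and sizes are assumptions, and taking the largest per-process resident size as an object's resident size is a simplification.

```python
from collections import defaultdict

# Constructed sample, not measured data: (pid, jid, backing_object, resident_kb).
# backing_object labels what the pages belong to (a binary's text segment,
# a SysV shared memory segment); None means private memory that no other
# process maps.
SAMPLE = [
    # jail 1: three processes forked from one server binary
    (101, 1, "text:server", 4000), (101, 1, "sysv-shm:A", 29672), (101, 1, None, 1500),
    (102, 1, "text:server", 4000), (102, 1, "sysv-shm:A", 12000), (102, 1, None, 2200),
    (103, 1, "text:server", 4000), (103, 1, "sysv-shm:A", 8000),  (103, 1, None, 1800),
    # jail 2: a single process, nothing shared
    (201, 2, "text:daemon", 3000), (201, 2, None, 9000),
]


def per_jail_usage(records):
    """Return {jid: {"rss_sum_kb": ..., "counted_once_kb": ...}}.

    rss_sum_kb      what adding up the RSS column of ps gives
    counted_once_kb the same memory with every shared object counted a
                    single time per jail (approximated by the largest
                    resident size any one process reports for it)
    """
    rss_sum = defaultdict(int)
    private = defaultdict(int)
    shared = defaultdict(dict)          # jid -> object label -> resident KB

    for _pid, jid, obj, kb in records:
        rss_sum[jid] += kb              # RSS view: every mapping counts
        if obj is None:
            private[jid] += kb          # private pages are never shared
        else:
            # An object mapped by several processes of the jail is kept
            # once. Objects shared across jails would still be counted
            # once in each jail by this model.
            shared[jid][obj] = max(shared[jid].get(obj, 0), kb)

    return {
        jid: {
            "rss_sum_kb": rss_sum[jid],
            "counted_once_kb": private[jid] + sum(shared[jid].values()),
        }
        for jid in rss_sum
    }


if __name__ == "__main__":
    for jid, usage in sorted(per_jail_usage(SAMPLE).items()):
        over = usage["rss_sum_kb"] - usage["counted_once_kb"]
        print(f"jid {jid}: RSS sum {usage['rss_sum_kb']} KB, "
              f"counted once {usage['counted_once_kb']} KB, "
              f"overcount {over} KB")
```
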
From owner-freebsd-jail@FreeBSD.ORG Thu Jun 4 14:08:58 2009
To: Henrik Lidström
From: Boris Samorodov
Date: Thu, 04 Jun 2009 18:08:55 +0400
Cc: freebsd-jail@FreeBSD.org, "Bjoern A. Zeeb"
Subject: Re: sysvipc in jails + CURRENT

On Wed, 03 Jun 2009 13:05:03 +0200 Henrik Lidström wrote:
> Quoting "Bjoern A. Zeeb":
> > On Sun, 31 May 2009, Boris Samorodov wrote:
> >
> > Hi,
> >
> >> has something changed at CURRENT with sysvipc jail handling?
> >> This jail has been working fine for almost a year.
> >>
> >> I've upgraded CURRENT to yesterday's sources and can't start
> >> postgresql in a jail anymore:
> >> ----- the jail -----
> >> % tail -2 /var/log/messages
> >> May 31 18:22:47 pg postgres[55425]: [1-1] FATAL: could not create shared memory segment: Function not implemented
> >> May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL: Failed system call was shmget(key=5432001, size=30384128, 03600).
> >> % sysctl security.jail.sysvipc_allowed
> >> security.jail.sysvipc_allowed: 0
> >> % grep sysvipc /etc/sysctl.conf
> >> security.jail.sysvipc_allowed=1
> >> ----- the host -----
> >> % uname -a
> >> FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31 11:28:31 MSD 2009 root@tba.bsam.ru:/usr/obj/usr/src/sys/TBA amd64
> >> % sysctl security.jail.sysvipc_allowed
> >> security.jail.sysvipc_allowed: 1
> >> -----
> >
> > I'll look into that; possibly the default option is not properly taken
> > into account for the new jail framework.
> >
> > /bz
> >
> > --
> > Bjoern A. Zeeb                      The greatest risk is not taking one.
> >

> Somehow I can't email to the mailing list (it doesn't show up), so I send
> directly to you.

> I also noticed the problem with security.jail.sysvipc_allowed as above.
> Also noticed that I from a jail now can see all filesystems (and that
> jls -v is broken, probably a problem with cpuset?).

> EXTBSD02-PROD# uname -a
> FreeBSD EXTBSD02-PROD.digidoc.com 8.0-CURRENT FreeBSD 8.0-CURRENT #6: Tue Jun 2 10:05:40 CEST 2009 root@EXTBSD02-PROD.digidoc.com:/data01/obj/usr/src/sys/EXTBSD02 i386
> EXTBSD02-PROD# jls -v
> jls: unknown parameter: cpuset
> EXTBSD02-PROD#

> EXTBSD02-PROD# jls
>    JID  IP Address      Hostname                      Path
>      1  195.67.11.41    INTDB01-PROD                  /data00/jails/INTDB01-PROD
>      2  195.67.11.9     INTLOG01-PROD.digidoc.com     /data00/jails/INTLOG01-PROD
>      3  62.20.119.164   EXTNS01-PROD                  /data00/jails/EXTNS01-PROD
>      4  62.20.119.230   PROXY03.digidoc.com           /data00/jails/PROXY03
> EXTBSD02-PROD# jexec 1 /bin/csh
> You have mail.
> INTDB01-PROD# mount -v
> /dev/da0s1a on / (ufs, local)
> devfs on /dev (devfs, local)
> /dev/da0s1e on /tmp (ufs, local, soft-updates)
> /dev/da0s1f on /usr (ufs, local, noatime, soft-updates)
> /dev/da0s1d on /var (ufs, local, noatime, soft-updates)
> /dev/da0s2a on /data00 (ufs, local, noatime, soft-updates)
> /dev/da1s1d on /data01 (ufs, local, noatime, soft-updates)
> tmpfs on /data00/jails/PROXY03/usr/local/squid/scan_dir (tmpfs, local)
> /data01/data/ports on /data00/jails/EXTNS01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTDB01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTLOG01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTSIM01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/PROXY03/usr/ports (nullfs, local, noatime)
> /data01/backup/INTDB01PROD/databases on /data00/jails/INTDB01-PROD/usr/backup (nullfs, local, noatime)
> devfs on /data00/jails/INTDB01-PROD/dev (devfs, local)
> procfs on /data00/jails/INTDB01-PROD/proc (procfs, local)
> devfs on /data00/jails/INTLOG01-PROD/dev (devfs, local)
> procfs on /data00/jails/INTLOG01-PROD/proc (procfs, local)
> devfs on /data00/jails/EXTNS01-PROD/dev (devfs, local)
> procfs on /data00/jails/EXTNS01-PROD/proc (procfs, local)
> devfs on /data00/jails/PROXY03/dev (devfs, local)
> procfs on /data00/jails/PROXY03/proc (procfs, local)
> INTDB01-PROD#

There is definitely some inconsistency. JAIL(8) at recent
CURRENT talk about security.jail.param.allow.sysvipc and
it is listed via "sysctl -d security.jail.param". But seems
not to be used:
----- at the jail -----
# sysctl security.jail.param.allow.sysvipc
#
-----

WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve

From owner-freebsd-jail@FreeBSD.ORG Thu Jun 4 20:55:07 2009
Date: Thu, 4 Jun 2009 20:52:46 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Boris Samorodov
Cc: freebsd-jail@FreeBSD.org
Subject: Re: sysvipc in jails + CURRENT

On Thu, 4 Jun 2009, Boris Samorodov wrote:

Hi,

> There is definitely some inconsistency. JAIL(8) at recent
> CURRENT talk about security.jail.param.allow.sysvipc and
> it is listed via "sysctl -d security.jail.param". But seems
> not to be used:
> ----- at the jail -----
> # sysctl security.jail.param.allow.sysvipc
> #
> -----

If you can use an old jail binary things should work for you for the
moment.

The jail(8) compat code that still supports the old syntax but already
uses the new syscall does not take the old sysctls into account - the
problem you are seeing.

Alternatively you could try updating the jail by hand using the new
syntax and switch sysvipc on.

The bug will probably be fixed latest somewhen next week and I just
got back and have a huge backlog and Jamie will be back in a few days
I think.

/bz

--
Bjoern A. Zeeb                      The greatest risk is not taking one.

From owner-freebsd-jail@FreeBSD.ORG Fri Jun 5 09:02:24 2009
Date: Fri, 5 Jun 2009 06:02:22 -0300 (ADT)
From: "Marc G. Fournier"
To: Menshikov Konstantin
Cc: freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...
Message-ID: <20090605055852.N56412@hub.org>
In-Reply-To: <4A275D80.5050408@peterhost.ru>

On Thu, 4 Jun 2009, Menshikov Konstantin wrote:

> Hi.
> You can consider memory occupied with processes in jail as sum RSS of these
> processes, but it is wrong.
>
> Processes divide memory among themselves, a segment of the text or all memory
> (if not to do exec after fork).
>
> Now in a kernel there is no mechanism with which help it is possible to count
> a memory size occupied with processes in jail.
> After this mechanism will appear, it will be possible to add top :)
>
> There is a patch for restriction of resources jail,
> http://wiki.freebsd.org/Jails, CPU + RAM Limits for Current.

Is this the ChrisJones patch that is labeled "Not fully working / stalled"
you are referring to?

For 7.x, all we can really go back is RSS, from what I can tell ... it won't
be until 8.x(?) that we will be able to get more accurate ... ? And even
then, it will be a patch we have to add, not stuff that has been yet
integrated into 8.x?

----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email . scrappy@hub.org MSN . scrappy@hub.org
Yahoo . yscrappy Skype: hub.org ICQ . 7615664

From owner-freebsd-jail@FreeBSD.ORG Fri Jun 5 09:32:01 2009
Date: Fri, 05 Jun 2009 13:34:09 +0400
From: Menshikov Konstantin
Cc: freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...
Message-ID: <4A28E691.9010301@peterhost.ru>
In-Reply-To: <20090605055852.N56412@hub.org>

Marc G. Fournier wrote:
> On Thu, 4 Jun 2009, Menshikov Konstantin wrote:
>
>> Hi.
>> You can consider memory occupied with processes in jail as sum RSS of
>> these processes, but it is wrong.
>>
>> Processes divide memory among themselves, a segment of the text or
>> all memory (if not to do exec after fork).
>>
>> Now in a kernel there is no mechanism with which help it is possible
>> to count a memory size occupied with processes in jail.
>> After this mechanism will appear, it will be possible to add top :)
>>
>> There is a patch for restriction of resources jail,
>> http://wiki.freebsd.org/Jails, CPU + RAM Limits for Current.
>
> Is this the ChrisJones patch that is labeled "Not fully working /
> stalled" you are referring to?

No, it is a patch written with zero.

>
> For 7.x, all we can really go back is RSS, from what I can tell ... it
> won't be until 8.x(?) that we will be able to get more accurate ... ?
> And even then, it will be a patch we have to add, not stuff that has
> been yet integrated into 8.x?

Yes, the kernel has no counters of memory for jail in 7 branch, also has
no system calls jail_get, jail_set, therefore on there is no place to
take the information.
In 8 branch are added jail_set, jail_get, it gives the chance to obtain
any data about jail.
I hope that after a while, after testing, the patch for restriction of
use of resources jail will be accepted.
After that, reception of the information on use of resources jail will
be trivial.

From owner-freebsd-jail@FreeBSD.ORG Fri Jun 5 09:35:28 2009
Date: Fri, 05 Jun 2009 11:19:01 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: "Marc G. Fournier"
Cc: freebsd-jail@freebsd.org
Subject: Re: Calculating per jail memory usage ...
Message-ID: <4A28E305.8080608@quip.cz>
In-Reply-To: <20090605055852.N56412@hub.org>

Marc G. Fournier wrote:
> On Thu, 4 Jun 2009, Menshikov Konstantin wrote:
>
>> Hi.
>> You can consider memory occupied with processes in jail as sum RSS of
>> these processes, but it is wrong.
>>
>> Processes divide memory among themselves, a segment of the text or all
>> memory (if not to do exec after fork).
>>
>> Now in a kernel there is no mechanism with which help it is possible
>> to count a memory size occupied with processes in jail.
>> After this mechanism will appear, it will be possible to add top :)
>>
>> There is a patch for restriction of resources jail,
>> http://wiki.freebsd.org/Jails, CPU + RAM Limits for Current.
>
>
> Is this the ChrisJones patch that is labeled "Not fully working /
> stalled" you are referring to?

Yes and no. Patches in the last column of this table are from different
authors. Chris Jones is no longer working on this. The latest patch is
from Menshikov Konstantin :)
see http://kostjn.spb.ru/patch-jail-limit-8CURRENT.README

Miroslav Lachman
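
The sum-of-RSS estimate discussed in this thread, as an added example that is not part of any poster's message: it groups `ps -axo jid,rss,comm` output by jail and reports, next to each sum, how many processes run the same command, since those share a text segment and make the sum an upper bound. The sample input is constructed, and `sample_ps` and `jail_rss_sum` are hypothetical names.

```shell
#!/bin/sh
# Added example: per-jail memory estimated as the sum of process RSS.
# On a FreeBSD host the live input would be:  ps -axo jid,rss,comm
# (RSS in kilobytes; JID 0 means the process is not in a jail).

# Constructed sample of that output, not taken from the thread.
sample_ps() {
    cat <<'EOF'
  JID    RSS COMMAND
    0   2100 sshd
    1  41200 postgres
    1  39800 postgres
    1  40100 postgres
    1   1800 cron
    4  15200 squid
    4   1500 cron
EOF
}

# jail_rss_sum: read "jid rss comm" lines on stdin, print one line per jail:
#   jid  summed_rss_kb  process_count  largest_same_command_group
# Pages shared between processes (text segments, memory inherited across
# fork without exec) are counted once per process, so the sum overstates
# real usage. A large same-command group marks the jails where the
# overcount is likely to be biggest.
jail_rss_sum() {
    awk '
        # Skip the header and any line whose JID or RSS is not numeric.
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
        {
            sum[$1] += $2
            n[$1]++
            key = $1 SUBSEP $3
            if (++same[key] > maxsame[$1]) maxsame[$1] = same[key]
        }
        END {
            for (j in sum)
                printf "%d %d %d %d\n", j, sum[j], n[j], maxsame[j]
        }
    ' | sort -n
}

# Stand-alone run over the constructed sample.
sample_ps | jail_rss_sum
```

In the sample, jail 1 sums to 122900 KB across four processes, three of which are the same `postgres` binary, so its real footprint is lower than the sum by whatever those three share.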