From owner-freebsd-jail@FreeBSD.ORG Sun May 20 02:02:57 2012
Date: Sun, 20 May 2012 04:02:50 +0200
From: Mateusz Guzik
To: freebsd-jail@freebsd.org
Message-ID: <20120520020250.GB17691@dft-labs.eu>
Subject: [patch] use-after-free in kern_jail_set and lock leak in prison_racct_modify
List-Id: "Discussion about FreeBSD jail\(8\)"

Hello,

I'm using -CURRENT as of r235649.

Bugs I'd like to report:

1. a use-after-free bug in kern_jail_set triggerable by attempts to clear
   persist flag from "empty" persistent jail.

[..]
        if (!created) {
                prison_deref(pr, (flags & JAIL_ATTACH)  /* free */
                    ? PD_DEREF
                    : PD_DEREF | PD_LIST_SLOCKED);
[..]
#ifdef RACCT
        if (!created)
                prison_racct_modify(pr);        /* dereference */
#endif

        td->td_retval[0] = pr->pr_id;           /* dereference */
[..]

2. function prison_racct_modify leaks allprison and allproc locks when
   modifications don't cause rename.

[..]
        sx_slock(&allproc_lock);
        sx_xlock(&allprison_lock);

        if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0)
                return;
[..]
=============================
How to reproduce:

jail -c persist=1
jail -n 1 -m persist=0

or

jail -c path=/ command=/usr/bin/true

This causes panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0xffffff8000e37010
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80562e0b
stack pointer           = 0x28:0xffffff807c995830
frame pointer           = 0x28:0xffffff807c995ad0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23244 (jail)
[ thread pid 23244 tid 100077 ]
Stopped at      kern_jail_set+0x2dfb:   movslq  0x10(%r13),%r12
db> bt
Tracing pid 23244 tid 100077 td 0xfffffe0003075490
kern_jail_set() at kern_jail_set+0x2dfb
sys_jail_set() at sys_jail_set+0x62
amd64_syscall() at amd64_syscall+0x29e
Xfast_syscall() at Xfast_syscall+0xf7
--- syscall (507, FreeBSD ELF64, sys_jail_set), rip = 0x800ed9bdc, rsp = 0x7fffffffd718, rbp = 0x7fffffffd790 ---

Proposed trivial patch:
http://student.agh.edu.pl/~mjguzik/patches/jail-use-after-free.patch

-- 
Mateusz Guzik
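
Added illustration, not part of the message above and not FreeBSD kernel code or the linked patch: a userland C model of the two reported patterns, dropping the last reference before the final uses of pr, and returning early with the allproc and allprison locks still held. The model_* types, the poisoning that stands in for a real free, the constructed sample jail, and the reordering shown as a remedy are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define POISON_ID (-1)      /* written into a released object by the model */
#define SAMPLE_PRISON { 1, 7, "j1", "j1" }  /* constructed: id 7, one reference */

struct model_prison {       /* hypothetical stand-in for struct prison */
    int  refs;              /* reference count */
    int  id;                /* stands in for pr_id */
    char name[16];          /* stands in for pr_name */
    char racct_name[16];    /* stands in for pr_prison_racct->prr_name */
};

struct model_locks { int allproc, allprison; };  /* stand-ins for the sx locks */

/* Drop one reference. A kernel would free the object at zero; the model
 * poisons it instead, so a later access is observable without real UB. */
static void model_deref(struct model_prison *pr)
{
    if (--pr->refs == 0) {
        pr->id = POISON_ID;
        memset(pr->name, 0, sizeof(pr->name));
    }
}

/* Bug 2 pattern: the "no rename needed" path returns with both locks held. */
static void racct_modify_leaky(struct model_prison *pr, struct model_locks *l)
{
    l->allproc++;
    l->allprison++;
    if (strcmp(pr->name, pr->racct_name) == 0)
        return;
    strcpy(pr->racct_name, pr->name);
    l->allprison--;
    l->allproc--;
}

/* Same work with one exit path, so every acquire has a matching release. */
static void racct_modify_balanced(struct model_prison *pr, struct model_locks *l)
{
    l->allproc++;
    l->allprison++;
    if (strcmp(pr->name, pr->racct_name) != 0)
        strcpy(pr->racct_name, pr->name);
    l->allprison--;
    l->allproc--;
}

/* Bug 1 pattern: the reference is dropped first, then pr is used twice. */
static int jail_set_deref_first(struct model_prison *pr, struct model_locks *l)
{
    model_deref(pr);
    racct_modify_balanced(pr, l);   /* touches the released object */
    return pr->id;                  /* reads the released object */
}

/* Reordered: finish with pr and copy the id out, then drop the reference. */
static int jail_set_deref_last(struct model_prison *pr, struct model_locks *l)
{
    int id;

    racct_modify_balanced(pr, l);
    id = pr->id;
    model_deref(pr);
    return id;
}

/* Id handed back to the caller under either ordering. */
int id_reported(int deref_last)
{
    struct model_prison pr = SAMPLE_PRISON;
    struct model_locks l = { 0, 0 };

    return deref_last ? jail_set_deref_last(&pr, &l)
                      : jail_set_deref_first(&pr, &l);
}

/* Locks still held after one call on a jail whose name did not change. */
int locks_left_held(int balanced)
{
    struct model_prison pr = SAMPLE_PRISON;
    struct model_locks l = { 0, 0 };

    if (balanced)
        racct_modify_balanced(&pr, &l);
    else
        racct_modify_leaky(&pr, &l);
    return l.allproc + l.allprison;
}

int main(void)
{
    printf("deref first: id=%d, deref last: id=%d\n",
        id_reported(0), id_reported(1));
    printf("locks held: leaky=%d, balanced=%d\n",
        locks_left_held(0), locks_left_held(1));
    return 0;
}
```

In the kernel the released object is really freed, so the deref-first ordering faults or reads stale memory instead of returning the poison value, as the panic above shows.
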

Date: Mon, 21 May 2012 11:07:15 GMT
Message-Id: <201205211107.q4LB7FDJ049138@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/167911   jail       new jail(8) problem with removal, ifconfg -alias and k
p bin/165515   jail       [jail][patch] "jail: unknown parameter: allow.nomount"
p bin/161957   jail       jls(8): jls -v doesn't show anything if system compile
o kern/159918  jail       [jail] inter-jail communication failure
o kern/156111  jail       [jail] procstat -b not supported in jail
o misc/155765  jail       [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail       [jail] [patch] Bad symlink created if devfs mount poin
o conf/149050  jail       [jail] rcorder ``nojail'' too coarse for Jail+VNET
s conf/142972  jail       [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail       [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

14 problems total.

Date: Mon, 21 May 2012 09:47:53 -0400
From: David Windsor
To: freebsd-jail@freebsd.org
Cc: freebsd-hackers@freebsd.org
Subject: PID/UID namespaces

Hi,

While doing some research on FreeBSD jails, I came across an item in the
jails' TODO:

  - be able to have a separate PID space for it
  - be able to specify a separate UID space for it

In other projects, these goals have been accomplished using namespaces.  I
tried to see if PID/UID namespaces existed in BSD and came across something
called Capsicum, a sandboxing project which does not appear to implement
outright namespaces for descriptors like PID/UID, but uses something called
a "Process Descriptor."

Is namespacing of PIDs and UIDs an eventual goal of the jails project of
FreeBSD?

Thanks,

David

PS: Excuse my ignorance of anything related to BSD, as I come from a Linux
background.

-- 
PGP: 6141 5FFD 11AE 9844 153E F268 7C98 7268 6B19 6CC9

Date: Mon, 21 May 2012 20:08:17 +0200
From: Ed Schouten
To: jail@FreeBSD.org
Subject: Breakage on 9

Hi,

Today I was bitten by the "jail: unknown parameter: allow.nomount"
bug. It seems this bug is at least more than one month old -- on
9-STABLE! Why hasn't the commit that introduced this bug been backed
out? The code worked before. Now it's broken and we're waiting for an
MFC period? Using a Danish (Dutch?) axe, I was able to at least get my
box working again:

Index: lib/libjail/jail.c =================================================================== --- lib/libjail/jail.c (revision 235725) +++ lib/libjail/jail.c (working copy) 
@@ -890,7 +890,7 @@ snprintf(jail_errmsg, JAIL_ERRMSGLEN, "unknown parameter: %s", jp->jp_name); errno = ENOENT; - return (-1); + return (0); } snprintf(desc.s, sizeof(desc.s), SJPARAM ".%s", nname); free(nname);

-- 
Ed Schouten

Message-ID: <4FBA8859.1040604@schimke.net>
Date: Mon, 21 May 2012 11:24:25 -0700
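
Review bot: in Ed Schouten's lib/libjail/jail.c hunk (@@ -890,7 +890,7 @@), changing "return (-1);" to "return (0);" makes the unknown-parameter path report success even though it has just filled jail_errmsg with "unknown parameter: %s" and set errno = ENOENT, so a caller can no longer tell a misspelled or unsupported parameter from a valid one, and the function returns before the snprintf(desc.s, ...) lookup that follows the closing brace. If the aim is only to accept the "no"-prefixed boolean form such as allow.nomount, keep the -1 return for names that really are unknown and handle the prefixed form separately; as posted this is suitable only as a local workaround.
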
From: Nathan Schimke
To: freebsd-jail@freebsd.org
Subject: Re: Breakage on 9

On 05/21/2012 11:08 AM, Ed Schouten wrote:
> Hi,
>
> Today I was bitten by the "jail: unknown parameter: allow.nomount"
> bug. It seems this bug is at least more than one month old -- on
> 9-STABLE! Why hasn't the commit that introduced this bug been backed
> out? The code worked before. Now it's broken and we're waiting for an
> MFC period? Using a Danish (Dutch?) axe, I was able to at least get my
> box working again:

I just hit the same error last night. Reverting r235624 (an MFC made 3
days ago) got my jails working again, but I haven't yet figured out why.

Nathan

Message-ID: <4FBA95A1.9050404@freebsd.org>
Date: Mon, 21 May 2012 12:21:05 -0700
From: Julian Elischer
To: David Windsor
Cc: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: PID/UID namespaces

On 5/21/12 6:47 AM, David Windsor wrote:
> Hi,
>
> While doing some research on FreeBSD jails, I came across an item in the
> jails' TODO:
>
>
>   - be able to have a separate PID space for it
>   - be able to specify a separate UID space for it
>
> In other projects, these goals have been accomplished using namespaces.  I
> tried to see if PID/UID namespaces existed in BSD and came across something
> called Capsicum, a sandboxing project which does not appear to implement
> outright namespaces for descriptors like PID/UID, but uses something called
> a "Process Descriptor."
>
> Is namespacing of PIDs and UIDs an eventual goal of the jails project of
> FreeBSD?

"kinda"
Not terribly explicitly, but somewhere in our collective subconscious..

> Thanks,
>
> David
>
> PS: Excuse my ignorance of anything related to BSD, as I come from a Linux
> background.
>
>

From: Chris Rees
Date: Mon, 21 May 2012 20:26:15 +0100
To: David Windsor
Cc: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: PID/UID namespaces

On 21 May 2012 14:47, David Windsor wrote:
> Hi,
>
> While doing some research on FreeBSD jails, I came across an item in the
> jails' TODO:
>
>
>   - be able to have a separate PID space for it
>   - be able to specify a separate UID space for it
>
> In other projects, these goals have been accomplished using namespaces.  I
> tried to see if PID/UID namespaces existed in BSD and came across something
> called Capsicum, a sandboxing project which does not appear to implement
> outright namespaces for descriptors like PID/UID, but uses something called
> a "Process Descriptor."
>
> Is namespacing of PIDs and UIDs an eventual goal of the jails project of
> FreeBSD?

It would certainly prevent many common problems when setting up jails;
UID collision is much more common than you'd think, given that the
default UIDs remain the same.

Chris

To: Chris Rees
From: "Poul-Henning Kamp"
In-Reply-To: Your message of "Mon, 21 May 2012 20:26:15 +0100."
Date: Mon, 21 May 2012 19:57:48 +0000
Message-ID: <39149.1337630268@critter.freebsd.dk>
Cc: freebsd-hackers@FreeBSD.org, freebsd-jail@FreeBSD.org, David Windsor
Subject: Re: PID/UID namespaces

In message , Chris Rees writes:

>It would certainly prevent many common problems when setting up jails;
>UID collision is much more common than you'd think, given that the
>default UIDs remain the same.

Uhm... jails have separate UID/GID spaces.

Filesystems mounted or visible in multiple jails act as shared UID/GID
(sub-)spaces for those jails, but there is no way to avoid that, it's
a direct consequence of the sharing of the filesystems.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

In-Reply-To: <39149.1337630268@critter.freebsd.dk>
References: <39149.1337630268@critter.freebsd.dk>
From: Chris Rees
Date: Mon, 21 May 2012 21:23:17 +0100
To: Poul-Henning Kamp
Cc: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org, David Windsor
Subject: Re: PID/UID namespaces

On 21 May 2012 20:57, Poul-Henning Kamp wrote:
> In message
> , Chris Rees writes:
>
>>It would certainly prevent many common problems when setting up jails;
>>UID collision is much more common than you'd think, given that the
>>default UIDs remain the same.
>
> Uhm... jails have separate UID/GID spaces.
>
> Filesystems mounted or visible in multiple jails act as shared UID/GID
> (sub-)spaces for those jails, but there is no way to avoid that, it's
> a direct consequence of the sharing of the filesystems.

Yes, beg pardon, my mistake-- that's what I was meaning to refer to.

I still have a patch in GNATS for the docs about that, but it's been
the subject of amazing controversy.

Chris

Message-ID: <4FBAAF0D.4000202@FreeBSD.org>
Date: Mon, 21 May 2012 15:09:33 -0600
From: Jamie Gritton
To: freebsd-jail@FreeBSD.org
References: <4FBA8859.1040604@schimke.net>
In-Reply-To: <4FBA8859.1040604@schimke.net>
Subject: Re: Breakage on 9

I've got a fix that's going in as soon as it's confirmed. I'm including
the patch here. Backing out r235624 will work, unless you happen to be
on a box where r235624 was necessary.

I had said something before about the long MFC, but that turned out to
be wrong. That was for the new jail(8) code, but the nomount fix is in
the libjail code. Actually, that was fixed a while back, but then I
re-broke it (in a different way) with r235624.

If anyone continues to have problems on 9 with the included patch, let
me know. But I think this will bring it all into working order.

- Jamie

On 05/21/12 12:24, Nathan Schimke wrote:
> On 05/21/2012 11:08 AM, Ed Schouten wrote:
>> Hi,
>>
>> Today I was bitten by the "jail: unknown parameter: allow.nomount"
>> bug. It seems this bug is at least more than one month old -- on
>> 9-STABLE! Why hasn't the commit that introduced this bug been backed
>> out? The code worked before. Now it's broken and we're waiting for an
>> MFC period? Using a Danish (Dutch?) axe, I was able to at least get my
>> box working again:
>
> I just hit the same error last night. Reverting r235624 (an MFC made 3
> days ago) got my jails working again, but I haven't yet figured out why.
>
> Nathan

Content-Type: text/plain; name="jail.diff"
Content-Disposition: attachment; filename="jail.diff"

Date: Wed, 23 May 2012 14:52:42 GMT
Message-Id: <201205231452.q4NEqg8q038119@freefall.freebsd.org>
To: gjb@FreeBSD.org, jamie@FreeBSD.org, freebsd-jail@FreeBSD.org
From: jamie@FreeBSD.org Cc: Subject: Re: bin/165515: [jail][patch] "jail: unknown parameter: allow.nomount" when starting jail X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 May 2012 14:52:43 -0000 Synopsis: [jail][patch] "jail: unknown parameter: allow.nomount" when starting jail State-Changed-From-To: patched->closed State-Changed-By: jamie State-Changed-When: Wed May 23 14:51:08 UTC 2012 State-Changed-Why: MFCd as r232728 http://www.freebsd.org/cgi/query-pr.cgi?pr=165515 From owner-freebsd-jail@FreeBSD.ORG Wed May 23 15:47:56 2012 Return-Path: Delivered-To: freebsd-jail@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 86F361065673; Wed, 23 May 2012 15:47:56 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5A7C08FC17; Wed, 23 May 2012 15:47:56 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q4NFluBn085990; Wed, 23 May 2012 15:47:56 GMT (envelope-from jamie@freefall.freebsd.org) Received: (from jamie@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q4NFltLM085985; Wed, 23 May 2012 15:47:55 GMT (envelope-from jamie) Date: Wed, 23 May 2012 15:47:55 GMT Message-Id: <201205231547.q4NFltLM085985@freefall.freebsd.org> To: redrat@mail.ru, jamie@FreeBSD.org, freebsd-jail@FreeBSD.org 
From: jamie@FreeBSD.org Cc: Subject: Re: bin/161957: jls(8): jls -v doesn't show anything if system compiled with WITHOUT_INET6 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 May 2012 15:47:56 -0000 Synopsis: jls(8): jls -v doesn't show anything if system compiled with WITHOUT_INET6 State-Changed-From-To: patched->closed State-Changed-By: jamie State-Changed-When: Wed May 23 15:47:24 UTC 2012 State-Changed-Why: MFCd as r235841 http://www.freebsd.org/cgi/query-pr.cgi?pr=161957 From owner-freebsd-jail@FreeBSD.ORG Wed May 23 15:50:06 2012 Return-Path: Delivered-To: freebsd-jail@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4407A106564A for ; Wed, 23 May 2012 15:50:06 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 257948FC17 for ; Wed, 23 May 2012 15:50:06 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q4NFo6kC086371 for ; Wed, 23 May 2012 15:50:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q4NFo6MB086370; Wed, 23 May 2012 15:50:06 GMT (envelope-from gnats) Date: Wed, 23 May 2012 15:50:06 GMT Message-Id: <201205231550.q4NFo6MB086370@freefall.freebsd.org> To: freebsd-jail@FreeBSD.org 
From: dfilter@FreeBSD.ORG (dfilter service) Cc: Subject: Re: bin/161957: commit references a PR X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 May 2012 15:50:06 -0000 The following reply was made to PR bin/161957; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: bin/161957: commit references a PR Date: Wed, 23 May 2012 15:47:28 +0000 (UTC) Author: jamie Date: Wed May 23 15:47:07 2012 New Revision: 235841 URL: http://svn.freebsd.org/changeset/base/235841 Log: MFC r222465, r223224, r224841, r232613: Check for IPv4 or IPv6 to be available by the kernel to not provoke errors trying to query options not available. Make it possible to compile out INET or INET6 only parts. PR: bin/161957 Modified: stable/8/usr.sbin/jls/Makefile stable/8/usr.sbin/jls/jls.c Directory Properties: stable/8/usr.sbin/jls/ (props changed) Modified: stable/8/usr.sbin/jls/Makefile ============================================================================== --- stable/8/usr.sbin/jls/Makefile Wed May 23 15:30:13 2012 (r235840) +++ stable/8/usr.sbin/jls/Makefile Wed May 23 15:47:07 2012 (r235841) @@ -1,5 +1,7 @@ # $FreeBSD$ +.include + PROG= jls MAN= jls.8 DPADD= ${LIBJAIL} @@ -7,4 +9,11 @@ LDADD= -ljail WARNS?= 6 +.if ${MK_INET6_SUPPORT} != "no" +CFLAGS+= -DINET6 +.endif +.if ${MK_INET_SUPPORT} != "no" +CFLAGS+= -DINET +.endif + .include Modified: stable/8/usr.sbin/jls/jls.c ============================================================================== --- stable/8/usr.sbin/jls/jls.c Wed May 23 15:30:13 2012 (r235840) +++ stable/8/usr.sbin/jls/jls.c Wed May 23 15:47:07 2012 (r235841) 
@@ -59,6 +59,12 @@ __FBSDID("$FreeBSD$"); static struct jailparam *params; static int *param_parent; static int nparams; +#ifdef INET6 +static int ip6_ok; +#endif +#ifdef INET +static int ip4_ok; +#endif static int add_param(const char *name, void *value, size_t valuelen, struct jailparam *source, unsigned flags); @@ -112,6 +118,13 @@ main(int argc, char **argv) errx(1, "usage: jls [-dhnqv] [-j jail] [param ...]"); } +#ifdef INET6 + ip6_ok = feature_present("inet6"); +#endif +#ifdef INET + ip4_ok = feature_present("inet"); +#endif + /* Add the parameters to print. */ if (optind == argc) { if (pflags & (PRINT_HEADER | PRINT_NAMEVAL)) @@ -124,13 +137,24 @@ main(int argc, char **argv) add_param("name", NULL, (size_t)0, NULL, JP_USER); add_param("dying", NULL, (size_t)0, NULL, JP_USER); add_param("cpuset.id", NULL, (size_t)0, NULL, JP_USER); - add_param("ip4.addr", NULL, (size_t)0, NULL, JP_USER); - add_param("ip6.addr", NULL, (size_t)0, NULL, - JP_USER | JP_OPT); +#ifdef INET + if (ip4_ok) + add_param("ip4.addr", NULL, (size_t)0, NULL, + JP_USER); +#endif +#ifdef INET6 + if (ip6_ok) + add_param("ip6.addr", NULL, (size_t)0, NULL, + JP_USER | JP_OPT); +#endif } else { pflags |= PRINT_DEFAULT; add_param("jid", NULL, (size_t)0, NULL, JP_USER); - add_param("ip4.addr", NULL, (size_t)0, NULL, JP_USER); +#ifdef INET + if (ip4_ok) + add_param("ip4.addr", NULL, (size_t)0, NULL, + JP_USER); +#endif add_param("host.hostname", NULL, (size_t)0, NULL, JP_USER); add_param("path", NULL, (size_t)0, NULL, JP_USER); @@ -327,7 +351,7 @@ print_jail(int pflags, int jflags) { char *nname; char **param_values; - int i, ai, jid, count, spc; + int i, ai, jid, count, n, spc; char ipbuf[INET6_ADDRSTRLEN]; jid = jailparam_get(params, nparams, jflags); 
@@ -345,31 +369,47 @@ print_jail(int pflags, int jflags) *(int *)params[4].jp_value ? "DYING" : "ACTIVE", "", *(int *)params[5].jp_value); - count = params[6].jp_valuelen / sizeof(struct in_addr); - for (ai = 0; ai < count; ai++) - if (inet_ntop(AF_INET, - &((struct in_addr *)params[6].jp_value)[ai], - ipbuf, sizeof(ipbuf)) == NULL) - err(1, "inet_ntop"); - else - printf("%6s %-15.15s\n", "", ipbuf); - if (!strcmp(params[7].jp_name, "ip6.addr")) { - count = params[7].jp_valuelen / sizeof(struct in6_addr); + n = 6; +#ifdef INET + if (ip4_ok && !strcmp(params[n].jp_name, "ip4.addr")) { + count = params[n].jp_valuelen / sizeof(struct in_addr); + for (ai = 0; ai < count; ai++) + if (inet_ntop(AF_INET, + &((struct in_addr *)params[n].jp_value)[ai], + ipbuf, sizeof(ipbuf)) == NULL) + err(1, "inet_ntop"); + else + printf("%6s %-15.15s\n", "", ipbuf); + n++; + } +#endif +#ifdef INET6 + if (ip6_ok && !strcmp(params[n].jp_name, "ip6.addr")) { + count = params[n].jp_valuelen / sizeof(struct in6_addr); for (ai = 0; ai < count; ai++) if (inet_ntop(AF_INET6, - &((struct in6_addr *)params[7].jp_value)[ai], + &((struct in6_addr *) + params[n].jp_value)[ai], ipbuf, sizeof(ipbuf)) == NULL) err(1, "inet_ntop"); else printf("%6s %s\n", "", ipbuf); + n++; } +#endif } else if (pflags & PRINT_DEFAULT) printf("%6d %-15.15s %-29.29s %.74s\n", *(int *)params[0].jp_value, - params[1].jp_valuelen == 0 ? "-" +#ifdef INET + (!ip4_ok || params[1].jp_valuelen == 0) ? 
"-" : inet_ntoa(*(struct in_addr *)params[1].jp_value), - (char *)params[2].jp_value, - (char *)params[3].jp_value); + (char *)params[2-!ip4_ok].jp_value, + (char *)params[3-!ip4_ok].jp_value); +#else + "-", + (char *)params[1].jp_value, + (char *)params[2].jp_value); +#endif else { param_values = alloca(nparams * sizeof(*param_values)); for (i = 0; i < nparams; i++) { _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" From owner-freebsd-jail@FreeBSD.ORG Thu May 24 21:47:00 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3003C106566C for ; Thu, 24 May 2012 21:47:00 +0000 (UTC) (envelope-from tomdean@speakeasy.org) Received: from asbnvacz-mailrelay01.megapath.net (asbnvacz-mailrelay01.megapath.net [207.145.128.243]) by mx1.freebsd.org (Postfix) with ESMTP id E44F78FC08 for ; Thu, 24 May 2012 21:46:59 +0000 (UTC) Received: from mail1.sea5.speakeasy.net (mail1.sea5.speakeasy.net [69.17.117.39]) by asbnvacz-mailrelay01.megapath.net (Postfix) with ESMTP id 127C9A70586 for ; Thu, 24 May 2012 17:46:58 -0400 (EDT) Received: (qmail 2871 invoked from network); 24 May 2012 21:46:58 -0000 Received: by simscan 1.4.0 ppid: 2328, pid: 19519, t: 1.3019s scanners: clamav: m: Received: from unknown (HELO P9X79.tddhome) (tomdean@[24.113.107.31]) (envelope-sender ) by mail1.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 24 May 2012 21:46:57 -0000 Message-ID: <4FBEAC50.4020703@speakeasy.org> Date: Thu, 24 May 2012 14:46:56 -0700 
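Review bot: in the last jls.c hunk of the r235841 change above (print_jail, PRINT_DEFAULT branch), the hostname and path are fetched as `params[2-!ip4_ok]` and `params[3-!ip4_ok]`, and the `#else` arm repeats the same two fields with indices 1 and 2, so the order in which main() calls add_param() is now encoded in several places. The verbose branch of the same hunk already walks the optional address parameters with a running index `n`; using the same running index here would keep the two branches consistent and remove the index arithmetic.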
From: "Thomas D. Dean" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:10.0.2) Gecko/20120310 Thunderbird/10.0.2 MIME-Version: 1.0 To: freebsd-jail@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail1.sea5 X-Spam-Level: X-Spam-Status: No, score=0.9 required=8.0 tests=FORGED_RCVD_HELO, RATWARE_GECKO_BUILD autolearn=disabled version=3.0.4 Subject: i386 in jail on amd64 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 May 2012 21:47:00 -0000

I have i386 running in jail on amd64, sort of.

I need the i386 environment to develop for a nanoBSD installation on an ELAN SC520.

I am very inexperienced with jail (both kinds, I hope). Setting all this up was not easy. Or, maybe I am slow.

How do I get a writeup into the handbook of building the i386 distribution on amd64 and using jail to run the i386 system? I can create a text file of what I did if someone can do the insert into the handbook.

There seem to be some problems. Often things are just flaky. No problem I can describe, just things are 'off'. For example, in the jail, I had etc/rc.conf. When I tried to edit it with vi, I got something completely different. A very old version of rc.conf. But, cat etc/rc.conf shows the new one. I rebooted the host and that problem cleared itself. But, after some time other funny things happen.

I can use emacs on the host to write code for the i386 jail, compile in the jail and execute in the nanoBSD system. I can launch an xterm from within the jail on the host display. I can access the network, for example, to fetch ports.

However, emacs from within the jail warns of problems and frequently exits without warning or error. > emacs (emacs:90036): GLib-WARNING **: In call to g_spawn_sync(), exit status of a child process was requested but SIGCHLD action was set to SIG_IGN and ECHILD was received by waitpid(), so exit status can't be returned. This is a bug in the program calling g_spawn_sync(); either don't request the exit status, or don't set the SIGCHLD action. GConf Error: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details - 1: Failed to get connection to session: Command line `dbus-launch --autolaunch=9376113602d18a766c6d6bf100035e9d --binary-syntax --close-stderr' exited with non-zero exit status 2655172: Unable to create /root/.dbus\nUnable to create /root/.dbus/session-bus\n) (emacs:90036): GLib-WARNING **: In call to g_spawn_sync(), exit status of a child process was requested but SIGCHLD action was set to SIG_IGN and ECHILD was received by waitpid(), so exit status can't be returned. This is a bug in the program calling g_spawn_sync(); either don't request the exit status, or don't set the SIGCHLD action. 
(emacs:90036): GdkPixbuf-WARNING **: Cannot open pixbuf loader modu # exit from sh will terminate the jail le file '/usr/local/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory
(emacs:90036): GdkPixbuf-WARNING **: Cannot open pixbuf loader module file '/usr/local/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory
(emacs:90036): GdkPixbuf-WARNING **: Error loading XPM image loader: Image type 'xpm' is not supported
(emacs:90036): Gdk-WARNING **: shmget failed: error 78 (Function not implemented)
(emacs:90036): Gdk-WARNING **: XID collision, trouble ahead
(emacs:90036): Gdk-WARNING **: XID collision, trouble ahead

Tom Dean

I built the i386 system on amd64 and it seems to be Ok.
Here is what I did

Prepare i386KRNCFG and place in /usr/src/sys/i386/conf

env -i MACHINE_ARCH=amd64 \
    MACHINE=amd64 \
    DESTDIR=/diskless/i386 \
    make TARGET=i386 buildworld
env -i MACHINE_ARCH=amd64 \
    MACHINE=amd64 \
    DESTDIR=/diskless/i386 \
    make TARGET=i386 KERNCONF=GENERIC buildkernel
env -i MACHINE_ARCH=amd64 \
    MACHINE=amd64 \
    DESTDIR=/diskless/i386 \
    make installworld
env -i MACHINE_ARCH=amd64 \
    MACHINE=amd64 \
    DESTDIR=/diskless/i386 \
    make installkernel KERNCONF=GENERIC
env -i MACHINE_ARCH=amd64 \
    MACHINE=amd64 \
    DESTDIR=/diskless/i386 \
    make TARGET=i386 distribution
mergemaster -A i386 -D /diskless/i386

=======================================
start the jail

sudo mount -t devfs devfs /diskless/i386/dev
sudo ifconfig em0 inet alias 192.168.2.23
sudo mount -t procfs proc /diskless/i386/proc
sudo jail -c -U path=/diskless/i386 \
    host.hostname=p9x79 ip4.addr=192.168.2.23 command=/bin/tcsh

from within the jail, execute /etc/rc
> su
> sh /etc/rc

on the host:
xhost +192.168.2.23

in the jail
xterm, emacs, etc

emacs is funny.
From owner-freebsd-jail@FreeBSD.ORG Thu May 24 23:39:06 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 03371106566C for ; Thu, 24 May 2012 23:39:06 +0000 (UTC) (envelope-from rickvanderzwet@gmail.com) Received: from mail-we0-f182.google.com (mail-we0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id 8D9B88FC19 for ; Thu, 24 May 2012 23:39:05 +0000 (UTC) Received: by werg1 with SMTP id g1so278361wer.13 for ; Thu, 24 May 2012 16:39:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=5yqjH0cgZ3zULb7osqyS3sqbZqcqrz2fiOfRslyoDfU=; b=vHw3FIORojoLZYqyVTPujDs1hRd5ADrTONVdF36CLch030VH+qloWmWcTc/xQ6ii3p vUkMMBSOxEiwivG8gf0kSiOnLHfwOW1JxbZbbhbSNMQ2kyXJvJhRp0nftaD8ddfB54f7 qQGU5gY9gNEXfwouTdjFvJ+tsw+5ZXdB2DHCijWV2jnSNEVm3TmHL8T8kzeNj0rJPzdG B8X7bpGaD3hvoXMg0O3SgSG4nWXhuELOvWkdkr1BGyWffUlnHjZtdgKBwMychpid8tCC HK/dhSsF3uB1pae8LFBzg0ppta8k4UqPyDzuw+cRlyd/xaTerDTdFCIeL8ZN+Mz9vaDp Xo9g== Received: by 10.180.107.230 with SMTP id hf6mr14203632wib.11.1337902744731; Thu, 24 May 2012 16:39:04 -0700 (PDT) MIME-Version: 1.0 Sender: rickvanderzwet@gmail.com Received: by 10.223.64.83 with HTTP; Thu, 24 May 2012 16:38:44 -0700 (PDT) In-Reply-To: <4FBEAC50.4020703@speakeasy.org> References: <4FBEAC50.4020703@speakeasy.org> 
From: Rick van der Zwet Date: Fri, 25 May 2012 01:38:44 +0200 X-Google-Sender-Auth: sPuJgoUYHAIhl5JXIcOi9m1OBS8 Message-ID: To: "Thomas D. Dean" Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-jail@freebsd.org Subject: Re: i386 in jail on amd64 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 May 2012 23:39:06 -0000

On 24 May 2012 23:46, Thomas D. Dean wrote:
> I have i386 running in jail on amd64, sort of.
> I need the i386 environment to develop for a nanoBSD installation
> on an ELAN SC520.
...
> There seem to be some problems. Often things are just flaky. No problem I
> can describe, just things are 'off'.

I have been down that road as well, but it failed. These are my 2cts, somebody please correct me if I am wrong. Your /dev pseudo system inside your jail is an amd64 type whereas your userland within your jail is of i386 type. Those conflict with each other, causing all kinds of weird and wonderful behavior.

My biggest hint of things really going wrong came when creating md(4) devices from within the jail.

Br.
/Rick -- http://rickvanderzwet.nl From owner-freebsd-jail@FreeBSD.ORG Fri May 25 00:08:02 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0A4DB1065677 for ; Fri, 25 May 2012 00:08:02 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from cosmo.uchicago.edu (cosmo.uchicago.edu [128.135.52.97]) by mx1.freebsd.org (Postfix) with ESMTP id D33448FC14 for ; Fri, 25 May 2012 00:08:01 +0000 (UTC) Received: by cosmo.uchicago.edu (Postfix, from userid 48) id C48CBCB8C82; Thu, 24 May 2012 18:45:05 -0500 (CDT) Received: from 128.135.70.6 (SquirrelMail authenticated user valeri) by cosmo.uchicago.edu with HTTP; Thu, 24 May 2012 18:45:05 -0500 (CDT) Message-ID: <58333.128.135.70.6.1337903105.squirrel@cosmo.uchicago.edu> In-Reply-To: References: <4FBEAC50.4020703@speakeasy.org> Date: Thu, 24 May 2012 18:45:05 -0500 (CDT) 
From: "Valeri Galtsev" To: "Rick van der Zwet" User-Agent: SquirrelMail/1.4.8-5.el5.centos.7 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-jail@freebsd.org Subject: Re: i386 in jail on amd64 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: galtsev@kicp.uchicago.edu List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 May 2012 00:08:02 -0000

Is there any reason to not use a virtual machine (e.g. VirtualBox) with real i386 in it instead of jail? Just curious.

Valeri

On Thu, May 24, 2012 6:38 pm, Rick van der Zwet wrote:
> On 24 May 2012 23:46, Thomas D. Dean wrote:
>> I have i386 running in jail on amd64, sort of.
>> I need the i386 environment to develop for a nanoBSD installation
>> on an ELAN SC520.
> ...
>> There seem to be some problems. Often things are just flaky. No
>> problem I can describe, just things are 'off'.
>
> I have been down that road as well, but it failed. These are my 2cts,
> somebody please correct me if I am wrong. Your /dev pseudo system
> inside your jail is an amd64 type whereas your userland within your
> jail is of i386 type. Those conflict with each other, causing all
> kinds of weird and wonderful behavior.
>
> My biggest hint of things really going wrong came when creating md(4)
> devices from within the jail.
>
> Br.
/Rick > -- > http://rickvanderzwet.nl > _______________________________________________ > freebsd-jail@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-jail > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org" > ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++ From owner-freebsd-jail@FreeBSD.ORG Fri May 25 00:09:42 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A0BC106564A for ; Fri, 25 May 2012 00:09:42 +0000 (UTC) (envelope-from glen.j.barber@gmail.com) Received: from mail-qc0-f182.google.com (mail-qc0-f182.google.com [209.85.216.182]) by mx1.freebsd.org (Postfix) with ESMTP id EDE4B8FC1B for ; Fri, 25 May 2012 00:09:41 +0000 (UTC) Received: by qcsg15 with SMTP id g15so333870qcs.13 for ; Thu, 24 May 2012 17:09:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:x-operating-system :user-agent; bh=zRtHoJ5dv6R3yaLG+c0uJwR1u9+e14NteDM3xD5qtNQ=; b=Wv9iwfEBL/n/aJirzppM8777xHMXEIAZdynat3Uz5MRIRDMERtWsAMt7VGlKqF1APg OQ4Y4+alDi819MFRMLvfUDMn8Y1l2JXp/qtgXG+qmRq6NBNFMcjXN2fuCmgtZOGXFRUh 7O3aac8UrzdorQet3Nl+REAYxHG4Nu8SVZRQFuXGHM0Vhh3M10Er5DkCMKntseG9rdhO WNKFUqwZacolxgaRIQ+JHNyEDwS+Ti/mhI2jI64bpuArK2NJzjiEg1PfHnE/OTGm0uwJ 3GlKETn1BBYH/VxHGNALkyEpuz4DI5V/rJH6Dm3cuNa1sBBnqnuZ0dPiUzvI5jb2YptK bMgw== Received: by 10.224.206.198 with SMTP id fv6mr12815228qab.6.1337904581287; Thu, 24 May 2012 17:09:41 -0700 (PDT) Received: from schism.local (c-76-124-49-145.hsd1.pa.comcast.net. 
[76.124.49.145]) by mx.google.com with ESMTPS id gb7sm10497893qab.12.2012.05.24.17.09.39 (version=SSLv3 cipher=OTHER); Thu, 24 May 2012 17:09:40 -0700 (PDT) Date: Thu, 24 May 2012 20:09:38 -0400 
From: Glen Barber To: Valeri Galtsev Message-ID: <20120525000937.GA1377@schism.local> References: <4FBEAC50.4020703@speakeasy.org> <58333.128.135.70.6.1337903105.squirrel@cosmo.uchicago.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <58333.128.135.70.6.1337903105.squirrel@cosmo.uchicago.edu> X-Operating-System: FreeBSD 10.0-CURRENT amd64 User-Agent: Mutt/1.5.21 (2010-09-15) Cc: freebsd-jail@freebsd.org Subject: Re: i386 in jail on amd64 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 May 2012 00:09:42 -0000 On Thu, May 24, 2012 at 06:45:05PM -0500, Valeri Galtsev wrote: > Is there any reason to not use virtual machine (e.g. VirtualBox) with real > i386 in it instead of jail? Just curious. Overhead of VirtualBox. Glen From owner-freebsd-jail@FreeBSD.ORG Fri May 25 17:04:39 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 76A4B1065674; Fri, 25 May 2012 17:04:39 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mx1.sbone.de (bird.sbone.de [46.4.1.90]) by mx1.freebsd.org (Postfix) with ESMTP id 23B018FC0A; Fri, 25 May 2012 17:04:39 +0000 (UTC) Received: from mail.sbone.de (mail.sbone.de [IPv6:fde9:577b:c1a9:31::2013:587]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.sbone.de (Postfix) with ESMTPS id 21EB725D389C; Fri, 25 May 2012 17:04:38 +0000 (UTC) Received: from content-filter.sbone.de (content-filter.sbone.de [IPv6:fde9:577b:c1a9:31::2013:2742]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPS id 2C1E9BE7B6D; Fri, 25 May 2012 17:04:37 +0000 (UTC) 
X-Virus-Scanned: amavisd-new at sbone.de Received: from mail.sbone.de ([IPv6:fde9:577b:c1a9:31::2013:587]) by content-filter.sbone.de (content-filter.sbone.de [fde9:577b:c1a9:31::2013:2742]) (amavisd-new, port 10024) with ESMTP id tFypQbVmH0nJ; Fri, 25 May 2012 17:04:36 +0000 (UTC) Received: from orange-en1.sbone.de (orange-en1.sbone.de [IPv6:fde9:577b:c1a9:31:cabc:c8ff:fecf:e8e3]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sbone.de (Postfix) with ESMTPSA id 4C2A2BE7B6C; Fri, 25 May 2012 17:04:34 +0000 (UTC) Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: text/plain; charset=us-ascii 
From: "Bjoern A. Zeeb" In-Reply-To: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com> Date: Fri, 25 May 2012 17:04:34 +0000 Content-Transfer-Encoding: 7bit Message-Id: <8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net> References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com> To: sbruno@freebsd.org X-Mailer: Apple Mail (2.1084) Cc: FreeBSD Hackers , FreeBSD-Jail Subject: Re: [jail] Allowing root privledged users to renice X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 May 2012 17:04:39 -0000 On 25. May 2012, at 16:48 , Sean Bruno wrote: > I've been toying with the idea of letting jails renice processes ... how > dangerous and/or stupid is this idea? > > ==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 - > /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ==== > 270a271,275 > + int jail_allow_renice = 0; > + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW, > + &jail_allow_renice, 0, > + "Prison root can renice processes"); > > 3857a3863,3865 > + case PRIV_SCHED_SETPRIORITY: > + if (!jail_allow_renice) > + return (EPERM); I think sysctls are a bad idea given jails have per-jail flags these days. Maybe also only allow re-nicing to be nicer but not less nice? /bz -- Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do! 
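Review bot: in the second quoted hunk (3857a3863,3865) the new `case PRIV_SCHED_SETPRIORITY:` shows only the denial path. When `jail_allow_renice` is non-zero, execution continues into whatever follows at line 3866, which the diff does not show, so the allowed result depends on the neighbouring case. End the case with an explicit `return (0);`, or add a comment saying the fall-through is intended.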
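A user-space model of the two designs discussed in this thread, a single system-wide switch versus a per-jail permission with a priority ceiling chosen by the host, as an added example that is not FreeBSD kernel code and not code from any poster. `struct model_jail`, `MODEL_ALLOW_RENICE`, `nice_floor` and both function names are hypothetical; the model assumes that raising a nice value needs no privilege and that the global switch, when on, simply grants the privilege.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define NICE_MIN (-20)	/* highest priority */
#define NICE_MAX 20	/* lowest priority */

/* Hypothetical per-jail permission bit; not a real FreeBSD identifier. */
#define MODEL_ALLOW_RENICE 0x01u

/* Minimal stand-in for the per-jail state the policy needs. */
struct model_jail {
	unsigned allow;		/* per-jail permission bits */
	int nice_floor;		/* lowest nice value the host lets this jail reach */
};

/*
 * Variant A: one system-wide switch.
 * Assumption: when the switch is on, the privilege is simply granted,
 * so every jail gets the same answer and any in-range value is accepted.
 */
int
model_global_check(int global_allow, int cur, int req)
{
	if (req < NICE_MIN || req > NICE_MAX)
		return (EINVAL);
	if (req >= cur)
		return (0);	/* assumption: getting nicer needs no privilege */
	return (global_allow ? 0 : EPERM);
}

/*
 * Variant B: per-jail flag plus a floor chosen by the host.
 * jail == NULL models root on the host, which is not restricted.
 */
int
model_per_jail_check(const struct model_jail *jail, int cur, int req)
{
	if (req < NICE_MIN || req > NICE_MAX)
		return (EINVAL);
	if (jail == NULL || req >= cur)
		return (0);
	if ((jail->allow & MODEL_ALLOW_RENICE) == 0)
		return (EPERM);	/* this jail was never granted renice */
	if (req < jail->nice_floor)
		return (EPERM);	/* would exceed the priority the host assigned */
	return (0);
}

int
main(void)
{
	/* Constructed sample jails: one with the flag and a floor of 5, one without. */
	struct model_jail build = { MODEL_ALLOW_RENICE, 5 };
	struct model_jail web = { 0, 0 };

	printf("global on,  10 -> -20: %d\n", model_global_check(1, 10, -20));
	printf("build jail, 10 -> 5:   %d\n", model_per_jail_check(&build, 10, 5));
	printf("build jail, 10 -> 0:   %d\n", model_per_jail_check(&build, 10, 0));
	printf("web jail,   10 -> 5:   %d\n", model_per_jail_check(&web, 10, 5));
	printf("host root,  10 -> -20: %d\n", model_per_jail_check(NULL, 10, -20));
	return (0);
}
```

With the global switch on, any jailed root can take a process to nice -20; in the per-jail variant the same request is refused unless the host both set the flag and chose a floor that low.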
From owner-freebsd-jail@FreeBSD.ORG Fri May 25 17:23:48 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 20D901065672; Fri, 25 May 2012 17:23:48 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id E25568FC1D; Fri, 25 May 2012 17:23:47 +0000 (UTC) Received: from julian-mac.elischer.org (c-67-180-24-15.hsd1.ca.comcast.net [67.180.24.15]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id q4PHNhRS075645 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Fri, 25 May 2012 10:23:45 -0700 (PDT) (envelope-from julian@freebsd.org) Message-ID: <4FBFC029.10401@freebsd.org> Date: Fri, 25 May 2012 10:23:53 -0700 
From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-US; rv:1.9.2.28) Gecko/20120306 Thunderbird/3.1.20 MIME-Version: 1.0 To: "Bjoern A. Zeeb" References: <1337964514.8951.2.camel@powernoodle-l7.corp.yahoo.com> <8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net> In-Reply-To: <8EE125C9-9FA7-495B-A6ED-CF3F7C2E8A3E@lists.zabbadoz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: FreeBSD Hackers , sbruno@freebsd.org, FreeBSD-Jail Subject: Re: [jail] Allowing root privledged users to renice X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 May 2012 17:23:48 -0000 On 5/25/12 10:04 AM, Bjoern A. Zeeb wrote: > On 25. May 2012, at 16:48 , Sean Bruno wrote: > >> I've been toying with the idea of letting jails renice processes ... how >> dangerous and/or stupid is this idea? >> >> ==== //depot/yahoo/ybsd_9/src/sys/kern/kern_jail.c#5 - >> /home/seanbru/ybsd_9/src/sys/kern/kern_jail.c ==== >> 270a271,275 >> + int jail_allow_renice = 0; >> + SYSCTL_INT(_security_jail, OID_AUTO, allow_renice, CTLFLAG_RW, >> +&jail_allow_renice, 0, >> + "Prison root can renice processes"); >> >> 3857a3863,3865 >> + case PRIV_SCHED_SETPRIORITY: >> + if (!jail_allow_renice) >> + return (EPERM); > > I think sysctls are a bad idea given jails have per-jail flags these days. > > Maybe also only allow re-nicing to be nicer but not less nice? ^^^^ for sure! start a jail with its max priority and the root within can allow nicer priorities only.. you can always add priority from the master (parent) environment outside. 
> /bz > From owner-freebsd-jail@FreeBSD.ORG Fri May 25 19:24:25 2012 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CD3941065672 for ; Fri, 25 May 2012 19:24:25 +0000 (UTC) (envelope-from peter.toth@cellcontainer.com) Received: from mgw.cellcontainer.com (mgw.cellcontainer.com [87.229.77.135]) by mx1.freebsd.org (Postfix) with ESMTP id 6BFC48FC1A for ; Fri, 25 May 2012 19:24:25 +0000 (UTC) Received: from mgw.cellcontainer.com (unknown [192.168.1.10]) by mgw.cellcontainer.com (Postfix) with ESMTP id 05A2FBB0C for ; Fri, 25 May 2012 19:18:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cellcontainer.com; h= message-id:date:subject:from:to:mime-version:content-type; s= selector1; bh=RQyEd+vI0wKTjNrDe7sGMlZq5hU=; b=zQnuV3E+XO0JPV5H8d YOu1Yc6Sgl8ZTF8HZaBLFHQRMOJCAlf5YadfCh52QE92qPneEeQ1XtvznKOhg+iL mWTWyhKFJ9NE0WRjlQwpwsySTIVf/djqw/GM1Ko4ptllqbMwkUH2B4i2XNIxutdm t87VbViiJGgR+HgBCmWA0Mses= DomainKey-Signature: a=rsa-sha1; c=nofws; d=cellcontainer.com; h= message-id:date:subject:from:to:mime-version:content-type; q= dns; s=selector1; b=mVqi8VwHiTLVo6m79/U5C3NWkji0cTJkk1XA/QcuXc8e Q9tFtC1Maxga7VkAPc3yenXp5OgkMQDYntczeJ2Zo1yzHoZgK3dasyzgGCzvFHSk e5Ueeu93k38uhs7l0h2E2Of2HnUd56N5IKCH9jqdGX863ctPdvjL2uhEYnGgpKU= Received: from gpo.cellcontainer.com (unknown [192.168.1.15]) by mgw.cellcontainer.com (Postfix) with ESMTP id DD428BB0B for ; Fri, 25 May 2012 19:18:14 +0000 (UTC) Received: by gpo.cellcontainer.com (Postfix, from userid 58) id C81CD3BFEA; Fri, 25 May 2012 19:18:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on gpo.cellcontainer.com X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,HTML_MESSAGE autolearn=ham version=3.3.2 Received: from gpo.cellcontainer.com (gpo.cellcontainer.com [192.168.1.15]) by gpo.cellcontainer.com (Postfix) with ESMTP id 021EF3BFD3 for ; Fri, 25 May 2012 19:18:09 +0000 
(UTC) Message-ID: <1337973488.4fbfdaf0e8c6d@gpo.cellcontainer.com> Date: Fri, 25 May 2012 21:18:08 +0200 From: Peter Toth To: "freebsd-jail@freebsd.org" MIME-Version: 1.0 X-MimeOLE: Produced by Group-Office 3.7.41 X-Mailer: Group-Office 3.7.41 X-Priority: 3 (Normal) Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: zjails VNET and ZFS jails X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 25 May 2012 19:24:25 -0000

Hi all,

Just a quick note that I have uploaded a perl script with VNET and ZFS jails support to sourceforge.net.

It is in very early stages (expect a lot of bugs) and intended only for testing purposes, README documentation is sparse too (will change over time).

If anyone is interested please check it here: http://sourceforge.net/projects/zjails/

Cheers,
Peter