From owner-freebsd-jail@FreeBSD.ORG Thu Aug 21 11:05:51 2014
From: Василий Татаренко
Date: Thu, 21 Aug 2014 15:05:23 +0400
Subject: heartbeat inside jail
To: freebsd-jail@freebsd.org
List-Id: "Discussion about FreeBSD jail(8)"
I use FreeBSD 10.0-p7.
I try to use heartbeat (/usr/ports/sysutils/heartbeat) inside a jail.

My /etc/jail.conf:

> allow.raw_sockets = "true";
> allow.mount = "true";
> allow.mount.devfs = "true";
> mount.devfs = "true";
> exec.start = "sh /etc/rc";
> exec.stop = "sh /etc/rc.shutdown";
> webcl {
>     enforce_statfs = "1";
>     vnet = "new";
>     exec.prestart = "ifconfig epair1 create up";
>     exec.prestart += "ifconfig bridge0 addm epair1a";
>     exec.start = "ifconfig epair1b link **:**:**:**:**:**";
>     exec.start += "sh /etc/rc";
>     vnet.interface = "epair1b";
>     exec.poststop = "ifconfig bridge0 deletem epair1a";
>     exec.poststop += "ifconfig epair1a destroy";
>     path = "/jails/webcl";
>     name = "webcl";
>     host.hostname = "************";
>     allow.mount.nullfs = "true";
>     allow.mount.procfs = "true";
>     allow.sysvipc = "true";
> }

When I start heartbeat by

> service heartbeat onestart

I get errors like this:

> Aug 21 10:38:39 de heartbeat: [40637]: ERROR: Unable to set scheduler parameters.: Operation not permitted
> Aug 21 10:38:39 de heartbeat: [40637]: ERROR: Unable to lock pid 40637 in memory: Operation not permitted
> Aug 21 10:39:10 de heartbeat: [40647]: ERROR: unable to (re)set scheduler parameters.: Operation not permitted

I tried to figure out which function exactly gets "Operation not permitted" by

> find /usr/ports/sysutils/heartbeat -exec grep -l 'Unable to set scheduler parameters' "{}" \;

and the only source file that matches is

> /usr/ports/sysutils/heartbeat/work/STABLE-2.1.4/lib/clplumbing/realtime.c

So I dug inside and saw this:

> if ((staticp=sched_getscheduler(0)) < 0) {
>         cl_perror("unable to get scheduler parameters.");
> }else{
>         memset(&sp, 0, sizeof(sp));
>         sp.sched_priority = priority;
>         if (sched_setscheduler(0, spolicy, &sp) < 0) {
>                 cl_perror("Unable to set scheduler parameters.");
>         }
> }

The heartbeat processes are all run as root.
What can I do to make it work?

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 21 12:40:24 2014
Message-ID: <53F5E8AB.2010404@gritton.org>
Date: Thu, 21 Aug 2014 06:40:11 -0600
From: James Gritton
To: freebsd-jail@freebsd.org
Subject: Re: heartbeat inside jail

On 8/21/2014 5:05 AM, Василий Татаренко wrote:
> I use FreeBSD 10.0-p7
> I try to use heartbeat (/usr/ports/sysutils/heartbeat) inside a jail.
You'll have to excise the sched_setscheduler call, and possibly similar bits in other places (I haven't looked at heartbeat code). That's the kind of thing that affects the rest of the system, and jails don't allow it for that reason.

If heartbeat won't work (or won't work well) without it, and you're inclined to hack around in the kernel, you could add PRIV_SCHED_SET to prison_priv_check in kern_jail.c. But my guess is heartbeat will work well enough without setting scheduler priorities. If it doesn't, it's questionable whether that's the kind of thing you want to run in jails anyway.

- Jamie
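The degrade-gracefully behaviour Jamie describes, as an added example that is not part of the thread and not heartbeat's own realtime.c: the two privileged start-up calls seen failing in the jail's log (sched_setscheduler and memory locking) are probed once, EPERM is treated as "jailed or unprivileged, continue without it" instead of a repeated error, and the process is left as it was found. The function and enum names are the example's own.

```c
/* Added example (not from the thread or from heartbeat's realtime.c): probe
 * the two privileged start-up calls the error log shows failing inside the
 * jail, treating EPERM as "degrade and continue" rather than a hard error. */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum rt_status { RT_OK = 0, RT_DENIED = 1, RT_FAILED = 2 };

/* EPERM is what a jail (or an unprivileged user) gets for these calls. */
enum rt_status classify(int err)
{
    return err == EPERM ? RT_DENIED : RT_FAILED;
}

/* Try a real-time policy the way heartbeat does, then restore the previous
 * policy so the probe leaves the process as it found it. */
enum rt_status probe_realtime_sched(int policy)
{
    struct sched_param sp;
    int old_policy = sched_getscheduler(0);
    if (old_policy < 0)
        return classify(errno);
    memset(&sp, 0, sizeof(sp));
    sp.sched_priority = sched_get_priority_min(policy); /* valid for any policy */
    if (sched_setscheduler(0, policy, &sp) < 0)
        return classify(errno);
    sp.sched_priority = sched_get_priority_min(old_policy);
    sched_setscheduler(0, old_policy, &sp); /* back to a non-real-time policy needs no privilege */
    return RT_OK;
}

/* Try to lock the process in memory (heartbeat's second failing call); undo on success. */
enum rt_status probe_mlock(void)
{
    if (mlockall(MCL_CURRENT | MCL_FUTURE) < 0)
        return classify(errno);
    munlockall();
    return RT_OK;
}

int main(void)
{
    static const char *const names[] = {
        "ok", "denied (EPERM: jailed or unprivileged, running without it)", "failed" };
    printf("real-time scheduling: %s\n", names[probe_realtime_sched(SCHED_RR)]);
    printf("memory locking:       %s\n", names[probe_mlock()]);
    return 0;
}
```

Run as root on the host it reports "ok" for both; inside a jail configured as above, or as an unprivileged user, the scheduling probe reports "denied", which is the condition a daemon should log once and then proceed without.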

From owner-freebsd-jail@FreeBSD.ORG Thu Aug 21 18:05:09 2014
Message-Id: <3D042FC9-7CD9-4842-8D18-8354F9E1BB80@verweg.com>
From: Ruben van Staveren
Date: Thu, 21 Aug 2014 20:04:57 +0200
Subject: Re: mounting fdescfs in a nested/hierarchical jail?
To: "freebsd-stable@FreeBSD.org Stable", freebsd-jail@freebsd.org
References: <3CB0C5BC-3864-418E-A59F-467D39B7E1EA@verweg.com> <53F55F7E.4010309@gritton.org>
In-Reply-To: <53F55F7E.4010309@gritton.org>

Hi Jamie, others,

On 21 Aug 2014, at 4:54, James Gritton wrote:

> On 8/18/2014 6:26 AM, Ruben van Staveren wrote:
>> Hi list,
>>
>> I have a FreeBSD 10 zfs based ezjail setup. In one of the jails I am using ezjail again to set up a nested jail. My goal is to eventually have my jails use these nested jails as containers for certain services.
>>
>> However, I am not able to mount a nested fdescfs. When I leave out fdesc, the nested jail starts up just fine.
>>
>> There is no allow.mount.fdescfs. Do we need one?
>>
>> Cheers,
>> Ruben
>
> That's probably the answer. It seems a little inelegant to have this proliferation of pseudo-fs type allowances, but it's the direction we've gone.

Ok, I've written a little patch for that. Seems to work on r268794

http://pastebin.com/5t9zEzkV

I am not sure about the consequences of having this permission.
Best Regards,
Ruben