From: Benjamin Connelly
To: freebsd-jail@freebsd.org
Subject: Re: ftasv and ScoreBoardFile on FreeBSD 10 with jails
Date: Mon, 30 Mar 2015 08:42:11 -0700
In-Reply-To: <88a082c0bbf3a1bae7e5a6864f73884d@gritton.org>

>> We recently upgraded some FreeBSD 9.1 servers to FreeBSD 10.1 and found it broke the scoreboard viewing utility we were using, the "ftasv" port (ftss).
>>
>> For that tool to work apache is supposed to be configured to use 'a "name based" shared memory segment' (from their README) by the directive
>>
>> ScoreBoardFile /var/run/apache_status
>>
>> That used to (on FreeBSD 9.1) create that "file". Then we could execute 'ftasv /var/run/apache_status' to interpret it and see what requests apache was working to serve.
>>
>> This even worked with many different apache instances running each in their own jail, where all the jails actually share the same basejail /usr/local/sbin/httpd binary. Inside each jail we could see just the requests that instance of apache was working on.
>>
>> But after the FreeBSD upgrade to 10.1 we no longer see the apache_status file in the filesystem, and ftasv seems to actually report the most recent hits from the most recently restarted instance of apache, even if that's in another jail!? (On a system with no jails and just the one instance of apache, it's not actually a problem!)
>>
>> Can anybody point me toward the right dials to turn if it's still possible to do this scoreboard viewing of each independent apache instance? (Like I think I may need security.jail.param.allow.sysvipc=1 in the jails, but I'm also finding with ezjail I'm not actually able to get that set because it's creating the /var/run/jail.JAILNAME.conf file with both these lines in it:
>>
>> allow.sysvipc = 0;
>> allow.sysvipc=1;
>>
>> Ben
>
> You definitely don't want to try setting anything under security.jail.param.* - those are just informational, used by jail(8) to know the identities and formats of the currently available parameters. One of the two lines that is ending up in /var/run/jail.JAILNAME.conf is correct, though it's not immediately obvious which one.
>
> ftss claims you need name-based shared memory, i.e. memory-mapped files. This has nothing to do with SYSV-style shared memory, except that it's the modern (i.e. right) way to do shared memory and SYSV IPC is the old (i.e. wrong) way. So that would make me think it doesn't matter what you do with allow.sysvipc. Maybe ftss first tries SYSV, and if that works it goes with that, and if it doesn't then it tries the memory-mapped file (which isn't what it says it does, but that's neither here nor there). Jails that allow SYSV IPC don't segregate it into per-jail namespaces, which is IMHO a bug and which would explain it seeing some other jail's status. Memory-mapped files on the other hand depend on the file being the same (and not just the same name), so a typical jail will not be able to share another jail's memory-mapped files because it can't see another jail's filesystem namespace.
>
> This is making me think you want allow.sysvipc=0. I'm not sure how you would set that in ezjail, but I would assume it's ... well ... easy.
>
> - Jamie

Well I have heard back from the developers of ftss that it uses "whatever apr uses" for shared memory.

It sure seems like something changed here and that jails should each have their own apache scoreboard shared memory and not be able to see the others, like it was in the FreeBSD 9's. . .

Does anybody know anything about this?

Benjamin
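A small lint for the duplicated allow.sysvipc lines Ben found in the ezjail-generated /var/run/jail.JAILNAME.conf: it lists every assignment in file order and exits non-zero when they conflict, so an admin can see which setting the jail actually carries before trusting it (with allow.sysvipc on, Jamie notes, a jail's SysV segments are not namespaced away from other jails). This is an added example, not code from the thread or from ezjail; the sample config contents and the /tmp paths are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): lint a jail(8) config fragment for
# conflicting allow.sysvipc assignments. Sample input below is constructed.

# Print every value assigned to allow.sysvipc in $1, one per line, in file
# order. Tolerates arbitrary spacing around "=" and skips comment lines.
sysvipc_values() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n 's/^[[:space:]]*allow\.sysvipc[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*;.*/\1/p'
}

# Exit 0 if allow.sysvipc is set consistently, 1 if it is assigned with
# different values, 2 if it is never set (jail(8) then defaults it to 0).
check_sysvipc_conf() {
    vals=$(sysvipc_values "$1")
    n=$(printf '%s\n' "$vals" | grep -c . || true)
    distinct=$(printf '%s\n' "$vals" | grep . | sort -u | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "$1: allow.sysvipc not set (defaults to 0: no SysV IPC in jail)"
        return 2
    elif [ "$distinct" -gt 1 ]; then
        echo "$1: CONFLICT: allow.sysvipc assigned $n times with different values:"
        printf '%s\n' "$vals" | sed 's/^/    allow.sysvipc = /'
        return 1
    fi
    echo "$1: allow.sysvipc = $(printf '%s\n' "$vals" | head -n 1)"
    return 0
}

# Constructed sample resembling the file ezjail wrote in the post above
# (both an "allow.sysvipc = 0;" and an "allow.sysvipc=1;" line).
write_sample() {
    cat > "$1" <<'EOF'
www {
    path = /usr/jails/www;
    allow.sysvipc = 0;
    allow.sysvipc=1;
}
EOF
}

write_sample /tmp/jail.www.conf
check_sysvipc_conf /tmp/jail.www.conf || echo "exit status: $?"
```

On a live host the values the lint reports can be compared against what the running jail actually has via `jls -j JAILNAME allow.sysvipc`.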