From: Konstantin Belousov
Date: Mon, 7 Jan 2019 20:53:45 +0200
To: Fabian Freyer
Cc: Christian Barthel, freebsd-jail@freebsd.org, stefan@gronke.net
Subject: Re: kqueue(2) kevents for jails

On Fri, Jan 04, 2019 at 10:22:07PM +0100, Fabian Freyer wrote:
>
> On 1/4/19 9:29 PM, Konstantin Belousov wrote:
> > On Fri, Jan 04, 2019 at 09:11:58PM +0100, Fabian Freyer wrote:
> >> On 1/4/19 5:14 PM, Konstantin Belousov wrote:
> >>> No, kevent(2) is not suitable mechanism to notify about jail state changes.
> >>> If anything in the existing system can be reused for such notifications,
> >>> it is devctl(4) notifications which are handled by devd(8). Look at the
> >>> man pages and for existing notifications in kernel code, e.g.
> >>> sys/kern/kern_conf.c notify*() for how devfs does it.
> >>
> >> Can any running binary subscribe to devd(8) events or does that require
> >> a configuration change in /etc/devd.conf?
> >
> > Only one reader is supported, effectively. devctl(4) tries to limit opens
> > naively. But then even if you have the file descriptor and fork or pass
> > it over unix domain socket, single event can be only read by one reader.
> >
>
> Ah, I see, thanks! Is there any other nice notification mechanism that a
> process could 'subscribe' to to be notified of an event?
devctl(4) is currently the best mechanism.

Apparently there is a functionality in devd(8) which I was not aware of.
In essence, it can operate as fan-out service, delivering kernel events to
all clients connected to /var/run/devd.seqpacket.pipe socket. So despite
/dev/devctl* not allowing multiple clients, you would make your service
connect to devd(8) and get the events stream from there.

>
> I am still a bit confused as to why knotify would be such a bad fit,
> maybe you could expand a bit on that?
I have no idea what is knotify.

>
> > Not least because jail creation/destruction is relatively low frequency
> > events with potentially rich secondary information that should be attached
> > to them. Kevents are high-frequency, high-performance kind of events,
>
> Does this mean they cannot nicely be used for lower-frequency things?
> I'm thinking of situations where jails may get spawned e.g.
> per-network-request.
They are not nice to be bolted on things which are not supposed to be
performance-critical. Not least because _properly_ supporting kevents
adds significant maintenance cost on the code.

>
> > and only naturally tied to file descriptors.
>
> according to kevent(2),
>
>      EVFILT_PROC    Takes the process ID to monitor as the identifier
>
> so there's also cases where it isn't tied to a file descriptor, but some
> other descriptor (pid's don't seem to be too different to jid's?)
Did you read what I wrote in previous message?

>
> > There were lot of bugs in
> > integration of kevents with e.g. processes notifications, and API is
> > still somewhat racy
>
> Is this a kevents issue or an integration problem?
It is architectural problem.

>
> In the end, might it be a good idea to add devctl(4) notifications as
> well as kevent(2)?
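
The fan-out described in the message above, sketched as an added example (not code from the thread or from FreeBSD): a client that connects to /var/run/devd.seqpacket.pipe, parses each devctl(4) notification and keeps only the events it asked for. The function names and the sample records are assumptions; the JAIL record in particular is hypothetical, since the thread only proposes such an event.

```python
"""Added example: read kernel notifications from devd(8)'s fan-out socket."""
import shlex
import socket

# Socket path as given in the message above.
DEVD_SEQPACKET = "/var/run/devd.seqpacket.pipe"


def parse_notify(record):
    """Parse one devctl(4) '!' notification into a dict of its key=value pairs.

    Returns None for other record types ('+' attach, '-' detach, '?' nomatch)
    and for records that cannot be tokenised.
    """
    text = record.decode("utf-8", "replace").strip()
    if not text.startswith("!"):
        return None
    try:
        tokens = shlex.split(text[1:])      # honours "quoted values"
    except ValueError:                      # unbalanced quote in the record
        return None
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value
    return fields or None


def matches(event, wanted):
    """True when every key in `wanted` is present in the event with that value."""
    return all(event.get(key) == value for key, value in wanted.items())


def events(sock, wanted, bufsize=8192):
    """Yield parsed notifications from a connected socket that match `wanted`.

    On a SOCK_SEQPACKET socket each recv() returns one whole record, so no
    line reassembly is needed. An empty read means the peer closed the socket.
    """
    while True:
        record = sock.recv(bufsize)
        if not record:
            return
        event = parse_notify(record)
        if event is not None and matches(event, wanted):
            yield event


def subscribe(wanted, path=DEVD_SEQPACKET):
    """Connect to devd(8) as one of its many clients and yield matching events."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_SEQPACKET) as sock:
        sock.connect(path)
        yield from events(sock, wanted)


# Constructed sample records, not captured output. The DEVFS line follows the
# form of the devfs notifications the thread points to; the JAIL lines are
# hypothetical, and the last one is deliberately malformed.
SAMPLE_RECORDS = [
    b"!system=DEVFS subsystem=CDEV type=CREATE cdev=ada0\n",
    b"+constructed0 at bus=0 on parent0\n",
    b'!system=JAIL subsystem=STATE type=CREATED jid=3 name="ioc-www1"\n',
    b'!system=JAIL subsystem=STATE type="broken\n',
]


if __name__ == "__main__":
    # Needs a running devd(8); prints every devfs cdev notification.
    for ev in subscribe({"system": "DEVFS", "subsystem": "CDEV"}):
        print(ev)
```

Because every connected client receives its own copy of each record, several such subscribers can run side by side without competing for events the way readers of /dev/devctl would.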
From: "Michael W. Lucas"
Date: Tue, 8 Jan 2019 14:03:47 -0500
To: jail@freebsd.org
Subject: enforce_statfs showing leading path

Hi,

I'm experimenting with enforce_statfs for the jails book, and have hit
an inconsistency. Not sure if the bug should go to src or doc. Running
last week's -current.

According to jail(8):

    When set to 1, only mount points below the jail's chroot
    directory are visible. In addition to that, the path to the
    jail's chroot directory is removed from the front of their
    pathnames.

Seems pretty clear that I shouldn't see anything other than

# jls -h name enforce_statfs
...
ioc-www1 1

So, as I read it, the jail's chroot directory should be stripped down
to /. But inside the jail:

root@www1:~ # mount
iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
devfs on /dev (devfs, local, multilabel)
fdescfs on /dev/fd (fdescfs)

I see the jail's chroot directory.

This seems to contradict the man page, unless I'm misunderstanding.

Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?

Also, should this path be stripped when enforce_statfs is set to 1 *or
above*? Or is this strictly when set to 1? If I'm filing a bug, it
might as well be complete...

Thanks,
==ml

-- 
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...

From: Mateusz Guzik
Date: Tue, 8 Jan 2019 21:14:36 +0100
To: "Michael W. Lucas"
Cc: jail@freebsd.org
Subject: Re: enforce_statfs showing leading path

On 1/8/19, Michael W. Lucas wrote:
> Hi,
>
> I'm experimenting with enforce_statfs for the jails book, and have hit
> an inconsistency. Not sure if the bug should go to src or doc. Running
> last week's -current.
>
> According to jail(8):
>
>     When set to 1, only mount points below the jail's chroot
>     directory are visible. In addition to that, the path to the
>     jail's chroot directory is removed from the front of their
>     pathnames.
>
> Seems pretty clear that I shouldn't see anything other than
>
> # jls -h name enforce_statfs
> ...
> ioc-www1 1
>
> So, as I read it, the jail's chroot directory should be stripped down
> to /. But inside the jail:
>
> root@www1:~ # mount
> iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
> devfs on /dev (devfs, local, multilabel)
> fdescfs on /dev/fd (fdescfs)
>
> I see the jail's chroot directory.
>
> This seems to contradict the man page, unless I'm misunderstanding.
>
> Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?
>
> Also, should this path be stripped when enforce_statfs is set to 1 *or
> above*? Or is this strictly when set to 1? If I'm filing a bug, it
> might as well be complete...
>

The "path" you are seeing is dataset name, which you made to resemble
the mount point.

Whether full dataset name should be exposed or not is a very different
question, does illumos do it? Worst case it should be trivial to add a
sysctl to just obfuscate the name.

-- 
Mateusz Guzik

From: Alexander Leidinger
Date: Wed, 09 Jan 2019 10:42:13 +0100
To: "Michael W. Lucas"
Subject: Re: enforce_statfs showing leading path

Hi.

You see the dataset name of zfs without stripping. The mount point is
correctly stripped. I don't remember how this looks on ufs.

With jailed datasets we would need more than just some code to remove parts
of the name.

So it's a doc bug (clarity about mount points and dataset names) and a zfs
issue.

Bye,
Alexander.

-- 
Sent from a mobile device, please forgive brevity and misspellings.

From: "Bjoern A. Zeeb"
Date: Wed, 09 Jan 2019 11:52:12 +0000
To: "Alexander Leidinger"
Cc: "Michael W. Lucas", jail@freebsd.org
Subject: Re: enforce_statfs showing leading path

On 9 Jan 2019, at 9:42, Alexander Leidinger via freebsd-jail wrote:

Hi,

I’ll be a bit verbose also for mwlucas.

> You see the dataset name of zfs without stripping. The mount point is
> correctly stripped. I don't remember how this looks on ufs.

/dev/ada0p19 on / (ufs, local, journaled soft-updates)
/local/data/www1/users/johndoe on /usr/home/johndoe/www1 (nullfs, local)

The “device” is also visible there, as well as file system type and
specific options.

I also added a nullfs example. For that the mount point is properly
treated and lost the /local/jails/whatever/ prefix with enforce_statfs=1
but the “device” side is just as visible in full as it is for any
other real device.

> With jailed datasets we would need more than just some code to remove
> parts of the name.
>
> So it's a doc bug (clarity about mount points and dataset names) and a
> zfs issue.

Well, no it’s not a zfs specific issue. And the docs talk about mount
points not about the “device” (or dataset in zfs parlance).

If anything for clarity one could add a sentence to the jail(8) page
saying that the “device” part of the mount output is not being
restricted or altered.

One of the reasons for enforce_statfs certainly was to limit the amount
of information; that also has the side-effect of scripts parsing the
mount (mount points) output actually finding the paths they might be
looking for.

The df command output might make some of this all a bit more clear.

> On 8 January 2019 at 8:34:17 PM, "Michael W. Lucas" wrote:
>
>> Hi,
>>
>> I'm experimenting with enforce_statfs for the jails book, and have hit
>> an inconsistency. Not sure if the bug should go to src or doc. Running
>> last week's -current.
>>
>> According to jail(8):
>>
>>     When set to 1, only mount points below the jail's chroot
>>     directory are visible. In addition to that, the path to the
>>     jail's chroot directory is removed from the front of their
>>     pathnames.
>>
>> Seems pretty clear that I shouldn't see anything other than
>>
>> # jls -h name enforce_statfs
>> ...
>> ioc-www1 1
>>
>> So, as I read it, the jail's chroot directory should be stripped down
>> to /. But inside the jail:
>>
>> root@www1:~ # mount
>> iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
                                 ^^^^ it is stripped down to /
>> devfs on /dev (devfs, local, multilabel)
>> fdescfs on /dev/fd (fdescfs)
>>
>> I see the jail's chroot directory.
>>
>> This seems to contradict the man page, unless I'm misunderstanding.
>>
>> Is this a software bug? A ZFS thing? A doc bug? Or am I just an idiot?
>>
>> Also, should this path be stripped when enforce_statfs is set to 1 *or
>> above*? Or is this strictly when set to 1? If I'm filing a bug, it
>> might as well be complete...
>>
>> Thanks,
>> ==ml
>>
>> --
>> Michael W. Lucas https://mwl.io/
>> author of: Absolute OpenBSD, SSH Mastery, git commit murder,
>> Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...

From: "Michael W. Lucas"
Date: Thu, 10 Jan 2019 12:37:00 -0500
To: "Bjoern A. Zeeb"
Cc: Alexander Leidinger, "Michael W. Lucas", jail@freebsd.org
Subject: Re: enforce_statfs showing leading path

On Wed, Jan 09, 2019 at 11:52:12AM +0000, Bjoern A. Zeeb wrote:
> On 9 Jan 2019, at 9:42, Alexander Leidinger via freebsd-jail wrote:
>
> Hi,
>
> I’ll be a bit verbose also for mwlucas.

Thanks, everyone. I got it.

I'll polish this up and put it in the book to save others confusion.

Cheers!
==ml

-- 
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
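
The distinction worked out in this thread, as an added example (not code from any of the posters): a parser for mount(8) output that separates the mount point, which enforce_statfs=1 rewrites, from the "device" field, which it leaves alone, and reports what that field still shows inside a jail. The sample lines are the ones quoted in the thread and come from two different jails; the function names and category labels are assumptions.

```python
"""Added example: show which mount(8) field enforce_statfs=1 leaves untouched."""

# Mount lines quoted in the thread, as seen from inside the jails.
THREAD_MOUNT_OUTPUT = """\
iocage/iocage/jails/www1/root on / (zfs, local, nfsv4acls)
devfs on /dev (devfs, local, multilabel)
fdescfs on /dev/fd (fdescfs)
/dev/ada0p19 on / (ufs, local, journaled soft-updates)
/local/data/www1/users/johndoe on /usr/home/johndoe/www1 (nullfs, local)
"""


def parse_mount_line(line):
    """Split 'SOURCE on /MOUNTPOINT (fstype, opt, ...)' into a dict.

    Returns None for lines that do not have that shape (blank lines, prompts).
    """
    line = line.strip()
    if not line.endswith(")") or " (" not in line:
        return None
    head, _, opts = line[:-1].rpartition(" (")
    source, sep, rest = head.partition(" on /")
    if not sep or not source:
        return None
    fields = [field.strip() for field in opts.split(",")]
    return {
        "source": source,            # the "device" side, not rewritten
        "mountpoint": "/" + rest,    # the side enforce_statfs=1 strips
        "fstype": fields[0],
        "options": fields[1:],
    }


def classify_source(entry):
    """Name what the source field reveals, or None for pseudo filesystems."""
    source, fstype = entry["source"], entry["fstype"]
    if source == fstype:
        return None                  # devfs, fdescfs: nothing host-specific
    if fstype == "zfs":
        return "ZFS dataset name"
    if fstype == "nullfs":
        return "host-side source directory"
    if source.startswith("/dev/"):
        return "device node"
    return "source name"


def disclosures(mount_output):
    """Return (mountpoint, fstype, source, kind) for each revealing entry."""
    found = []
    for line in mount_output.splitlines():
        entry = parse_mount_line(line)
        if entry is None:
            continue
        kind = classify_source(entry)
        if kind is not None:
            found.append((entry["mountpoint"], entry["fstype"],
                          entry["source"], kind))
    return found


if __name__ == "__main__":
    for mountpoint, fstype, source, kind in disclosures(THREAD_MOUNT_OUTPUT):
        print(f"{mountpoint:<24} {fstype:<7} {kind}: {source}")
```

Run against the thread's output, both `/` entries come back with a relative mount point and an unmodified source, which is the behaviour the replies describe for ZFS, UFS and nullfs alike.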