From: Brian Fundakowski Feldman
To: Eirik Øverby
Cc: stable@freebsd.org
Date: Thu, 30 Jun 2005 16:56:29 -0400
Subject: Re: Jails that won't die...
Message-ID: <20050630205629.GG1074@green.homeunix.org>

On Thu, Jun 30, 2005 at 03:53:56PM +0200, Eirik Øverby wrote:
>
> On 29. jun. 2005, at 20.58, Brian Fundakowski Feldman wrote:
>
> >On Wed, Jun 29, 2005 at 03:28:09PM +0200, Eirik Øverby wrote:
> >
> >>
> >>On 28. jun. 2005, at 16.58, Brian Fundakowski Feldman wrote:
> >>
> >>
> >>>On Tue, Jun 28, 2005 at 10:37:29AM +0200, Eirik Øverby wrote:
> >>>
> >>>
> >>>>Hi,
> >>>>
> >>>>I have, since upgrading to 5.x and updating my management tools, seen
> >>>>a number of problems relating to stopping jails.
> >>>>
> >>>>I'm maintaining several hosts with a number of full-featured jails
> >>>>(i.e. full virtual FreeBSD installations in each jail), and in
> >>>>general this works fine. However, whenever I stop a jail using
> >>>>'jexec kill -SIGNAL -1' or 'jexec /bin/sh /etc/rc.shutdown' (in
> >>>>various combinations), jails have a tendency to stick around for
> >>>>minutes or hours - according to 'jls'. Often I see an entry in
> >>>>'netstat -a' indicating that there is one or more sockets in FIN_WAIT
> >>>>state, preventing the jail from coming down. Taking the virtual
> >>>>network interface (alias) down does not help. All I can do at this
> >>>>point is wait.
> >>>>
> >>>>I normally use 'jls' to determine whether or not a jail can be
> >>>>restarted (i.e. it's not running), but this is pretty useless in such
> >>>>cases. And right now I have a case where 'netstat -a' shows me
> >>>>nothing pertaining to the jail, though it has no processes running. I
> >>>>have therefore force-started the jail again, which seems to work
> >>>>nicely, but now 'jls' gives me two entries for this jail, with
> >>>>different JIDs.
> >>>>
> >>>>What am I doing wrong here?
> >>>>
> >>>>
> >>>
> >>>You could just use ps to check for jailed processes and check their
> >>>respective jails using the procfs status entry (at least according
> >>>to the ps manpage...)
> >>>
> >>
> >>My jailctl script can do both - list by jls and list by processes in
> >>the jail. There are NO processes running in the jail.
> >>
> >
> >So it's obviously not running, and you can mark its state as such.
> >
>
> ...which is what I do on FreeBSD 4.x, but on 5.x the 'jls' command
> still claims the jail is running. I think this is unbelievably
> dirty. Also, using /proc to determine if a jail is still running is a
> bad idea, as mounting /proc is deprecated.

The deprecation is due to security concerns, not bit-rot. You can just
mount it with root-readable-only permissions. The jls for current isn't
incorrect, you're just expecting a different criterion to mean "alive"
than it is using. It would take increased kernel complexity to do what
you want if you're not going to do it in userland.

Anyway, why aren't you just using a /var/run file in the "real" system
to tell whether the jail is running or not? It's the corollary to pid
files versus doing "killall"...

Just seems like something really trivial to implement as you like it in
the userland.

-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
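
A sketch of the host-side state file suggested in the message above, added here as an example; it is not code from the thread or from FreeBSD. STATE_DIR and every function name are hypothetical, and the process count assumes FreeBSD's ps with the "jid" output keyword. A "stale" result is the situation described in the thread: a recorded jail with no processes left in it.

```sh
#!/bin/sh
# Added example: host-side jail state files, the pidfile analogue for jails.
# STATE_DIR and all function names are hypothetical, not from any FreeBSD tool.
STATE_DIR="${STATE_DIR:-/var/run/jails}"

# Reject names that could escape STATE_DIR (empty, leading dot, slashes, etc.).
_state_path() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s.jid\n' "$STATE_DIR" "$1"
}

# Record the JID on the host right after the jail has been started.
jail_mark_started() {
    path=$(_state_path "$1") || return 1
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    mkdir -p "$STATE_DIR" || return 1
    tmp="$path.$$"
    ( umask 077; printf '%s\n' "$2" > "$tmp" ) || return 1
    mv -f "$tmp" "$path"    # atomic rename: readers never see a partial file
}

# Remove the record once the management tool has shut the jail down.
jail_mark_stopped() {
    path=$(_state_path "$1") || return 1
    rm -f "$path"
}

# Count processes whose jail ID is $1 (assumes FreeBSD ps "jid" keyword).
jail_proc_count() {
    ps -ax -o jid= | awk -v j="$1" '$1 == j { n++ } END { print n + 0 }'
}

# Prints: stopped (no state file), running, or stale (recorded, no processes).
jail_status() {
    path=$(_state_path "$1") || return 1
    [ -f "$path" ] || { echo stopped; return 0; }
    read -r jid < "$path" || jid=
    case "$jid" in ''|*[!0-9]*) echo stale; return 0 ;; esac
    if [ "$(jail_proc_count "$jid")" -gt 0 ]; then
        echo running
    else
        echo stale
    fi
}
```

Because the file lives outside the jail and is written with a restrictive umask, processes inside the jail cannot alter the state the host-side tooling relies on.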