Date: Tue, 21 Dec 2004 22:41:25 +0000 (GMT) From: Robert Watson <rwatson@freebsd.org> To: Tom Dymond <tom@kmem.org> Cc: freebsd-stable@freebsd.org Subject: Re: 5.3-R : jail bug ? Message-ID: <Pine.NEB.3.96L.1041221223825.58276F-100000@fledge.watson.org> In-Reply-To: <51722.83.146.61.204.1102776812.squirrel@j2.kmem.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 11 Dec 2004, Tom Dymond wrote: > I'm having a serious problem with jails on my 5.3-RELEASE machine. When > I stop a jail using '/etc/rc.d jail stop <jail name>' the jail stops but > jls still shows it running. > > I have tried fstat, lsof, nothing is running in this jail, yet if there > is a reason why jls says it is running, how can i kill it ? > > I thought it could be related to time but it's been 1 hour now since the > jail has been stopped. Jails are reference counted objects, generally referenced from process credentials. Process credentials are in turn reference counted objects, generally referenced by threads, processes, file descriptors, sockets, network protocol control blocks, mountpoints, and a couple of other misc bits and pieces (such as the accounting code). Jails are garbage collected when the last process credential reference to the jail is released, which generally occurs because the last process credential refering to the jail is also released. A straggling jail is almost always a sign of one of two things: - A long-lived object persisting beyond the death of the last process in a jail. For example, a TCP connection in the TIME_WAIT state. - A credential reference count leak. While the second is not impossible (such as the bug mentioned in the PRs you reference), it's more likely to be the first. Could you check "netstat -na" for references to the jail, especially in TCP connections? Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Principal Research Scientist, McAfee Research > > ruby# ps aux | grep J > root 46737 0.0 0.2 1472 808 p3 S+ 12:37PM 0:00.01 grep J > > ruby# killall -j 9 > No matching processes were found > > ruby# lsof | grep jail > ruby# > > ruby# jls > JID IP Address Hostname Path > 9 10.0.0.17 green.vps.kmem.org > /usr/local/jails/green.vps.kmem.org > > > ruby# sysctl -a -o | grep jail > security.jail.set_hostname_allowed: 0 > security.jail.socket_unixiproute_only: 1 > security.jail.sysvipc_allowed: 0 > security.jail.getfsstatroot_only: 1 > security.jail.allow_raw_sockets: 1 > security.jail.list: Format:S Length:1292 > Dump:0x01000000090000002f7573722f6c6f63... > security.jail.jailed: 0 > > ------------------------------------- > > kernel : > ruby# uname -a > FreeBSD ruby.london.kmem.org 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Tue Nov > 16 12:08:02 GMT 2004 > tom@ruby.london.kmem.org:/usr/obj/usr/src/sys/EPIA i386 > > My kernel and world are in sync. > > > I have looked on google and found the Following PR's that describes my > problem but it is said to have been resolved. Guess not for me though :( > > http://www.freebsd.org/cgi/query-pr.cgi?pr=65442 > http://www.freebsd.org/cgi/query-pr.cgi?pr=54163 > > My version of tcp_subr.c: > > ruby# grep "FreeBSD" /sys/netinet/tcp_subr.c > * $FreeBSD: src/sys/netinet/tcp_subr.c,v 1.201.2.1.2.1 2004/10/21 > 09:30:47 rwatson Exp $ > > If there is any data/information missing here, please let me know and i > will provide it. > > > Thanks > > Tom > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1041221223825.58276F-100000>