From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Mon, 27 Apr 2009 23:48:30 +0200
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Subject: Re: changing cpuset of jail from inside of jail - is it feature?

Bjoern A. Zeeb wrote:
> On Fri, 24 Apr 2009, Miroslav Lachman wrote:
>
>> Bjoern A. Zeeb wrote:
>>
>> [...]
>>
>>> Ok, I am not sure what is going wrong here; well I know but I don't
>>> know if it's intended in cpuset. Trying to talk to the right people
>>> but they seem to be AWOL atm.
>>>
>>>
>>> If you are brave, you could try:
>>>
>>> http://people.freebsd.org/~bz/20090423-01-cpuset-jails.diff
>>>
>>> I haven't even compiled it yet. It may work, it may not work, it may
>>> make your machine panic, ... just to warn you.
>>>
>>> It should still allow you to create further sets within a jail but you
>>> should not be able to change the "root set" of the jail from inside
>>> the jail anymore (in case it works;)
>>
>>
>> I did just a quick test. (OK, not so quick, because compilation inside
>> Qemu on my old PC takes 2 hours ;])
>> It compiles without problems and did what I expect:
>>
> ...
>
>> I have no real multicore machine to test it more deeply. (can't test
>> it on production servers and spare machine is blocked by another task)
>>
>> Will this fix be included in 7.2-RELEASE or is it too late to commit
>> this fix?
>
>
> FreeBSD 7/7.2 just got a BUGS entry for the man pages. The patch will
> not make it; it's still waiting review for HEAD and possibly
> discussion if a super user inside a jail would still be allowed to
> further restrict the cpuset (but not extend it).

OK, thank you for the information. Allowing root inside a jail to further
restrict the cpuset for some services running inside the jail seems useful
to me.

Just to inform others, this issue has PR number 134050
http://www.freebsd.org/cgi/query-pr.cgi?pr=134050

Miroslav Lachman