From: Robert Watson <rwatson@FreeBSD.org>
Date: Fri, 6 Jun 2008 12:09:25 +0100 (BST)
To: Michael Reifenberger
Cc: current@freebsd.org
Subject: Re: active/inactive jails
Message-ID: <20080606120355.N87970@fledge.watson.org>
In-Reply-To: <20080606054243.GA87241@gw.reifenberger.com>

On Fri, 6 Jun 2008, Michael Reifenberger wrote:

> Is the assumption correct that an active jail has at least one process
> associated with it and that there can be only one active jail (with the same
> hostname/ip-number) per system at the same time?
>
> Is there a convenient way to get the processes associated with a jail? So
> far I found only the method used by killall(1): jail_attach() to the jid and
> read the process table...
>
> Thanks in advance!
Michael--

No, those are incorrect assumptions:

(1) Jails may exist without any processes -- jails are part of the process
credential, and these may be cached and used asynchronously. The example many
people run into is that the process credential that opened a TCP connection
remains referenced until the TCP connection closes, so if a TCP connection
enters TIME_WAIT, the jail will persist until the TIME_WAIT delay runs out.

(2) It is quite possible, and in fact even quite reasonable, to have multiple
jails with the same IP and hostname. When compartmentalizing services, there's
no reason not to use the same (global) hostname for each service, and no reason
not to attach the services to the same IP address.

You can use jls(8) to list jails, and then for each jail ID, you can use ps(1)
to list processes. You can find jid in the list of optional data to print for
processes in the ps man page.

Robert N M Watson
Computer Laboratory
University of Cambridge
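One way to script the jls(8)-then-ps(1) procedure Robert describes, as an added example that is not part of the original thread: it reports a process count per jail, so a jail that still exists with zero processes (for instance one kept alive by a credential held by a TIME_WAIT connection) stands out. The functions take captured output as file arguments so they can be exercised offline; the default jls(8) column layout and the "ps -axo jid,pid,ucomm" format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-jail process counts built from
# jls(8) and the jid keyword of ps(1).

# jail_ids FILE: print the jail IDs from a default jls(8) listing saved in
# FILE (assumed layout: a header line, then one row per jail whose first
# column is the numeric JID).
jail_ids() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 }' "$1"
}

# procs_in_jail JID FILE: print the PIDs in FILE (assumed to be the output of
# "ps -axo jid,pid,ucomm", header included) whose jid column equals JID.
# Jail 0 is the host, so it is never asked for.
procs_in_jail() {
    awk -v jid="$1" 'NR > 1 && $1 == jid { print $2 }' "$2"
}

# jail_report JLSFILE PSFILE: one "jid count" line per jail listed by jls.
# A count of 0 is a jail that exists without any attached process.
jail_report() {
    for jid in $(jail_ids "$1"); do
        n=$(procs_in_jail "$jid" "$2" | wc -l | tr -d ' ')
        echo "$jid $n"
    done
}

# Live use on a FreeBSD host (run as root so every jail and process is shown):
#   jls > /tmp/jls.out
#   ps -axo jid,pid,ucomm > /tmp/ps.out
#   jail_report /tmp/jls.out /tmp/ps.out
```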