From owner-freebsd-jail@FreeBSD.ORG Thu Apr 25 01:22:42 2013
Date: Thu, 25 Apr 2013 03:22:36 +0200
From: Mateusz Guzik
To: Jamie Gritton
Cc: freebsd-jail@FreeBSD.org
Subject: Re: automatic garbage collection of stuff mounted (etc.) by jailed root
Message-ID: <20130425012236.GB23151@dft-labs.eu>
In-Reply-To: <51758192.2050300@FreeBSD.org>
References: <20130422091711.GA3115@dft-labs.eu> <517553B0.6010602@FreeBSD.org> <517575BF.8020305@quip.cz> <51758192.2050300@FreeBSD.org>

On Mon, Apr 22, 2013 at 12:29:38PM -0600, Jamie Gritton wrote:
> On 04/22/13 11:39, Miroslav Lachman wrote:
> >> This already happens when jails are created using a jail.conf file. Any
> >> mounts there are unmounted as part of the jail removal process. Just
> >> recently I fixed it to properly do this unmounting in reverse order.
> >
> > Do you mean mounts defined in jail.conf or all mounts manually done by
> > root user in jail?
>
> Ah, I see the difference. Yes, that's only for mounts in the jail.conf.
> For mounts done by the jail itself, I guess we would go off the mount
> record's credential. So is this something you expect to be happening
> entirely in the kernel?

If we want to clean this up from userspace, we need to teach the kernel how to export the vnet and mount table of a jail, and then it would be nice to teach jls how to print it (or maybe create a separate tool - jstat?), and of course jail(8) how to use this information to clean things up. Bonus points if jail(8) -r is able to clean up the jail without looking at the config file.
I would prefer if the jail would be able to just die if no problems were encountered, and that is easily done with a kernel-only implementation, but this would still benefit from the features described above (the difference would be that if someone wants to kill the jail, jail(8) would only call jail_remove).

If the jail could not die because some clean-up operations failed, jls (or jstat) would show what resources are remaining along with an error message (say, fs could not be unmounted because it was busy). Then the user can fix the problem and do jail(8) -r to re-run the kernel clean-up, or clean up on his own (say, unmount filesystems), which effectively should kill the jail.

Thoughts?

-- 
Mateusz Guzik