Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 30 Sep 2015 18:06:10 -0700
From:      Felix Gallo <felixgallo@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   PF appears to lock up a machine with a large number of jails
Message-ID:  <CAJfDOsT52xtQ3w3BOVRu2zCF-mhku79-_8-ed6_15=TKmNkb7Q@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
FreeBSD ip-172-31-63-223 10.2-RELEASE FreeBSD 10.2-RELEASE #0 r286666: Wed
Aug 12 15:26:37 UTC 2015
root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
 amd64

I am using the github dev version of 'iocage' (an ezjail-like shell script)
to generate a large number of jails.

SITUATION 1.

When I am creating the jails, which all use a shared ipv6 interface to the
hosts' loopback, in a loop, after a certain number of jails (sometimes ~70,
sometimes ~100), the machine appears to hang.  Upon reboot, the machine has
nothing interesting in the logs.

SITUATION 2.

I then realized that I had TSO enabled on the interface, which seems to
interact very badly with pf.  So I disabled it and started creating the
jails again.  Again, it hung the box, but this time seemed to take a lot
longer to do so (over 100 jails created).

SITUATION 3.

I rebooted.  I then disabled pf and created the jails.  This went fine and
I was able to create and run 750 jails without issue.

SITUATION 4.

I rebooted.  I disabled TSO.  I then attempted to re-enable pf with pfctl
-e.  This immediately killed the box.

SITUATION 5.

I rebooted.  I then deleted all my jails, recreated a smaller number (150)
with PF disabled and TSO disabled, and then re-enabled PF.  This appeared
to work for a time, but after some period of time, the machine again hung.

Not sure how else to help debug this one; happy to help if given direction.

F.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJfDOsT52xtQ3w3BOVRu2zCF-mhku79-_8-ed6_15=TKmNkb7Q>