Date:      Mon, 16 Feb 2004 14:36:17 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Maxim Konovalov <maxim@macomnet.ru>
Cc:        current@freebsd.org
Subject:   Re: Jails that keep hanging around
Message-ID:  <20040216133617.GD14639@garage.freebsd.pl>
In-Reply-To: <20040215191756.P49729@news1.macomnet.ru>
References:  <200402151714.26631.freebsd-current@webteckies.org> <20040215191756.P49729@news1.macomnet.ru>


On Sun, Feb 15, 2004 at 07:37:42PM +0300, Maxim Konovalov wrote:
+> > I have yet to figure out what triggers the bug, but I end up with 'running'
+> > jails, without any processes. So I thought I'd create 'jld' to remove a jail.
+> > However - prison_find isn't exported to userland. Probably for good reason.
+> >
+> > Should I worry about these jails or is it harmless:
+> [...]
+>
+> Yes, it is a known bug, see kern/54163 for example.  It seems we are
+> leaking a ucred reference somewhere.  TIME_WAIT handling is involved
+> too.  You can reproduce it easily:
+>
+> 1/ Start a jail:
+>
+> # jail / j 127.0.0.1 /usr/local/bin/nc -p 1973 -l 127.0.0.1
+>
+> 2/ Telnet to it:
+>
+> # telnet 127.0.0.1 1973
+>
+> 3/ Kill the jail:
+>
+> # killall nc
+>
+> 4/ Watch a leak:
+>
+> # jls
+> ...
+>
+> or
+>
+> # sysctl -o security.jail.list
+> ...
+>
+> I was trying to fix this for a long time but with no success.

Yeah, there is a cred leak and I am the one who tracked it down! :)

	http://garage.freebsd.pl/patches/tcp_subr.c.patch

Don't do 'jls' just after killing 'nc', because the cred will be freed
after a timeout, so wait a few minutes and then try 'jls'.

If there are no objections I'm going to commit it tomorrow.

Am I Evil?:)

-- 
Pawel Jakub Dawidek                       http://www.FreeBSD.org
pjd@FreeBSD.org                           http://garage.freebsd.pl
FreeBSD committer                         Am I Evil? Yes, I Am!
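
A check for the symptom described in this thread, jails that stay listed with no processes in them, as an added example that is not part of the original message or of FreeBSD. It assumes `jls` prints the JID in the first column and that `ps -ax -o jid` prints one JID per process; the function name and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `jls` output: a header line, then one line per jail.
SAMPLE_JLS='   JID  IP Address      Hostname                      Path
     1  127.0.0.1       j                             /
     2  10.0.0.5        web                           /jails/web'

# Constructed sample of `ps -ax -o jid` output: one JID per process,
# where 0 means the process runs on the host, outside any jail.
SAMPLE_PS='JID
  0
  0
  2
  2'

# orphaned_jails JLS_TEXT PS_TEXT  (hypothetical helper name)
# Prints the JID of every jail that is listed but owns no process.
orphaned_jails() {
    # Feed the process list first, then a separator, then the jail list.
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $1 == "---"       { in_jls = 1; next }   # switch to the jail list
        $1 !~ /^[0-9]+$/  { next }               # skip header lines
        !in_jls           { live[$1] = 1; next } # JID that owns a process
        !($1 in live)     { print $1 }           # listed jail, no process
    '
}

# On a live system (assumed invocation):
#   orphaned_jails "$(jls)" "$(ps -ax -o jid)"
orphaned_jails "$SAMPLE_JLS" "$SAMPLE_PS"
```

As the message above notes, the cred is only freed after the timeout, so a jail reported right after its last process exits may still disappear a few minutes later.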
