From owner-freebsd-jail@FreeBSD.ORG Mon Jun 23 11:06:56 2008
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 23 Jun 2008 11:06:56 GMT
Message-Id: <200806231106.m5NB6uNZ065001@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
s kern/89528   jail  [jail] [patch] impossible to kill a jail
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems
S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/32828    jail  [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail  [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail  [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail  [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail  [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail  [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail  [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail  [jail] Zombie jails (jailed child process exits while

9 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon Jun 23 19:57:47 2008
From: alexus
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Date: Mon, 23 Jun 2008 15:57:45 -0400
Message-ID: <6ae50c2d0806231257y48791f03r2b3518517f0af653@mail.gmail.com>
In-Reply-To: <20080621212933.J83875@maildrop.int.zabbadoz.net>
Subject: Re: new set of multi-IPv4/v6/noIP jail patches

yeah, I don't have IPv6, and whatever you gave me isn't enough, at least for me; I don't know how to incorporate this code into the patch. Can you post a new patch with these fixes?

Thanks!

On Sat, Jun 21, 2008 at 5:32 PM, Bjoern A. Zeeb wrote:
> On Sat, 21 Jun 2008, alexus wrote:
>
>> this is against
>> http://sources.zabbadoz.net/freebsd/jail/20080617-01-jail-7.0R.diff
>> with 7.0-RELEASE-p2
>>
>> On Sat, Jun 21, 2008 at 1:35 PM, alexus wrote:
>>>
>>> cc -c -O -pipe -std=c99 -g -Wall -Wredundant-decls -Wnested-externs
>>> -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
>>> -Wcast-qual -Wundef -Wno-pointer-sign -fformat-extensions -nostdinc
>>> -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL
>>> -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common
>>> -finline-limit=8000 --param inline-unit-growth=100 --param
>>> large-function-growth=1000 -mno-align-long-strings
>>> -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2
>>> -mno-sse3 -ffreestanding -Werror /usr/src/sys/kern/kern_jail.c
>>> cc1: warnings being treated as errors
>>> /usr/src/sys/kern/kern_jail.c: In function 'prison_if':
>>> /usr/src/sys/kern/kern_jail.c:876: warning: unused variable 'sai6'
>>> *** Error code 1
>
> Are you building without INET6 in your kernel config?
>
> This should fix it:
>
>  struct sockaddr_in *sai;
> +#ifdef INET6
>  struct sockaddr_in6 *sai6;
> +#endif
>  int ok;
>
> I'll commit it and you'll have it with the next patchset.
>
> /bz
>
> --
> Bjoern A. Zeeb          Stop bit received. Insert coin for new game.

--
http://alexus.org/

From owner-freebsd-jail@FreeBSD.ORG Mon Jun 23 23:15:08 2008
From: "Bjoern A. Zeeb"
To: alexus
Cc: freebsd-jail@freebsd.org
Date: Mon, 23 Jun 2008 23:13:55 +0000 (UTC)
Message-ID: <20080623200215.J83875@maildrop.int.zabbadoz.net>
In-Reply-To: <6ae50c2d0806231257y48791f03r2b3518517f0af653@mail.gmail.com>
Subject: Re: new set of multi-IPv4/v6/noIP jail patches

On Mon, 23 Jun 2008, alexus wrote:

> yeah, I don't have IPv6, and whatever you gave me isn't enough at least
> for me, I don't know how to incorporate this code into the patch, can you
> post a new patch with these fixes?

Don't incorporate it into the patch; edit the patched file and rebuild.

You go to /usr/src/sys/kern (if your sources are in /usr/src), run vi kern_jail.c, go to the line from the error message and find the place where to add the two lines I had marked with +.

I'll not re-roll another 7.0R patch before I have done the HEAD to RELENG_7 and then to 7.0-R chain entirely. It'll be at least another day or two until the builds and the boots and everything have been tested.

/bz

--
Bjoern A. Zeeb          Stop bit received. Insert coin for new game.
From owner-freebsd-jail@FreeBSD.ORG Tue Jun 24 10:38:01 2008
From: "Mars G Miro"
To: freebsd-jail@freebsd.org
Date: Tue, 24 Jun 2008 18:21:36 +0800
Subject: new jail patches -- OK

Greetz,

I've just tested, over the last month, bz@'s new jail patches for IPv4/IPv6 and they work OK. The only thing I haven't tested is the no-IP stuff. Prolly when I have the time.

Thanks!

--
cheers
mars

From owner-freebsd-jail@FreeBSD.ORG Tue Jun 24 21:56:33 2008
From: Christopher Thunes
To: freebsd-jail@freebsd.org
Date: Tue, 24 Jun 2008 17:46:39 -0400
Message-ID: <48616B3F.4030705@brewtab.com>
Subject: Memory limits on 7.0

Hey everyone,

I spent some time working on getting cdjones' memory limit patches updated for 7.0 and beyond and thought I'd post my progress. I've attached my current patch, which implements memory limits on 7.0-RELEASE, but only for the older (and default in -RELEASE) bsd4 scheduler (it won't work at all on ULE). I haven't yet started work for ULE or on getting CPU sharing working. This patch also includes fixes for problems in the original cdjones patches. If you want to give it a whirl, it should apply cleanly to a 7.0-RELEASE source tree, and if you run into any issues let me know.

- Chris

Attachment: memory_limits_70.patch (text/x-diff)

diff -burN src.old/lib/libc/sys/Symbol.map src.new/lib/libc/sys/Symbol.map --- src.old/lib/libc/sys/Symbol.map 2007-08-21 21:56:35.000000000 -0400 +++ src.new/lib/libc/sys/Symbol.map 2008-05-28 19:55:04.000000000 -0400 @@ -131,6 +131,7 @@ issetugid; jail; jail_attach; + jail_set_resource_limits; kenv; kevent; kill; 
@@ -580,6 +581,8 @@ __sys_jail; _jail_attach; __sys_jail_attach; + _jail_set_resource_limits; + __sys_jail_set_resource_limits; _kenv; __sys_kenv; _kevent; diff -burN src.old/sys/kern/init_sysent.c src.new/sys/kern/init_sysent.c --- src.old/sys/kern/init_sysent.c 2007-08-16 01:32:25.000000000 -0400 +++ src.new/sys/kern/init_sysent.c 2008-05-28 19:49:37.000000000 -0400 @@ -2,8 +2,8 @@ * System call switch table. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/kern/init_sysent.c,v 1.230 2007/08/16 05:32:25 davidxu Exp $ - * created from FreeBSD: src/sys/kern/syscalls.master,v 1.232 2007/07/04 22:47:37 peter Exp + * $FreeBSD$ + * created from FreeBSD: src/sys/kern/syscalls.master,v 1.233 2007/08/16 05:26:41 davidxu Exp */ #include "opt_compat.h" @@ -511,4 +511,5 @@ { AS(truncate_args), (sy_call_t *)truncate, AUE_TRUNCATE, NULL, 0, 0 }, /* 479 = truncate */ { AS(ftruncate_args), (sy_call_t *)ftruncate, AUE_FTRUNCATE, NULL, 0, 0 }, /* 480 = ftruncate */ { AS(thr_kill2_args), (sy_call_t *)thr_kill2, AUE_KILL, NULL, 0, 0 }, /* 481 = thr_kill2 */ + { AS(jail_set_resource_limits_args), (sy_call_t *)jail_set_resource_limits, AUE_NULL, NULL, 0, 0 }, /* 482 = jail_set_resource_limits */ }; diff -burN src.old/sys/kern/kern_jail.c src.new/sys/kern/kern_jail.c --- src.old/sys/kern/kern_jail.c 2007-04-13 19:54:22.000000000 -0400 +++ src.new/sys/kern/kern_jail.c 2008-06-19 03:16:43.000000000 -0400 
@@ -5,8 +5,38 @@ * can do whatever you want with this stuff. If we meet some day, and you think * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp * ---------------------------------------------------------------------------- + * + * Portions copyright (c) 2006 Chris Jones, + * All rights reserved. + * + * This software was developed for the FreeBSD Project by Chris Jones + * thanks to the support of Google's Summer of Code program and + * mentoring by Kip Macy. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * */ + #include __FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.70 2007/04/13 23:54:22 pjd Exp $"); @@ -15,6 +45,7 @@ #include #include #include +#include #include #include #include 
@@ -33,6 +64,12 @@ #include #include #include +#include +#include +#include +#include +#include +#include #include #include @@ -78,12 +115,27 @@ &jail_mount_allowed, 0, "Processes in jail can mount/unmount jail-friendly file systems"); +int jail_limit_memory = 0; +SYSCTL_INT(_security_jail, OID_AUTO, limit_jail_memory, CTLFLAG_RW, + &jail_limit_memory, 0, + "Limit jails' memory usage"); + +int jail_memory_pager_interval = 5; +SYSCTL_INT(_security_jail, OID_AUTO, jail_pager_interval, + CTLTYPE_INT | CTLFLAG_RW, + &jail_memory_pager_interval, 0, + "Interval between jail memory limit checks"); + + /* allprison, lastprid, and prisoncount are protected by allprison_lock. */ struct prisonlist allprison; struct sx allprison_lock; int lastprid = 0; int prisoncount = 0; +/* Make the sched_lock visible */ +extern struct mtx sched_lock; + /* * List of jail services. Protected by allprison_lock. */ 
@@ -114,6 +166,104 @@ SYSINIT(prison, SI_SUB_INTRINSIC, SI_ORDER_ANY, init_prison, NULL); +static void +jpager_td(void *arg) +{ + struct proc *p; + struct prison *pr = arg; + struct thread *td; + long limit, cursize, newsize, usage; + int breakout; + int flags = J_PAGER_TD_ACTIVE; + pr->pr_pager_flags_ptr = &flags; + + for (;;) { + if (flags & J_PAGER_TD_DIE) + break; + + if (jail_limit_memory && pr->pr_mem_limit) { + /* + * TODO: consider whether it might be better to start + * pushing back when we approach the limit, rather than + * when we hit it. + * + */ + limit = prison_memory_limit(pr); + usage = prison_memory(pr); + + /* Copy the current memory usage to the prison struct */ + mtx_lock(&pr->pr_mtx); + pr->pr_mem_usage = usage; + mtx_unlock(&pr->pr_mtx); + + /* + * The logic from vm_daemon() really needs to go here. + * Problem: we want to push things below their rlimits, + * and vm_daemon doesn't do that. It'd be better to + * refactor vm_daemon to fit, but this'll do for now. + * + */ + + if ((usage - limit) > 0) { + sx_slock(&allproc_lock); + LIST_FOREACH(p, &allproc, p_list) { + + if (pr != p->p_ucred->cr_prison || !p->p_vmspace) + continue; + + PROC_LOCK(p); + if (p->p_flag & (P_SYSTEM | P_WEXIT)) { + PROC_UNLOCK(p); + continue; + } + + mtx_lock_spin(&sched_lock); + breakout = 0; + FOREACH_THREAD_IN_PROC(p, td) { + if (!TD_ON_RUNQ(td) && + !TD_IS_RUNNING(td) && + !TD_IS_SLEEPING(td)) { + breakout = 1; + break; + } + } + mtx_unlock_spin(&sched_lock); + if (breakout) { + PROC_UNLOCK(p); + continue; + } + + /* NOTE: we differ here from vm_daemon b/c we don't + * care about the rlimit; things that are exceeding that will + * get caught in due course. We need, however, to decrease + * the pressure on our permitted memory allocation. Fortunately, + * we only care about eventually hitting the limit, so if we + * don't get there right away, it's okay. 
+ */ + + /* TODO: this arbitrarily reduces each process's space by + * 6.25% (until it's completely swapped out) while + * we're under memory pressure. A better way would be + * to either hit large processes first, or to hit the + * least-active processes first, or go proportionally, + * or .... + */ + newsize = cursize = vmspace_resident_count(p->p_vmspace); + newsize -= newsize / 16; + if (cursize < 0) + newsize = 0; + PROC_UNLOCK(p); + vm_pageout_map_deactivate_pages(&p->p_vmspace->vm_map, newsize); + } /* end LIST_FOREACH procs */ + sx_sunlock(&allproc_lock); + } + } + tsleep(pr, 0, "-", jail_memory_pager_interval * hz); + } + + kthread_exit(0); +} + /* * struct jail_args { * struct jail *jail; @@ -127,6 +277,7 @@ struct prison_service *psrv; struct jail j; struct jail_attach_args jaa; + struct proc *j_pager_proc = NULL; int vfslocked, error, tryprid; error = copyin(uap->jail, &j, sizeof(j)); @@ -135,6 +286,7 @@ if (j.version != 0) return (EINVAL); + MALLOC(pr, struct prison *, sizeof(*pr), M_PRISON, M_WAITOK | M_ZERO); mtx_init(&pr->pr_mtx, "jail mutex", NULL, MTX_DEF); pr->pr_ref = 1; @@ -156,7 +308,10 @@ goto e_dropvnref; pr->pr_ip = j.ip_number; pr->pr_linux = NULL; + pr->pr_sched_shares = j.sched_shares; pr->pr_securelevel = securelevel; + pr->pr_mem_limit = j.mem_limit; + if (prison_service_slots == 0) pr->pr_slots = NULL; else { @@ -169,6 +324,7 @@ tryprid = lastprid + 1; if (tryprid == JAIL_MAX) tryprid = 1; + next: LIST_FOREACH(tpr, &allprison, pr_list) { if (tpr->pr_id == tryprid) { @@ -190,6 +346,11 @@ } sx_sunlock(&allprison_lock); + if (kthread_create(jpager_td, pr, (void *) j_pager_proc, 0, 0, "jpager %d", pr->pr_id)) + goto e_dropprref; + KASSERT(j_pager_proc != NULL, ("NULL j_pager_proc")); + pr->pr_pager = j_pager_proc; + error = jail_attach(td, &jaa); if (error) goto e_dropprref; 
@@ -199,6 +360,11 @@ td->td_retval[0] = jaa.jid; return (0); e_dropprref: + if (j_pager_proc != NULL) { + *pr->pr_pager_flags_ptr = J_PAGER_TD_DIE; + wakeup(pr); + } + sx_xlock(&allprison_lock); LIST_REMOVE(pr, pr_list); prisoncount--; @@ -267,11 +433,13 @@ newcred = crget(); PROC_LOCK(p); + oldcred = p->p_ucred; setsugid(p); crcopy(newcred, oldcred); newcred->cr_prison = pr; p->p_ucred = newcred; + PROC_UNLOCK(p); crfree(oldcred); return (0); @@ -314,6 +482,9 @@ pr->pr_ref--; if (pr->pr_ref == 0) { mtx_unlock(&pr->pr_mtx); + *pr->pr_pager_flags_ptr = J_PAGER_TD_DIE; + wakeup(pr); + TASK_INIT(&pr->pr_task, 0, prison_complete, pr); taskqueue_enqueue(taskqueue_thread, &pr->pr_task); return; 
@@ -436,6 +607,92 @@ return (ok); } +/* Given credential, return memory usage in bytes. */ +long +prison_memory(struct prison *pr) +{ + struct proc *p; + long mem_used = 0; + + /* + * TODO: this is a really bad way of doing the + * search, as we end up going across all processes + * for each jail. It'd be more efficient to just do + * this once in a period and update the relevant jail. + * + */ + FOREACH_PROC_IN_SYSTEM(p) { + PROC_LOCK(p); + if (!jailed(p->p_ucred) || + (pr != p->p_ucred->cr_prison) || + !p->p_vmspace) { + PROC_UNLOCK(p); + continue; + } + mem_used += vmspace_resident_count(p->p_vmspace); + PROC_UNLOCK(p); + } + mem_used *= PAGE_SIZE; + return mem_used; +} + +/* Given credential, return permitted memory usage in bytes. */ +long +prison_memory_limit(struct prison *pr) +{ + vm_pindex_t memlimit; + mtx_lock(&pr->pr_mtx); + memlimit = (vm_pindex_t) pr->pr_mem_limit; + mtx_unlock(&pr->pr_mtx); + return memlimit; +} + +/* + * Change resource limit for a prison. + * + * unsigned int jid: id of jail to mess with + * + * int cpushares: 0 -> remove prison from cpu limits + * -1 -> don't change existing shares + * >0 -> set cpu shares + * + * int memlimit: 0 -> remove prison from mem limits + * -1 -> don't change existing limit + * >1 -> set memory limit (bytes) + * + * TODO: might this be better handled via a writable + * sysctl than with a new syscall? 
+ */ +int +jail_set_resource_limits(struct thread *td, struct jail_set_resource_limits_args *uap) +{ + struct prison *pr; + int error; + + error = suser(td); + if (error) + return (error); + + sx_xlock(&allprison_lock); + LIST_FOREACH(pr, &allprison, pr_list) { + if (pr->pr_id == uap->jid) + break; + } + if (NULL == pr) { + sx_unlock(&allprison_lock); + return 1; + } + + mtx_lock(&pr->pr_mtx); + if (-1 != uap->cpushares) + pr->pr_sched_shares = uap->cpushares; + if (-1 != uap->memlimit) + pr->pr_mem_limit = uap->memlimit; + mtx_unlock(&pr->pr_mtx); + sx_unlock(&allprison_lock); + return 0; +} + /* * Return 0 if jails permit p1 to frob p2, otherwise ESRCH. */ @@ -955,9 +1212,15 @@ xp->pr_id = pr->pr_id; xp->pr_ip = pr->pr_ip; strlcpy(xp->pr_path, pr->pr_path, sizeof(xp->pr_path)); + mtx_lock(&pr->pr_mtx); + xp->pr_sched_shares = pr->pr_sched_shares; + xp->pr_estcpu = pr->pr_estcpu; + xp->pr_mem_limit = pr->pr_mem_limit; + xp->pr_mem_usage = pr->pr_mem_usage; strlcpy(xp->pr_host, pr->pr_host, sizeof(xp->pr_host)); mtx_unlock(&pr->pr_mtx); + xp++; } sx_sunlock(&allprison_lock); diff -burN src.old/sys/kern/syscalls.c src.new/sys/kern/syscalls.c --- src.old/sys/kern/syscalls.c 2007-08-16 01:32:26.000000000 -0400 +++ src.new/sys/kern/syscalls.c 2008-05-28 19:49:37.000000000 -0400 @@ -2,8 +2,8 @@ * System call names. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/kern/syscalls.c,v 1.214 2007/08/16 05:32:26 davidxu Exp $ - * created from FreeBSD: src/sys/kern/syscalls.master,v 1.232 2007/07/04 22:47:37 peter Exp + * $FreeBSD$ + * created from FreeBSD: src/sys/kern/syscalls.master,v 1.233 2007/08/16 05:26:41 davidxu Exp */ const char *syscallnames[] = { 
@@ -489,4 +489,5 @@ "truncate", /* 479 = truncate */ "ftruncate", /* 480 = ftruncate */ "thr_kill2", /* 481 = thr_kill2 */ + "jail_set_resource_limits", /* 482 = jail_set_resource_limits */ }; diff -burN src.old/sys/kern/syscalls.master src.new/sys/kern/syscalls.master --- src.old/sys/kern/syscalls.master 2007-08-16 01:26:41.000000000 -0400 +++ src.new/sys/kern/syscalls.master 2008-05-28 11:03:25.000000000 -0400 @@ -847,5 +847,7 @@ 479 AUE_TRUNCATE STD { int truncate(char *path, off_t length); } 480 AUE_FTRUNCATE STD { int ftruncate(int fd, off_t length); } 481 AUE_KILL STD { int thr_kill2(pid_t pid, long id, int sig); } +482 AUE_NULL STD { int jail_set_resource_limits(unsigned int jid, \ + int cpushares, int memlimit); } ; Please copy any additions and changes to the following compatability tables: ; sys/compat/freebsd32/syscalls.master diff -burN src.old/sys/kern/systrace_args.c src.new/sys/kern/systrace_args.c --- src.old/sys/kern/systrace_args.c 2007-08-16 01:32:26.000000000 -0400 +++ src.new/sys/kern/systrace_args.c 2008-05-28 19:49:37.000000000 -0400 @@ -2,7 +2,7 @@ * System call argument to DTrace register array converstion. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/kern/systrace_args.c,v 1.14 2007/08/16 05:32:26 davidxu Exp $ + * $FreeBSD$ * This file is part of the DTrace syscall provider. */ @@ -2871,6 +2871,15 @@ *n_args = 3; break; } + /* jail_set_resource_limits */ + case 482: { + struct jail_set_resource_limits_args *p = params; + uarg[0] = p->jid; /* unsigned int */ + iarg[1] = p->cpushares; /* int */ + iarg[2] = p->memlimit; /* int */ + *n_args = 3; + break; + } default: *n_args = 0; break; diff -burN src.old/sys/sys/jail.h src.new/sys/sys/jail.h --- src.old/sys/sys/jail.h 2007-04-05 19:19:13.000000000 -0400 +++ src.new/sys/sys/jail.h 2008-05-28 09:35:21.000000000 -0400 @@ -18,6 +18,8 @@ char *path; char *hostname; u_int32_t ip_number; + unsigned int sched_shares; + unsigned int mem_limit; }; struct xprison { 
@@ -26,13 +28,24 @@ char pr_path[MAXPATHLEN]; char pr_host[MAXHOSTNAMELEN]; u_int32_t pr_ip; + unsigned int pr_sched_shares; + unsigned int pr_estcpu; + unsigned int pr_mem_limit; + unsigned int pr_mem_usage; }; -#define XPRISON_VERSION 1 +#define XPRISON_VERSION 2 + +#define JAIL_MINIMUM_SHARES 1 + +#define J_PAGER_TD_ACTIVE 0x01 +#define J_PAGER_TD_DIE 0x02 +#define J_PAGER_TD_DEAD 0x04 #ifndef _KERNEL int jail(struct jail *); int jail_attach(int); +int jail_set_resource_limits(unsigned int, int, int); #else /* _KERNEL */ @@ -73,6 +86,12 @@ int pr_securelevel; /* (p) securelevel */ struct task pr_task; /* (d) destroy task */ struct mtx pr_mtx; + u_int32_t pr_sched_shares; /* (p) jail priority */ + u_int pr_estcpu; /* (p) est. cpu of jail */ + struct proc *pr_pager; /* (c) pager pid */ + int *pr_pager_flags_ptr; /* (p) communication to pager */ + size_t pr_mem_limit; /* (p) memory allocation limit */ + size_t pr_mem_usage; /* (p) memory in use */ void **pr_slots; /* (p) additional data */ }; #endif /* _KERNEL || _WANT_PRISON */ @@ -113,6 +132,8 @@ void prison_hold(struct prison *pr); int prison_if(struct ucred *cred, struct sockaddr *sa); int prison_ip(struct ucred *cred, int flag, u_int32_t *ip); +long prison_memory(struct prison *pr); +long prison_memory_limit(struct prison *pr); int prison_priv_check(struct ucred *cred, int priv); void prison_remote_ip(struct ucred *cred, int flags, u_int32_t *ip); diff -burN src.old/sys/sys/syscall.h src.new/sys/sys/syscall.h --- src.old/sys/sys/syscall.h 2007-08-16 01:32:26.000000000 -0400 +++ src.new/sys/sys/syscall.h 2008-05-28 19:49:37.000000000 -0400 
@@ -2,8 +2,8 @@ * System call numbers. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/sys/syscall.h,v 1.211 2007/08/16 05:32:26 davidxu Exp $ - * created from FreeBSD: src/sys/kern/syscalls.master,v 1.232 2007/07/04 22:47:37 peter Exp + * $FreeBSD$ + * created from FreeBSD: src/sys/kern/syscalls.master,v 1.233 2007/08/16 05:26:41 davidxu Exp */ #define SYS_syscall 0 @@ -401,4 +401,5 @@ #define SYS_truncate 479 #define SYS_ftruncate 480 #define SYS_thr_kill2 481 -#define SYS_MAXSYSCALL 482 +#define SYS_jail_set_resource_limits 482 +#define SYS_MAXSYSCALL 483 diff -burN src.old/sys/sys/syscall.mk src.new/sys/sys/syscall.mk --- src.old/sys/sys/syscall.mk 2007-08-16 01:32:26.000000000 -0400 +++ src.new/sys/sys/syscall.mk 2008-05-28 19:49:37.000000000 -0400 @@ -1,7 +1,7 @@ # FreeBSD system call names. # DO NOT EDIT-- this file is automatically generated. -# $FreeBSD: src/sys/sys/syscall.mk,v 1.166 2007/08/16 05:32:26 davidxu Exp $ -# created from FreeBSD: src/sys/kern/syscalls.master,v 1.232 2007/07/04 22:47:37 peter Exp +# $FreeBSD$ +# created from FreeBSD: src/sys/kern/syscalls.master,v 1.233 2007/08/16 05:26:41 davidxu Exp MIASM = \ syscall.o \ exit.o \ @@ -349,4 +349,5 @@ lseek.o \ truncate.o \ ftruncate.o \ - thr_kill2.o + thr_kill2.o \ + jail_set_resource_limits.o diff -burN src.old/sys/sys/sysproto.h src.new/sys/sys/sysproto.h --- src.old/sys/sys/sysproto.h 2007-08-16 01:32:26.000000000 -0400 +++ src.new/sys/sys/sysproto.h 2008-05-28 19:49:37.000000000 -0400 @@ -2,8 +2,8 @@ * System call prototypes. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/sys/sysproto.h,v 1.215 2007/08/16 05:32:26 davidxu Exp $ - * created from FreeBSD: src/sys/kern/syscalls.master,v 1.232 2007/07/04 22:47:37 peter Exp + * $FreeBSD$ + * created from FreeBSD: src/sys/kern/syscalls.master,v 1.233 2007/08/16 05:26:41 davidxu Exp */ #ifndef _SYS_SYSPROTO_H_ 
@@ -1520,6 +1520,11 @@ char id_l_[PADL_(long)]; long id; char id_r_[PADR_(long)]; char sig_l_[PADL_(int)]; int sig; char sig_r_[PADR_(int)]; }; +struct jail_set_resource_limits_args { + char jid_l_[PADL_(unsigned int)]; unsigned int jid; char jid_r_[PADR_(unsigned int)]; + char cpushares_l_[PADL_(int)]; int cpushares; char cpushares_r_[PADR_(int)]; + char memlimit_l_[PADL_(int)]; int memlimit; char memlimit_r_[PADR_(int)]; +}; int nosys(struct thread *, struct nosys_args *); void sys_exit(struct thread *, struct sys_exit_args *); int fork(struct thread *, struct fork_args *); @@ -1859,6 +1864,7 @@ int truncate(struct thread *, struct truncate_args *); int ftruncate(struct thread *, struct ftruncate_args *); int thr_kill2(struct thread *, struct thr_kill2_args *); +int jail_set_resource_limits(struct thread *, struct jail_set_resource_limits_args *); #ifdef COMPAT_43 @@ -2423,6 +2429,7 @@ #define SYS_AUE_truncate AUE_TRUNCATE #define SYS_AUE_ftruncate AUE_FTRUNCATE #define SYS_AUE_thr_kill2 AUE_KILL +#define SYS_AUE_jail_set_resource_limits AUE_NULL #undef PAD_ #undef PADL_ diff -burN src.old/sys/vm/vm_pageout.c src.new/sys/vm/vm_pageout.c --- src.old/sys/vm/vm_pageout.c 2007-09-25 02:25:06.000000000 -0400 +++ src.new/sys/vm/vm_pageout.c 2008-05-28 13:05:44.000000000 -0400 @@ -208,7 +208,6 @@ int vm_page_max_wired; /* XXX max # of wired pages system-wide */ #if !defined(NO_SWAPPING) -static void vm_pageout_map_deactivate_pages(vm_map_t, long); static void vm_pageout_object_deactivate_pages(pmap_t, vm_object_t, long); static void vm_req_vmdaemon(int req); #endif 
@@ -594,7 +593,7 @@ * deactivate some number of pages in a map, try to do it fairly, but * that is really hard to do. */ -static void +void vm_pageout_map_deactivate_pages(map, desired) vm_map_t map; long desired; diff -burN src.old/sys/vm/vm_pageout.h src.new/sys/vm/vm_pageout.h --- src.old/sys/vm/vm_pageout.h 2005-01-06 21:29:27.000000000 -0500 +++ src.new/sys/vm/vm_pageout.h 2008-05-28 09:37:17.000000000 -0400 @@ -87,6 +87,8 @@ * Exported routines. */ +void vm_pageout_map_deactivate_pages(vm_map_t map, long desired); + /* * Signal pageout-daemon and wait for it. */ diff -burN src.old/usr.sbin/jail/jail.8 src.new/usr.sbin/jail/jail.8 --- src.old/usr.sbin/jail/jail.8 2007-04-05 17:17:52.000000000 -0400 +++ src.new/usr.sbin/jail/jail.8 2008-05-28 19:58:58.000000000 -0400 @@ -45,6 +45,8 @@ .Op Fl J Ar jid_file .Op Fl s Ar securelevel .Op Fl l u Ar username | Fl U Ar username +.Op Fl S Ar cpu_shares +.Op Fl M Ar mem_limit .Ar path hostname ip-number command ... .Sh DESCRIPTION The @@ -88,6 +90,10 @@ The user name from jailed environment as whom the .Ar command should run. +.It Fl S Ar cpu_shares +CPU shares to assign to the prison. +.It Fl M Ar mem_limit +Amount of memory (in MB) to allow the prison to use. .It Ar path Directory which is to be the root of the prison. .It Ar hostname 
@@ -550,6 +556,17 @@ This MIB entry determines if a privileged user inside a jail will be able to mount and unmount file system types marked as jail-friendly. The +.It Va security.jail.limit_jail_memory, Va security.jail.jail_pager_interval +These MIB entries determine whether and how often (in seconds) a +jail's memory-limit monitoring daemon will run, and consequently the +period during which a jail can be overcommitted for resident memory. +.It Va kern.sched.limit_jail_cpu +This MIB entry sets whether CPU usage limits will be enforced +against processes in jails with CPU limits. +.It Va kern.sched.system_cpu_shares +Number of CPU usage shares to allocate to unjailed processes for the +purposes of determining CPU usage permitted for jailed processes. +Unjailed processes are not subject to CPU usage limits. .Xr lsvfs 1 command can be used to find file system types available for mount from within a jail. diff -burN src.old/usr.sbin/jail/jail.c src.new/usr.sbin/jail/jail.c --- src.old/usr.sbin/jail/jail.c 2006-05-12 11:14:43.000000000 -0400 +++ src.new/usr.sbin/jail/jail.c 2008-05-28 10:02:59.000000000 -0400 @@ -56,6 +56,8 @@ struct in_addr in; gid_t groups[NGROUPS]; int ch, i, iflag, Jflag, lflag, ngroups, securelevel, uflag, Uflag; + unsigned int mem_limit = 0; + unsigned int sched_shares = 0; char path[PATH_MAX], *ep, *username, *JidFile; static char *cleanenv; const char *shell, *p = NULL; @@ -67,7 +69,7 @@ username = JidFile = cleanenv = NULL; fp = NULL; - while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) { + while ((ch = getopt(argc, argv, "ilS:M:s:u:U:J:")) != -1) { switch (ch) { case 'i': iflag = 1; @@ -76,6 +78,13 @@ JidFile = optarg; Jflag = 1; break; + case 'M': + mem_limit = atoi(optarg); + mem_limit *= 1024 * 1024; + break; + case 'S': + sched_shares = atoi(optarg); + break; case 's': ltmp = strtol(optarg, &ep, 0); if (*ep || ep == optarg || ltmp > INT_MAX || !ltmp) 
@@ -118,6 +127,8 @@ if (inet_aton(argv[2], &in) == 0) errx(1, "Could not make sense of ip-number: %s", argv[2]); j.ip_number = ntohl(in.s_addr); + j.mem_limit = mem_limit; + j.sched_shares = sched_shares; if (Jflag) { fp = fopen(JidFile, "w"); if (fp == NULL) @@ -182,8 +193,10 @@ usage(void) { - (void)fprintf(stderr, "%s%s%s\n", - "usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ", + (void)fprintf(stderr, "%s%s%s%s%s\n", + "usage: jail [-i] [-J jid_file] [-M mem_limit] ", + "[-S cpu_shares] [-s securelevel]", + " [-l -u ", "username | -U username]", " path hostname ip-number command ..."); exit(1); diff -burN src.old/usr.sbin/jls/jls.8 src.new/usr.sbin/jls/jls.8 --- src.old/usr.sbin/jls/jls.8 2003-04-08 23:04:12.000000000 -0400 +++ src.new/usr.sbin/jls/jls.8 2008-05-28 10:18:45.000000000 -0400 @@ -42,7 +42,8 @@ .Sh SEE ALSO .Xr jail 2 , .Xr jail 8 , -.Xr jexec 8 +.Xr jexec 8 , +.Xr jtune 8 .Sh HISTORY The .Nm diff -burN src.old/usr.sbin/jtune/Makefile src.new/usr.sbin/jtune/Makefile --- src.old/usr.sbin/jtune/Makefile 1969-12-31 19:00:00.000000000 -0500 +++ src.new/usr.sbin/jtune/Makefile 2008-05-28 03:41:05.000000000 -0400 @@ -0,0 +1,10 @@ +# $FreeBSD$ + +PROG= jtune +MAN= jtune.8 +DPADD= ${LIBUTIL} +LDADD= -lutil + +WARNS?= 6 + +.include diff -burN src.old/usr.sbin/jtune/jtune.8 src.new/usr.sbin/jtune/jtune.8 --- src.old/usr.sbin/jtune/jtune.8 1969-12-31 19:00:00.000000000 -0500 +++ src.new/usr.sbin/jtune/jtune.8 2008-05-28 10:19:33.000000000 -0400 
@@ -0,0 +1,75 @@ +.\" Copyright (c) 2006 Chris Jones +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by Chris Jones +.\" thanks to the support of Google's Summer of Code program and +.\" mentoring by Kip Macy. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd August 21, 2006 +.Dt JTUNE 8 +.Os +.Sh NAME +.Nm jtune +.Nd "modify jail resource limits" +.Sh SYNOPSIS +.Nm +.Fl j Ar jail_id +.Op Fl i +.Op Fl m Ar mem_limit +.Op Fl s Ar cpu_shares +.Sh DESCRIPTION +The +.Nm +utility modifies a jail's memory and CPU usage limits. 
+.Pp +The options are as follows: +.Bl -tag -width ".Fl u Ar cpu_shares" +.It Ar jail_id +Jail identifier (JID) of the jail whose limits are being tuned. +.It Fl i +Show jail's resource limits. +.It Fl m Ar mem_limit +Limit a jail's memory usage (resident set size) to +.Ar mem_limit +megabytes. +.It Fl s Ar cpu_shares +Set a jail's CPU shares to +.Ar cpu_shares +shares. +.Sh SEE ALSO +.Xr jail 2 , +.Xr jail 8 , +.Xr jexec 8 +.Xr jls 8 +.Sh HISTORY +The +.Nm +utility first appeared in +.Fx FIXME . +.Pp +.Nm +was written by Chris Jones through the 2006 Google Summer of Code +program. Files src.old/usr.sbin/jtune/jtune.8.gz and src.new/usr.sbin/jtune/jtune.8.gz differ diff -burN src.old/usr.sbin/jtune/jtune.c src.new/usr.sbin/jtune/jtune.c --- src.old/usr.sbin/jtune/jtune.c 1969-12-31 19:00:00.000000000 -0500 +++ src.new/usr.sbin/jtune/jtune.c 2008-05-28 03:39:15.000000000 -0400 
@@ -0,0 +1,188 @@ +/*- + * Copyright (c) 2006 Chris Jones + * All rights reserved. + * + * This software was developed for the FreeBSD Project by Chris Jones + * thanks to the support of Google's Summer of Code program and + * mentoring by Kip Macy. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + */ + +#include +__FBSDID("$FreeBSD"); + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void usage(void); +static struct xprison *getxprison(int); +extern char **environ; + +int +main(int argc, char **argv) +{ + struct xprison *xp; + int jid = 0; + int memlimit = -1; + int shares = -1; + int iflag = 0; + int retval; + int ch; + + while ((ch = getopt(argc, argv, "ij:m:s:")) != -1) { + switch (ch) { + case 'i': + iflag = 1; + break; + case 'j': + jid = atoi(optarg); + if (!jid && errno) + err(1, "invalid jail id '%s'", optarg); + break; + + case 'm': + memlimit = atoi(optarg); + if (!memlimit && errno) + err(1, "invalid memory limit '%s'", optarg); + if (memlimit < 0) + errx(1, "invalid memory limit '%s'", optarg); + memlimit *= 1024 * 1024; + break; + + case 's': + shares = atoi(optarg); + if (!shares && errno) + err(1, "invalid cpu share '%s'", optarg); + if (shares < 0) + errx(1, "invalid cpu share '%s'", optarg); + break; + + default: + usage(); + } + } + + argc -= optind; + argv += optind; + + if (!jid) + usage(); + + xp = getxprison(jid); + if (NULL == xp) + errx(1, "no jail with id %d", jid); + + if (iflag) { + char *memlimstr, *memusestr; + + asprintf(&memusestr, "%d M", + xp->pr_mem_usage / (1024 * 1024)); + if (xp->pr_mem_limit) { + asprintf(&memlimstr, "%d M", + xp->pr_mem_limit / (1024 * 1024)); + } else { + asprintf(&memlimstr, "None"); + } + + if (NULL == memusestr || NULL == memlimstr) + err(1, "couldn't allocate memory"); + + printf(" JID Hostname Memory Used / Limit CPU Shares\n"); + printf("%6d %-24.24s %6s / %-6.6s %-4d\n", + xp->pr_id, xp->pr_host, + memusestr, memlimstr, + xp->pr_sched_shares); + exit(0); + } + + retval = jail_set_resource_limits(jid, shares, memlimit); + if (retval) { + errx(1, "jail_set_resource_limit(%d, %d, %d) failed", + jid, memlimit, shares); + } + exit(0); + +} + +static void +usage() +{ + (void)fprintf(stderr, "%s\n", + 
"usage: jtune -j jid_id [-m mem_limit] [-s cpu_shares]"); + exit(0); +} + +static struct xprison * +getxprison(int jid) +{ + size_t i, len; + struct xprison *xpl, *sxpl; + if (sysctlbyname("security.jail.list", NULL, &len, NULL, 0) == -1) + err(1, "sysctlbyname(): security.jail.list"); + + if (len <= 0) + errx(1, "sysctl security.jail.list has no entries for jid %d", jid); + + /* getxprison allocates the structure, caller frees */ + sxpl = xpl = malloc(len); + if (NULL == xpl) + err(1, "malloc()"); + + if (sysctlbyname("security.jail.list", xpl, &len, NULL, 0) == -1) { + free(xpl); + err(1, "sysctlbyname(): security.jail.list"); + } + + if (len < sizeof(*xpl) || len % sizeof(*xpl) || + xpl->pr_version != XPRISON_VERSION) + errx(1, "Kernel and userland out of sync"); + + for (i = 0; i < len / sizeof(*xpl); i++) { + if (jid == xpl->pr_id) { + struct xprison *xp; + xp = malloc(sizeof (struct xprison)); + if (NULL == xp) + err(1, "malloc()"); + memcpy(xp, xpl, sizeof (struct xprison)); + free(sxpl); + return xp; + } + xpl++; + } + + free(sxpl); + return NULL; +}
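Review bot: in the sysproto.h hunk that adds struct jail_set_resource_limits_args, `int memlimit` carries a byte count, so the largest limit that can be expressed is 2 GiB, and both userland callers in this patch multiply a user-supplied megabyte count by 1024 * 1024 into an `unsigned int` (jail.c, wraps to a small number at 4096 MB) or an `int` (jtune.c, signed overflow above 2047 MB, and a wrapped result can collide with the -1 "leave unchanged" sentinel). Use a 64-bit type such as `uint64_t` for the limit and range-check it before use, or pass megabytes and convert on the kernel side.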
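Review bot: in the sysproto.h hunk that adds `#define SYS_AUE_jail_set_resource_limits AUE_NULL`, the new call changes another jail's CPU and memory limits, which is a privileged administrative action that should leave an audit record; AUE_NULL means it never will. Give it a real audit event (jail(2) itself uses AUE_JAIL) in the syscalls.master entry these generated files come from, which is not in this part of the patch.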
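Review bot: in the vm_pageout.h hunk, the new prototype for vm_pageout_map_deactivate_pages is unconditional, but the static declaration the vm_pageout.c hunk removes sat inside `#if !defined(NO_SWAPPING)`; if the function body lives under the same guard (it is not in the visible context), any caller of the new export will compile and then fail to link in a kernel built with NO_SWAPPING. Either guard the prototype and the caller the same way or move the function out of the NO_SWAPPING block.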
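Review bot: in the jail.8 hunk at @@ -550,6 +556,17 @@, the three new `.It Va` entries are inserted between `The` and `.Xr lsvfs 1`, splitting the sentence "The lsvfs(1) command can be used to find file system types available for mount from within a jail" that belongs to the preceding mount_allowed entry. Move the insertion to after the `within a jail.` line. The entries should also say what enforcement does when a jail is over its memory limit and what kern.sched.system_cpu_shares is measured against, since that is what an operator reading this will need to know.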
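Review bot: in the jail.c getopt hunk, `mem_limit = atoi(optarg); mem_limit *= 1024 * 1024;` and `sched_shares = atoi(optarg);` accept anything: `-M -1` becomes a huge unsigned limit, `-M 4096` wraps to 0 and `-M foo` silently means 0, while the `-s` case a few lines below already shows the right pattern (strtol with an endptr and range checks). Parse both with strtol()/strtonum(), reject negatives and values that do not fit, and keep the byte count in a 64-bit variable.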
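Review bot: in the jail.c hunk at @@ -118,6 +127,8 @@, `j.mem_limit` and `j.sched_shares` are new members of struct jail, but the sys/jail.h change that adds them is not in this part of the patch, and struct jail is copied in by jail(2) as a fixed-size structure with a version field for exactly this purpose: bump the version with the new layout and have the kernel reject a mismatch, otherwise a jail(8) built against the old header hands the new kernel whatever follows the shorter struct as the limits.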
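Review bot: in the jtune/Makefile hunk, `DPADD= ${LIBUTIL}` and `LDADD= -lutil` link a library nothing in jtune.c uses (it only calls sysctlbyname, asprintf, err/errx and the new syscall); drop them unless a libutil routine is planned. The diff tree also contains a built src.new/usr.sbin/jtune/jtune.8.gz (the "Files ... differ" line): build output should not be in the patch.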
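Review bot: in the jtune.8 hunk, the option list opened with `.Bl -tag -width ".Fl u Ar cpu_shares"` is never closed with `.El` before `.Sh SEE ALSO`; the width string names a `-u` option that does not exist (use `.Fl s Ar cpu_shares`); the `-j` option is listed as `.It Ar jail_id` instead of `.It Fl j Ar jail_id`; `.Xr jexec 8` needs a trailing comma before `.Xr jls 8`; and `.Dd August 21, 2006` and `.Fx FIXME` need real values. Also document that `-i` only reports and that `-m`/`-s` given together with it are ignored, which is what jtune.c does.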
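Review bot: in the jtune.c hunk, `__FBSDID("$FreeBSD");` is missing the closing `$`, so the keyword will never expand. Option parsing relies on `atoi()` followed by `if (!x && errno)`, but atoi() does not set errno, so the check is dead and `-j foo` or `-m foo` are accepted as 0 (`-j 0` then falls through to usage(), `-m 0` silently removes the limit); use strtol()/strtonum() with endptr and range checks as jail.c's -s handling does, and keep memlimit in a 64-bit type, since `memlimit *= 1024 * 1024` overflows an int above 2047 MB. The failure path `errx(1, "jail_set_resource_limit(%d, %d, %d) failed", jid, memlimit, shares)` misspells the call, prints the last two arguments in the opposite order to the actual call `jail_set_resource_limits(jid, shares, memlimit)`, and uses errx() so the errno the kernel returned (EPERM, ESRCH or EINVAL) is lost; use err(). usage() exits 0 on a usage error (should be 1), omits -i, and says `jid_id` where the manual says `jail_id`. Finally, since the kernel side is not in this part of the patch, confirm that jail_set_resource_limits requires privilege and refuses callers that are themselves jailed, or a jailed root can raise its own limits.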

From: Boris Samorodov
Date: Wed, 25 Jun 2008 17:53:49 +0400
Message-ID: <62852722@bb.ipt.ru>
Subject: is nfs mount inside jail possible?

Hello FreeBSD jail gurus,

I've found at Google some advice on how to do an NFS mount inside a jail. That advice doesn't help me. And according to jail(8):

-----
# uname -a
FreeBSD box.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Mon Jun 16 17:18:23 MSD 2008 root@box.bsam.ru:/usr/obj/usr/src/sys/BOX amd64
# lsvfs
Filesystem                       Refs  Flags
-------------------------------- ----- ---------------
nfs4                                0  network
zfs                                 6  jail
ntfs                                0
ufs                                 4
nfs                                 0  network
msdosfs                             0
procfs                              4  synthetic
cd9660                              0  read-only
devfs                               5  synthetic
nullfs                              7  loopback
fdescfs                             4  synthetic
-----

... nfs seems not to be jail friendly. Hence the question in the subject. Thanks!
WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve

Date: Wed, 25 Jun 2008 10:37:21 -0400
From: Bill Moran
To: Boris Samorodov
Cc: freebsd-jail@FreeBSD.org
Message-Id: <20080625103721.bdc7daee.wmoran@collaborativefusion.com>
In-Reply-To: <62852722@bb.ipt.ru>
Subject: Re: is nfs mount inside jail possible?

In response to Boris Samorodov:

> ... nfs seems not to be jail friendly. Hence the question in the
> subject. Thanks!

You can NFS mount on the host, and it will be visible within the jail. Don't know if that helps your situation or not.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

****************************************************************
IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.
****************************************************************

To: Bill Moran
From: Boris Samorodov
Cc: freebsd-jail@FreeBSD.org
Date: Wed, 25 Jun 2008 18:56:38 +0400
In-Reply-To: <20080625103721.bdc7daee.wmoran@collaborativefusion.com>
Message-ID: <93253417@bb.ipt.ru>
Subject: Re: is nfs mount inside jail possible?

On Wed, 25 Jun 2008 10:37:21 -0400 Bill Moran wrote:

> In response to Boris Samorodov:
>
> > ... nfs seems not to be jail friendly. Hence the question in the
> > subject. Thanks!
>
> You can NFS mount on the host, and it will be visible within the jail.
> Don't know if that helps your situation or not.

Yep, I know it. I'd prefer to use mounts within a jail. They should be dynamic: a process mounts it, uses it and unmounts it. Otherwise there will be too many mounts...

Bill, thanks for trying.
WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD committer, http://www.FreeBSD.org The Power To Serve

Message-ID: <20080625173401.116369ceeiewif40@webmail.leidinger.net>
Date: Wed, 25 Jun 2008 17:34:01 +0200
From: Alexander Leidinger
To: Boris Samorodov
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <62852722@bb.ipt.ru>
Subject: Re: is nfs mount inside jail possible?

Quoting Boris Samorodov (from Wed, 25 Jun 2008 17:53:49 +0400):

> # lsvfs
> Filesystem                       Refs  Flags
> -------------------------------- ----- ---------------
> nfs4                                0  network
> zfs                                 6  jail
> ntfs                                0
> ufs                                 4
> nfs                                 0  network
> msdosfs                             0
> procfs                              4  synthetic
> cd9660                              0  read-only
> devfs                               5  synthetic
> nullfs                              7  loopback
> fdescfs                             4  synthetic
> -----
>
> ... nfs seems not to be jail friendly. Hence the question in the
> subject. Thanks!

Correct. If you are not afraid to patch the system: zfs has the JAIL flag set, you just need to do the same with nfs.

To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and change it to
VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL);

I suggest not doing this with tmpfs if you do shared hosting (you don't want strangers eating up all your physical RAM).

Bye,
Alexander.
-- 
Peers's Law: The solution to a problem changes the nature of the problem.

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
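The following is an added example, not code from this thread or from FreeBSD. It turns the lsvfs(1) listing Boris posted and the VFS_SET change Alexander suggests into a check a practitioner can run on the host before attempting a mount from a jail: parse the lsvfs output, apply the two conditions a privileged process inside a jail has to satisfy (the security.jail.mount_allowed sysctl, which is the knob the jail(8) text earlier on this page describes, must be on, and the VFS must carry the "jail" flag, VFCF_JAIL in the kernel), show what the table looks like once nfs gets the jail flag, and list which jail-flagged types are also loopback or network filesystems and therefore reach outside the jail's own directory tree. The sysctl name, the column layout of the sample (restored from the flattened listing above) and the assumption that lsvfs prints several flags comma-separated are mine, not the thread's.

```python
"""Check whether a filesystem type can be mounted from inside a FreeBSD jail.

Added example; not code from this thread or from FreeBSD.  It parses the
text lsvfs(1) prints and applies the two conditions described in the jail(8)
text quoted in this thread: security.jail.mount_allowed must be enabled
(sysctl name assumed, it is not spelled out in the thread) and the VFS must
carry the "jail" flag (VFCF_JAIL in the kernel).
"""
from dataclasses import dataclass

# Constructed sample: the lsvfs output Boris posted, columns restored.
LSVFS_OUTPUT = """\
Filesystem                       Refs  Flags
-------------------------------- ----- ---------------
nfs4                                0  network
zfs                                 6  jail
ntfs                                0
ufs                                 4
nfs                                 0  network
msdosfs                             0
procfs                              4  synthetic
cd9660                              0  read-only
devfs                               5  synthetic
nullfs                              7  loopback
fdescfs                             4  synthetic
"""

# Flags that let a mount reach outside the jail's own directory tree.
REACHES_OUTSIDE = frozenset({"loopback", "network"})


@dataclass(frozen=True)
class Vfs:
    name: str
    refs: int            # active mounts of this type
    flags: frozenset     # lsvfs flag words, e.g. {"network"} or {"jail"}


def parse_lsvfs(text):
    """Turn lsvfs output into {name: Vfs}; header and rule lines are skipped.

    Several flags are assumed to be printed comma-separated ("network, jail").
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Filesystem" or fields[0].startswith("-"):
            continue
        name, refs, *rest = fields
        flags = frozenset(f.strip() for f in " ".join(rest).split(",") if f.strip())
        table[name] = Vfs(name, int(refs), flags)
    return table


def jail_mount_check(table, fsname, mount_allowed):
    """Return (ok, reason) for a privileged process in a jail mounting fsname."""
    if not mount_allowed:
        return False, "security.jail.mount_allowed=0: no mounts from jails at all"
    vfs = table.get(fsname)
    if vfs is None:
        return False, f"{fsname}: VFS not loaded (check lsvfs/kldstat on the host)"
    if "jail" not in vfs.flags:
        return False, f"{fsname}: VFS lacks the jail flag (VFCF_JAIL)"
    return True, f"{fsname}: mountable from a jail"


def with_jail_flag(table, fsname):
    """The table as lsvfs would show it after VFCF_JAIL is added to fsname's
    VFS_SET, the change suggested for nfs above.  Returns a new table."""
    vfs = table[fsname]
    patched = dict(table)
    patched[fsname] = Vfs(vfs.name, vfs.refs, vfs.flags | {"jail"})
    return patched


def outside_reach(table):
    """Jail-mountable types that also reach outside the jail's tree, as
    {name: offending flags}.  Empty means nothing needs a second look."""
    return {
        v.name: v.flags & REACHES_OUTSIDE
        for v in table.values()
        if "jail" in v.flags and v.flags & REACHES_OUTSIDE
    }


if __name__ == "__main__":
    import sys
    text = LSVFS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    table = parse_lsvfs(text)
    for fs in sys.argv[1:] or ["nfs", "zfs", "nullfs"]:
        print(jail_mount_check(table, fs, mount_allowed=True)[1])
    print("jail-flagged types reaching outside the jail:", outside_reach(table) or "none")
```

Run it with real output on stdin (`lsvfs | python3 <this file> nfs nullfs`); without a pipe it falls back to the constructed sample, where only zfs passes and the patched nfs entry shows up as a network filesystem that reaches outside the jail.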

Message-ID: <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net>
Date: Wed, 25 Jun 2008 17:52:52 +0200
From: Alexander Leidinger
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <20080625173401.116369ceeiewif40@webmail.leidinger.net>
Subject: Re: is nfs mount inside jail possible?

Quoting Alexander Leidinger (from Wed, 25 Jun 2008 17:34:01 +0200):

> To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and
> change it to
> VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL);

Oh: I haven't checked if this actually works. I don't know if all places DTRT then. Normally it should work, but you better test if it really puts the FS in the place where you want it, that you can mount/umount it, that "mount -v" shows the expected output on the host and in the jail, and so on.

Similar things can be done for src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those are the FS's which _should_ be safe, either because they work with untrusted data anyway, or because it's a loopback mount.
But again, I haven't tested any of them (I have them patched locally, but even the initial testing is on my TODO list with a low priority).

Bye,
Alexander.

-- 
At the end of the semester you will recall having enrolled in a course at the beginning of the semester -- and never attending.

http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137

Date: Wed, 25 Jun 2008 16:57:17 +0100 (BST)
From: Robert Watson
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net>
Message-ID: <20080625165505.P87282@fledge.watson.org>
Subject: Re: is nfs mount inside jail possible?

On Wed, 25 Jun 2008, Alexander Leidinger wrote:

> Oh: I haven't checked if this actually works. I don't know if all places
> DTRT then. Normally it should work, but you better test if it really puts
> the FS in the place where you want it, that you can mount/umount it, that
> "mount -v" shows the expected output on the host and in the jail, and so on.
>
> Similar things can be done for
> src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those are the
> FS's which _should_ be safe, either because they work with untrusted data
> anyway, or because it's a loopback mount. But again, I haven't tested any of
> them (I have them patched locally, but even the initial testing is on my
> TODO list with a low priority).

Safe in the sense that they might, or might not, immediately panic. Not safe in the sense that the resulting system would necessarily have the expected or desired security properties. It wouldn't surprise me if, just for example, allowing user mounting of nullfs from within jail allowed the user to escape from the jail and access files outside the jail in the host system. Establishing that this is not the case is fairly non-trivial and has to be done very carefully. I would recommend extreme caution.
Robert N M Watson
Computer Laboratory
University of Cambridge

Date: Wed, 25 Jun 2008 16:50:58 +0100 (BST)
From: Robert Watson
To: Alexander Leidinger
Cc: freebsd-jail@FreeBSD.org
In-Reply-To: <20080625173401.116369ceeiewif40@webmail.leidinger.net>
Message-ID: <20080625164434.J87282@fledge.watson.org>
Subject: Re: is nfs mount inside jail possible?

On Wed, 25 Jun 2008, Alexander Leidinger wrote:

>> ... nfs seems not to be jail friendly. Hence the question in the subject.
>> Thanks!
>
> Correct. If you are not afraid to patch the system: zfs has the JAIL flag
> set, you just need to do the same with nfs.
>
> To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and change
> it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL);
>
> I suggest not doing this with tmpfs if you do shared hosting (you don't want
> strangers eating up all your physical RAM).

The security implications of doing this are rather non-trivial, and should be carefully taken into account. This is not a configuration I would recommend for most sites on the basis that they might not be well-equipped to reason about the indirect security consequences. There are also some potentially tricky technical elements here -- for example, some versions of FreeBSD are known to have TCP implementations that are not entirely happy with NFS running in a jail. Likewise, some of the associated services of NFS, such as rpc.statd and rpc.lockd, will not work properly with virtualization prior to 8.x (and possibly after) as they both have interesting security requirements and rely on things like each IP address being associated with at most one client.
Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-jail@FreeBSD.ORG Wed Jun 25 16:42:02 2008 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6008B106566B; Wed, 25 Jun 2008 16:42:02 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id CD4588FC14; Wed, 25 Jun 2008 16:42:01 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A54EEB.dip.t-dialin.net [84.165.78.235]) by redbull.bpaserver.net (Postfix) with ESMTP id B42DF2E2A2; Wed, 25 Jun 2008 18:41:54 +0200 (CEST) Received: from webmail.leidinger.net (webmail.leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id EE0F7134837; Wed, 25 Jun 2008 18:41:51 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=Leidinger.net; s=outgoing-alex; t=1214412112; bh=2KlfQurgBl9/dJ917fZRqHCNQ3HisUVoa CDVzs/mKWE=; h=Message-ID:Date:From:To:Cc:Subject:References: In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=lIJ5a3UiVL2X5BKq2jurWFzZupsV4owdowY+Rd/nn/keFEp2re1FxSbi/VJWPNVi6 XYibNpCw6gncZXidz49hzvJJPjDCGfvxAyAcNcAL+JHTKwCL6lUIRQOx3k5d8z7KLGb AJGwI/7ztwINIfsP+E1zs0qj80y/SGBfdZbi2VU5yid/XoA1EcqduAOqGepbp4zcC+e mfiuQg2CZFGVerM1q+LmJOq0Ci76xZIjaM+C5RxWH1gA+FEVlsM17XxTcc6C7vsYHJn 68UOhyleMiZHlpvT5Dm/3EyZxnSn/YHJDyCw0SX8Zmuserv7hswZbHeQAvq4knf6W6H eOdJyK4Ww== Received: (from www@localhost) by webmail.leidinger.net (8.14.2/8.13.8/Submit) id m5PGfp8q042135; Wed, 25 Jun 2008 18:41:51 +0200 (CEST) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde Framework) with HTTP; Wed, 25 Jun 2008 18:41:51 +0200 Message-ID: <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> X-Priority: 3 (Normal) 
Date: Wed, 25 Jun 2008 18:41:51 +0200 
From: Alexander Leidinger To: Robert Watson References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> <20080625165505.P87282@fledge.watson.org> In-Reply-To: <20080625165505.P87282@fledge.watson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.2-RC2) / FreeBSD-8.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, ORDB-RBL, SpamAssassin (not cached, score=-14.9, required 6, BAYES_00 -15.00, DKIM_SIGNED 0.00, DKIM_VERIFIED -0.00, RDNS_DYNAMIC 0.10) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Jun 2008 16:42:02 -0000 Quoting Robert Watson (from Wed, 25 Jun 2008 16:57:17 +0100 (BST)): > On Wed, 25 Jun 2008, Alexander Leidinger wrote: > >> Oh: I haven't checked if this actually works. I don't know if all >> places DTRT then. Normally it should work, but you better test if >> it really puts the FS in the place where you want it, that you can >> mount/umount it, that "mount -v" shows the expected output on the >> host and in the jail, and so on. >> >> Similar things can be done for >> src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those >> are the FS's which _should_ be safe, either because they work with >> untrusted data anyway, or because it's a loopback mount. 
But again, >> I haven't tested any of them (I have them patched locally, but even >> the initial testing is on my TODO list with a low priority). > > Safe in the sense that they might, or might not, immediately panic. > Not safe in the sense that the resulting system would necessarily > have the expected or desired security properties. It wouldn't > surprise me if, just for example, allowing user mounting of nullfs > from within jail allowed the user to escape from the jail and access > files outside the jail in the host system. I just had a look at the man page of nmount (that's what is used to mount nullfs, and some other FS's). nmount gets the pathname (realpath). realpath prints the path relative to the jail root, not the real name in the jail-host. If nmount is not jail aware, then we have a meltdown. nmount is using NDINIT/namei. If I read namei/NDINIT correctly, it picks the correct path in a jail (else name lookups in a jail wouldn't work, right?). Any filesystem which gets a source path also needs to use namei (AFAIK, please correct me if I'm wrong), so this side of the mounting has the same properties. For FS's which don't use nmount but the old mount stuff, I don't know. > Establishing that this is not the case is fairly non-trivial and has > to be done very carefully. I would recommend extreme caution. At least for nmount based things this would implicitly mean we have a _very_ big problem with jails (if my above analysis of the code is correct) in other places, as the mountpoint is resolved via namei in the kernel. Bye, Alexander. -- Personnel recruiting is a triumph of hope over experience. 
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From owner-freebsd-jail@FreeBSD.ORG Wed Jun 25 16:53:37 2008 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 600551065673 for ; Wed, 25 Jun 2008 16:53:37 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 1AA828FC0A for ; Wed, 25 Jun 2008 16:53:36 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 6FAA346B06; Wed, 25 Jun 2008 12:53:36 -0400 (EDT) Date: Wed, 25 Jun 2008 17:53:36 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Alexander Leidinger In-Reply-To: <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> Message-ID: <20080625174425.W87282@fledge.watson.org> References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> <20080625165505.P87282@fledge.watson.org> <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Jun 2008 16:53:37 -0000 On Wed, 25 Jun 2008, Alexander Leidinger wrote: >> Safe in the sense that they might, or might not, immediately panic. Not >> safe in the sense that the resulting system would necessarily have the >> expected or desired security properties. It wouldn't surprise me if, just >> for example, allowing user mounting of nullfs from within jail allowed the >> user to escape from the jail and access files outside the jail in the host >> system. > > I just had a look at the man page of nmount (that's what is used to mount > nullfs, and some other FS's). nmount gets the pathname (realpath). realpath > prints the path relative to the jail root, not the real name in the > jail-host. If nmount is not jail aware, then we have a meltdown. nmount is > using NDINIT/namei. If I read namei/NDINIT correctly, it picks the correct > path in a jail (else name lookups in a jail wouldn't work, right?). Any > filesystem which gets a source path also needs to use namei (AFAIK, please > correct me if I'm wrong), so this side of the mounting has the same > properties. > > For FS's which don't use nmount but the old mount stuff, I don't know. 
> >> Establishing that this is not the case is fairly non-trivial and has to be >> done very carefully. I would recommend extreme caution. > > At least for nmount based things this would implicitly mean we have a _very_ > big problem with jails (if my above analysis of the code is correct) in > other places, as the mountpoint is resolved via namei in the kernel. Jail is carefully structured around the idea that, in general, processes running with root privilege need very few actual privileges, they mostly just run with the root uid and override file permissions, signal protection, and low port number restrictions. So we scope the name spaces available to root processes in jail and grant a few specific privileges we believe are safe. Things like mounting file systems, raw device access, kernel module loading, etc, are in stark contrast to this as they frob (to use the term loosely) the substrate in which processes run: the integrity of the file system name space, the kernel, etc. Preventing those operations is part of what gives jail its integrity guarantees, and chipping away at those protections is inherently a risky activity. I don't know of any specific vulnerabilities that will open up, and I don't have time to read the source code to find them now, but I do promise you that if you allow arbitrary mounting of file systems in jail, you will likely run into quite a few, simply because mounting of file systems is a sensitive operation, modifies the file system name space that we rely on for containment, and because file systems and the file system infrastructure have generally not been designed with this in mind. Especially not for the idea of an unprivileged root user. So, per my comments, I would recommend extreme caution because the implications are very tricky to reason about, requiring careful auditing of source code to ensure that expected protections will continue to be enforced. Caveat emptor. Beware the dog. Enter at your own risk. There be dragons. 
Run away! Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-jail@FreeBSD.ORG Wed Jun 25 17:05:15 2008 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 695C8106566C for ; Wed, 25 Jun 2008 17:05:15 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com) Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id 16DDD8FC14 for ; Wed, 25 Jun 2008 17:05:14 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com) Received: from vanquish.ws.pitbpa0.priv.collaborativefusion.com (vanquish.ws.pitbpa0.priv.collaborativefusion.com [192.168.2.162]) (SSL: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Wed, 25 Jun 2008 13:05:13 -0400 id 00056438.48627ACA.00016689 Date: Wed, 25 Jun 2008 13:04:01 -0400 
From: Bill Moran To: Boris Samorodov Message-Id: <20080625130401.e03329dc.wmoran@collaborativefusion.com> In-Reply-To: <93253417@bb.ipt.ru> References: <62852722@bb.ipt.ru> <20080625103721.bdc7daee.wmoran@collaborativefusion.com> <93253417@bb.ipt.ru> Organization: Collaborative Fusion X-Mailer: Sylpheed 2.4.8 (GTK+ 2.12.9; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Jun 2008 17:05:15 -0000 In response to Boris Samorodov : > On Wed, 25 Jun 2008 10:37:21 -0400 Bill Moran wrote: > > > In response to Boris Samorodov : > > > > > > ... nfs seems not to be jail friendly. Here is the question at > > > subject. Thanks! > > > You can NFS mount on the host, and it will be visible within the jail. > > Don't know if that helps your situation or not. > > Yep, I know it. I'd prefer to use mounts within a jail. They should be > dynamic: a process mounts it, uses and unmounts. Otherwise there will > be too many mounts... How many is too many? Why do you think that number is too many? You could run the automounter on the host. -- Bill Moran Collaborative Fusion Inc. 
http://people.collaborativefusion.com/~wmoran/ wmoran@collaborativefusion.com Phone: 412-422-3463x4023 From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 06:06:35 2008 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B07FA1065673; Thu, 26 Jun 2008 06:06:35 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217]) by mx1.freebsd.org (Postfix) with ESMTP id 36E098FC16; Thu, 26 Jun 2008 06:06:35 +0000 (UTC) (envelope-from alexander@leidinger.net) Received: from outgoing.leidinger.net (p54A54EEB.dip.t-dialin.net [84.165.78.235]) by redbull.bpaserver.net (Postfix) with ESMTP id EC1712E27E; Thu, 26 Jun 2008 08:06:31 +0200 (CEST) Received: from webmail.leidinger.net (webmail.leidinger.net [192.168.1.102]) by outgoing.leidinger.net (Postfix) with ESMTP id EE9E712FE08; Thu, 26 Jun 2008 08:06:26 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=Leidinger.net; s=outgoing-alex; t=1214460387; bh=l5IVDjtuf6Dy6Ds6IdY+MYof/LmORJR88 CL5z6ngagg=; h=Message-ID:Date:From:To:Cc:Subject:References: In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=PWjhduZYOCeLVzfnfAPMawb7rU+hlf7jRH6WiAtcwlh/FVQnBuZYKZp9Ylzz87on9 3omUayAuiZTcpJoggQMLF+HsbB0NTaoB5uR7xJgKNJBkVLKWCJtUskwFTvoQtowT/kb N1yzwRfff6NiJ2alGNbMdhVPJ7JABo+QTG2IojOsCt+SpbcnBcH8MJ+1hkwWYxcjpEg umD8p9UD2a4ML+BJix1acX3yOnbzbl3crQEYREx5YMKhxT5+xacBAmwHc7guA4mihd+ 1tpZe4Gb079VenqwZRP5X8SENXb/aD1jQ2XstaRjLftwhkgRaqycszL2FU/GJ6t7QI8 W49dXDkkw== Received: (from www@localhost) by webmail.leidinger.net (8.14.2/8.13.8/Submit) id m5Q66P49087724; Thu, 26 Jun 2008 08:06:25 +0200 (CEST) (envelope-from Alexander@Leidinger.net) Received: from pslux.cec.eu.int (pslux.cec.eu.int [158.169.9.14]) by webmail.leidinger.net (Horde Framework) with HTTP; Thu, 26 Jun 2008 08:06:25 +0200 Message-ID: 
<20080626080625.12031sjuk9s5fp5w@webmail.leidinger.net> X-Priority: 3 (Normal) Date: Thu, 26 Jun 2008 08:06:25 +0200 
From: Alexander Leidinger To: Robert Watson References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> <20080625165505.P87282@fledge.watson.org> <20080625184151.20404iq2r7t4iomc@webmail.leidinger.net> <20080625174425.W87282@fledge.watson.org> In-Reply-To: <20080625174425.W87282@fledge.watson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: quoted-printable User-Agent: Internet Messaging Program (IMP) H3 (4.2-RC2) / FreeBSD-8.0 X-BPAnet-MailScanner-Information: Please contact the ISP for more information X-BPAnet-MailScanner: Found to be clean X-BPAnet-MailScanner-SpamCheck: not spam, ORDB-RBL, SpamAssassin (not cached, score=-15.323, required 6, autolearn=not spam, BAYES_00 -15.00, DKIM_SIGNED 0.00, DKIM_VERIFIED -0.00, RDNS_DYNAMIC 0.10, SMILEY -0.50, TW_OC 0.08) X-BPAnet-MailScanner-From: alexander@leidinger.net X-Spam-Status: No Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2008 06:06:35 -0000 Quoting Robert Watson (from Wed, 25 Jun 2008 17:53:36 +0100 (BST)): > I don't know of any specific vulnerabilities that will open up, and > I don't have time to read the source code to find them now, but I do > promise you that if you allow arbitrary mounting of file systems in > jail, you will likely run into quite a few, simply because mounting > of file systems is a sensitive operation, modifies the file system I agree, but I put the focus on "arbitrary". What I specially did not include in the list was ufs, procfs, fdescfs and some more. UFS can cause a kernel panic if used with a bad FS image. 
For procfs we even recommend to not mount it in a normal system, and for others I don't know if they are robust enough. For nullfs all depends if it can break out of the jail or not. If it cannot, I don't see why we should not allow to mount it in a jail. Based upon what I've read in the source, it's even easy to test. As it gets path names the kernel resolves itself, the test would be to modify mount_nullfs to not do the realpath, and test by adding some "../" into the path (ok, this is a simplified description, there are several cases which have to be tested, but it is not rocket science). For other FS it depends what they are/do and how robust they are. Wasn't there a FS-fuzzing paper a while ago which tested several FreeBSD FS for robustness? Very interesting would be the robustness for cd9660, msdosfs and udf. Those are candidates which would be interesting to use in a jail. > So, per my comments, I would recommend extreme caution because the > implications are very tricky to reason about, requiring careful > auditing of source code to ensure that expected protections will > continue to be enforced. Caveat emptor. Beware the dog. Enter at > your own risk. There be dragons. Run away! I agree with everything except the "Run away!" :) This is CS, the outcome should be deterministic... :) Bye, Alexander. -- Man who sleep in beer keg wake up stickey. 
http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137 From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 12:32:00 2008 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BD6571065674 for ; Thu, 26 Jun 2008 12:32:00 +0000 (UTC) (envelope-from bsam@ipt.ru) Received: from services.ipt.ru (services.ipt.ru [194.62.233.110]) by mx1.freebsd.org (Postfix) with ESMTP id 6C4788FC22 for ; Thu, 26 Jun 2008 12:32:00 +0000 (UTC) (envelope-from bsam@ipt.ru) Received: from bb.ipt.ru ([194.62.233.89]) by services.ipt.ru with esmtp (Exim 4.54 (FreeBSD)) id 1KBqdq-000Hij-8t; Thu, 26 Jun 2008 16:31:58 +0400 To: Alexander Leidinger References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> 
From: Boris Samorodov Date: Thu, 26 Jun 2008 16:31:49 +0400 In-Reply-To: <20080625175252.18342qpk0oc2zc4k@webmail.leidinger.net> (Alexander Leidinger's message of "Wed\, 25 Jun 2008 17\:52\:52 +0200") Message-ID: <82521962@bb.ipt.ru> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2008 12:32:00 -0000 On Wed, 25 Jun 2008 17:52:52 +0200 Alexander Leidinger wrote: > Quoting Alexander Leidinger (from Wed, 25 > Jun 2008 17:34:01 +0200): > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and > > change it to > > VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > Oh: I haven't checked if this actually works. I don't know if all > places DTRT then. Normally it should work, but you better test if it > really puts the FS in the place where you want it, that you can > mount/umount it, that "mount -v" shows the expected output on the host > and in the jail, and so on. > Similar things can be done for > src/sys/fs/{cd9660|msdosfs|ntfs|nullfs|smbfs|udf|unionfs}. Those are > the FS's which _should_ be safe, either because they work with > untrusted data anyway, or because it's a loopback mount. But again, I > haven't tested any of them (I have them patched locally, but even the > initial testing is on my TODO list with a low priority). I see. If my task won't change I'll check what I can do. Thanks! 
WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 12:37:02 2008 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B2789106567F for ; Thu, 26 Jun 2008 12:37:02 +0000 (UTC) (envelope-from bsam@ipt.ru) Received: from services.ipt.ru (services.ipt.ru [194.62.233.110]) by mx1.freebsd.org (Postfix) with ESMTP id 5FA718FC16 for ; Thu, 26 Jun 2008 12:37:02 +0000 (UTC) (envelope-from bsam@ipt.ru) Received: from bb.ipt.ru ([194.62.233.89]) by services.ipt.ru with esmtp (Exim 4.54 (FreeBSD)) id 1KBqij-000HnO-4o; Thu, 26 Jun 2008 16:37:01 +0400 To: Robert Watson References: <62852722@bb.ipt.ru> <20080625173401.116369ceeiewif40@webmail.leidinger.net> <20080625164434.J87282@fledge.watson.org> 
From: Boris Samorodov Date: Thu, 26 Jun 2008 16:36:51 +0400 In-Reply-To: <20080625164434.J87282@fledge.watson.org> (Robert Watson's message of "Wed\, 25 Jun 2008 16\:50\:58 +0100 \(BST\)") Message-ID: <16441660@bb.ipt.ru> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Alexander Leidinger , freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2008 12:37:02 -0000 On Wed, 25 Jun 2008 16:50:58 +0100 (BST) Robert Watson wrote: > On Wed, 25 Jun 2008, Alexander Leidinger wrote: > >> ... nfs seems not to be jail friendly. Here is the question at > >> subject. Thanks! > > > > Correct. If you are not afraid to patch the system: zfs has the JAIL > > flag set, you just need to do the same with nfs. > > > > To do this edit src/sys/nfsclient/nfs_vfsopts.c, search VFS_SET and > > change it to VFS_SET(nfs_vfsops, nfs, VFCF_NETWORK|VFCF_JAIL); > > > > I suggest to not do this with tmpfs if you do shared hosting (you > > don't want that strangers eat up all your physical RAM). > The security implications of doing this are rather non-trivial, and > should be carefully taken carefully into account. This is not a > configuration I would recommend for most sites on the basis that they > might not be well-equipped to reason about the indirect security > consequences. > There are also some potentially tricky technical elements here -- for > example, some versions of FreeBSD are known to have TCP > implementations that are not entirely happy with NFS running in a > jail. 
Likewise, some of the associated services of NFS, such as > rpc.statd and rpc.lockd, will not work properly with virtualization > prior to 8.x (and possibly after) as they both have interesting > security requirements and rely on things like each IP address being > associated with at most one client. Thanks, Robert. Security issues surely should be taken into consideration here. I'll check if the task may be changed towards static mounts (i.e. outside the jail). WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve From owner-freebsd-jail@FreeBSD.ORG Thu Jun 26 12:42:15 2008 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A2E76106567C for ; Thu, 26 Jun 2008 12:42:15 +0000 (UTC) (envelope-from bsam@ipt.ru) Received: from services.ipt.ru (services.ipt.ru [194.62.233.110]) by mx1.freebsd.org (Postfix) with ESMTP id 51B798FC21 for ; Thu, 26 Jun 2008 12:42:15 +0000 (UTC) (envelope-from bsam@ipt.ru) Received: from bb.ipt.ru ([194.62.233.89]) by services.ipt.ru with esmtp (Exim 4.54 (FreeBSD)) id 1KBqnm-000Hs2-3I; Thu, 26 Jun 2008 16:42:14 +0400 To: Bill Moran References: <62852722@bb.ipt.ru> <20080625103721.bdc7daee.wmoran@collaborativefusion.com> <93253417@bb.ipt.ru> <20080625130401.e03329dc.wmoran@collaborativefusion.com> 
From: Boris Samorodov Date: Thu, 26 Jun 2008 16:42:04 +0400 In-Reply-To: <20080625130401.e03329dc.wmoran@collaborativefusion.com> (Bill Moran's message of "Wed\, 25 Jun 2008 13\:04\:01 -0400") Message-ID: <50361347@bb.ipt.ru> User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: freebsd-jail@FreeBSD.org Subject: Re: is nfs mount inside jail possible? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jun 2008 12:42:15 -0000 On Wed, 25 Jun 2008 13:04:01 -0400 Bill Moran wrote: > In response to Boris Samorodov : > > On Wed, 25 Jun 2008 10:37:21 -0400 Bill Moran wrote: > > > > > In response to Boris Samorodov : > > > > > > > > ... nfs seems not to be jail friendly. Here is the question at > > > > subject. Thanks! > > > > > You can NFS mount on the host, and it will be visible within the jail. > > > Don't know if that helps your situation or not. > > > > Yep, I know it. I'd prefer to use mounts within a jail. They should be > > dynamic: a process mounts it, uses and unmounts. Otherwise there will > > be too many mounts... > How many is too many? Why do you think that number is too many? Approx. a thousand. For _me_ it is too many. ;-) > You could run the automounter on the host. Hm, I didn't think about it. Thanks for the pointer! WBR -- Boris Samorodov (bsam) Research Engineer, http://www.ipt.ru Telephone & Internet SP FreeBSD committer, http://www.FreeBSD.org The Power To Serve
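Editor's added example, appended after the thread: this is not FreeBSD source and not code posted by anyone above. It is a lexical model, in C, of the "../" test that Alexander Leidinger proposes earlier in the thread for nullfs mounts inside a jail, set beside the "meltdown" case he contrasts it with. resolve(1, ...) behaves like a name lookup whose root directory is the jail root, which is what namei(9) gives a jailed process: ".." at the jail root stays at the jail root, so no run of "../" in a source string handed to mount_nullfs(8) without realpath(3) can name a host file. resolve(0, ...) is a hypothetical non-jail-aware lookup that joins the jail root and the user string and only clamps ".." at the host root; that is the behaviour that would let a jailed root reach the host's /etc. The jail root /jails/www and the test paths are constructed, the jailed process's cwd is assumed to be the jail root, and the model is lexical only: it says nothing about symlinks, about file systems that take their source through some path other than nmount(2)/namei, or about the robustness of cd9660, msdosfs or udf against a hostile image, which is the part of Robert Watson's warning this kind of test does not address.

```c
/* Added example (not FreeBSD code and not code posted in this thread): a
 * lexical model of the "../" test for nullfs mounts in a jail. Assumptions:
 * jail_root is absolute with no trailing slash, the jailed process's cwd is
 * the jail root, and no symlinks are involved. */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#ifndef PATH_MAX
#define PATH_MAX 1024
#endif
#define MAXCOMP 64

/* Lexically normalise path to "/a/b" form; ".." at "/" is a no-op, as for a
 * lookup whose root directory is "/". Returns 0, or -1 on overflow. */
static int normalize(const char *path, char *out, size_t outlen)
{
	char buf[PATH_MAX], *stack[MAXCOMP], *p, *comp;
	int depth = 0, i, n;
	size_t used = 0;

	if (outlen == 0 || strlen(path) >= sizeof(buf))
		return -1;
	strcpy(buf, path);
	for (p = buf; *p != '\0';) {
		while (*p == '/') p++;			/* collapse repeated slashes */
		if (*p == '\0') break;
		comp = p;
		while (*p != '\0' && *p != '/') p++;
		if (*p == '/') *p++ = '\0';		/* terminate this component */
		if (strcmp(comp, ".") == 0) continue;
		if (strcmp(comp, "..") == 0) {
			if (depth > 0) depth--;		/* cannot climb above "/" */
			continue;
		}
		if (depth == MAXCOMP) return -1;
		stack[depth++] = comp;
	}
	if (depth == 0) {
		if (outlen < 2) return -1;
		strcpy(out, "/");
		return 0;
	}
	for (i = 0, out[0] = '\0'; i < depth; i++) {
		n = snprintf(out + used, outlen - used, "/%s", stack[i]);
		if (n < 0 || (size_t)n >= outlen - used) return -1;
		used += (size_t)n;
	}
	return 0;
}

/* rooted != 0: lookup rooted at jail_root, so ".." clamps at the jail root
 * (what namei(9) gives a jailed process). rooted == 0: a hypothetical
 * non-jail-aware lookup that joins jail_root and path, clamping at host "/". */
int resolve(int rooted, const char *jail_root, const char *path, char *out, size_t outlen)
{
	char tmp[PATH_MAX];
	int n;

	if (rooted) {
		if (normalize(path, tmp, sizeof(tmp)) != 0) return -1;
		n = snprintf(out, outlen, "%s%s", jail_root, strcmp(tmp, "/") ? tmp : "");
		return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
	}
	n = snprintf(tmp, sizeof(tmp), "%s/%s", jail_root, path);
	if (n < 0 || (size_t)n >= sizeof(tmp)) return -1;
	return normalize(tmp, out, outlen);
}

/* 1 if p is root itself or lies below it. */
int under_root(const char *root, const char *p)
{
	size_t rl = strlen(root);
	return strncmp(p, root, rl) == 0 && (p[rl] == '\0' || p[rl] == '/');
}

/* 1 if the chosen lookup model leaves jail_root, 0 if contained, -1 on error. */
int lookup_escapes(int rooted, const char *jail_root, const char *path)
{
	char res[PATH_MAX];
	if (resolve(rooted, jail_root, path, res, sizeof(res)) != 0) return -1;
	return !under_root(jail_root, res);
}

/* 1 if the chosen lookup model resolves path to exactly expect. */
int resolves_to(int rooted, const char *jail_root, const char *path, const char *expect)
{
	char res[PATH_MAX];
	return resolve(rooted, jail_root, path, res, sizeof(res)) == 0 && strcmp(res, expect) == 0;
}

int main(void)
{
	/* Constructed inputs: strings a jailed root could hand to a mount_nullfs
	 * that skips realpath(3), including the "../" cases from the thread. */
	static const char *cases[] = { "/usr/ports", "../../etc/passwd",
	    "/../../../etc", "a/../../..//b", ".." };
	const char *jail = "/jails/www";
	char r[PATH_MAX], u[PATH_MAX];

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		if (resolve(1, jail, cases[i], r, sizeof(r)) || resolve(0, jail, cases[i], u, sizeof(u)))
			continue;
		printf("%-18s rooted: %s%s | unrooted: %s%s\n", cases[i],
		    r, under_root(jail, r) ? "" : " (ESCAPE)", u, under_root(jail, u) ? "" : " (ESCAPE)");
	}
	return 0;
}
```

Build with cc -std=c99 -Wall; each input prints the host path both models produce and flags the ones that leave /jails/www. The rooted model never escapes, which is the property the in-jail "../" test is meant to confirm; the unrooted model escapes on every ".." that climbs past the jail root, which is the "meltdown" a non-jail-aware nmount would produce.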