From owner-freebsd-stable@FreeBSD.ORG Sat May 4 13:41:49 2013 Return-Path: Delivered-To: stable@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id DEBA486D; Sat, 4 May 2013 13:41:49 +0000 (UTC) (envelope-from kiri@pis.elm.toba-cmt.ac.jp) Received: from pis.elm.toba-cmt.ac.jp (pis.elm.toba-cmt.ac.jp [202.26.248.196]) by mx1.freebsd.org (Postfix) with ESMTP id 9F26B1BC0; Sat, 4 May 2013 13:41:48 +0000 (UTC) Received: from kiri.pis.pis.elm.toba-cmt.ac.jp (kiri.pis [192.168.1.1] (may be forged)) by pis.elm.toba-cmt.ac.jp (8.14.5/8.14.5) with ESMTP id r44DfknO029532; Sat, 4 May 2013 22:41:46 +0900 (JST) (envelope-from kiri@pis.elm.toba-cmt.ac.jp) Message-Id: <201305041341.r44DfknO029532@pis.elm.toba-cmt.ac.jp> Date: Sat, 04 May 2013 22:41:46 +0900 From: KIRIYAMA Kazuhiko To: Mikolaj Golub Subject: Re: Vimage Jail kernel crashed In-Reply-To: <20130504120710.GB70992@gmail.com> References: <201305040552.r445qNB3023430@pis.elm.toba-cmt.ac.jp> <20130504120710.GB70992@gmail.com> User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?ISO-8859-4?Q?Goj=F2?=) APEL/10.6 MULE XEmacs/21.4 (patch 22) (Instant Classic) (amd64--freebsd) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Cc: stable@FreeBSD.org, KIRIYAMA Kazuhiko X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 May 2013 13:41:49 -0000 Hi, At Sat, 4 May 2013 15:07:11 +0300, Mikolaj Golub wrote: > > On Sat, May 04, 2013 at 02:52:23PM +0900, KIRIYAMA Kazuhiko wrote: > > > May 4 11:19:46 xxxxxx kernel: Fatal trap 12: page fault while in kernel mode > > May 4 11:19:46 xxxxxx kernel: cpuid = 2; apic id = 02 > > May 4 11:19:46 xxxxxx kernel: fault virtual address = 0x7818c3798 > > May 4 11:19:46 xxxxxx kernel: fault code = supervisor write data, page not present > > May 4 11:19:46 xxxxxx kernel: instruction pointer = 0x20:0xffffffff8162c19e > > May 4 11:19:46 xxxxxx kernel: stack pointer = 0x28:0xffffff8121b22860 > > May 4 11:19:46 xxxxxx kernel: frame pointer = 0x28:0xffffff8121b22870 > > May 4 11:19:46 xxxxxx kernel: code segment = base 0x0, limit 0xfffff, type 0x1b > > May 4 11:19:46 xxxxxx kernel: = DPL 0, pres 1, long 1, def32 0, gran 1 > > May 4 11:19:46 xxxxxx kernel: processor eflags = interrupt enabled, resume, IOPL = 0 > > May 4 11:19:46 xxxxxx kernel: current process = 15360 (ifconfig) > > May 4 11:19:46 xxxxxx kernel: trap number = 12 > > May 4 11:19:46 xxxxxx kernel: panic: page fault > > May 4 11:19:46 xxxxxx kernel: cpuid = 2 > > May 4 11:19:46 xxxxxx kernel: KDB: stack backtrace: > > May 4 11:19:46 xxxxxx kernel: #0 0xffffffff80923446 at kdb_backtrace+0x66 > > May 4 11:19:46 xxxxxx kernel: #1 0xffffffff808ed0be at panic+0x1ce > > May 4 11:19:46 xxxxxx kernel: #2 0xffffffff80c7e330 at trap_fatal+0x290 > > May 4 11:19:46 xxxxxx kernel: #3 0xffffffff80c7e668 at trap_pfault+0x1e8 > > May 4 11:19:46 xxxxxx kernel: #4 0xffffffff80c7ec6e at trap+0x3be > > May 4 11:19:46 xxxxxx kernel: #5 0xffffffff80c682ef at calltrap+0x8 > > May 4 11:19:46 xxxxxx kernel: #6 0xffffffff8162c76d at pfi_change_group_event+0x4d > > May 4 11:19:46 xxxxxx kernel: #7 0xffffffff809a0d3b at if_delgroup+0x38b > > May 4 11:19:46 xxxxxx kernel: #8 0xffffffff809a7846 at if_clone_destroyif+0x136 > > May 4 11:19:46 xxxxxx kernel: #9 0xffffffff809a831a at if_clone_destroy+0x17a > > May 4 11:19:46 xxxxxx kernel: #10 0xffffffff809a5892 at ifioctl+0x482 > > May 4 11:19:46 xxxxxx kernel: #11 0xffffffff80934ef6 at kern_ioctl+0x106 > > May 4 11:19:46 xxxxxx kernel: #12 0xffffffff8093513d at sys_ioctl+0xfd > > May 4 11:19:46 xxxxxx kernel: #13 0xffffffff80c7dc10 at amd64_syscall+0x540 > > May 4 11:19:46 xxxxxx kernel: #14 0xffffffff80c685d7 at Xfast_syscall+0xf7 > > It looks like it crashed when referring vnet that had already been > destroyed, in pfi_change_group_event hook. > > > Is there any suggestions? > > VIMAGE+pf support is fragile. If it works for someone it is rather by > accident. I expect replacing pf with ipfw_nat or natd will give better > results. I've been used natd before using VIMAGE Jail private network. And I tried to use with ipfw+natd like this: /etc/rc.conf: defaultrouter="X.X.X.X" hostname="hoge.org" ifconfig_em0="inet X.X.X.X netmask 255.255.255.240" cloned_interfaces="bridge0" ifconfig_bridge0="inet 192.168.1.254 netmask 255.255.255.0 up" jail_v2_enable="YES" ezjail_enable="YES" gateway_enable="YES" firewall_enable="YES" firewall_type="OPEN" natd_enable="YES" natd_interface="em0" natd_flags="-config /etc/natd.cf" keymap="jp.106" sshd_enable="YES" ntpd_enable="YES" sendmail_enable="NONE" dumpdev="NO" /etc/natd.cf: log no deny_incoming yes use_sockets no same_ports yes verbose no port 8668 interface em0 unregistered_only yes redirect_port tcp 192.168.1.1:domain domain redirect_port udp 192.168.1.1:domain domain redirect_port tcp 192.168.1.3:cvspserver cvspserver redirect_port udp 192.168.1.4:cvspserver cvspserver redirect_port tcp 192.168.1.4:smtp smtp redirect_port tcp 192.168.1.4:pop3 pop3 redirect_port tcp 192.168.1.5:http http redirect_port tcp 192.168.1.254:ABCDE ABCDE redirect_port tcp 192.168.1.1:ssh ABBCA redirect_port tcp 192.168.1.2:ssh ABBCB redirect_port tcp 192.168.1.3:ssh ABBCC redirect_port tcp 192.168.1.4:ssh ABBCD redirect_port tcp 192.168.1.5:ssh ABBCE /boot/loader.conf: ipdivert_load="YES" ipfw_load="YES" But all packet redirection were neglected except 192.168.1.254 namely firewall itself ;) > If you still prefer pf, you may try destroying epair interface before > destroying vnet, e.g. using prestop rc.d/jail hooks instead of > poststop, if it is possible. In particular, execute following sequence? # ifconfig epairXa destroy # ifconfig bridge0 deletem epairXa > -- > Mikolaj Golub >