From owner-freebsd-jail@FreeBSD.ORG Sat Aug 31 19:24:23 2013
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Jamie Gritton
Cc: FreeBSD-Jail <freebsd-jail@freebsd.org>
Subject: Re: jail.conf & cpuset.id
Date: Sat, 31 Aug 2013 21:14:16 +0200
Message-ID: <52224088.6040508@quip.cz>
In-Reply-To: <514B09B2.70607@FreeBSD.org>
References: <076B486D-A526-4945-BA38-DD7167365749@inbox.im> <514B09B2.70607@FreeBSD.org>
List-Id: "Discussion about FreeBSD jail(8)"

Jamie Gritton wrote:
> On 03/17/13 05:59, Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi, all, I am starting to use jail.conf for running my jails; in
>> rc.local I have this line, "jail -c", to start my jails at boot time
>> (any better ideas?).
>>
>> Now, checking the man pages for jail, I found an option that caught my
>> attention, 'cpuset.id'. Any idea of how to use it?
>>
>> I would like to find a way to prevent a root user within a jail from
>> running a 'fork-bomb' and freezing the host server.
>
> Take a look at cpuset(1). You use that utility (in the host environment)
> to change the CPUs available to a jail. Don't worry about the cpuset.id
> parameter itself - you don't need it. Just use cpuset's "-j" flag to
> specify the jail itself (by jid only). When you're starting jails in rc,
> add the appropriate cpuset commands as an exec_poststart option. Such as:
>
> jail_backtest_poststart0="cpuset -c -l1,3-7 -j`cat /var/run/jail_backtest.id`"

Hi Jamie,

I tried your suggestion with exec_poststart for setting the cpuset. It
doesn't work. I don't know if it worked for you with any older version of
FreeBSD. I tried it on FreeBSD 9.1-RELEASE.

I have this in rc.conf:

jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `cat /var/run/jail_fox.id`"

With rc_debug="YES", I get this error:

# service jail start fox
cat: /var/run/jail_fox.id: No such file or directory
cat: /var/run/jail_fox.id: No such file or directory
[snip]
/etc/rc.d/jail: DEBUG: fox exec post-start #1: cpuset -c -l 5-6 -j
[snip]
 fox.example.comcpuset: option requires an argument -- j
usage: cpuset [-l cpu-list] [-s setid] cmd ...
       cpuset [-l cpu-list] [-s setid] -p pid
       cpuset [-c] [-l cpu-list] -C -p pid
       cpuset [-cr] [-l cpu-list] [-j jailid | -p pid | -t tid | -s setid | -x irq]
       cpuset [-cgir] [-j jailid | -p pid | -t tid | -s setid | -x irq]

I think the problem is that the command is evaluated before the jail is
started. Or am I doing something wrong?

I also tried the following with no luck:

jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `jls -j fox jid`"

Miroslav Lachman
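Added example, not part of this thread or of FreeBSD's rc.d scripts: a POSIX sh script that reproduces the failure in the message above and shows the deferred form. Backticks inside a double-quoted assignment in rc.conf are expanded when rc.conf is sourced, and rc.d/jail loads rc.conf before it creates the jail, so the value stored is already `cpuset -c -l 5-6 -j ` with an empty jid, which is exactly the DEBUG line shown above (the two `cat` errors printed before it are that expansion failing). A wrapper that calls jls(8) only when it runs avoids this regardless of how rc.d/jail evaluates exec_poststart strings, which the thread does not settle. The `jls` and `cpuset` functions here are constructed stand-ins so the script runs on any host; on a FreeBSD host delete them and install `jail_cpuset` as a script (for instance `/usr/local/sbin/jail-cpuset`, a hypothetical path) invoked from exec_poststart. The jail name `fox`, jid 3 and the CPU list are assumptions.

```shell
#!/bin/sh
# Added example: why a backtick substitution in rc.conf loses the jail id,
# and a wrapper that resolves the jid at post-start time instead.

# Constructed stand-ins for FreeBSD's jls(8) and cpuset(1) so this runs anywhere.
# Remove both on a real host. JAIL_RUNNING=yes simulates "fox" being up with jid 3.
jls() {
    if [ "$1" = "-j" ] && [ "$2" = "fox" ] && [ "$3" = "jid" ] && [ "${JAIL_RUNNING:-no}" = "yes" ]; then
        echo 3
    else
        echo "jls: jail \"$2\" not found" >&2
        return 1
    fi
}
cpuset() {
    # Record the command line instead of changing CPU affinity.
    echo "cpuset $*"
}

# 1. The rc.conf form from the thread. The substitution runs right here, at
#    assignment time (when rc.conf is sourced), while no jail exists yet, so the
#    stored string ends in "-j " with nothing after it. The trailing "|| :" only
#    keeps "set -e" from aborting on jls's non-zero exit; it does not change the value.
build_rc_conf_value() {
    JAIL_RUNNING=no
    jail_fox_exec_poststart0="cpuset -c -l 5-6 -j `jls -j fox jid 2>/dev/null`" || :
    printf '%s' "$jail_fox_exec_poststart0"
}

# 2. Deferred lookup: run as "jail_cpuset <jailname> <cpu-list>" from exec_poststart.
#    jls is called when the wrapper executes, i.e. after the jail is up, and the
#    wrapper fails loudly instead of invoking cpuset with an empty -j argument.
jail_cpuset() {
    name=$1
    cpus=$2
    jid=$(jls -j "$name" jid) || return 1
    # -c creates a new set for the jail, -l sets the CPU list, -j targets it by jid.
    cpuset -c -l "$cpus" -j "$jid"
}
```

Two caveats a practitioner would want: the wrapper addresses only the evaluation-time problem, so it still depends on rc.d/jail running exec_poststart after the jail is created, which the DEBUG output above suggests it does. And cpuset(1) only restricts which CPUs the jail's threads may run on; it does not cap the number of processes, so a fork bomb inside the jail still saturates those CPUs and can fill the process table. Capping process count is a job for rctl(8) (a `jail:fox:maxproc:deny=N` rule, on a 9.x kernel built with `options RACCT` and `options RCTL`), which this thread does not cover.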