From owner-freebsd-jail@FreeBSD.ORG Mon Jul 27 11:06:57 2009 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5BF4B1065678 for ; Mon, 27 Jul 2009 11:06:57 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 48E778FC2E for ; Mon, 27 Jul 2009 11:06:57 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6RB6udY018995 for ; Mon, 27 Jul 2009 11:06:56 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6RB6umC018991 for freebsd-jail@FreeBSD.org; Mon, 27 Jul 2009 11:06:56 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 27 Jul 2009 11:06:56 GMT Message-Id: <200907271106.n6RB6umC018991@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-jail@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jul 2009 11:06:57 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/136899 jail [jail] [lor] upd/jail LOR after reboot o kern/133265 jail [jail] is there a solution how to run nfs client in ja o kern/119842 jail [smbfs] [jail] "Bad address" with smbfs inside a jail o bin/99566 jail [jail] [patch] fstat(1) according to specified jid o bin/32828 jail [jail] w(1) incorrectly handles stale utmp slots with 5 problems total. From owner-freebsd-jail@FreeBSD.ORG Mon Jul 27 14:53:25 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8BDAD1065670; Mon, 27 Jul 2009 14:53:25 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.cksoft.de (mail.cksoft.de [195.88.108.3]) by mx1.freebsd.org (Postfix) with ESMTP id CCFA68FC1B; Mon, 27 Jul 2009 14:53:24 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from localhost (amavis.fra.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 9155241C67E; Mon, 27 Jul 2009 16:36:20 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([195.88.108.3]) by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id 7TP9tbWxuD1K; Mon, 27 Jul 2009 16:36:20 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id 3A43941C67B; Mon, 27 Jul 2009 16:36:20 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id D502B4448E6; Mon, 27 Jul 2009 14:35:48 +0000 (UTC) Date: Mon, 27 Jul 2009 14:35:48 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Mykola Dzham In-Reply-To: <20090725163207.GP39538@expo.ukrweb.net> Message-ID: <20090727141808.R245@maildrop.int.zabbadoz.net> References: <20090725163207.GP39538@expo.ukrweb.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-jail@freebsd.org, freebsd-current@freebsd.org, Jamie Gritton Subject: Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jul 2009 14:53:26 -0000 On Sat, 25 Jul 2009, Mykola Dzham wrote: Hi, > After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not > allowed, but udp socket is allowed. I cannot really follow what you are trying to say as wrt IPv4 and IPv6 sockets and what about UDP. Your sample further down is trying to use an IPv4 address on an IPv6 Datagram socket which is an error either way. Prior to FreeBSD 7.2 IPv6 hadn't been supported at all for jails. With 7.2 it was possible to create IPv6 sockets (but only shortly and then fail on bind/connect/...). With the commit you reference the "Protocol not supported" came back in case there was no address of that address family for a given jail. With 8 the primary syntax for jails has changed and the "backward compat mode" again allows you to create a socket on a jail even if no address of the same family was configured for the jail. This should be addressed by the following patch: http://people.freebsd.org/~bz/20090727-01-jail8-legacy.diff Can you give it a try and report if that fixes your problem? Regards, Bjoern -- Bjoern A. Zeeb The greatest risk is not taking one. From owner-freebsd-jail@FreeBSD.ORG Tue Jul 28 14:36:23 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 453FE1065690 for ; Tue, 28 Jul 2009 14:36:23 +0000 (UTC) (envelope-from artis.caune@gmail.com) Received: from mail-bw0-f219.google.com (mail-bw0-f219.google.com [209.85.218.219]) by mx1.freebsd.org (Postfix) with ESMTP id C777A8FC18 for ; Tue, 28 Jul 2009 14:36:22 +0000 (UTC) (envelope-from artis.caune@gmail.com) Received: by bwz19 with SMTP id 19so67853bwz.43 for ; Tue, 28 Jul 2009 07:36:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=4RhRIt38LIkezUNjeI3ygO2NMdNb3ZIN563uCat/h98=; b=gqfSDBS7MqqkL0GezuB+qRX4L93HPefkTQnTH2uimy44Jtt2E8RLCf8di3/OAyRAgA NS9yvAiZjfDwzIYJXEyYH9rCRtJapWDGRHaI2FZ60w3rKBh+ua49BfgV6W0yYcZ5HM84 /MA8i7NqinWbnILtTri/ELoXT7T9SuCOhEaDk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=VhAwYEzEhmTLxKWqdbQj6xPX05AU1y1P2EYszOGwSAO+0MqDhd/j2XnRybVYjt5MWG 7aw2iJo2G1xt7GlLAEqjzNeqwbCSW29LgCQcBOoTUQUuawvcpKgpYqGNTSaNRCWXqDyC RfCIu89SIzFQxvGfhTJ7RXZpelTT3K1ITdis4= MIME-Version: 1.0 Received: by 10.103.242.1 with SMTP id u1mr3959550mur.113.1248790572123; Tue, 28 Jul 2009 07:16:12 -0700 (PDT) Date: Tue, 28 Jul 2009 17:16:12 +0300 Message-ID: <9e20d71e0907280716m3968f42pe7aeed2b0286302c@mail.gmail.com> From: Artis Caune To: freebsd-jail@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Jails on ZFS X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2009 14:36:23 -0000 Hi, I'm playing with jails on ZFS and everything is fine, except annoying warnings (hopefully just warnings) when doing: # /etc/rc.d/jail stop zfs_umount:971[0]: Force unmount is experimental - report any problems. ... zfs_umount:971[0]: Force unmount is experimental - report any problems. I found that in rc.d/jail secure_umount() it always do "umount -f " Maybe it's better first try to unmount without -f and then use force? --- /etc/rc.d/jail 2009-07-22 23:29:29.000000000 +0300 +++ /etc/rc.d/jail 2009-07-28 14:00:19.998368729 +0300 @@ -270,7 +270,7 @@ _dir=$1 if is_current_mountpoint ${_dir}; then - umount -f ${_dir} >/dev/null 2>&1 + umount ${_dir} >/dev/null 2>&1 || { sleep 2; umount ${_dir} >/dev/null 2>&1 || umount -f ${_dir} >/dev/null 2>&1; } else debug "Nothing mounted on ${_dir} - not unmounting" fi -- Artis Caune Everything should be made as simple as possible, but not simpler. From owner-freebsd-jail@FreeBSD.ORG Tue Jul 28 15:19:52 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B0050106564A for ; Tue, 28 Jul 2009 15:19:52 +0000 (UTC) (envelope-from askjuise@gmail.com) Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.25]) by mx1.freebsd.org (Postfix) with ESMTP id 68E358FC08 for ; Tue, 28 Jul 2009 15:19:52 +0000 (UTC) (envelope-from askjuise@gmail.com) Received: by qw-out-2122.google.com with SMTP id 3so53413qwe.7 for ; Tue, 28 Jul 2009 08:19:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:content-type; bh=7L/JHAtHZ4CfGLVX1190tO6kUQEyCM3Lsqo9YH5AniQ=; b=g6+ECNdwWdyPiqBnbCeLN3rGxGgNRdPkQ9eWLulHRPWxIWXixoucN+SzUcWXeVs3+c cphMhSOGaZ0OOy08A2QkyshdCs0XOScO1NysPKD+Z4Xi8aGHZ/ktgTFvK7fy24/yYzpt DsMNI8CqWVamkBE8XIQxeCC3Wqzu4wzSmclkc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=xswJi6CrDdC15X5bt1aDt39j2Ny0zNb3Sh3bmd3TZfpnXYWGiVYAAFMMYyInxNb6Gz nQdP20Bolwn4ocA+wfe9Izo5KDP13VTipukTqjwX/rPprGRBfHTVg0o5/dahtq8grxVo RTJ8D3ta1pSslb60GVszC4U73KlFT4s6MDfO0= MIME-Version: 1.0 Received: by 10.150.182.1 with SMTP id e1mr13718762ybf.306.1248792538331; Tue, 28 Jul 2009 07:48:58 -0700 (PDT) In-Reply-To: <9e20d71e0907280716m3968f42pe7aeed2b0286302c@mail.gmail.com> References: <9e20d71e0907280716m3968f42pe7aeed2b0286302c@mail.gmail.com> Date: Tue, 28 Jul 2009 23:48:58 +0900 Message-ID: <2ec071a80907280748p336f6356p78d2debcfd8cd18b@mail.gmail.com> From: Alexander Petrovsky To: freebsd-jail@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Jails on ZFS X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2009 15:19:52 -0000 > > Hi, > > I'm playing with jails on ZFS and everything is fine, except annoying > warnings (hopefully just warnings) when doing: > # /etc/rc.d/jail stop > > zfs_umount:971[0]: Force unmount is experimental - report any problems. > ... > zfs_umount:971[0]: Force unmount is experimental - report any problems. > > > I found that in rc.d/jail secure_umount() it always do "umount -f " > > Maybe it's better first try to unmount without -f and then use force? > > > --- /etc/rc.d/jail 2009-07-22 23:29:29.000000000 +0300 > +++ /etc/rc.d/jail 2009-07-28 14:00:19.998368729 +0300 > @@ -270,7 +270,7 @@ > _dir=3D$1 > > if is_current_mountpoint ${_dir}; then > - umount -f ${_dir} >/dev/null 2>&1 > + umount ${_dir} >/dev/null 2>&1 || { sleep 2; umount ${_di= r} > >/dev/null 2>&1 || umount -f ${_dir} >/dev/null 2>&1; } > else > debug "Nothing mounted on ${_dir} - not unmounting" > fi > Hi, it is may be good idea. But, I can't understand your code, why you do - umount ${_dir} >/dev/null 2>&1 || { sleep 2; umount ${_dir} >/dev/null 2>&= 1 || umount -f ${_dir} >/dev/null 2>&1; } instead umount ${_dir} >/dev/null 2>&1 || umount -f ${_dir} >/dev/null 2>&1 ? --=20 =D0=A1 =D1=83=D0=B2=D0=B0=D0=B6=D0=B5=D0=BD=D0=B8=D0=B5=D0=BC =D0=9F=D0=B5= =D1=82=D1=80=D0=BE=D0=B2=D1=81=D0=BA=D0=B8=D0=B9 =D0=90=D0=BB=D0=B5=D0=BA= =D1=81=D0=B0=D0=BD=D0=B4=D1=80, With the best regards Alexander Petrovsky, ICQ: 350342118 Jabber: juise@jabber.ru Phone: +7 914 8 820 815 From owner-freebsd-jail@FreeBSD.ORG Tue Jul 28 18:34:49 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 031871065673 for ; Tue, 28 Jul 2009 18:34:49 +0000 (UTC) (envelope-from artis.caune@gmail.com) Received: from mail-bw0-f216.google.com (mail-bw0-f216.google.com [209.85.218.216]) by mx1.freebsd.org (Postfix) with ESMTP id 7D95D8FC18 for ; Tue, 28 Jul 2009 18:34:48 +0000 (UTC) (envelope-from artis.caune@gmail.com) Received: by bwz12 with SMTP id 12so142777bwz.43 for ; Tue, 28 Jul 2009 11:34:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Bgss2Tglphpguq9HrvtycNgI6pZIGzXIu+mQujp6LcI=; b=qpTrVIeVzn/EeGmEd97V/RNeGPKrO8QJRvtM6AMv4+C0ybyK9bZfPlSeQWXggIblnW zmhXc3+Fz6vGxNPOzYeY+FbkdbBQ31GGMIv2acI7UmCBIvolUe/WQhkRRk64np8jRls8 8qM816UioE8/NUwE7dfP+koKRRu38/5RljH9g= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=XIvrWoAY2IAX7E3cjWWdylNXM31KOY6L7r7XhLb1p9tEicrSqZ0CxlHbrRHsDPEDSd KHGnfNlXQYq2UROjemAceJnJeLfp8izUHqF8l7oOSkYTdZSqd+7o0sWjkG7Bgvb7GM28 MZcezClzdXwi9Ghpry/IS29wjxuNxTUMVJy+U= MIME-Version: 1.0 Received: by 10.103.95.1 with SMTP id x1mr3869495mul.92.1248806087405; Tue, 28 Jul 2009 11:34:47 -0700 (PDT) In-Reply-To: <2ec071a80907280748p336f6356p78d2debcfd8cd18b@mail.gmail.com> References: <9e20d71e0907280716m3968f42pe7aeed2b0286302c@mail.gmail.com> <2ec071a80907280748p336f6356p78d2debcfd8cd18b@mail.gmail.com> Date: Tue, 28 Jul 2009 21:34:47 +0300 Message-ID: <9e20d71e0907281134j41f767ddrf3dc2e3154d724a4@mail.gmail.com> From: Artis Caune To: Alexander Petrovsky Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-jail@freebsd.org Subject: Re: Jails on ZFS X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jul 2009 18:34:50 -0000 2009/7/28 Alexander Petrovsky : > Hi, it is may be good idea. But, I can't understand your code, why you do= - > =C2=A0umount ${_dir} >/dev/null 2>&1 || { sleep 2; umount ${_dir} >/dev/n= ull 2>&1 > || umount -f ${_dir} >/dev/null 2>&1; } > > instead > =C2=A0umount ${_dir} >/dev/null 2>&1 || umount -f ${_dir} >/dev/null 2>&1 > > ? Because when jail is shuting down, file system is still busy. I think this is because of syslogd, which has no rc.d shutdown keyword, and so it's been killed. Immediately after killing all jail processes, file systems are unmounted. It helps sleeping 1, 2 seconds and then trying to unmount it, and if fs is still busy, force unmount it. Maybe this is better: --- /etc/rc.d/jail 2009-07-22 23:29:29.000000000 +0300 +++ /etc/rc.d/jail 2009-07-28 21:23:30.436217867 +0300 @@ -270,7 +270,7 @@ _dir=3D$1 if is_current_mountpoint ${_dir}; then - umount -f ${_dir} >/dev/null 2>&1 + umount ${_dir} >/dev/null 2>&1 || umount -f ${_dir} >/dev/null 2>&1 else debug "Nothing mounted on ${_dir} - not unmounting" fi @@ -700,6 +700,7 @@ killall -j ${_jail_id} -TERM > /dev/null 2>&1 sleep 1 killall -j ${_jail_id} -KILL > /dev/null 2>&1 + sleep 2 jail_umount_fs echo -n " $_hostname" --=20 Artis Caune Everything should be made as simple as possible, but not simpler. From owner-freebsd-jail@FreeBSD.ORG Wed Jul 29 11:56:31 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0F7AC106564A for ; Wed, 29 Jul 2009 11:56:31 +0000 (UTC) (envelope-from freebsd@levsha.org.ua) Received: from expo.ukrweb.net (mail.univua.net [91.202.128.78]) by mx1.freebsd.org (Postfix) with ESMTP id BED268FC08 for ; Wed, 29 Jul 2009 11:56:30 +0000 (UTC) (envelope-from freebsd@levsha.org.ua) Received: from levsha by expo.ukrweb.net with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MW7SY-000Duk-W4; Wed, 29 Jul 2009 14:36:38 +0300 Date: Wed, 29 Jul 2009 14:36:38 +0300 From: Mykola Dzham To: "Bjoern A. Zeeb" Message-ID: <20090729113638.GC20855@expo.ukrweb.net> References: <20090725163207.GP39538@expo.ukrweb.net> <20090727141808.R245@maildrop.int.zabbadoz.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090727141808.R245@maildrop.int.zabbadoz.net> X-Operating-System: FreeBSD/7.0-STABLE (i386) User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-jail@freebsd.org, freebsd-current@freebsd.org, Jamie Gritton Subject: Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2009 11:56:31 -0000 Bjoern A. Zeeb wrote: > On Sat, 25 Jul 2009, Mykola Dzham wrote: > > Hi, > > > After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not > > allowed, but udp socket is allowed. > > I cannot really follow what you are trying to say as wrt IPv4 and IPv6 > sockets and what about UDP. > > Your sample further down is trying to use an IPv4 address on an IPv6 > Datagram socket which is an error either way. Some java programms attempt to use ipv6 sockets, then use ipv4 if socket(AF_INET6,...) fail. My sample imitate this > Prior to FreeBSD 7.2 IPv6 hadn't been supported at all for jails. > > With 7.2 it was possible to create IPv6 sockets (but only shortly and > then fail on bind/connect/...). With the commit you reference the > "Protocol not supported" came back in case there was no address of > that address family for a given jail. > > With 8 the primary syntax for jails has changed and the "backward > compat mode" again allows you to create a socket on a jail even if > no address of the same family was configured for the jail. > > This should be addressed by the following patch: > http://people.freebsd.org/~bz/20090727-01-jail8-legacy.diff > > Can you give it a try and report if that fixes your problem? Patch aplied cleanly on r195820 , but jail can not start after patching: # jail -l -U root -i /usr/home/d/guests/tap2 tap2.my.domain.com 10.112.0.151 /bin/sh /etc/rc jail: ip6: unknown boolean value "disable" -- LEFT-(UANIC|RIPE) JID: levsha@jabber.net.ua PGP fingerprint: 2A0B 7423 51AF B19B 74D5 31CA 2BFF 42F1 8094 7652 From owner-freebsd-jail@FreeBSD.ORG Wed Jul 29 12:20:09 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1F901106566C; Wed, 29 Jul 2009 12:20:09 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mail.cksoft.de (mail.cksoft.de [195.88.108.3]) by mx1.freebsd.org (Postfix) with ESMTP id 900B68FC14; Wed, 29 Jul 2009 12:20:08 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from localhost (amavis.fra.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 43E2F41C70A; Wed, 29 Jul 2009 14:20:07 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([195.88.108.3]) by localhost (amavis.fra.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id DVMjxMaSXb0e; Wed, 29 Jul 2009 14:20:06 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id 4333141C705; Wed, 29 Jul 2009 14:20:06 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 3F1164448E6; Wed, 29 Jul 2009 12:19:35 +0000 (UTC) Date: Wed, 29 Jul 2009 12:19:35 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Mykola Dzham In-Reply-To: <20090729113638.GC20855@expo.ukrweb.net> Message-ID: <20090729121834.B245@maildrop.int.zabbadoz.net> References: <20090725163207.GP39538@expo.ukrweb.net> <20090727141808.R245@maildrop.int.zabbadoz.net> <20090729113638.GC20855@expo.ukrweb.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-jail@freebsd.org, freebsd-current@freebsd.org, Jamie Gritton Subject: Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2009 12:20:09 -0000 On Wed, 29 Jul 2009, Mykola Dzham wrote: Hi, > Bjoern A. Zeeb wrote: >> On Sat, 25 Jul 2009, Mykola Dzham wrote: >> >> Hi, >> >>> After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not >>> allowed, but udp socket is allowed. >> >> I cannot really follow what you are trying to say as wrt IPv4 and IPv6 >> sockets and what about UDP. >> >> Your sample further down is trying to use an IPv4 address on an IPv6 >> Datagram socket which is an error either way. > > Some java programms attempt to use ipv6 sockets, then use ipv4 if > socket(AF_INET6,...) fail. My sample imitate this > >> Prior to FreeBSD 7.2 IPv6 hadn't been supported at all for jails. >> >> With 7.2 it was possible to create IPv6 sockets (but only shortly and >> then fail on bind/connect/...). With the commit you reference the >> "Protocol not supported" came back in case there was no address of >> that address family for a given jail. >> >> With 8 the primary syntax for jails has changed and the "backward >> compat mode" again allows you to create a socket on a jail even if >> no address of the same family was configured for the jail. >> >> This should be addressed by the following patch: >> http://people.freebsd.org/~bz/20090727-01-jail8-legacy.diff >> >> Can you give it a try and report if that fixes your problem? > > Patch aplied cleanly on r195820 , but jail can not start after patching: > > # jail -l -U root -i /usr/home/d/guests/tap2 tap2.my.domain.com 10.112.0.151 /bin/sh /etc/rc > jail: ip6: unknown boolean value "disable" r195820 is too old; but Jamie has a better solution; I would suggest to backout the jail(8) patch and wait for the next two commits of Jamie to HEAD and then update the machine again. /bz -- Bjoern A. Zeeb The greatest risk is not taking one. From owner-freebsd-jail@FreeBSD.ORG Wed Jul 29 17:48:06 2009 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B663F106566B; Wed, 29 Jul 2009 17:48:06 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from gritton.org (gritton.org [161.58.222.4]) by mx1.freebsd.org (Postfix) with ESMTP id 866778FC19; Wed, 29 Jul 2009 17:48:05 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from guppy.corp.verio.net (fw.oremut02.us.wh.verio.net [198.65.168.24]) (authenticated bits=0) by gritton.org (8.13.6.20060614/8.13.6) with ESMTP id n6TH9wCB006297; Wed, 29 Jul 2009 11:09:58 -0600 (MDT) Message-ID: <4A708261.7000509@FreeBSD.org> Date: Wed, 29 Jul 2009 11:09:53 -0600 From: Jamie Gritton User-Agent: Thunderbird 2.0.0.19 (X11/20090109) MIME-Version: 1.0 To: Mykola Dzham References: <20090725163207.GP39538@expo.ukrweb.net> <20090727141808.R245@maildrop.int.zabbadoz.net> <20090729113638.GC20855@expo.ukrweb.net> <20090729121834.B245@maildrop.int.zabbadoz.net> In-Reply-To: <20090729121834.B245@maildrop.int.zabbadoz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-current@FreeBSD.org, "Bjoern A. Zeeb" , freebsd-jail@FreeBSD.org Subject: Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jul 2009 17:48:07 -0000 Bjoern A. Zeeb wrote: > On Wed, 29 Jul 2009, Mykola Dzham wrote: >> Bjoern A. Zeeb wrote: >>> On Sat, 25 Jul 2009, Mykola Dzham wrote: >>>> After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not >>>> allowed, but udp socket is allowed. >>> >>> I cannot really follow what you are trying to say as wrt IPv4 and IPv6 >>> sockets and what about UDP. >>> >>> Your sample further down is trying to use an IPv4 address on an IPv6 >>> Datagram socket which is an error either way. >> >> Some java programms attempt to use ipv6 sockets, then use ipv4 if >> socket(AF_INET6,...) fail. My sample imitate this >> >>> Prior to FreeBSD 7.2 IPv6 hadn't been supported at all for jails. >>> >>> With 7.2 it was possible to create IPv6 sockets (but only shortly and >>> then fail on bind/connect/...). With the commit you reference the >>> "Protocol not supported" came back in case there was no address of >>> that address family for a given jail. >>> >>> With 8 the primary syntax for jails has changed and the "backward >>> compat mode" again allows you to create a socket on a jail even if >>> no address of the same family was configured for the jail. >>> >>> This should be addressed by the following patch: >>> http://people.freebsd.org/~bz/20090727-01-jail8-legacy.diff >>> >>> Can you give it a try and report if that fixes your problem? >> >> Patch aplied cleanly on r195820 , but jail can not start after patching: >> >> # jail -l -U root -i /usr/home/d/guests/tap2 tap2.my.domain.com >> 10.112.0.151 /bin/sh /etc/rc >> jail: ip6: unknown boolean value "disable" > > r195820 is too old; but Jamie has a better solution; I would suggest > to backout the jail(8) patch and wait for the next two commits of > Jamie to HEAD and then update the machine again. OK, with r195945 things should be back to disallowing sockets when no addresses were assigned for that family. You'll need to rebuild the kernel for the fix, and libjail and possibly jail(8) to get past the "unknown boolean value" error. - Jamie From owner-freebsd-jail@FreeBSD.ORG Thu Jul 30 13:50:43 2009 Return-Path: Delivered-To: freebsd-jail@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E5F82106566B; Thu, 30 Jul 2009 13:50:43 +0000 (UTC) (envelope-from freebsd@levsha.org.ua) Received: from expo.ukrweb.net (mail.univua.net [91.202.128.78]) by mx1.freebsd.org (Postfix) with ESMTP id 9BBE18FC13; Thu, 30 Jul 2009 13:50:43 +0000 (UTC) (envelope-from freebsd@levsha.org.ua) Received: from levsha by expo.ukrweb.net with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1MWW2l-0009zQ-6h; Thu, 30 Jul 2009 16:51:39 +0300 Date: Thu, 30 Jul 2009 16:51:39 +0300 From: Mykola Dzham To: Jamie Gritton Message-ID: <20090730135139.GF20855@expo.ukrweb.net> References: <20090725163207.GP39538@expo.ukrweb.net> <20090727141808.R245@maildrop.int.zabbadoz.net> <20090729113638.GC20855@expo.ukrweb.net> <20090729121834.B245@maildrop.int.zabbadoz.net> <4A708261.7000509@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4A708261.7000509@FreeBSD.org> X-Operating-System: FreeBSD/7.0-STABLE (i386) User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-current@FreeBSD.org, "Bjoern A. Zeeb" , freebsd-jail@FreeBSD.org Subject: Re: 8.0 still allow creating ipv6 udp socket in jail without ipv6 ip X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2009 13:50:44 -0000 Jamie Gritton wrote: > Bjoern A. Zeeb wrote: > > On Wed, 29 Jul 2009, Mykola Dzham wrote: > >> Bjoern A. Zeeb wrote: > >>> On Sat, 25 Jul 2009, Mykola Dzham wrote: > >>>> After r188146 creating tcp ipv6 socket in jail without ipv6 ip is not > >>>> allowed, but udp socket is allowed. > >>> > >>> I cannot really follow what you are trying to say as wrt IPv4 and IPv6 > >>> sockets and what about UDP. > >>> > >>> Your sample further down is trying to use an IPv4 address on an IPv6 > >>> Datagram socket which is an error either way. > >> > >> Some java programms attempt to use ipv6 sockets, then use ipv4 if > >> socket(AF_INET6,...) fail. My sample imitate this > >> > >>> Prior to FreeBSD 7.2 IPv6 hadn't been supported at all for jails. > >>> > >>> With 7.2 it was possible to create IPv6 sockets (but only shortly and > >>> then fail on bind/connect/...). With the commit you reference the > >>> "Protocol not supported" came back in case there was no address of > >>> that address family for a given jail. > >>> > >>> With 8 the primary syntax for jails has changed and the "backward > >>> compat mode" again allows you to create a socket on a jail even if > >>> no address of the same family was configured for the jail. > >>> > >>> This should be addressed by the following patch: > >>> http://people.freebsd.org/~bz/20090727-01-jail8-legacy.diff > >>> > >>> Can you give it a try and report if that fixes your problem? > >> > >> Patch aplied cleanly on r195820 , but jail can not start after patching: > >> > >> # jail -l -U root -i /usr/home/d/guests/tap2 tap2.my.domain.com > >> 10.112.0.151 /bin/sh /etc/rc > >> jail: ip6: unknown boolean value "disable" > > > > r195820 is too old; but Jamie has a better solution; I would suggest > > to backout the jail(8) patch and wait for the next two commits of > > Jamie to HEAD and then update the machine again. > > OK, with r195945 things should be back to disallowing sockets when no > addresses were assigned for that family. You'll need to rebuild the > kernel for the fix, and libjail and possibly jail(8) to get past the > "unknown boolean value" error. On r195949 test program work correctly: it fail on socket(AF_INET6,...) on jail without ipv6 address. Thanks! -- Mykola Dzham, LEFT-(UANIC|RIPE) JID: levsha@jabber.net.ua From owner-freebsd-jail@FreeBSD.ORG Thu Jul 30 14:30:08 2009 Return-Path: Delivered-To: freebsd-jail@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 220CA106564A for ; Thu, 30 Jul 2009 14:30:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0FA6B8FC18 for ; Thu, 30 Jul 2009 14:30:08 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6UEU8w0009983 for ; Thu, 30 Jul 2009 14:30:08 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6UEU81X009974; Thu, 30 Jul 2009 14:30:08 GMT (envelope-from gnats) Date: Thu, 30 Jul 2009 14:30:08 GMT Message-Id: <200907301430.n6UEU81X009974@freefall.freebsd.org> To: freebsd-jail@FreeBSD.org From: dfilter@FreeBSD.ORG (dfilter service) Cc: Subject: Re: kern/136899: commit references a PR X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2009 14:30:08 -0000 The following reply was made to PR kern/136899; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/136899: commit references a PR Date: Thu, 30 Jul 2009 14:29:07 +0000 (UTC) Author: jamie Date: Thu Jul 30 14:28:56 2009 New Revision: 195974 URL: http://svn.freebsd.org/changeset/base/195974 Log: Remove a LOR, where the the sleepable allprison_lock was being obtained in prison_equal_ip4/6 while an inp mutex was held. Locking allprison_lock can be avoided by making a restriction on the IP addresses associated with jails: Don't allow the "ip4" and "ip6" parameters to be changed after a jail is created. Setting the "ip4.addr" and "ip6.addr" parameters is allowed, but only if the jail was already created with either ip4/6=new or ip4/6=disable. With this restriction, the prison flags in question (PR_IP4_USER and PR_IP6_USER) become read-only and can be checked without locking. This also allows the simplification of a messy code path that was needed to handle an existing prison gaining an IP address list. PR: kern/136899 Reported by: Dirk Meyer Approved by: re (kib), bz (mentor) Modified: head/sys/kern/kern_jail.c Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Thu Jul 30 13:19:12 2009 (r195973) +++ head/sys/kern/kern_jail.c Thu Jul 30 14:28:56 2009 (r195974) @@ -484,10 +484,10 @@ kern_jail_set(struct thread *td, struct int ii, ij; #endif #ifdef INET - int ip4s, ip4a, redo_ip4; + int ip4s, redo_ip4; #endif #ifdef INET6 - int ip6s, ip6a, redo_ip6; + int ip6s, redo_ip6; #endif unsigned pr_flags, ch_flags; unsigned pr_allow, ch_allow, tallow; @@ -518,17 +518,12 @@ kern_jail_set(struct thread *td, struct if (error) return (error); #ifdef INET - ip4a = 0; ip4 = NULL; #endif #ifdef INET6 - ip6a = 0; ip6 = NULL; #endif -#if defined(INET) || defined(INET6) - again: -#endif error = vfs_copyopt(opts, "jid", &jid, sizeof(jid)); if (error == ENOENT) jid = 0; @@ -610,6 +605,20 @@ kern_jail_set(struct thread *td, struct goto done_errmsg; } #endif +#ifdef INET + if ((flags & JAIL_UPDATE) && (ch_flags & PR_IP4_USER)) { + error = EINVAL; + vfs_opterror(opts, "ip4 cannot be changed after creation"); + goto done_errmsg; + } +#endif +#ifdef INET6 + if ((flags & JAIL_UPDATE) && (ch_flags & PR_IP6_USER)) { + error = EINVAL; + vfs_opterror(opts, "ip6 cannot be changed after creation"); + goto done_errmsg; + } +#endif pr_allow = ch_allow = 0; for (fi = 0; fi < sizeof(pr_allow_names) / sizeof(pr_allow_names[0]); @@ -708,7 +717,6 @@ kern_jail_set(struct thread *td, struct pr_flags |= PR_HOST; } - /* This might be the second time around for this option. */ #ifdef INET error = vfs_getopt(opts, "ip4.addr", &op, &ip4s); if (error == ENOENT) @@ -730,14 +738,7 @@ kern_jail_set(struct thread *td, struct vfs_opterror(opts, "too many IPv4 addresses"); goto done_errmsg; } - if (ip4a < ip4s) { - ip4a = ip4s; - free(ip4, M_PRISON); - ip4 = NULL; - } - if (ip4 == NULL) - ip4 = malloc(ip4a * sizeof(*ip4), M_PRISON, - M_WAITOK); + ip4 = malloc(ip4s * sizeof(*ip4), M_PRISON, M_WAITOK); bcopy(op, ip4, ip4s * sizeof(*ip4)); /* * IP addresses are all sorted but ip[0] to preserve @@ -793,14 +794,7 @@ kern_jail_set(struct thread *td, struct vfs_opterror(opts, "too many IPv6 addresses"); goto done_errmsg; } - if (ip6a < ip6s) { - ip6a = ip6s; - free(ip6, M_PRISON); - ip6 = NULL; - } - if (ip6 == NULL) - ip6 = malloc(ip6a * sizeof(*ip6), M_PRISON, - M_WAITOK); + ip6 = malloc(ip6s * sizeof(*ip6), M_PRISON, M_WAITOK); bcopy(op, ip6, ip6s * sizeof(*ip6)); if (ip6s > 1) qsort(ip6 + 1, ip6s - 1, sizeof(*ip6), qcmp_v6); @@ -1152,10 +1146,36 @@ kern_jail_set(struct thread *td, struct #endif { #ifdef INET - pr->pr_flags |= PR_IP4 | PR_IP4_USER | PR_IP4_DISABLE; + if (!(ch_flags & PR_IP4_USER)) + pr->pr_flags |= + PR_IP4 | PR_IP4_USER | PR_IP4_DISABLE; + else if (!(pr_flags & PR_IP4_USER)) { + pr->pr_flags |= ppr->pr_flags & PR_IP4; + if (ppr->pr_ip4 != NULL) { + pr->pr_ip4s = ppr->pr_ip4s; + pr->pr_ip4 = malloc(pr->pr_ip4s * + sizeof(struct in_addr), M_PRISON, + M_WAITOK); + bcopy(ppr->pr_ip4, pr->pr_ip4, + pr->pr_ip4s * sizeof(*pr->pr_ip4)); + } + } #endif #ifdef INET6 - pr->pr_flags |= PR_IP6 | PR_IP6_USER | PR_IP6_DISABLE; + if (!(ch_flags & PR_IP6_USER)) + pr->pr_flags |= + PR_IP6 | PR_IP6_USER | PR_IP6_DISABLE; + else if (!(pr_flags & PR_IP6_USER)) { + pr->pr_flags |= ppr->pr_flags & PR_IP6; + if (ppr->pr_ip6 != NULL) { + pr->pr_ip6s = ppr->pr_ip6s; + pr->pr_ip6 = malloc(pr->pr_ip6s * + sizeof(struct in6_addr), M_PRISON, + M_WAITOK); + bcopy(ppr->pr_ip6, pr->pr_ip6, + pr->pr_ip6s * sizeof(*pr->pr_ip6)); + } + } #endif } #endif @@ -1189,6 +1209,11 @@ kern_jail_set(struct thread *td, struct */ } else { created = 0; + /* + * Grab a reference for existing prisons, to ensure they + * continue to exist for the duration of the call. + */ + pr->pr_ref++; #if defined(VIMAGE) && (defined(INET) || defined(INET6)) if ((pr->pr_flags & PR_VNET) && (ch_flags & (PR_IP4_USER | PR_IP6_USER))) { @@ -1198,11 +1223,22 @@ kern_jail_set(struct thread *td, struct goto done_deref_locked; } #endif - /* - * Grab a reference for existing prisons, to ensure they - * continue to exist for the duration of the call. - */ - pr->pr_ref++; +#ifdef INET + if (PR_IP4_USER & ch_flags & (pr_flags ^ pr->pr_flags)) { + error = EINVAL; + vfs_opterror(opts, + "ip4 cannot be changed after creation"); + goto done_deref_locked; + } +#endif +#ifdef INET6 + if (PR_IP6_USER & ch_flags & (pr_flags ^ pr->pr_flags)) { + error = EINVAL; + vfs_opterror(opts, + "ip6 cannot be changed after creation"); + goto done_deref_locked; + } +#endif } /* Do final error checking before setting anything. */ @@ -1225,254 +1261,138 @@ kern_jail_set(struct thread *td, struct } } #ifdef INET - if (ch_flags & PR_IP4_USER) { + if (ip4s > 0) { if (ppr->pr_flags & PR_IP4) { - if (!(pr_flags & PR_IP4_USER)) { - /* - * Silently ignore attempts to make the IP - * addresses unrestricted when the parent is - * restricted; in other words, interpret - * "unrestricted" as "as unrestricted as - * possible". - */ - ip4s = ppr->pr_ip4s; - if (ip4s == 0) { - free(ip4, M_PRISON); - ip4 = NULL; - } else if (ip4s <= ip4a) { - /* Inherit the parent's address(es). */ - bcopy(ppr->pr_ip4, ip4, - ip4s * sizeof(*ip4)); - } else { - /* - * There's no room for the parent's - * address list. Allocate some more. - */ - ip4a = ip4s; - free(ip4, M_PRISON); - ip4 = malloc(ip4a * sizeof(*ip4), - M_PRISON, M_NOWAIT); - if (ip4 != NULL) - bcopy(ppr->pr_ip4, ip4, - ip4s * sizeof(*ip4)); - else { - /* Allocation failed without - * sleeping. Unlocking the - * prison now will invalidate - * some checks and prematurely - * show an unfinished new jail. - * So let go of everything and - * start over. - */ - prison_deref(pr, created - ? PD_LOCKED | - PD_LIST_XLOCKED - : PD_DEREF | PD_LOCKED | - PD_LIST_XLOCKED); - if (root != NULL) { - vfslocked = - VFS_LOCK_GIANT( - root->v_mount); - vrele(root); - VFS_UNLOCK_GIANT( - vfslocked); - } - ip4 = malloc(ip4a * - sizeof(*ip4), M_PRISON, - M_WAITOK); - goto again; - } - } - } else if (ip4s > 0) { - /* - * Make sure the new set of IP addresses is a - * subset of the parent's list. Don't worry - * about the parent being unlocked, as any - * setting is done with allprison_lock held. - */ - for (ij = 0; ij < ppr->pr_ip4s; ij++) - if (ip4[0].s_addr == - ppr->pr_ip4[ij].s_addr) + /* + * Make sure the new set of IP addresses is a + * subset of the parent's list. Don't worry + * about the parent being unlocked, as any + * setting is done with allprison_lock held. + */ + for (ij = 0; ij < ppr->pr_ip4s; ij++) + if (ip4[0].s_addr == ppr->pr_ip4[ij].s_addr) + break; + if (ij == ppr->pr_ip4s) { + error = EPERM; + goto done_deref_locked; + } + if (ip4s > 1) { + for (ii = ij = 1; ii < ip4s; ii++) { + if (ip4[ii].s_addr == + ppr->pr_ip4[0].s_addr) + continue; + for (; ij < ppr->pr_ip4s; ij++) + if (ip4[ii].s_addr == + ppr->pr_ip4[ij].s_addr) + break; + if (ij == ppr->pr_ip4s) break; + } if (ij == ppr->pr_ip4s) { error = EPERM; goto done_deref_locked; } - if (ip4s > 1) { - for (ii = ij = 1; ii < ip4s; ii++) { - if (ip4[ii].s_addr == - ppr->pr_ip4[0].s_addr) - continue; - for (; ij < ppr->pr_ip4s; ij++) - if (ip4[ii].s_addr == - ppr->pr_ip4[ij].s_addr) - break; - if (ij == ppr->pr_ip4s) - break; - } - if (ij == ppr->pr_ip4s) { - error = EPERM; - goto done_deref_locked; - } - } } } - if (ip4s > 0) { - /* - * Check for conflicting IP addresses. We permit them - * if there is no more than one IP on each jail. If - * there is a duplicate on a jail with more than one - * IP stop checking and return error. - */ - tppr = ppr; + /* + * Check for conflicting IP addresses. We permit them + * if there is no more than one IP on each jail. If + * there is a duplicate on a jail with more than one + * IP stop checking and return error. + */ + tppr = ppr; #ifdef VIMAGE - for (; tppr != &prison0; tppr = tppr->pr_parent) - if (tppr->pr_flags & PR_VNET) - break; + for (; tppr != &prison0; tppr = tppr->pr_parent) + if (tppr->pr_flags & PR_VNET) + break; #endif - FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) { - if (tpr == pr || + FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) { + if (tpr == pr || #ifdef VIMAGE - (tpr != tppr && - (tpr->pr_flags & PR_VNET)) || + (tpr != tppr && (tpr->pr_flags & PR_VNET)) || #endif - tpr->pr_uref == 0) { - descend = 0; - continue; - } - if (!(tpr->pr_flags & PR_IP4_USER)) - continue; + tpr->pr_uref == 0) { descend = 0; - if (tpr->pr_ip4 == NULL || - (ip4s == 1 && tpr->pr_ip4s == 1)) - continue; - for (ii = 0; ii < ip4s; ii++) { - if (_prison_check_ip4(tpr, - &ip4[ii]) == 0) { - error = EADDRINUSE; - vfs_opterror(opts, - "IPv4 addresses clash"); - goto done_deref_locked; - } + continue; + } + if (!(tpr->pr_flags & PR_IP4_USER)) + continue; + descend = 0; + if (tpr->pr_ip4 == NULL || + (ip4s == 1 && tpr->pr_ip4s == 1)) + continue; + for (ii = 0; ii < ip4s; ii++) { + if (_prison_check_ip4(tpr, &ip4[ii]) == 0) { + error = EADDRINUSE; + vfs_opterror(opts, + "IPv4 addresses clash"); + goto done_deref_locked; } } } } #endif #ifdef INET6 - if (ch_flags & PR_IP6_USER) { + if (ip6s > 0) { if (ppr->pr_flags & PR_IP6) { - if (!(pr_flags & PR_IP6_USER)) { - /* - * Silently ignore attempts to make the IP - * addresses unrestricted when the parent is - * restricted. - */ - ip6s = ppr->pr_ip6s; - if (ip6s == 0) { - free(ip6, M_PRISON); - ip6 = NULL; - } else if (ip6s <= ip6a) { - /* Inherit the parent's address(es). */ - bcopy(ppr->pr_ip6, ip6, - ip6s * sizeof(*ip6)); - } else { - /* - * There's no room for the parent's - * address list. - */ - ip6a = ip6s; - free(ip6, M_PRISON); - ip6 = malloc(ip6a * sizeof(*ip6), - M_PRISON, M_NOWAIT); - if (ip6 != NULL) - bcopy(ppr->pr_ip6, ip6, - ip6s * sizeof(*ip6)); - else { - prison_deref(pr, created - ? PD_LOCKED | - PD_LIST_XLOCKED - : PD_DEREF | PD_LOCKED | - PD_LIST_XLOCKED); - if (root != NULL) { - vfslocked = - VFS_LOCK_GIANT( - root->v_mount); - vrele(root); - VFS_UNLOCK_GIANT( - vfslocked); - } - ip6 = malloc(ip6a * - sizeof(*ip6), M_PRISON, - M_WAITOK); - goto again; - } - } - } else if (ip6s > 0) { - /* - * Make sure the new set of IP addresses is a - * subset of the parent's list. - */ - for (ij = 0; ij < ppr->pr_ip6s; ij++) - if (IN6_ARE_ADDR_EQUAL(&ip6[0], - &ppr->pr_ip6[ij])) + /* + * Make sure the new set of IP addresses is a + * subset of the parent's list. + */ + for (ij = 0; ij < ppr->pr_ip6s; ij++) + if (IN6_ARE_ADDR_EQUAL(&ip6[0], + &ppr->pr_ip6[ij])) + break; + if (ij == ppr->pr_ip6s) { + error = EPERM; + goto done_deref_locked; + } + if (ip6s > 1) { + for (ii = ij = 1; ii < ip6s; ii++) { + if (IN6_ARE_ADDR_EQUAL(&ip6[ii], + &ppr->pr_ip6[0])) + continue; + for (; ij < ppr->pr_ip6s; ij++) + if (IN6_ARE_ADDR_EQUAL( + &ip6[ii], &ppr->pr_ip6[ij])) + break; + if (ij == ppr->pr_ip6s) break; + } if (ij == ppr->pr_ip6s) { error = EPERM; goto done_deref_locked; } - if (ip6s > 1) { - for (ii = ij = 1; ii < ip6s; ii++) { - if (IN6_ARE_ADDR_EQUAL(&ip6[ii], - &ppr->pr_ip6[0])) - continue; - for (; ij < ppr->pr_ip6s; ij++) - if (IN6_ARE_ADDR_EQUAL( - &ip6[ii], - &ppr->pr_ip6[ij])) - break; - if (ij == ppr->pr_ip6s) - break; - } - if (ij == ppr->pr_ip6s) { - error = EPERM; - goto done_deref_locked; - } - } } } - if (ip6s > 0) { - /* Check for conflicting IP addresses. */ - tppr = ppr; + /* Check for conflicting IP addresses. */ + tppr = ppr; #ifdef VIMAGE - for (; tppr != &prison0; tppr = tppr->pr_parent) - if (tppr->pr_flags & PR_VNET) - break; + for (; tppr != &prison0; tppr = tppr->pr_parent) + if (tppr->pr_flags & PR_VNET) + break; #endif - FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) { - if (tpr == pr || + FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) { + if (tpr == pr || #ifdef VIMAGE - (tpr != tppr && - (tpr->pr_flags & PR_VNET)) || + (tpr != tppr && (tpr->pr_flags & PR_VNET)) || #endif - tpr->pr_uref == 0) { - descend = 0; - continue; - } - if (!(tpr->pr_flags & PR_IP6_USER)) - continue; + tpr->pr_uref == 0) { descend = 0; - if (tpr->pr_ip6 == NULL || - (ip6s == 1 && tpr->pr_ip6s == 1)) - continue; - for (ii = 0; ii < ip6s; ii++) { - if (_prison_check_ip6(tpr, - &ip6[ii]) == 0) { - error = EADDRINUSE; - vfs_opterror(opts, - "IPv6 addresses clash"); - goto done_deref_locked; - } + continue; + } + if (!(tpr->pr_flags & PR_IP6_USER)) + continue; + descend = 0; + if (tpr->pr_ip6 == NULL || + (ip6s == 1 && tpr->pr_ip6s == 1)) + continue; + for (ii = 0; ii < ip6s; ii++) { + if (_prison_check_ip6(tpr, &ip6[ii]) == 0) { + error = EADDRINUSE; + vfs_opterror(opts, + "IPv6 addresses clash"); + goto done_deref_locked; } } } @@ -1514,28 +1434,12 @@ kern_jail_set(struct thread *td, struct /* Set the parameters of the prison. */ #ifdef INET redo_ip4 = 0; - if (ch_flags & PR_IP4_USER) { - if (pr_flags & PR_IP4_USER) { - /* Some restriction set. */ - pr->pr_flags |= PR_IP4; - if (ip4s >= 0) { - free(pr->pr_ip4, M_PRISON); - pr->pr_ip4s = ip4s; - pr->pr_ip4 = ip4; - ip4 = NULL; - } - } else if (ppr->pr_flags & PR_IP4) { - /* This restriction cleared, but keep inherited. */ - free(pr->pr_ip4, M_PRISON); - pr->pr_ip4s = ip4s; - pr->pr_ip4 = ip4; - ip4 = NULL; - } else { - /* Restriction cleared, now unrestricted. */ - pr->pr_flags &= ~PR_IP4; - free(pr->pr_ip4, M_PRISON); - pr->pr_ip4s = 0; - } + if (pr_flags & PR_IP4_USER) { + pr->pr_flags |= PR_IP4; + free(pr->pr_ip4, M_PRISON); + pr->pr_ip4s = ip4s; + pr->pr_ip4 = ip4; + ip4 = NULL; FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) { #ifdef VIMAGE if (tpr->pr_flags & PR_VNET) { @@ -1552,28 +1456,12 @@ kern_jail_set(struct thread *td, struct #endif #ifdef INET6 redo_ip6 = 0; - if (ch_flags & PR_IP6_USER) { - if (pr_flags & PR_IP6_USER) { - /* Some restriction set. */ - pr->pr_flags |= PR_IP6; - if (ip6s >= 0) { - free(pr->pr_ip6, M_PRISON); - pr->pr_ip6s = ip6s; - pr->pr_ip6 = ip6; - ip6 = NULL; - } - } else if (ppr->pr_flags & PR_IP6) { - /* This restriction cleared, but keep inherited. */ - free(pr->pr_ip6, M_PRISON); - pr->pr_ip6s = ip6s; - pr->pr_ip6 = ip6; - ip6 = NULL; - } else { - /* Restriction cleared, now unrestricted. */ - pr->pr_flags &= ~PR_IP6; - free(pr->pr_ip6, M_PRISON); - pr->pr_ip6s = 0; - } + if (pr_flags & PR_IP6_USER) { + pr->pr_flags |= PR_IP6; + free(pr->pr_ip6, M_PRISON); + pr->pr_ip6s = ip6s; + pr->pr_ip6 = ip6; + ip6 = NULL; FOREACH_PRISON_DESCENDANT_LOCKED(pr, tpr, descend) { #ifdef VIMAGE if (tpr->pr_flags & PR_VNET) { @@ -2661,7 +2549,6 @@ prison_restrict_ip4(struct prison *pr, s free(pr->pr_ip4, M_PRISON); pr->pr_ip4 = newip4; pr->pr_ip4s = ppr->pr_ip4s; - pr->pr_flags |= PR_IP4; } return (used); } @@ -2673,9 +2560,7 @@ prison_restrict_ip4(struct prison *pr, s free(pr->pr_ip4, M_PRISON); pr->pr_ip4 = NULL; } - pr->pr_flags = - (pr->pr_flags & ~PR_IP4) | (ppr->pr_flags & PR_IP4); - } else if (pr->pr_ip4s > 0 && (ppr->pr_flags & PR_IP4)) { + } else if (pr->pr_ip4s > 0) { /* Remove addresses that aren't in the parent. */ for (ij = 0; ij < ppr->pr_ip4s; ij++) if (pr->pr_ip4[0].s_addr == ppr->pr_ip4[ij].s_addr) @@ -2762,12 +2647,9 @@ prison_equal_ip4(struct prison *pr1, str return (1); /* - * jail_set maintains an exclusive hold on allprison_lock while it - * changes the IP addresses, so only a shared hold is needed. This is - * easier than locking the two prisons which would require finding the - * proper locking order and end up needing allprison_lock anyway. + * No need to lock since the PR_IP4_USER flag can't be altered for + * existing prisons. */ - sx_slock(&allprison_lock); while (pr1 != &prison0 && #ifdef VIMAGE !(pr1->pr_flags & PR_VNET) && @@ -2780,7 +2662,6 @@ prison_equal_ip4(struct prison *pr1, str #endif !(pr2->pr_flags & PR_IP4_USER)) pr2 = pr2->pr_parent; - sx_sunlock(&allprison_lock); return (pr1 == pr2); } @@ -2972,7 +2853,6 @@ prison_restrict_ip6(struct prison *pr, s free(pr->pr_ip6, M_PRISON); pr->pr_ip6 = newip6; pr->pr_ip6s = ppr->pr_ip6s; - pr->pr_flags |= PR_IP6; } return (used); } @@ -2984,9 +2864,7 @@ prison_restrict_ip6(struct prison *pr, s free(pr->pr_ip6, M_PRISON); pr->pr_ip6 = NULL; } - pr->pr_flags = - (pr->pr_flags & ~PR_IP6) | (ppr->pr_flags & PR_IP6); - } else if (pr->pr_ip6s > 0 && (ppr->pr_flags & PR_IP6)) { + } else if (pr->pr_ip6s > 0) { /* Remove addresses that aren't in the parent. */ for (ij = 0; ij < ppr->pr_ip6s; ij++) if (IN6_ARE_ADDR_EQUAL(&pr->pr_ip6[0], @@ -3073,7 +2951,6 @@ prison_equal_ip6(struct prison *pr1, str if (pr1 == pr2) return (1); - sx_slock(&allprison_lock); while (pr1 != &prison0 && #ifdef VIMAGE !(pr1->pr_flags & PR_VNET) && @@ -3086,7 +2963,6 @@ prison_equal_ip6(struct prison *pr1, str #endif !(pr2->pr_flags & PR_IP6_USER)) pr2 = pr2->pr_parent; - sx_sunlock(&allprison_lock); return (pr1 == pr2); } @@ -4172,12 +4048,14 @@ SYSCTL_JAIL_PARAM_NODE(cpuset, "Jail cpu SYSCTL_JAIL_PARAM(_cpuset, id, CTLTYPE_INT | CTLFLAG_RD, "I", "Jail cpuset ID"); #ifdef INET -SYSCTL_JAIL_PARAM_SYS_NODE(ip4, CTLFLAG_RW, "Jail IPv4 address virtualization"); +SYSCTL_JAIL_PARAM_SYS_NODE(ip4, CTLFLAG_RDTUN, + "Jail IPv4 address virtualization"); SYSCTL_JAIL_PARAM_STRUCT(_ip4, addr, CTLFLAG_RW, sizeof(struct in_addr), "S,in_addr,a", "Jail IPv4 addresses"); #endif #ifdef INET6 -SYSCTL_JAIL_PARAM_SYS_NODE(ip6, CTLFLAG_RW, "Jail IPv6 address virtualization"); +SYSCTL_JAIL_PARAM_SYS_NODE(ip6, CTLFLAG_RDTUN, + "Jail IPv6 address virtualization"); SYSCTL_JAIL_PARAM_STRUCT(_ip6, addr, CTLFLAG_RW, sizeof(struct in6_addr), "S,in6_addr,a", "Jail IPv6 addresses"); #endif _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" From owner-freebsd-jail@FreeBSD.ORG Thu Jul 30 15:54:37 2009 Return-Path: Delivered-To: freebsd-jail@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 74B8F106566C; Thu, 30 Jul 2009 15:54:37 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 4A0578FC0A; Thu, 30 Jul 2009 15:54:37 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from freefall.freebsd.org (jamie@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n6UFsbhq079889; Thu, 30 Jul 2009 15:54:37 GMT (envelope-from jamie@freefall.freebsd.org) Received: (from jamie@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n6UFsZMf079883; Thu, 30 Jul 2009 15:54:35 GMT (envelope-from jamie) Date: Thu, 30 Jul 2009 15:54:35 GMT Message-Id: <200907301554.n6UFsZMf079883@freefall.freebsd.org> To: dirk.meyer+gnats@dinoex.sub.org, jamie@FreeBSD.org, freebsd-jail@FreeBSD.org From: jamie@FreeBSD.org Cc: Subject: Re: kern/136899: [jail] [lor] upd/jail LOR after reboot X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jul 2009 15:54:37 -0000 Synopsis: [jail] [lor] upd/jail LOR after reboot State-Changed-From-To: open->closed State-Changed-By: jamie State-Changed-When: Thu Jul 30 15:42:26 UTC 2009 State-Changed-Why: Fixed by r195974, which restricts the prison "ip4" and "ip6" parameters in order to avoid locking allprison_lock in prison_equal_ip4/6. http://www.freebsd.org/cgi/query-pr.cgi?pr=136899 From owner-freebsd-jail@FreeBSD.ORG Fri Jul 31 07:46:27 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 477441065678 for ; Fri, 31 Jul 2009 07:46:27 +0000 (UTC) (envelope-from nvass9573@gmx.com) Received: from mail.gmx.com (unknown [213.165.64.42]) by mx1.freebsd.org (Postfix) with SMTP id EBC4C8FC12 for ; Fri, 31 Jul 2009 07:46:23 +0000 (UTC) (envelope-from nvass9573@gmx.com) Received: (qmail invoked by alias); 31 Jul 2009 07:46:20 -0000 Received: from ipa71.82.91.tellas.gr (EHLO [169.254.0.10]) [91.140.82.71] by mail.gmx.com (mp-eu001) with SMTP; 31 Jul 2009 09:46:20 +0200 X-Authenticated: #46156728 X-Provags-ID: V01U2FsdGVkX1+g/s9LmwKgOuswjQ0zzndlil0ABCd0gneKT3PZn6 bBH7o2iu0U4eFn Message-ID: <4A72A133.2030801@gmx.com> Date: Fri, 31 Jul 2009 10:45:55 +0300 From: Nikos Vassiliadis User-Agent: Thunderbird 2.0.0.22 (Windows/20090605) MIME-Version: 1.0 To: freebsd-jail@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 X-FuHaFi: 0.78 Subject: creating vimage with jail(8)? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jul 2009 07:46:31 -0000 Hi, Is it possible to create a vimage with the jail(8) command? Or one have still to use the tools/tools/vimage command? Thanks, Nikos From owner-freebsd-jail@FreeBSD.ORG Fri Jul 31 07:57:08 2009 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2A4601065670 for ; Fri, 31 Jul 2009 07:57:08 +0000 (UTC) (envelope-from nvass9573@gmx.com) Received: from mail.gmx.com (unknown [213.165.64.42]) by mx1.freebsd.org (Postfix) with SMTP id 754768FC0C for ; Fri, 31 Jul 2009 07:57:07 +0000 (UTC) (envelope-from nvass9573@gmx.com) Received: (qmail invoked by alias); 31 Jul 2009 07:57:06 -0000 Received: from ipa71.82.91.tellas.gr (EHLO [169.254.0.10]) [91.140.82.71] by mail.gmx.com (mp-eu005) with SMTP; 31 Jul 2009 09:57:06 +0200 X-Authenticated: #46156728 X-Provags-ID: V01U2FsdGVkX1/qR1lyWTPqd/E1zWtdKlA+3paCULF9eNtd1vrbP5 uZlkAH8xH0GSKy Message-ID: <4A72A3BD.1030208@gmx.com> Date: Fri, 31 Jul 2009 10:56:45 +0300 From: Nikos Vassiliadis User-Agent: Thunderbird 2.0.0.22 (Windows/20090605) MIME-Version: 1.0 To: freebsd-jail@freebsd.org References: <4A72A133.2030801@gmx.com> In-Reply-To: <4A72A133.2030801@gmx.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 X-FuHaFi: 0.68 Subject: Re: creating vimage with jail(8)? X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 31 Jul 2009 07:57:08 -0000 Nikos Vassiliadis wrote: > Is it possible to create a vimage with the jail(8) command? > Or one have still to use the tools/tools/vimage command? Sorry for the noise, I've just saw a two weeks old post from Jamie Gritton, mentioning that the vnet parameter should be used: > This patch deals with jailed subsystems that may or may not be > virtualized. At first, there was a boolean to describe this > situation: for example in the VIMAGE kernels, the setting "vnet" > parameter would create a jail with a virtual network stack.