Date: Sat, 7 Aug 2010 17:05:52 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Isaac Levy <ike@blackskyresearch.net>
Cc: freebsd-jail@freebsd.org
Subject: Re: sysvipc in jails + CURRENT
Message-ID: <20100807165417.M48418@maildrop.int.zabbadoz.net>
In-Reply-To: <201007221934.o6MJYA7f020607@rs54.luxsci.com>
References: <201007221934.o6MJYA7f020607@rs54.luxsci.com>
On Thu, 22 Jul 2010, Isaac Levy wrote:

Hi ike,

long time no see.

> I could be doing something stupid, or I've dug up an old bug,
> (http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00859.html).
>
> I cannot get good ol' trusty enforce_statfs to work, allowing me to see
> different mounts from within a jail.
>
> --
> The example jail command I'm using, (new-style),
> jail -c path=$JDIR host.hostname=$JHOSTNAME ip4.addr="$INET" enforce_statfs=1 command=/bin/sh /etc/rc
>
> I've tried everything- including attempting to change my sysctls over
> and over, (including /etc/sysctl.conf with rebooting).
> Interestingly:
> The old standard 'security.jail.enforce_statfs' was not something I
> could modify, *until* I put a sysctl value in /etc/sysctl.conf which was
> not 0 (1 or 2 both will let me set the sysctl value once the system is
> booted).
> If I have "security.jail.enforce_statfs=0", to my surprise, I cannot
> change that sysctl on the host system as I would usually expect.
> (This is what makes me think this smells like a bug)
>
> My extra mounts are UFS volumes, mounted right into the jail directory,
> (on another ufs volume).
>
> What follows, are just machine stats if anyone wants them?
>
> I'd love any thoughts, urls, no matter how brief...

I am confused but maybe I can help you with some explanation:

1) do not change the sysctl anywhere; that is neither in sysctl.conf nor
   by other magic or by hand. The default on 8 and 9 should be 2. You can
   check that with sysctl security.jail.enforce_statfs still I think.

2) Creating a new jail

> jail -c path=/jail/j1 persist

I can see:

> jexec 1 mount
192.168.5.1:/zoo/bz/HEAD on / (nfs)

And

> jls -s -j 1 enforce_statfs
enforce_statfs=2

confirms the default.

3) modifying the jail:

> jail -m jid=1 enforce_statfs=1

I can now see:

> jexec 1 mount
192.168.5.1:/zoo/bz/HEAD on / (nfs)
devfs on /dev (devfs, local, multilabel)
192.168.5.1:/zoo/bz on /zoo/bz (nfs)

And jls confirms that the modification was successful:

> jls -s -j 1 enforce_statfs
enforce_statfs=1

4) If you lower the default by changing the sysctl, all your jails that
   have a higher level will be lowered as well.

5) But if you up the default again, they won't change back up.

I think that you are right, that there is a bug here, as 4) and 5) should
be working the other way round I think.

Anyway, the summary is: if you don't change the default a

   jail -c enforce_statfs=1 ...

should just work fine.

Hope this helps.

/bz

-- 
Bjoern A. Zeeb                              This signature is about you not me.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100807165417.M48418>
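The steps bz walks through above (create a persistent jail, look at what mount(8) reports inside it, lower enforce_statfs with jail -m, confirm with jls -s -j), plus the drift he describes in points 4) and 5), as an added shell example. This is not code from the thread or from FreeBSD; it assumes the jail(8), jls(8) and jexec(8) invocations shown in the mail, that `jail -i` prints the new jid, and a host default of 2. The jail path passed to `demo_modify` is hypothetical. Only `parse_jls_line` and `audit_lowered` run offline on constructed `jls -s` text; `audit_live` and `demo_modify` need root on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits the enforce_statfs
# level of running jails against the host default and reproduces the
# create / inspect / modify / verify sequence from the mail.

# Parse one `jls -s jid enforce_statfs` line ("jid=1 enforce_statfs=2") and
# print "jid level". Prints nothing if either field is missing.
parse_jls_line() {
    jid=""
    level=""
    for kv in $1; do
        case "$kv" in
            jid=*)            jid="${kv#jid=}" ;;
            enforce_statfs=*) level="${kv#enforce_statfs=}" ;;
        esac
    done
    if [ -n "$jid" ] && [ -n "$level" ]; then
        printf '%s %s\n' "$jid" "$level"
    fi
}

# Read `jls -s` lines on stdin and report every jail whose enforce_statfs is
# below the default given as $1. This is the situation described in 4) and 5):
# lowering the sysctl drags every jail down with it, raising it again does not
# bring them back, so the drift only shows up when each jid is inspected.
audit_lowered() {
    default=$1
    while IFS= read -r line; do
        set -- $(parse_jls_line "$line")
        [ $# -eq 2 ] || continue
        if [ "$2" -lt "$default" ]; then
            printf 'jid %s: enforce_statfs=%s (below default %s)\n' "$1" "$2" "$default"
        fi
    done
}

# Live audit on a FreeBSD host: current sysctl default vs. every running jail.
audit_live() {
    jls -s jid enforce_statfs | audit_lowered "$(sysctl -n security.jail.enforce_statfs)"
}

# Reproduce steps 2) and 3) on a scratch jail rooted at $1 (hypothetical path,
# e.g. /jail/j1): create it persistent, compare what mount(8) shows inside at
# the default level and after `jail -m ... enforce_statfs=1`, then remove it.
demo_modify() {
    jid=$(jail -i -c path="$1" persist)       # -i prints only the new jid
    echo "== jid $jid at the default level"
    jls -s -j "$jid" enforce_statfs
    jexec "$jid" mount                         # only the jail's root mount is listed
    jail -m jid="$jid" enforce_statfs=1        # modify the running jail
    echo "== jid $jid after jail -m enforce_statfs=1"
    jls -s -j "$jid" enforce_statfs
    jexec "$jid" mount                         # mounts below the jail root now appear
    jail -r "$jid"                             # tear the scratch jail down again
}

case "${1-}" in
    live) audit_live ;;
    demo) demo_modify "${2:?usage: $0 demo /path/to/jail}" ;;
esac
```

Run `sh enforce_statfs_audit.sh live` on the host after any change to security.jail.enforce_statfs to see which jails were dragged below the default, and `sh enforce_statfs_audit.sh demo /jail/j1` (as root, with a populated jail root) to watch the mount view change between level 2 and level 1 the way bz's transcript shows.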