Date: Sat, 27 Aug 2011 01:22:48 -0700
From: Devin Teske <devin.teske@fisglobal.com>
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Cc: Dave Robison <daver@vicor.com>, Devin Teske <dteske@vicor.com>
Subject: jail vnet bug
Message-ID: <3A1BA4AA-3949-4FD5-AE80-6C3436911414@fisglobal.com>
Hi all,
Not sure if this is a bug, but I'm using 8.1-RELEASE-p4 with VIMAGE enabled and am experiencing something odd.
I set sysctl security.jail.mount_allowed=1 and then fire up a jail, all is good (jail has value of 1).
I then set sysctl security.jail.enforce_statfs=1 and then restart the jail. Again, all is good (jail has value of 1).
I then fire up my vimage jails, and all is bad. Values still show 0 (mount_allowed) and 2 (enforce_statfs).
So I went into the kernel and forced their default values, which appeared to work, but only partly.
The following [undesirable] patch was enough to get enforce_statfs working:
--- sys/kern/kern_jail.c.orig 2011-08-26 23:41:27.000000000 -0700
+++ sys/kern/kern_jail.c 2011-08-27 00:44:45.000000000 -0700
@@ -202,7 +202,7 @@
#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
-#define JAIL_DEFAULT_ENFORCE_STATFS 2
+#define JAIL_DEFAULT_ENFORCE_STATFS 1
static unsigned jail_default_allow =3D JAIL_DEFAULT_ALLOW;
static int jail_default_enforce_statfs =3D JAIL_DEFAULT_ENFORCE_STATFS;
#if defined(INET) || defined(INET6)
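Review bot: lowering JAIL_DEFAULT_ENFORCE_STATFS from 2 to 1 bakes the relaxed value into every kernel boot and every jail, so it hides rather than answers the question this hunk is meant to probe, namely why the runtime default kept in jail_default_enforce_statfs (initialised from this macro two lines below) is honoured by the plain jail but not by the vnet jail. Leave the macro alone and instead trace where jail_default_enforce_statfs is copied into the new prison at creation time, since that is the path on which the two jail flavours evidently differ. If this change is kept even for a local build, the new default needs a comment next to the #define saying why it departs from the documented value of 2.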
However, the following [equally undesirable] patch was NOT enough to get mount(8) to work:
@@ -4113,4 +4114,4 @@
SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE,
- NULL, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
+ (void *)1, PR_ALLOW_MOUNT, sysctl_jail_default_allow, "I",
"Processes in jail can mount/unmount jail-friendly file systems");
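Review bot: the first argument slot of SYSCTL_PROC is the handler's private pointer, not a default value, so `(void *)1` here does not set PR_ALLOW_MOUNT in jail_default_allow. Check sysctl_jail_default_allow before relying on this: as far as I recall from this file, a non-NULL arg1 is the convention for inverting the sense of the bit (the socket_unixiproute_only knob is wired that way), which would make mount_allowed read 1 exactly when the bit is clear. That matches the output later in this mail, where the vnet jail reports mount_allowed: 1 yet mount_nfs is refused and the non-vnet jail reports 0 yet mounts fine, so with this hunk applied the sysctl value can no longer be trusted as evidence either way. Revert to NULL and compare the two jails with the unmodified sysctl. Separately, the header reads @@ -4113,4 +4114,4 @@ although the first hunk adds no lines, so a hunk between the two appears to be missing from what was pasted.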
Here's what I'm getting for an error...
vnettest# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether XX:XX:XX:XX:XX:XX
inet X.X.X.X netmask 0xffffff00 broadcast X.X.X.X
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
mount_nfs: /mnt, : Operation not permitted
Meanwhile, over in the jail (non-vnet):
vnettest# ifconfig -l
bge0 fxp0 plip0 ipfw0 lo0 epair0a bridge0
vnettest# sysctl security.jail.{jailed,mount_allowed,enforce_statfs}
security.jail.jailed: 1
security.jail.mount_allowed: 0
security.jail.enforce_statfs: 1
vnettest# mount build1:/repos /mnt
vnettest# df -Th
Filesystem Type Size Used Avail Capacity Mounted on
/dev/ad4s1f ufs 137G 4.1G 122G 3% /
devfs devfs 1.0K 1.0K 0B 100% /dev
build1:/repos nfs 99G 63G 29G 69% /mnt
vnettest# umount /mnt
vnettest# df -Th
Filesystem Type Size Used Avail Capacity Mounted on
/dev/ad4s1f ufs 137G 4.1G 122G 3% /
devfs devfs 1.0K 1.0K 0B 100% /dev
Any advice would be helpful. The core issue is that we've finally achieved NFS mounting within a jail (many thanks to Martin Matuska for his patch), but are not able to replicate our success in a vnet jail.
-- 
Devin
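As an added example, not part of the original post and not FreeBSD's own tooling, here is a small sh script for the check the mail does by hand: set the host-side security.jail.* defaults, restart the jails, then read the same OIDs back from inside each jail with jexec(8) and, only if they match, try the NFS mount from inside the jail. Keeping the sysctl comparison and the mount attempt as separate steps distinguishes "the value never reached the jail" from "the value is there but the kernel still refuses", which is the split the vnet and non-vnet output above shows. It assumes FreeBSD with jail(8)/jexec(8) and `sysctl -e`, run as root. The jail names `plainjail` and `vnettest`, the NFS source `build1:/repos`, the mount point `/mnt` and restarting via /etc/rc.d/jail are placeholders; substitute however you actually start your vnet jails.

```sh
#!/bin/sh
# Added example (not from the original post). Verifies that host-side
# security.jail.* defaults reach a running jail, vnet or not, and probes
# mount(8) from inside it. Assumes FreeBSD, root, jexec(8), sysctl -e.
# Jail names, the NFS export, /mnt and the rc.d restart are placeholders.

# Host-side values every newly started jail is expected to inherit.
EXPECTED="security.jail.mount_allowed=1
security.jail.enforce_statfs=1"

# check_sysctls EXPECTED ACTUAL
# Both arguments are newline-separated name=value lines (the output format
# of `sysctl -e`). Prints one MISMATCH line per differing or missing OID and
# returns 1 if any was found, 0 if every expected OID has the expected value.
check_sysctls() {
    _expected=$1
    _actual=$2
    _rc=0
    for _line in $_expected; do          # word-splitting on newlines is intended
        _name=${_line%%=*}
        _want=${_line#*=}
        _got=$(printf '%s\n' "$_actual" | awk -F= -v n="$_name" '$1 == n { print $2 }')
        if [ "$_got" != "$_want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$_name" "$_want" "${_got:-<missing>}"
            _rc=1
        fi
    done
    return $_rc
}

# jail_sysctls JAIL: dump the OIDs named in EXPECTED as seen from inside JAIL.
jail_sysctls() {
    _oids=$(printf '%s\n' "$EXPECTED" | sed 's/=.*//')
    jexec "$1" sysctl -e $_oids            # unquoted on purpose: one OID per word
}

# probe_jail JAIL NFS_SOURCE: compare the jail's view against EXPECTED and,
# only if it matches, try an NFS mount/umount from inside the jail, so that
# "value never reached the jail" and "kernel still refuses" are reported apart.
probe_jail() {
    _jail=$1
    _src=$2
    printf '== %s ==\n' "$_jail"
    if ! check_sysctls "$EXPECTED" "$(jail_sysctls "$_jail")"; then
        echo "sysctl defaults did not propagate into $_jail"
        return 1
    fi
    if jexec "$_jail" mount -t nfs "$_src" /mnt; then
        jexec "$_jail" df -Th /mnt
        jexec "$_jail" umount /mnt
        echo "mount(8) from inside $_jail works"
    else
        echo "sysctls look right in $_jail but mount(8) is still refused"
        return 1
    fi
}

# Usage: sh jailcheck.sh run [nfs-source]
# Nothing below runs unless "run" is given, so the file can be sourced for
# its functions without touching the host.
if [ "$1" = run ]; then
    sysctl security.jail.mount_allowed=1 security.jail.enforce_statfs=1
    # jail_default_* is consulted when a jail is created, so restart the jails
    # (placeholder: replace with however the vnet jails are actually started).
    /etc/rc.d/jail restart
    probe_jail plainjail "${2:-build1:/repos}"
    probe_jail vnettest  "${2:-build1:/repos}"
fi
```

Run it as `sh jailcheck.sh run build1:/repos` on the host after the jails are configured; a jail that prints a MISMATCH line for mount_allowed while the host shows 1 is the propagation problem described above, whereas a jail whose sysctls match but whose mount is refused points at the kernel's mount decision rather than at the default value.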
