new jail(8) ignoring devfs_ruleset?

2013-02-15 Thread Harald Schmalzbauer
 Hello,

like already posted, on 9.1-R, I highly appreciate the new jail(8) and
jail.conf capabilities. Thanks for that extension!

Accidentally I saw that "devfs_ruleset" seems to be ignored.
If I list /dev/ I see all the host's disk devices etc.
I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
Inside the jail, sysctl security.jail.devfs_ruleset returns "1".
But like mentioned, I can access all devices...

Thanks for any help,

-Harry

(not subscribed to freebsd-jail@)





Re: mount lag, umounting returns wrong "Device busy"

2013-02-15 Thread Harald Schmalzbauer
Mateusz Guzik wrote on 15.02.2013 17:50 (localtime):
> On Fri, Feb 15, 2013 at 05:43:16PM +0100, Harald Schmalzbauer wrote:
>>  Hello,
>>
>> while playing with new jail features, I recognized that manually
>> umounting doesn't work as I'd expect.
>> After jail has been destroyed, the following mountpoint is active:
>> /dev/gpt/jailname1ROOT on /.jail.jailname1 (ufs, local, read-only)
>>
>> There was var mounted to /.jail.jailname1/var but that successfully umounted.
>> 'fstat' also shows no open files in /.jail.jailname1
>>
>> But when I do 'umount /.jail.jailname' I get "Device busy" returned.
>> Some minutes later umounting works.
>> But I always have to wait some time, although nothing is open and
>> nothing is mounted above.
>>
>> Does anybody have an idea what could cause that false "Device busy"?
>>
> My guess is that the jail was not dead yet and it held a reference for
> /.jail.jailname1's vnode.
>
> jls -v should show the jail.
>
> I don't know if this can happen, but my guess is that not-yet-expired
> network connections hold reference to a jail preventing it from being
> destroyed. So I would definitely checkout netstat output. There may be
> other possibilities, but nothing obvious comes to my mind at the moment.

Good hint, I found out that returning the NIC (using jail with vnet)
takes some time and as soon as the NIC shows up back in the host, I also
can umount the jail's root mount point.
I have no idea about the internals of moving NICs. Is it "normal" that
it takes some time to return the NIC?
Almost every time I remove the jail (jail -r), I have to issue the
command twice. First, I see services getting stopped, but then the line:
  jail: kevent: No such process
'jail -r' cancels at that point (jls shows it active)
After the second 'jail -r' I get the following lines:
.
Terminated
gentlemail: removed
umount: unmount of /.jail.jailname1 failed: Device busy

Then 'jls' doesn't list the jail anymore, but the NIC still doesn't show
up in the host's network stack.
And that's the cause for keeping the root mountpoint busy...
Could that be related to the wrong umount-order with 'jail -r'?

Thanks,

-Harry
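The teardown sequence Harry describes (jail removed, epair still not back on the host, umount of the root mount point fails with "Device busy" until it returns) can be scripted so the umount is only attempted once the interface is visible again. The following sh script is an added example, not code from the thread or from the FreeBSD jail(8) sources; the jail name, epair name, mount point and 30-second timeout are assumed for illustration.

```sh
#!/bin/sh
# Added example: tear down a vnet jail and wait for its epair to return
# to the host before unmounting the jail root. While the interface is
# still being returned, the dying jail keeps a reference to the root
# vnode and umount(8) reports "Device busy".
# Jail name, interface name and mount point below are assumptions.

# Returns 0 once interface $1 is visible in the host's network stack.
iface_present() {
    ifconfig "$1" >/dev/null 2>&1
}

# Poll for interface $1 for up to $2 seconds; 0 on success, 1 on timeout.
wait_for_iface() {
    iface=$1
    deadline=$2
    while [ "$deadline" -gt 0 ]; do
        if iface_present "$iface"; then
            return 0
        fi
        sleep 1
        deadline=$((deadline - 1))
    done
    return 1
}

# Remove jail $1, then unmount root $3 only after the jail is gone from
# jls(8) and interface $2 is back on the host. A still-listed jail is
# reported rather than retried, so the operator can check 'jls -v' and
# netstat for lingering references, as suggested in the thread.
teardown_jail() {
    name=$1
    iface=$2
    root=$3
    jail -r "$name" || return 1
    if jls -j "$name" >/dev/null 2>&1; then
        echo "$name still listed by jls; check 'jls -v' and netstat" >&2
        return 1
    fi
    if ! wait_for_iface "$iface" 30; then
        echo "$iface did not return to the host within 30s" >&2
        return 1
    fi
    umount "$root"
}

# Usage with the assumed names:
#   teardown_jail jailname1 epair0a /.jail.jailname1
```

Because jail -r already tries (and fails) to unmount the root, the script expects that message from jail(8) and does its own umount afterwards; if the jail is still listed after the first jail -r, it stops instead of blindly issuing a second one.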





Re: new jail(8) ignoring devfs_ruleset?

2013-02-15 Thread Jamie Gritton

On 02/15/13 09:27, Harald Schmalzbauer wrote:

> Hello,
>
> like already posted, on 9.1-R, I highly appreciate the new jail(8) and
> jail.conf capabilities. Thanks for that extension!
>
> Accidentally I saw that "devfs_ruleset" seems to be ignored.
> If I list /dev/ I see all the host's disk devices etc.
> I set "devfs_ruleset = 4;" and "enforce_statfs = 1;" in jail.conf.
> Inside the jail, sysctl security.jail.devfs_ruleset returns "1".
> But like mentioned, I can access all devices...
>
> Thanks for any help,
>
> -Harry


devfs_ruleset is only used along with mount.devfs - do you also have
that set in jail.conf?

- Jamie
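To make Jamie's point concrete, here is an added jail.conf example (not from the thread, and not a file shipped with FreeBSD): the first jail definition reproduces the reported symptom, the second is the corrected form. The jail names, paths, hostnames and addresses are assumptions; ruleset 4 is the devfsrules_jail set from /etc/defaults/devfs.rules.

```conf
# Added example jail.conf; names, paths and addresses are assumptions.

# Global defaults applied to every jail below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
enforce_statfs = 1;

# Broken: devfs_ruleset alone does nothing, because jail(8) only applies
# it when it mounts the devfs itself. The jail sees whatever already
# sits under $path/dev, e.g. a devfs mounted by hand with no ruleset.
jailname1 {
    path = "/.jail.jailname1";
    host.hostname = "jailname1.example.net";
    ip4.addr = 192.0.2.10;
    devfs_ruleset = 4;
}

# Fixed: mount.devfs makes jail(8) mount a devfs on $path/dev and apply
# devfs_ruleset to it, hiding the host's disk devices from the jail.
jailname2 {
    path = "/.jail.jailname2";
    host.hostname = "jailname2.example.net";
    ip4.addr = 192.0.2.11;
    mount.devfs;
    devfs_ruleset = 4;
}
```

After starting jailname2, `jls -j jailname2 devfs_ruleset` on the host should print 4, and `ls /.jail.jailname2/dev` should show only the nodes permitted by that ruleset rather than the host's full device tree.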
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"