Re: podman on FreeBSD-14.2

2025-01-21 Thread Mohammad Noureldin
Hi J.R.! 1st of all thanks a lot for using and testing Podman and OCI Containers in general on FreeBSD. Above all many thanks for digging deeper and coming to the root cause 👊. To help others who may not be on the FreeBSD Jails mailing list, whenever you have time would you please create an issu

Re: podman on FreeBSD-14.2

2025-01-20 Thread J.R. Oldroyd
On Mon, 20 Jan 2025 23:33:57 +0100 "J.R. Oldroyd" wrote: > > ... > > # podman run --rm docker.io/dougrabson/hello > Error: OCI runtime error: ocijail: mounting > {"destination":"/etc/resolv.conf","source":"/var/run/containers/storage/zfs-containers/5c1e19e58fe4e99d419e0f4b717dfad80b984070f6056d4

Re: jail services in podman

2025-01-14 Thread JH Foo
configure the container to run off jail /etc/rc.conf services? If you do that, no issues, *but* the container will exit as soon as rc.conf startup finished (as the ENTRYPOINT or CMD has completed). OCI containers are not the same as jails in this respect, by default. This is interesting to note.

Re: Podman jail support

2025-01-05 Thread Mohammad Noureldin
Hi Paige! I hope you had nice holidays and happy new year! On Mon, Dec 16, 2024 at 6:21 PM Mohammad Noureldin < moham...@thelightbird.com> wrote: > Hi Paige! > > On Fri, Dec 13, 2024 at 8:22 PM wrote: > >> Hey Mohammad, >> >> IIRC, that link you shared is the exact set of steps that I followed.

Re: jail services in podman

2025-01-04 Thread Stephan Lichtenauer
"Dave Cottlehuber" writes: On Fri, 3 Jan 2025, at 19:42, JH Foo wrote: Can you elaborate how CMD helps to determine (quote) minimal dependencies are for each daemon or service? What happens if I were to If you run a normal startup with /etc/rc then that container will expect all the freeb

Re: jail services in podman

2025-01-03 Thread Dave Cottlehuber
On Fri, 3 Jan 2025, at 19:42, JH Foo wrote: > Can you elaborate how CMD helps to determine (quote) minimal > dependencies are for each daemon or service? What happens if I were to If you run a normal startup with /etc/rc then that container will expect all the freebsd goodies - syslog, utx, cron,

Re: jail services in podman

2025-01-03 Thread JH Foo
Can you elaborate how CMD helps to determine (quote) minimal dependencies are for each daemon or service? What happens if I were to configure the container to run off jail /etc/rc.conf services? On 1/3/2025 1:56 AM, Dave Cottlehuber wrote: On Tue, 31 Dec 2024, at 17:16, JH Foo wrote: Not sure

Re: Podman jail support

2025-01-02 Thread Dave Cottlehuber
On Fri, 13 Dec 2024, at 03:41, pa...@paige.bio wrote: > Hi, > > I was just wondering if anybody knew anything about this error: > > ❯ sudo podman run --rm docker.io/dougrabson/hello > Error: OCI runtime error: ocijail: error calling jail_attach: Invalid argument > > Was wondering if there's a k

Re: jail services in podman

2025-01-02 Thread Dave Cottlehuber
On Tue, 31 Dec 2024, at 17:16, JH Foo wrote: > Not sure if this is a jail or podman thing: I'm learning about running > apps in Podman, and the recommendation seems to be to include a CMD in > Containerfile/Dockerfile. When the binary called by the CMD ends, the > jail is stopped. In the example

Re: setting VNET tunables in a new jail

2024-12-19 Thread Mark Johnston
eebsd.org/D41825><https://reviews.freebsd.org/D41825 > >> <https://reviews.freebsd.org/D41825>> . > >> > >> For short, `kenv some.kenv=foo`, and then create vnet jail, `jail -c xxx > >> persist` . > > > > Oh nice, I didn't know ab

Re: setting VNET tunables in a new jail

2024-12-18 Thread Zhenlei Huang
some.kenv=foo`, and then create vnet jail, `jail -c xxx >> persist` . > > Oh nice, I didn't know about that. > >> Those commits are not MFCed to stable/14 and stable/13, as I'm not satisfied >> with the implementation. The current implementation is somewha

Re: setting VNET tunables in a new jail

2024-12-18 Thread Mark Johnston
1825> . > > For short, `kenv some.kenv=foo`, and then create vnet jail, `jail -c xxx > persist` . Oh nice, I didn't know about that. > Those commits are not MFCed to stable/14 and stable/13, as I'm not satisfied > with the implementation. The current implementation

Re: setting VNET tunables in a new jail

2024-12-17 Thread Zhenlei Huang
ort, `kenv some.kenv=foo`, and then create vnet jail, `jail -c xxx > persist` . > > Those commits are not MFCed to stable/14 and stable/13, as I'm not satisfied > with the implementation. The current implementation is somewhat hacky > and I planned to re-work it. > >> I&#

Re: setting VNET tunables in a new jail

2024-12-17 Thread Zhenlei Huang
FCed to stable/14 and stable/13, as I'm not satisfied with the implementation. The current implementation is somewhat hacky and I planned to re-work it. > I'd find it useful to be able to pass a set of tunables to jail_set(2), > so that corresponding VNET jail has tunables set to the sp

Re: setting VNET tunables in a new jail

2024-12-17 Thread Kyle Evans
On 12/17/24 16:11, Mark Johnston wrote: On Tue, Dec 17, 2024 at 03:46:53PM -0600, Kyle Evans wrote: On 12/17/24 15:19, Mark Johnston wrote: We have a number of sysctls which are defined as tunables, whose values cannot be changed after boot. Some of these sysctls, such as net.fibs, are per-VNE

Re: setting VNET tunables in a new jail

2024-12-17 Thread Mark Johnston
On Tue, Dec 17, 2024 at 03:46:53PM -0600, Kyle Evans wrote: > On 12/17/24 15:19, Mark Johnston wrote: > > We have a number of sysctls which are defined as tunables, whose values > > cannot be changed after boot. Some of these sysctls, such as net.fibs, > > are per-VNET so could in principle be cha

Re: setting VNET tunables in a new jail

2024-12-17 Thread Kristof Provost
On 17 Dec 2024, at 22:49, Mark Johnston wrote: > I do see one wrinkle: when an interface is moved into a jail with > net.fibs > 1 and assigned to a FIB that's invalid in the host, we need > to somehow reset the interface FIB when the interface is moved back. > > I suspect it's fine to just reset th

Re: setting VNET tunables in a new jail

2024-12-17 Thread Mark Johnston
them to be modified. > > I’m not aware of any where it’d be unsafe. Most of them are tuneables because > they’d be annoying to make run-time configurable. (e.g. > net.pf.states_hashsize would involve allocating a new hash table and > re-hashing existing states into it. It’s possible

Re: setting VNET tunables in a new jail

2024-12-17 Thread Kyle Evans
On 12/17/24 15:19, Mark Johnston wrote: We have a number of sysctls which are defined as tunables, whose values cannot be changed after boot. Some of these sysctls, such as net.fibs, are per-VNET so could in principle be changed at jail creation time. I'd find it useful to be able to pass a set

Re: setting VNET tunables in a new jail

2024-12-17 Thread Kristof Provost
t see many obvious problems > with allowing them to be modified. I’m not aware of any where it’d be unsafe. Most of them are tuneables because they’d be annoying to make run-time configurable. (e.g. net.pf.states_hashsize would involve allocating a new hash table and re-hashing existing

Re: Podman jail support

2024-12-16 Thread Mohammad Noureldin
Hi Paige! On Fri, Dec 13, 2024 at 8:22 PM wrote: > Hey Mohammad, > > IIRC, that link you shared is the exact set of steps that I followed. > OK, I will try also from my side and come back to you on this as soon as I can. Thanks for sharing your findings so far 👍 > > Thanks, > > -Paige > > >

Re: Podman jail support

2024-12-13 Thread paige
Hey Mohammad, IIRC, that link you shared is the exact set of steps that I followed. Thanks, -Paige Sent from my iPhone On Dec 13, 2024, at 2:48 AM, Mohammad Noureldin wrote: Hi Paige, On Fri, Dec 13, 2024 at 3:42 AM wrote: Hi, I was just wondering if anybody knew anything about this error: ❯ sudo

Re: Podman jail support

2024-12-13 Thread Mohammad Noureldin
Hi Paige, On Fri, Dec 13, 2024 at 3:42 AM wrote: > Hi, > > I was just wondering if anybody knew anything about this error: > > ❯ sudo podman run --rm docker.io/dougrabson/hello > Error: OCI runtime error: ocijail: error calling jail_attach: Invalid > argument > > Was wondering if there's a kernel

Re: Devfs error with hierarchical jails

2024-09-27 Thread James Gritton
On 2024-09-27 05:01, Quentin Thébault wrote: I am trying to make iocage usable in hierarchical jail scenarios. I think I solved most issues in the code, but devfs is giving me a hard time. I put the following configuration both at the level1 and level2 jail: - allow_mount=1 - allow_mount_devfs

Re: I can get zfs snapshot/rollback in a jail to work 99% but it isn't quite 100% working. What am I missing?

2023-11-06 Thread DtxdF
> So as I mentioned I've been able to jail the dataset. It gets mounted upon > starting the jail. It shows up in "zfs list". If you can see your dataset with `zfs-list(8)` it does not mean that it is mounted. You should check it using `mount -t zfs` or `zfs mount`. > And when I do zfs snapshot on th

Re: I can get zfs snapshot/rollback in a jail to work 99% but it isn't quite 100% working. What am I missing?

2023-11-06 Thread Chris Watson
So as I mentioned I've been able to jail the dataset. It gets mounted upon starting the jail. It shows up in "zfs list". And when I do zfs snapshot on the dataset it appears to create the snapshot as it shows up in a "zfs list -t snapshot" but the snapdir isn't visible even after setting snapdir to visi

Re: I can get zfs snapshot/rollback in a jail to work 99% but it isn't quite 100% working. What am I missing?

2023-11-06 Thread DtxdF
Hi Chris, Maybe your dataset is not mounted inside the jail. I thought that simply enabling `/etc/rc.d/zfs` was fine, but no, it just doesn't work. I don't know if this behavior is a bug or something else, but at the moment I don't have time to investigate. I have a similar setup for a jail wi

Re: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls

2023-09-22 Thread Alexander Leidinger
Am 2023-09-22 14:02, schrieb Konstantin Belousov: On Fri, Sep 22, 2023 at 01:44:33PM +0200, Alexander Leidinger wrote: Hi, I'm trying to debug an issue with pinentry-tty. The reason is that I want to export a gpg secret key, but it fails when the gpg-agent tries to ask for the PW. An alternat

Re: Opening of /dev/pts/3 fails in jail (no such file), but it is visible in ls

2023-09-22 Thread Konstantin Belousov
On Fri, Sep 22, 2023 at 01:44:33PM +0200, Alexander Leidinger wrote: > Hi, > > I'm trying to debug an issue with pinentry-tty. The reason is that I want to > export a gpg secret key, but it fails when the gpg-agent tries to ask for > the PW. An alternative way to export the key works, but the main

Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

2023-06-29 Thread Shivank Garg
Thank you Alex. :) I checked with this patch. My changes are working with it. Best Regards, Shivank On Thu, 29 Jun 2023 at 12:35, Alexander Chernikov wrote: > > > On 28 Jun 2023, at 22:59, Alexander Chernikov > wrote: > > > > On Wed, 28 Jun 2023, at 6:30 AM, Shivank Garg wrote: > > Hi Alexande

Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

2023-06-29 Thread Alexander Chernikov
> On 28 Jun 2023, at 22:59, Alexander Chernikov wrote: > > > > On Wed, 28 Jun 2023, at 6:30 AM, Shivank Garg wrote: >> Hi Alexander, >> >> Thanks for replying. >> I think it would mean struct prison info is lost, when it reaches ioctl >> code, Is there some way we can get jail id? > Yes, yo

Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

2023-06-28 Thread Alexander Chernikov
On Wed, 28 Jun 2023, at 6:30 AM, Shivank Garg wrote: > Hi Alexander, > > Thanks for replying. > I think it would mean struct prison info is lost, when it reaches ioctl code, > Is there some way we can get jail id? Yes, you should add the hook to the netlink handler. > > Another question I have

Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

2023-06-27 Thread Shivank Garg
Hi Alexander, Thanks for replying. I think it would mean struct prison info is lost when it reaches ioctl code. Is there some way we can get jail id? Another question I have: prison_check_ip4 still relies on checking struct prison for flags and ip addr. https://github.com/freebsd/freebsd-src/blo

Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

2023-06-27 Thread Alexander Chernikov
On Fri, 23 Jun 2023, at 10:27 AM, Alexander Chernikov wrote: > > > On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote: >> Hi, >> >> I want to check credentials of the thread setting the IP address with >> SIOCAIFADDR ioctl. >> If the thread is jailed (jailed(td_ucred) == 1), I'm applying som

Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

2023-06-23 Thread Alexander Chernikov
On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote: > Hi, > > I want to check credentials of the thread setting the IP address with > SIOCAIFADDR ioctl. > If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on > ip address. > > My expectation was that (cred->cr_prison !

Re: What's going on with vnets and epairs w/ addresses?

2023-01-17 Thread Mark Johnston
On Tue, Dec 20, 2022 at 08:50:09PM +, Bjoern A. Zeeb wrote: > On Tue, 20 Dec 2022, Mark Johnston wrote: > > > On Sun, Dec 18, 2022 at 10:52:58AM -0600, Kyle Evans wrote: > >> On Sat, Dec 17, 2022 at 11:22 AM Gleb Smirnoff wrote: > >>> > >>> Zhenlei, > >>> > >>> On Fri, Dec 16, 2022 at 06:30

[Bug 222951] Re-starting a jail with mount.devfs mounts devfs multiple times

2023-01-17 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222951 --- Comment #2 from Zhenlei Huang --- (In reply to VK from comment #0) > The problem seems to be when the (nopersist) jail is stopped by itself > because all > the processes in it have exited, so it wasn't explicitly `jail -r`. When that

Re: prison_flag() check in hot path of in_pcblookup()

2023-01-09 Thread Gleb Smirnoff
On Tue, Dec 13, 2022 at 11:54:17PM +, Bjoern A. Zeeb wrote: B> On Tue, 13 Dec 2022, Andrew Gallatin wrote: B> B> > [ I added pjd, since the original patch came from him ] B> > B> > Just to make sure I understand, I have a simple yes/no question: B> > B> > Can jails and the host ever share the

Re: Propose a new stage `vnet_shutdown` before `vnet_destroy`

2023-01-06 Thread Zhenlei Huang
> On Dec 19, 2022, at 1:44 AM, James Gritton wrote: > > On 2022-12-18 00:01, Zhenlei Huang wrote: >> I'm currently working on route nexthop caching feature for tunneling >> interfaces such as >> if_gif, if_gre, if_vxlan, and potentially if_wg. I encounter a nasty >> bug related to VNET lifecyc

Re: What's going on with vnets and epairs w/ addresses?

2023-01-02 Thread Zhenlei Huang
Hi, Happy New Year 2023! > On Dec 27, 2022, at 4:42 AM, Gleb Smirnoff wrote: > > Zhenlei, Bjoern, Mark, > > sorry for delayed response on this thread. Back when the problem > was first introduced, I made a code that forces purge of SMR zones. > However, I didn't push it in, hence the change on

Re: debian jail, setting max open files soft limit does not work

2022-12-28 Thread Mathias Picker
-- Mathias Picker Geschäftsführer mathias.pic...@virtual-earth.de virtual earth Gesellschaft für Wissens re/prä sentation mbH http://www.virtual-earth.de/ HRB126870 supp...@virtual-earth.de Westendstr. 142 089 / 1250 3943

Re: debian jail, setting max open files soft limit does not work

2022-12-27 Thread Mateusz Guzik
On 12/27/22, Mathias Picker wrote: > Hi all, > > > I’ve set up a jail on 13.1 running debian stretch, and now a > triplestore needing many openfiles for a data import. > > Since on Linux the soft limit is pretty hard :) I need to set the > soft limit. > > I’ve edited /etc/security/limits.conf to s

Re: What's going on with vnets and epairs w/ addresses?

2022-12-26 Thread Gleb Smirnoff
Zhenlei, Bjoern, Mark, sorry for delayed response on this thread. Back when the problem was first introduced, I made a code that forces purge of SMR zones. However, I didn't push it in, hence the change on the test suite side to remove interfaces from inside the jail before destroying it was suf

Re: Is it possible to employ epoch to simplify managing prison lifecycle

2022-12-24 Thread Alexander V. Chernikov
> On 23 Dec 2022, at 15:27, Mateusz Guzik wrote: > > On 12/23/22, Alexander V. Chernikov wrote: >> >> >>> On 16 Dec 2022, at 16:29, Mateusz Guzik wrote: >>> >>> On 12/16/22, Zhenlei Huang wrote: Hi, While hacking `sys/kern/kern_jail.c` I got lost. There're lots

Re: Is it possible to employ epoch to simplify managing prison lifecycle

2022-12-23 Thread Mateusz Guzik
On 12/23/22, Alexander V. Chernikov wrote: > > >> On 16 Dec 2022, at 16:29, Mateusz Guzik wrote: >> >> On 12/16/22, Zhenlei Huang wrote: >>> Hi, >>> >>> While hacking `sys/kern/kern_jail.c` I got lost. >>> >>> There're lots of ref / unref and flags to prevent visiting an invalid prison >>> while >>> c

Re: Is it possible to employ epoch to simplify managing prison lifecycle

2022-12-23 Thread Alexander V. Chernikov
> On 16 Dec 2022, at 16:29, Mateusz Guzik wrote: > > On 12/16/22, Zhenlei Huang wrote: >> Hi, >> >> While hacking `sys/kern/kern_jail.c` I got lost. >> >> There're lots of ref / unref and flags to prevent visiting an invalid prison >> while >> concurrent modification is possible and some refs loo

Re: What's going on with vnets and epairs w/ addresses?

2022-12-22 Thread Gleb Smirnoff
On Sun, Dec 18, 2022 at 10:52:58AM -0600, Kyle Evans wrote: K> It still behaved much better prior to eb93b99d6986, which you and Mark K> were going to work on a solution for to allow the cred "leak" to close K> up much more quickly. CC markj@, since I think it's been six months K> since the last ti

Re: What's going on with vnets and epairs w/ addresses?

2022-12-22 Thread Zhenlei Huang
> > On Dec 21, 2022, at 12:12 AM, Mark Johnston > wrote: > > On Sun, Dec 18, 2022 at 10:52:58AM -0600, Kyle Evans wrote: >> On Sat, Dec 17, 2022 at 11:22 AM Gleb Smirnoff > > wrote: >>> >>> Zhenlei, >>> >>> On Fri, Dec 16, 2022 at 06:30:57

Re: What's going on with vnets and epairs w/ addresses?

2022-12-20 Thread Bjoern A. Zeeb
On Tue, 20 Dec 2022, Mark Johnston wrote: On Sun, Dec 18, 2022 at 10:52:58AM -0600, Kyle Evans wrote: On Sat, Dec 17, 2022 at 11:22 AM Gleb Smirnoff wrote: Zhenlei, On Fri, Dec 16, 2022 at 06:30:57PM +0800, Zhenlei Huang wrote: Z> I managed to repeat this issue on CURRENT/14 with this sma

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-20 Thread Mark Johnston
On Tue, Dec 13, 2022 at 11:54:17PM +, Bjoern A. Zeeb wrote: > On Tue, 13 Dec 2022, Andrew Gallatin wrote: > > > [ I added pjd, since the original patch came from him ] > > > > Just to make sure I understand, I have a simple yes/no question: > > > > Can jails and the host ever share the same (

Re: What's going on with vnets and epairs w/ addresses?

2022-12-20 Thread Mark Johnston
On Sun, Dec 18, 2022 at 10:52:58AM -0600, Kyle Evans wrote: > On Sat, Dec 17, 2022 at 11:22 AM Gleb Smirnoff wrote: > > > > Zhenlei, > > > > On Fri, Dec 16, 2022 at 06:30:57PM +0800, Zhenlei Huang wrote: > > Z> I managed to repeat this issue on CURRENT/14 with this small snip: > > Z> > > Z>

Re: Propose a new stage `vnet_shutdown` before `vnet_destroy`

2022-12-18 Thread James Gritton
On 2022-12-18 00:01, Zhenlei Huang wrote: I'm currently working on route nexthop caching feature for tunneling interfaces such as if_gif, if_gre, if_vxlan, and potentially if_wg. I encounter a nasty bug related to VNET lifecycle. More precisely I'd like to call `rib_unsubscribe()` to unsubscribe

Re: What's going on with vnets and epairs w/ addresses?

2022-12-18 Thread Kyle Evans
On Sat, Dec 17, 2022 at 11:22 AM Gleb Smirnoff wrote: > > Zhenlei, > > On Fri, Dec 16, 2022 at 06:30:57PM +0800, Zhenlei Huang wrote: > Z> I managed to repeat this issue on CURRENT/14 with this small snip: > Z> > Z> --- > Z> #!/bin/sh > Z> > Z> # test jail

Re: What's going on with vnets and epairs w/ addresses?

2022-12-18 Thread Bjoern A. Zeeb
stroying a jail, like I did in 80fc25025ff. Ok, move an em0 or cxl0 into the jail; the problem will be the same I bet and you need the physical interface to not disappear as then you cannot re-create a new jail with it. Re-read sys/kern/kern_jail.c, if pr_ref leaks, vnet_destroy() has

Re: What's going on with vnets and epairs w/ addresses?

2022-12-17 Thread Zhenlei Huang
ndergoes >> if_vmove doesn't >> carry any useful information. With Alexander melifaro@ we discussed better >> options >> for creating or attaching interfaces to jails that if_vmove. Until they are >> ready >> the most easy workaround to deal with annoying

Re: What's going on with vnets and epairs w/ addresses?

2022-12-17 Thread Bjoern A. Zeeb
we discussed better options for creating or attaching interfaces to jails that if_vmove. Until they are ready the most easy workaround to deal with annoying epair(4) come back problem is to remove it manually before destroying a jail, like I did in 80fc25025ff. Ok, move an em0 or cxl0 into the ja

Re: What's going on with vnets and epairs w/ addresses?

2022-12-17 Thread Gleb Smirnoff
Zhenlei, On Fri, Dec 16, 2022 at 06:30:57PM +0800, Zhenlei Huang wrote: Z> I managed to repeat this issue on CURRENT/14 with this small snip: Z> Z> --- Z> #!/bin/sh Z> Z> # test jail name Z> n="test_ref_leak" Z> Z> jail -c name=$n path=/ vnet persist Z>

Re: What's going on with vnets and epairs w/ addresses?

2022-12-17 Thread Zhenlei Huang
> On Dec 17, 2022, at 6:55 AM, Bjoern A. Zeeb > wrote: > > On Fri, 16 Dec 2022, Zhenlei Huang wrote: > > Hi, > >> I managed to repeat this issue on CURRENT/14 with this small snip: >> >> --- >> #!/bin/sh >> >> # test jail name

Re: What's going on with vnets and epairs w/ addresses?

2022-12-16 Thread Bjoern A. Zeeb
On Fri, 16 Dec 2022, Zhenlei Huang wrote: Hi, I managed to repeat this issue on CURRENT/14 with this small snip: --- #!/bin/sh # test jail name n="test_ref_leak" jail -c name=$n path=/ vnet persist # The following line trigger jail pr_ref leak jexec $n

Re: Is it possible to employ epoch to simplify managing prison lifecycle

2022-12-16 Thread James Gritton
On 2022-12-16 06:41, Zhenlei Huang wrote: While hacking `sys/kern/kern_jail.c` I got lost. There're lots of ref / unref and flags to prevent visiting an invalid prison while concurrent modification is possible and some refs look weird. Is it possible to employ epoch(9) to simplify managing of p

Re: Is it possible to employ epoch to simplify managing prison lifecycle

2022-12-16 Thread Mateusz Guzik
On 12/16/22, Zhenlei Huang wrote: > Hi, > > While hacking `sys/kern/kern_jail.c` I got lost. > > There're lots of ref / unref and flags to prevent visiting an invalid prison > while > concurrent modification is possible and some refs look weird. > > Is it possible to employ epoch(9) to simplify managi

Re: What's going on with vnets and epairs w/ addresses?

2022-12-16 Thread Zhenlei Huang
Hi, I managed to repeat this issue on CURRENT/14 with this small snip: --- #!/bin/sh # test jail name n="test_ref_leak" jail -c name=$n path=/ vnet persist # The following line trigger jail pr_ref leak jexec $n ifconfig lo0 inet 127.0.0.1/8 jail -R $n #

Re: What's going on with vnets and epairs w/ addresses?

2022-12-14 Thread Kristof Provost
> On 14 Dec 2022, at 20:28, Alexander Leidinger wrote: > >  > Quoting "Bjoern A. Zeeb" (from Tue, 13 Dec 2022 23:03:42 > + (UTC)): > >> Hi, >> >> I have used scripts like the below for almost a decade and a half >> (obviously doing more than that in the middle). I haven't used them >

Re: What's going on with vnets and epairs w/ addresses?

2022-12-13 Thread Alexander Leidinger
Quoting "Bjoern A. Zeeb" (from Tue, 13 Dec 2022 23:03:42 + (UTC)): Hi, I have used scripts like the below for almost a decade and a half (obviously doing more than that in the middle). I haven't used them much lately but given other questions I just wanted to fire up a test. I have a

Re: What's going on with vnets and epairs w/ addresses?

2022-12-13 Thread Zhenlei Huang
Hi, I also encounter this problem while testing gif tunnel between jails. My script is similar but with additional gif tunnels. There are reports in mailing list [1], [2], and another one in forum [3]. Seems to be a long-standing issue. [1] https://lists.freebsd.org/pipermail/freebsd-stable/

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread Bjoern A. Zeeb
On Tue, 13 Dec 2022, Andrew Gallatin wrote: [ I added pjd, since the original patch came from him ] Just to make sure I understand, I have a simple yes/no question: Can jails and the host ever share the same (local) port and the same IP? Can they currently (I tested only for TCP)? - local

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread James Gritton
On 2022-12-13 11:03, Bjoern A. Zeeb wrote: In either case, a perfect 4-tuple match should be enough to uniquely identify the connection. Even if this somehow is not the case and we have multiple connections somehow sharing the same 4-tuple, how does checking the prison flag help us? That

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread Bjoern A. Zeeb
On Tue, 13 Dec 2022, Andrew Gallatin wrote: Are there regression tests for jails where this patch could be run to ensure it is safe? Not that I know of but it would certainly be good to have one for that case. But it's likely not going to be deterministic so the question will be more of the case

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread Bjoern A. Zeeb
On Tue, 13 Dec 2022, James Gritton wrote: Hi, Argh, sorry Drew, I looked at the wrong of the two checks in the function earlier. Sorry, that's what happens if trying to be helpful when firefighting elsewhere. On 2022-12-13 09:18, Andrew Gallatin wrote: I was trying to improve the performance

Re: prison_flag() check in hot path of in_pcblookup()

2022-12-13 Thread James Gritton
On 2022-12-13 09:18, Andrew Gallatin wrote: I was trying to improve the performance of in_pcblookup(), as it is a very hot path for us (Netflix). One thing I noticed was the prison_flag() check in in_pcblookup_hash_locked() can cause a cache miss just by deref'ing the cred pointer, and it can

Re: jail created with ip4=new and ipv4.addr shows ip4=disable on jail -s

2022-07-24 Thread Kurt Jaeger
Hi! > > On a 13.1 box: > > > > The jail is created with: > > > > /usr/sbin/jail -c allow.raw_sockets allow.sysvipc devfs_ruleset=4 > > host.hostname=somehostname path=/somepath ip4=new ip4.addr= > > ip6=new ip6.addr= command=/bin/sh /etc/rc > > But: > > jail -s > > displays: > > [...] ip4=disab

Re: jail created with ip4=new and ipv4.addr shows ip4=disable on jail -s

2022-07-23 Thread James Gritton
On 2022-07-23 04:56, Kurt Jaeger wrote: Hello, On a 13.1 box: The jail is created with: /usr/sbin/jail -c allow.raw_sockets allow.sysvipc devfs_ruleset=4 host.hostname=somehostname path=/somepath ip4=new ip4.addr= ip6=new ip6.addr= command=/bin/sh /etc/rc But: jail -s displays: [...] ip4=d

Re: Container Networking for jails

2022-07-04 Thread Doug Rabson
I think it's important that configuring the container network does not rely on any utilities from inside the container - for one thing, there are no guarantees that these utilities even exist inside the container and as you note, local versions may be incompatible. On the subject of risk, with the

Re: Container Networking for jails

2022-07-03 Thread Gijs Peskens
I went with exactly the same design for the Docker port I started a while ago. The reason I went with that design is that there weren't any facilities to modify a jail's vnet network configuration from outside of the jail. So it's needed to enter the jail, run ifconfig et al. Linux jails will lac

Re: FreeBSD 12.3-p5: problems vnet on if_bridge

2022-05-24 Thread FreeBSD User
On Tue, 24 May 2022 09:52:46 + Ole wrote: Hello, > Hello, > > could you solve the problem? I think I ran into the same problem. > I opened a Ticket. I couldn't solve the problem. > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264198 > > It seems to be related to IPFW and affects

Re: FreeBSD 12.3-p5: problems vnet on if_bridge

2022-05-24 Thread Ole Lemke
Hello, could you solve the problem? I think I ran into the same problem. I opened a Ticket. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264198 It seems to be related to IPFW and affects vnet-Jails and also bhyve VMs. regards Ole Wed, 11 May 2022 20:47:55 +0200 - FreeBSD User : > On Tue,

Re: Auto-jailing of services - 2nd implementation

2022-05-16 Thread Alexander Leidinger
Quoting FreeBSD User (from Sun, 15 May 2022 12:49:06 +0200): On Sun, 03 Apr 2022 21:48:42 +0200 Alexander Leidinger wrote: Hi, attached is a new implementation of service jails (auto-jailing of services). This one now supports rc command prefixes (e.g. onestart) and I tested it in nested

Re: Auto-jailing of services - 2nd implementation

2022-05-15 Thread FreeBSD User
On Sun, 03 Apr 2022 21:48:42 +0200 Alexander Leidinger wrote: > Hi, > > attached is a new implementation of service jails (auto-jailing of > services). This one now supports rc command prefixes (e.g. onestart) > and I tested it in nested jails. The benefit of auto-jailing services > is, th

Re: FreeBSD containers with podman and buildah

2022-05-14 Thread carlos antonio neira bustos
This is great! El sáb, 14 may 2022 a la(s) 09:04, Doug Rabson (d...@rabson.org) escribió: > Recently I've been working on porting the buildah and podman container > tools to FreeBSD. Podman is a drop-in replacement for docker and > buildah focuses on the narrower problem of building container i

Re: FreeBSD 12.3-p5: problems vnet on if_bridge

2022-05-11 Thread FreeBSD User
On Tue, 10 May 2022 21:21:29 +0200 FreeBSD User wrote: > Hello, > > I ran into serious trouble setting up a FreeBSD 12.3-RELEASE-p5 host having a > second NIC > and vnet jails attached to that second NIC (basically, the host is a recent > Xigmanas with > Bastille jails, but the issue also occur

Re: injecting vars into rc-service-scripts at jail-start?

2022-04-01 Thread Alexander Leidinger
Quoting Jens Schweikhardt (from Fri, 1 Apr 2022 14:26:27 +0200 (CEST)): Identifier confusion? You use _rc_svcs and _rc_svcj in your description. Typo s/svcs/svcj/ in the explanation. The diff/code has the vars correct (svcj) and the conditional and the setting are close to each other

Re: running cron jobs setpriority permission denied

2022-03-09 Thread Sami Halabi
Hi, Thank You!! indeed that helped! Sami On Wed, Mar 9, 2022 at 11:03 AM Ronald Klop wrote: > It sounds similar to this issue. > > https://github.com/cbsd/cbsd/issues/437 "default nice 1 prevents cron in > jail #437" > > Does that help? > > Regards, > Ronald. > > > > *Van:* Sami Halabi > *Datu

Re: linux debian jail - network problems

2022-03-01 Thread Zhenlei Huang
> On Mar 1, 2022, at 6:42 PM, Sami Halabi wrote: > > How can I see the netlink wip status ? Sorry it is not currently publicly visible. FreeBSD's Phabricator is a tool that is development focused. If you're interested in it, please CC the author Alexander V. Chernikov . > > בתאריך יום ו׳, 25

Re: linux debian jail - network problems

2022-02-24 Thread Sami Halabi
Hi, Thank you for your response. I wonder if it is really only a netlink problem? There are a few problems in the logs. I don't know if they are all related only to netlink (prctl immutable for example). I also saw incompatibilities in socket.c Btw: I tried to enter the link you sent and it asked f

Re: linux debian jail - network problems

2022-02-24 Thread Sami Halabi
Hi, Added Current, maybe will be lucky ;) Anyone have an idea how to approach and fix this? Sami On Tue, 22 Feb 2022, 23:30, Sami Halabi wrote: > Hi all, > sorry for the cross post but I need help and I'm not sure where it hangs. > > I create linux jail (debian bullseye) via cbsd. > the jail

[Bug 222951] Re-starting a jail with mount.devfs mounts devfs multiple times

2021-11-10 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222951 Robert Wing changed: CC: added r...@freebsd.org --- Comment #1 from

Re: [Bug 251046] bhyve PCI passthrough does not work inside jail

2021-08-25 Thread Ernie Luzar
bugzilla-nore...@freebsd.org wrote: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251046 --- Comment #15 from Anatoli --- Mark, All, --- Comment #3 from Mark Johnston --- PRIV_IO access is not required only by /dev/io, it is also required for sysarch(I386_SET_IOPERM), which is otherwise

Re: Focker 2.0 released

2021-08-18 Thread Stanislaw Adaszewski
I know but this is too much reinventing the wheel to my taste. I think the entirety of Python should be left alone to manage using pip. Pip should take care of the signatures, checksums, etc. It is unrealistic to expect a port for every Python package. Is it supposed to be the case for every langua

Re: Focker 2.0 released

2021-08-18 Thread Miroslav Lachman
On 18/08/2021 12:04, Stanislaw Adaszewski wrote: Hi Miroslav, Thanks. For me it is really useful. Ever since I developed it, I started deploying jails like crazy. In the v1 branch there is an old port, looking for a maintainer I guess. For the moment, the only official way of installing is: pi

Re: Focker 2.0 released

2021-08-18 Thread Stanislaw Adaszewski
Hi Miroslav, Thanks. For me it is really useful. Ever since I developed it, I started deploying jails like crazy. In the v1 branch there is an old port, looking for a maintainer I guess. For the moment, the only official way of installing is: pip install git+https://github.com/sadaszewski/focker

Re: Focker 2.0 released

2021-08-18 Thread Miroslav Lachman
On 17/08/2021 22:47, Stanislaw Adaszewski wrote: I have released Focker 2.0 today with numerous improvements to API, Configurability, Plugins, Facets, Bootstrap and many other aspects. Hope you give it a try: https://github.com/sadaszewski/focker/ It looks interesting. Will it be available as

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-06 Thread Michael Gmelin
On Mon, 2 Aug 2021 22:38:54 +0200 Michael Gmelin wrote: > > On 2. Aug 2021, at 21:40, Mark Johnston wrote: > > ... > > racct/rctl provides the "swapuse" resource which should account for > > this. It does not apply to largepage objects, though. > > I tried to limit swapuse for a jail and

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-03 Thread Mark Johnston
On Mon, Aug 02, 2021 at 09:58:08PM +0200, Thomas Steen Rasmussen wrote: > On 8/2/21 9:40 PM, Mark Johnston wrote: > > Cyril has written a few patches for racct, including one which includes > > POSIX shared memory objects in rctl's "nshm" and "shmsize" resources, > > which currently only apply to S

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-02 Thread Michael Gmelin
> On 2. Aug 2021, at 21:40, Mark Johnston wrote: > > On Mon, Aug 02, 2021 at 10:03:27PM +0300, Konstantin Belousov wrote: >>> On Mon, Aug 02, 2021 at 05:06:43PM +0200, Michael Gmelin wrote: >>> >>> On 2. Aug 2021, at 15:56, Konstantin Belousov wrote: On Mon, Aug 02, 2021 a

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-02 Thread Thomas Steen Rasmussen via jail
On 8/2/21 9:40 PM, Mark Johnston wrote: Cyril has written a few patches for racct, including one which includes POSIX shared memory objects in rctl's "nshm" and "shmsize" resources, which currently only apply to SysV shm objects: https://reviews.freebsd.org/D30775 We plan to get them committed in

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-02 Thread Mark Johnston
On Mon, Aug 02, 2021 at 10:03:27PM +0300, Konstantin Belousov wrote: > On Mon, Aug 02, 2021 at 05:06:43PM +0200, Michael Gmelin wrote: > > > > > > > On 2. Aug 2021, at 15:56, Konstantin Belousov wrote: > > > > > > On Mon, Aug 02, 2021 at 02:19:00PM +0200, Michael Gmelin wrote: > > >> Hi, > > >

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-02 Thread Konstantin Belousov
On Mon, Aug 02, 2021 at 05:06:43PM +0200, Michael Gmelin wrote: > > > > On 2. Aug 2021, at 15:56, Konstantin Belousov wrote: > > > > On Mon, Aug 02, 2021 at 02:19:00PM +0200, Michael Gmelin wrote: > >> Hi, > >> > >> I've been playing a bit with POSIX shared memory and, unlike for SysV > >> sh

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-02 Thread Michael Gmelin
> On 2. Aug 2021, at 15:56, Konstantin Belousov wrote: > > On Mon, Aug 02, 2021 at 02:19:00PM +0200, Michael Gmelin wrote: >> Hi, >> >> I've been playing a bit with POSIX shared memory and, unlike for SysV >> shared memory, I couldn't find any way to limit its use by jails. >> >> First, I l

Re: POSIX shared memory, jails, and (lack of) limits

2021-08-02 Thread Konstantin Belousov
On Mon, Aug 02, 2021 at 02:19:00PM +0200, Michael Gmelin wrote: > Hi, > > I've been playing a bit with POSIX shared memory and, unlike for SysV > shared memory, I couldn't find any way to limit its use by jails. > > First, I looked at racct/rctl, but there is no resource for POSIX shared > memory
