sysvipc in jails + CURRENT

Isaac Levy ike at blackskyresearch.net
Thu Jul 22 19:46:22 UTC 2010


Hi All,

I could be doing something stupid, or I've dug up an old bug (http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00859.html).

I cannot get good ol' trusty enforce_statfs to work, allowing me to see different mounts from within a jail.

--
The example jail command I'm using (new-style):
  jail -c path=$JDIR host.hostname=$JHOSTNAME ip4.addr="$INET" enforce_statfs=1 command=/bin/sh /etc/rc

I've tried everything, including attempting to change my sysctls over and over (including /etc/sysctl.conf with rebooting).
Interestingly:
The old standard 'security.jail.enforce_statfs' was not something I could modify, *until* I put a sysctl value in /etc/sysctl.conf which was not 0 (1 or 2 both will let me set the sysctl value once the system is booted).
If I have "security.jail.enforce_statfs=0", to my surprise, I cannot change that sysctl on the host system as I would usually expect.
(This is what makes me think this smells like a bug)

My extra mounts are UFS volumes, mounted right into the jail directory, (on another ufs volume).

What follows are just machine stats, if anyone wants them.

I'd love any thoughts, urls, no matter how brief...

Best,
.ike

--
$ sysctl security.jail
security.jail.param.cpuset.id: 0
security.jail.param.host.hostid: 0
security.jail.param.host.hostuuid: 64
security.jail.param.host.domainname: 256
security.jail.param.host.hostname: 256
security.jail.param.children.max: 0
security.jail.param.children.cur: 0
security.jail.param.enforce_statfs: 0
security.jail.param.securelevel: 0
security.jail.param.path: 1024
security.jail.param.name: 256
security.jail.param.parent: 0
security.jail.param.jid: 0
security.jail.enforce_statfs: 1
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 0
security.jail.sysvipc_allowed: 0
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 0
security.jail.jail_max_af_ips: 255
security.jail.jailed: 0
--

More system stats:
FreeBSD copper 8.0-RELEASE-p4 FreeBSD 8.0-RELEASE-p4 #5: Tue Jul 20 12:33:57 EDT 2010     ike at copper.vault.tab:/usr/obj/usr/src/sys/80-amd64kernMay2010  amd64

...
# ikenote: additives to generic kernel, FreeBSD 7.2->8.0:

# HTTPD/DNS Accept Filter Support
# (queues requests in OS socket until entire request is in)
# Applications must make use of the syscall in their implementation,
# (Apache 1.x-2.x is a clear case of use).
# See the man page for accept_filter(9) for more info.
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_DNS #FreeBSD 8.0 onward only

# ZFS ADDITIVES
# http://wiki.freebsd.org/ZFSTuningGuide
# or alternatively, see: /usr/src/sys/i386/conf/NOTES
##options KVA_PAGES=512   # not required on amd64

# lagg(4) link aggregation and link failover interface
device lagg

# PF, CARP, ALTQ...
device  pf
device  pflog
device  pfsync
# ALTQ, network card queue offloading
# see the altq(4) man page for a list of supported drivers
options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

# DTRACE
options KDTRACE_HOOKS
options DDB_CTF
options KDTRACE_FRAME # amd64 only
--

dmesg
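As an added check that is not part of the post: the script below models the mount-point view a jailed process gets from statfs(2)/getfsstat(2) under each enforce_statfs level as documented in jail(8), so the expected list can be compared with what `jexec <jid> df` (or `df` inside the jail) actually shows. The function names and the host mount list are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Models the mount view a
# jailed process gets under each enforce_statfs level, per jail(8):
#   0  every host mount point, paths unchanged
#   1  the mount holding the jail root, plus mounts below the root
#      (with the jail root prefix stripped from their paths)
#   2  only the mount holding the jail root (the default)
# The mount holding the jail root is reported to the jail as "/".
# Usage: expected_mounts LEVEL JAILROOT   (host mount points on stdin, one per line)
# On the host, compare the output with:  jexec "$JID" df

# Is path $2 equal to, or a path component below, mount point $1?
under_mount() {
    case "$2" in
    "$1" | "$1"/*) return 0 ;;
    esac
    [ "$1" = "/" ] && return 0
    return 1
}

expected_mounts() {
    level=$1; root=$2
    all=$(cat)                      # host mount points, one per line
    # Longest mount point that contains the jail root: the jail's own root mount.
    rootmnt=""
    for m in $all; do
        if under_mount "$m" "$root" && [ "${#m}" -gt "${#rootmnt}" ]; then
            rootmnt=$m
        fi
    done
    for m in $all; do
        case "$level" in
        0) printf '%s\n' "$m" ;;
        1) if [ "$m" = "$rootmnt" ]; then
               printf '/\n'
           elif under_mount "$root" "$m"; then
               printf '%s\n' "${m#"$root"}"   # strip the jail root prefix
           fi ;;
        2) if [ "$m" = "$rootmnt" ]; then printf '/\n'; fi ;;
        esac
    done
    return 0
}

# Constructed sample host mount table (assumption, not the poster's system).
SAMPLE_MOUNTS='/
/usr
/usr/jails/web
/usr/jails/web/data
/usr/jails/webx
/var'
printf '%s\n' "$SAMPLE_MOUNTS" | expected_mounts 1 /usr/jails/web
```

With level 1 and jail root /usr/jails/web the sample yields "/" and "/data" (the "webx" sibling is correctly excluded); with level 2 only "/" is shown.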