changing cpuset of jail from inside of jail - is it feature?

Miroslav Lachman 000.fbsd at quip.cz
Mon Apr 27 21:48:34 UTC 2009


Bjoern A. Zeeb wrote:
> On Fri, 24 Apr 2009, Miroslav Lachman wrote:
> 
>> Bjoern A. Zeeb wrote:
>>
>> [...]
>>
>>> Ok, I am not sure what is going wrong here; well I know but I don't
>>> know if it's intended in cpuset.  Trying to talk to the right people
>>> but they seem to be AWOL atm.
>>>
>>>
>>> If you are brave, you could try:
>>>
>>> http://people.freebsd.org/~bz/20090423-01-cpuset-jails.diff
>>>
>>> I haven't even compiled it yet. It may work, it may not work, it may
>>> make your machine panic, ... just to warn you.
>>>
>>> It should still allow you to create further sets within a jail but you
>>> should not be able to change the "root set" of the jail from inside
>>> the jail anymore (in case it works;)
>>
>>
>> I did just a quick test. (OK, not so quick, because compilation inside
>> Qemu on my old PC takes 2 hours ;])
>> It compiles without problems and did what I expected:
>>
> ...
> 
>> I have no real multicore machine to test it more deeply. (I can't test
>> it on production servers, and the spare machine is blocked by another task.)
>>
>> Will this fix be included in 7.2-RELEASE, or is it too late to commit
>> this fix?
> 
> 
> FreeBSD 7/7.2 just got a BUGS entry for the man pages.  The patch will
> not make it;  it's still waiting review for HEAD and possibly
> discussion if a super user inside a jail would still be allowed to
> further restrict the cpuset (but not extend it).

OK, thank you for the information.

Allowing root inside the jail to further restrict the cpuset for some
services running inside the jail seems useful to me.

Just to inform others, this issue has PR number 134050:
http://www.freebsd.org/cgi/query-pr.cgi?pr=134050

Miroslav Lachman