sysvipc in jails + CURRENT
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Sat Aug 7 17:10:07 UTC 2010
On Thu, 22 Jul 2010, Isaac Levy wrote:
Hi ike,
long time no see.
> I could be doing something stupid, or I've dug up an old bug,
> (http://www.mail-archive.com/freebsd-jail@freebsd.org/msg00859.html).
>
> I cannot get good ol' trusty enforce_statfs to work, allowing me to see
> different mounts from within a jail.
>
> --
> The example jail command I'm using, (new-style),
> jail -c path=$JDIR host.hostname=$JHOSTNAME ip4.addr="$INET" enforce_statfs=1 command=/bin/sh /etc/rc
>
> I've tried everything- including attempting to change my sysctls over
> and over, (including /etc/sysctl.conf with rebooting).
> Interestingly:
> The old standard 'security.jail.enforce_statfs' was not something I
> could modify, *until* I put a sysctl value in /etc/sysctl.conf which was
> not 0 (1 or 2 both will let me set the sysctl value once the system is
> booted).
> If I have "security.jail.enforce_statfs=0", to my surprise, I cannot
> change that sysctl on the host system as I would usually expect.
> (This is what makes me think this smells like a bug)
>
> My extra mounts are UFS volumes, mounted right into the jail directory,
> (on another ufs volume).
>
> What follows, are just machine stats if anyone wants them?
>
> I'd love any thoughts, urls, no matter how brief...
I am confused but maybe I can help you with some explanation:
1) do not change the sysctl anywhere; that is neither in sysctl.conf
nor by other magic or by hand. The default on 8 and 9 should be
2. You can check that with sysctl security.jail.enforce_statfs
still I think.
2) Creating a new jail
> jail -c path=/jail/j1 persist
I can see:
> jexec 1 mount
192.168.5.1:/zoo/bz/HEAD on / (nfs)
And
> jls -s -j 1 enforce_statfs
enforce_statfs=2
confirms the default.
3) modifying the jail:
> jail -m jid=1 enforce_statfs=1
I can now see:
> jexec 1 mount
192.168.5.1:/zoo/bz/HEAD on / (nfs)
devfs on /dev (devfs, local, multilabel)
192.168.5.1:/zoo/bz on /zoo/bz (nfs)
And jls confirms that the modification was successful:
> jls -s -j 1 enforce_statfs
enforce_statfs=1
4) If you lower the default by changing the sysctl, all your jails
that have a higher level will be lowered as well.
5) But if you up the default again, they won't change back up.
I think that you are right, that there is a bug here, as 4) and 5)
should be working the other way round I think.
Anyway, the summary is: if you don't change the default a
jail -c enforce_statfs=1 ...
should just work fine.
Hope this helps.
/bz
--
Bjoern A. Zeeb This signature is about you not me.
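
An added example, not part of the original message: a small audit that lists jails whose enforce_statfs is lower than an expected level, which is the drift point 4) above describes (lower values show the jail more mount points, as steps 2) and 3) demonstrate). The function names and the sample data are constructed for illustration; the input format assumed is the name=value output of `jls -n jid name enforce_statfs`.

```shell
#!/bin/sh
# Added example: audit jail enforce_statfs levels against an expected minimum.
# Input: name=value lines as printed by `jls -n jid name enforce_statfs`.

# Print "jid name level" for every jail whose enforce_statfs is below $1.
audit_enforce_statfs() {
    want=$1
    while read -r line; do
        jid= name= level=
        for kv in $line; do
            case $kv in
                jid=*)            jid=${kv#jid=} ;;
                name=*)           name=${kv#name=} ;;
                enforce_statfs=*) level=${kv#enforce_statfs=} ;;
            esac
        done
        # Skip lines without a valid level (0, 1 or 2) rather than guessing.
        case $level in
            0|1|2) ;;
            *) continue ;;
        esac
        if [ "$level" -lt "$want" ]; then
            echo "$jid $name $level"
        fi
    done
}

# Constructed sample input (not captured from a real host).
sample_jls_output() {
    cat <<'EOF'
jid=1 name=j1 enforce_statfs=1
jid=2 name=web enforce_statfs=2
jid=3 name=build enforce_statfs=0
EOF
}

# On a FreeBSD host the live check would be:
#   jls -n jid name enforce_statfs | audit_enforce_statfs 2
# Here the constructed sample is used so the script runs anywhere.
sample_jls_output | audit_enforce_statfs 2
```

Running it after any change to security.jail.enforce_statfs shows which jails ended up below the level you intended.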