Page MenuHomeFreeBSD

Provide process space virtualisation functionality for jails.
Needs ReviewPublic

Authored by bz on Jun 17 2018, 2:55 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Mar 11, 4:29 AM
Unknown Object (File)
Tue, Mar 4, 10:50 PM
Unknown Object (File)
Tue, Mar 4, 10:10 PM
Unknown Object (File)
Tue, Mar 4, 6:11 PM
Unknown Object (File)
Tue, Mar 4, 2:07 PM
Unknown Object (File)
Fri, Feb 28, 11:41 PM
Unknown Object (File)
Sat, Feb 22, 3:48 AM
Unknown Object (File)
Feb 1 2025, 12:52 AM

Details

Summary

This is the initial logic which will give a jail its own init,
have a dedicated kernel process "0" (swapper) per jail, its
own pid, etc. space if enabled.
Add ddb support to aid debugging as was done for vnet.

Obtained from: http://www.7he.at/freebsd/vps/files/diffs/vps-r215.diff

		(parts, originally as provided by iXsystems, Inc.)

Sponsored by: iXsystems, Inc.

Diff Detail

Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 17983
Build 17737: arc lint + arc unit

Event Timeline

sys/kern/init_main.c
708

Panicking seems harsh when kproc_create can fail simply because the process limit has been hit. Is there a way to just fail the jail creation, or if not that to destroy the jail? Perhaps with a warning - a sort of VPS panic.

sys/kern/kern_resource.c
1277

Is this something you've found to happen? I know that zombie jails often sit around indefinitely waiting for a cred hold to go away; perhaps it's something like that?

Follow-up on comments to @jamie

sys/kern/init_main.c
708

Yes. There's a few such situations; we would need to add a flag to the vps structure, check in between every sysinit invokation; in case of error, undo the exact bits we already allocated/initialised, and the return an error to jail creation. We never did for vnets; maybe it's time; but the cleanup can be "complex" to get fully symmetric. For the moment having well-defined errors (panic) seems better while developing.

sys/kern/kern_resource.c
1277

Yes I have but so far no one has ever tried to cleanly shutdown process space so (as with vnet) we expect to find certain leaks. I am sure that the buffer cache is a major problem for process space references. One thing at a time though. At the moment I am seeing linger DYING jails around with plain HEAD and not even vnets; took something over 50 days for one to go. Need a more general "tracker" which I do not want to intermix with this work.

  • Merge branch 'p2' into p3

From the Jails Production User call: This work is still of interest, particularly in the context of OCI jail progress.
DCH: "This needs serious rebasing." Do any developers have interest in this feature?

From the Jails Production User call: This work is still of interest, particularly in the context of OCI jail progress.
DCH: "This needs serious rebasing." Do any developers have interest in this feature?

I think @dfr is interested with this :)

From the Jails Production User call: This work is still of interest, particularly in the context of OCI jail progress.
DCH: "This needs serious rebasing." Do any developers have interest in this feature?

I think @dfr is interested with this :)

I read through the diff briefly and as far as I can tell, with this approach, processes inside the vps jail are not visible in the host (or parent jail). If so, this won't work for OCI containers where we need to be able to wait for and reap the initial container process on the host. With Linux pid namespaces, each process has a sequence of pids starting with a host pid, then a viritualised pid for each parent namespace (if any) of the container and finishes with the pid visible inside the container.