Panicking seems harsh when kproc_create can fail simply because the process limit has been hit. Is there a way to just fail the jail creation, or if not that to destroy the jail? Perhaps with a warning - a sort of VPS panic.

Is this something you've found to happen? I know that zombie jails often sit around indefinitely waiting for a cred hold to go away; perhaps it's something like that?

Yes. There's a few such situations; we would need to add a flag to the vps structure, check in between every sysinit invokation; in case of error, undo the exact bits we already allocated/initialised, and the return an error to jail creation. We never did for vnets; maybe it's time; but the cleanup can be "complex" to get fully symmetric. For the moment having well-defined errors (panic) seems better while developing.

Yes I have but so far no one has ever tried to cleanly shutdown process space so (as with vnet) we expect to find certain leaks. I am sure that the buffer cache is a major problem for process space references. One thing at a time though. At the moment I am seeing linger DYING jails around with plain HEAD and not even vnets; took something over 50 days for one to go. Need a more general "tracker" which I do not want to intermix with this work.