Jail descriptor kevents, Plan A
AbandonedPublic
Actions

Authored by jamie on Sep 9 2025, 4:30 PM.

Details

Reviewers: None

Summary

Jails have kevent support, with events for set, attach, remove, and child creation. The last one allows for child jails to be automatically added to the vent list via the NOTE_TRACK that was already used by process forking.

Jail descriptors can also easily be tracked via kevent, but have a harder time with child jail tracking because kevent isn't able to open new jail descriptors (as they are process-specific). So something needs to be done to work around this.

Plan A: As with kevent for jails (by jid), NOTE_TRACK will automatically add a new EVFILT_JAIL event for the created jail, not an EVFILT_JAILDESC event. If the caller wants to track that jail via descriptor, they will need to get one with jail_get(2). This isn't optimal, since there are possible race conditions, but the fact that the returned EVFILT_JAIL event can report the jail's removal makes the workaround possible.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

jamie created this revision.Sep 9 2025, 4:30 PM

Herald added subscribers: olce, imp. · View Herald TranscriptSep 9 2025, 4:30 PM

jamie requested review of this revision.Sep 9 2025, 4:30 PM

Plan B is in D52462.

Advantages of Plan A: The new jail is immediately added to event tracking (though not as a jail descriptor), so nothing is missed. As with EVFILT_JAIL, the complex part (child jail notification) leverages existing kernel code.

Disadvantages of Plan B: It takes work on the caller's side to get a descriptor for the new jail, make sure it's synced up with any events that were reported on the jail in the meantime, and then add kevent tracking for the descriptor and remove it for the jid. There's the possibility of NOTE_TRACK returning NOTE_TRACKERR instead of a new event being created for the new jail. That's rate (only when no-wait kernel allocation is unavailable) but the possibility must be accounted for.

crest_freebsd_rlwinm.de added a subscriber: crest_freebsd_rlwinm.de.Sep 9 2025, 7:17 PM

Commit 66d8ffe30 has simpler kevent handling for jaildesc, without any recursion. Jail kevents have also have recussion removed. Its lack of guarantees and incomplete problem-solving meant that applications would need a way to handle when notifications weren't 100% collected. As long as that's the case, might as well get rid of the complexity.

The non-recursive kevents decided on, which are identical for jid-based and descriptor-based events, report a child creation event with the jid in the data, same as how the pid is in the data for attach events. And likewise, if more than one jail is created, the renamed NOTE_JAIL_MULTI flagfs is set. Now that there are two different event types using this, the data is set to zero in that situation instead of that last reported id.