Scott Lambert | 2 Jul 22:22 2008

Migration of Jail from one host to another?

I'm probably doing this completely wrong.  I set up a couple of jails
using simple image files because I thought that would make migration
to another server more straightforward.  I am now trying to migrate my
first jail.

I am using the ezjail tools for creating and maintaining jails.

The existing jail host is 6.2-STABLE FreeBSD 6.2-STABLE #1: Sun Mar 11
21:46:01 CDT 2007, ezjail-2.0.1.

The new jail host is 7.0-STABLE FreeBSD 7.0-STABLE #0: Sat May 10
06:29:00 CDT 2008, ezjail-2.1.

I have created a test jail on the 7.0-STABLE box with ezjail-admin which
works perfectly, using what I believe were the exact same parameters
given, other than IP/hostname, when I created the 6.2-STABLE jail.

 # ezjail-admin create -i -s 1G test 192.168.8.237

I have moved over the fstab.migrate_jail file, and the
/u/l/e/ezjail/migrate_jail config file for the 6.2-STABLE jail to the
7.0-STABLE box and created an empty directory beside the 7.0 test jail's
empty directory.  I shut down the jail on the 6.2-STABLE host and
scp'd the image file to the 7.0-STABLE box.  I put it beside the empty
jail directory.  I made sure the fstab.test and the fstab.migrate_jail
look the same except for jail name changes.  I made sure the
/u/l/e/ezjail/test and /u/l/e/ezjail/migrate_jail files look the same
except for jail name changes.

 # more /etc/fstab.test

Miroslav Lachman | 3 Jul 12:01 2008

Re: Memory limits on 7.0

Christopher Thunes wrote:
> Hey everyone,
>   I spent some time working on getting cdjones' memory limit patches 
> updated for 7.0 and beyond and thought I'd post my progress. I've 
> attached my current patch which implements memory limits on 7.0-RELEASE, 
> but only for the older (and default in -RELEASE) bsd4 scheduler (won't 
> work at all on ULE). I haven't yet started work for ULE or getting CPU 
> sharing working. This patch also includes fixes for problems in the 
> original cdjones patches. If you want to give it a whirl it should apply 
> cleanly to a 7.0-RELEASE source tree and if you run into any issues let 
> me know.

Thanks for your work, I put it on the Jails wiki! I hope I'll give it a try 
next week after I set up a new testing machine with ZFS, 4GB of RAM and a lot 
of jails for testing :)

Do you plan to work on a ULE version? (AFAIK ULE will be the default for the next 
release)

Miroslav Lachman

Christopher Thunes | 3 Jul 15:18 2008

Re: Memory limits on 7.0

Yes, my plan is to get everything working on both schedulers, but at 
this point I'm not sure what kind of time frame I'm looking at. At the 
moment I'm getting everything up to date on the 4bsd scheduler so once I 
finish that up I'll begin working on ULE.

- Chris

Miroslav Lachman wrote:
> Christopher Thunes wrote:
>> Hey everyone,
>>   I spent some time working on getting cdjones' memory limit patches 
>> updated for 7.0 and beyond and thought I'd post my progress. I've 
>> attached my current patch which implements memory limits on 
>> 7.0-RELEASE, but only for the older (and default in -RELEASE) bsd4 
>> scheduler (won't work at all on ULE). I haven't yet started work for 
>> ULE or getting CPU sharing working. This patch also includes fixes for 
>> problems in the original cdjones patches. If you want to give it a 
>> whirl it should apply cleanly to a 7.0-RELEASE source tree and if you 
>> run into any issues let me know.
> 
> Thanks for your work, I put it on the Jails wiki! I hope I'll give it a try 
> next week after I set up a new testing machine with ZFS, 4GB of RAM and a lot 
> of jails for testing :)
> 
> Do you plan to work on a ULE version? (AFAIK ULE will be the default for the next 
> release)
> 
> Miroslav Lachman

FreeBSD bugmaster | 7 Jul 13:07 2008

freebsd-jail@...

Current FreeBSD problem reports
Critical problems
Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with 
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID  to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while 

9 problems total.

Christopher Thunes | 7 Jul 18:49 2008

Re: new set of multi-IPv4/v6/noIP jail patches

Bjoern,
   Should these patches allow multiple IPs which are on multiple 
interfaces? I've been playing around with this and was unable to assign 
IP addresses from more than one interface correctly. jls will show all IPs 
correctly but from within the jail only IPs from one interface show up 
in ifconfig and are able to be bound to.

- Chris Thunes

Bjoern A. Zeeb | 7 Jul 19:05 2008

Re: new set of multi-IPv4/v6/noIP jail patches

On Mon, 7 Jul 2008, Christopher Thunes wrote:

Hi,

>  Should these patches allow multiple IPs which are on multiple interfaces? 
> I've been playing around with this and was unable to assign IP addresses from 
> more than one interface correctly. jls will show all IPs correctly but from 
> within the jail only IPs from one interface show up in ifconfig and are able 
> to be bound to.

Did the patch apply cleanly? Which one? Which release?

dopt# ifconfig lo1 create
dopt# ifconfig lo1 inet 192.0.2.100/32
dopt# ifconfig lo2 create
dopt# ifconfig lo2 inet 192.0.2.200/32
dopt# jail -n multiif /local/jails/j1 dopt 192.0.2.100,192.0.2.200 /sbin/ifconfig -a
fxp0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=b<RXCSUM,TXCSUM,VLAN_MTU>
         ether 00:e0:81:31:db:62
         media: Ethernet autoselect (none)
         status: no carrier
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
         ether 00:e0:81:31:db:8c
         media: Ethernet autoselect (1000baseTX <full-duplex>)
         status: active
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
         ether 00:e0:81:31:db:8d

Peter Ankerstål | 7 Jul 19:15 2008

Re: new set of multi-IPv4/v6/noIP jail patches


On Jun 17, 2008, at 8:03 PM, Bjoern A. Zeeb wrote:

> Hi,
>
> while for some stuff only infrastructure is there, there is more now.
> Any feedback would be welcome. I'll have to work on something else the
> next week so not going to implement the full set of "state", ...

Is there any possibility to get these patches to work together with  
the memory-limiting patches?

Christopher Thunes | 7 Jul 19:39 2008

Re: new set of multi-IPv4/v6/noIP jail patches

Hi Bjoern,
   I apologize for not including this information originally. This is 
the 7.0-RELEASE patch but I applied it against a kernel with the memory 
limits patch already in place. I had to manually merge most of 
kern_jail.c by hand.

I tried again to start a jail and found that I could run the following 
and it works as you demonstrated.

[root@virt] ~ # jail -n test1 /usr/jail/4001/ test1 208.86.224.219,10.11.40.2 /sbin/ifconfig -a
priv0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
         ether 00:30:48:c2:89:2a
         inet 10.11.40.2 netmask 0xffffffff broadcast 10.11.40.2
         media: Ethernet autoselect (1000baseTX <full-duplex>)
         status: active
pub0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
         ether 00:30:48:c2:89:2b
         inet 208.86.224.219 netmask 0xffffffff broadcast 208.86.224.219
         media: Ethernet autoselect (100baseTX <half-duplex>)
         status: active

That is one IP each from two interfaces. I tried with two from the 
public interface and one from the private interface and then it failed 
to assign the address on the private interface. All necessary aliases 
have been created.

[root@virt] ~ # jail -n test1 /usr/jail/4001/ test1 

Bjoern A. Zeeb | 7 Jul 21:14 2008

Re: new set of multi-IPv4/v6/noIP jail patches

On Mon, 7 Jul 2008, Christopher Thunes wrote:

Hi,

I can reproduce this and I know the bug.
I'll post an updated patch in a few days.

/bz

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

Christopher Thunes | 11 Jul 08:54 2008

Re: new set of multi-IPv4/v6/noIP jail patches

Hey Peter,
   I've got some test system running with both of these in place. The 
memory limiting code I'm working with is still incomplete as of now but 
if you are interested I can put up a patch of what is currently 
available in a week or so. The extent of memory limit completeness is 
outlined here

http://lists.freebsd.org/pipermail/freebsd-jail/2008-June/000333.html

- Chris Thunes

Peter Ankerstål wrote:
> 
> On Jun 17, 2008, at 8:03 PM, Bjoern A. Zeeb wrote:
> 
>> Hi,
>>
>> while for some stuff only infrastructure is there, there is more now.
>> Any feedback would be welcome. I'll have to work on something else the
>> next week so not going to implement the full set of "state", ...
> 
> Is there any possibility to get these patches to work together with the 
> memory-limiting patches?
