Re: Jail seperation patch
On Tue, Feb 25, 2003 at 02:47:11PM -0800, Mooneer Salem wrote:
> I've been working on extending the jail feature of FreeBSD to make it
> more friendly to VPS providers. I added the following features:
>
> * Rudimentary CPU/RAM/number of processes per-jail limits
> * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
> * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
>   addresses within a jail)

And what about situations like these?

1. main host IPs: 1.1.1.2, 1.1.1.3, 1.1.1.4
   jailed host IPs: 1.1.1.2, 1.1.1.3

   A daemon in the jail binds to INADDR_ANY on port X; somebody connects to
   port X, but to IP 1.1.1.4 (outside the jail). Will the connection succeed?

2. main host IPs: 1.1.1.2, 1.1.1.3, 1.1.1.4
   jailed host IPs: 1.1.1.2, 1.1.1.3

   A daemon outside the jail binds to port X on IP 1.1.1.4. A user in the jail
   connects to port X on INADDR_ANY. Will the connection succeed?

What happens when a daemon inside the jail and a daemon outside the jail bind
to the same port? If I'm connecting to this port, who will handle the connection?

> * struct prison added to SysV IPC code (to allow for secure use)

A better solution is to create separate memory zones for the main host and
every jail; look at my patch against 5.0-CURRENT:

http://garage.freebsd.pl/privipc.tbz
http://garage.freebsd.pl/privipc.README

> * Disk mount hiding

A better way is IMHO hiding and cutting pathnames; look at:

http://garage.freebsd.pl/jailfsstat.tgz
http://garage.freebsd.pl/jailfsstat.README

> * Hot add/remove IP addresses from jail using sysctl
> * Process hiding (non-root users outside jails cannot see jailed processes)

This isn't a complete solution and I think it couldn't be, because you could
still modify files owned by jailed users with a non-jailed user of the same UID, so...

> The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
> any comments or suggestions. If anyone's interested, it can be retrieved
> at http://msalem.translator.cx/dist/jail_seperation.v5.patch.

You could add multi-level jailing, IMHO it's cool:

http://garage.freebsd.pl/mljail.tbz
http://garage.freebsd.pl/mljail.README

Nice work, I'm wondering if something will ever be committed :)

--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need (fwd)
Hi,

At 22:01 25/2/03, Robert Watson wrote:
> [...]
> I would oppose simply enabling the current CANSIGNAL check -- it has
> serious problems. On the other hand, putting in a refined check sounds
> reasonable and I'd be happy to review such a patch. Although the code
> from 5.x won't instantly work with 4.x without substantial modification,
> it might make a good starting point.

OK, so what's the score with the patch at the end of the kern/40611 audit trail?

Thanks

--
Bob Bishop  +44 (0)118 977 4017  [EMAIL PROTECTED]
fax +44 (0)118 989 4254

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
ESS1868 sound card and the *infamous* play interrupt timeout,channel dead:)
Lo all,

Running 5.0-RELEASE with 'device pcm' in my kernel, and now I see this is happening.

Dump from /var/log/messages:

    Feb 23 14:59:20 Hobbes kernel: sbc0: ESS ES1868 at port 0x300-0x301,0x388-0x38b,0x220-0x22f irq 10 drq 0,1 on isa0
    Feb 23 14:59:20 Hobbes kernel: pcm0: ESS 18xx DSP on sbc0
    Feb 23 14:59:20 Hobbes kernel: midi0: SB Midi Interface on sbc0
    Feb 23 14:59:20 Hobbes kernel: midi1: SB OPL FM Synthesizer on sbc0
    Feb 23 14:59:20 Hobbes kernel: joy0: ESS0001 PnP Joystick at port 0x201 on isa0
    Feb 23 14:59:20 Hobbes kernel: unknown: ESS ES1868 Plug and Play AudioDrive can't assign resources (irq)

So, according to the BIOS startup messages and dmesg, it should be assigned no DMA, and an IRQ of 10. And no, I do *not* have device sbc in my kernel.

Anyway, I added this line to /boot/device.hints:

    hint.pcm.0.irq=10

Has no effect, still getting the same message. Any ideas?

Oh, if I ignore the fact that the error's there, and try mpg321 or anything to play sound (even if I cat a .au into /dev/dsp0), it gives me this:

    Feb 23 14:59:44 Hobbes kernel: pcm0:play:0: play interrupt timeout, channel dead

Interestingly enough, there appear to be problems with a lot of interrupt assignments. When I had ACPI disabled in the BIOS, it moaned about assigning interrupts to the AGP card. ACPI and APM are enabled in the BIOS; I've tried disabling APM (don't ask why I thought it would make a difference :) Also, the BIOS (Award) has some simple settings for enabling/disabling a PnP OS, allowing the OS to set IRQs et al. Dunno if that has any bearing tho...

Thanks,
Riccardo JediHobbes Spagni
Re: patch: (forw) linux_sigvec.c
On Wed, Feb 26, 2003 at 02:39:34PM +0100, Martin Blapp wrote:
>> Nice work, I'm wondering if something will ever be committed :)
>
> Of course it will be committed! But many of us are rather busy, that
> explains why you don't get instant feedback sometimes.
>
> And I really really think that you need a mentor to be able to be a src
> committer. I'll ask whoever I can.

Hmm, sounds cool :)

>> A better solution is to create separate memory zones for the main host
>> and every jail; look at my patch against 5.0-CURRENT:
>>
>> http://garage.freebsd.pl/privipc.tbz
>> http://garage.freebsd.pl/privipc.README
>
> Ehrm. This patch is still against STABLE. Can you make a version for 5.X
> (shouldn't be that hard) which we can review and commit?

When I announced this patch I wrote that I could prepare patches against -CURRENT when somebody reviews those against -STABLE :)

> Can you change your homepage to reflect which parts are for 4.X and 5.X?
> Cool homepage btw, many cool patches on it ;)

Hmm, I'll think this over.

> I'll test it this evening on an old STABLE box.

Thanks!

--
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.
Re: Jdk13/14 still hangs in 4.8 Prerelease. Outstanding Fix need
On 26-Feb-2003 Bob Bishop wrote:
> Hi,
>
> At 22:01 25/2/03, Robert Watson wrote:
>> [...]
>> I would oppose simply enabling the current CANSIGNAL check -- it has
>> serious problems. On the other hand, putting in a refined check sounds
>> reasonable and I'd be happy to review such a patch. Although the code
>> from 5.x won't instantly work with 4.x without substantial modification,
>> it might make a good starting point.
>
> OK, so what's the score with the patch at the end of the kern/40611 audit trail?
>
> Thanks

I think that we would prefer that someone fix the CANSIGNAL check as Robert desires and then enable it. The patch in the PR basically allows one to get information about any process even if you aren't root, so I think that may be a bad idea.

--
John Baldwin  [EMAIL PROTECTED]  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
Re: C coding editor
Wes Peters wrote:
> e your last scan of this sector. ;^)
>
> Seriously, limiting your programming for a lifetime to 80 columns because
> you couldn't figure out how to make some grotty old dot matrix printer do
> 8-point printing a decade ago really isn't all that smart, is it?

Even if I never have to print out on a printer like that, who's to say nobody else is? You will no doubt turn people away if they open up your code in their favorite programming editor and all of the lines wrap a few characters. Worse if they are already at the maximum size their screen/eyeballs can support.

> I'm still disappointed at programming editors that can't make sense of
> normal typefaces and have to be used with monospaced fonts. Same for
> email, but that's a different argument.

I find that monospace fonts are quite nice in programming on occasion when you want to line up output or just nicely format blocks of text. What about when someone opens up your project with a different font and all of the comments and blocks of code are scattered across the screen in some haphazard-looking mess? Visual distinctiveness and effective use of whitespace can be invaluable in helping people understand your code (or in understanding other people's code). That's why people have settled on a format they can reproduce in almost all instances.

Very few compilers accept code with formatting markup beyond ^Ls and TABs. You can't compile a Word document.

--
Jason Andresen  [EMAIL PROTECTED]
Network and Distributed Systems Engineer
Office: 703-883-7755
Re: C coding editor
On Wed, 26 Feb 2003, Jason Andresen wrote:
> Very few compilers accept code with formatting markup beyond ^Ls and
> TABs. You can't compile a Word document.

As we plunge completely off topic, there is (was) at least one literate programming system that grokked winword.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
The Java disclaimer: values of 'anywhere' may vary between regions.
Re: HOWTO track resource leaks in kernel modules?
> Re: Resource leaks
> HOWTO track resource leaks in kernel modules?

Hi --

A question like yours (How to?) usually gets ignored on the hackers list. I've tried it before. I believe that they're only interested in bugs/hacks in the current source. I am not aware of any newsletter/questions digest that can/will answer a technical how-to like yours.

My suggestion is to place panic(9) calls in strategic places in your code and see where it blows. Also putting strategic printf statements before the panic will help.

Finally: don't compile as a module, because the kernel.debug file will not have the module symbols in it, which makes it difficult to debug; you can load the module symbols with gdb (see the developers' handbook) but that is a pain in the neck after a while. It's easy to switch from in-kernel to module after you have developed your package.

I am not aware of any software that you can use to debug leaking resources except gdb -k. Look at the v_usecount, v_writecount, v_holdcount values in the struct vnode.h. Things like that.

Ed Alley
Re: HOWTO track resource leaks in kernel modules?
On Wed, 26 Feb 2003, Ed Alley wrote:
>> Re: Resource leaks
>> HOWTO track resource leaks in kernel modules?

what KIND of resource leaks?

> Hi --
>
> A question like yours (How to?) usually gets ignored on the hackers list.
> I've tried it before. I believe that they're only interested in
> bugs/hacks in the current source. I am not aware of any
> newsletter/questions digest that can/will answer a technical how-to like
> yours.
>
> My suggestion is to place panic(9) calls in strategic places in your
> code and see where it blows. Also putting strategic printf statements
> before the panic will help.
>
> Finally: don't compile as a module, because the kernel.debug file will
> not have the module symbols in it, which makes it difficult to debug;
> you can load the module symbols with gdb (see the developers' handbook)
> but that is a pain in the neck after a while. It's easy to switch from
> in-kernel to module after you have developed your package.
>
> I am not aware of any software that you can use to debug leaking
> resources except gdb -k. Look at the v_usecount, v_writecount,
> v_holdcount values in the struct vnode.h. Things like that.
>
> Ed Alley
kernel design questions
hi!

i was looking for some kernel documentation and i had to find out it was just as the words say it: use the source luke. so i just want to ask whether the freebsd kernel can be called a monolithic kernel? as far as i understood, a monolithic kernel is just one big binary that does not get modified while being loaded into memory, and as freebsd is able to load modules into the kernel during runtime it's not monolithic anymore?

greets,
josef

--
www: http://www.daemon.li
nic-hdl: JER1080312-NICAT
RE: Jail seperation patch
Hello,

1. It handles at least case 1 just fine:

    %telnet 10.0.0.2 25
    Trying 10.0.0.2...
    Connected to pacific.lifeafterking.org.
    Escape character is '^]'.
    220 pacific.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003 07:45:39 -0700 (MST)
    quit
    221 2.0.0 pacific.lifeafterking.org closing connection
    Connection closed by foreign host.
    %telnet 10.0.0.3 25
    Trying 10.0.0.3...
    Connected to test.lifeafterking.org..
    Escape character is '^]'.
    220 test.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003 07:45:46 -0700 (MST)
    quit
    221 2.0.0 test.lifeafterking.org closing connection
    Connection closed by foreign host.
    %telnet 10.0.0.4 25
    Trying 10.0.0.4...
    Connected to blah.lifeafterking.org..
    Escape character is '^]'.
    220 test.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003 07:45:52 -0700 (MST)
    quit
    221 2.0.0 test.lifeafterking.org closing connection
    Connection closed by foreign host.
    %ssh [EMAIL PROTECTED]
    Password:
    Last login: Tue Feb 25 22:41:12 2003 from test2.lifeafter
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.
    FreeBSD 5.0-RELEASE-p1 (VMWARE-SERVER) #38: Mon Feb 24 18:24:18 MST 2003
    %telnet 10.0.0.2 25
    Trying 10.0.0.2...
    Connected to pacific.lifeafterking.org.
    Escape character is '^]'.
    220 pacific.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003 07:46:16 -0700 (MST)
    quit
    221 2.0.0 pacific.lifeafterking.org closing connection
    Connection closed by foreign host.
    %hostname
    test.lifeafterking.org
    %exit
    logout
    Connection to 10.0.0.3 closed.
    %

However, I just checked and it appears I can connect to 0.0.0.0:

    %telnet 0.0.0.0 25
    Trying 0.0.0.0...
    Connected to 0.0.0.0.
    Escape character is '^]'.
    220 pacific.lifeafterking.org ESMTP Sendmail 8.12.6/8.12.6; Wed, 26 Feb 2003 07:49:30 -0700 (MST)
    quit
    221 2.0.0 pacific.lifeafterking.org closing connection
    Connection closed by foreign host.
    %hostname
    test.lifeafterking.org
    %

Hey, I found a bug! :)

2. Neat. :) I'm going to add sysctls when I get a chance for the mount hiding. Also, I'm going to take a look at the VFS code and see if I can hide files from non-root non-jailed users.

3. Does multi-level jailing add any further restrictions to the jails within the jails, besides the standard ones imposed?

Thanks,

--
Mooneer Salem
GPLTrans: http://www.translator.cx/
lifeafterking.org: http://www.lifeafterking.org/

-----Original Message-----
From: Pawel Jakub Dawidek [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 26, 2003 12:05 AM
To: Mooneer Salem
Cc: FreeBSD Hackers
Subject: Re: Jail seperation patch

> On Tue, Feb 25, 2003 at 02:47:11PM -0800, Mooneer Salem wrote:
>> I've been working on extending the jail feature of FreeBSD to make it
>> more friendly to VPS providers. I added the following features:
>>
>> * Rudimentary CPU/RAM/number of processes per-jail limits
>> * Multiple IP support (from Pawel Jakub Dawidek's mijail patch for 4.7)
>> * Proper INADDR_ANY support added (so INADDR_ANY will bind to all IP
>>   addresses within a jail)
>
> And what about situations like these?
>
> 1. main host IPs: 1.1.1.2, 1.1.1.3, 1.1.1.4
>    jailed host IPs: 1.1.1.2, 1.1.1.3
>
>    A daemon in the jail binds to INADDR_ANY on port X; somebody connects
>    to port X, but to IP 1.1.1.4 (outside the jail). Will the connection
>    succeed?
>
> 2. main host IPs: 1.1.1.2, 1.1.1.3, 1.1.1.4
>    jailed host IPs: 1.1.1.2, 1.1.1.3
>
>    A daemon outside the jail binds to port X on IP 1.1.1.4. A user in
>    the jail connects to port X on INADDR_ANY. Will the connection
>    succeed?
>
> What happens when a daemon inside the jail and a daemon outside the jail
> bind to the same port? If I'm connecting to this port, who will handle
> the connection?
>
>> * struct prison added to SysV IPC code (to allow for secure use)
>
> A better solution is to create separate memory zones for the main host
> and every jail; look at my patch against 5.0-CURRENT:
>
> http://garage.freebsd.pl/privipc.tbz
> http://garage.freebsd.pl/privipc.README
>
>> * Disk mount hiding
>
> A better way is IMHO hiding and cutting pathnames; look at:
>
> http://garage.freebsd.pl/jailfsstat.tgz
> http://garage.freebsd.pl/jailfsstat.README
>
>> * Hot add/remove IP addresses from jail using sysctl
>> * Process hiding (non-root users outside jails cannot see jailed
>>   processes)
>
> This isn't a complete solution and I think it couldn't be, because you
> could still modify files owned by jailed users with a non-jailed user of
> the same UID, so...
>
>> The patch is for 5.0-CURRENT/5.0-RELEASE. I would be interested in
>> any comments or suggestions. If anyone's interested, it can be
>> retrieved at http://msalem.translator.cx/dist/jail_seperation.v5.patch.
>
> You could add multi-level jailing, IMHO it's cool:
>
> http://garage.freebsd.pl/mljail.tbz
> http://garage.freebsd.pl/mljail.README
>
> Nice work, I'm wondering if something will ever be committed :)
>
> --
> Pawel Jakub Dawidek
> UNIX Systems Administrator
> http://garage.freebsd.pl
> Am I Evil? Yes, I
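The two scenarios Pawel raises (a jailed listener on INADDR_ANY receiving traffic for a host-only address, and a jailed client connecting to INADDR_ANY) and the 0.0.0.0 test above, which reached the host's sendmail from inside the jail, are all questions about what "INADDR_ANY within a jail" must mean. The model below is an added example for this thread, not code from either patch or from the FreeBSD kernel: it assumes a jail owns a short fixed list of IPv4 addresses with the first entry as its primary address, and it encodes the intended rules as three pure functions (bind restricted to the jail's addresses, wildcard delivery restricted to the jail's addresses, and connects to 0.0.0.0 or 127.0.0.1 rewritten to the jail's primary address so they can never land on a host-only socket). The third question in the thread, two daemons on the same port inside and outside the jail, is not modelled. The helper and scenario names are hypothetical.

```c
/*
 * Model of the address rules a multi-IP jail has to enforce for INADDR_ANY.
 * Added example for the freebsd-hackers thread; not kernel code. Assumption:
 * a jail owns a small fixed list of addresses, addr[0] being the primary.
 */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define MAX_JAIL_IPS 8

struct jail_ips {
    int n;
    in_addr_t addr[MAX_JAIL_IPS];   /* network byte order; addr[0] is primary */
};

/* Parse a dotted quad into a network-byte-order in_addr_t (0 on bad input). */
static in_addr_t ip(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

static int jail_owns(const struct jail_ips *j, in_addr_t a)
{
    for (int i = 0; i < j->n; i++)
        if (j->addr[i] == a)
            return 1;
    return 0;
}

/* bind(2) inside the jail: only the jail's own addresses, or INADDR_ANY,
 * which from here on means "all of the jail's addresses" and nothing more. */
static int jail_may_bind(const struct jail_ips *j, in_addr_t a)
{
    return a == htonl(INADDR_ANY) || jail_owns(j, a);
}

/* Case 1: may a packet addressed to dst be delivered to a jailed socket
 * bound to INADDR_ANY?  Only if dst is one of the jail's addresses; a packet
 * to a host-only address such as 1.1.1.4 must not reach it. */
static int jail_any_accepts(const struct jail_ips *j, in_addr_t dst)
{
    return jail_owns(j, dst);
}

/* Case 2 and the 0.0.0.0 test: a connect(2) from inside the jail to
 * INADDR_ANY or loopback is rewritten to the jail's primary address, so it
 * resolves to a jailed listener (if any) rather than to a host daemon. */
static in_addr_t jail_rewrite_connect(const struct jail_ips *j, in_addr_t dst)
{
    if (dst == htonl(INADDR_ANY) || dst == htonl(INADDR_LOOPBACK))
        return j->addr[0];
    return dst;
}

int main(void)
{
    /* Constructed scenario from the thread: host has .2 .3 .4, jail has .2 .3. */
    struct jail_ips j = { 2, { ip("1.1.1.2"), ip("1.1.1.3") } };
    char buf[INET_ADDRSTRLEN];
    struct in_addr out;

    printf("bind 1.1.1.4 inside jail allowed: %d\n",
           jail_may_bind(&j, ip("1.1.1.4")));
    printf("jailed INADDR_ANY socket gets packet to 1.1.1.4: %d\n",
           jail_any_accepts(&j, ip("1.1.1.4")));
    out.s_addr = jail_rewrite_connect(&j, ip("0.0.0.0"));
    printf("connect to 0.0.0.0 from jail goes to %s\n",
           inet_ntop(AF_INET, &out, buf, sizeof buf));
    return 0;
}
```

Under these rules the session above would have reached the jail's own sendmail on 10.0.0.3 rather than pacific's; a kernel implementation of multi-IP jails needs the equivalent of all three checks, in the bind, input-lookup and connect paths respectively, or traffic crosses the jail boundary in one direction or the other.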
Re: HOWTO track resource leaks in kernel modules?
Quoting Julian Elischer [EMAIL PROTECTED]:
> On Wed, 26 Feb 2003, Ed Alley wrote:
>>> Re: Resource leaks
>>> HOWTO track resource leaks in kernel modules?
>
> what KIND of resource leaks?

I guess I asked this question of the wrong list. I'm interested in finding dma allocs, memory allocs, and IRQ/IO allocs which occur during a LKM's attached life. I'm adding the ability to detach if_de and was hoping to find assistance on where to look for resource tracking tools.

--daxbert
Re: HOWTO track resource leaks in kernel modules?
On Wed, 26 Feb 2003, Daxbert wrote:
> Quoting Julian Elischer [EMAIL PROTECTED]:
>> On Wed, 26 Feb 2003, Ed Alley wrote:
>>>> Re: Resource leaks
>>>> HOWTO track resource leaks in kernel modules?
>>
>> what KIND of resource leaks?
>
> I guess I asked this question of the wrong list. I'm interested in
> finding dma allocs, memory allocs, and IRQ/IO allocs which occur during
> a LKM's attached life. I'm adding the ability to detach if_de and was
> hoping to find assistance on where to look for resource tracking tools.

For malloc (in the kernel) you can specify a separate pool for a module, so that it will account for mallocs for that module separately. You can then look at them with vmstat -m. Check out sys/malloc.h and look at MALLOC_DECLARE.

is this for 4.x or 5.x?

> --daxbert
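The technique Julian describes is to give the module its own malloc type (in the kernel, MALLOC_DEFINE plus malloc(9)/free(9) with that type) so that vmstat -m shows the module's live allocations as a separate line; if that line is not zero after detach, the detach path leaks. The program below is an added user-space model of that accounting, not FreeBSD's malloc(9) code: a malloc type is a struct of counters, every allocation is tagged with one, and an attach/detach cycle of a hypothetical driver (names and buffer sizes are constructed) is checked for what it leaves behind. It runs stand-alone.

```c
/*
 * User-space model of per-module kernel malloc accounting (the idea behind
 * MALLOC_DEFINE + vmstat -m). Added example; not FreeBSD's malloc(9).
 */
#include <stdio.h>
#include <stdlib.h>

struct malloc_type {
    const char *name;
    unsigned long inuse;     /* live allocations  (vmstat -m "InUse")    */
    unsigned long bytes;     /* live bytes        (vmstat -m "MemUse")   */
    unsigned long requests;  /* allocations ever  (vmstat -m "Requests") */
};

/* Bookkeeping header in front of each block so free can charge the right type. */
struct hdr {
    struct malloc_type *type;
    size_t size;
};

static void *mod_malloc(size_t size, struct malloc_type *t)
{
    struct hdr *h = malloc(sizeof *h + size);
    if (h == NULL)
        return NULL;
    h->type = t;
    h->size = size;
    t->inuse++;
    t->bytes += size;
    t->requests++;
    return h + 1;
}

static void mod_free(void *p)
{
    struct hdr *h;
    if (p == NULL)
        return;
    h = (struct hdr *)p - 1;
    h->type->inuse--;
    h->type->bytes -= h->size;
    free(h);
}

/* Print one vmstat -m style line for the type and return its live count. */
static unsigned long mod_report(const struct malloc_type *t)
{
    printf("%-10s InUse %lu  MemUse %luB  Requests %lu\n",
           t->name, t->inuse, t->bytes, t->requests);
    return t->inuse;
}

/* Hypothetical driver: one private malloc type, three per-instance buffers. */
static struct malloc_type M_MYDRV = { "mydrv", 0, 0, 0 };

struct softc {
    void *rxring;
    void *txring;
    void *scratch;
};

static struct softc *drv_attach(void)
{
    struct softc *sc = mod_malloc(sizeof *sc, &M_MYDRV);
    if (sc == NULL)
        return NULL;
    sc->rxring  = mod_malloc(4096, &M_MYDRV);
    sc->txring  = mod_malloc(4096, &M_MYDRV);
    sc->scratch = mod_malloc(256, &M_MYDRV);
    return sc;
}

/* The broken detach frees the rings and the softc but forgets scratch;
 * the fixed one releases everything attach allocated. */
static void drv_detach(struct softc *sc, int fixed)
{
    mod_free(sc->rxring);
    mod_free(sc->txring);
    if (fixed)
        mod_free(sc->scratch);
    mod_free(sc);
}

/* One attach/detach cycle; returns how many allocations it left behind. */
static unsigned long leak_after_cycle(int fixed)
{
    unsigned long before = M_MYDRV.inuse;
    struct softc *sc = drv_attach();
    if (sc == NULL)
        return 0;
    drv_detach(sc, fixed);
    return mod_report(&M_MYDRV) - before;
}

int main(void)
{
    printf("leaked after broken detach: %lu\n", leak_after_cycle(0));
    printf("leaked after fixed detach:  %lu\n", leak_after_cycle(1));
    return 0;
}
```

The same "count must return to its pre-attach value" check is what you read off vmstat -m after kldunload; for DMA maps, IRQ and I/O port resources, which are not malloc'd, there is no such counter in the model and you have to pair each bus_alloc_resource/bus_dma allocation in attach with a release in detach by inspection.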