Application Jail Shutdown Problem

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Application Jail Shutdown Problem

squiggly foo
Hi All,

I use the mount.fstab parameter to mount a number of file systems before starting a jail which works without any problem.  However since it is an application jail, there are no other processes running inside the jail other than the one application.  As soon as that application terminates the jail is removed by the host.

This is actually my preferred behavior; I want the jail to be removed when the process inside of it terminates.  But the problem is that the mount points are not unmounted after the jail is removed that way.  The only way I can get the jails to unmount is if I do a "jail -r jailname" which is what I want to avoid as I would not do that while the process inside the jail is still running.


Does anyone know of a way for the jails to umount the mount points in its fstab file when the only process inside the jail exits?

Thanks! foo
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

James Gritton-2
On 2019-04-30 12:03, squiggly foo wrote:

> Hi All,
>
> I use the mount.fstab parameter to mount a number of file systems
> before starting a jail which works without any problem.  However since
> it is an application jail, there are no other processes running inside
> the jail other than the one application.  As soon as that application
> terminates the jail is removed by the host.
>
> This is actually my preferred behavior; I want the jail to be removed
> when the process inside of it terminates.  But the problem is that the
> mount points are not unmounted after the jail is removed that way.
> The only way I can get the jails to unmount is if I do a "jail -r
> jailname" which is what I want to avoid as I would not do that while
> the process inside the jail is still running.
>
>
> Does anyone know of a way for the jails to umount the mount points in
> its fstab file when the only process inside the jail exits?

No easy way.  Those filesystems have to be unmounted by somebody; the
jail can't do it because it doesn't have the permission (because it
didn't
mount them).  So some process needs to be watching to see when the jail
goes away.  That would be some kind of watcher that wakes up
occasionally
and sees if the jail is still there.  It might be nice to have some
kqueue
support for jails.

- Jamie
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

Michael W. Lucas-2
On Wed, May 01, 2019 at 08:53:18AM -0600, James Gritton wrote:

> On 2019-04-30 12:03, squiggly foo wrote:
> > Hi All,
> >
> > I use the mount.fstab parameter to mount a number of file systems
> > before starting a jail which works without any problem.  However since
> > it is an application jail, there are no other processes running inside
> > the jail other than the one application.  As soon as that application
> > terminates the jail is removed by the host.
> >
> > This is actually my preferred behavior; I want the jail to be removed
> > when the process inside of it terminates.  But the problem is that the
> > mount points are not unmounted after the jail is removed that way.
> > The only way I can get the jails to unmount is if I do a "jail -r
> > jailname" which is what I want to avoid as I would not do that while
> > the process inside the jail is still running.
> >
> >
> > Does anyone know of a way for the jails to umount the mount points in
> > its fstab file when the only process inside the jail exits?
>
> No easy way.  Those filesystems have to be unmounted by somebody; the
> jail can't do it because it doesn't have the permission (because it
> didn't
> mount them).  So some process needs to be watching to see when the jail
> goes away.  That would be some kind of watcher that wakes up
> occasionally
> and sees if the jail is still there.  It might be nice to have some
> kqueue
> support for jails.


Maybe I'm not understanding the problem.

Is there a reason why exec.poststop="umount -aF /whatever/jail.fstab"
won't do the trick?

==ml

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

James Gritton-2
On 2019-05-01 09:22, Michael W. Lucas wrote:

> On Wed, May 01, 2019 at 08:53:18AM -0600, James Gritton wrote:
>> On 2019-04-30 12:03, squiggly foo wrote:
>> > Hi All,
>> >
>> > I use the mount.fstab parameter to mount a number of file systems
>> > before starting a jail which works without any problem.  However since
>> > it is an application jail, there are no other processes running inside
>> > the jail other than the one application.  As soon as that application
>> > terminates the jail is removed by the host.
>> >
>> > This is actually my preferred behavior; I want the jail to be removed
>> > when the process inside of it terminates.  But the problem is that the
>> > mount points are not unmounted after the jail is removed that way.
>> > The only way I can get the jails to unmount is if I do a "jail -r
>> > jailname" which is what I want to avoid as I would not do that while
>> > the process inside the jail is still running.
>> >
>> >
>> > Does anyone know of a way for the jails to umount the mount points in
>> > its fstab file when the only process inside the jail exits?
>>
>> No easy way.  Those filesystems have to be unmounted by somebody; the
>> jail can't do it because it doesn't have the permission (because it
>> didn't
>> mount them).  So some process needs to be watching to see when the
>> jail
>> goes away.  That would be some kind of watcher that wakes up
>> occasionally
>> and sees if the jail is still there.  It might be nice to have some
>> kqueue
>> support for jails.
>
>
> Maybe I'm not understanding the problem.
>
> Is there a reason why exec.poststop="umount -aF /whatever/jail.fstab"
> won't do the trick?

The works when it's jail(8) doing the removing.  But when the jail just
"runs out" on its own, because its last process has exited (and it
didn't
have "persist" set), there is no jail(8) to run the stop scripts.  
Normally
I would recommend setting persist and explicitly destroying the jail
later,
but that had already been mentioned as not preferred.

- Jamie
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

Isaac (.ike) Levy-2
Hi Jamie, all,

>> On May 1, 2019, at 5:33 PM, James Gritton <[hidden email]> wrote:
>>
>>> On 2019-05-01 09:22, Michael W. Lucas wrote:
>>> On Wed, May 01, 2019 at 08:53:18AM -0600, James Gritton wrote:
>>>> On 2019-04-30 12:03, squiggly foo wrote:
>>>> Hi All,
>>>>
>>>> I use the mount.fstab parameter to mount a number of file systems
>>>> before starting a jail which works without any problem.  However since
>>>> it is an application jail, there are no other processes running inside
>>>> the jail other than the one application.  As soon as that application
>>>> terminates the jail is removed by the host.

Cool/interesting use case for jail.

I am wondering how you start the jails?

Is there some way to simply trap the jailed process when you start it, to call the unmount routine? (e.g. trap the jail call itself from userland on 0 and other nonzero exits?)

Best,
.ike


>>>>
>>>> This is actually my preferred behavior; I want the jail to be removed
>>>> when the process inside of it terminates.  But the problem is that the
>>>> mount points are not unmounted after the jail is removed that way.
>>>> The only way I can get the jails to unmount is if I do a "jail -r
>>>> jailname" which is what I want to avoid as I would not do that while
>>>> the process inside the jail is still running.
>>>>
>>>>
>>>> Does anyone know of a way for the jails to umount the mount points in
>>>> its fstab file when the only process inside the jail exits?
>>> No easy way.  Those filesystems have to be unmounted by somebody; the
>>> jail can't do it because it doesn't have the permission (because it
>>> didn't
>>> mount them).  So some process needs to be watching to see when the jail
>>> goes away.  That would be some kind of watcher that wakes up
>>> occasionally
>>> and sees if the jail is still there.  It might be nice to have some
>>> kqueue
>>> support for jails.
>> Maybe I'm not understanding the problem.
>> Is there a reason why exec.poststop="umount -aF /whatever/jail.fstab"
>> won't do the trick?
>
> The works when it's jail(8) doing the removing.  But when the jail just
> "runs out" on its own, because its last process has exited (and it didn't
> have "persist" set), there is no jail(8) to run the stop scripts.  Normally
> I would recommend setting persist and explicitly destroying the jail later,
> but that had already been mentioned as not preferred.
>
> - Jamie
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "[hidden email]"

_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

Stefan Bethke-2
In reply to this post by squiggly foo
Am 30.04.2019 um 20:03 schrieb squiggly foo <[hidden email]>:
> I use the mount.fstab parameter to mount a number of file systems before starting a jail which works without any problem.  However since it is an application jail, there are no other processes running inside the jail other than the one application.  As soon as that application terminates the jail is removed by the host.

Would keeping the jail around be an alternative?

With the persist parameter, the jail doesn’t go away when the last process exits, and starting the same (or another) process with the same jail name will reuse the existing jail.

Only when you really want to get rid of the jail you destroy it explicitly, including unmounting the file systems.


Stefan

--
Stefan Bethke <[hidden email]>   Fon +49 151 14070811

_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

Dave Cottlehuber-2
In reply to this post by James Gritton-2

> mount them). So some process needs to be watching to see when the jail
> goes away. That would be some kind of watcher that wakes up
> occasionally
> and sees if the jail is still there. It might be nice to have some
> kqueue
> support for jails.

That or devfs notifications? Plumbing these up to general sysadmin tools would be nice.

Dave





_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

squiggly foo
In reply to this post by Stefan Bethke-2
Hi Stefan,

Thanks for the suggestion.  I thought about just leaving the jail there but it drives me nuts when I run the mount command on the host and I see all these mounts from jails when I just want to see the host mounts.

-foo

07.05.2019, 06:10, "Stefan Bethke" <[hidden email]>:

> Am 30.04.2019 um 20:03 schrieb squiggly foo <[hidden email]>:
>>  I use the mount.fstab parameter to mount a number of file systems before starting a jail which works without any problem. However since it is an application jail, there are no other processes running inside the jail other than the one application. As soon as that application terminates the jail is removed by the host.
>
> Would keeping the jail around be an alternative?
>
> With the persist parameter, the jail doesn’t go away when the last process exits, and starting the same (or another) process with the same jail name will reuse the existing jail.
>
> Only when you really want to get rid of the jail you destroy it explicitly, including unmounting the file systems.
>
> Stefan
>
> --
> Stefan Bethke <[hidden email]> Fon +49 151 14070811
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Application Jail Shutdown Problem

squiggly foo
In reply to this post by James Gritton-2
So I got around this problem by just not using the jail command to mount.fstab or exec.prestart etc commands.  I am now just using a shell script to mount the jail mount points, then run the jail.  When the jail exits, the rest of the script runs and umounts the jail filesystems.  However I found some interesting points that I just wanted to share:

Scenario 1) If I run "jail -c -f jailfile.txt" and "mount.fstab" & "exec.start = '/bin/csh'" are defined in the jailfile.txt

Then when I exit the csh session in the jail, being that csh is the only process running in the jail, the jail exits and all the jail file systems are still mounted; just as James said.  So mount.fstab is not being reversed.


Scenario 2) If I run "jail -c -f jailfile.txt" and "mount.fstab" & "exec.start = '/bin/csh && KILL -TERM -1'" are defined in the jailfile.txt

Then when I exit csh in the jail, everything IS umounted.  Since the kill command is last, it sends a terminate signal to all remaining jailed processes (which is none).  And jail seems to recognize when the term signal was sent inside the jail and run the exec.poststop and umounts whatever is in the jail fstab file.



Another issue slightly related and slightly not: After "jail -c -f jailfile.txt" is run and "mount.fstab" & "exec.start = '/bin/csh && KILL -TERM -1'" are defined in the jailfile.txt file, I used exec.prestart to do make a directory inside the jail root and then used exec.prestart to run another mount command to that newly created directory.  I need to make that directory and mount to it but mount.fstab is run by the jail first and I can't make a mkdir command inside of the fstab file.  

However when I comes time to exit the csh session in the jail, it correctly runs the KILL command which tells the jail to umount. but it cannot umount because I made a directory and mount inside of the jail tree that the jail.fstab file is not aware of.  There is not "exec.post_before_running_umount" type of command that I can use to do those things.

Again I solved all these problems just by using an external script.  But I was just mentioning that maybe there needs to be a way to run commands before the jail decides to umount automatically.

-foo


02.05.2019, 06:35, "James Gritton" <[hidden email]>:

> On 2019-05-01 09:22, Michael W. Lucas wrote:
>>  On Wed, May 01, 2019 at 08:53:18AM -0600, James Gritton wrote:
>>>  On 2019-04-30 12:03, squiggly foo wrote:
>>>  > Hi All,
>>>  >
>>>  > I use the mount.fstab parameter to mount a number of file systems
>>>  > before starting a jail which works without any problem. However since
>>>  > it is an application jail, there are no other processes running inside
>>>  > the jail other than the one application. As soon as that application
>>>  > terminates the jail is removed by the host.
>>>  >
>>>  > This is actually my preferred behavior; I want the jail to be removed
>>>  > when the process inside of it terminates. But the problem is that the
>>>  > mount points are not unmounted after the jail is removed that way.
>>>  > The only way I can get the jails to unmount is if I do a "jail -r
>>>  > jailname" which is what I want to avoid as I would not do that while
>>>  > the process inside the jail is still running.
>>>  >
>>>  >
>>>  > Does anyone know of a way for the jails to umount the mount points in
>>>  > its fstab file when the only process inside the jail exits?
>>>
>>>  No easy way. Those filesystems have to be unmounted by somebody; the
>>>  jail can't do it because it doesn't have the permission (because it
>>>  didn't
>>>  mount them). So some process needs to be watching to see when the
>>>  jail
>>>  goes away. That would be some kind of watcher that wakes up
>>>  occasionally
>>>  and sees if the jail is still there. It might be nice to have some
>>>  kqueue
>>>  support for jails.
>>
>>  Maybe I'm not understanding the problem.
>>
>>  Is there a reason why exec.poststop="umount -aF /whatever/jail.fstab"
>>  won't do the trick?
>
> The works when it's jail(8) doing the removing. But when the jail just
> "runs out" on its own, because its last process has exited (and it
> didn't
> have "persist" set), there is no jail(8) to run the stop scripts.
> Normally
> I would recommend setting persist and explicitly destroying the jail
> later,
> but that had already been mentioned as not preferred.
>
> - Jamie
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"