Should killed process deref a jail?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Should killed process deref a jail?

Kyle Evans-3
Hi,

In doing some testing of qemu-user-static recently, I noticed that
killing the last process in a non-persist jail doesn't kill off the
jail:

root@viper:/usr/src# jail -c path=/ command=yes
## ^C out

root@viper:/usr/src# jls
   JID  IP Address      Hostname                      Path
   181                                                /

root@viper:/usr/src# ps fxJ 181
PID TT  STAT TIME COMMAND

As a result, I ended up with 82 jails pointed at my armv7 sysroot and
much surprise when I checked out `jls`. This vaguely smells like a
bug, is this something that should be fixed?

Thanks,

Kyle Evans
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Should killed process deref a jail?

Kurt Jaeger-6
Hi!

> In doing some testing of qemu-user-static recently, I noticed that
> killing the last process in a non-persist jail doesn't kill off the
> jail:
>
> root@viper:/usr/src# jail -c path=/ command=yes
> ## ^C out
>
> root@viper:/usr/src# jls
>    JID  IP Address      Hostname                      Path
>    181                                                /
>
> root@viper:/usr/src# ps fxJ 181
> PID TT  STAT TIME COMMAND
>
> As a result, I ended up with 82 jails pointed at my armv7 sysroot and
> much surprise when I checked out `jls`. This vaguely smells like a
> bug, is this something that should be fixed?

Depends. If the last process held some socket and the socket
is still in the state LINGER.

See

https://deepix.github.io/2016/10/21/tcprst.html

for more details, after the heading 'What is SO_LINGER?'

You can probably see those sockets with

sockstat -s | grep -v ESTAB | grep -v LISTEN | grep -v TIME_WAIT | grep -v stream

--
[hidden email]            +49 171 3101372                    Now what ?
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Should killed process deref a jail?

Kyle Evans-3
On Wed, May 6, 2020 at 1:49 PM Kurt Jaeger <[hidden email]> wrote:

>
> Hi!
>
> > In doing some testing of qemu-user-static recently, I noticed that
> > killing the last process in a non-persist jail doesn't kill off the
> > jail:
> >
> > root@viper:/usr/src# jail -c path=/ command=yes
> > ## ^C out
> >
> > root@viper:/usr/src# jls
> >    JID  IP Address      Hostname                      Path
> >    181                                                /
> >
> > root@viper:/usr/src# ps fxJ 181
> > PID TT  STAT TIME COMMAND
> >
> > As a result, I ended up with 82 jails pointed at my armv7 sysroot and
> > much surprise when I checked out `jls`. This vaguely smells like a
> > bug, is this something that should be fixed?
>
> Depends. If the last process held some socket and the socket
> is still in the state LINGER.
>
> See
>
> https://deepix.github.io/2016/10/21/tcprst.html
>
> for more details, after the heading 'What is SO_LINGER?'
>
> You can probably see those sockets with
>

That'd make sense, but in this case it's actually reproducible with
yes(1), which doesn't open up any sockets or actually use any external
resources other than write()ing to stdout.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Should killed process deref a jail?

Kyle Evans-3
On Wed, May 6, 2020 at 1:55 PM Kyle Evans <[hidden email]> wrote:

>
> On Wed, May 6, 2020 at 1:49 PM Kurt Jaeger <[hidden email]> wrote:
> >
> > Hi!
> >
> > > In doing some testing of qemu-user-static recently, I noticed that
> > > killing the last process in a non-persist jail doesn't kill off the
> > > jail:
> > >
> > > root@viper:/usr/src# jail -c path=/ command=yes
> > > ## ^C out
> > >
> > > root@viper:/usr/src# jls
> > >    JID  IP Address      Hostname                      Path
> > >    181                                                /
> > >
> > > root@viper:/usr/src# ps fxJ 181
> > > PID TT  STAT TIME COMMAND
> > >
> > > As a result, I ended up with 82 jails pointed at my armv7 sysroot and
> > > much surprise when I checked out `jls`. This vaguely smells like a
> > > bug, is this something that should be fixed?
> >
> > Depends. If the last process held some socket and the socket
> > is still in the state LINGER.
> >
> > See
> >
> > https://deepix.github.io/2016/10/21/tcprst.html
> >
> > for more details, after the heading 'What is SO_LINGER?'
> >
> > You can probably see those sockets with
> >
>
> That'd make sense, but in this case it's actually reproducible with
> yes(1), which doesn't open up any sockets or actually use any external
> resources other than write()ing to stdout.

This turns out to be PEBCAK, as jail(8) will always set persist if
there's a command to be run. Sorry for the noise...
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Reply | Threaded
Open this post in threaded view
|

Re: Should killed process deref a jail?

Kyle Evans-3
In reply to this post by Kyle Evans-3
On Wed, May 6, 2020 at 1:42 PM Kyle Evans <[hidden email]> wrote:

>
> Hi,
>
> In doing some testing of qemu-user-static recently, I noticed that
> killing the last process in a non-persist jail doesn't kill off the
> jail:
>
> root@viper:/usr/src# jail -c path=/ command=yes
> ## ^C out
>
> root@viper:/usr/src# jls
>    JID  IP Address      Hostname                      Path
>    181                                                /
>
> root@viper:/usr/src# ps fxJ 181
> PID TT  STAT TIME COMMAND
>
> As a result, I ended up with 82 jails pointed at my armv7 sysroot and
> much surprise when I checked out `jls`. This vaguely smells like a
> bug, is this something that should be fixed?
>

I wrote a small utility to workaround this behavior:
https://git.kevans.dev/kevans/quickjail

I hope to quickly deprecate it with this review or something similar,
if it seems reasonable: https://reviews.freebsd.org/D24745 -> my
problem is entirely centered around sending ^C to the jail command=
that's hanging, which sends SIGINT to the entire foreground process
group, thus killing jail(8) in the process and preventing the cleanup
that should happen when the command terminates.

I think it's perhaps reasonable to just ignore SIGINT and let the
child deal with it or terminate to let jail(8) cleanup afterwards.
Perhaps the surface area in that review that's ignoring SIGINT (read:
the whole thing) is too large, but this is an exercise left up to
someone way more familiar with jail than I am.

Thanks,

Kyle Evans
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"