Commit Graph

354 Commits

Author SHA1 Message Date
Poul-Henning Kamp
75c1354190 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more usable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no provisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
Poul-Henning Kamp
f711d546d2 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
Dmitrij Tejblum
c1eefce941 Fixed printf format errors on alpha. 1999-04-24 11:29:48 +00:00
Peter Wemm
ae3d216ad8 Close a potential mbuf and/or mbuf cluster leak in the client-side NFS
statfs() code.  Free the whole chain, not just the first one.
1999-04-10 18:53:29 +00:00
Peter Wemm
8a0d8193f2 Hold nfsd's upages in-core with PHOLD rather than P_NOSWAP. 1999-04-06 03:07:54 +00:00
Julian Elischer
8d17e69460 Catch a case spotted by Tor where files mmapped could leave garbage in the
unallocated parts of the last page when the file ended on a frag
but not a page boundary.
Delimited by tags PRE_MATT_MMAP_EOF and POST_MATT_MMAP_EOF,
in files alpha/alpha/pmap.c i386/i386/pmap.c nfs/nfs_bio.c vm/pmap.h
    vm/vm_page.c vm/vm_page.h vm/vnode_pager.c miscfs/specfs/spec_vnops.c
    ufs/ufs/ufs_readwrite.c kern/vfs_bio.c

Submitted by: Matt Dillon <dillon@freebsd.org>
Reviewed by: Alan Cox <alc@freebsd.org>
1999-04-05 19:38:30 +00:00
Julian Elischer
4ef2094e45 Reviewed by: Many at different times in different parts,
including alan, john, me, luoqi, and kirk
Submitted by:	Matt Dillon <dillon@frebsd.org>

This change implements a relatively sophisticated fix to getnewbuf().
There were two problems with getnewbuf(). First, the writerecursion
can lead to a system stack overflow when you have NFS and/or VN
devices in the system. Second, the free/dirty buffer accounting was
completely broken. Not only did the nfs routines blow it trying to
manually account for the buffer state, but the accounting that was
done did not work well with the purpose of their existence: figuring
out when getnewbuf() needs to sleep.

The meat of the change is to kern/vfs_bio.c. The remaining diffs are
all minor except for NFS, which includes both the fixes for bp
interaction AND fixes for a 'biodone(): buffer already done' lockup.
Sys/buf.h also contains a chaining structure which is not used by
this patchset but is used by other patches that are coming soon.
This patch delineated by tags PRE_MAT_GETBUF and POST_MAT_GETBUF.
(sorry for the missing T matt)
1999-03-12 02:24:58 +00:00
Peter Wemm
803870b48d Untangle the nfs send and receive queue locking a little. One lock
routine was [ab]used for two different things, and you couldn't tell from
the wait channel which one had wedged.
Catch a few things missing from NFS_NOSERVER.
1999-02-25 00:03:51 +00:00
Doug Rabson
ef5253d801 Move the declaration of the vfs.nfs sysctl node outside an ifdef so that
it builds if NFS_NOSERVER is defined.

Spotted by: Bruce Evans <bde@zeta.org.au>
1999-02-18 09:19:41 +00:00
Bruce Evans
1f2e401efc Fixed bitrot in NFS_ACDEBUG option. 1999-02-17 13:59:29 +00:00
Doug Rabson
ce02431ffa * Change sysctl from using linker_set to construct its tree using SLISTs.
This makes it possible to change the sysctl tree at runtime.

* Change KLD to find and register any sysctl nodes contained in the loaded
  file and to unregister them when the file is unloaded.

Reviewed by: Archie Cobbs <archie@whistle.com>,
	Peter Wemm <peter@netplex.com.au> (well they looked at it anyway)
1999-02-16 10:49:55 +00:00
Matthew Dillon
2a2ecc3027 General additional cleanup of VOP API for NFS ops - mainly NFS ignoring
the API for freeing up cnp's.  This cleanup should not affect nominal
operation one way or the other since NFS VOPs just happen to be called
with flags that match what it actually does to the NAMEI components it
gets.  Still, if an NFS error occurred, there was probably some memory
leakage of NAMEI components with certain NFS VOP ops.
1999-02-13 09:47:30 +00:00
Matthew Dillon
5e9d4f1303 PR: kern/9970
Remove incorrect vput() in nfs_link()
1999-02-13 08:01:59 +00:00
Matthew Dillon
61da17a62c Flush delayed-write data out prior to issuing a rename rpc. This appears
to fix the problem w/ NFSV3 whereby a make installworld would get into
high-network-bandwidth situations continuously trying to retry nfs writes
that fail with a 'stale file handle' error.
1999-02-06 07:48:56 +00:00
Matthew Dillon
697457a133 Fix warnings related to -Wall -Wcast-qual 1999-01-28 17:32:05 +00:00
Matthew Dillon
8aef171243 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-28 00:57:57 +00:00
Matthew Dillon
fe08c21a53 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile.

This commit includes significant work to properly handle const arguments
for the DDB symbol routines.
1999-01-27 23:45:44 +00:00
Matthew Dillon
cdb96ab470 Fix nasty bug in nfs_access(). A conditional was if (a = b) instead of
if (a == b).
1999-01-27 22:45:49 +00:00
Matthew Dillon
53b3bd0e25 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:45:13 +00:00
Matthew Dillon
831a80b0d5 Fix warnings in preparation for adding -Wall -Wcast-qual to the
kernel compile
1999-01-27 22:42:27 +00:00
Matthew Dillon
1c7c3c6a86 This is a rather large commit that encompasses the new swapper,
changes to the VM system to support the new swapper, VM bug
fixes, several VM optimizations, and some additional revamping of the
VM code.  The specific bug fixes will be documented with additional
forced commits.  This commit is somewhat rough in regards to code
cleanup issues.

Reviewed by:	"John S. Dyson" <root@dyson.iquest.net>, "David Greenman" <dg@root.com>
1999-01-21 08:29:12 +00:00
Eivind Eklund
f65b39828c Remove two cases of unused variable sp3. 1999-01-12 12:39:14 +00:00
Eivind Eklund
fb1167777a Remove the 'waslocked' parameter to vfs_object_create(). 1999-01-05 18:50:03 +00:00
Tim Vanderhoek
dea9268b70 Silence -Wtrigraph.
Submitted by:	Bradley Dunn <bradley@dunn.org>  (pr: kern/8817)
1998-12-30 00:37:44 +00:00
Doug Rabson
6cd60632a6 Fix for creating files on a Solaris 7 server with NFSv3 (the request was
slightly garbled but older servers seemed to understand it).

Reviewed by: David O'Brien <obrien@nuxi.ucdavis.edu>
1998-12-25 10:34:27 +00:00
Dmitrij Tejblum
85f118c801 Added 3 new errno values, required by various standards: EOVERFLOW,
ECANCELED, EILSEQ.

Fixed ibcs2 and especially linux EIDRM and ENOMSG errno mapping.
Reviewed by:	Dan Nelson <dnelson@emsphone.com>
1998-12-14 18:54:04 +00:00
Dmitrij Tejblum
10db74e96d (Hopefully) fix support for "large" files. Mostly cast block numbers to off_t
before they multiplied to block sizes.
1998-12-14 17:51:30 +00:00
Eivind Eklund
5fd7941bd3 Remove the if fixed in the last commit; bde quite correctly points out
that it can never fail.
1998-12-09 15:12:53 +00:00
Eivind Eklund
d27dddc9d5 Fix typo (; in "if (vp == NULL);"). 1998-12-08 23:11:24 +00:00
Archie Cobbs
f1d19042b0 The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
Archie Cobbs
2127f26023 Examine all occurrences of sprintf(), strcat(), and str[n]cpy()
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for other cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.

These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.

Reviewed by:	Bruce Evans <bde@zeta.org.au>
Reviewed by:	Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by:	Mike Spengler <mks@networkcs.com>
1998-12-04 22:54:57 +00:00
Matthew Dillon
aeb728f0d5 Make bootp error message slightly more verbose 1998-12-03 20:28:23 +00:00
Mike Smith
ad6d02135b Reimplement the NFS ACCESS RPC cache as an "accelerator" rather than a true
cache.  If the cached result lets us say "yes", then go with that.  If
we're not sure, or we think the answer might be "no", go to the wire to be
certain.    This avoids all of the possible false veto cases, and allows us
to key the cached value with just the UID for which the cached value holds,
reducing the bloat of the nfsnode structure from 104 bytes to just 12 bytes.

Since the "yes" case is by far the most common, this should still provide
a substantial performance improvement.  Also default the cache to on, with
a conservative timeout (2 seconds).  This improves performance if NFS is
loaded as a KLD module, as there's not (yet) code to parse an option out
of the module arguments to set it, and sysctl doesn't work (yet) for OIDs
in modules.

The 'accelerator' mode was suggested by Bjoern Groenvall (bg@sics.se)

Feedback on this would be appreciated as testing has been necessarily
limited by Comdex, and it would be valuable to have this in 2.2.8.
1998-11-15 20:36:18 +00:00
Mike Smith
692c33253b Avoid a null pointer reference if the target of an NFS rename has been
sillyrenamed, or if the source vnode doesn't have an associated nfsnode.

Bug report from Andrew Gallatin <gallatin@cs.duke.edu>
1998-11-13 22:58:48 +00:00
Doug Rabson
86442b5201 Fix a panic in nfsrv_dorec() where a NULL pointer could be passed to
free() sometimes.

Reviewed by: Eric Haug <ejh@eas.slu.edu>
1998-11-13 09:44:12 +00:00
Mike Smith
c5118de899 Implement NFS ACCESS RPC result caching.
This yields startling performance increases for NFS clients for many
access profiles, due to the fact that ACCESS results are persistently
cached in the namecache in many cases.

Note that the code is somewhat conservative in that it requires an
exact credential match for a cache hit.  This bloats the nfsnode
structure by sizeof(struct ucred) (96 bytes).  Any less conservative
approach opens the possibility for a false veto in e.g. setuid
applications.  Alternative suggestions would be welcomed.

The cache is normally disabled, to activate set the sysctl variable
vfs.nfs.access_cache_timeout to a nonzero value.  This is the time in
seconds that a cached entry will be considered valid; useful values appear
to be 2-10 seconds.  Performance of the cache can be monitored with the
vfs.nfs.access_cache_hits and vfs.nfs.access_cache_hits variables.
1998-11-13 02:39:09 +00:00
Peter Wemm
dad00f4e9c Remove [apparently] bogus casts to u_long for the vnode_pager_setsize()
second argument.  np_size is a 64 bit int, so is the second arg.  This
might have caused needless 2G/4G file size problems.

I believe it was Bruce who queried this.
1998-11-09 07:00:14 +00:00
Peter Wemm
1f2edded90 vm_object_page_clean() last arg changed from TRUE to OBJPC_SYNC. I'm not
sure that this is necessary to be a sync write here since a VOP_FSYNC()
follows and it will schedule, sort and complete the writes that the
vm_object_page_clean() started (as I think I understand things).
1998-10-31 15:39:31 +00:00
Peter Wemm
40c8cfe552 Use TAILQ macros for clean/dirty block list processing. Set b_xflags
rather than abusing the list next pointer with a magic number.
1998-10-31 15:31:29 +00:00
Kirk McKusick
b5cf6d7984 In nfs_link(), check for a cross-device mount *before* looking
in the v_data field.
Obtained from: Charles Hannum, via Frank van der Linden <frank@wins.uva.nl>
1998-09-29 23:39:37 +00:00
Kirk McKusick
d25ad74791 Missing vput when cross-device link error is detected in nfs_link. 1998-09-29 23:29:48 +00:00
Kirk McKusick
b6b74f2f4e During truncation, have to notify the VM about the new size
of the NFS file *before* doing the nfs_vinvalbuf operation.
Otherwise some invalid data may show up in an mmap.
1998-09-29 23:28:32 +00:00
Kirk McKusick
e68e908bda Frank sez: 'It fixes a problem with servers that return 0 values
for some of the fsinfo RPC fields. It is strictly speaking not
wrong to do this, as the spec says that "it is expected that a
server will make a best effort at supporting all the attributes",
but pretty unusual. You guessed it, it's NT servers that do it.'
Obtained from: Frank van der Linden <frank@wins.uva.nl>
1998-09-29 23:15:53 +00:00
Kirk McKusick
35800d700a Do not need (or want) to take a reference on an NFS file that
is being deleted due to a forcible unmount. The problem is
that vgone calls vclean() which then calls nfs_inactive()
with VXLOCK set on the vnode. Nfs_inactive() was calling vget()
to get a reference on the vnode, which in turn hung on VXLOCK.
Nfs_inactive() now checks v_usecount to make sure that the vnode
is not coming from vclean() before it does a vget().
1998-09-29 23:15:25 +00:00
Kirk McKusick
96438eb911 The code checks each fragment mark to see if it's valid; if the fragment
is less than NFS_MINPACKET or greater than NFS_MAXPACKET in size, it
barfs and, I think, drops the connection.

However, there's no guarantee that in a multi-fragment RPC, all the
fragments will be at least as large as NFS_MINPACKET.

In fact, with the version of "tclnfs" we have here, which supports NFS
over TCP, at least when built under SunOS 4.1.3 (i.e., with 4.1.3's
user-mode ONC RPC library), I can *repeatably* cause "tclnfs" to send a
request with more than one fragment, one of which is only 8 bytes long.
I just do a 3877-byte write to a file, at an offset of 0.

The check that "slp->ns_reclen" is greater than or equal to
NFS_MINPACKET serves no useful purpose - if the NFS server code can't
handle packets < NFS_MINPACKET bytes, it can't handle them over *any*
protocol, so the check has to be done above the RPC-over-TCP layer - and
should be removed.
Obtained from: Fix from Guy Harris, forwarded by Rick Macklem.
1998-09-29 22:33:05 +00:00
Kirk McKusick
1cda241131 Mark directory buffers that have no valid data with B_INVAL
so that they are not put in the cache.
1998-09-29 22:01:10 +00:00
Kirk McKusick
113b88d241 When adding data to a buffer, we need to clear the B_NEEDCOMMIT flag
which says that the data is on server but not committed.
1998-09-29 21:46:54 +00:00
Bruce Evans
8994ca3ce9 Removed statically configured mount type numbers (MOUNT_*) and all
references to them.

The change a couple of days ago to ignore these numbers in statically
configured vfsconf structs was slightly premature because the cd9660,
cfs, devfs, ext2fs, nfs vfs's still used MOUNT_* instead of the number
in their vfsconf struct.
1998-09-07 13:17:06 +00:00
Bruce Evans
cae300be0f Made unloading of the nfs LKM sort of work. This is mainly to test
detachment of vfs sysctls.  Unloading of vfs LKMs doesn't actually
work for any vfs, since it leaves garbage pointers to memory
allocation control structures.
1998-09-07 05:42:15 +00:00
Bruce Evans
e99ea9ec2b Ignore the statically configured vfs type numbers and assign vfs
type numbers in vfs attach order (modulo incomplete reuse of old
numbers after vfs LKMs are unloaded).  This requires reinitializing
the sysctl tree (or at least the vfs subtree) for vfs's that support
sysctls (currently only nfs).  sysctl_order() already handled
reinitialization reasonably except it checked for annulled self
references in the wrong place.

Fixed sysctls for vfs LKMs.
1998-09-05 17:13:28 +00:00