This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.
For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".
Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.
Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.
It generally does what one would expect, but setting up a jail
still takes a little knowledge.
A few notes:
I have no scripts for setting up a jail, don't ask me for them.
The IP number should be an alias on one of the interfaces.
mount a /proc in each jail, it will make ps more useable.
/proc/<pid>/status tells the hostname of the prison for
jailed processes.
Quotas are only sensible if you have a mountpoint per prison.
There are no privisions for stopping resource-hogging.
Some "#ifdef INET" and similar may be missing (send patches!)
If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!
Tools, comments, patches & documentation most welcome.
Have fun...
Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/
that doesn't have it. This is achieved by having minimal do-nothing stubs
enabled when there are no bpfilter devices configured.
Driver modules should be built with BPF enabled for maximum
convenience (but can be built without it for maximum performance).
i386 platform boots, it is no longer ISA-centric, and is fully dynamic.
Most old drivers compile and run without modification via 'compatability
shims' to enable a smoother transition. eisa, isapnp and pccard* are
not yet using the new resource manager. Once fully converted, all drivers
will be loadable, including PCI and ISA.
(Some other changes appear to have snuck in, including a port of Soren's
ATA driver to the Alpha. Soren, back this out if you need to.)
This is a checkpoint of work-in-progress, but is quite functional.
The bulk of the work was done over the last few years by Doug Rabson and
Garrett Wollman.
Approved by: core
only worked for configurations with "swap on generic".
usr.sbin/config/config.y:
- ignore all "swap [on] device ...' specifications except for
warning about them. They haven't done anything related to swap
for almost 4 years, and were previously silently ignored,
except for "swap on generic" which stopped swap${KERNEL}.c
from being generated. Code to support swapping is now deader
than before.
usr.sbin/config/mkswapconf.c:
- don't generate a dummy setconf() function in swap${KERNEL}.c.
sys/i386/conf/files.i386:
- swapgeneric.c is now standard. It should be merged into autoconf.c
so that it doesn't conflict with swap${KERNEL}.c for kernels named
"generic".
sys/i386/i386/autoconf.c:
- don't call setroot() for mfs roots. Since setroot() doesn't do anything
harmful, this was just a waste of time, except possibly for booting with
-a it may have helped prevent an undesireable call to setconf() by
finding a bogus rootdev.
- honor -a for ffs roots. -a now overrides all other ways of specifying
the root device. Previously, -r had precedence over -a, and the -a
handling was usually a no-op.
- don't honor -a for non-ffs roots, since it would currently just get in
the way of a clean panic.
sys/i386/i386/swapgeneric.c:
- don't declare things that are now always declared in swap${KERNEL}.c.
Don't decide things that are now decided in autoconf.c. Code to
support the "generic" case is now dead instead of useless.
All it did was match a specific device ID and turn on a quirk for
the wdc driver.
Incidently, at line 1462 there is a return that prevents the generic
ide_pci code from trying to look at the device. I'd be interested
to know if we can take out the return and let the generic code "see" it.
I've left the return in because that's the way it worked before.
(Be sure to rerun config after cvsup or you'll get undefined files!)
perform a cleanup/unifdef sweep over it to tidy things up. The atapi
code is permanently attached to the wd driver and is always probed.
I will add an extra option bit in the flags to disable an atapi probe on
either the master or slave if needed, if people want this.
Remember, this driver is destined to die some time. It's possible that
it will loose all atapi support down the track and only be used for
dumb non-ATA disks and all ata/atapi devices will be handled by the new
ata system.
ATAPI, ATAPI_STATIC and CMD640 are no longer options, all are implicit.
Previously discussed with: sos
Sense ${DEBUG} to decide on building kernel.debug or not.
Use a common install and install.debug target to minimize duplication.
(I deleted the ELF transition kernel warning, it was getting dated..)
Requested-by: ache
bde
dg
Modify targets for debug kernels: when -g was specified, make will
now build a debug kernel called kernel.debug, and create a stripped
version called kernel at the same time. The two targets install and
install.debug are otherwise unchanged.
Requested-by: dillon
Update man page accordingly.
2. Config complains if you use -g:
Debugging is enabled by default, there is no ned to specify the -g option
3. Config warns you if you don't use -s:
Building kernel with full debugging symbols. Do
"config -s BSD" for historic partial symbolic support.
To install the debugging kernel, do make install.debug
(BSD was the name of the config file I used; I print out the same
name).
4. Modify Makefile.i386, Makefile.alpha, Makefile.pc98 and config to
work if a kernel name other than 'kernel' is specified. This is
not absolutely necessary, but useful, and it was relatively easy.
I now have a kernel called /crapshit :-)
5. Modify Makefile.i386, Makefile.alpha, Makefile.pc98 "clean" target
to remove both the debug and normal kernel.
6. Modify all to install the stripped kernel by default and the debug
kernel if you enter "make install.debug".
7. Update version number of Makefiles and config.
Networks Tigon 1 and Tigon 2 chipsets. There are a _lot_ of OEM'ed
gigabit ethernet adapters out there which use the Alteon chipset so
this driver covers a fair amount of hardware. I know that it works with
the Alteon AceNIC, 3Com 3c985 and Netgear GA620, however it should also
work with the DEC/Compaq EtherWORKS 1000, Silicon Graphics Gigabit
ethernet board, NEC Gigabit Ethernet board and maybe even the IBM and
and Sun boards. The Netgear board is the cheapest (~$350US) but still
yields fairly good performance.
Support is provided for jumbo frames with all adapters (just set the
MTU to something larger than 1500 bytes), as well as hardware multicast
filtering and vlan tagging (in conjunction with the vlan support in
-current, which I should merge into -stable soon). There are some hooks
for checksum offload support, but they're turned off for now since
FreeBSD doesn't have an officially sanctioned way to support checksum
offloading (yet).
I have not added the 'device ti0' entry to GENERIC since the driver
with all the firmware compiled in is quite large, and it doesn't really
fit into the category of generic hardware.
Add Sound Card ID for the nss(NEC PC-9801-86 Sound System) driver.
Old name of this driver was pcm driver in FreeBSD 2.2.x.
Fix lack of the length of the name member of the synth_info structure.
(attach_mpu401 in sys/i386/isa/sound/mpu401.c requires 33 chars.)
o sys/i386/isa/sound/dev_table.h
Add the DMAbuf flags definition DMA_DISABLE.
Add the nss driver entry.
o sys/i386/isa/sound/dmabuf.c
Add the DMA_DISABLE flag check in DMAbuf_outputintr and DMAbuf_inputintr
to disable DMA control in FIFO only use (nss driver required).
o sys/i386/isa/sound/local.h
Add the nss driver entry.
o sys/i386/isa/sound/mpu401.c
Replace inb function in probe_mpu401 to mpu401_status macro.
Wrap macro argument for above replace.
Add I/O port maping macro for NEC PC-98x1 arch.
Add delay in NEC PC-98x1 arch.
o sys/i386/isa/sound/pcm86.c
Change driver name to avoid name space conflict to new pcm driver.
Fix NEC PC-9801-86 driver to work on RELENG_3 branch or latter.
o sys/i386/isa/sound/sound_calls.h
Fix the mpuintr definition.
Add the nss driver entry.
attach_nss, probe_nss, nssintr
o sys/i386/isa/sound/soundcard.c
Fix lack of the mpuintr registration.
Add the nss driver entry.
o sys/pc98/conf/files.pc98
Add the nss driver entry.
Reviewed by: kato
Submitted by: Akio Morita <amorita@meadow.scphys.kyoto-u.ac.jp>