This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.
For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".
Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.
Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.
It generally does what one would expect, but setting up a jail
still takes a little knowledge.
A few notes:
I have no scripts for setting up a jail, don't ask me for them.
The IP number should be an alias on one of the interfaces.
mount a /proc in each jail, it will make ps more useable.
/proc/<pid>/status tells the hostname of the prison for
jailed processes.
Quotas are only sensible if you have a mountpoint per prison.
There are no privisions for stopping resource-hogging.
Some "#ifdef INET" and similar may be missing (send patches!)
If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!
Tools, comments, patches & documentation most welcome.
Have fun...
Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/
that doesn't have it. This is achieved by having minimal do-nothing stubs
enabled when there are no bpfilter devices configured.
Driver modules should be built with BPF enabled for maximum
convenience (but can be built without it for maximum performance).
i386 platform boots, it is no longer ISA-centric, and is fully dynamic.
Most old drivers compile and run without modification via 'compatability
shims' to enable a smoother transition. eisa, isapnp and pccard* are
not yet using the new resource manager. Once fully converted, all drivers
will be loadable, including PCI and ISA.
(Some other changes appear to have snuck in, including a port of Soren's
ATA driver to the Alpha. Soren, back this out if you need to.)
This is a checkpoint of work-in-progress, but is quite functional.
The bulk of the work was done over the last few years by Doug Rabson and
Garrett Wollman.
Approved by: core
only worked for configurations with "swap on generic".
usr.sbin/config/config.y:
- ignore all "swap [on] device ...' specifications except for
warning about them. They haven't done anything related to swap
for almost 4 years, and were previously silently ignored,
except for "swap on generic" which stopped swap${KERNEL}.c
from being generated. Code to support swapping is now deader
than before.
usr.sbin/config/mkswapconf.c:
- don't generate a dummy setconf() function in swap${KERNEL}.c.
sys/i386/conf/files.i386:
- swapgeneric.c is now standard. It should be merged into autoconf.c
so that it doesn't conflict with swap${KERNEL}.c for kernels named
"generic".
sys/i386/i386/autoconf.c:
- don't call setroot() for mfs roots. Since setroot() doesn't do anything
harmful, this was just a waste of time, except possibly for booting with
-a it may have helped prevent an undesireable call to setconf() by
finding a bogus rootdev.
- honor -a for ffs roots. -a now overrides all other ways of specifying
the root device. Previously, -r had precedence over -a, and the -a
handling was usually a no-op.
- don't honor -a for non-ffs roots, since it would currently just get in
the way of a clean panic.
sys/i386/i386/swapgeneric.c:
- don't declare things that are now always declared in swap${KERNEL}.c.
Don't decide things that are now decided in autoconf.c. Code to
support the "generic" case is now dead instead of useless.
All it did was match a specific device ID and turn on a quirk for
the wdc driver.
Incidently, at line 1462 there is a return that prevents the generic
ide_pci code from trying to look at the device. I'd be interested
to know if we can take out the return and let the generic code "see" it.
I've left the return in because that's the way it worked before.
(Be sure to rerun config after cvsup or you'll get undefined files!)
perform a cleanup/unifdef sweep over it to tidy things up. The atapi
code is permanently attached to the wd driver and is always probed.
I will add an extra option bit in the flags to disable an atapi probe on
either the master or slave if needed, if people want this.
Remember, this driver is destined to die some time. It's possible that
it will loose all atapi support down the track and only be used for
dumb non-ATA disks and all ata/atapi devices will be handled by the new
ata system.
ATAPI, ATAPI_STATIC and CMD640 are no longer options, all are implicit.
Previously discussed with: sos
Sense ${DEBUG} to decide on building kernel.debug or not.
Use a common install and install.debug target to minimize duplication.
(I deleted the ELF transition kernel warning, it was getting dated..)
Requested-by: ache
bde
dg
Modify targets for debug kernels: when -g was specified, make will
now build a debug kernel called kernel.debug, and create a stripped
version called kernel at the same time. The two targets install and
install.debug are otherwise unchanged.
Requested-by: dillon
Update man page accordingly.
2. Config complains if you use -g:
Debugging is enabled by default, there is no ned to specify the -g option
3. Config warns you if you don't use -s:
Building kernel with full debugging symbols. Do
"config -s BSD" for historic partial symbolic support.
To install the debugging kernel, do make install.debug
(BSD was the name of the config file I used; I print out the same
name).
4. Modify Makefile.i386, Makefile.alpha, Makefile.pc98 and config to
work if a kernel name other than 'kernel' is specified. This is
not absolutely necessary, but useful, and it was relatively easy.
I now have a kernel called /crapshit :-)
5. Modify Makefile.i386, Makefile.alpha, Makefile.pc98 "clean" target
to remove both the debug and normal kernel.
6. Modify all to install the stripped kernel by default and the debug
kernel if you enter "make install.debug".
7. Update version number of Makefiles and config.
Networks Tigon 1 and Tigon 2 chipsets. There are a _lot_ of OEM'ed
gigabit ethernet adapters out there which use the Alteon chipset so
this driver covers a fair amount of hardware. I know that it works with
the Alteon AceNIC, 3Com 3c985 and Netgear GA620, however it should also
work with the DEC/Compaq EtherWORKS 1000, Silicon Graphics Gigabit
ethernet board, NEC Gigabit Ethernet board and maybe even the IBM and
and Sun boards. The Netgear board is the cheapest (~$350US) but still
yields fairly good performance.
Support is provided for jumbo frames with all adapters (just set the
MTU to something larger than 1500 bytes), as well as hardware multicast
filtering and vlan tagging (in conjunction with the vlan support in
-current, which I should merge into -stable soon). There are some hooks
for checksum offload support, but they're turned off for now since
FreeBSD doesn't have an officially sanctioned way to support checksum
offloading (yet).
I have not added the 'device ti0' entry to GENERIC since the driver
with all the firmware compiled in is quite large, and it doesn't really
fit into the category of generic hardware.
Add Sound Card ID for the nss(NEC PC-9801-86 Sound System) driver.
Old name of this driver was pcm driver in FreeBSD 2.2.x.
Fix lack of the length of the name member of the synth_info structure.
(attach_mpu401 in sys/i386/isa/sound/mpu401.c requires 33 chars.)
o sys/i386/isa/sound/dev_table.h
Add the DMAbuf flags definition DMA_DISABLE.
Add the nss driver entry.
o sys/i386/isa/sound/dmabuf.c
Add the DMA_DISABLE flag check in DMAbuf_outputintr and DMAbuf_inputintr
to disable DMA control in FIFO only use (nss driver required).
o sys/i386/isa/sound/local.h
Add the nss driver entry.
o sys/i386/isa/sound/mpu401.c
Replace inb function in probe_mpu401 to mpu401_status macro.
Wrap macro argument for above replace.
Add I/O port maping macro for NEC PC-98x1 arch.
Add delay in NEC PC-98x1 arch.
o sys/i386/isa/sound/pcm86.c
Change driver name to avoid name space conflict to new pcm driver.
Fix NEC PC-9801-86 driver to work on RELENG_3 branch or latter.
o sys/i386/isa/sound/sound_calls.h
Fix the mpuintr definition.
Add the nss driver entry.
attach_nss, probe_nss, nssintr
o sys/i386/isa/sound/soundcard.c
Fix lack of the mpuintr registration.
Add the nss driver entry.
o sys/pc98/conf/files.pc98
Add the nss driver entry.
Reviewed by: kato
Submitted by: Akio Morita <amorita@meadow.scphys.kyoto-u.ac.jp>
Well, better late than newer, but things has been hectic
around here, sorry for the long delay.
DMA support has been added to the ATA disk driver.
This only works on Intel PIIX3/4, Acer Aladdin and Promise controllers.
The promise support works without the BIOS on the board,
and timing modes are set to support up to UDMA speed. This
solves the problems with having more than one promise controller
in the same system.
There is support for "generic" DMA, that might work on other
controllers, but now you have been warned :)
More chipset specific code will come soon, I have to find testers
with the approbiate HW, more on that when I have it ready.
The system now uses its own major numbers, please run MAKEDEV
with the devices you need (ad?, acd?, afd?, ast?).
For now the disk driver will also attach to the old wd major
so one can at least boot without this step, but be warned, this
will eventually go away. The bootblocks will have to be changed
before one can boot directly from an "ad" device though.
Fixed problems:
All known hang problems should be solved
The probe code has been sligthly changed, this should solve
the reports I have lying around (I hope).
Hangs when accessing ata & atapi device on the same channel simultaniously.
A real braino in ata_start caused this, fixed.
As usual USE AT YOUR OWN RISK!!, this is still pre alpha level code.
Especially the DMA support can hose your disk real bad if anything
goes wrong, agaiin you have been warned :)
But please tell me how it works for you!
Enjoy!
-Søren
/usr/sbin/sysctl -> ${DESTDIR}/sbin/sysctl in some versions of 2.2,
and this link was broken if DESTDIR was set.
Added a SYMLINKS macro. This works the same as LINKS, except it
creates symlinks and the linked-to pathname may be relative. This
is more flexible than LN_FLAGS, since it supports installing
symlinks independently of hard links.
Use `ln -f[s] ...' instead of `rm -f ...; ln [-s] ...' for LINKS and
SYMLINKS. This is equivalent if the target is neither a directory nor
a symlink to a directory.
PR: 8279
or Qlogic 2100 cards. This to save substantial f/w code space if you really
care.
Add in options to enable expanded lun or fabric f/w downloads for Qlogic 2100.
bootblocks in order to boot the kernel after this! Also note that this
change breaks BSDI BSD/OS compatibility.
Also increased default NKPT to 17 so that FreeBSD can boot on machines
with >=2GB of RAM. Booting on machines with exactly 4GB requires other
patches, not included.
KBD_INSTALL_CDEV).
- Removed the note that the VESA option cannot be used on the SMP system;
this is not true.
- Moved the option VESA to more appropriate place.
- Refined internal interface in keyboard drivers so that:
1. the side effect of device probe is kept minimal,
2. polling mode function is added,
3. and new ioctl and configuration options are added (see below).
- Added new ioctl: KDSETREPEAT
Set keyboard typematic rate. There has existed an ioctl command,
KDSETRAD, for the same purpose. However, KDSETRAD is dependent on
the AT keyboard. KDSETREPEAT provides more generic interface.
KDSETRAD will still be supported in the atkbd driver.
- Added new configuration options:
ATKBD_DFLT_KEYMAP
Specify a keymap to be used as the default, built-in keymap.
(There has been undocumented options, DKKEYMAP, UKKEYMAP, GRKEYMAP,
SWKEYMAP, RUKEYMAP, ESKEYMAP, and ISKEYMAP to set the default keymap.
These options are now gone for good. The new option is more general.)
KBD_DISABLE_KEYMAP_LOADING
Don't allow the user to change the keymap.
Move the Olicom token ring driver to the officially sanctionned location of
/sys/contrib. Also fix some brokenness in the generic token ring support.
Be warned that if_dl.h has been changed and SOME programs might
like recompilation.
The much roumored replacement for our current IDE/ATA/ATAPI is
materialising in the CVS repositories around the globe.
So what does this bring us:
A new reengineered ATA/ATAPI subsystem, that tries to overcome
most of the deficiencies with the current drivers.
It supports PCI as well as ISA devices without all the hackery
in ide_pci.c to make PCI devices look like ISA counterparts.
It doesn't have the excessive wait problem on probe, in fact you
shouldn't notice any delay when your devices are getting probed.
Probing and attaching of devices are postponed until interrupts
are enabled (well almost, not finished yet for disks), making
things alot cleaner.
Improved performance, although DMA support is still WIP and not
in this pre alpha release, worldstone is faster with the new
driver compared to the old even with DMA.
So what does it take away:
There is NO support for old MFM/RLL/ESDI disks.
There is NO support for bad144, if your disk is bad, ditch it, it has
already outgrown its internal spare sectors, and is dying.
For you to try this out, you will have to modify your kernel config
file to use the "ata" controller instead of all wdc? entries.
example:
# for a PCI only system (most modern machines)
controller ata0
device atadisk0 # ATA disks
device atapicd0 # ATAPI CDROM's
device atapist0 # ATAPI tapes
#You should add the following on ISA systems:
controller ata1 at isa? port "IO_WD1" bio irq 14
controller ata2 at isa? port "IO_WD2" bio irq 15
You can leave it all in there, the system knows how to manage.
For now this driver reuses the device entries from the old system
(that will probably change later), but remember that disks are
now numbered in the sequence they are found (like the SCSI system)
not as absolute positions as the old system.
Although I have tested this on all the systems I can get my hands on,
there might very well be gremlins in there, so use AT YOU OWN RISK!!
This is still WIP, so there are lots of rough edges and unfinished
things in there, and what I have in my lab might look very different
from whats in CVS at any given time. So please have all eventual
changes go through me, or chances are they just dissapears...
I would very much like to hear from you, both good and bad news
are very welcome.
Enjoy!!
-Søren
their ttl). This can be used - in combination with the proper ipfw
incantations - to make a firewall or router invisible to traceroute
and other exploration tools.
This behaviour is controlled by a sysctl variable (net.inet.ip.stealth)
and hidden behind a kernel option (IPSTEALTH).
Reviewed by: eivind, bde
This is for various Olicom cards. An IBM driver is following.
This patch also adds support to tcpdump to decode packets on tokenring.
Congratulations to the proud father.. (below)
Submitted by: Larry Lile <lile@stdio.com>
is not implied by -Wall as claimed by gcc.1. Adding it causes a
measly 7193 new warnings for LINT, mostly for "unused parameter" and
"comparison between signed and unsigned".
This changes the definitions of a few items so that structures are the
same whether or not the option itself is enabled. This allows
people to enable and disable the option without recompilng the world.
As the author says:
|I ran into a problem pulling out the VM_STACK option. I was aware of this
|when I first did the work, but then forgot about it. The VM_STACK stuff
|has some code changes in the i386 branch. There need to be corresponding
|changes in the alpha branch before it can come out completely.
what is done:
|
|1) Pull the VM_STACK option out of the header files it appears in. This
|really shouldn't affect anything that executes with or without the rest
|of the VM_STACK patches. The vm_map_entry will then always have one
|extra element (avail_ssize). It just won't be used if the VM_STACK
|option is not turned on.
|
|I've also pulled the option out of vm_map.c. This shouldn't harm anything,
|since the routines that are enabled as a result are not called unless
|the VM_STACK option is enabled elsewhere.
|
|2) Add what appears to be appropriate code the the alpha branch, still
|protected behind the VM_STACK switch. I don't have an alpha machine,
|so we would need to get some testers with alpha machines to try it out.
|
|Once there is some testing, we can consider making the change permanent
|for both i386 and alpha.
|
[..]
|
|Once the alpha code is adequately tested, we can pull VM_STACK out
|everywhere.
|
Submitted by: "Richard Seaman, Jr." <dick@tar.com>
changes to the VM system to support the new swapper, VM bug
fixes, several VM optimizations, and some additional revamping of the
VM code. The specific bug fixes will be documented with additional
forced commits. This commit is somewhat rough in regards to code
cleanup issues.
Reviewed by: "John S. Dyson" <root@dyson.iquest.net>, "David Greenman" <dg@root.com>
lock, and add some macros and function parameters to make sure that
the information get to the point where it can be put in the lock
structure.
While I'm here, add DEBUG_VFS_LOCKS to LINT.
- Bring down the splash screen when a vty is opened for the first
time.
- Make sure the splash screen/screen saver is stopped before
switching vtys.
- Read and save initial values in the BIOS data area early.
VESA BIOS may change BIOS data values when switching modes.
- Fix missing '&' operator.
- Move ISA specific part of driver initialization to syscons_isa.c.
atkbd
- kbdtables.h is now in /sys/dev/kbd.
all
- Adjust for forthcoming alpha port. Submitted by: dfr
o Add the EB64PLUS systype into the kernel configuration files
and add it to the GENERIC kernel
o Correct mcclock_isa.c's dependence on cia, it should depend on isa.
This will allow avanti and eb64+ kernels to be built without the cia
chipset support code.
one in the kernel source, and that one is already used for modules.
I don't _think_ this will hurt releases, aout-to-elf, etc, but it is
possible. In all the cases I've looked at, config(8) has been
generated straight after a make world, so if /usr/sbin/config exists and
is the right version for the kernel, then we can pretty much count on
/usr/bin/gensetdefs being there too.
if option CY_PCI_FASTINTR is configured and mapping the irq to a
fastintr is possible. Unfortunately, this has to be optional because
pci_map_int_right() doesn't handle the INTR_EXCL flag right --
INTR_EXCL is honoured even if the interrupt needs to be non-exclusive
for other devices to work.
keyboard and video card drivers.
Because of the changes, you are required to update your kernel
configuration file now!
The files in sys/dev/syscons are still i386-specific (but less so than
before), and won't compile for alpha and PC98 yet.
syscons still directly accesses the video card registers here and
there; this will be rectified in the later stages.
It was nay'ed before committing on the grounds that this is not
the way to do it, and has been decided as such several times in
the past.
There is not point in loading gobs of ascii into the kernel when
the only use of that ascii is presentation to the user.
Next thing we'd be adding all section 4 man pages to the loaded
kernel as well.
The argument about KLD's is bogus, klds can store a file in
/usr/share/doc/sysctl/dev/foo/thisvar.txt with a description and
sysctl or other facilities can pick it up there.
Proper documentation will take several K worth of text for many
sysctl variables, we don't want that in the kernel under any
circumstances.
I will welcome any well thought out attempt at improving the
situation wrt. sysctl documentation, but this wasn't it.
than ".so". The old extension conflicted with well-established
naming conventions for dynamically loadable modules.
The "clean" targets continue to remove ".so" files too, to deal with
old systems.
on the ASIX AX88140A chip. Update /sys/conf/files, RELNOTES.TXT,
/sys/i388/i386/userconfig.c, sysinstall/devices.c, GENERIC and LINT
accordingly.
For now, the only board that I know of that uses this chip is the
Alfa Inc. GFC2204. (Its predecessor, the GFC2202, was a DEC tulip card.)
Thanks again to Ulf for obtaining the board for me. If anyone runs
across another, please feel free to update the man page and/or the
release notes. (The same applies for the other drivers.)
FreeBSD should now have support for all of the DEC tulip workalike
chipsets currently on the market (Macronix, Lite-On, Winbond, ASIX).
And unless I'm mistaken, it should also have support for all PCI fast
ethernet chipsets in general (except maybe the SMC FEAST chip, which
nobody seems to ever use, including SMC). Now if only we could convince
3Com, Intel or whoever to cough up some documentation for gigabit
ethernet hardware.
Also updated RELNOTEX.TXT to mention that the SVEC PN102TX is supported
by the Macronix driver (assuming you actually have an SVEC PN102TX with
a Macronix chip on it; I tried to order a PN102TX once and got a box
labeled 'Hawking Technology PN102TX' that had a VIA Rhine board inside
it).
that they might be about to blow their feet off if they have not been
reading their mail. I don't know if or how well this will work, but it's
worth a try.
CPU_WT_ALLOC does not work correctly for K6-2s of model 8+ and
probably K6-3s (when they appear on the market soon). In addition,
print_AMD_info() incorrectly printfs write allocation's size. I've
fixed them, so they now Do The Right Thing, and added a
"NO_MEMORY_HOLE" option to easily allow 15-16mb range handling for us
K6 and K6-2 users.
Submitted by: Brian Feldman <green@unixhelp.org>
ISDN4BSD is the work of our brand-new comitter: Hellmuth Michaelis,
who has done a tremendous amount of work to bring us this far.
There are still some outstanding issues and files to bring into
the tree, and for now it will be needed to pick up all the extra
docs from the isdn4bsd release.
It is probably also a very good idea to subscribe to the isdn@freebsd.org
mailing list before you try this out.
These files correspond to release "beta Version 0.70.00 / December
1998" from Hellmuth.
linker sets don't work and thus neither does the kernel.
This should stop being a problem with an improved linker set mechanism in
the pipeline (see the bootloader) but for now this has to stay like this.
This has the useful side-effect of ensuring that opt_smp.h is
always generated, so we can assume it will always be available.
Prompted by: Andrew Gallatin <gallatin@cs.duke.edu>