Commit Graph

48 Commits

Author SHA1 Message Date
Poul-Henning Kamp
75c1354190 This Implements the mumbled about "Jail" feature.
This is a seriously beefed up chroot kind of thing.  The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact:  "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

   I have no scripts for setting up a jail, don't ask me for them.

   The IP number should be an alias on one of the interfaces.

   mount a /proc in each jail, it will make ps more useable.

   /proc/<pid>/status tells the hostname of the prison for
   jailed processes.

   Quotas are only sensible if you have a mountpoint per prison.

   There are no privisions for stopping resource-hogging.

   Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by:   http://www.rndassociates.com/
Run for almost a year by:       http://www.servetheweb.com/
1999-04-28 11:38:52 +00:00
Poul-Henning Kamp
1c308b817a Change suser_xxx() to suser() where it applies. 1999-04-27 12:21:16 +00:00
Poul-Henning Kamp
f711d546d2 Suser() simplification:
1:
  s/suser/suser_xxx/

2:
  Add new function: suser(struct proc *), prototyped in <sys/proc.h>.

3:
  s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/

The remaining suser_xxx() calls will be scrutinized and dealt with
later.

There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.

More changes to the suser() API will come along with the "jail" code.
1999-04-27 11:18:52 +00:00
Bruce Evans
6fc8f347cb Enforce monotonicity of apparent process user, system and interrupt times.
PR:		975, 10402
1999-03-13 19:46:13 +00:00
Bruce Evans
56ce1a8dc4 Fixed runtime accounting. The time since the previous context switch
was discarded on every call to calcru().  Hacking on the `switchtime'
global for a related fix in rev.1.38 of kern_resource.c was too fragile
and broke when p_switchtime went away.

PR:		10402
1999-03-11 21:53:12 +00:00
Bruce Evans
efc96764e0 The magic "no-cpu" cpu number is 0xff. Don't misrepresent cpu
numbers as chars or use bogus casts in an attempt to unmisrepresnt
them.  In top, don't assume that 0xff is the only negative cpu
number when cpu numbers are (mis)represented.
1999-03-05 16:38:13 +00:00
Bruce Evans
e7ba67f274 Removed all traces of `p_switchtime'. The relevant timestamp is per-cpu,
not per-process.  Keep it in `switchtime' consistently.

It is now clear that the timestamp is always valid in fork_trampoline()
except when the child is running on a previously idle cpu, which
can only happen if there are multiple cpus, so don't check or set
the timestamp in fork_trampoline except in the (i386) SMP case.
Just remove the alpha code for setting it unconditionally, since
there is no SMP case for alpha and the code had rotted.

Parts reviewed by:	dfr, phk
1999-02-28 10:53:29 +00:00
Bruce Evans
1b0b259ed2 Don't forget to update `switchticks' in corner cases (except for
the alpha fork_trampoline(), forget it because it I believe it is
only necessary for the unsupported SMP case).
1999-02-25 11:03:08 +00:00
Mark Newton
ba198b1c45 Added comments about non-staticization so it doesn't get un-done next
time someone goes on a staticization binge.

Suggested by: eivind
1999-01-31 03:15:13 +00:00
Mark Newton
69a6f20bc8 Unstaticized routines which are needed by the svr4 KLD and the streams
garbage needed to support SysVR4 networking.
1999-01-30 06:25:00 +00:00
Bruce Evans
bc9e7c3b42 Fixed double counting of runtime after a process exits. The last
timeslice of the exiting process was counted for both the exiting
process and the next process to run if the next process runs
immediately.

Broken in:	mostly in kern_clock.c rev.1.70 (1998/05/28)
1998-07-27 19:16:21 +00:00
Poul-Henning Kamp
e796e00de3 Some cleanups related to timecounters and weird ifdefs in <sys/time.h>.
Clean up (or if antipodic: down) some of the msgbuf stuff.

Use an inline function rather than a macro for timecounter delta.

Maintain process "on-cpu" time as 64 bits of microseconds to avoid
needless second rollover overhead.

Avoid calling microuptime the second time in mi_switch() if we do
not pass through _idle in cpu_switch()

This should reduce our context-switch overhead a bit, in particular
on pre-P5 and SMP systems.

WARNING:  Programs which muck about with struct proc in userland
will have to be fixed.

Reviewed, but found imperfect by:       bde
1998-05-28 09:30:28 +00:00
Poul-Henning Kamp
c21410e119 s/nanoruntime/nanouptime/g
s/microruntime/microuptime/g

Reviewed by:	bde
1998-05-17 11:53:46 +00:00
Peter Wemm
b90dcc0c5d Fix previous commit. Don't people read compiler messages or something?? 1998-04-05 02:59:10 +00:00
Poul-Henning Kamp
00af9731c9 Time changes mark 2:
* Figure out UTC relative to boottime.  Four new functions provide
      time relative to boottime.

    * move "runtime" into struct proc.  This helps fix the calcru()
      problem in SMP.

    * kill mono_time.

    * add timespec{add|sub|cmp} macros to time.h.  (XXX: These may change!)

    * nanosleep, select & poll takes long sleeps one day at a time

Reviewed by:    bde
Tested by:      ache and others
1998-04-04 13:26:20 +00:00
Peter Dufault
644d85f4ca Reviewed by: msmith, bde long ago
Fix for RTPRIO scheduler to eliminate invalid context switches.

POSIX.4 headers and sysctl variables.  Nothing should change
unless POSIX4 is defined or _POSIX_VERSION is set to 199309.
1998-03-04 10:25:55 +00:00
Eivind Eklund
303b270b0a Staticize. 1998-02-09 06:11:36 +00:00
David Greenman
1540674007 Restrict idleprio to superuser:
Realtime priority has to be restricted for reasons which should be
obvious. However, for idle priority, there is a potential for
system deadlock if an idleprio process gains a lock on a resource
that other processes need (and the idleprio process can't run
due to a CPU-bound normal process). Fix me! XXX
PR: 5639
1998-02-04 18:43:10 +00:00
Bruce Evans
ffbb164e19 Set p_retval for the correct process in getpriority(). This fixes
a null pointer panic when the pointer for the incorrect process is
NULL.  getpriority() was broken in rev.1.27.  Rev.1.28 broke the
warning instead of fixing the problem.

PR:	5495
1998-01-19 12:39:00 +00:00
Eivind Eklund
5591b823d1 Make COMPAT_43 and COMPAT_SUNOS new-style options. 1997-12-16 17:40:42 +00:00
Poul-Henning Kamp
4a11ca4e29 Remove a bunch of variables which were unused both in GENERIC and LINT.
Found by:	-Wunused
1997-11-07 08:53:44 +00:00
Poul-Henning Kamp
cb226aaa62 Move the "retval" (3rd) parameter from all syscall functions and put
it in struct proc instead.

This fixes a boatload of compiler warning, and removes a lot of cruft
from the sources.

I have not removed the /*ARGSUSED*/, they will require some looking at.

libkvm, ps and other userland struct proc frobbing programs will need
recompiled.
1997-11-06 19:29:57 +00:00
Bruce Evans
1d9655ae4d Print more info in the "calcru: negative time" message. 1997-08-26 00:20:11 +00:00
Peter Wemm
477a642cee Man the liferafts! Here comes the long awaited SMP -> -current merge!
There are various options documented in i386/conf/LINT, there is more to
come over the next few days.

The kernel should run pretty much "as before" without the options to
activate SMP mode.

There are a handful of known "loose ends" that need to be fixed, but
have been put off since the SMP kernel is in a moderately good condition
at the moment.

This commit is the result of the tinkering and testing over the last 14
months by many people.  A special thanks to Steve Passe for implementing
the APIC code!
1997-04-26 11:46:25 +00:00
Peter Wemm
6875d25465 Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not
ready for it yet.
1997-02-22 09:48:43 +00:00
John Dyson
996c772f58 This is the kernel Lite/2 commit. There are some requisite userland
changes, so don't expect to be able to run the kernel as-is (very well)
without the appropriate Lite/2 userland changes.

The system boots and can mount UFS filesystems.

Untested: ext2fs, msdosfs, NFS
Known problems: Incorrect Berkeley ID strings in some files.
		Mount_std mounts will not work until the getfsent
		library routine is changed.

Reviewed by:	various people
Submitted by:	Jeffery Hsu <hsu@freebsd.org>
1997-02-10 02:22:35 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Joerg Wunsch
e9822d926c Make DFLDSIZ and MAXDSIZ fully-supported options.
"Don't forget to do a ``make depend''" :-)
1996-12-22 23:17:09 +00:00
Bruce Evans
604396ff31 Fixed accumulation of run time for processes that don't accumulate
any statclock ticks.  Pretend that all the time up to the first
statclock tick is system time.  .  This makes a difference mainly for
benchmarks that test short-lived processes - the user and system
times for processes that each lived for about 1ms only added up to
about 10% of the real time even when there was very little interrupt
activity.

Break the printing of a quad_t variable correctly.
1996-06-08 11:48:28 +00:00
Jeffrey Hsu
ec3f61ff36 From Lite2: proc LIST changes
stylistic changes to function prototypes
Reviewed by:	david & bde
1996-03-11 06:04:20 +00:00
Poul-Henning Kamp
505ae68ea8 Fix a printf, well, actually break it, that is...
We don't have the ability to print 64bit things yet...
1996-01-16 18:10:19 +00:00
David Greenman
efeaf95a41 Untangled the vm.h include file spaghetti. 1995-12-07 12:48:31 +00:00
Bruce Evans
d2d3e8751c Included <sys/sysproto.h> to get central declarations for syscall args
structs and prototypes for syscalls.

Ifdefed duplicated decentralized declarations of args structs.  It's
convenient to have this visible but they are hard to maintain.  Some
are already different from the central declarations.  4.4lite2 puts
them in comments in the function headers but I wanted to avoid the
large changes for that.
1995-11-12 06:43:28 +00:00
Bruce Evans
cf7e5eab8b Fixed types of rtprio(), osetrlimit() and setrlimit(). The args struct
tag and/or member names conflicted with the machine generated ones in
<sys/sysproto.h>.
1995-11-11 01:48:17 +00:00
Bruce Evans
8159bae9d0 Fix a sign extension bug that was unleashed by the previous change.
The total process time was sometimes 2^32 usec too large but that
wasn't a problem before because the time was bogusly truncated mod
2^32.
1995-10-23 19:05:50 +00:00
Bruce Evans
bcee717be5 Avoid overflow in calcru(). Fixes PR 788.
Submitted by:	imdave@synet.net (Dave Bodenstab)
1995-10-21 09:18:45 +00:00
Rodney W. Grimes
9b2e535452 Remove trailing whitespace. 1995-05-30 08:16:23 +00:00
Guido van Rooij
e6373c9ec0 Implement maxprocperuid and maxfilesperproc. They are tunable
via sysctl(8). The initial value of maxprocperuid is maxproc-1,
that of maxfilesperproc is maxfiles (untill maxfile will disappear)

Now it is at least possible to prohibit one user opening maxfiles

-Guido

Submitted by:
Obtained from:
1995-02-20 19:42:42 +00:00
Bruce Evans
a81b757af0 Don't allow negative limits at all. Convert them to RLIM_INFINITY instead
of returning EINVAL since something may depend on them being broken.
Allowing negative limits caused bugs almost everywhere.  The recent
fixes for MAXSSIZ checked the limits too late to stop anyone defeating
limits set by root...
1994-12-06 22:53:37 +00:00
Andreas Schulz
06935b59e5 Add one forgotten u_quad_t typecast in dosetrlimit. 1994-12-02 23:00:40 +00:00
Andreas Schulz
a7d72265c4 The values for setrlimit in the data size and stack size case are
used as an address value. Then all comparisons should be done unsigned
and not signed. Fix it with a typecast of u_quad_t.
Error can be demonstrated with the current bash in port, do a
ulimit -s unlimited and the machine hangs. bash delivers through
an internal error a large negative value for the stacksize, the
comparison saw this smaller than MAXSSIZ and then tried to expand
the stack to this size.
1994-12-01 20:20:21 +00:00
Poul-Henning Kamp
d93f860c60 Cosmetics. related to getting prototypes into view. 1994-10-10 01:00:49 +00:00
David Greenman
7216391e49 "idle priority" support. Based on code from Henrik Vestergaard Draboel,
but substantially rewritten by me.
1994-10-02 04:48:21 +00:00
Poul-Henning Kamp
bb56ec4a05 While in the real world, I had a bad case of being swapped out for a lot of
cycles.  While waiting there I added a lot of the extra ()'s I have, (I have
never used LISP to any extent).  So I compiled the kernel with -Wall and
shut up a lot of "suggest you add ()'s", removed a bunch of unused var's
and added a couple of declarations here and there.  Having a lap-top is
highly recommended.  My kernel still runs, yell at me if you kernel breaks.
1994-09-25 19:34:02 +00:00
David Greenman
e8fb0b2c17 Realtime priority scheduling support.
Submitted by:	Henrik Vestergaard Draboel
1994-09-01 05:12:53 +00:00
David Greenman
3c4dd3568f Added $Id$ 1994-08-02 07:55:43 +00:00
Rodney W. Grimes
26f9a76710 The big 4.4BSD Lite to FreeBSD 2.0.0 (Development) patch.
Reviewed by:	Rodney W. Grimes
Submitted by:	John Dyson and David Greenman
1994-05-25 09:21:21 +00:00
Rodney W. Grimes
df8bae1de4 BSD 4.4 Lite Kernel Sources 1994-05-24 10:09:53 +00:00