freebsd-skq/usr.sbin/jail
Kyle Evans 466df976ba jail(8): reset to root cpuset before attaching to run commands
Recent changes have made it such that attaching to a jail will augment
the attaching process' cpu mask with the jail's cpuset. While this is
convenient for allowing the administrator to cpuset arbitrary programs
that will attach to a jail, this is decidedly not convenient for
executing long-running daemons during jail creation.

This change inserts a reset of the process cpuset to the root cpuset
between the fork and attach to execute a command. This allows commands
executed to have the widest mask possible, and the administrator can
cpuset(1) it back down inside the jail as needed.

With this applied, one should be able to change a jail's cpuset at
exec.poststart in addition to exec.created.  The former was made
difficult if jail(8) itself was running with a constrained set, as then
some processes may have been spawned inside the jail with a non-root
set.  The latter is the preferred option so that processes starting in
the jail are constrained appropriately up front.

Note that all system commands are still run with the process' initial
cpuset applied.

PR:		253724
MFC after:	3 days
Reviewed by:	jamie
Differential Revision:	https://reviews.freebsd.org/D29008
2021-03-04 13:28:53 -06:00
tests usr.bin/jail: Fix tests when using kyua -v parallelism=N 2021-02-04 17:56:55 +00:00
command.c jail(8): reset to root cpuset before attaching to run commands 2021-03-04 13:28:53 -06:00
config.c Disregard jails in jail.conf that have bad parameters (parameter/variable 2020-08-27 17:04:55 +00:00
jail.8 jail: introduce per jail suser_enabled setting 2020-11-18 21:07:08 +00:00
jail.c jail: Add exec.prepare and exec.release command hooks 2020-05-14 23:38:11 +00:00
jail.conf.5 add ability to set watchdog timeout for a shutdown 2019-10-03 11:23:10 +00:00
jaillex.l Stop linking to libl by specifying we do not need yywrap 2019-09-10 07:25:37 +00:00
jailp.h jail: Add exec.prepare and exec.release command hooks 2020-05-14 23:38:11 +00:00
jailparse.y
Makefile revert r354935 and apply fix for cleandir failure 2019-11-21 13:56:16 +00:00
Makefile.depend
state.c [jail] removal by jid doesn't trigger pre/post stop scripts 2019-09-12 18:53:29 +00:00