1. 02 Oct, 2017 1 commit
    • Enable FreeBSD resource limits. · af1fd023
      Mike Hibler authored
      This was blocked waiting for ops.emulab.net to need a reboot so that
      we could turn on resource accounting. Now that happened and I have
      done some testing, defined some arbitrary limits for other resources,
      done some more testing, and here we are!
      This should enable issue #247 to be closed.
  2. 02 May, 2017 3 commits
    • Argh! 0 != "0" · 7e33de51
      Mike Hibler authored
    • Avoid needless error message. · b2407f0d
      Mike Hibler authored
    • Add support for FreeBSD resource controls (rctl). · 87ff74ce
      Mike Hibler authored
      Right now we will just send SIGTERM to all processes in the jail
      after 5 minutes of wallclock. After an additional 10 seconds we
      send SIGKILL if necessary.
      Also added -N option to start up (-C) a standalone jail without
      any resource limits.
      Note that this won't work on ops yet as we have not enabled the
      kernel racct mechanism in /boot/loader.conf. On next reboot it
      should start being used.
  3. 28 Dec, 2016 1 commit
    • Slight change to geni-lib portal wrap; requesting to dump param defs · 44b17a4d
      Leigh B Stoller authored
      does not result in immediate termination. Instead we dump the params
      defs to a different file now, and continue on to spit the rspec to the
      output file. This complicates returning back to ops though, since now we
      have two files. So I elected to do a cheesy tar pack/unpack on the return
  4. 06 Dec, 2016 1 commit
    • Add the -B option to specify the "base" iocage to use. · fc02c625
      Mike Hibler authored
      This could make it easier in the future to try out different
      versions of the jail environment (e.g., FreeBSD 10.2 vs. 10.1)
      without manually tweaking a magic symlink in /iocage/tags.
      Also, document that you need to create the geni-lib mountpoint
      and may need to add some symlinks that are missing in newer
      FreeBSD packages.
  5. 14 Jul, 2016 1 commit
  6. 26 Aug, 2015 1 commit
  7. 13 Aug, 2015 1 commit
  8. 12 Aug, 2015 1 commit
    • More tweaks. · 88a4a831
      Mike Hibler authored
      Loopback mount @TBROOT@/lib/geni-lib directory read-only in the jail.
      This way we don't have to copy geni-lib stuff into the base jail and worry
      about multiple versions. The version mounted in the jail can either be
      the standard version or a dev-tree version depending on which copy of the
      script is run.
      Create per-instance snapshots of the base jail rather than having one
      "current" snapshot that all instances used. Not as efficient, but allows
      us to update the base (e.g., with security fixes) without needing to
      remember to create a new "current" snapshot!
      Add -C option to just create a jail instance without running anything
      in it. Then you can use "jexec" to test stuff in the jail. Use the new
      -R option afterward to remove the instance.
      Try to sanitize the environment passed to the command script. We cannot
      just give it a "clean" environment because genilib passes stuff via the
      environment. So we get rid of SUDO_* and SSH_* and set the assorted USER*
      variables correctly. This may have to be refined depending on how much
      geni-lib scripts expect from the environment.
  9. 11 Aug, 2015 1 commit
    • Two versions of a python jail for running geni-lib scripts. · 794fe4d4
      Mike Hibler authored
      genilib-iocage uses the FreeBSD "iocage" jail management package to
      set up a jail, run the script, and tear down the jail. Unfortunately,
      this version is really, really slow (11 seconds for a one-shot jail).
      So instead we will use genilib-jail which uses the template jail instance
      I built using iocage, but creates the one-off jails by using raw zfs and
      jail commands. It runs in about 1.3 seconds. genilib-iocage is left in
      case the author speeds it up someday.
      N.B. these are NOT plug-in replacements for rungenilib.proxy.in.
      In particular, the new scripts run as root and don't do any validation
      of the caller or arguments. So genilib-jail will be called from rungenilib
      for now (though I have not done that part yet!)