rctl monitoring jails

Hi. This forum has helped me solve a ton of problems. This is my first actual post!

The problem:

Using rctl to monitor process usage for the jails running on the machine. Using rctl -a jail:jailname:maxproc:log=4 makes log entries into /var/log/messages, so it's obviously working (properly compiled in rctl to kernel).

The problem is that rctl -l jail:jailname doesn't give me any valuable output, but errors:
Code:
rctl: rctl_get_limits: Operation not supported
Is this an rctl bug, or did I miss something?

Running FreeBSD 9.1, with RCTL compiled in (obviously).

Cheers,
rob
 
tingo said:
Where did you get rctl from? I can't find it on FreshPorts.
It's part of the base system, but support isn't built into the kernel by default.
rwlg said:
The problem is that rctl -l jail:jailname doesn't give me any valuable output, but errors:
Code:
rctl: rctl_get_limits: Operation not supported
Try it without -l.

Kevin Barry
 
@ta0kira/Kevin No dice. I'm thinking it might be a bug, but I'm too scared to submit the bug right now. I'll maybe let this thread sit for a week before I do anything rash.
 
rwlg said:
@ta0kira/Kevin No dice. I'm thinking it might be a bug, but I'm too scared to submit the bug right now. I'll maybe let this thread sit for a week before I do anything rash.
Are you running it as root?
 
ta0kira said:
It's part of the base system, but support isn't built into the kernel by default. Try it without -l.
Ah, I see - it's a 9.0 thing according to the man page. My main workstation is still on 8.x :)

You were right about it not working out of the box:
Code:
root@kg-v7# uname -a
FreeBSD kg-v7.kg4.no 9.1-STABLE FreeBSD 9.1-STABLE #0: Sun Jan  6 20:09:55 CET 2013
     root@kg-v7.kg4.no:/usr/obj/usr/src/sys/GENERIC  amd64
root@kg-v7# rctl
rctl: rctl_get_rules: Function not implemented
Unfortunately, the man page doesn't say what one needs to do to get it working.
 
I wonder why they didn't include that information in the man page? Perhaps they intend to have it in the GENERIC kernel at some point in the future.
 
Yep. I'm running as root, and it's all compiled in. I'm not sure why it's a compile-time option. Kind of unusual. Pretty nice tool if you're running many jails. I'm kind of loving it so far! But, kind of looks like I've stumbled onto a bug.
 
rwlg said:
I'm not sure why it's a compile-time option.
It adds attributes to each running process that aren't otherwise required, which can't be done with a dynamically-loaded module.
rwlg said:
But, kind of looks like I've stumbled onto a bug.
Before you consider it to be a bug, make sure you can add a new rule from the command line, and then from the same session run rctl with no arguments to see if any rules show up.

Also, I'm assuming that you're always getting "Operation not supported" and never "Operation not permitted", since you haven't indicated otherwise.

Kevin Barry
 
Yep. I've added rules to both users and jails. I can get the users to list their rules, but not the jails (though the rules still work). I've added via command line, and by restarting the jail.
 
rwlg said:
Yep. I've added rules to both users and jails. I can get the users to list their rules, but not the jails (though the rules still work)
I've added via command line, and by restarting the jail.
So when you call rctl with no arguments you get a list of user rules but no jail rules?
 
Further to this: I guess I was wrong about being able to rctl -l a user. It's possible to view processes, but not users or jails.

Code:
# rctl -a jail:test:maxproc:log=4
# rctl
jail:test:maxproc:log=4
# rctl -l jail:test
rctl: rctl_get_limits: Operation not supported
# rctl -a user:robg:maxproc:log=4
# rctl
user:robg:maxproc:log=4
jail:test:maxproc:log=4
# rctl -l user:robg
rctl: rctl_get_limits: Operation not supported
# rctl -a process:873:vmemoryuse:deny=1g
# rctl -l process:873
process:873:vmemoryuse:deny=1073741824

Very interesting. Clearly, not a major issue, as it's possible to view/grep for the user/jail that's wanted. Still it's interesting it doesn't work and gives such an odd error message.
 
rwlg said:
Very interesting. Clearly, not a major issue, as it's possible to view/grep for the user/jail that's wanted. Still it's interesting it doesn't work and gives such an odd error message.
As I said before, try it without the -l, e.g. rctl user:robg. It's possible that the -l functionality is implemented at the kernel level, but only for certain categories.

Kevin Barry
 
To see all rules set for a particular jail, do rctl jail:jailname, without the -l option. The -l option works only for processes, and does something quite different: it shows all rules that apply to that particular process. So, if you have per-user rules, and per-jail rules, and there is a process that fits both (runs as that particular user, in that jail), the rctl -l will show all of them.
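
Added example, not part of the original thread: a small shell sketch of the difference described in the last post, run over the rule list printed earlier in the thread instead of a live kernel. The function names are hypothetical, and the assumption that PID 873 runs as user robg inside jail test is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the rule list printed by `rctl` with no arguments
# in the session above (format: subject:subject-id:resource:action=amount).
SAMPLE_RULES='user:robg:maxproc:log=4
jail:test:maxproc:log=4
process:873:vmemoryuse:deny=1073741824'

# rules_for_subject RULES SUBJECT ID   (hypothetical helper)
# Rules defined on exactly one subject, the view `rctl jail:test` gives.
rules_for_subject() {
    printf '%s\n' "$1" | awk -F: -v s="$2" -v id="$3" '$1 == s && $2 == id'
}

# rules_for_process RULES PID USER JAIL   (hypothetical helper)
# Every rule that applies to one process: its own per-process rules plus
# the rules of the user it runs as and the jail it runs in. This is the
# view the last post attributes to `rctl -l process:PID`.
# Pass an empty JAIL for a process that is not jailed.
rules_for_process() {
    printf '%s\n' "$1" | awk -F: -v pid="$2" -v user="$3" -v jail="$4" '
        $1 == "process" && $2 == pid                { print; next }
        $1 == "user"    && $2 == user               { print; next }
        $1 == "jail"    && jail != "" && $2 == jail { print; next }
    '
}

# Assumption (constructed): PID 873 runs as robg inside jail "test".
echo "Rules defined on jail:test:"
rules_for_subject "$SAMPLE_RULES" jail test
echo "Rules that apply to process 873:"
rules_for_process "$SAMPLE_RULES" 873 robg test
```

On a live system the rule list would come from running rctl with no arguments as root.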
 