Bug 253724 - FreeBSD 13.0-BETA3: jail: cpuset: setaffinity: Resource deadlock avoided
Summary: FreeBSD 13.0-BETA3: jail: cpuset: setaffinity: Resource deadlock avoided
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 13.0-STABLE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Kyle Evans
URL: https://reviews.freebsd.org/D28952
Reported: 2021-02-20 17:47 UTC by rashey
Modified: 2021-02-27 18:38 UTC
Description rashey 2021-02-20 17:47:21 UTC
I have upgraded FreeBSD from 12.1-RELEASE to 13.0-BETA3 (fresh install) and I can't assign different CPU cores to host userland and jail at the same time anymore.

# cat /boot/loader.conf

# cat /etc/init.sh
cpuset -C -c -l 0 -p 1

# cat /etc/jail.conf
path = "/usr/jail/${name}";
exec.start      = "sh /etc/rc";
exec.poststart  = "cpuset -l 1 -j ${name}";
exec.stop       = "sh /etc/rc.shutdown jail";
host.hostname   = "${name}";
test {

# cat /usr/jail/test/etc/rc.conf
cron_flags="-J 30"

# service jail onestart
Starting jails:test: created
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
32-bit compatibility ldconfig path: /usr/lib32
Updating motd:.
Creating and/or trimming log files.
Clearing /tmp (X related).
Updating /var/run/os-release done.
Starting syslogd.
/etc/rc: WARNING: failed to start syslogd
Starting cron.

Sat Feb 20 18:40:41 CET 2021
cpuset: setaffinity: Resource deadlock avoided
jail: test: cpuset -l 1 -j test: failed
test: removed
Comment 1 Kyle Evans freebsd_committer 2021-02-26 22:37:33 UTC
Sorry about that; I think this is my preferred method to solve it: https://reviews.freebsd.org/D28952

The main need that I have is preventing unprivileged users who are restricted to a subset of available CPUs from bypassing that restriction by attaching (allowed by MAC policy) to a jail with a wider mask. The patch above restores the system root's ability to administer such a setup as yours, and allows the previous behavior entirely (i.e. unprivileged users) with a MAC policy.
Comment 2 Kyle Evans freebsd_committer 2021-02-27 18:38:14 UTC
You could work around this initial problem by making your exec.poststart an exec.created, but you would need D28952 on top of that for jail creation to succeed, as the next step won't be able to attach without widening its mask pre-attach. exec.created is debatably the more appropriate place for resource-control type stuff anyways, though it doesn't matter much at all for cpuset.

We're still discussing in that review and elsewhere whether this can be fixed quickly in a low-impact way besides reverting the original change; we should arrive at something before -rc1.