#
2b3f93ea |
| 13-Oct-2023 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restricti
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turns off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed.
Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)
* Add sys/caps.h
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jailess security in the near future, and to optimize the priv_check code.
show more ...
|
Revision tags: v6.4.0, v6.4.0rc1, v6.5.0, v6.2.2, v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0, v5.8.3, v5.8.2, v5.8.1, v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2, v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1 |
|
#
93c84330 |
| 20-Sep-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Fix races in kern_dmsg.c (hammer2)
* Fix kdmsg races during shutdown which can assert or panic
* Fixes numerous hammer2 assertions or panics related to unmounting, including mount failur
kernel - Fix races in kern_dmsg.c (hammer2)
* Fix kdmsg races during shutdown which can assert or panic
* Fixes numerous hammer2 assertions or panics related to unmounting, including mount failures due to missing labels.
show more ...
|
#
f156ae94 |
| 19-Sep-2017 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Remove some kdmsg debugging
* Remove '<blah> thread terminating' kdmsg debug messages.
|
Revision tags: v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc |
|
#
895bb45a |
| 28-Dec-2016 |
Sascha Wildner <saw@online.de> |
kernel: Fix a -Wundef warning.
|
Revision tags: v4.6.1 |
|
#
57e09377 |
| 07-Aug-2016 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Cleanup gcc warnings
* Cleanup gcc warnings at higher optimization levels. This will allow us to build kernels -O2 or -O3.
|
Revision tags: v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0, v4.4.3, v4.4.2, v4.4.1, v4.4.0, v4.5.0, v4.4.0rc, v4.2.4, v4.3.1, v4.2.3, v4.2.1, v4.2.0, v4.0.6, v4.3.0, v4.2.0rc, v4.0.5 |
|
#
5ab1caed |
| 10-Mar-2015 |
Matthew Dillon <dillon@apollo.backplane.com> |
dmsg - Formalize most of the debugging output, cleanup, fix uninit bug
* Macroize and formalize most of the debugging output.
* Add LNK_PING support.
* Fix a bug in kdmsg_iocom_uninit(). The RX t
dmsg - Formalize most of the debugging output, cleanup, fix uninit bug
* Macroize and formalize most of the debugging output.
* Add LNK_PING support.
* Fix a bug in kdmsg_iocom_uninit(). The RX thread can stall reading from the pipe and never wakeup to see the KILLRX flag if no traffic comes in.
To deal with this kdmsg_iocom_uninit() sends a LNK_PING over the link, then gives the threads 10 seconds to shutdown nicely. If they do not the pipe descriptor is not-so-nicely shutdown().
show more ...
|
#
0a9eefca |
| 09-Mar-2015 |
Matthew Dillon <dillon@apollo.backplane.com> |
dmsg - Stabilization work
* Refactor the circuit failure handling code. When a connection is lost circuits running through that connection and all sub-circuits/states (recursively) are aborted.
dmsg - Stabilization work
* Refactor the circuit failure handling code. When a connection is lost circuits running through that connection and all sub-circuits/states (recursively) are aborted. This will propagate through the graph and there are plenty of edge cases where a failure may be propagating in one direction and a request in the other direction.
The library is responsible for providing missing transaction closures when circuits and states fail.
* Add code to handle circuit failure races against newly created messages. The STATE_DYING flag is now inherited by the newly created message from its parent.
* The state structure on receive is now updated before the callback is made so it can be atomic with the lock, instead of after.
* Lots of debugging added and some cleanup.
show more ...
|
Revision tags: v4.0.4 |
|
#
a06d536b |
| 03-Mar-2015 |
Matthew Dillon <dillon@apollo.backplane.com> |
dmsg - Stabilization work
* Add a refs field to dmsg_state and kdmsg_state for retention and disposal.
* Separate out the tracking of state->subq and the state RB trees.
* Greatly simplify the i
dmsg - Stabilization work
* Add a refs field to dmsg_state and kdmsg_state for retention and disposal.
* Separate out the tracking of state->subq and the state RB trees.
* Greatly simplify the iocom shutdown code and functions related to handling communications failures. When iterating states for shutdown, which requires simulating a received failure message, we can now simply iterate via state->subq.
* Greatly simplify how the simulated failures are generated and handled (See dmsg_msg_simulate_failure()). This is probably the most complex part of the library.
* Fix a memory leak in kern_dmsg.c.
* Replace xdisk's per-softc token with a lockmgr lock. Atomicy has to be guaranteed across blocking conditions in certain cases and it was easier to simply use a lock for everything.
Cleanup the locking.
* Ripout the shutdown check in the I/O path, which can deadlock the disk management threads. This will need to be revisited as it means that /dev/xa* and /dev/serno* devices remain in /dev after a link failure even when there are no opens on the device.
* Add the B_FAILONDIS flag to struct buf. This flag allows the disk probe code to tell xdisk that it is ok for the I/O to fail, allowing xdisk to discard I/Os that would otherwise block or deadlock the disk probe code when the related network connection is lost.
show more ...
|
#
45c1a24b |
| 01-Mar-2015 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - work on dmsg disk exports
* Refactor and clean up the kdmsg thread cleanup code.
* Add a workaround for a possible tx/rx race which can occur due to the transmit side not retiring the kd
kernel - work on dmsg disk exports
* Refactor and clean up the kdmsg thread cleanup code.
* Add a workaround for a possible tx/rx race which can occur due to the transmit side not retiring the kdmsg until after writing it. This can potentially block and allow a received response to be processed before the related transmitted kdmsg is cleaned up.
* Add sysctls to track operations in progress.
* Code documentation.
show more ...
|
#
1a2a529d |
| 28-Feb-2015 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 / kern_dmsg - Fix bugs
* Fix header size limt check.
* Do not free the message data out from under a running I/O. Introduce an API for detaching aux_data from a msg.
* Increase DMSG_AUX_
hammer2 / kern_dmsg - Fix bugs
* Fix header size limt check.
* Do not free the message data out from under a running I/O. Introduce an API for detaching aux_data from a msg.
* Increase DMSG_AUX_MAX to 1MB to ensure that xdisk (remote disks) work with any filesystem.
Theoretically we can break up READ and WRITE messages into pieces in order to allow DMSG_AUX_MAX to be made smaller (which is easier to manage in-kernel), but for now the implementation just uses a single message transaction.
* Adjust some comments.
show more ...
|
Revision tags: v4.0.3, v4.0.2, v4.0.1, v4.0.0, v4.0.0rc3, v4.0.0rc2, v4.0.0rc, v4.1.0, v3.8.2, v3.8.1, v3.6.3, v3.8.0, v3.8.0rc2, v3.9.0, v3.8.0rc |
|
#
323c0947 |
| 05-May-2014 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - dmsg stabilization
This is a general stabilization pass testing xdisk resumption on various communications failures (killing the local or remote hammer2 service demon).
* Simulate failure
hammer2 - dmsg stabilization
This is a general stabilization pass testing xdisk resumption on various communications failures (killing the local or remote hammer2 service demon).
* Simulate failures on recursive transactions in a bottom-up fashion
* bcmp() does not return an inequality (neg, zero, or positive). It returns only 0 or 1. Change fs_label RBTREE test to strcmp()
* ref-count the state structure, use dmsg_state_hold()/dmsg_state_drop() to control it. Fix at least one memory leak.
* Consolidate simulated transaction failure core into a helper function dmsg_msg_simulate_failure().
* Clean up the tx state on the front-end after the msg has extracted necessary information from it, instead of in the transmit thread. This is so the state fields are updated synchronously and not delayed by the transmit queue.
* Change xdisk's error test to avoid accidently failing a BIO due to a communications issue (verses an actual IO error on the remote physical disk).
* Remove some invalid assertions, add assertions.
show more ...
|
#
d30cab67 |
| 05-May-2014 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - Retool dmsg mechanics to improve virtual circuit design 2/2
* Use transaction stacking to effectively connect resources to consumers. Issuing a transaction over a received SPAN effective
hammer2 - Retool dmsg mechanics to improve virtual circuit design 2/2
* Use transaction stacking to effectively connect resources to consumers. Issuing a transaction over a received SPAN effectively creates a virtual circuit to the originator.
* The hammer2 service demon (userland) is currently being used to route, but direct kernel<->kernel socket connections are now theoretically possible for later performance work. Current performance is going to be low due to layering.
* Get subr_diskiocom and the xdisk driver mostly working again. The code is a lot cleaner but still needs considerable stability work and better unwinding during failure conditions.
* Start work on hammer2<->hammer2 communications.
show more ...
|
#
1b8eded1 |
| 23-Apr-2014 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - Retool dmsg mechanics to improve virtual circuit design 1/2
* Rip-out the circuit structures and forging code. These changes simplify the DMSG code considerably.
* Retool the core comm
hammer2 - Retool dmsg mechanics to improve virtual circuit design 1/2
* Rip-out the circuit structures and forging code. These changes simplify the DMSG code considerably.
* Retool the core command/response messaging mechanics to allow either side of a transaction to initiate commands and receive responses.
This means we cannot use DMSGF_REPLY to determine whether the transmit-side or receive-side state RBTREE holds the msgid. Instead we add two more flags DMSGF_REVTRANS and DMSGF_REVCIRC to tell the receiver which RBTREE holds the msgid and/or circuit id.
* Retool to allow transaction stacking. Sub-transactions can now run under their parents.
* Retool the transaction code to provide virtual circuit functionality through the use of transaction stacking.
With these changes, the normal SPAN mechanism which operates using open transactions can also be used to route messages over the SPAN. There is no longer a need to forge a return path because sub-transaction commands can now be initiated 'out' over an active, received SPAN transaction.
This part is not completely working yet, it needs the actual routing code and some adjustments to the SPAN mechanism to prevent path ripups from interfering with any in-progress transactions. Ultimately the availability of a new path would have two be detected by the end points so new 'connections' can be forged over the new, better path.
show more ...
|
#
8e226bc8 |
| 21-Apr-2014 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - more dmsg/separation work
* More separation work in libdmsg, kern_dmsg.c, and kernel dmsg consumers.
* subr_diskiocom.c should no longer need hammer2_disk.h (sys/dmsg.h) for the kernel
hammer2 - more dmsg/separation work
* More separation work in libdmsg, kern_dmsg.c, and kernel dmsg consumers.
* subr_diskiocom.c should no longer need hammer2_disk.h (sys/dmsg.h) for the kernel build.
* Add dmsg->tcmd to smooth some switch() use cases.
show more ...
|
Revision tags: v3.6.2, v3.6.1, v3.6.0, v3.7.1, v3.6.0rc, v3.7.0, v3.4.3 |
|
#
0a2f67af |
| 06-Aug-2013 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Adjust impossible conditions in kdmsg_state_*()
* kdmsg_state_reply() and kdmsg_state_result() require a non-NULL state. Assert the condition and remove the else clause that was broken in
kernel - Adjust impossible conditions in kdmsg_state_*()
* kdmsg_state_reply() and kdmsg_state_result() require a non-NULL state. Assert the condition and remove the else clause that was broken in the first place.
Reported-by: Joris giovannang
show more ...
|
Revision tags: v3.4.2, v3.4.0, v3.4.1, v3.4.0rc, v3.5.0 |
|
#
085cb1dd |
| 01-Feb-2013 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Fix memory leak on iocom terminaion
* freerd_state was being cleaned up by the reader thread, but during decomissioning the writer thread can simulate incoming packets to cleanly shutdo
kernel - Fix memory leak on iocom terminaion
* freerd_state was being cleaned up by the reader thread, but during decomissioning the writer thread can simulate incoming packets to cleanly shutdown open transactions, and this can reload freerd_state.
* Move the cleanup for freerd_state and freewr_state out of the reader/writer threads and into kdmsg_iocom_uninit() proper.
* Fixes dangling 112 bytes of memory left allocated after uninit.
show more ...
|
Revision tags: v3.2.2 |
|
#
1f4b0713 |
| 04-Dec-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
cluster - Kernel cluster code work
* Major stability work.
* Misc bug fixes and cleanups.
* xdisk/diskiocom links are now relatively stable over a real network. Still need to deal with reconnect
cluster - Kernel cluster code work
* Major stability work.
* Misc bug fixes and cleanups.
* xdisk/diskiocom links are now relatively stable over a real network. Still need to deal with reconnects properly.
show more ...
|
#
8d6d37b8 |
| 03-Dec-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
cluster - Major kernel component work (diskiocom, xdisk, kdmsg)
* Major implementation and stabilization work. Fix lots of bugs, improve the AUTO flags and APIs.
* xdisk and diskiocom are now op
cluster - Major kernel component work (diskiocom, xdisk, kdmsg)
* Major implementation and stabilization work. Fix lots of bugs, improve the AUTO flags and APIs.
* xdisk and diskiocom are now operational for the first time.
xdisk is a consumer of remote block devices. You pass it one end of a pipe and use an ioctl to create /dev/xa* devices. The kernel's nominal disk management subsystem handles /dev/serno/* and will also probe the /dev/xa* devices to create the slices.
diskiocom is a block device service. An ioctl is used to connect a raw disk device to the network via a pipe.
* The hammer2 service demon ties the two together over the network.
* Initial testing with a local hammer2 service daemon looping da0 to xa0 succeeded, ~46MB/sec unoptimized using dd.
show more ...
|
#
0c98b966 |
| 01-Dec-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
cluster - remote block device work
* xdisk(client) <-> diskiocom(server) now successfully does a full message transaction over a VC for xa_open(). Still lots to do.
* Fix I/O request deferrals s
cluster - remote block device work
* xdisk(client) <-> diskiocom(server) now successfully does a full message transaction over a VC for xa_open(). Still lots to do.
* Fix I/O request deferrals since the open can occur before the VC is fully established. This fixes a deadlock.
* Fix state->msg tracking in kern_dmsg.c. Fixes a double-free.
show more ...
|
#
03d99ea4 |
| 30-Nov-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - kernel cluster messaging support API work
* Rework the API significantly
* Add circuit tracking and sniffing features
* Add flags to automate the LNK_CONN, LNK_SPAN, and LNK_CIRC state m
hammer2 - kernel cluster messaging support API work
* Rework the API significantly
* Add circuit tracking and sniffing features
* Add flags to automate the LNK_CONN, LNK_SPAN, and LNK_CIRC state machines.
* Misc improvemenets.
show more ...
|
#
ddfbb283 |
| 26-Oct-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - dmsg blockdev work
* Adjust the LNK_CONN and LNK_SPAN messages to provide a cluster label and a filesystem label instead of just a filesystem label.
* Change the cluster controller to i
hammer2 - dmsg blockdev work
* Adjust the LNK_CONN and LNK_SPAN messages to provide a cluster label and a filesystem label instead of just a filesystem label.
* Change the cluster controller to index clusters based on the peer_type, pfs_clid, and cl_label instead of just the pfs_clid.
HAMMER2 PFS's are primarily identified by pfs_clid and unique nodes are identified by pfs_fsid. fs_label holds the HAMMER2 super-root name.
BLOCK devices are primarily identified by cl_label and unique nodes are identified by pfs_fsid. pfs_clid and fs_label are empty.
* Adjust the cluster controller's matching filters such that, e.g. BLOCK device clients only have visibility to the BLOCK device server for the cl_label in question, and do not have visibility to other BLOCK device clients.
* Flesh out the hammer2 service daemons disk monitoring, have it attach a pipe to the in-kernel disk via an ioctl().
* Continued work on the skeleton network disk exporter (kern/subr_disk*) and network disk importer (dev/disk/xdisk/*). xdisk has not been added to the build yet.
* Move a few more definitions from HAMMER2 to DMSG.
show more ...
|
#
185ace93 |
| 25-Oct-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - Add server-side disk advertisements
* The hammer2 service demon now tracks disks and connects the cluster controller to each one.
* Add a new ioctl to the subr_disk subsystem and add su
hammer2 - Add server-side disk advertisements
* The hammer2 service demon now tracks disks and connects the cluster controller to each one.
* Add a new ioctl to the subr_disk subsystem and add subr_diskiocom.c to implement it, associating a cluster controller messaging descriptor with a disk device.
* disk device initiates LNK_CONN and LNK_SPAN. Disk block devices now advertised through the spanning tree. Nothing else implemented yet.
show more ...
|
#
8a9471c3 |
| 25-Oct-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - Messaging layer separation work part 4
* Cleanup, bug fixes, operations tests successful now.
|
#
3a5aa68f |
| 25-Oct-2012 |
Matthew Dillon <dillon@apollo.backplane.com> |
hammer2 - Messaging layer separation work part 3
* Move more hammer2 vfs message code into kern_dmsg.c, renaming and implementing callbacks as needed.
* Move hammer2_icrc.c (the iscsi crc support
hammer2 - Messaging layer separation work part 3
* Move more hammer2 vfs message code into kern_dmsg.c, renaming and implementing callbacks as needed.
* Move hammer2_icrc.c (the iscsi crc support) to libkern/icrc32.c
show more ...
|