# rctl monitoring jails



## rwlg (Apr 18, 2013)

Hi. This forum has helped me solve a ton of problems. This is my first actual post!

The problem:

Using rctl to monitor process usage for the jails running on the machine. Using `rctl -a jail:jailname:maxproc:log=4` makes log entries into /var/log/messages, so it's obviously working (properly compiled in rctl to kernel).

The problem is that `rctl -l jail:jailname` doesn't give me any valuable output, but errors:

```
rctl: rctl_get_limits: Operation not supported
```
Is this an rctl bug, or did I miss something?

Running FreeBSD 9.1, with RCTL compiled in (obviously).

Cheers,
rob


----------



## tingo (Apr 19, 2013)

Where did you get rctl from? I can't find it on FreshPorts.


----------



## ta0kira (Apr 19, 2013)

tingo said:

> Where did you get rctl from? I can't find it on FreshPorts.


It's part of the base system, but support isn't built into the kernel by default.





			
rwlg said:

> The problem is that `rctl -l jail:jailname` doesn't give me any valuable output, but errors:
> 
> ```
> rctl: rctl_get_limits: Operation not supported
> ```


Try it without -l.

Kevin Barry


----------



## rwlg (Apr 19, 2013)

@ta0kira/Kevin No dice. I'm thinking it might be a bug, but I'm too scared to submit the bug right now. I'll maybe let this thread sit for a week before I do anything rash.


----------



## ta0kira (Apr 20, 2013)

rwlg said:

> @ta0kira/Kevin No dice. I'm thinking it might be a bug, but I'm too scared to submit the bug right now. I'll maybe let this thread sit for a week before I do anything rash.


Are you running it as root?


----------



## tingo (Apr 20, 2013)

ta0kira said:

> It's part of the base system, but support isn't built into the kernel by default. Try it without -l.


Ah, I see - it's a 9.0 thing according to the man page. My main workstation is still on 8.x 

You were right about it not working out of the box:

```
root@kg-v7# uname -a
FreeBSD kg-v7.kg4.no 9.1-STABLE FreeBSD 9.1-STABLE #0: Sun Jan  6 20:09:55 CET 2013
     root@kg-v7.kg4.no:/usr/obj/usr/src/sys/GENERIC  amd64
root@kg-v7# rctl
rctl: rctl_get_rules: Function not implemented
```
Unfortunately, the man page doesn't say what one needs to do to get it working.


----------



## ShelLuser (Apr 20, 2013)

tingo said:

> Unfortunately, the man page doesn't say what one needs to do to get it working.



Basically it requires a kernel rebuild, check out this page.


----------



## tingo (Apr 21, 2013)

I wonder why they didn't include that information in the man page? Perhaps they intend to have it in the GENERIC kernel at some point in the future.


----------



## rwlg (Apr 22, 2013)

Yep. I'm running as root, and it's all compiled in. I'm not sure why it's a compile-time option. Kind of unusual. Pretty nice tool if you're running many jails. I'm kind of loving it so far! But, kind of looks like I've stumbled onto a bug.


----------



## ta0kira (Apr 22, 2013)

rwlg said:

> I'm not sure why it's a compile-time option.


It adds attributes to each running process that aren't otherwise required, which can't be done with a dynamically-loaded module.





			
rwlg said:

> But, kind of looks like I've stumbled onto a bug.


Before you consider it to be a bug, make sure you can add a new rule from the command line, and then _from the same session_ run rctl with no arguments to see if _any_ rules show up.

Also, I'm assuming that you're always getting "Operation not supported" and never "Operation not permitted", since you haven't indicated otherwise.

Kevin Barry


----------



## rwlg (Apr 22, 2013)

Yep. I've added rules to both users and jails. I can get the users to list their rules, but not the jails (though the rules still work). I've added via command line, and by restarting the jail.


----------



## ta0kira (Apr 23, 2013)

rwlg said:

> Yep. I've added rules to both users and jails. I can get the users to list their rules, but not the jails (though the rules still work)
> I've added via command line, and by restarting the jail.


So when you call rctl with no arguments you get a list of user rules but no jail rules?


----------



## rwlg (Apr 23, 2013)

Further to this: I guess I was wrong about being able to `rctl -l a user`. It's possible to view processes, but not users or jails.


```
# rctl -a jail:test:maxproc:log=4
# rctl
jail:test:maxproc:log=4
# rctl -l jail:test
rctl: rctl_get_limits: Operation not supported
# rctl -a user:robg:maxproc:log=4
# rctl
user:robg:maxproc:log=4
jail:test:maxproc:log=4
# rctl -l user:robg
rctl: rctl_get_limits: Operation not supported
# rctl -a process:873:vmemoryuse:deny=1g
# rctl -l process:873
process:873:vmemoryuse:deny=1073741824
```

Very interesting. Clearly, not a major issue, as it's possible to view/grep for the user/jail that's wanted. Still it's interesting it doesn't work and gives such an odd error message.


----------



## ta0kira (Apr 23, 2013)

rwlg said:

> Very interesting. Clearly, not a major issue, as it's possible to view/grep for the user/jail that's wanted. Still it's interesting it doesn't work and gives such an odd error message.


As I said before, try it without the -l, e.g. `rctl user:robg`. It's possible that the -l functionality is implemented at the kernel level, but only for certain categories.

Kevin Barry


----------



## trasz@ (Nov 24, 2014)

To see all rules set for a particular jail, do `rctl jail:jailname`, without the -l option.  The -l option works only for processes, and does something quite different: it shows all rules that apply to that particular process.  So, if you have per-user rules, and per-jail rules, and there is a process that fits both (runs as that particular user, in that jail), the `rctl -l` will show all of them.


----------
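Added example, not part of any post in this thread: a small shell model of the two lookups trasz@ describes, run over a constructed rule list in the format `rctl` prints. The function names, the extra `jail:web` rule, and the assumption that process 873 runs as user `robg` inside jail `test` are made up for illustration; the model covers only the user and jail subjects discussed above.

```shell
#!/bin/sh
# Constructed rule set, one rule per line: subject:id:resource:action=amount
RULES='user:robg:maxproc:log=4
jail:test:maxproc:log=4
jail:web:vmemoryuse:deny=2147483648
process:873:vmemoryuse:deny=1073741824'

# Model of `rctl subject:id` (no -l): list only the rules whose own
# subject and id match the filter.
rules_for_subject() {
    # $1 = subject type (user, jail, process), $2 = subject id
    printf '%s\n' "$RULES" |
        awk -F: -v s="$1" -v id="$2" '$1 == s && $2 == id'
}

# Model of `rctl -l process:pid`: list every rule that applies to the
# process, i.e. its own rules plus those of its user and its jail.
rules_applying_to_process() {
    # $1 = pid, $2 = user the process runs as, $3 = jail it runs in
    printf '%s\n' "$RULES" |
        awk -F: -v pid="$1" -v user="$2" -v jail="$3" '
            ($1 == "process" && $2 == pid)  ||
            ($1 == "user"    && $2 == user) ||
            ($1 == "jail"    && $2 == jail)'
}

echo "rules set on jail test:"
rules_for_subject jail test

echo "rules that apply to process 873 (user robg, jail test):"
rules_applying_to_process 873 robg test
```

The first lookup returns the single `jail:test` rule; the second returns the user, jail and process rules together, which is why the two commands answer different audit questions.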

