From owner-freebsd-questions Wed Dec 4 09:11:08 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57E3B37B401 for ; Wed, 4 Dec 2002 09:11:07 -0800 (PST)
Received: from hub.org (hub.org [64.49.215.141]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0DAAA43E88 for ; Wed, 4 Dec 2002 09:11:07 -0800 (PST) (envelope-from scrappy@hub.org)
Received: from hub.org (hub.org [64.49.215.141]) by hub.org (Postfix) with ESMTP id F386C8A8DF6; Wed, 4 Dec 2002 13:10:58 -0400 (AST)
Date: Wed, 4 Dec 2002 13:10:58 -0400 (AST)
From: "Marc G. Fournier"
To: Jeff MacDonald
Cc: Alex Hayward ,
Subject: RE: Another Jail Question
In-Reply-To:
Message-ID: <20021204130341.Q36076-100000@hub.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 4 Dec 2002, Jeff MacDonald wrote:

> > You can run PostgreSQL in a jail - though you do need to turn the
> > jail.sysvipc_allowed sysctl on first. You can also run it in the host
> > environment and talk via TCP if you wish.
>
> some folks have said this is a security risk, as the shared mem is not
> "per jail"

Note that the 'security risk' is more based on the trust level you have
for your users ... if it's just you, or you and a few friends, you
shouldn't have an issue with it ... the one issue you will have with
shared memory and jails is that I *believe* that Apache2 requires shared
memory to work, so if you decide to start working with that, you have to
open it up anyway ...

> The machine hardly has any load on it now, but i'd effectively be going
> from running 1 instance of fbsd to 3.

figure on ~20 or so processes extra per instance ... about the only
major difference between running a process in a jail vs outside ... if
you look at /proc/*/status, you will see that the processes are 'tag'd
so that ps knows which processes to list ... beyond that, from what I've
been able to determine, the changes are in how a socket is bound ... for
instance, normally when you run inetd, it binds to ADDR_IANY(?), whereas
when you set up a server for a jail'd env, you bind inetd to a specific
IP so that the other ones are more or less 'dangling' until you bind
something to them ... processes inside of the jail only *see* the one IP,
so binding to ADDR_IANY will only see the one IP to bind to ...

One thing to note when you are setting things up ... if you are using
sendmail, make sure you set DontProbeInterfaces to True (default is
False), else you get some weird results when not all jails are up and
running ...
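The two settings the reply calls out, jail.sysvipc_allowed and sendmail's DontProbeInterfaces, are easy to check from a script. The following is an added example and not part of the mailing-list thread: it audits captured sysctl output and a sendmail.cf rather than the live host, so it runs on any POSIX sh. It assumes the FreeBSD sysctl output format "name: value" (or the "name=value" form used in sysctl.conf) and the sendmail.cf option syntax "O Name=Value"; the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two jail-related
# settings discussed in the thread from captured text. On a real host you
# would run
#   sysctl jail.sysvipc_allowed | check_sysvipc
#   check_dontprobe < /etc/mail/sendmail.cf

# check_sysvipc: read `sysctl jail.sysvipc_allowed` output (or a
# sysctl.conf line, "name=value") on stdin. Prints "shared" when the knob
# is 1, meaning the host and every jail share one SysV IPC namespace,
# which is the risk raised in the thread; "isolated" otherwise. The
# unanchored match also accepts the later security.jail.* spelling.
check_sysvipc() {
    awk -F'[:=][ \t]*' '
        /jail\.sysvipc_allowed/ { v = $2 }
        END { if (v == 1) print "shared"; else print "isolated" }'
}

# check_dontprobe: read a sendmail.cf on stdin. Options are spelled
# "O Name=Value"; prints "true" only when DontProbeInterfaces is set to
# True, otherwise "false", which is sendmail's default and the setting the
# reply warns about when not every jail's IP is up.
check_dontprobe() {
    awk '
        BEGIN { v = "false" }
        /^O DontProbeInterfaces=/ {
            split($0, a, "=")
            if (tolower(a[2]) ~ /^true/) v = "true"
        }
        END { print v }'
}

# audit_host: combine both checks into one line of findings.
# $1 = file holding sysctl output, $2 = path to sendmail.cf
audit_host() {
    ipc=$(check_sysvipc < "$1")
    probe=$(check_dontprobe < "$2")
    printf 'sysvipc=%s dontprobeinterfaces=%s\n' "$ipc" "$probe"
}

# Constructed sample input: a host where the operator enabled SysV IPC for
# PostgreSQL in a jail but has not yet changed sendmail's default.
tmp=${TMPDIR:-/tmp}/jailaudit.$$
mkdir -p "$tmp"
printf 'jail.sysvipc_allowed: 1\n' > "$tmp/sysctl.out"
printf 'O QueueLA=8\nO DontProbeInterfaces=False\n' > "$tmp/sendmail.cf"

audit_host "$tmp/sysctl.out" "$tmp/sendmail.cf"
# prints: sysvipc=shared dontprobeinterfaces=false
rm -rf "$tmp"
```

A "shared" result is not a finding by itself; as the reply says, it is a question of how much you trust the users of the other jails. The check is there so that the decision is recorded rather than discovered later when Apache2 or PostgreSQL needs the knob opened.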