From: Koen Martens <fbsd@metro.cx>
To: freebsd-hackers@freebsd.org
Date: Sun, 28 Nov 2004 21:03:31 +0100
Subject: Re: Jail + sysv shmem
Message-ID: <20041128200330.GA4640@metro.cx>
In-Reply-To: <20041128120058.DC71716A4CE@hub.freebsd.org>
References: <20041128120058.DC71716A4CE@hub.freebsd.org>
User-Agent: Mutt/1.4.1i
X-PGP-Key: http://www.metro.cx/pubkey-gmc.asc
List-Id: Technical Discussions relating to FreeBSD

On Sun, Nov 28, 2004 at 12:00:58PM +0000, freebsd-hackers-request@freebsd.org wrote:
> From: Justin Hopper
>
> I know that Pawel @ http://garage.freebsd.pl has a patch for making
> private SysV IPC memory spaces for the host system and each jail:
>
> http://garage.freebsd.pl/privipc.README
>
> The patch is against 4.x though, and I've never tried it. I would
> really like to see something like this implemented for 5.x though. Does
> anyone know if there are plans to implement this in the future 5.x
> releases? If not, I would be interested in helping anyone that wishes
> to try implementing this in 5.3 soon, as we have a lot of clients who
> ask for SysV IPC inside of jailed hosting environments.

Interesting, I will download that and see if it is of any help in my
effort to implement this in FreeBSD 5.x. Thanks for the pointer.

> ------------------------------
>
> Date: Sun, 28 Nov 2004 18:21:06 +1100
> From: Peter Jeremy
>
> The sysadmin is likely to need access to:
> 1) look at SysV IPC usage across the entire system
> 2) clean up after a process has died unexpectedly.
>
> Whilst it's possible for the sysadmin to enter the relevant jail and
> look at what is used in that jail, it's very difficult to get an
> overall view of the system in this way - especially if there are lots
> of jails.

Hmm, there is a trade-off: ease of maintenance vs security. I personally
would not want the host system to have access to the jail systems by IPC.
It seems reasonable to make this a sysctl (which can only be set at boot
time).

> Robert Watson was also looking into this recently.

I had some contact with him a while back, about his jailng project.
However, that has been abandoned afaik. How recently have you heard him
talk about this?

Kind regards,

Koen Martens

-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program can't read?
Visit http://www.openpgp.org/
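An added example, not part of this thread or of any of the patches it mentions: a small C program that walks through the SysV shared-memory lifecycle (shmget, shmat, shmdt, shmctl). It illustrates Peter Jeremy's point (2) above, that a segment outlives the process that created it (the attach count drops to zero on detach but the segment stays allocated until someone issues IPC_RMID), which is exactly the state an administrator has to find and clean up after a crash. The key constant DEMO_KEY and the demo_* function names are constructed for this example; a real program would derive its key with ftok(3).

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Constructed key for this example. SysV keys live in a single namespace
 * per kernel (or per IPC namespace/jail where the OS provides one), which
 * is why the thread above discusses giving each jail its own. */
#define DEMO_KEY ((key_t)0x5EC0DE01)

/* Create (or look up) a segment of `size` bytes under `key`, attach it,
 * write a marker string and detach again. Returns the segment id, or -1.
 * Detaching does NOT free the segment: it remains in the kernel. */
int demo_create_and_detach(key_t key, size_t size)
{
    int id = shmget(key, size, IPC_CREAT | 0600);   /* owner-only perms */
    if (id < 0)
        return -1;
    void *p = shmat(id, NULL, 0);
    if (p == (void *)-1)
        return -1;
    memcpy(p, "hello", 6);
    if (shmdt(p) < 0)
        return -1;
    return id;
}

/* Number of processes currently attached to the segment, or -1 if the
 * segment no longer exists (the id is stale). An existing segment with
 * an attach count of 0 and no owner process is the "orphan" case. */
long demo_attach_count(int id)
{
    struct shmid_ds ds;
    if (shmctl(id, IPC_STAT, &ds) < 0)
        return -1;
    return (long)ds.shm_nattch;
}

/* Explicit cleanup: mark the segment for destruction. It is freed once
 * the last attached process detaches (immediately if nobody is attached). */
int demo_remove(int id)
{
    return shmctl(id, IPC_RMID, NULL);
}

int main(void)
{
    int id = demo_create_and_detach(DEMO_KEY, 4096);
    if (id < 0) {
        perror("shm setup");
        return 1;
    }
    printf("segment %d exists after detach, attach count = %ld\n",
           id, demo_attach_count(id));
    if (demo_remove(id) < 0) {
        perror("IPC_RMID");
        return 1;
    }
    printf("after IPC_RMID, attach count query returns %ld (segment gone)\n",
           demo_attach_count(id));
    return 0;
}
```

Run it and compare with `ipcs -m` before and after the IPC_RMID step; the segment shows up in the listing between the detach and the removal, which is the view an administrator needs across all jails and the reason a per-jail private namespace makes the "overall view" harder to obtain from the host.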