From: dweimer <dweimer@dweimer.net>
To: freebsd-questions@freebsd.org
Date: Tue, 14 May 2013 08:31:33 -0500
Subject: Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
In-Reply-To: <51923A06.7020206@a1poweruser.com>

On 05/14/2013 8:20 am, Joe wrote:
> David Demelier wrote:
> > 2013/5/14 Joe:
> > > David Demelier wrote:
> > > > On Monday 13 May 2013 16:32:01 Joe wrote:
> > > > > David Demelier wrote:
> > > > > > Hello dear,
> > > > > >
> > > > > > Does jail.conf(5) not work for jails listed in rc.conf?
> > > > > >
> > > > > > I've added in /etc/jail.conf:
> > > > > >
> > > > > > foo {
> > > > > >     hostname=Foo;
> > > > > >     path=/jails/foo;
> > > > > >     allow.sysvipc=1;
> > > > > > }
> > > > > >
> > > > > > And in /etc/rc.conf only foo in the jail_list parameter, but when I try
> > > > > > to start the jail it still complains about missing hostname.
> > > > > >
> > > > > > Regards,
> > > > >
> > > > > There are 2 methods for configuring jails.
> > > > >
> > > > > The legacy method, in which you put the jail config statements in the
> > > > > host's /etc/rc.conf file and start and stop control is done by the host's
> > > > > /etc/rc.d/jail script at boot time.
> > > > >
> > > > > The jail(8) method, which has its own jail config statements in the
> > > > > host's /etc/jail.conf file and uses the jail(8) program for starting and
> > > > > stopping. You can create a jail.conf file for each jail(8) and start it
> > > > > using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
> > > > > jail -f "/etc/jailname.jail.conf" -r jailname
> > > > >
> > > > > You cannot mix the 2 methods.
> > > >
> > > > My real problem is that I wanted to add allow.sysvipc only for *one*
> > > > jail and I can't find a real solution by jail_* flags in /etc/rc.conf
> > > >
> > > > There is jail_allow_sysvipc but it enables it for all jails.
> > >
> > > The jail(8) method does have an allow_sysvipc on a per jail basis. To
> > > use it you have to use the jail(8) method. The 9.1-RELEASE legacy method
> > > is a work in progress to incorporate the jail(8) parameters into the
> > > rc.conf config statements.
> > >
> > > About the allow_sysvipc parameter, this breaks the security the jail is
> > > designed to provide and should NOT be used on any jails having public
> > > internet access.
> > >
> > > What are you trying to do that you think you need to use the
> > > allow_sysvipc parameter?
> >
> > PostgreSQL, usually I install it on the host instead of jails, but I
> > needed a second instance on a different port for public access.
> >
> > Regards,
> >
> > --
> > Demelier David
>
> That all sounds logical and is what jails are designed to do.
> Why would running PostgreSQL in a jail need sysvipc?
> Have you tried it? Did you get some PostgreSQL error?

I can confirm that PostgreSQL will not run in a jail without sysvipc
enabled. I just set up a jail running PostgreSQL a few weeks ago and had
to do that as well. PostgreSQL will not start without it enabled, though
perhaps there is some setting change in PostgreSQL that will make it not
require this.

In my case it's the only jail, and I am the only user with access to both
the base system and the jail, so I wasn't too concerned about it allowing
more access to the base system from the jail.

--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/
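Since the thread's answer is that per-jail allow.sysvipc needs the jail(8) method, here is an added example of a /etc/jail.conf (not from anyone in the thread) that grants it to the PostgreSQL jail only, keeping every other jail at the default. Jail names, paths and addresses are made up; the host is assumed to run a jail(8) that reads jail.conf.

```conf
# Added example, not from the thread. Jail names, paths and addresses are
# constructed; only the parameters themselves are real jail(8) ones.

# Defaults inherited by every jail defined below ($name is the jail's name).
path = "/jails/$name";
host.hostname = "$name.example.invalid";
mount.devfs;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";

# The jail for the second PostgreSQL instance: SysV IPC is enabled here and
# nowhere else, because it lets the jail share the host's IPC objects.
pgsql {
    ip4.addr = 192.0.2.10;
    allow.sysvipc = 1;
}

# Any other jail keeps the default (allow.sysvipc off).
www {
    ip4.addr = 192.0.2.11;
}
```

Start one jail with `jail -c -f /etc/jail.conf pgsql` and stop it with `jail -f /etc/jail.conf -r pgsql`, as described in the thread; `jls -n name allow.sysvipc` then shows the value of the flag for each running jail, which is a quick way to confirm that only pgsql has it set.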