From: David Demelier
To: Joe
Cc: freebsd-questions@freebsd.org
Date: Tue, 14 May 2013 17:38:37 +0200
Subject: Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf
In-Reply-To: <51923A06.7020206@a1poweruser.com>
2013/5/14 Joe :
> David Demelier wrote:
>>
>> 2013/5/14 Joe :
>>>
>>> David Demelier wrote:
>>>>
>>>> On Monday 13 May 2013 16:32:01, Joe wrote:
>>>>>
>>>>> David Demelier wrote:
>>>>>>
>>>>>> Hello dear,
>>>>>>
>>>>>> Does jail.conf(5) not work for jails listed in rc.conf?
>>>>>>
>>>>>> I've added in /etc/jail.conf:
>>>>>>
>>>>>> foo {
>>>>>>     hostname=Foo;
>>>>>>     path=/jails/foo;
>>>>>>     allow.sysvipc=1;
>>>>>> }
>>>>>>
>>>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try
>>>>>> to start the jail it still complains about a missing hostname.
>>>>>>
>>>>>> Regards,
>>>>>
>>>>> There are 2 methods for configuring jails.
>>>>>
>>>>> The legacy method, in which you put the jail config statements in the host's
>>>>> /etc/rc.conf file and start and stop control is done by the host's
>>>>> /etc/rc.d/jail script at boot time.
>>>>>
>>>>> The jail(8) method, which has its own jail config statements in the
>>>>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>>>>> stopping. You can create a jail.conf file for each jail(8) and start it
>>>>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
>>>>> jail -f "/etc/jailname.jail.conf" -r jailname
>>>>>
>>>>> You can not mix the 2 methods.
>>>>
>>>> My real problem is that I wanted to add allow.sysvipc only for *one* jail
>>>> and I can't find a real solution with jail_* flags in /etc/rc.conf.
>>>>
>>>> There is jail_allow_sysvipc but it enables it for all jails.
>>>>
>>> The jail(8) method does have an allow_sysvipc on a per jail basis. To use it
>>> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a
>>> work in process to incorporate the jail(8) parameters into the rc.conf config
>>> statements.
>>>
>>> About the allow_sysvipc parameter, this breaks the security the jail is
>>> designed to provide and should NOT be used on any jails having public
>>> internet access.
>>>
>>> What are you trying to do that you think you need to use the
>>> allow_sysvipc parameter?
>>>
>> PostgreSQL, usually I install it on the host instead of jails, but I
>> needed a second instance on a different port for public access..
>>
>> Regards,
>>
>> --
>> Demelier David
>>
> That all sounds logical and is what jails are designed to do.
> Why would running PostgreSQL in a jail need sysvipc?
> Have you tried it? Did you get some PostgreSQL error?
>
Yes, unfortunately this is a very, very old issue that has been reported so
often..

--
Demelier David
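An added example, not from this thread or from the FreeBSD project: a small sh/awk audit that reads a jail.conf and reports which jail blocks end up with allow.sysvipc enabled, so that the permission Joe warns about stays limited to the one jail (the PostgreSQL one) that needs it rather than all jails as with the rc.conf jail_allow_sysvipc knob. The jail.conf contents below are constructed, the jail names foo, bar, baz and qux are placeholders, and the parser assumes the common one-parameter-per-line layout: it understands `allow.sysvipc = <value>;`, the bare `allow.sysvipc;` form and the `allow.nosysvipc;` negation, and treats top-level settings as defaults for the blocks that follow them. Run it against the real file with `sysvipc_report < /etc/jail.conf`.

```sh
#!/bin/sh
# Added example (not from the thread): audit which jails in a jail.conf
# end up with allow.sysvipc enabled. Sample configuration is constructed.

# Constructed sample jail.conf: only "foo" (the PostgreSQL jail) and "baz"
# should come out as enabled; "bar" negates it and "qux" inherits the default.
SAMPLE_JAIL_CONF='
# global defaults, applied to the blocks that follow
path = "/jails/$name";
host.hostname = "$name.example.org";
allow.sysvipc = 0;

foo {
    # hypothetical PostgreSQL instance that needs SysV shared memory
    allow.sysvipc = 1;
}

bar {
    allow.nosysvipc;
}

baz {
    allow.sysvipc;
}

qux {
}
'

# Print "<jail> <0|1>" for every jail block read on stdin.
sysvipc_report() {
    awk '
    BEGIN { def = 0 }                          # jail(8) default: sysvipc disabled
    function bool(s) {                         # "1"/"true"/"yes" -> 1, anything else -> 0
        gsub(/[ \t;"]/, "", s)
        return (s == "1" || s == "true" || s == "yes") ? 1 : 0
    }
    /^[ \t]*#/ { next }                        # comment line
    /^[ \t]*[A-Za-z0-9_.-]+[ \t]*[{]/ {        # "name {" opens a jail block
        name = $1; sub(/[{].*/, "", name)
        injail = 1; jails[++n] = name
        value[name] = def                      # inherit defaults seen so far
        next
    }
    /^[ \t]*[}]/ { injail = 0; next }          # "}" closes the block
    /^[ \t]*allow\.sysvipc[ \t]*=/ {           # allow.sysvipc = <value>;
        v = $0; sub(/[^=]*=/, "", v)
        if (injail) value[name] = bool(v); else def = bool(v)
        next
    }
    /^[ \t]*allow\.sysvipc[ \t]*;/ {           # bare "allow.sysvipc;" means true
        if (injail) value[name] = 1; else def = 1
        next
    }
    /^[ \t]*allow\.nosysvipc[ \t]*;/ {         # "allow.nosysvipc;" means false
        if (injail) value[name] = 0; else def = 0
        next
    }
    END { for (i = 1; i <= n; i++) printf "%s %d\n", jails[i], value[jails[i]] }
    '
}

# Print only the names of jails that end up with allow.sysvipc enabled;
# anything listed here that also faces the public Internet deserves a second look.
sysvipc_enabled_jails() {
    sysvipc_report | awk '$2 == 1 { print $1 }'
}

# Per the thread, each such jail is then started and stopped with jail(8), e.g.
#   jail -c -f "/etc/jailname.jail.conf"
#   jail -f "/etc/jailname.jail.conf" -r jailname
# (not executed here). Report on the constructed sample:
printf '%s\n' "$SAMPLE_JAIL_CONF" | sysvipc_report
```

The report prints one line per jail block, so a host with many jails can be checked in a glance; feeding the real /etc/jail.conf through `sysvipc_enabled_jails` gives just the names to review against the "no public access" rule from the thread.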