Date:      Thu, 11 Jun 2015 19:15:10 -0700
From:      Alfred Perlstein <alfred@freebsd.org>
To:        kikuchan@uranus.dti.ne.jp
Cc:        freebsd-jail@freebsd.org, freebsd-hackers@freebsd.org
Subject:   Re: How to implement jail-aware SysV IPC (with my nasty patch)
Message-ID:  <557A40AE.3010804@freebsd.org>
In-Reply-To: <a4e44ca122fea4f175398a6bc72778b5@imap.cm.dream.jp>
References:  <cc18282ebe394476120a139239225782@imap.cm.dream.jp> <557A34DB.9070103@freebsd.org> <a4e44ca122fea4f175398a6bc72778b5@imap.cm.dream.jp>

Thank you!

On 6/11/15 7:04 PM, kikuchan@uranus.dti.ne.jp wrote:
> Thank you for your reply!
>
> Just appended, is this OK?
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471
>
>
> On Thu, 11 Jun 2015 18:24:43 -0700, Alfred Perlstein <alfred@freebsd.org> wrote:
>> Can a bugzilla or github request please be made for this so that it 
>> doesn't get lost?
>>
>> thank you,
>> -Alfred
>>
>> On 6/11/15 6:17 PM, kikuchan@uranus.dti.ne.jp wrote:
>>> Hello,
>>>
>>> I'm (still) trying to figure out how a jail-aware SysV IPC mechanism should be.
>>>
>>> I want to run PostgreSQL in each jail without changing UID for each jail.
>>> If you don't change UID on each jail, it doesn't work due to IPC objects conflict between jails.
>>> See also;
>>>    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471
>>>    http://www.freebsddiary.org/jail-multiple.php
>>>    https://wiki.freebsd.org/Jails
>>>    https://forums.freebsd.org/threads/postgresql-in-jail.51528/
>>>
>>> There is a patch for 4.7-STABLE on bugzilla (see above) to solve the problem by completely separating the namespace for each jail in the kernel,
>>> but I couldn't find any (other) implementation that works on recent FreeBSD.
>>> I've also tried to re-write the patch for recent FreeBSD, but I couldn't make it properly due to my limited kernel knowledge ;(
>>>
>>> Anyway, I created (and updated) a patch that tries to solve the problem by simply separating the IPC key_t space for each jail.
>>> The attached patch can be applied to 10-STABLE (or CURRENT?).
>>>
>>> After the patch is applied;
>>> - IPC objects created in the parent jail are invisible to children.
>>> - IPC objects created in neighbor jails are also invisible to each other.
>>> - IPC objects created in a child jail are VISIBLE from the parent.
>>> - IPC key_t spaces are separated between jails. If you see a key_t-named object from the parent, it's shown as IPC_PRIVATE.
>>>
>>> I chose this design for the feature; however, I'm not sure this is the right design for jail-aware IPC.
>>> If you prefer the completely separated namespace approach, it's ok. I want to focus on how the IPC mechanism should deal with a hierarchical jail system.
>>>
>>> So I need more feedback. Could you help me please?
>>> You can dig and play with ipcs(1)/ipcrm(1) to see what happened in each jail.
>>>
>>> Thanks.
>>>
>>> --
>>> Kikuchan
>>>
>>>
>>> _______________________________________________
>>> freebsd-hackers@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
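The visibility and key-space rules Kikuchan lists above, as an added C model that is not the patch's code: each object records its creator jail, a jail sees an object only if it created it or is an ancestor of the creator, and a key_t belongs to the creator's key space, so other jails report it as IPC_PRIVATE. The jail ids, parent table and objects are constructed for illustration.

```c
/* Added model (not the patch's code) of the rules in the post: an IPC object
 * records its creator jail; a jail sees an object only if it created it or is
 * an ancestor of the creator; a key_t belongs to the creator's key space, so
 * any other jail reports it as IPC_PRIVATE. Jail ids and objects are made up. */
#include <stdio.h>
#include <sys/ipc.h>   /* key_t, IPC_PRIVATE */

#define NJAILS 4
/* parent[j] is jail j's parent; jail 0 is the host and its own parent. */
static const int parent[NJAILS] = { 0, 0, 0, 1 };  /* 1,2 under host, 3 under 1 */

struct ipc_obj { int id; int creator_jail; key_t key; };
/* Constructed: every jail created one segment with the same key, which is the
 * PostgreSQL-in-every-jail conflict the patch is meant to resolve. */
static const struct ipc_obj objs[] = {
    { 100, 0, 5432 }, { 101, 1, 5432 }, { 102, 2, 5432 }, { 103, 3, 5432 },
};
#define NOBJS (sizeof(objs) / sizeof(objs[0]))

/* 1 if viewer is creator itself or one of its ancestors, else 0. */
int jail_sees(int viewer, int creator)
{
    for (;;) {
        if (creator == viewer) return 1;
        if (parent[creator] == creator) return 0;  /* reached the host */
        creator = parent[creator];
    }
}
/* key_t that ipcs(1) inside viewer would show for o. */
key_t key_as_seen_by(int viewer, const struct ipc_obj *o)
{
    return o->creator_jail == viewer ? o->key : IPC_PRIVATE;
}
/* Key lookup from viewer: key spaces are per jail, so only an object created
 * in that same jail can match. Returns the object id or -1. */
int lookup_by_key(int viewer, key_t key)
{
    for (size_t i = 0; i < NOBJS; i++)
        if (objs[i].creator_jail == viewer && objs[i].key == key)
            return objs[i].id;
    return -1;
}
int main(void)
{
    for (int v = 0; v < NJAILS; v++)
        for (size_t i = 0; i < NOBJS; i++)
            if (jail_sees(v, objs[i].creator_jail))
                printf("jail %d sees id %d as key %ld\n", v, objs[i].id,
                       (long)key_as_seen_by(v, &objs[i]));
    return 0;
}
```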