From: Boris Samorodov <bsam@ipt.ru>
To: Henrik Lidström
Cc: freebsd-jail@FreeBSD.org, "Bjoern A. Zeeb"
Subject: Re: sysvipc in jails + CURRENT
Date: Thu, 04 Jun 2009 18:08:55 +0400
Message-ID: <36883384@bb.ipt.ru>
In-Reply-To: <20090603130503.202126d6v3glhhq8@mail.lidstrom.eu> (Henrik Lidström's message of "Wed, 03 Jun 2009 13:05:03 +0200")
References: <11979393@h30.sp.ipt.ru> <20090531174837.R3234@maildrop.int.zabbadoz.net> <20090603130503.202126d6v3glhhq8@mail.lidstrom.eu>
List-Id: "Discussion about FreeBSD jail(8)" <freebsd-jail@freebsd.org>

On Wed, 03 Jun 2009 13:05:03 +0200 Henrik Lidström wrote:

> Quoting "Bjoern A. Zeeb":
>
> > On Sun, 31 May 2009, Boris Samorodov wrote:
> >
> > Hi,
> >
> >> has something changed at CURRENT with sysvipc jail handling?
> >> This jail has been working fine for almost a year.
> >>
> >> I've upgraded CURRENT to yesterday's sources and can't start
> >> postgresql in a jail anymore:
> >> ----- the jail -----
> >> % tail -2 /var/log/messages
> >> May 31 18:22:47 pg postgres[55425]: [1-1] FATAL:  could not create shared memory segment: Function not implemented
> >> May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL:  Failed system call was shmget(key=5432001, size=30384128, 03600).
> >> % sysctl security.jail.sysvipc_allowed
> >> security.jail.sysvipc_allowed: 0
> >> % grep sysvipc /etc/sysctl.conf
> >> security.jail.sysvipc_allowed=1
> >> ----- the host -----
> >> % uname -a
> >> FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31 11:28:31 MSD 2009     root@tba.bsam.ru:/usr/obj/usr/src/sys/TBA  amd64
> >> % sysctl security.jail.sysvipc_allowed
> >> security.jail.sysvipc_allowed: 1
> >> -----
> >
> > I'll look into that; possibly the default option is not properly taken
> > into account for the new jail framework.
> >
> > /bz
> >
> > --
> > Bjoern A. Zeeb                      The greatest risk is not taking one.
> > _______________________________________________
> > freebsd-jail@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> > To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>
> Somehow I can't email the mailing list (it doesn't show up), so I send
> directly to you.
> I also noticed the problem with security.jail.sysvipc_allowed as above.
> Also noticed that from a jail I now can see all filesystems (and that
> jls -v is broken, probably a problem with cpuset?).
>
> EXTBSD02-PROD# uname -a
> FreeBSD EXTBSD02-PROD.digidoc.com 8.0-CURRENT FreeBSD 8.0-CURRENT #6: Tue Jun  2 10:05:40 CEST 2009     root@EXTBSD02-PROD.digidoc.com:/data01/obj/usr/src/sys/EXTBSD02  i386
> EXTBSD02-PROD# jls -v
> jls: unknown parameter: cpuset
> EXTBSD02-PROD#
> EXTBSD02-PROD# jls
>    JID  IP Address      Hostname                      Path
>      1  195.67.11.41    INTDB01-PROD                  /data00/jails/INTDB01-PROD
>      2  195.67.11.9     INTLOG01-PROD.digidoc.com     /data00/jails/INTLOG01-PROD
>      3  62.20.119.164   EXTNS01-PROD                  /data00/jails/EXTNS01-PROD
>      4  62.20.119.230   PROXY03.digidoc.com           /data00/jails/PROXY03
> EXTBSD02-PROD# jexec 1 /bin/csh
> You have mail.
> INTDB01-PROD# mount -v
> /dev/da0s1a on / (ufs, local)
> devfs on /dev (devfs, local)
> /dev/da0s1e on /tmp (ufs, local, soft-updates)
> /dev/da0s1f on /usr (ufs, local, noatime, soft-updates)
> /dev/da0s1d on /var (ufs, local, noatime, soft-updates)
> /dev/da0s2a on /data00 (ufs, local, noatime, soft-updates)
> /dev/da1s1d on /data01 (ufs, local, noatime, soft-updates)
> tmpfs on /data00/jails/PROXY03/usr/local/squid/scan_dir (tmpfs, local)
> /data01/data/ports on /data00/jails/EXTNS01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTDB01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTLOG01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTSIM01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/PROXY03/usr/ports (nullfs, local, noatime)
> /data01/backup/INTDB01PROD/databases on /data00/jails/INTDB01-PROD/usr/backup (nullfs, local, noatime)
> devfs on /data00/jails/INTDB01-PROD/dev (devfs, local)
> procfs on /data00/jails/INTDB01-PROD/proc (procfs, local)
> devfs on /data00/jails/INTLOG01-PROD/dev (devfs, local)
> procfs on /data00/jails/INTLOG01-PROD/proc (procfs, local)
> devfs on /data00/jails/EXTNS01-PROD/dev (devfs, local)
> procfs on /data00/jails/EXTNS01-PROD/proc (procfs, local)
> devfs on /data00/jails/PROXY03/dev (devfs, local)
> procfs on /data00/jails/PROXY03/proc (procfs, local)
> INTDB01-PROD#

There is definitely some inconsistency. JAIL(8) at recent CURRENT talks
about security.jail.param.allow.sysvipc and it is listed via
"sysctl -d security.jail.param". But it seems not to be used:
----- at the jail -----
# sysctl security.jail.param.allow.sysvipc
#
-----

WBR
--
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve
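The failing call in the thread is shmget(key=5432001, size=30384128, 03600), where 03600 is IPC_CREAT|IPC_EXCL|0600, and the ENOSYS ("Function not implemented") it returned is how the kernel reports that System V IPC is not available to a jailed process. The following probe is an added example, not code from the thread or from PostgreSQL: it issues the same kind of shmget() from inside a jail so the sysvipc state can be checked without starting the database, and classifies the errno so that a jail policy failure (ENOSYS) is not confused with a kern.ipc.shm* limit (EINVAL, ENOMEM, ENOSPC). The program name, the enum and function names are assumptions of this example; it uses IPC_PRIVATE instead of the postmaster's key so it cannot collide with a running PostgreSQL. One caveat worth keeping in mind when flipping the knob to make the database start: in the jail implementation of that era, System V primitives share a single namespace across the host and all jails, so allowing sysvipc in one jail lets its processes reach (and potentially interfere with) segments and semaphores belonging to the host and to other jails.

```c
/*
 * sysv_shm_probe.c  (added example; not part of the mailing-list thread)
 *
 * Reproduce PostgreSQL's shmget() from inside a jail and classify the
 * result. Size and mode follow the postgres log line in the thread
 * (size=30384128, 03600 == IPC_CREAT|IPC_EXCL|0600); the key is
 * IPC_PRIVATE rather than 5432001 so the probe never collides with a
 * running postmaster.
 *
 * Build: cc -Wall -o sysv_shm_probe sysv_shm_probe.c
 */
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Outcome codes returned by probe_sysv_shm() (names are this example's own). */
enum shm_probe_result {
    SHM_PROBE_OK = 0,    /* segment created and removed again */
    SHM_PROBE_DISABLED,  /* ENOSYS: SysV IPC refused to this process */
    SHM_PROBE_LIMIT,     /* EINVAL/ENOMEM/ENOSPC: kernel limits, not jail policy */
    SHM_PROBE_OTHER      /* anything else; inspect errno */
};

/* Map an shmget(2) errno to a probe result. Pure function, testable alone. */
enum shm_probe_result classify_shmget_errno(int err)
{
    switch (err) {
    case 0:
        return SHM_PROBE_OK;
    case ENOSYS:
        /* "Function not implemented": the kernel denies SysV IPC to the
         * caller. For a jailed process this is the sysvipc allow flag. */
        return SHM_PROBE_DISABLED;
    case EINVAL:   /* size outside kern.ipc.shmmin .. kern.ipc.shmmax */
    case ENOMEM:   /* kern.ipc.shmall or memory exhausted */
    case ENOSPC:   /* kern.ipc.shmmni segments already exist */
        return SHM_PROBE_LIMIT;
    default:
        return SHM_PROBE_OTHER;
    }
}

const char *shm_probe_describe(enum shm_probe_result r)
{
    switch (r) {
    case SHM_PROBE_OK:       return "ok";
    case SHM_PROBE_DISABLED: return "disabled (ENOSYS); in a jail, check allow.sysvipc";
    case SHM_PROBE_LIMIT:    return "refused by kern.ipc.shm* limits";
    default:                 return "failed";
    }
}

/*
 * Create a private SysV shm segment of `size` bytes and remove it again.
 * Returns the classified result; *saved_errno gets errno on failure, 0 on
 * success.
 */
enum shm_probe_result probe_sysv_shm(size_t size, int *saved_errno)
{
    int id = shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | 0600);
    if (id == -1) {
        *saved_errno = errno;
        return classify_shmget_errno(errno);
    }
    /* Nothing is attached, so IPC_RMID destroys the segment immediately. */
    if (shmctl(id, IPC_RMID, NULL) == -1) {
        *saved_errno = errno;
        return SHM_PROBE_OTHER;
    }
    *saved_errno = 0;
    return SHM_PROBE_OK;
}

int main(void)
{
    int err;
    enum shm_probe_result r = probe_sysv_shm(30384128, &err);

    printf("shmget(IPC_PRIVATE, 30384128, IPC_CREAT|IPC_EXCL|0600): %s",
           shm_probe_describe(r));
    if (r != SHM_PROBE_OK)
        printf(" (errno %d: %s)", err, strerror(err));
    printf("\n");
    return r == SHM_PROBE_OK ? 0 : 1;
}
```

Run it with jexec inside the jail that hosts PostgreSQL; an exit status of 1 with "disabled (ENOSYS)" reproduces the thread's failure independent of the database. On the host, compare the result against what the jail framework reports for that jail (on versions with the parameter framework, `jls -j <jid> allow.sysvipc`) and against the legacy `sysctl security.jail.sysvipc_allowed`, which is exactly the pair the thread shows disagreeing.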