Date: Wed, 29 Apr 2026 09:05:47 +0200
From: Milan Obuch <freebsd-hackers@dino.sk>
To: freebsd-hackers@freebsd.org
Subject: SYSVIPC and jails
Message-ID: <20260429090547.16709362.28181704.71119016@dino.sk>
Hi,

I am trying to move some old data collecting system to a recent OS. Jails (with vnet in the old system, both non-vnet and vnet ones in the newer one in order to do some division of tasks for better maintainability) and shared memory are in use, allowing the jails to share some status data, possibly fast changing. The original system is over 10 years old, based on FreeBSD 9.3, basically no longer maintainable, and it started to show some problems.

A jail here was created with the simple command

  jail -c name=xxx vnet persist allow.sysvipc

and everything just works. In the base system a shared memory segment is created, filled with some data, and subsequently it is used in both the base system and the jail.

I can't get this behavior with FreeBSD 14.3 (I tested a bit with 15.0 as well, not fully). I know allow.sysvipc should be replaced with sysvshm and, additionally if useful, sysvmsg and sysvsem, but that's not an issue. With 'jls -vs' I see the following properties

  sysvmsg=inherit sysvsem=inherit sysvshm=inherit allow.sysvipc

set, so, according to 'man jail', it should work. It does not, however - when using a non-null integer for shmkey in the shmget call, I see that number in 'ipcs -a' output in the jail where this segment is created, but zero in another jail. This leads to a "No such file or directory" error when calling shmget to attach the existing shared memory segment. If I use a zero value for shmkey in the shmget call, the failure moves to the shmat call, and the error is "Permission denied" even in the jail where this segment was created.

Looking into sysctl for a possible hint, I found two objects with sysvipc in their names, with jail in their tree, additionally:

  security.jail.param.allow.sysvipc
  security.jail.sysvipc_allowed

I am able to set the latter to 1, but not the former; executing

  sysctl security.jail.param.allow.sysvipc=1

does not change the value, while executing

  sysctl security.jail.sysvipc_allowed=1

changes the object's value from 0 to 1. Even after this change, the shared memory segment is not shared among jails.

What change am I missing? How should I achieve the desired behavior? I am out of ideas. By the way, I am using kernel modules, but all required ones are loaded - this approach works if no inter-jail shared memory segment visibility is required.

Regards,
Milan
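A small diagnostic, added here as an example and not part of Milan's message, that reproduces the two failure modes he reports from one process: shm_probe_key reports whether a SysV key resolves from the caller's IPC namespace (ENOENT is the "No such file or directory" case) and shm_access surfaces the shmat errno (EACCES is the "Permission denied" case). The key values and the 0600 mode are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Look up KEY without creating it. Returns 0 when a segment is visible from
 * this process's IPC namespace, otherwise errno (ENOENT is the
 * "No such file or directory" case from the post). */
int shm_probe_key(key_t key) {
	return shmget(key, 0, 0) < 0 ? errno : 0;
}

/* Create a segment under KEY; IPC_EXCL turns a stale leftover into an error. */
int shm_create_segment(key_t key, size_t size) {
	int id = shmget(key, size, IPC_CREAT | IPC_EXCL | 0600);
	if (id < 0)
		fprintf(stderr, "shmget(0x%lx): %s\n", (unsigned long)key, strerror(errno));
	return id;
}

/* Attach segment ID, then either store *VAL into its first word (write) or
 * load the first word into *VAL (read-only attach). Returns 0, or -1 after
 * reporting the shmat errno (EACCES is the "Permission denied" case). */
int shm_access(int id, int write, int *val) {
	int *p = shmat(id, NULL, write ? 0 : SHM_RDONLY);
	if (p == (void *)-1) {
		fprintf(stderr, "shmat(%d): %s\n", id, strerror(errno));
		return -1;
	}
	if (write) *p = *val; else *val = *p;
	shmdt(p);
	return 0;
}

/* Create under KEY, write VALUE, re-open by key (the lookup a second jail
 * would perform), read it back, then mark the segment for removal.
 * Returns the value read, or -1 if any step failed. Keys are constructed. */
int shm_roundtrip(key_t key, int value) {
	int id = shm_create_segment(key, 4096), id2, out = -1;
	if (id < 0 || shm_access(id, 1, &value) < 0)
		return -1;
	if ((id2 = shmget(key, 0, 0)) >= 0)
		shm_access(id2, 0, &out);
	shmctl(id, IPC_RMID, NULL);
	return out;
}
```

Calling shm_probe_key with the key shown by 'ipcs -a' in the creating jail, once from the base system and once from each jail, tells you at which boundary the key stops resolving before shmat is ever reached.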