From: Mark Martinec
Date: Tue, 13 Dec 2016 16:08:12 +0100
To: freebsd-stable@freebsd.org
Cc: Christian Schwarz
Subject: Re: Is System V IPC namespace still shared across jails?
Organization: Jozef Stefan Institute
Message-ID: <9b85246e8cf5dfb34ddbbaaec528a4a7@ijs.si>
In-Reply-To: <20161212193817.hjax5jo5leb7ryjr@csarch.Speedport_W_724V_01011603_00_008>
List-Id: Production branch of FreeBSD source code

2016-12-12 20:38, Christian Schwarz wrote:

> With the new jail parameters, new namespaces for SysV IPC are possible
> on FreeBSD 11.
>
> For those ezjail users, add something like this to the jail's config
> after creating it using 'ezjail-admin create':
>
> export jail_postgres_parameters="sysvmsg=new sysvsem=new sysvshm=new"
>
> Cheers,
> Christian

Thank you, this is it! I missed it in the JAIL(8) man page, and it is not
mentioned in the release notes. Now if only iocage would recognize the
sysvmsg, sysvsem, and sysvshm options:

  # iocage set sysvmsg='new' xxx
  ERROR: Unsupported property: sysvmsg!

I guess I should file a bug report.

  Mark

> man 8 jail
>> ...
>> allow.sysvipc
>>     A process within the jail has access to System V IPC
>>     primitives. This is deprecated in favor of the per-
>>     module parameters (see below). When this parameter is
>>     set, it is equivalent to setting sysvmsg, sysvsem, and
>>     sysvshm all to ``inherit''.
>> ...
>>
>> sysvmsg
>>     Allow access to SYSV IPC message primitives. If set to
>>     ``inherit'', all IPC objects on the system are visible to this
>>     jail, whether they were created by the jail itself, the base
>>     system, or other jails. If set to ``new'', the jail will have
>>     its own key namespace, and can only see the objects that it has
>>     created; the system (or parent jail) has access to the jail's
>>     objects, but not to its keys. If set to ``disable'', the jail
>>     cannot perform any sysvmsg-related system calls.
>>
>> sysvsem, sysvshm
>>     Allow access to SYSV IPC semaphore and shared memory primitives,
>>     in the same manner as sysvmsg.

>>> Regarding installation of PostgreSQL in a FreeBSD jail, the web holds
>>> plenty of warnings/advice that each postgres instance should have a
>>> unique UID, otherwise they stumble across each other's feet:
>>>
>>> | allow.sysvipc
>>> |     A process within the jail has access to System V IPC primitives.
>>> |     In the current jail implementation, System V primitives share a
>>> |     single namespace across the host and jail environments, meaning
>>> |     that processes within a jail would be able to communicate with
>>> |     (and potentially interfere with) processes outside of the jail,
>>> |     and in other jails.
>>>
>>> Is this still the case in FreeBSD 11.0 ???
>>>
>>> I remember hearing rumors that the System V namespace
>>> no longer is (will?) be shared across jails.
>>> (Couldn't find it being mentioned in release notes.)
>>>
>>> Mark
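The per-module jail parameters discussed in this thread, written out as a jail.conf(5) stanza for a PostgreSQL jail, together with a small audit check that flags jails still sharing the host-wide System V IPC key namespace. This is an added example, not code from the thread or from the FreeBSD, ezjail or iocage projects; the jail name, path, hostname and the sample jls lines are constructed, and the assumption that `jls -n` prints parameters as `name=value` with booleans as `allow.sysvipc` / `allow.nosysvipc` is mine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the FreeBSD 11
# jail(8) parameters sysvmsg/sysvsem/sysvshm quoted in the thread; the
# jail.conf stanza, paths and the sample jls output below are constructed.

# Emit a jail.conf(5) stanza for a jail that gets its own SysV IPC key
# namespace instead of the namespace shared with the host and all jails.
pg_jail_conf() {
    name="$1"
    cat <<EOF
$name {
    path = "/usr/jails/$name";
    host.hostname = "$name.example.org";
    # allow.sysvipc (= sysvmsg/sysvsem/sysvshm all 'inherit', i.e. one
    # namespace across host and jails) is deliberately NOT set here.
    sysvmsg = new;
    sysvsem = new;
    sysvshm = new;
}
EOF
}

# Audit one jail's 'jls -n' style line (name=value pairs; boolean flags
# appear as 'allow.sysvipc' or 'allow.nosysvipc').
# Returns 0 when the jail cannot see other jails' or the host's IPC objects
# (every module 'new' or 'disable', legacy flag unset), 1 otherwise.
sysvipc_isolated() {
    line="$1"
    for p in sysvmsg sysvsem sysvshm; do
        case " $line " in
            *" $p=new "*|*" $p=disable "*) ;;   # isolated or switched off
            *) return 1 ;;                       # 'inherit' or missing: shared
        esac
    done
    case " $line " in
        *" allow.sysvipc "*) return 1 ;;         # legacy flag forces 'inherit'
    esac
    return 0
}

# Constructed sample lines in the assumed 'jls -n' layout.
SAMPLE_ISOLATED='jid=3 name=postgres path=/usr/jails/postgres sysvmsg=new sysvsem=new sysvshm=new allow.nosysvipc'
SAMPLE_SHARED='jid=4 name=legacy path=/usr/jails/legacy sysvmsg=inherit sysvsem=inherit sysvshm=inherit allow.sysvipc'

# Report on each sample line; on a live host replace the samples with
# `jls -n` (one line per jail) piped through a while-read loop.
for s in "$SAMPLE_ISOLATED" "$SAMPLE_SHARED"; do
    n=${s#*name=}; n=${n%% *}
    if sysvipc_isolated "$s"; then
        echo "jail $n: SysV IPC namespace isolated"
    else
        echo "jail $n: SysV IPC namespace SHARED with host/other jails"
    fi
done
```

Note that `sysvipc_isolated` treats `disable` as non-shared too: a jail with no SysV IPC at all cannot interfere with anyone, although PostgreSQL itself still needs `sysvshm` and `sysvsem`, so `new` is the setting to aim for there.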