From: Alan Somers
Date: Tue, 13 Dec 2016 08:29:31 -0700
Subject: Re: Is System V IPC namespace still shared across jails?
To: Mark Martinec
Cc: FreeBSD (freebsd-stable), Christian Schwarz
In-Reply-To: <9b85246e8cf5dfb34ddbbaaec528a4a7@ijs.si>
References: <20161212193817.hjax5jo5leb7ryjr@csarch.Speedport_W_724V_01011603_00_008> <9b85246e8cf5dfb34ddbbaaec528a4a7@ijs.si>

I've already added support for sysvmsg, sysvsem, and sysvshm to iocage.
They all default to "new", which means you won't have to do anything
special in your jail config to make postgres work. You can find the patch
below. The only reason it hasn't been merged is because it can't (yet) be
made to work correctly on the develop branch of iocage. But it works fine
on the master branch.

https://github.com/iocage/iocage/pull/370

-Alan

On Tue, Dec 13, 2016 at 8:08 AM, Mark Martinec wrote:
> 2016-12-12 20:38, Christian Schwarz wrote:
>>
>> With the new jail parameters, new namespaces for SysV IPC are possible
>> on FreeBSD 11.
>>
>> For those ezjail users, add something like this to the jail's config
>> after creating it using 'ezjail-admin create':
>>
>> export jail_postgres_parameters="sysvmsg=new sysvsem=new sysvshm=new"
>>
>> Cheers,
>> Christian
>
> Thank you, this is it!
> I missed it in the JAIL(8) man page, and it is not mentioned in the release notes.
>
> Now if only iocage would recognize the sysvmsg, sysvsem, and sysvshm
> options:
>
> # iocage set sysvmsg='new' xxx
> ERROR: Unsupported property: sysvmsg!
>
> I guess I should file a bug report.
>
> Mark
>
>> man 8 jail
>>>
>>> ...
>>> allow.sysvipc
>>>     A process within the jail has access to System V IPC
>>>     primitives. This is deprecated in favor of the per-
>>>     module parameters (see below). When this parameter is
>>>     set, it is equivalent to setting sysvmsg, sysvsem, and
>>>     sysvshm all to ``inherit''.
>>> ...
>>>
>>> sysvmsg
>>>     Allow access to SYSV IPC message primitives. If set to
>>>     ``inherit'', all IPC objects on the system are visible to this
>>>     jail, whether they were created by the jail itself, the base
>>>     system, or other jails. If set to ``new'', the jail will have
>>>     its own key namespace, and can only see the objects that it has
>>>     created; the system (or parent jail) has access to the jail's
>>>     objects, but not to its keys. If set to ``disable'', the jail
>>>     cannot perform any sysvmsg-related system calls.
>>>
>>> sysvsem, sysvshm
>>>     Allow access to SYSV IPC semaphore and shared memory primitives,
>>>     in the same manner as sysvmsg.
>
>>>> Regarding installation of PostgreSQL in a FreeBSD jail, the web holds
>>>> plenty of warnings/advice that each postgres instance should have a
>>>> unique UID, otherwise they stumble across each other's feet:
>>>>
>>>> | allow.sysvipc
>>>> |     A process within the jail has access to System V IPC primitives. In the
>>>> |     current jail implementation, System V primitives share a single namespace
>>>> |     across the host and jail environments, meaning that processes within a jail
>>>> |     would be able to communicate with (and potentially interfere with) processes
>>>> |     outside of the jail, and in other jails.
>>>>
>>>> Is this still the case in FreeBSD 11.0 ???
>>>>
>>>> I remember hearing rumors that the System V namespace
>>>> no longer is (will?) be shared across jails.
>>>> (Couldn't find it being mentioned in release notes.)
>>>>
>>>> Mark
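As an added example (not part of the thread, and not code from iocage, ezjail or FreeBSD), here is a small POSIX sh audit of the per-module parameters the jail(8) excerpt above describes. It assumes that `jls -n name sysvmsg sysvsem sysvshm` prints one jail per line as space-separated `name=value` pairs, and it reports every jail whose `sysvmsg`, `sysvsem` or `sysvshm` is `inherit` (the shared key namespace the original question worried about) or not reported at all, since then the isolation cannot be confirmed. Only `new` and `disable` pass. The sample `jls` output embedded at the bottom is constructed.

```shell
#!/bin/sh
# Audit SysV IPC isolation of FreeBSD jails from `jls -n` style output.
# Added example; assumes `jls -n name sysvmsg sysvsem sysvshm` prints one
# jail per line as space-separated name=value pairs.

# audit_line LINE
# Prints "<jail>: <param>=<value> ..." for every parameter that is
# "inherit" (jail shares the IPC key namespace with the host and other
# jails) or absent from the line ("unset": isolation cannot be confirmed).
# Prints nothing when all three parameters are "new" or "disable".
audit_line() {
    _line=$1
    _name="" _msg="" _sem="" _shm=""
    for _kv in $_line; do
        case $_kv in
            name=*)    _name=${_kv#name=} ;;
            sysvmsg=*) _msg=${_kv#sysvmsg=} ;;
            sysvsem=*) _sem=${_kv#sysvsem=} ;;
            sysvshm=*) _shm=${_kv#sysvshm=} ;;
        esac
    done
    _findings=""
    for _p in sysvmsg sysvsem sysvshm; do
        case $_p in
            sysvmsg) _v=$_msg ;;
            sysvsem) _v=$_sem ;;
            sysvshm) _v=$_shm ;;
        esac
        case $_v in
            new|disable) ;;                                  # isolated: fine
            "")          _findings="$_findings $_p=unset" ;; # not reported
            *)           _findings="$_findings $_p=$_v" ;;   # inherit etc.
        esac
    done
    if [ -n "$_findings" ]; then
        printf '%s:%s\n' "$_name" "$_findings"
    fi
}

# audit_all
# Reads jls lines on stdin, prints one finding line per affected jail and
# returns 1 if any jail failed the check, 0 otherwise.
audit_all() {
    _rc=0
    while IFS= read -r _l; do
        [ -n "$_l" ] || continue
        _out=$(audit_line "$_l")
        if [ -n "$_out" ]; then
            echo "$_out"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample, as if produced by: jls -n name sysvmsg sysvsem sysvshm
SAMPLE='name=pg1 sysvmsg=new sysvsem=new sysvshm=new
name=pg2 sysvmsg=inherit sysvsem=inherit sysvshm=inherit
name=web sysvmsg=disable sysvsem=disable sysvshm=disable
name=legacy'

# Real use on a FreeBSD host:  jls -n name sysvmsg sysvsem sysvshm | audit_all
printf '%s\n' "$SAMPLE" | audit_all \
    || echo "one or more jails share the host SysV IPC key namespace"
```

On the sample above the script flags `pg2` (all three `inherit`) and `legacy` (parameters not reported) and leaves `pg1` and `web` alone; on a real host the `jls` pipeline in the last comment replaces the constructed sample.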