Date: Wed, 25 Jun 2003 19:46:27 +0400 From: Dmitry Sivachenko <demon@FreeBSD.org> To: Pawel Jakub Dawidek <nick@garage.freebsd.pl> Cc: freebsd-arch@FreeBSD.org Subject: Re: Jailed sysvipc implementation. Message-ID: <20030625154627.GA35011@fling-wing.demos.su> In-Reply-To: <20030625153153.GO7587@garage.freebsd.pl> References: <20030624164602.GW7587@garage.freebsd.pl> <20030625135106.GA19868@fling-wing.demos.su> <20030625140518.GA23435@fling-wing.demos.su> <20030625144849.GJ7587@garage.freebsd.pl> <20030625145233.GA28322@fling-wing.demos.su> <20030625150221.GL7587@garage.freebsd.pl> <20030625152119.GA31396@fling-wing.demos.su> <20030625153153.GO7587@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 25, 2003 at 05:31:53PM +0200, Pawel Jakub Dawidek wrote: > On Wed, Jun 25, 2003 at 07:21:19PM +0400, Dmitry Sivachenko wrote: > +> > +> > But you got still *one* memory zones for every jail and main host. > +> > +> > +> > +> Yes, that is exactly what I want. > +> > +> This is similar to separate IP stack for each jail: this is more powerful > +> > +> solution, but more expensive (uses more kernel memory). > +> > > +> > But note that my implementation allocates memory "on demand". > +> > +> This is part of the problem: with single memory zone for all jails, > +> less memory is allocated. With private memory zones, if m jails use IPC, > +> you need to allocate m*M kbytes (for some value of M you consider > +> sufficient for one jail). > +> > +> With one memory zone for all jails, it is enough to allocate N kbytes where > +> M < N < m*M, because every jail will not use all M kbytes at the same time. > > Of course, but please. We could start wondering if struct prison in every > ucred struct don't consume to much memory. Of course we allocate more memory, Common sence is your friend. > but if we want to run for example two instants of postgresql in two > diffrent jails? I propose to add additional checks for p->p_prison. If two different users (with different UIDs) can use IPC, then it is simple to allow processes from different jails to use it too (and do not interfere with each other). > > But ok, it will be good compromise to add sysctl security.jail.privipc IMHO. > So we could turn this feature on if it is needed. What is your opinion? > My point of view is that allowing jailed processes to safely use single memory zone is simple and sufficient solution.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030625154627.GA35011>