Date: Thu, 21 Apr 2016 11:18:07 -0600
From: James Gritton <jamie@freebsd.org>
To: freebsd-jail@FreeBSD.org
Subject: SYSV IPC on jails with separate key namespace
Message-ID: <1c8ef6ff0a3a718d47d94abbcd861fe1@gritton.org>
I've updated patch 48471 (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471) which had a patch to make jails work the way they should regarding SYSV IPC objects. There's a new patch there, that does the same thing, but with some different infrastructure around it.

With the patches (there are two), jails will work by default the same as they do now: if allow.sysvipc is set, then all jails share the same IPC namespace. If not, jails can't do anything with SYSV IPC. But there are new parameters with more control: sysvmsg, sysvsem, and sysvshm. Setting these to "disable" and "inherit" is the same as the old way of doing things, but setting them to "new" will create a jail that has its own namespace for the SYSV IPC keys. The system can still see a jail's IPC objects by their IDs, but the keys will belong only to the jail. And jails won't be able to see each other's IPC, whether by key or by ID. This is the full separation that has been missing from jails so far.

I plan to commit these patches pretty soon, to get into the 11 release. I'd like some feedback first if anyone wants to try them out, but barring that I'll accept my feedback after I commit :-). They work at least for some simple test cases, but I don't have anything handy that actually makes significant use of SYSV IPC, and I know that others do and have been waiting to see something like this.

- Jamie
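As an added example (not part of Jamie's message and not taken from the patch itself), a jail.conf fragment that puts the old shared-namespace setting beside the per-jail key namespace the message describes. The parameter names (sysvmsg, sysvsem, sysvshm) and their values (disable, inherit, new) are those the message gives; the jail names, paths and the assumption that jail.conf accepts the values as quoted strings are mine.

```conf
# /etc/jail.conf (constructed example; jail names and paths are placeholders)
path = "/jails/$name";
host.hostname = "$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Old behaviour: every jail with allow.sysvipc shares one IPC namespace with
# the host. A key chosen in "legacy" collides with the same key on the host
# or in any other jail that also sets allow.sysvipc, and the objects are
# visible (by key and by ID) across all of them.
legacy {
    allow.sysvipc;
}

# Same as the old behaviour, spelled with the new parameters: the message
# says "inherit" is equivalent to the old way of doing things.
shared {
    sysvmsg = "inherit";
    sysvsem = "inherit";
    sysvshm = "inherit";
}

# New behaviour: the jail gets its own key namespace for all three object
# types. Per the message, the host can still reach the jail's objects by
# ID, but other jails cannot see them by key or by ID.
isolated {
    sysvmsg = "new";
    sysvsem = "new";
    sysvshm = "new";
}

# Explicit form of the default: no SysV IPC at all inside the jail, which
# the message says is the same as leaving allow.sysvipc unset.
none {
    sysvmsg = "disable";
    sysvsem = "disable";
    sysvshm = "disable";
}
```

A quick check after `jail -c isolated shared`: create a segment from inside `isolated` (any program calling shmget with a fixed key), then compare `jexec isolated ipcs -m`, `jexec shared ipcs -m` and `ipcs -m` on the host. According to the message the segment should appear in the first and third listings but not the second, and a second program in `shared` using the same key should get its own, unrelated segment rather than the one created in `isolated`.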