
List:       freebsd-hackers
Subject:    Re: How to implement jail-aware SysV IPC (with my nasty patch)
From:       Alfred Perlstein <alfred () freebsd ! org>
Date:       2015-06-12 2:15:10
Message-ID: 557A40AE.3010804 () freebsd ! org

Thank you!

On 6/11/15 7:04 PM, kikuchan@uranus.dti.ne.jp wrote:
> Thank you for your reply!
> 
> Just appended, is this OK?
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471
> 
> 
> On Thu, 11 Jun 2015 18:24:43 -0700, Alfred Perlstein <alfred@freebsd.org> wrote:
> > Can a bugzilla or github request please be made for this so that it 
> > doesn't get lost?
> > 
> > thank you,
> > -Alfred
> > 
> > On 6/11/15 6:17 PM, kikuchan@uranus.dti.ne.jp wrote:
> > > Hello,
> > > 
> > > I'm (still) trying to figure out how jail-aware SysV IPC mechanism should be.
> > > 
> > > I want to run PostgreSQL in each jail without changing UID for each jail.
> > > If you don't change the UID for each jail, it doesn't work due to IPC object
> > > conflicts between jails. See also:
> > > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471
> > > http://www.freebsddiary.org/jail-multiple.php
> > > https://wiki.freebsd.org/Jails
> > > https://forums.freebsd.org/threads/postgresql-in-jail.51528/
> > > 
> > > There is a patch for 4.7-STABLE on bugzilla (see above) that solves the problem by
> > > completely separating the namespace for each jail in the kernel, but I couldn't find
> > > any (other) implementation that works on recent FreeBSD. I've also tried to
> > > rewrite the patch for recent FreeBSD, but I couldn't do it properly due to
> > > my limited kernel knowledge ;(
> > > Anyway, I created (and updated) a patch that tries to solve the problem by simply
> > > separating the IPC key_t space for each jail. The attached patch can be applied to
> > > 10-STABLE (or CURRENT?).
> > > After the patch is applied:
> > > - IPC objects created in a parent jail are invisible to its children.
> > > - IPC objects created in neighbouring jails are also invisible to each other.
> > > - IPC objects created in a child jail are VISIBLE from the parent.
> > > - IPC key_t spaces are separated between jails. If you see a key_t-named
> > > object from the parent, it's shown as IPC_PRIVATE.
> > > I chose this design for the feature; however, I'm not sure it is the right design
> > > for jail-aware IPC. If you prefer the completely separated namespace approach,
> > > that's OK. I want to focus on how the IPC mechanism deals with the hierarchical
> > > jail system.
> > > So I need more feedback. Could you help me please?
> > > You can dig and play with ipcs(1)/ipcrm(1) to see what happened in each jail.
> > > 
> > > Thanks.
> > > 
> > > --
> > > Kikuchan
> > > 
> > > 
> > > _______________________________________________
> > > freebsd-hackers@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> > > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"

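A user-space model of the visibility rules Kikuchan lists in the quoted message, added here as an illustration; it is not the patch itself nor any FreeBSD code, and the jail tree, the object table and the key values in it are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/ipc.h>

/* Jail tree (constructed): index is the jail id, value is its parent, -1 marks
 * the host. Jails 1 and 2 are children of the host; jail 3 is a child of 1. */
#define NJAILS 4
static const int jail_parent[NJAILS] = { -1, 0, 0, 1 };

struct ipc_obj { int id; key_t key; int creator; };

/* Constructed objects: the host and both of its children each created a segment
 * with the SAME key, which is the collision that breaks one PostgreSQL per jail. */
#define DEMO_NOBJS 4
static const struct ipc_obj demo_objs[DEMO_NOBJS] = {
    { 1, 0x5432, 1 }, { 2, 0x5432, 2 }, { 3, 0x5432, 0 }, { 4, 0x1234, 3 },
};

/* true when 'anc' is jail 'j' itself or one of j's ancestors */
static bool jail_is_ancestor_or_self(int anc, int j) {
    for (; j >= 0; j = jail_parent[j])
        if (j == anc) return true;
    return false;
}

/* Visible from 'viewer' iff viewer is the creating jail or an ancestor of it:
 * children see nothing from parents, siblings see nothing from each other. */
static bool ipc_visible(const struct ipc_obj *o, int viewer) {
    return jail_is_ancestor_or_self(viewer, o->creator);
}

/* Key as ipcs(1) would show it from 'viewer': the real key only inside the
 * creating jail's own key_t space, IPC_PRIVATE from any ancestor jail. */
static key_t ipc_key_as_seen(const struct ipc_obj *o, int viewer) {
    return o->creator == viewer ? o->key : IPC_PRIVATE;
}

/* Key lookup stays within one jail's key_t space, so equal keys in different
 * jails no longer collide; returns NULL when the jail holds no such key. */
static const struct ipc_obj *ipc_find_by_key(key_t key, int jail) {
    for (size_t i = 0; i < DEMO_NOBJS; i++)
        if (key != IPC_PRIVATE && demo_objs[i].creator == jail &&
            demo_objs[i].key == key)
            return &demo_objs[i];
    return NULL;
}
```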

