How to implement jail-aware SysV IPC (with my nasty patch)

Alfred Perlstein alfred at freebsd.org
Fri Jun 12 01:23:19 UTC 2015


Can a bugzilla or github request please be made for this so that it 
doesn't get lost?

thank you,
-Alfred

On 6/11/15 6:17 PM, kikuchan at uranus.dti.ne.jp wrote:
> Hello,
>
> I'm (still) trying to figure out how a jail-aware SysV IPC mechanism should be.
>
> I want to run PostgreSQL in each jail without changing UID for each jail.
> If you don't change UID on each jail, it doesn't work due to IPC object conflicts between jails.
> See also:
>    https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471
>    http://www.freebsddiary.org/jail-multiple.php
>    https://wiki.freebsd.org/Jails
>    https://forums.freebsd.org/threads/postgresql-in-jail.51528/
>
> There is a patch for 4.7-STABLE on bugzilla (see above) to solve the problem by completely separating namespace for each jail in kernel,
> but I couldn't find any (other) implementation that works on recent FreeBSD.
> I've also tried to re-write the patch for recent FreeBSD, but I couldn't make it properly due to my limited kernel knowledge ;(
>
> Anyway, I created (and updated) a patch to try to solve the problem by simply separating IPC key_t space for each jail.
> The attached patch can be applied to 10-STABLE (or CURRENT?).
>
> After the patch is applied:
> - IPC objects created on parent jail are invisible to children.
> - IPC objects created on neighbor jails are also invisible to each other.
> - IPC objects created on child jail are VISIBLE from parent.
> - IPC key_t spaces are separated between jails. If you see the key_t named object from parent, it's shown as IPC_PRIVATE.
>
> I chose this design of feature; however, I'm not sure this is the right design for jail-aware IPC.
> If you prefer the completely separated namespace approach, it's ok. I want to focus on how the IPC mechanism deals with hierarchical jail system.
>
> So I need more feedback. Could you help me please?
> You can dig and play with ipcs(1)/ipcrm(1) to see what happened on each jail.
>
> Thanks.
>
> --
> Kikuchan

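The four visibility rules listed in the quoted message can be modelled in userland C as below. This is an added example, not the attached patch and not FreeBSD kernel code: the struct names, `MODEL_IPC_PRIVATE`, the sample jails and keys are all constructed. It assumes "visible from parent" extends to every ancestor, and reads "key_t spaces are separated" as meaning a lookup by key only matches objects created in the caller's own jail.

```c
#include <stddef.h>
#include <stdio.h>
#define MODEL_IPC_PRIVATE 0L            /* stand-in for IPC_PRIVATE (assumption) */

struct jail    { const char *name; const struct jail *parent; }; /* NULL parent: host */
struct ipc_obj { long key; const struct jail *owner; };          /* owner: creating jail */

/* Constructed sample: host > A > A1 and host > B; A and B reuse the same key. */
static const struct jail host = { "host", NULL }, jail_a = { "A", &host },
                         jail_b = { "B", &host }, jail_a1 = { "A1", &jail_a };
static const struct ipc_obj objs[] = {
    { 5432001L, &jail_a }, { 5432001L, &jail_b }, { 77L, &jail_a1 }, { 99L, &host },
};
#define NOBJS (sizeof(objs) / sizeof(objs[0]))

/* 1 if j is anc itself or nested anywhere below it. */
static int jail_within(const struct jail *j, const struct jail *anc) {
    for (; j != NULL; j = j->parent)
        if (j == anc) return 1;
    return 0;
}

/* Visible only when the object was created in the viewer's jail or a descendant. */
int ipc_visible(const struct jail *viewer, const struct ipc_obj *o) {
    return jail_within(o->owner, viewer);
}

/* Key as listed to the viewer: the real key only inside the owning jail. */
long ipc_shown_key(const struct jail *viewer, const struct ipc_obj *o) {
    return o->owner == viewer ? o->key : MODEL_IPC_PRIVATE;
}

/* Lookup by key matches only objects owned by the caller's own jail. */
const struct ipc_obj *ipc_lookup(const struct jail *caller, long key) {
    for (size_t i = 0; key != MODEL_IPC_PRIVATE && i < NOBJS; i++)
        if (objs[i].owner == caller && objs[i].key == key)
            return &objs[i];
    return NULL;
}

int main(void) {
    const struct jail *v[] = { &host, &jail_a, &jail_b, &jail_a1 };
    for (size_t i = 0; i < 4; i++)          /* per-jail listing, like ipcs(1) */
        for (size_t k = 0; k < NOBJS; k++)
            if (ipc_visible(v[i], &objs[k]))
                printf("%s sees key %ld (owner %s)\n", v[i]->name,
                       ipc_shown_key(v[i], &objs[k]), objs[k].owner->name);
    return 0;
}
```

In this model the host lists all four objects but sees the jails' keys as IPC_PRIVATE, so two jails using the same key never collide and the host cannot attach to either by key.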

