SYSV IPC on jails with separate key namespace
James Gritton
jamie at freebsd.org
Thu Apr 21 17:18:17 UTC 2016
I've updated patch 48471
(https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471) which had a
patch to make jails work the way they should regarding SYSV IPC objects.
There's a new patch there, that does the same thing, but with some
different infrastructure around it.
With the patches (there are two), jails will work by default the same as
they do now: if allow.sysvipc is set, then all jails share the same IPC
namespace. If not, jails can't do anything with SYSV IPC. But there
are new parameters with more control: sysvmsg, sysvsem, and sysvshm.
Setting these to "disable" and "inherit" are the same as the old way of
doing things, but setting to "new" will create a jail that has its own
namespace for the SYSV IPC keys. The system can still see a jail's IPC
objects by their IDs, but the keys will belong only to the jail. And
jails won't be able to see each other's IPC, whether by key or by ID.
This is the full separation that has been missing from jails so far.
I plan to commit these patches pretty soon, to get into the 11 release.
I'd like some feedback first if anyone wants to try them out, but
barring that I'll accept my feedback after I commit :-). They work at
least for some simple test cases, but I don't have anything handy that
actually makes significant use of SYSV IPC and I know that others do and
have been waiting to see something like this.
- Jamie
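As an added illustration (not from the post or the patch itself) of the parameters described above, here is a jail.conf(5) fragment contrasting the old shared-namespace behaviour with the new per-jail namespace. Paths, hostnames and addresses are constructed placeholders.

```conf
# Shared defaults for both jails (constructed values).
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Legacy behaviour: allow.sysvipc puts this jail in the host's single
# SYSV IPC key namespace, so it can see (and attach to) IPC objects that
# other jails and the host create.
legacy {
    path = "/jails/legacy";
    host.hostname = "legacy.example.invalid";
    ip4.addr = 192.0.2.10;
    allow.sysvipc;
}

# Isolated behaviour: "new" gives this jail its own key namespace for
# message queues, semaphores and shared memory. Other jails cannot see
# these objects by key or by ID; the host can still reach them by ID.
isolated {
    path = "/jails/isolated";
    host.hostname = "isolated.example.invalid";
    ip4.addr = 192.0.2.11;
    sysvmsg = new;
    sysvsem = new;
    sysvshm = new;
}
```

Leaving a parameter at "disable" (or setting "inherit") keeps the pre-patch behaviour for that IPC type, so the three can be mixed if only one type needs isolation.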