Jail + sysv shmem

Koen Martens fbsd at metro.cx
Sun Nov 28 12:03:33 PST 2004 

On Sun, Nov 28, 2004 at 12:00:58PM +0000, freebsd-hackers-request at freebsd.org wrote:
> From: Justin Hopper <jhopper at bsdhosting.net>
> 
> I know that Pawel @ http://garage.freebsd.pl has a patch for making
> private SysV IPC memory spaces for the host system and each jail:
> 
> http://garage.freebsd.pl/privipc.README
> 
> The patch is against 4.x though, and I've never tried it.  I would
> really like to see something like this implemented for 5.x though.  Does
> anyone know if there are plans to implement this in the future 5.x
> releases?  If not, I would be interested in helping anyone that wishes
> to try implementing this in 5.3 soon, as we have a lot of clients who
> ask for SysV IPC inside of jailed hosting environments.

Interesting, I will download that and see if it is of any help in my
effort to implementing this in freebsd 5.x. Thanks for the pointer.

> ------------------------------
> 
> Date: Sun, 28 Nov 2004 18:21:06 +1100
> From: Peter Jeremy <PeterJeremy at optushome.com.au>
> 
> The sysadmin is likely to need access to:
> 1) look at SysV IPC usage across the entire system
> 2) clean up after a process has died unexpectedly.
> 
> Whilst it's possible for the sysadmin to enter the relevant jail and
> look at what is used in that jail, it's very difficult to get an
> overall view of the system in this way - especially if there are lots
> of jails.

Hmm, there is a trade-off: ease of maintenance vs security. I personally
would not want to have the host system to have access to the jail
systems by IPC. It seems reasonable to make this a sysctl (which can
only be set at boot time).

> Robert Watson was also looking into this recently.

I had some contact with him a while back, about his jailng project.
However, that has been abandonded afaik. How recently have you heard him
talk about this?


Kind regards,

Koen Martens


-- 
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

More information about the freebsd-hackers mailing list