sysvipc in jails + CURRENT

Boris Samorodov bsam at ipt.ru
Thu Jun 4 14:08:59 UTC 2009


On Wed, 03 Jun 2009 13:05:03 +0200 Henrik Lidström wrote:

> Quoting "Bjoern A. Zeeb" <bz at zabbadoz.net>:

> > On Sun, 31 May 2009, Boris Samorodov wrote:
> >
> > Hi,
> >
> >> has something changed at CURRENT with sysvipc jail handling?
> >> This jail has been working fine for almost a year.
> >>
> >> I've upgraded CURRENT to yesterday's sources and can't start
> >> postgresql in a jail anymore:
> >> ----- the jail -----
> >> % tail -2 /var/log/messages
> >> May 31 18:22:47 pg postgres[55425]: [1-1] FATAL:  could not create
> >> shared memory segment: Function not implemented
> >> May 31 18:22:47 pg postgres[55425]: [1-2] DETAIL:  Failed system
> >> call was shmget(key=5432001, size=30384128, 03600).
> >> % sysctl security.jail.sysvipc_allowed
> >> security.jail.sysvipc_allowed: 0
> >> % grep sysvipc /etc/sysctl.conf
> >> security.jail.sysvipc_allowed=1
> >> ----- the host -----
> >> % uname -a
> >> FreeBSD tba.bsam.ru 8.0-CURRENT FreeBSD 8.0-CURRENT #0: Sun May 31
> >> 11:28:31 MSD 2009     root at tba.bsam.ru:/usr/obj/usr/src/sys/TBA
> >> amd64
> >> % sysctl security.jail.sysvipc_allowed
> >> security.jail.sysvipc_allowed: 1
> >> -----
> >
> > I'll look into that; possibly the default option is not properly taken
> > into account for the new jail framework.
> >
> > /bz
> >
> > -- 
> > Bjoern A. Zeeb                      The greatest risk is not taking one.

> Somehow I can't email the mailing list (it doesn't show up), so I send
> directly to you.

> I also noticed the problem with security.jail.sysvipc_allowed as above.
> Also noticed that from a jail I now can see all filesystems (and that
> jls -v is broken, probably a problem with cpuset?).

> EXTBSD02-PROD# uname -a
> FreeBSD EXTBSD02-PROD.digidoc.com 8.0-CURRENT FreeBSD 8.0-CURRENT #6:
> Tue Jun  2 10:05:40 CEST 2009
> root at EXTBSD02-PROD.digidoc.com:/data01/obj/usr/src/sys/EXTBSD02  i386

> EXTBSD02-PROD# jls -v
> jls: unknown parameter: cpuset
> EXTBSD02-PROD#

> EXTBSD02-PROD# jls
>    JID  IP Address      Hostname                      Path
>      1  195.67.11.41    INTDB01-PROD                  /data00/jails/INTDB01-PROD
>      2  195.67.11.9     INTLOG01-PROD.digidoc.com     /data00/jails/INTLOG01-PROD
>      3  62.20.119.164   EXTNS01-PROD                  /data00/jails/EXTNS01-PROD
>      4  62.20.119.230   PROXY03.digidoc.com           /data00/jails/PROXY03
> EXTBSD02-PROD# jexec 1 /bin/csh
> You have mail.
> INTDB01-PROD# mount -v
> /dev/da0s1a on / (ufs, local)
> devfs on /dev (devfs, local)
> /dev/da0s1e on /tmp (ufs, local, soft-updates)
> /dev/da0s1f on /usr (ufs, local, noatime, soft-updates)
> /dev/da0s1d on /var (ufs, local, noatime, soft-updates)
> /dev/da0s2a on /data00 (ufs, local, noatime, soft-updates)
> /dev/da1s1d on /data01 (ufs, local, noatime, soft-updates)
> tmpfs on /data00/jails/PROXY03/usr/local/squid/scan_dir (tmpfs, local)
> /data01/data/ports on /data00/jails/EXTNS01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTDB01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTLOG01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/INTSIM01-PROD/usr/ports (nullfs, local, noatime)
> /data01/data/ports on /data00/jails/PROXY03/usr/ports (nullfs, local, noatime)
> /data01/backup/INTDB01PROD/databases on /data00/jails/INTDB01-PROD/usr/backup (nullfs, local, noatime)
> devfs on /data00/jails/INTDB01-PROD/dev (devfs, local)
> procfs on /data00/jails/INTDB01-PROD/proc (procfs, local)
> devfs on /data00/jails/INTLOG01-PROD/dev (devfs, local)
> procfs on /data00/jails/INTLOG01-PROD/proc (procfs, local)
> devfs on /data00/jails/EXTNS01-PROD/dev (devfs, local)
> procfs on /data00/jails/EXTNS01-PROD/proc (procfs, local)
> devfs on /data00/jails/PROXY03/dev (devfs, local)
> procfs on /data00/jails/PROXY03/proc (procfs, local)
> INTDB01-PROD#

There is definitely some inconsistency. JAIL(8) on recent
CURRENT talks about security.jail.param.allow.sysvipc, and
it is listed via "sysctl -d security.jail.param". But it seems
not to be used:
----- at the jail -----
# sysctl security.jail.param.allow.sysvipc
#
-----


WBR
-- 
Boris Samorodov (bsam)
Research Engineer, http://www.ipt.ru Telephone & Internet SP
FreeBSD Committer, http://www.FreeBSD.org The Power To Serve
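The postgres failure quoted above is shmget(2) returning ENOSYS ("Function not implemented"), which is how a jail without SysV IPC permission reports the call. The probe below is an added example, not code from this thread or from FreeBSD; it distinguishes that jail-policy denial from other shmget failures so an operator can tell "allow.sysvipc is off" apart from a resource or argument problem. It assumes a POSIX system with SysV shared memory headers and uses no identifiers beyond the standard shmget/shmctl API.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Outcome of probing SysV shared memory from the current context. */
enum sysv_probe {
    SYSV_OK = 0,      /* shmget succeeded; the segment was created and removed */
    SYSV_DENIED = 1,  /* ENOSYS: SysV IPC is not permitted here (jail policy) */
    SYSV_OTHER = 2    /* any other error (EINVAL, ENOMEM, ENOSPC, ...) */
};

/* Map an errno value from shmget(2) onto a probe outcome. Kept separate
 * from the syscall so the classification can be tested on its own. */
enum sysv_probe classify_shmget_errno(int err)
{
    if (err == 0)
        return SYSV_OK;
    if (err == ENOSYS)
        return SYSV_DENIED;
    return SYSV_OTHER;
}

/* Create a private segment of `size` bytes, classify the result, and
 * remove the segment again so the probe leaves nothing behind. */
enum sysv_probe probe_sysv_shm(size_t size)
{
    int id = shmget(IPC_PRIVATE, size, IPC_CREAT | 0600);
    if (id == -1)
        return classify_shmget_errno(errno);
    /* Nothing is attached, so IPC_RMID frees the segment immediately. */
    (void)shmctl(id, IPC_RMID, NULL);
    return SYSV_OK;
}

int main(void)
{
    enum sysv_probe r = probe_sysv_shm(4096);
    int saved = errno;   /* errno is only meaningful when shmget failed */

    if (r == SYSV_OK)
        puts("SysV shared memory: available");
    else if (r == SYSV_DENIED)
        puts("SysV shared memory: denied by jail policy (ENOSYS); "
             "check the jail's allow.sysvipc setting on the host");
    else
        printf("SysV shared memory: shmget failed: %s\n", strerror(saved));
    return r == SYSV_OK ? 0 : 1;
}
```

Run it inside the affected jail and on the host: a DENIED result inside the jail alongside OK on the host reproduces the mismatch the thread describes without needing postgres.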

