/etc/jail.conf for automatically started jails listed in /etc/rc.conf

Joe fbsd8 at a1poweruser.com
Tue May 14 13:20:16 UTC 2013


David Demelier wrote:
> 2013/5/14 Joe <fbsd8 at a1poweruser.com>:
>> David Demelier wrote:
>>> On Monday, 13 May 2013 at 16:32:01, Joe wrote:
>>>> David Demelier wrote:
>>>>> Hello dear,
>>>>>
>>>>> Does jail.conf(5) not work for jails listed in rc.conf?
>>>>>
>>>>> I've added in /etc/jail.conf:
>>>>>
>>>>> foo {
>>>>>
>>>>>     hostname=Foo;
>>>>>     path=/jails/foo;
>>>>>     allow.sysvipc=1;
>>>>>
>>>>> }
>>>>>
>>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try
>>>>> to start the jail it still complains about a missing hostname.
>>>>>
>>>>> Regards,
>>>> There are 2 methods for configuring jails.
>>>>
>>>> The legacy method, in which you put the jail config statements in the
>>>> host's /etc/rc.conf file; start and stop control is done by the host's
>>>> /etc/rc.d/jail script at boot time.
>>>>
>>>> The jail(8) method, which has its own jail config statements in the
>>>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>>>> stopping. You can create a jail.conf file for each jail(8) and start it
>>>> using jail -c -f "/etc/jailname.jail.conf" and stop it by issuing
>>>> jail -f "/etc/jailname.jail.conf" -r jailname
>>>>
>>>> You cannot mix the 2 methods.
>>>
>>> My real problem is that I wanted to add allow.sysvipc only for *one* jail
>>> and I can't find a real solution by jail_* flags in /etc/rc.conf
>>>
>>> There is jail_allow_sysvipc but it enables it for all jails.
>>>
>>>
>>
>> The jail(8) method does have an allow_sysvipc on a per-jail basis. To use it
>> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
>> in process to incorporate the jail(8) parameters into the rc.conf config
>> statements.
>>
>> About the allow_sysvipc parameter, this breaks the security the jail is
>> designed to provide and should NOT be used on any jails having public
>> internet access.
>>
>> What are you trying to do that you think you need to use the allow_sysvipc
>> parameter?
>>
> 
> PostgreSQL, usually I install it on the host instead of jails, but I
> needed a second instance on a different port for public access.
> 
> Regards,
> 
> --
> Demelier David
> 
> 
That all sounds logical and is what jails are designed to do.
Why would running PostgreSQL in a jail need sysvipc?
Have you tried it? Did you get some PostgreSQL error?
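The per-jail allow.sysvipc setting discussed above exists only in the jail(8)-style jail.conf, and Joe's point is that it should not be enabled on jails exposed to the internet. As an added example, not part of this thread, the sh/awk check below reads a jail.conf in that format and reports which jails enable the parameter; the second jail "bar", its hostname and its path are constructed sample values.

```sh
# Added example, not from the thread: audit a jail(8)-style jail.conf and
# list the jails that enable allow.sysvipc, the parameter Joe warns should
# stay off for jails with public internet access.

# Constructed sample jail.conf: "foo" is the jail from the thread, "bar" is
# a constructed second jail that leaves allow.sysvipc at its default (off).
SAMPLE_CONF='
# per-jail parameters; anything outside a block would be a default
foo {
    hostname = Foo;
    path = /jails/foo;
    allow.sysvipc = 1;
}

bar {
    hostname = Bar;
    path = /jails/bar;
}
'

# sysvipc_jails CONF_TEXT: print one jail name per line for every block
# that enables allow.sysvipc ("allow.sysvipc;" alone or "= 1/true/yes").
# Comments are stripped first; "allow.nosysvipc" does not match.
sysvipc_jails() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/ {   # "name {" opens a block
            name = $1; sub(/[{].*/, "", name)
            inblock = 1; next
        }
        /^[[:space:]]*[}]/ { inblock = 0; next }          # "}" closes it
        inblock && /allow\.sysvipc/ {
            line = $0; gsub(/[[:space:];]/, "", line)     # "a = 1;" -> "a=1"
            if (line == "allow.sysvipc" || line ~ /=(1|true|yes)$/) print name
        }
    '
}

# audit_sysvipc CONF_TEXT: human-readable summary of the findings.
audit_sysvipc() {
    found=$(sysvipc_jails "$1")
    if [ -n "$found" ]; then
        printf 'allow.sysvipc enabled in: %s\n' "$found"
    else
        echo 'no jail enables allow.sysvipc'
    fi
}

audit_sysvipc "$SAMPLE_CONF"
```

Run it against the real file with `audit_sysvipc "$(cat /etc/jail.conf)"` to see which jails on a host carry the setting.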
