
allow_sysvipc option #372

Closed
ntinti opened this issue Jan 15, 2019 · 6 comments
@ntinti ntinti commented Jan 15, 2019

FreeBSD version: 12.0p2
CBSD version: 12.0.4d

Are you sure "allow_sysvipc" is set up the right way in the jail options (jcontrol-tui, e.g.)?
IMHO it should be set to yes or no (1 or 0) and not inherit or new; those values are for "sysvshm" and the others (see below).
From the FreeBSD Jail manpage:
allow.sysvipc
A process within the jail has access to System V IPC primitives. This is deprecated in favor of the per-module parameters (see below). When this parameter is set, it is equivalent to setting sysvmsg, sysvsem, and sysvshm all to ``inherit''.

Also it should not be used anymore:
from https://blog.tyk.nu/blog/freebsd-jails-and-sysv-ipc/ :

In FreeBSD 11 allow.sysvipc=1 is no longer recommended; instead three new permissions have been introduced:

sysvshm: Controls access to shared memory
sysvsem: Controls access to SYSV semaphores
sysvmsg: Controls access to SYSV message queues
Each of these can have three values:

disable: Disables access to this type of resource (default)
inherit: Makes the jail inherit the global SYSV namespace (the old behaviour, same as allow.sysvipc=1)
new: Creates a new separate SYSV namespace for this jail. This is what you want.
So for the example above with a PostgreSQL jail which needs shared memory and semaphores, I add sysvshm=new and sysvsem=new instead of allow.sysvipc=1 in FreeBSD 11 and beyond.
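The mapping the quoted blog describes, as an added example that is not part of this issue or of CBSD: a POSIX sh script that emits the three per-module lines equivalent to a legacy allow.sysvipc value, and audits a jail.conf fragment for jails that still share the host's System V IPC namespace (allow.sysvipc=1 or any module set to "inherit"). The jail names, paths and both config fragments are constructed for the example.

```sh
#!/bin/sh
# Added example, not from CBSD or this issue: map a legacy allow.sysvipc
# value to the per-module parameters and audit a jail.conf fragment.

# Constructed sample configs (assumed jail name and path).
LEGACY_CONF='pgsql {
    path = "/usr/jails/pgsql";
    allow.sysvipc = 1;
}'
ISOLATED_CONF='pgsql {
    path = "/usr/jails/pgsql";
    sysvshm = "new";
    sysvsem = "new";
    sysvmsg = "disable";
}'

# sysvipc_from_legacy VALUE
# Print the three per-module lines equivalent to allow.sysvipc=VALUE
# (1 -> inherit, 0 -> disable); the CBSD-style words are accepted too.
# Returns 1 for a value that is not recognised.
sysvipc_from_legacy() {
    case "$1" in
        1|inherit) mode=inherit ;;
        0|disable) mode=disable ;;
        new)       mode=new ;;
        *) printf 'unknown allow.sysvipc value: %s\n' "$1" >&2; return 1 ;;
    esac
    for p in sysvsem sysvshm sysvmsg; do
        printf '%s = "%s";\n' "$p" "$mode"
    done
}

# audit_jail_conf CONF_TEXT
# Return 0 when no jail uses allow.sysvipc=1 or an "inherit" module
# (both hand the jail the host's SysV namespace); otherwise print each
# offending line and return 1.
audit_jail_conf() {
    printf '%s\n' "$1" | awk '
        /allow\.sysvipc[ \t]*=[ \t]*1/ {
            bad++; print "deprecated allow.sysvipc=1: " $0 }
        /sysv(sem|shm|msg)[ \t]*=[ \t]*"?inherit"?/ {
            bad++; print "shared SysV namespace: " $0 }
        END { if (bad) exit 1; exit 0 }'
}

# Stand-alone run: show the replacement lines, then audit both configs.
sysvipc_from_legacy 1
audit_jail_conf "$LEGACY_CONF" || echo "legacy config: shares host IPC"
audit_jail_conf "$ISOLATED_CONF" && echo "isolated config: OK"
```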

@olevole olevole self-assigned this Jan 15, 2019
@olevole olevole commented Jan 15, 2019

Thanks for the clarification! So, allow.sysvipc=1 should be removed from CBSD on FreeBSD 11.0+.
Considering that FreeBSD versions <10 are already EoL, it seems we can remove it completely.

@olevole olevole commented Jan 15, 2019

Hmm, current CBSD behavior:

% jset mode=quiet jname=jail12 allow_sysvipc="inherit"
allow_sysvipc: inherit

% cbsd makejconf jname=jail12 out=/tmp/out.txt

/tmp/out.txt :

sysvsem = "inherit";
sysvmsg = "inherit";
sysvmsg = "inherit";

% jset mode=quiet jname=jail12 allow_sysvipc="inherit"
allow_sysvipc: new

% cbsd makejconf jname=jail12 out=/tmp/out.txt

/tmp/out.txt :

sysvsem = "new";
sysvshm = "new";
sysvmsg = "new";

Everything seems fine here? The only thing is that I did not make three parameters; all are regulated by one option.

@ntinti ntinti commented Jan 15, 2019

OK, I see. But this is obfuscating, I think, because "allow_sysvipc" is a fixed parameter in FreeBSD that is set in another way. And maybe someone wants to set different options for those three parameters. Perhaps you can make a submenu for that?

@olevole olevole commented Jan 15, 2019

Yes, maybe that would be more correct.

olevole added a commit that referenced this issue Jan 20, 2019
remove allow_sysvipc option (deprecated in all supported FreeBSD versions)
Instead add sysvsem, sysvshm, sysvmsg options.

Pointed by ntinti, Issue #372
@olevole olevole commented Jan 20, 2019

Your wish has been fulfilled ;)
waiting for more...

@olevole olevole closed this Jan 20, 2019
@olevole olevole commented Feb 16, 2019

committed to ports tree: 12.0.4
