allow_sysvipc option #372
Comments
Thanks for clarification! So, allow.sysvipc=1 should be removed from CBSD on FreeBSD 11.0+.
Hmm, current CBSD behavior:
% jset mode=quiet jname=jail12 allow_sysvipc="inherit"
% cbsd makejconf jname=jail12 out=/tmp/out.txt
/tmp/out.txt :
Everything seems fine here? The only thing is that I did not make three parameters, and all are regulated by one option.
OK, I see. But this is obfuscating, I think, because "allow_sysvipc" is a fixed parameter in FreeBSD that is set in another way. And maybe someone wants to set different options for those three parameters. Perhaps you can make a submenu for that?
Yes, maybe it will be more correct.
Remove allow_sysvipc options (deprecated in all supported FreeBSD versions). Instead add sysvsem, sysvshm, sysvmsg options. Pointed out by ntinti, Issue #372
Your wish has been fulfilled ;)
Committed to ports tree: 12.0.4
FreeBSD version: 12.0p2
CBSD version: 12.0.4d
Are you sure "allow_sysvipc" is set up the right way in jail options (e.g. jcontrol-tui)?
IMHO it should be set to yes or no (1 or 0) and not inherit or new; those are for "sysvshm" and the others (see below).
From the FreeBSD Jail manpage:
allow.sysvipc
A process within the jail has access to System V IPC primitives. This is deprecated in favor of the per-module parameters (see below). When this parameter is set, it is equivalent to setting sysvmsg, sysvsem, and sysvshm all to "inherit".
Also it should not be used anymore:
from https://blog.tyk.nu/blog/freebsd-jails-and-sysv-ipc/ :
In FreeBSD 11 allow.sysvipc=1 is no longer recommended, instead three new permissions have been introduced:
sysvshm: Controls access to shared memory
sysvsem: Controls access to SYSV semaphores
sysvmsg: Controls access to SYSV message queues
Each of these can have three values:
disable: Disables access to this type of resource (default)
inherit: Makes the jail inherit the global SYSV namespace (the old behaviour, same as allow.sysvipc=1)
new: Creates a new separate SYSV namespace for this jail. This is what you want.
So the example above with a PostgreSQL jail which needs shared memory and semaphores I add sysvshm=new and sysvsem=new instead of allow.sysvipc=1 in FreeBSD 11 and beyond.
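An added example, not part of the issue thread or of CBSD's code: a small Python check that scans jail.conf text for the settings discussed above, namely allow.sysvipc being enabled or a sysv* parameter set to inherit. The sample configuration, the jail names and the `audit_sysv` helper are constructed for illustration, and the parser handles only simple top-level jail blocks.

```python
import re

SYSV_PARAMS = ("sysvshm", "sysvsem", "sysvmsg")

# Constructed sample jail.conf (jail names and paths are made up for this example).
SAMPLE = """
db {
    path = "/usr/jails/${name}";
    allow.sysvipc = 1;          /* pre-11 style */
}
pg {
    path = "/usr/jails/pg";
    sysvshm = new;
    sysvsem = new;
}
web {
    sysvmsg = "inherit";        // shares the host's message queues
    allow.nosysvipc;
}
"""

def audit_sysv(conf_text):
    """Return [(jail, parameter, finding)] for settings that share host SysV IPC."""
    # Simplified parser (an assumption of this example): strip comments and
    # ${var} references, then read top-level "name { ... }" blocks.
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    text = re.sub(r"(#|//).*", "", text)
    text = re.sub(r"\$\{[^}]*\}", "VAR", text)
    findings = []
    for jail, body in re.findall(r"([\w.*-]+)\s*\{(.*?)\}", text, flags=re.S):
        params = {}
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            key, _, value = stmt.partition("=")
            # A bare boolean such as "allow.sysvipc;" means true.
            params[key.strip()] = value.strip().strip("\"'") or "true"
        if params.get("allow.sysvipc", "false") not in ("0", "false"):
            # Per the man page excerpt: same as all three sysv* set to inherit.
            findings.append((jail, "allow.sysvipc", "deprecated"))
        for name in SYSV_PARAMS:
            if params.get(name) == "inherit":
                findings.append((jail, name, "inherit"))
    return findings

if __name__ == "__main__":
    for jail, param, finding in audit_sysv(SAMPLE):
        print(f"{jail}: {param} ({finding}): jail shares the host's System V IPC namespace")
```

Jails that need System V IPC, such as the PostgreSQL case quoted above, pass the check when they use sysvshm=new and sysvsem=new.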