Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow_sysvipc option #372

Closed
ntinti opened this issue Jan 15, 2019 · 6 comments
Closed

allow_sysvipc option #372

ntinti opened this issue Jan 15, 2019 · 6 comments
Assignees
@olevole

Comments

@ntinti
Copy link

ntinti commented Jan 15, 2019

FreeBSD version: 12.0p2
CBSD version: 12.0.4d

Are you shure "allow_sysvipc" is set up the right way in jail options (jcontrol-tui e.g.)
Imho it should be set to yes or no (1 or 0) and not inherit or new, this is for "sysvshm" and others. (see below)
From the FreeBSD Jail manpage:
allow.sysvipc
A process within the jail has access to System V IPC
primitives. This is deprecated in favor of the per-mod-
ule parameters (see below). When this parameter is set,
it is equivalent to setting sysvmsg, sysvsem, and sysvshm
all to ``inherit''.

Also it should not be used anymore:
from https://blog.tyk.nu/blog/freebsd-jails-and-sysv-ipc/ :

In FreeBSD 11 allow.sysvipc=1 is no longer recommended, instead three new permissions has been introduced:

sysvshm: Controls access to shared memory
sysvsem: Controls access to SYSV semaphores
sysvmsg: Controls access to SYSV message queues
Each of these can have three values:

disable: Disables access to this type of resource (default)
inherit: Makes the jail inherit the global SYSV namespace (the old behaviour, same as allow.sysvipc=1)
new: Creates a new seperate SYSV namespace for this jail. This is what you want.
So the example above with a PostgreSQL jail which needs shared memory and semaphores I add sysvshm=new and sysvsem=new instead of allow.sysvipc=1 in FreeBSD 11 and beyond.
@olevole olevole self-assigned this Jan 15, 2019
@olevole
Copy link
Member

olevole commented Jan 15, 2019

Thanks for clarification! So, allow.sysvipc=1 should be removed from CBSD on FreeBSD 11.0+.
Considering that FreeBSD version <10 already EoL, it seems we can remove completely.

@olevole
Copy link
Member

olevole commented Jan 15, 2019
edited

Hmm, current CBSD behavior:

% jset mode=quiet jname=jail12 allow_sysvipc="inherit"
allow_sysvipc: inherit

% cbsd makejconf jname=jail12 out=/tmp/out.txt

/tmp/out.txt :

sysvsem = "inherit";
sysvmsg = "inherit";
sysvmsg = "inherit";

% jset mode=quiet jname=jail12 allow_sysvipc="inherit"
allow_sysvipc: new

% cbsd makejconf jname=jail12 out=/tmp/out.txt

/tmp/out.txt :

sysvsem = "new";
sysvshm = "new";
sysvmsg = "new";

everything seems fine here ? the only thing that I did not do three parameters and all are regulated by one option.

@ntinti
Copy link
Author

ntinti commented Jan 15, 2019

OK I see. But this is obfuscating I think, because "allow_sysvipc" is a firmly parameter in FreeBSD that is set in another way. And maybe someone want's to set differentially options for that three parameters. Perhaps you can make a submenu for that?

@olevole
Copy link
Member

olevole commented Jan 15, 2019

yes, maybe it will be more correct

olevole added a commit that referenced this issue Jan 20, 2019
@olevole
split allow_sysvipc option
e87c940 
remove allow_sysvipc options (deprecated in all supported FreeBSD version)
Instead add sysvsem sysvshm sysvmsg options.

Pointed by ntinti, Issue #372
@olevole
Copy link
Member

olevole commented Jan 20, 2019

Your wish has been fulfilled ;)
waiting for more...

@olevole olevole closed this as completed Jan 20, 2019
@olevole
Copy link
Member

olevole commented Feb 16, 2019

commited to ports tree: 12.0.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@olevole olevole

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@olevole @ntinti