Are you sure "allow_sysvipc" is set up the right way in the jail options (e.g. jcontrol-tui)?
IMHO it should be set to yes or no (1 or 0) and not inherit or new; this is for "sysvshm" and others (see below).
From the FreeBSD Jail manpage:
allow.sysvipc
A process within the jail has access to System V IPC primitives. This is deprecated in favor of the per-module parameters (see below). When this parameter is set, it is equivalent to setting sysvmsg, sysvsem, and sysvshm all to "inherit".
In FreeBSD 11, allow.sysvipc=1 is no longer recommended; instead, three new permissions have been introduced:
sysvshm: Controls access to shared memory
sysvsem: Controls access to SYSV semaphores
sysvmsg: Controls access to SYSV message queues
Each of these can have three values:
disable: Disables access to this type of resource (default)
inherit: Makes the jail inherit the global SYSV namespace (the old behaviour, same as allow.sysvipc=1)
new: Creates a new separate SYSV namespace for this jail. This is what you want.
So for the example above with a PostgreSQL jail, which needs shared memory and semaphores, I add sysvshm=new and sysvsem=new instead of allow.sysvipc=1 in FreeBSD 11 and beyond.
OK, I see. But this is obfuscating, I think, because "allow_sysvipc" is a fixed parameter in FreeBSD that is set in another way. And maybe someone wants to set different options for those three parameters. Perhaps you can make a submenu for that?