Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-14 Thread Matthew Seaman
On 14/05/2013 14:31, dweimer wrote:
> I can confirm that PostgreSQL will not run in a jail without sysvipc
> enabled, I just set up a jail running PostgreSQL a few weeks ago and had
> to do that as well.  PostgreSQL will not start without it enabled,
> though perhaps there is some setting change in PostgreSQL that will make
> it not require this.  In my case it's the only jail, and I am the only
> user with access to both the base system and the jail so I wasn't too
> concerned about it allowing more access to the base system from the jail.

postgresql-9.3beta1 was announced a few days ago, and one of the key new
features is switching largely away from sysvipc to mmap for shared memory.

http://www.postgresql.org/docs/devel/static/release-9-3.html

Unfortunately I don't think it's entirely sysV IPC free yet. But
postgresql93 is available in ports.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-14 Thread David Demelier
2013/5/14 Joe :
> David Demelier wrote:
>>
>> 2013/5/14 Joe :
>>>
>>> David Demelier wrote:
>>>>
>>>> On Monday 13 May 2013 16:32:01 Joe wrote:
>>>>>
>>>>> David Demelier wrote:
>>>>>>
>>>>>> Hello dear,
>>>>>>
>>>>>> Does jail.conf(5) not work for jails listed in the rc.conf?
>>>>>>
>>>>>> I've added in /etc/jail.conf:
>>>>>>
>>>>>> foo {
>>>>>> hostname=Foo;
>>>>>> path=/jails/foo;
>>>>>> allow.sysvipc=1;
>>>>>> }
>>>>>>
>>>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
>>>>>> start the jail it still complains about missing hostname.
>>>>>>
>>>>>> Regards,
>>>>>
>>>>> There are 2 methods for configuring jails.
>>>>>
>>>>> The legacy method which you put the jail config statements in the host's
>>>>> /etc/rc.conf file and start and stop control is done by the host's
>>>>> /etc/rc.d/jail script at boot time.
>>>>>
>>>>> The jail(8) method which has its own jail config statements in the
>>>>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>>>>> stopping. You can create a jail.conf file for each jail(8) and start it
>>>>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
>>>>> jail -f "/etc/jailname.jail.conf" -r jailname
>>>>>
>>>>> You can not mix the 2 methods.
>>>>
>>>> My real problem is that I wanted to add allow.sysvipc only for *one* jail
>>>> and I can't find a real solution by jail_* flags in /etc/rc.conf
>>>>
>>>> There is jail_allow_sysvipc but it enables it for all jails.
>>>
>>> The jail(8) method does have an allow_sysvipc on a per jail basis. To use it
>>> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
>>> in process to incorporate the jail(8) parameters into the rc.conf config
>>> statements.
>>>
>>> About the allow_sysvipc parameter, this breaks the security the jail is
>>> designed to provide and should NOT be used on any jails having public
>>> internet access.
>>>
>>> What are you trying to do that you think you need to use the allow_sysvipc
>>> parameter?
>>
>> PostgreSQL, usually I install it on the host instead of jails, but I
>> needed a second instance on a different port for a public access.
>>
>> Regards,
>>
>> --
>> Demelier David
>>
> That all sounds logical and is what jails are designed to do.
> Why would running PostgreSQL in a jail need sysvipc?
> Have you tried it? Did you get some PostgreSQL error?
>

Yes, unfortunately this is a very very old issue that has been
reported so often.

--
Demelier David
___
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"

Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-14 Thread dweimer

On 05/14/2013 8:20 am, Joe wrote:

> David Demelier wrote:
>> 2013/5/14 Joe :
>>> David Demelier wrote:
>>>> On Monday 13 May 2013 16:32:01 Joe wrote:
>>>>> David Demelier wrote:
>>>>>> Hello dear,
>>>>>>
>>>>>> Does jail.conf(5) not work for jails listed in the rc.conf?
>>>>>>
>>>>>> I've added in /etc/jail.conf:
>>>>>>
>>>>>> foo {
>>>>>> hostname=Foo;
>>>>>> path=/jails/foo;
>>>>>> allow.sysvipc=1;
>>>>>> }
>>>>>>
>>>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
>>>>>> start the jail it still complains about missing hostname.
>>>>>>
>>>>>> Regards,
>>>>>
>>>>> There are 2 methods for configuring jails.
>>>>>
>>>>> The legacy method which you put the jail config statements in the host's
>>>>> /etc/rc.conf file and start and stop control is done by the host's
>>>>> /etc/rc.d/jail script at boot time.
>>>>>
>>>>> The jail(8) method which has its own jail config statements in the
>>>>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>>>>> stopping. You can create a jail.conf file for each jail(8) and start it
>>>>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
>>>>> jail -f "/etc/jailname.jail.conf" -r jailname
>>>>>
>>>>> You can not mix the 2 methods.
>>>>
>>>> My real problem is that I wanted to add allow.sysvipc only for *one* jail
>>>> and I can't find a real solution by jail_* flags in /etc/rc.conf
>>>>
>>>> There is jail_allow_sysvipc but it enables it for all jails.
>>>
>>> The jail(8) method does have an allow_sysvipc on a per jail basis. To use it
>>> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
>>> in process to incorporate the jail(8) parameters into the rc.conf config
>>> statements.
>>>
>>> About the allow_sysvipc parameter, this breaks the security the jail is
>>> designed to provide and should NOT be used on any jails having public
>>> internet access.
>>>
>>> What are you trying to do that you think you need to use the allow_sysvipc
>>> parameter?
>>
>> PostgreSQL, usually I install it on the host instead of jails, but I
>> needed a second instance on a different port for a public access.
>>
>> Regards,
>>
>> --
>> Demelier David
>
> That all sounds logical and is what jails are designed to do.
> Why would running PostgreSQL in a jail need sysvipc?
> Have you tried it? Did you get some PostgreSQL error?

I can confirm that PostgreSQL will not run in a jail without sysvipc
enabled, I just set up a jail running PostgreSQL a few weeks ago and had
to do that as well.  PostgreSQL will not start without it enabled,
though perhaps there is some setting change in PostgreSQL that will make
it not require this.  In my case it's the only jail, and I am the only
user with access to both the base system and the jail so I wasn't too
concerned about it allowing more access to the base system from the
jail.


--
Thanks,
Dean E. Weimer
http://www.dweimer.net/

Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-14 Thread Joe

David Demelier wrote:
> 2013/5/14 Joe :
>> David Demelier wrote:
>>> On Monday 13 May 2013 16:32:01 Joe wrote:
>>>> David Demelier wrote:
>>>>> Hello dear,
>>>>>
>>>>> Does jail.conf(5) not work for jails listed in the rc.conf?
>>>>>
>>>>> I've added in /etc/jail.conf:
>>>>>
>>>>> foo {
>>>>> hostname=Foo;
>>>>> path=/jails/foo;
>>>>> allow.sysvipc=1;
>>>>> }
>>>>>
>>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
>>>>> start the jail it still complains about missing hostname.
>>>>>
>>>>> Regards,
>>>>
>>>> There are 2 methods for configuring jails.
>>>>
>>>> The legacy method which you put the jail config statements in the host's
>>>> /etc/rc.conf file and start and stop control is done by the host's
>>>> /etc/rc.d/jail script at boot time.
>>>>
>>>> The jail(8) method which has its own jail config statements in the
>>>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>>>> stopping. You can create a jail.conf file for each jail(8) and start it
>>>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
>>>> jail -f "/etc/jailname.jail.conf" -r jailname
>>>>
>>>> You can not mix the 2 methods.
>>>
>>> My real problem is that I wanted to add allow.sysvipc only for *one* jail
>>> and I can't find a real solution by jail_* flags in /etc/rc.conf
>>>
>>> There is jail_allow_sysvipc but it enables it for all jails.
>>
>> The jail(8) method does have an allow_sysvipc on a per jail basis. To use it
>> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
>> in process to incorporate the jail(8) parameters into the rc.conf config
>> statements.
>>
>> About the allow_sysvipc parameter, this breaks the security the jail is
>> designed to provide and should NOT be used on any jails having public
>> internet access.
>>
>> What are you trying to do that you think you need to use the allow_sysvipc
>> parameter?
>
> PostgreSQL, usually I install it on the host instead of jails, but I
> needed a second instance on a different port for a public access.
>
> Regards,
>
> --
> Demelier David

That all sounds logical and is what jails are designed to do.
Why would running PostgreSQL in a jail need sysvipc?
Have you tried it? Did you get some PostgreSQL error?


Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-13 Thread David Demelier
2013/5/14 Joe :
> David Demelier wrote:
>>
>> On Monday 13 May 2013 16:32:01 Joe wrote:
>>>
>>> David Demelier wrote:
>>>>
>>>> Hello dear,
>>>>
>>>> Does jail.conf(5) not work for jails listed in the rc.conf?
>>>>
>>>> I've added in /etc/jail.conf:
>>>>
>>>> foo {
>>>> hostname=Foo;
>>>> path=/jails/foo;
>>>> allow.sysvipc=1;
>>>> }
>>>>
>>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
>>>> start the jail it still complains about missing hostname.
>>>>
>>>> Regards,
>>>
>>> There are 2 methods for configuring jails.
>>>
>>> The legacy method which you put the jail config statements in the host's
>>> /etc/rc.conf file and start and stop control is done by the host's
>>> /etc/rc.d/jail script at boot time.
>>>
>>> The jail(8) method which has its own jail config statements in the
>>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>>> stopping. You can create a jail.conf file for each jail(8) and start it
>>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
>>> jail -f "/etc/jailname.jail.conf" -r jailname
>>>
>>> You can not mix the 2 methods.
>>
>> My real problem is that I wanted to add allow.sysvipc only for *one* jail
>> and I can't find a real solution by jail_* flags in /etc/rc.conf
>>
>> There is jail_allow_sysvipc but it enables it for all jails.
>
> The jail(8) method does have an allow_sysvipc on a per jail basis. To use it
> you have to use the jail(8) method. The 9.1-RELEASE legacy method is a work
> in process to incorporate the jail(8) parameters into the rc.conf config
> statements.
>
> About the allow_sysvipc parameter, this breaks the security the jail is
> designed to provide and should NOT be used on any jails having public
> internet access.
>
> What are you trying to do that you think you need to use the allow_sysvipc
> parameter?
>

PostgreSQL, usually I install it on the host instead of jails, but I
needed a second instance on a different port for a public access.

Regards,

--
Demelier David

Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-13 Thread Joe

David Demelier wrote:
> On Monday 13 May 2013 16:32:01 Joe wrote:
>> David Demelier wrote:
>>> Hello dear,
>>>
>>> Does jail.conf(5) not work for jails listed in the rc.conf?
>>>
>>> I've added in /etc/jail.conf:
>>>
>>> foo {
>>> hostname=Foo;
>>> path=/jails/foo;
>>> allow.sysvipc=1;
>>> }
>>>
>>> And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
>>> start the jail it still complains about missing hostname.
>>>
>>> Regards,
>>
>> There are 2 methods for configuring jails.
>>
>> The legacy method which you put the jail config statements in the host's
>> /etc/rc.conf file and start and stop control is done by the host's
>> /etc/rc.d/jail script at boot time.
>>
>> The jail(8) method which has its own jail config statements in the
>> host's /etc/jail.conf file and uses the jail(8) program for starting and
>> stopping. You can create a jail.conf file for each jail(8) and start it
>> using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
>> jail -f "/etc/jailname.jail.conf" -r jailname
>>
>> You can not mix the 2 methods.
>
> My real problem is that I wanted to add allow.sysvipc only for *one* jail
> and I can't find a real solution by jail_* flags in /etc/rc.conf
>
> There is jail_allow_sysvipc but it enables it for all jails.

The jail(8) method does have an allow_sysvipc on a per jail basis. To use
it you have to use the jail(8) method. The 9.1-RELEASE legacy method is
a work in process to incorporate the jail(8) parameters into the rc.conf
config statements.

About the allow_sysvipc parameter, this breaks the security the jail is
designed to provide and should NOT be used on any jails having public
internet access.

What are you trying to do that you think you need to use the
allow_sysvipc parameter?




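Added example, not part of any post in this thread: the difference between enabling allow.sysvipc for one jail and for every jail can be audited from the configuration text. The sh/awk function below reads jail.conf text and lists the jails where allow.sysvipc ends up enabled; its parser is a simplified one (see the comments), and the `www` and `db` jails and both sample files are constructed.

```shell
#!/bin/sh
# Added example: report jails whose effective allow.sysvipc is on.
# Simplified reader for jail.conf(5) syntax (assumptions): one level of
# braces, "#" and "//" comments only, no variables, wildcards or includes.

sysvipc_jails() {
    sed -e 's/#.*$//' -e 's,//.*$,,' | tr '\n' ' ' | awk '
    # 1 = enables sysvipc, 0 = disables it, -1 = some other parameter
    function setting(stmt,    kv) {
        gsub(/[ \t"]/, "", stmt)
        if (stmt == "allow.sysvipc")   return 1
        if (stmt == "allow.nosysvipc") return 0
        if (split(stmt, kv, "=") == 2 && kv[1] == "allow.sysvipc")
            return (kv[2] ~ /^(0|false)$/) ? 0 : 1
        return -1
    }
    {
        gsub(/[{}]/, ";&;")               # braces become their own tokens
        n = split($0, part, ";")
        glob = 0; cur = 0; njail = 0
        for (i = 1; i <= n; i++) {
            p = part[i]; gsub(/^[ \t]+|[ \t]+$/, "", p)
            if (p == "") continue
            if (p == "{") { cur = ++njail; name[cur] = prev; val[cur] = -1; continue }
            if (p == "}") { cur = 0; continue }
            s = setting(p)
            if (s >= 0) { if (cur) val[cur] = s; else glob = s }
            prev = p
        }
        # A parameter outside every block is the default for all jails.
        for (j = 1; j <= njail; j++)
            if (val[j] == 1 || (val[j] == -1 && glob == 1)) print name[j]
    }'
}

# Constructed sample: the foo jail from the thread plus a second jail.
per_jail='foo { hostname=Foo; path=/jails/foo; allow.sysvipc=1; }
www { path=/jails/www; }   # constructed jail'

# Constructed sample: a global default that every jail inherits unless it opts out.
global_on='allow.sysvipc;
foo { path=/jails/foo; }
www { path=/jails/www; allow.nosysvipc; }
db { path=/jails/db; }'

printf '%s\n' "$per_jail"  | sysvipc_jails    # per-jail setting only
printf '%s\n' "$global_on" | sysvipc_jails    # inherited unless overridden
```

Any jail this reports that also has public network access is the case the warning above is about.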


Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-13 Thread David Demelier
On Monday 13 May 2013 16:32:01 Joe wrote:
> David Demelier wrote:
> > Hello dear,
> > 
> > Does jail.conf(5) not work for jails listed in the rc.conf?
> > 
> > I've added in /etc/jail.conf:
> > 
> > foo {
> > 
> > hostname=Foo;
> > path=/jails/foo;
> > allow.sysvipc=1;
> > 
> > }
> > 
> > And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
> > start the jail it still complains about missing hostname.
> > 
> > Regards,
> 
> There are 2 methods for configuring jails.
> 
> The legacy method which you put the jail config statements in the host's
> /etc/rc.conf file and start and stop control is done by the host's
> /etc/rc.d/jail script at boot time.
> 
> The jail(8) method which has its own jail config statements in the
> host's /etc/jail.conf file and uses the jail(8) program for starting and
> stopping. You can create a jail.conf file for each jail(8) and start it
> using  jail -c -f "/etc/jailname.jail.conf" and stop by issuing
> jail -f "/etc/jailname.jail.conf" -r jailname
> 
> You can not mix the 2 methods.

My real problem is that I wanted to add allow.sysvipc only for *one* jail and 
I can't find a real solution by jail_* flags in /etc/rc.conf

There is jail_allow_sysvipc but it enables it for all jails.


Re: /etc/jail.conf for automatically started jails listed in /etc/rc.conf

2013-05-13 Thread Joe

David Demelier wrote:
> Hello dear,
>
> Does jail.conf(5) not work for jails listed in the rc.conf?
>
> I've added in /etc/jail.conf:
>
> foo {
> hostname=Foo;
> path=/jails/foo;
> allow.sysvipc=1;
> }
>
> And in /etc/rc.conf only foo in the jail_list parameter, but when I try to
> start the jail it still complains about missing hostname.
>
> Regards,

There are 2 methods for configuring jails.

The legacy method which you put the jail config statements in the host's
/etc/rc.conf file and start and stop control is done by the host's
/etc/rc.d/jail script at boot time.

The jail(8) method which has its own jail config statements in the
host's /etc/jail.conf file and uses the jail(8) program for starting and
stopping. You can create a jail.conf file for each jail(8) and start it
using jail -c -f "/etc/jailname.jail.conf" and stop by issuing
jail -f "/etc/jailname.jail.conf" -r jailname

You can not mix the 2 methods.

