FreeBSD11+Postgres+jail

Hi, I been surfing the net looking for an answer for this: I want to run PostgreSQL in a jail.
Code:
creating directory /usr/local/pgsql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 10
selecting default shared_buffers ... 400kB
creating configuration files ... ok
creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:  could not create shared memory segment: Function not implemented
DETAIL:  Failed system call was shmget(key=1, size=40, 03600).
child process exited with exit code 1
initdb: removing data directory "/usr/local/pgsql/data"

I saw many people that solved this problem by adding the line jail_sysvipc_allow="YES" in /etc/rc.conf and the line security.jail.sysvipc_allowed=1 in the /etc/sysctl.conf file.
I had no luck trying to make postgres run in a jail, always getting the same error. I'm running FreeBSD 11.0-RELEASE-p2 and trying to run postgres93-server.

I am brand new to FreeBSD and I'm already loving it (been using it for 1 day :D)

Anyway, I hope anyone of you can point me in the right direction.
Thanks in advance.

yozh.
 
I saw many people that solved this problem by adding the line "jail_sysvipc_allow="YES" in /etc/rc.conf and the line "security.jail.sysvipc_allowed=1" in the /etc/sysctl.conf file.
These settings are now done per jail. So you'll have to add them to the jail's configuration.

Note that enabling shared memory pretty much defeats the added security of a jail because everything will be in the same namespace.
Code:
             allow.sysvipc
                     A process within the jail has access to System V IPC
                     primitives.  In the current jail implementation, System V
                     primitives share a single namespace across the host and
                     jail environments, meaning that processes within a jail
                     would be able to communicate with (and potentially inter-
                     fere with) processes outside of the jail, and in other
                     jails.
 
These settings are now done per jail. So you'll have to add them to the jail's configuration.

Note that enabling shared memory pretty much defeats the added security of a jail because everything will be in the same namespace.
Code:
             allow.sysvipc
                     A process within the jail has access to System V IPC
                     primitives.  In the current jail implementation, System V
                     primitives share a single namespace across the host and
                     jail environments, meaning that processes within a jail
                     would be able to communicate with (and potentially inter-
                     fere with) processes outside of the jail, and in other
                     jails.
Thanks for your answer, however i added those lines into the specific jail in jails configuration and an error describing that the option was not found appeared every time i wanted to start the jail.

However i managed to make it work with a solution i found around

In the host machine:
Code:
root@host# jls
  JID  IP Address      Hostname                      Path
     3  -               some.jail                     /usr/jails/somejail
find the correct jail and issue:
Code:
jail -m jid=3 allow.sysvipc=1
Again not my solution i found it around.

Thx.

Yozh.
 
Note that enabling shared memory pretty much defeats the added security of a jail because everything will be in the same namespace.

This had somewhat changed in the 11-RELEASE. From the jail(8) manpage:
Code:
    sysvmsg
         Allow access to SYSV IPC message primitives.  If set to
         ``inherit'', all IPC objects on the system    are visible to this
         jail, whether they    were created by    the jail itself, the base sys-
         tem, or other jails.  If set to ``new'', the jail will have its
         own key namespace,    and can    only see the objects that it has cre-
         ated; the system (or parent jail) has access to the jail's
         objects, but not to its keys.  If set to ``disable'', the jail
         cannot perform any    sysvmsg-related    system calls.

     sysvsem, sysvshm
         Allow access to SYSV IPC semaphore    and shared memory primitives,
         in    the same manner    as sysvmsg.
 
This had somewhat changed in the 11-RELEASE. From the jail(8) manpage:
Code:
    sysvmsg
         Allow access to SYSV IPC message primitives.  If set to
         ``inherit'', all IPC objects on the system    are visible to this
         jail, whether they    were created by    the jail itself, the base sys-
         tem, or other jails.  If set to ``new'', the jail will have its
         own key namespace,    and can    only see the objects that it has cre-
         ated; the system (or parent jail) has access to the jail's
         objects, but not to its keys.  If set to ``disable'', the jail
         cannot perform any    sysvmsg-related    system calls.

     sysvsem, sysvshm
         Allow access to SYSV IPC semaphore    and shared memory primitives,
         in    the same manner    as sysvmsg.

Just a FYI, though these are documented, the rest of the support structure has not been committed, and so will not work. Only allow.sysvipc is still supported in 11.0 and 11.1.
 
Back
Top