Re: sysvipc only for one jail
On 12.08.2013 19:46, Trond Endrestøl wrote:
> On Mon, 12 Aug 2013 14:09+0200, Trond Endrestøl wrote:
>
>> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>>
>>> 2013/8/12 Trond Endrestøl:
>>>> On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
>>>>
>>>>> 2013/8/11 Maciej Suszko:
>>>>>> Maciej Suszko wrote:
>>>>>> [...]
>>>>>>>
>>>>>>> You can specify different params for each jail using _parameters, for
>>>>>>> example:
>>>>>>>
>>>>>>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>>>>>>
>>>>>> Sorry, my mistake - it should be jail_jailname_parameters= of course.
>>>>>> --
>>>>>> regards, Maciej Suszko.
>>>>>
>>>>> Thanks for your message,
>>>>>
>>>>> However, I could not find this setting in the manual of rc.conf(5)
>>>>> nor in /etc/rc.d/jail :(. It does not seem to be applied.
>>>>
>>>> Have a look at jail(8) and the last lines of /etc/default/rc.conf.
>>>
>>> I see,
>>>
>>> I've added what Maciej Suszko told me but the sysctls in the jail are
>>> not set as they should be:
>>>
>>> security.jail.param.allow.sysvipc: 0
>>> security.jail.param.allow.chflags: 0
>>>
>>> And thus, it's not enabled as postgresql tells:
>>>
>>> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
>>> could not create shared memory segment: Function not implemented
>>
>> I'll look into this by creating a new jail for PostgreSQL 9.2 when I
>> get home.
>
> My host is running 9.2-PRERELEASE, r254150, in VirtualBox 4.2.16.
> The jails are running world, also at r254150.
>
> I added the following to the host's /etc/rc.conf:
>
> jail_enable="YES"
> jail_list="postgresql"
> jail_postgresql_rootdir="/jails/postgresql"
> jail_postgresql_hostname="postgresql.bsd.net"
> jail_postgresql_interface="vtnet0"
> jail_postgresql_fib="0"
> jail_postgresql_ip="10.0.2.103,2001:db8::103"
> jail_postgresql_exec_start="/bin/sh /etc/rc"
> jail_postgresql_exec_stop="/bin/sh /etc/rc.shutdown"
> jail_postgresql_devfs_enable="YES"
> jail_postgresql_parameters="enforce_statfs=1 allow.chflags=1 allow.sysvipc=1 allow.mount=1 allow.mount.zfs=1"
>
> I added the following to the host's /etc/jail.conf:
>
> postgresql {
>   path = /jails/postgresql;
>   enforce_statfs = 1;
>   allow.chflags;
>   allow.sysvipc;
>   allow.mount;
>   allow.mount.zfs;
>   mount.devfs;
>   host.hostname = postgresql.bsd.net;
>   ip4.addr = 10.0.2.103;
>   ip6.addr = 2001:db8::103;
>   interface = vtnet0;
>   exec.start = "/bin/sh /etc/rc";
>   exec.stop = "/bin/sh /etc/rc.shutdown";
> }
>
> PostgreSQL 9.2.4 had no problems running initdb nor running postgres
> inside the jail:
>
> root@freebsd-jails:/ # jexec 4 csh
> root@postgresql:/ # /usr/local/etc/rc.d/postgresql status
> pg_ctl: server is running (PID: 46623)
> /usr/local/bin/postgres "-D" "/usr/local/pgsql/data"
> root@postgresql:/ #
>
> If you start the jail manually using jail(8), then /etc/jail.conf
> comes into play, whereas the lines in /etc/rc.conf are used during
> automatic startup of the jails when the host is rebooted. The whole
> arrangement seems unnecessarily redundant, and I truly wish this can be
> merged sooner rather than later.

I've updated to 9.2-RC1 and the _parameters did the trick, thanks!

Cheers,

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
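
An added example, not part of the original thread: an sh function that reads an rc.conf-style file and reports whether SysV IPC is granted through the global jail_sysvipc_allow or only to individual jails through jail_<name>_parameters, the per-jail form confirmed in the message above. The function name, the sample file and the second jail name (www) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list SysV IPC grants in an
# rc.conf-style file. Output, one finding per line:
#   GLOBAL       jail_sysvipc_allow is on (the global switch the thread avoids)
#   JAIL <name>  allow.sysvipc is enabled in jail_<name>_parameters
sysvipc_grants() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^"|"[ \t]*$/, "", val)         # drop the surrounding quotes
            if (key == "jail_sysvipc_allow") {
                v = toupper(val)                 # rc.conf booleans: YES/TRUE/ON/1
                global = (v == "YES" || v == "TRUE" || v == "ON" || v == "1")
            } else if (key ~ /^jail_.+_parameters$/) {
                name = key
                sub(/^jail_/, "", name)
                sub(/_parameters$/, "", name)
                grant[name] = 0                  # a later assignment replaces an earlier one
                n = split(val, p, /[ \t]+/)
                for (i = 1; i <= n; i++) {
                    if (p[i] == "allow.sysvipc" || p[i] == "allow.sysvipc=1")
                        grant[name] = 1
                    if (p[i] == "allow.nosysvipc" || p[i] == "allow.sysvipc=0")
                        grant[name] = 0
                }
            }
        }
        END {
            if (global) print "GLOBAL"
            for (j in grant) if (grant[j]) print "JAIL " j
        }
    ' "$1" | sort
}

# Constructed sample: the postgresql jail from the thread plus a made-up
# "www" jail that should not receive SysV IPC.
sample=$(mktemp)
cat > "$sample" <<'EOF'
jail_enable="YES"
jail_list="postgresql www"
jail_sysvipc_allow="NO"
jail_postgresql_parameters="enforce_statfs=1 allow.chflags=1 allow.sysvipc=1 allow.mount=1 allow.mount.zfs=1"
jail_www_parameters="allow.chflags=1"
EOF
sysvipc_grants "$sample"
rm -f "$sample"
```

A GLOBAL line means the per-jail settings no longer limit anything; the output to aim for lists only the jails that actually need SysV IPC.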
Re: sysvipc only for one jail
On Tue, Aug 13, 2013 at 12:14 AM, Shane Ambler wrote:
> On 12/08/2013 21:39, Trond Endrestøl wrote:
>>
>> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>
>>> And thus, it's not enabled as postgresql tells:
>>>
>>> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
>>> could not create shared memory segment: Function not implemented
>>
>> I'll look into this by creating a new jail for PostgreSQL 9.2 when I
>> get home.
>>
>
> While it is currently in beta maybe you could also try 9.3 and verify that
> the shared memory update works or eliminates this configuration?
>

No need for any complication. Pg will work just fine by following this
simple recipe.

I compute a UID unique to the overall system by concatenating 70 (the
natural UID for the pgsql user in FBSD) and the last 3 digits of the
jail's IP, but you can come up with any numbering scheme as long as it's
consistent and easily associated to a specific jail.

For example for the Pg running on jail 192.168.101.124, install
PostgreSQL and before doing anything else:

pw usermod pgsql -u 70124
pw groupmod pgsql -g 70124
pw usermod pgsql -g 70124
chown -R pgsql /usr/local/pgsql/
chgrp -R pgsql /usr/local/pgsql/

Any other application that uses SYSV IPC should follow a similar recipe,
and it's compatible with all versions of Jails.

And that's it. I have dozens of jails with Pg running this way.

Likewise also make sure all of your network daemons listen
_specifically_ to that jail's IP, in Pg that would be

postgresql.conf:
listen_addresses = 'xx'

although the default 'localhost' should work most of the time.

Always double check all daemons with sockstat (e.g. sockstat -4l) to
make sure they only listen on that jail's IP(s).

Best,

--
Alejandro Imass
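
An added example, not part of Alejandro Imass's post: the UID scheme from the message above as sh functions, with a check for a case the scheme leaves open, namely two jails whose addresses end in the same octet and would therefore share a UID. Reading "last 3 digits" as the last IPv4 octet zero-padded to three digits is an assumption of this example, as are the function names and the extra jail addresses.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: "last 3 digits" means the
# last IPv4 octet, zero-padded to three digits.

# jail_uid BASE IP -> prints BASE followed by the padded last octet.
jail_uid() {
    last=${2##*.}
    case $last in
        ''|*[!0-9]*|0?*) echo "bad IPv4 address: $2" >&2; return 1 ;;
    esac
    [ "$last" -le 255 ] || { echo "bad IPv4 address: $2" >&2; return 1; }
    printf '%s%03d\n' "$1" "$last"
}

# uid_collisions BASE IP... -> prints "UID IP IP..." for every UID that two
# or more jails would share; prints nothing when all UIDs are unique.
uid_collisions() {
    base=$1; shift
    for ip in "$@"; do
        uid=$(jail_uid "$base" "$ip") || continue
        echo "$uid $ip"
    done | sort | awk '
        { ips[$1] = (ips[$1] == "" ? "" : ips[$1] " ") $2; n[$1]++ }
        END { for (u in n) if (n[u] > 1) print u, ips[u] }' | sort
}

# renumber_cmds UID -> prints the commands from the post for that UID/GID,
# to be reviewed and run inside the jail before PostgreSQL is initialised.
renumber_cmds() {
    printf '%s\n' \
        "pw usermod pgsql -u $1" \
        "pw groupmod pgsql -g $1" \
        "pw usermod pgsql -g $1" \
        "chown -R pgsql /usr/local/pgsql/" \
        "chgrp -R pgsql /usr/local/pgsql/"
}

# Constructed sample: the address from the post plus two made-up jails, one
# of which ends in the same octet on a different subnet.
renumber_cmds "$(jail_uid 70 192.168.101.124)"
uid_collisions 70 192.168.101.124 192.168.102.124 192.168.101.5
```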
Re: sysvipc only for one jail
On Tue, 13 Aug 2013 07:53-0400, Fbsd8 wrote:

> What 9.3 are you talking about
> 9.2-RC1 is the newest available.
> Is 9.3 a typo and you really mean 9.2??

PostgreSQL 9.3beta2, you'll find it in ports as
databases/postgresql93-server, etc.

http://wiki.postgresql.org/wiki/What's_new_in_PostgreSQL_9.3

Among other things:

o Switch to Posix shared memory and mmap(). (DONE)

--
+--------------------------+-----------------------------------+
| Vennlig hilsen,          | Best regards,                     |
| Trond Endrestøl,         | Trond Endrestøl,                  |
| IT-ansvarlig,            | System administrator,             |
| Fagskolen Innlandet,     | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567,    | Cellular...: +47 952 62 567,      |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00.     |
+--------------------------+-----------------------------------+
Re: sysvipc only for one jail
Terje Elde wrote:
> On 12. aug. 2013, at 19.46, Trond Endrestøl wrote:
>
>> If you start the jail manually using jail(8), then /etc/jail.conf
>> comes into play, whereas the lines in /etc/rc.conf are used during
>> automatic startup of the jails when the host is rebooted. The whole
>> arrangement seems unnecessarily redundant, and I truly wish this can be
>> merged sooner rather than later.
>
> It *is* unnecessarily redundant.
>
> If you're using /etc/rc.conf to define the jails, then start them with:
>
> /etc/rc.d/jail start jailname
>
> That is, if you're mostly using /etc/rc.conf to define the jails, then
> start them manually using that as well?
>
> Problem solved?
>
> Terje

Here is a writeup about jails that you may find useful.
It includes a boot time jail startup script for jail(8) defined jails.

http://www.a1poweruser.com/35.00-Jails_guide_article.php
Re: sysvipc only for one jail
Shane Ambler wrote:
> On 12/08/2013 21:39, Trond Endrestøl wrote:
>
> While it is currently in beta maybe you could also try 9.3 and verify
> that the shared memory update works or eliminates this configuration?
>
> If you missed the change, 9.3 is implementing shared memory using mmap.

What 9.3 are you talking about
9.2-RC1 is the newest available.
Is 9.3 a typo and you really mean 9.2??
Re: sysvipc only for one jail
On 12. aug. 2013, at 19.46, Trond Endrestøl wrote:

> If you start the jail manually using jail(8), then /etc/jail.conf
> comes into play, whereas the lines in /etc/rc.conf are used during
> automatic startup of the jails when the host is rebooted. The whole
> arrangement seems unnecessarily redundant, and I truly wish this can be
> merged sooner rather than later.

It *is* unnecessarily redundant.

If you're using /etc/rc.conf to define the jails, then start them with:

/etc/rc.d/jail start jailname

That is, if you're mostly using /etc/rc.conf to define the jails, then
start them manually using that as well?

Problem solved?

Terje
Re: sysvipc only for one jail
On 13. aug. 2013, at 06:14, Shane Ambler wrote:

> If you missed the change, 9.3 is implementing shared memory using mmap.

But still using sysvipc for some locks/mutexes, so doesn't allow you to
run "sysvipc-free".

Terje
Re: sysvipc only for one jail
On 12/08/2013 21:39, Trond Endrestøl wrote:

> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>
>> And thus, it's not enabled as postgresql tells:
>>
>> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
>> could not create shared memory segment: Function not implemented
>
> I'll look into this by creating a new jail for PostgreSQL 9.2 when I
> get home.

While it is currently in beta maybe you could also try 9.3 and verify
that the shared memory update works or eliminates this configuration?

If you missed the change, 9.3 is implementing shared memory using mmap.
Re: sysvipc only for one jail
On Mon, 12 Aug 2013 14:09+0200, Trond Endrestøl wrote:

> On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:
>
>> 2013/8/12 Trond Endrestøl:
>>> On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
>>>
>>>> 2013/8/11 Maciej Suszko:
>>>>> Maciej Suszko wrote:
>>>>> [...]
>>>>>>
>>>>>> You can specify different params for each jail using _parameters, for
>>>>>> example:
>>>>>>
>>>>>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>>>>>
>>>>> Sorry, my mistake - it should be jail_jailname_parameters= of course.
>>>>> --
>>>>> regards, Maciej Suszko.
>>>>
>>>> Thanks for your message,
>>>>
>>>> However, I could not find this setting in the manual of rc.conf(5)
>>>> nor in /etc/rc.d/jail :(. It does not seem to be applied.
>>>
>>> Have a look at jail(8) and the last lines of /etc/default/rc.conf.
>>
>> I see,
>>
>> I've added what Maciej Suszko told me but the sysctls in the jail are
>> not set as they should be:
>>
>> security.jail.param.allow.sysvipc: 0
>> security.jail.param.allow.chflags: 0
>>
>> And thus, it's not enabled as postgresql tells:
>>
>> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
>> could not create shared memory segment: Function not implemented
>
> I'll look into this by creating a new jail for PostgreSQL 9.2 when I
> get home.

My host is running 9.2-PRERELEASE, r254150, in VirtualBox 4.2.16.
The jails are running world, also at r254150.

I added the following to the host's /etc/rc.conf:

jail_enable="YES"
jail_list="postgresql"
jail_postgresql_rootdir="/jails/postgresql"
jail_postgresql_hostname="postgresql.bsd.net"
jail_postgresql_interface="vtnet0"
jail_postgresql_fib="0"
jail_postgresql_ip="10.0.2.103,2001:db8::103"
jail_postgresql_exec_start="/bin/sh /etc/rc"
jail_postgresql_exec_stop="/bin/sh /etc/rc.shutdown"
jail_postgresql_devfs_enable="YES"
jail_postgresql_parameters="enforce_statfs=1 allow.chflags=1 allow.sysvipc=1 allow.mount=1 allow.mount.zfs=1"

I added the following to the host's /etc/jail.conf:

postgresql {
  path = /jails/postgresql;
  enforce_statfs = 1;
  allow.chflags;
  allow.sysvipc;
  allow.mount;
  allow.mount.zfs;
  mount.devfs;
  host.hostname = postgresql.bsd.net;
  ip4.addr = 10.0.2.103;
  ip6.addr = 2001:db8::103;
  interface = vtnet0;
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}

PostgreSQL 9.2.4 had no problems running initdb nor running postgres
inside the jail:

root@freebsd-jails:/ # jexec 4 csh
root@postgresql:/ # /usr/local/etc/rc.d/postgresql status
pg_ctl: server is running (PID: 46623)
/usr/local/bin/postgres "-D" "/usr/local/pgsql/data"
root@postgresql:/ #

If you start the jail manually using jail(8), then /etc/jail.conf
comes into play, whereas the lines in /etc/rc.conf are used during
automatic startup of the jails when the host is rebooted. The whole
arrangement seems unnecessarily redundant, and I truly wish this can be
merged sooner rather than later.

--
+--------------------------+-----------------------------------+
| Vennlig hilsen,          | Best regards,                     |
| Trond Endrestøl,         | Trond Endrestøl,                  |
| IT-ansvarlig,            | System administrator,             |
| Fagskolen Innlandet,     | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567,    | Cellular...: +47 952 62 567,      |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00.     |
+--------------------------+-----------------------------------+
Re: sysvipc only for one jail
David Demelier wrote:

> 2013/8/11 Maciej Suszko:
>> Maciej Suszko wrote:
>> [...]
>>>
>>> You can specify different params for each jail using _parameters,
>>> for example:
>>>
>>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>>
>> Sorry, my mistake - it should be jail_jailname_parameters= of
>> course. --
>> regards, Maciej Suszko.
>
> Thanks for your message,
>
> However, I could not find this setting in the manual of rc.conf(5)
> nor in /etc/rc.d/jail :(. It does not seem to be applied.

I suppose jail_(jname)_parameters rc.conf option is available in at
least 9-STABLE.
--
regards, Maciej Suszko.
Re: sysvipc only for one jail
On Mon, 12 Aug 2013 13:57+0200, David Demelier wrote:

> 2013/8/12 Trond Endrestøl:
>> On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
>>
>>> 2013/8/11 Maciej Suszko:
>>>> Maciej Suszko wrote:
>>>> [...]
>>>>>
>>>>> You can specify different params for each jail using _parameters, for
>>>>> example:
>>>>>
>>>>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>>>>
>>>> Sorry, my mistake - it should be jail_jailname_parameters= of course.
>>>> --
>>>> regards, Maciej Suszko.
>>>
>>> Thanks for your message,
>>>
>>> However, I could not find this setting in the manual of rc.conf(5)
>>> nor in /etc/rc.d/jail :(. It does not seem to be applied.
>>
>> Have a look at jail(8) and the last lines of /etc/default/rc.conf.
>
> I see,
>
> I've added what Maciej Suszko told me but the sysctls in the jail are
> not set as they should be:
>
> security.jail.param.allow.sysvipc: 0
> security.jail.param.allow.chflags: 0
>
> And thus, it's not enabled as postgresql tells:
>
> creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
> could not create shared memory segment: Function not implemented

I'll look into this by creating a new jail for PostgreSQL 9.2 when I
get home.

--
+--------------------------+-----------------------------------+
| Vennlig hilsen,          | Best regards,                     |
| Trond Endrestøl,         | Trond Endrestøl,                  |
| IT-ansvarlig,            | System administrator,             |
| Fagskolen Innlandet,     | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567,    | Cellular...: +47 952 62 567,      |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00.     |
+--------------------------+-----------------------------------+
Re: sysvipc only for one jail
2013/8/12 Trond Endrestøl:
> On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:
>
>> 2013/8/11 Maciej Suszko:
>>> Maciej Suszko wrote:
>>> [...]
>>>>
>>>> You can specify different params for each jail using _parameters, for
>>>> example:
>>>>
>>>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>>>
>>> Sorry, my mistake - it should be jail_jailname_parameters= of course.
>>> --
>>> regards, Maciej Suszko.
>>
>> Thanks for your message,
>>
>> However, I could not find this setting in the manual of rc.conf(5)
>> nor in /etc/rc.d/jail :(. It does not seem to be applied.
>
> Have a look at jail(8) and the last lines of /etc/default/rc.conf.
>
> --
> +--------------------------+-----------------------------------+
> | Vennlig hilsen,          | Best regards,                     |
> | Trond Endrestøl,         | Trond Endrestøl,                  |
> | IT-ansvarlig,            | System administrator,             |
> | Fagskolen Innlandet,     | Gjøvik Technical College, Norway, |
> | tlf. mob. 952 62 567,    | Cellular...: +47 952 62 567,      |
> | sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00.     |
> +--------------------------+-----------------------------------+

I see,

I've added what Maciej Suszko told me but the sysctls in the jail are
not set as they should be:

security.jail.param.allow.sysvipc: 0
security.jail.param.allow.chflags: 0

And thus, it's not enabled as postgresql tells:

creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:
could not create shared memory segment: Function not implemented

Cheers,

--
Demelier David
Re: sysvipc only for one jail
On Mon, 12 Aug 2013 12:40+0200, David Demelier wrote:

> 2013/8/11 Maciej Suszko:
>> Maciej Suszko wrote:
>> [...]
>>>
>>> You can specify different params for each jail using _parameters, for
>>> example:
>>>
>>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>>
>> Sorry, my mistake - it should be jail_jailname_parameters= of course.
>> --
>> regards, Maciej Suszko.
>
> Thanks for your message,
>
> However, I could not find this setting in the manual of rc.conf(5)
> nor in /etc/rc.d/jail :(. It does not seem to be applied.

Have a look at jail(8) and the last lines of /etc/default/rc.conf.

--
+--------------------------+-----------------------------------+
| Vennlig hilsen,          | Best regards,                     |
| Trond Endrestøl,         | Trond Endrestøl,                  |
| IT-ansvarlig,            | System administrator,             |
| Fagskolen Innlandet,     | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567,    | Cellular...: +47 952 62 567,      |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00.     |
+--------------------------+-----------------------------------+
Re: sysvipc only for one jail
2013/8/11 Maciej Suszko:
> Maciej Suszko wrote:
> [...]
>>
>> You can specify different params for each jail using _parameters, for
>> example:
>>
>> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
>
> Sorry, my mistake - it should be jail_jailname_parameters= of course.
> --
> regards, Maciej Suszko.

Thanks for your message,

However, I could not find this setting in the manual of rc.conf(5)
nor in /etc/rc.d/jail :(. It does not seem to be applied.

Cheers,

--
Demelier David
Re: sysvipc only for one jail
Maciej Suszko wrote:
[...]
>
> You can specify different params for each jail using _parameters, for
> example:
>
> jail_jailname_params="allow.chflags=1 allow.sysvipc=1"

Sorry, my mistake - it should be jail_jailname_parameters= of course.
--
regards, Maciej Suszko.
Re: sysvipc only for one jail
David Demelier wrote:

> Hi,
>
> I would like to enable sysvipc only for one jail (defined in
> /etc/rc.conf). It's possible with jail.conf but this is not supported
> with jails listed in /etc/rc.conf.
>
> Is it possible without using the global jail_sysvipc_allow?

You can specify different params for each jail using _parameters, for
example:

jail_jailname_params="allow.chflags=1 allow.sysvipc=1"
--
regards, Maciej Suszko.
sysvipc only for one jail
Hi,

I would like to enable sysvipc only for one jail (defined in
/etc/rc.conf). It's possible with jail.conf but this is not supported
with jails listed in /etc/rc.conf.

Is it possible without using the global jail_sysvipc_allow?

Cheers,

--
Demelier David