From owner-freebsd-jail@freebsd.org Thu Apr 21 17:18:17 2016
To: freebsd-jail@FreeBSD.org
Subject: SYSV IPC on jails with separate key namespace
Date: Thu, 21 Apr 2016 11:18:07 -0600
From: James Gritton
Message-ID: <1c8ef6ff0a3a718d47d94abbcd861fe1@gritton.org>
List-Id: "Discussion about FreeBSD jail(8)"

I've updated patch 48471 (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471), which had a patch to make jails work the way they should regarding SYSV IPC objects. There's a new patch there that does the same thing, but with some different infrastructure around it.

With the patches (there are two), jails will work by default the same as they do now: if allow.sysvipc is set, then all jails share the same IPC namespace. If not, jails can't do anything with SYSV IPC. But there are new parameters with more control: sysvmsg, sysvsem, and sysvshm. Setting these to "disable" and "inherit" is the same as the old way of doing things, but setting them to "new" will create a jail that has its own namespace for the SYSV IPC keys. The system can still see a jail's IPC objects by their IDs, but the keys will belong only to the jail. And jails won't be able to see each other's IPC, whether by key or by ID. This is the full separation that has been missing from jails so far.

I plan to commit these patches pretty soon, to get into the 11 release. I'd like some feedback first if anyone wants to try them out, but barring that I'll accept my feedback after I commit :-). They work at least for some simple test cases, but I don't have anything handy that actually makes significant use of SYSV IPC, and I know that others do and have been waiting to see something like this.

- Jamie