FreeBSD: jail can not set security.jail.sysvipc_allowed [closed]
There is a problem when I init a PostgreSQL database in a FreeBSD jail.

I found an article about the problem. I tried its advice but I didn't have any luck and I don't know why. Here is the link: PostgreSQL in jail.

I also read the PostgreSQL documentation on kernel resources:

If running in FreeBSD jails by enabling sysctl's security.jail.sysvipc_allowed, postmasters running in different jails should be run by different operating system users. This improves security because it prevents non-root users from interfering with shared memory or semaphores in different jails, and it allows the PostgreSQL IPC cleanup code to function properly. (In FreeBSD 6.0 and later the IPC cleanup code does not properly detect processes in other jails, preventing the running of postmasters on the same port in different jails.)

What I've done:

  • I edited /etc/rc.conf (on the host machine) and added the line jail_sysvipc_allow="YES"
  • In the jail machine's /etc/sysctl.conf, I added the line security.jail.sysvipc_allowed=1

I restarted the jail machine multiple times. I haven't restarted the host machine and don't want to.

Hope someone can give me a solution or some advice. Thanks so much.

This is the message when I restart the jail:

 /etc/rc.d/sysctl: WARNING: unable to set security.jail.sysvipc_allowed=1

Or when I run sysctl manually: (on jail)

 root@xxxxx:/home/xxxx# sysctl security.jail.sysvipc_allowed=1
 security.jail.sysvipc_allowed: 0
 sysctl: security.jail.sysvipc_allowed: Operation not permitted

FreeBSD version: FreeBSD xxxxxxx 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE

PostgreSQL version: postgresql-server-9.1.4

Error Message:

 root@xxxxxx:/home/xxx # /usr/local/etc/rc.d/postgresql initdb
 The files belonging to this database system will be owned by user "pgsql".
 This user must also own the server process.

 The database cluster will be initialized with locale C.
 The default text search configuration will be set to "english".

 creating directory /usr/local/pgsql/data ... ok
 creating subdirectories ... ok
 selecting default max_connections ... 10
 selecting default shared_buffers ... 400kB
 creating configuration files ... ok
 creating template1 database in /usr/local/pgsql/data/base/1 ... FATAL:  could not create      
 shared memory segment: Function not implemented
 DETAIL:  Failed system call was shmget(key=1, size=2146304, 03600).
 child process exited with exit code 1
 initdb: removing data directory "/usr/local/pgsql/data"

Update:

On the host machine:

  /etc/sysctl.conf: security.jail.sysvipc_allowed=1
  /etc/rc.conf: jail_sysvipc_allow="YES"

On the jail server, there is no extra jail_sysvipc configuration.

sysctl value in host machine:

   root@xxxxx:/home/xxxx# sysctl -a | grep 'sysvipc'
   security.jail.param.allow.sysvipc: 0
   security.jail.sysvipc_allowed: 1

I still get the same error message as I got before.

In addition, I am wondering if there is anything with security.jail.param.allow.sysvipc? Because, on the host machine, I was not allowed to set it. (security.jail.param.allow.sysvipc 0 -> 0)

Battled answered 10/8, 2012 at 22:18 Comment(4)
Which FreeBSD version are you using? Which PostgreSQL version?Flutterboard
Also, is this causing you a specific problem? Do you just want to improve inter-jail isolation? Are you having issues starting Pg up in a jail? What's the background? Include the commands you run and the errors they produce, just like you have for the attempted solution you've written about. Please update your question.Flutterboard
Same problem here, with FreeBSD-9.1, compiled two days ago.Roxieroxine
Maybe you hit this bug: freebsd.org/cgi/query-pr.cgi?pr=bin/173469Logia
I found the problem after my teammate's help.

Because I use /etc/jail.conf, I have to add a line "allow.sysvipc" to enable System V shared memory.

On the host machine:

  /etc/sysctl.conf
  security.jail.sysvipc_allowed=1

  /etc/rc.conf
  jail_sysvipc_allow="YES" (you do NOT have to do this; remove it)
Battled answered 14/8, 2012 at 17:30 Comment(0)
Solution found. The following does work for me. On the host, do:

root@host# jls
   JID  IP Address      Hostname                      Path
     3  -               some.jail                     /usr/jails/somejail

Find the correct JID, 3 in my example. Then, on the host, issue:

jail -m jid=3 allow.sysvipc=1

Roxieroxine answered 10/9, 2012 at 13:34 Comment(2)
This poses a security risk because if another jail also shares memory and is pwned, they can mess with the rest of the jails sharing memory, semaphores, etc. Since FreeBSD 11, you can namespace shared memory, semaphores, etc with sysvshsem=new, sysvshmem=new. For a more in-depth explanation and commands, see blog.tyk.nu/blog/freebsd-jails-and-sysv-ipc or archive.fo/P10Cr if unavailable.Cryology
I meant sysvshm=new, sysvsem=new, and sysvmsg=new if you need namespaced shared memory, semaphores, and message queues respectively.Cryology
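The `jail -m jid=3 allow.sysvipc=1` step above enables IPC but, as the comments note, leaves the jail in the host's shared key namespace. As an added example that is not part of this thread, the following POSIX sh script (the shell the commands above are typed into) classifies a jail's IPC posture from the parameter line `jls -n` prints, distinguishing disabled IPC (the question's "Function not implemented" failure), IPC inherited from the host, and the per-jail namespaces (`sysvshm=new`, `sysvsem=new`, `sysvmsg=new`) available since FreeBSD 11. It assumes the `jls -n` output format (boolean flags printed as `allow.sysvipc` / `allow.nosysvipc`); the sample lines are constructed and the function and jail names are hypothetical. In jail.conf the same settings are written as `allow.sysvipc;` or `sysvshm = "new";` lines.

```shell
# Added example, not from the original thread: classify a jail's SysV IPC
# posture from the parameter line that `jls -n` prints for it. Assumptions:
# boolean parameters are printed as `allow.sysvipc` / `allow.nosysvipc`, and
# (FreeBSD 11+) the per-module parameters sysvshm, sysvsem and sysvmsg take
# the values disable, inherit or new. The sample lines below are constructed,
# not captured from a real host.

# resolve MODULE_VALUE ALLOW_FLAG
# A module parameter that jls did not print falls back to the legacy
# allow.sysvipc meaning: allowed -> inherit the host namespace, else disable.
resolve() {
    if [ -n "$1" ]; then
        echo "$1"
    elif [ "$2" -eq 1 ]; then
        echo inherit
    else
        echo disable
    fi
}

# ipc_posture "PARAMS" prints one of:
#   disabled  the jail cannot use SysV IPC at all (shmget fails with ENOSYS,
#             the "Function not implemented" error from the question)
#   shared    IPC works, but at least one of shm/sem/msg is inherited from the
#             host, so keys collide and other jails can reach the segments
#   private   IPC works and every enabled module has its own key namespace
ipc_posture() {
    allow=0
    shm=""; sem=""; msg=""
    for tok in $1; do
        case $tok in
            allow.sysvipc|allow.sysvipc=1|allow.sysvipc=true) allow=1 ;;
            allow.nosysvipc|allow.sysvipc=0)                  allow=0 ;;
            sysvshm=*) shm=${tok#sysvshm=} ;;
            sysvsem=*) sem=${tok#sysvsem=} ;;
            sysvmsg=*) msg=${tok#sysvmsg=} ;;
        esac
    done
    shm=$(resolve "$shm" "$allow")
    sem=$(resolve "$sem" "$allow")
    msg=$(resolve "$msg" "$allow")
    case "$shm $sem $msg" in
        *inherit*)                 echo shared ;;
        "disable disable disable") echo disabled ;;
        *)                         echo private ;;
    esac
}

# jail_name "PARAMS" extracts the name= parameter (or "?" if absent).
jail_name() {
    n="?"
    for tok in $1; do
        case $tok in name=*) n=${tok#name=} ;; esac
    done
    echo "$n"
}

# Constructed jls -n lines, trimmed to the parameters that matter here.
SAMPLE_LEGACY='name=pg9 path=/usr/jails/pg9 allow.sysvipc allow.noraw_sockets'
SAMPLE_OFF='name=noipc path=/usr/jails/noipc allow.nosysvipc'
SAMPLE_NEW='name=pg11 allow.nosysvipc sysvshm=new sysvsem=new sysvmsg=new'
SAMPLE_MIXED='name=halfway allow.nosysvipc sysvshm=new sysvsem=inherit sysvmsg=disable'

for s in "$SAMPLE_LEGACY" "$SAMPLE_OFF" "$SAMPLE_NEW" "$SAMPLE_MIXED"; do
    printf '%-8s %s\n' "$(jail_name "$s")" "$(ipc_posture "$s")"
done
# pg9      shared
# noipc    disabled
# pg11     private
# halfway  shared

# On a real FreeBSD host, audit every running jail the same way.
audit_live() {
    jls -n | while read -r params; do
        printf '%-8s %s\n' "$(jail_name "$params")" "$(ipc_posture "$params")"
    done
}
if command -v jls >/dev/null 2>&1; then
    audit_live
fi
```

A jail that reports `shared` is the situation the comment warns about: its PostgreSQL segments live in the same key space as the host's and every other such jail's. Moving it to `private` means setting the three module parameters to `new` (via `jail -m` or jail.conf) and dropping the legacy `allow.sysvipc`, which otherwise forces `inherit` on any module you did not set explicitly.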
There are some new features for jail with finer granularity; to allow changing sysvipc_allowed for each jail, put this in /etc/rc.conf:

jail_example_parameters="allow.sysvipc=1"
Agonist answered 15/11, 2012 at 15:10 Comment(0)
The sysctl security.jail.sysvipc_allowed has to be set on the host, not in the jail. But if you set jail_sysvipc_allow="YES" in the host's rc.conf, that should set it for you, see /etc/rc.d/jail.

You should check on the host if the value of security.jail.sysvipc_allowed changes to 1 if you start the jail. If not, there is probably something wrong in your rc.conf. Try setting security.jail.sysvipc_allowed manually on the host.

Grandniece answered 12/8, 2012 at 23:31 Comment(0)
My system required modding /etc/rc.conf before restarting the jail, otherwise it would set both host and jail to 0. I did not need to set security.jail.sysvipc_allowed=1 in /etc/sysctl.conf.

/etc/rc.conf:
jail_sysvipc_allow="YES"
Trieste answered 8/5, 2013 at 1:17 Comment(0)