Nix on Linux runs all builds and tests in a sandboxed environment by
default. Nix on Darwin/macOS doesn't enable the sandbox by default,
because macOS' native sandboxing capabilities are limited. We'd like to
enable the sandbox by default in the future. Currently, this prevents
running PostgreSQL's test suite or building extensions with cargo-pgrx,
both of which require *running* initdb / postgres inside the sandbox.
This is because the Darwin sandbox doesn't allow creating System V
shared memory segments. Nix's Linux sandbox is able to create IPC
namespaces, which allows creating these safely. To our knowledge it's
not possible to create these namespaces with the native Darwin
sandboxing capabilities. Enabling IPC regardless would allow
communicating with other sandboxes and the host system, defeating the
point of the sandbox.

System V shared memory segments are used by PostgreSQL to provide a lock
on the data directory, as explained in sysv_shmem.c. The comment also
mentions the possibility to introduce a compile and/or run-time test
here. For our use-case, a run-time test seems much better, because we'd
want the same binaries to not do this inside the sandbox, but work as
before when actually run on the host.

Right now, initdb fails with this error:

    FATAL: could not create shared memory segment: Operation not permitted
    DETAIL: Failed system call was shmget(key=80109247, size=56, 03600).

It would be great if this was fixed to allow running PostgreSQL in this
environment.

Thanks,
Wolfgang
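As an added illustration of the run-time test the mail proposes (this is example code, not PostgreSQL's sysv_shmem.c), the probe below tries to create a private System V segment of the same size as in the reported shmget() call and maps the outcome to "available", "refused by policy" or "real error". The names probe_sysv_shm and classify_shm_errno are made up here, and treating EACCES and ENOSYS like the EPERM seen in the report is an assumption.

```c
/* Added example, not PostgreSQL source: a run-time probe for System V
 * shared memory. It creates a private segment and removes it at once,
 * so a refusal (as under the Darwin sandbox) can be detected before
 * initdb/postgres commit to the shmem-based data directory lock. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>

enum shm_probe { SHM_OK, SHM_DENIED, SHM_ERROR };

/* Map the errno of a failed shmget() to a probe result.
 * EPERM is the "Operation not permitted" from the report; EACCES and
 * ENOSYS are assumed to mean the same thing (policy refusal). Anything
 * else (EINVAL, ENOMEM, ...) is a genuine failure the caller should report. */
enum shm_probe classify_shm_errno(int err)
{
    switch (err) {
    case 0:      return SHM_OK;
    case EPERM:
    case EACCES:
    case ENOSYS: return SHM_DENIED;
    default:     return SHM_ERROR;
    }
}

/* Try to create a private segment of `size` bytes and tear it down again. */
enum shm_probe probe_sysv_shm(size_t size)
{
    int id = shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | 0600);
    if (id == -1)
        return classify_shm_errno(errno);
    /* Nothing is attached, so IPC_RMID destroys the segment immediately. */
    if (shmctl(id, IPC_RMID, NULL) == -1)
        return SHM_ERROR;
    return SHM_OK;
}

int main(void)
{
    switch (probe_sysv_shm(56)) { /* 56 bytes, as in the reported shmget() */
    case SHM_OK:     puts("System V shared memory available"); break;
    case SHM_DENIED: puts("System V shared memory refused by sandbox policy"); break;
    default:         puts("unexpected shmget()/shmctl() failure"); break;
    }
    return 0;
}
```

A caller would take the SHM_DENIED branch to skip the shmem-based lock inside the sandbox while the same binary keeps its normal behaviour on the host.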