Thread: BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11
BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11
From: PG Bug reporting form
The following bug has been logged on the website:

Bug reference: 15268
Logged by: D. Ebdrup
Email address: debdrup@gmail.com
PostgreSQL version: 10.0
Operating system: FreeBSD
Description:

Owing to some rather big changes in FreeBSD, the steps recommended in the documentation for all supported (and unsupported) versions of pgsql on FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated (ie. to be removed in a future version) and the sysvmsg, sysvsem, and sysvshm properties for jails have been added which can function like security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to which a value named "new" has been added which offers proper per-jail isolation of SysV messages, semaphores and shadow memory.
This can be confirmed by going to https://man.freebsd.org/jail(8) and searching for the second result of sysvmsg as a text-search.
Re: BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11
From: Thomas Munro
On Sun, Jul 8, 2018 at 9:50 PM, PG Bug reporting form <noreply@postgresql.org> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 15268
> Logged by: D. Ebdrup
> Email address: debdrup@gmail.com
> PostgreSQL version: 10.0
> Operating system: FreeBSD
> Description:
>
> Owing to some rather big changes in FreeBSD, the steps recommended in the
> documentation for all supported (and unsupported) versions of pgsql on
> FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
> Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated
> (ie. to be removed in a future version) and the sysvmsg, sysvsem, and
> sysvshm properties for jails have been added which can function like
> security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to
> which a value named "new" has been added which offers proper per-jail
> isolation of SysV messages, semaphores and shadow memory.
> This can be confirmed by going to https://man.freebsd.org/jail(8) and
> searching for the second result of sysvmsg as a text-search.

Right, thanks for the report. Any chance you could propose some new wording for that paragraph, or a patch for doc/src/sgml/runtime.sgml?

--
Thomas Munro
http://www.enterprisedb.com
Re: BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11
From: Daniel Ebdrup
On Mon, Jul 09, 2018 at 10:01:58AM +1200, Thomas Munro wrote:
> On Sun, Jul 8, 2018 at 9:50 PM, PG Bug reporting form
> <noreply@postgresql.org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 15268
> > Logged by: D. Ebdrup
> > Email address: debdrup@gmail.com
> > PostgreSQL version: 10.0
> > Operating system: FreeBSD
> > Description:
> >
> > Owing to some rather big changes in FreeBSD, the steps recommended in the
> > documentation for all supported (and unsupported) versions of pgsql on
> > FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
> > Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated
> > (ie. to be removed in a future version) and the sysvmsg, sysvsem, and
> > sysvshm properties for jails have been added which can function like
> > security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to
> > which a value named "new" has been added which offers proper per-jail
> > isolation of SysV messages, semaphores and shadow memory.
> > This can be confirmed by going to https://man.freebsd.org/jail(8) and
> > searching for the second result of sysvmsg as a text-search.
>
> Right, thanks for the report. Any chance you could propose some new
> wording for that paragraph, or a patch for doc/src/sgml/runtime.sgml?
>
> --
> Thomas Munro
> http://www.enterprisedb.com

I'd suggest adding a note with something along the following lines above the current paragraph covering security.jail.sysvipc_allowed:

Since FreeBSD 11 added per-jail SysV IPC isolation, it is recommended to use the jail properties sysvmsg, sysvsem, and sysvshm set to a value of "new", as this isolates SysV IPC from both the host and other jails, meaning many instances of PostgreSQL can be run on the same FreeBSD host, each in their own jail.

I'd also suggest changing the line "If running in FreeBSD jails by enabling sysctl's security.jail.sysvipc_allowed" to be "If running in FreeBSD jails by enabling sysctl's security.jail.sysvipc_allowed on FreeBSD 10" (which is likely going to be EOL'd within the next year anyway, so I'm not sure how much longer the note should be kept around, but that's up to you).
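A jail.conf(5) fragment, added here as an illustration and not part of the thread or of PostgreSQL's documentation, contrasting the deprecated allow.sysvipc setting with the per-jail "new" namespaces the report describes. The jail names, paths, addresses and hostnames are assumptions.

```conf
# Constructed example: jail names, paths, addresses and hostnames are made up.

# Pre-FreeBSD 11 style: allow.sysvipc lets the jail use the host's single
# SysV IPC namespace. Every jail configured this way shares message queues,
# semaphores and shared memory with the host and with each other, so one
# PostgreSQL instance's IPC objects are reachable from a neighbouring jail.
pg_old {
    path = "/jails/pg_old";
    host.hostname = "pg-old.example.internal";
    ip4.addr = "10.0.0.10";
    allow.sysvipc;      # deprecated; behaves like sysvmsg/sysvsem/sysvshm = inherit
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

# FreeBSD 11 and later: "new" gives this jail its own SysV IPC namespace,
# isolated from the host and from other jails. Several PostgreSQL clusters
# can then run on one host, one per jail, without seeing each other's IPC.
pg_new {
    path = "/jails/pg_new";
    host.hostname = "pg-new.example.internal";
    ip4.addr = "10.0.0.11";
    sysvmsg = new;
    sysvsem = new;
    sysvshm = new;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

After starting the second jail with `jail -c pg_new`, `jls -j pg_new sysvmsg sysvsem sysvshm` shows the three parameters as set, and `ipcs` run inside the jail lists only that jail's own IPC objects.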