BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11

#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 15268
Logged by: D. Ebdrup
Email address: debdrup@gmail.com
PostgreSQL version: 10.0
Operating system: FreeBSD
Description:

Owing to some rather big changes in FreeBSD, the steps recommended in the
documentation for all supported (and unsupported) versions of pgsql on
FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated
(i.e. to be removed in a future version) and the sysvmsg, sysvsem, and
sysvshm properties for jails have been added which can function like
security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to
which a value named "new" has been added which offers proper per-jail
isolation of SysV messages, semaphores and shadow memory.
This can be confirmed by going to https://man.freebsd.org/jail(8) and
searching for the second result of sysvmsg as a text-search.

#2 Thomas Munro
thomas.munro@gmail.com
In reply to: PG Bug reporting form (#1)
Re: BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11

On Sun, Jul 8, 2018 at 9:50 PM, PG Bug reporting form
<noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 15268
> Logged by: D. Ebdrup
> Email address: debdrup@gmail.com
> PostgreSQL version: 10.0
> Operating system: FreeBSD
> Description:
>
> Owing to some rather big changes in FreeBSD, the steps recommended in the
> documentation for all supported (and unsupported) versions of pgsql on
> FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
> Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated
> (i.e. to be removed in a future version) and the sysvmsg, sysvsem, and
> sysvshm properties for jails have been added which can function like
> security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to
> which a value named "new" has been added which offers proper per-jail
> isolation of SysV messages, semaphores and shadow memory.
> This can be confirmed by going to https://man.freebsd.org/jail(8) and
> searching for the second result of sysvmsg as a text-search.

Right, thanks for the report. Any chance you could propose some new
wording for that paragraph, or a patch for doc/src/sgml/runtime.sgml?

--
Thomas Munro
http://www.enterprisedb.com

#3 Daniel Ebdrup
debdrup@gmail.com
In reply to: Thomas Munro (#2)
Re: BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11

On Mon, Jul 09, 2018 at 10:01:58AM +1200, Thomas Munro wrote:

> On Sun, Jul 8, 2018 at 9:50 PM, PG Bug reporting form
> <noreply@postgresql.org> wrote:
>
> > The following bug has been logged on the website:
> >
> > Bug reference: 15268
> > Logged by: D. Ebdrup
> > Email address: debdrup@gmail.com
> > PostgreSQL version: 10.0
> > Operating system: FreeBSD
> > Description:
> >
> > Owing to some rather big changes in FreeBSD, the steps recommended in the
> > documentation for all supported (and unsupported) versions of pgsql on
> > FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
> > Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated
> > (i.e. to be removed in a future version) and the sysvmsg, sysvsem, and
> > sysvshm properties for jails have been added which can function like
> > security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to
> > which a value named "new" has been added which offers proper per-jail
> > isolation of SysV messages, semaphores and shadow memory.
> > This can be confirmed by going to https://man.freebsd.org/jail(8) and
> > searching for the second result of sysvmsg as a text-search.
>
> Right, thanks for the report. Any chance you could propose some new
> wording for that paragraph, or a patch for doc/src/sgml/runtime.sgml?
>
> --
> Thomas Munro
> http://www.enterprisedb.com

I'd suggest adding a note with something along the following lines above the current paragraph covering security.jail.sysvipc_allowed:
Since FreeBSD 11 added per-jail SysV IPC isolation, it is recommended to use the jail properties sysvmsg, sysvsem, and sysvshm set to a value of "new", as this isolates SysV IPC from both the host
and other jails, meaning many instances of PostgreSQL can be run on the same FreeBSD host, each in their own jail.

I'd also suggest changing the line "If running in FreeBSD jails by enabling sysctl's security.jail.sysvipc_allowed" to be "If running in FreeBSD jails by enabling sysctl's
security.jail.sysvipc_allowed on FreeBSD 10" (which is likely going to be EOL'd within the next year anyway, so I'm not sure how much longer the note should be kept around but that's up to you).
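
Added example, not part of the thread or of the PostgreSQL or FreeBSD documentation: a small audit that reads jail.conf-style text and reports which jails do not set sysvmsg, sysvsem and sysvshm to "new", the per-jail isolation discussed above. The jail names, paths and sample file are constructed, and the parser is a simplification that handles only flat `name { param = value; }` blocks with `#` comments.

```python
import re

# Constructed sample jail.conf (not from the thread): three configuration styles.
SAMPLE_JAIL_CONF = """
pg_legacy {
    path = "/jails/pg_legacy";
    allow.sysvipc;          # deprecated switch named in the report
}
pg_shared {
    path = "/jails/pg_shared";
    sysvmsg = inherit;
    sysvsem = inherit;
    sysvshm = inherit;
}
pg_isolated {
    path = "/jails/pg_isolated";
    sysvmsg = new;
    sysvsem = new;
    sysvshm = new;
}
"""

SYSV_PARAMS = ("sysvmsg", "sysvsem", "sysvshm")


def audit_jail_conf(text):
    """Return {jail: [findings]}; an empty list means all three params are 'new'."""
    text = re.sub(r"#.*", "", text)  # strip '#' comments only
    report = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}", text, re.S):
        params = {}
        for stmt in body.split(";"):
            key, _, value = stmt.partition("=")
            if key.strip():
                # A bare parameter such as "allow.sysvipc;" is a boolean set to true.
                params[key.strip()] = value.strip().strip('"') or "true"
        findings = []
        if params.get("allow.sysvipc", "false") not in ("false", "0"):
            findings.append("allow.sysvipc: deprecated, no per-jail isolation")
        for param in SYSV_PARAMS:
            value = params.get(param)
            if value != "new":
                findings.append(f"{param}={value or 'unset'}: not isolated per jail")
        report[name] = findings
    return report


if __name__ == "__main__":
    for jail, findings in audit_jail_conf(SAMPLE_JAIL_CONF).items():
        print(jail, "OK" if not findings else findings)
```
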