initdb dies during IpcSemaphoreCreate under BSD jail

On Mon, 25 Mar 2002, Joel Burton wrote:

(posted last week to pgsql-general; no responses there, so I'm seeing if
anyone here can contribute. Thanks!)

I'm working on a site hosted in a BSD Jail; they have MySQL installed but,
of course, I'd rather use PostgreSQL.

It installs fine but can't initdb; get the following:

Fixing permissions on existing directory /usr/local/pgsql/data... ok
creating directory /usr/local/pgsql/data/base... ok
creating directory /usr/local/pgsql/data/global... ok
creating directory /usr/local/pgsql/data/pg_xlog... ok
creating directory /usr/local/pgsql/data/pg_clog... ok
creating template1 database in /usr/local/pgsql/data/base/1...
IpcSemaphoreCreate: semget(key=1, num=17, 03600) failed:
Function not implemented

Earlier message traffic suggests that SYSV IPC has not been fixed to run
under BSD Jails.

The last time this was raised was ~1 year ago. Has there been any changes
here that anyone knows of? Any hope of getting PG running in our jail? (Or,
alternatively, can PG run on the real machine's processes so that the
different jails can access it?)

I don't know about running PG in a jail, but if you have it running
on the parent or real machine the jails can access it just fine but
not as localhost.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================

You need to get your provider to set the sysctl jail.sysvipc_allowed to
1 in the host environment. If they're not willing to do this for you, we
provide this feature on our servers, and also have a shared Postgres
database you can use.

--
Alastair D'Silva B. Sc. mob: 0413 485 733
Networking Consultant
New Millennium Networking http://www.newmillennium.net.au

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org
[mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of
Vince Vielhaber
Sent: Tuesday, 26 March 2002 3:03 AM
To: Joel Burton
Cc: pgsql-hackers@postgresql.org
Subject: Re: [HACKERS] initdb dies during IpcSemaphoreCreate
under BSD jail

On Mon, 25 Mar 2002, Joel Burton wrote:

(posted last week to pgsql-general; no responses there, so

I'm seeing

if anyone here can contribute. Thanks!)

I'm working on a site hosted in a BSD Jail; they have MySQL

installed

but, of course, I'd rather use PostgreSQL.

It installs fine but can't initdb; get the following:

Fixing permissions on existing directory

/usr/local/pgsql/data... ok

creating directory /usr/local/pgsql/data/base... ok

creating directory

/usr/local/pgsql/data/global... ok creating directory
/usr/local/pgsql/data/pg_xlog... ok creating directory
/usr/local/pgsql/data/pg_clog... ok creating template1 database in
/usr/local/pgsql/data/base/1...
IpcSemaphoreCreate: semget(key=1, num=17, 03600) failed:

Function not

implemented

Earlier message traffic suggests that SYSV IPC has not been

fixed to

run under BSD Jails.

The last time this was raised was ~1 year ago. Has there been any
changes here that anyone knows of? Any hope of getting PG

running in

our jail? (Or, alternatively, can PG run on the real machine's
processes so that the different jails can access it?)

I don't know about running PG in a jail, but if you have it
running on the parent or real machine the jails can access it
just fine but not as localhost.

Vince.
--
==============================================================
============
Vince Vielhaber -- KA8CSH email: vev@michvhf.com

http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
========================================================================
==

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org

-----Original Message-----
From: Alastair D'Silva [mailto:deece@newmillennium.net.au]
Sent: Tuesday, March 26, 2002 10:52 PM
To: 'Vince Vielhaber'; 'Joel Burton'
Cc: pgsql-hackers@postgresql.org
Subject: RE: [HACKERS] initdb dies during IpcSemaphoreCreate under BSD
jail

You need to get your provider to set the sysctl jail.sysvipc_allowed to
1 in the host environment. If they're not willing to do this for you, we
provide this feature on our servers, and also have a shared Postgres
database you can use.

Thanks for the tip. I'm not a *BSD guru, so I'm not familiar with this
configuration change, but I've written to the Powers That Be at my ISP to
see if this is something that they feel they could change.

You need to get your provider to set the sysctl jail.sysvipc_allowed to
1 in the host environment. If they're not willing to do this for you, we
provide this feature on our servers, and also have a shared Postgres
database you can use.

My ISP responds to this point:

"""

In the thread on the pgsql-hackers list, someone wrote to me to say that
"You need to get your provider to set the sysctl jail.sysvipc_allowed to
1 in the host environment." Apparently, according to this person, this will
allow the use of PG in the jailed environments. Is this something that

imeme

can configure? If this isn't clear, I'd be happy to find out more
information for you about this configuration change and what other
ramifications it might have for your servers.

This will allow you to run a single postgres in a single jail only one
user would have access to it. If you try to run more then one it will
try to use the same shared memory and crash.
"""

Is this, in fact, the case?

Thanks!

"Joel Burton" <joel@joelburton.com> writes:

This will allow you to run a single postgres in a single jail only one
user would have access to it. If you try to run more then one it will
try to use the same shared memory and crash.

Is this, in fact, the case?

Unless BSD jails have very bizarre shared memory behavior, this is
nonsense. PG can easily run multiple postmasters in the same machine
(there are currently four postmasters of different vintages alive on
the machine I'm typing this on). Give each one a different database
directory and a unique port number, and you're good to go.

It might be that postmasters in different jails on the same machine
would have to be assigned different port numbers to keep them from
conflicting. Don't know exactly how airtight a BSD jail is ...
but there is an interaction between port number and shared memory
key. I can imagine that a jail that hides processes but not shared
memory segments might confuse our startup logic that tries to detect
whether an existing shared memory segment is safe to reuse or not.
Perhaps your ISP has seen failures of that type from trying to
start multiple postmasters on the same port number in different
jails.

regards, tom lane

On Wed, 27 Mar 2002, Tom Lane wrote:

"Joel Burton" <joel@joelburton.com> writes:

This will allow you to run a single postgres in a single jail only one
user would have access to it. If you try to run more then one it will
try to use the same shared memory and crash.

Is this, in fact, the case?

Unless BSD jails have very bizarre shared memory behavior, this is
nonsense. PG can easily run multiple postmasters in the same machine
(there are currently four postmasters of different vintages alive on
the machine I'm typing this on). Give each one a different database
directory and a unique port number, and you're good to go.

It might be that postmasters in different jails on the same machine
would have to be assigned different port numbers to keep them from
conflicting. Don't know exactly how airtight a BSD jail is ...
but there is an interaction between port number and shared memory
key. I can imagine that a jail that hides processes but not shared
memory segments might confuse our startup logic that tries to detect
whether an existing shared memory segment is safe to reuse or not.
Perhaps your ISP has seen failures of that type from trying to
start multiple postmasters on the same port number in different
jails.

FreeBSD jails are supposed to put just about everything in to different
namespaces/contention domains/whatever. You can't see processes running
outside a jail from within it, you can't see files outside your jail, you
can only use your jail's IP address, etc. However, this doesn't work for
SYSV IPC (not in FreeBSD-STABLE, at least) and everything goes in to one
machine-wide namespace - hence the sysctl to turn it on/off.

PostgreSQL will run quite happily using different port numbers in
different jails - but the port numbers MUST be different. Since the ISP is
probably using jails to make multiple users as unaware of each other as
possible this might be a problem for them...

You should probably also consider that someone in /another/ jail might be
able to get access to your shared memory segments. This would, most
likely, be a bad thing to happen.