Hi,
I have to run many instances of PostgreSQL in different jails. And it seems it's not currently possible to run PostgreSQL in a jail without setting sysvipc_allow="YES" in the jail config.
(Or is it? I stumbled onto this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=48471 where someone is apparently proposing a patch implementing private IPC for every jail. This would be completely awesome if this was added to the base system but it doesn't seem to be the case.)
Well, so, I have to use many jails with sysvipc_allow="YES". If I had the choice, I would choose to use MySQL to avoid all this, but unfortunately, this is not an option for this project.
I don't really understand how SysV IPC works and what's its relation to jails. I'd like to understand this. And I'd like to know what I can do to minimize the risks of crashes, races, and security issues (even if I understand it can't be perfect).
I read some posts saying shared memory has some relation with a process's owner's UID. I have no clue how that works. Do I have to make sure all the UIDs in each jail and in the host are different? For example, should I give each root user in each jail a different UID? Would that even work without the system crashing?
I read some people set a distinct port for the PostgreSQL server of each jail. Why do they do that?
I hope I didn't ask too many questions. I'd be happy to read any view you have on this.