| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Mischa Sandberg <mischa_sandberg(at)telus(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: postgresql in FreeBSD jails: proposal |
| Date: | 2008-01-16 17:50:41 |
| Message-ID: | 20080116175041.GQ5031@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin pgsql-bugs pgsql-committers pgsql-general pgsql-hackers pgsql-jdbc pgsql-odbc pgsql-patches |
* Mischa Sandberg (mischa_sandberg(at)telus(dot)net) wrote:
> Here (@sophos.com) we run machine cluster tests using FreeBSD jails. A
> jail is halfway between a chroot and a VM. Jails blow a number of
> assumptions about a unix environment: sysv ipc's are global to all
> jails; but a process can only "see" other processes also running in the
> jail. In fact, the quickest way to tell whether you're running in a jail
> is to test for process 1.
I've got a couple of concerns about this-
#1: Having the shared memory be global is a rather large problem when it
comes to something like PG which can have a fair bit of data going
through that area that could be sensitive.
#2: Isn't there already a uid check that's done? Wouldn't this make
more sense anyway (and hopefully minimize the impact of a bad person
getting control of the PG database/user in a given jail)?
#3: At least in the linux-equivilant to jails (linux-vservers, imv
anyway), they started w/o an init process and eventually decided it
made sense to have one, so I'm not sure that this test will always
work and the result might catch someone by suprise at some later
date. Is there a better/more explicit test?
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Steve Holdoway | 2008-01-16 18:55:36 | Re: Backup of live database |
| Previous Message | Tom Arthurs | 2008-01-16 17:42:44 | Re: Backup of live database |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-01-16 20:51:16 | Re: postgresql in FreeBSD jails: proposal |
| Previous Message | Tom Lane | 2008-01-16 17:33:32 | Re: postgresql in FreeBSD jails: proposal |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2008-01-16 20:13:44 | pgsql: Improve usage message for pgindent. |
| Previous Message | Tom Lane | 2008-01-16 17:33:32 | Re: postgresql in FreeBSD jails: proposal |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dirk Riehle | 2008-01-16 18:25:45 | Re: Sun acquires MySQL |
| Previous Message | Tom Lane | 2008-01-16 17:33:32 | Re: postgresql in FreeBSD jails: proposal |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kevin Grittner | 2008-01-16 18:01:30 | Re: Some ideas about Vacuum |
| Previous Message | Greg Smith | 2008-01-16 17:40:23 | Re: Some ideas about Vacuum |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Albretch Mueller | 2008-01-16 17:58:58 | Re: trying to connect to pg from within a local network |
| Previous Message | Tom Lane | 2008-01-16 17:33:32 | Re: postgresql in FreeBSD jails: proposal |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Benjamin Krajmalnik | 2008-01-16 20:30:42 | Strange client encoding issue |
| Previous Message | Tom Lane | 2008-01-16 17:33:32 | Re: postgresql in FreeBSD jails: proposal |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-01-16 20:51:16 | Re: postgresql in FreeBSD jails: proposal |
| Previous Message | Tom Lane | 2008-01-16 17:33:32 | Re: postgresql in FreeBSD jails: proposal |