Re: BUG #15268: Documentation surrounding sysvipc configuration and isolation is out-of-date as of FreeBSD 11

On Mon, Jul 09, 2018 at 10:01:58AM +1200, Thomas Munro wrote:
> On Sun, Jul 8, 2018 at 9:50 PM, PG Bug reporting form
> <noreply(at)postgresql(dot)org> wrote:
> > The following bug has been logged on the website:
> >
> > Bug reference: 15268
> > Logged by: D. Ebdrup
> > Email address: debdrup(at)gmail(dot)com
> > PostgreSQL version: 10.0
> > Operating system: FreeBSD
> > Description:
> >
> > Owing to some rather big changes in FreeBSD, the steps recommended in the
> > documentation for all supported (and unsupported) versions of pgsql on
> > FreeBSD 11 and future versions regarding sysvipc are no longer accurate.
> > Notably, the security.jail.sysvipc_allowed sysctl has been marked deprecated
> > (ie. to be removed in a future version) and the sysvmsg, sysvsem, and
> > sysvshm properties for jails have been added which can function like
> > security.jail.sysvipc_allowed/allow.sysvipc used to work, in addition to
> > which a value named "new" has been added which offers proper per-jail
> > isolation of SysV messages, semaphores and shadow memory.
> > This can be confirmed by going to https://man.freebsd.org/jail(8) and
> > searching for the second result of sysvmsg as a text-search.
>
> Right, thanks for the report. Any chance you could propose some new
> wording for that paragraph, or a patch for doc/src/sgml/runtime.sgml?
>
> --
> Thomas Munro
> http://www.enterprisedb.com
I'd suggest adding a note with something along the following lines above the current paragraph covering security.jail.sysvipc_allowed:
Since FreeBSD 11 added per-jail SysV IPC isolation, it is recommended to use the jail properties sysvmsg, sysvsem, and sysvshm set to a value of "new", as this isolates SysV IPC from both the host
and other jails, meaning many instances of PostgreSQL can be run on the same FreeBSD host, each in their own jail.

I'd also suggest changing the line "If running in FreeBSD jails by enabling sysctl's security.jail.sysvipc_allowed" to be "If running in FreeBSD jails by enabling sysctl's
security.jail.sysvipc_allowed on FreeBSD 10" (which is likely going to be EOL'd within the next year anyway, so I'm not sure how much longer the note should be kept around but that's up to you.