From: Joe Cooper
Subject: Re: [Openvds-devel] Control Panel for OpenVDS-2
Date: Mon, 14 Jan 2002 13:31:52 -0600
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.7) Gecko/20011221
Dave Cost wrote:

>> Mind if I ask how?
>
> Please be patient.

Hmmmm...Oh, alright. Patient I will be.

>>> Again the BSD jail() is actually relying on *capabilities* offered within
>>> the BSD process system (and the extra entry in the PS struct that ensures
>>> pass-down of the restrictions from father to child).
>>
>> This would be a useful thing to have; however...
>
> This is the same way Linux works. There's a way of dropping capabilities to
> child processes that prevents even root from getting them back. Like I said,
> root is just another user. Once a capability is dropped, there's no turning
> back.
>
>> Proving myself to be a nuisance yet again: How? Ok, not how do capabilities
>> go only one way--that I get. How are you logging in the virtual root user
>> and creating a running environment within the chroot? I know (from my
>> reading up on capabilities in detail over the past few hours) that if init
>> has been limited in capabilities, then all processes on the system will be
>> equally limited...so what process are you locking to your capabilities
>> subset that logs in the new virt-root, and runs all of her daemons etc. so
>> that they are similarly restricted?
>
> You answer your questions ;-) If you limit a process, all its children will
> be limited too with no way back. Further, the process can elect to lose a
> capability forever and won't be able to get it back. If you start an "init"
> process in a virtual, all its children will be limited to the max of the
> first process.
After studying vserver this morning (Solucorp's solution to this problem), I think I get it. And I like it. And he (Jacques Gélinas) has actually solved some of the problems of dedicated virts in amazingly elegant ways--vunify with a sort of 'magic' immutable attribute is just a jaw-dropping thing.

I'm going to be playing with the vserver stuff over the next few days...I think it is probably worth considering as a basis for the next OpenVDS. It isn't a whole solution, but it sure is neat. No reason not to leverage existing work (while being wary of its reliance on kernel patches--I'll have to study them to make sure I can maintain those patches on my own in case Solucorp bores of maintaining them ;-). I just hope it is more stable than LinuxConf...If so, I'll forgive him for hosing my Sendmail configuration the first time I tried LinuxConf.
-- 
Joe Cooper <address@hidden>
http://www.swelltech.com
Web Caching Appliances and Support
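The property Dave Cost describes above (a capability dropped from a process cannot be regained by it or by any of its children, even as root, so a restricted "init" bounds a whole virtual) can be demonstrated on a modern Linux kernel with the per-thread capability bounding set. The following is an added example written for this archive page; it is not code from OpenVDS, vserver, or either correspondent, and it uses prctl(PR_CAPBSET_DROP), which appeared in Linux 2.6.25 and replaced the system-wide cap-bound sysctl that the 2002 kernels in this thread would have had. It needs only <linux/capability.h> for the CAP_* numbers, not libcap, and it handles the case where the caller lacks CAP_SETPCAP (the kernel then refuses the drop with EPERM).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_* numbers; no libcap needed */

/* Outcomes of drop_from_bounding_set(). */
enum bset_result {
    BSET_ERROR = -1,         /* prctl or fork failed unexpectedly */
    BSET_ABSENT = 0,         /* cap was already outside our bounding set */
    BSET_DROPPED = 1,        /* we dropped it, and our child inherited the loss */
    BSET_NOT_PERMITTED = 2   /* kernel refused: dropping needs CAP_SETPCAP */
};

/* 1 if cap is in the calling thread's bounding set, 0 if not, -1 on error. */
int bset_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/* Fork, and report from the parent whether the child still has cap in its
 * bounding set: 1 yes, 0 no, -1 on fork/wait failure.  The bounding set is
 * copied at fork() and clamps what every later exec() (setuid-root or
 * file-capability binaries included) can put in the permitted set, so a
 * restricted "init" bounds its whole process tree. */
static int child_bset_has(int cap)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(bset_has(cap) == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Drop cap from our bounding set and verify the loss is immediate and
 * inherited.  There is no PR_CAPBSET_ADD: once this succeeds, nothing in
 * this process or its descendants, root or not, can get cap back. */
enum bset_result drop_from_bounding_set(int cap)
{
    int had = bset_has(cap);
    if (had < 0)
        return BSET_ERROR;
    if (had == 0)
        return BSET_ABSENT;
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0, 0, 0) != 0)
        return errno == EPERM ? BSET_NOT_PERMITTED : BSET_ERROR;
    if (bset_has(cap) != 0)          /* must be gone right away */
        return BSET_ERROR;
    if (child_bset_has(cap) != 0)    /* and gone in the child too */
        return BSET_ERROR;
    return BSET_DROPPED;
}

int main(void)
{
    /* CAP_NET_RAW is a convenient target: root normally holds it and losing
     * it is harmless for this demonstration. */
    enum bset_result r1 = drop_from_bounding_set(CAP_NET_RAW);
    enum bset_result r2 = drop_from_bounding_set(CAP_NET_RAW);
    printf("first drop: %d, second drop: %d, still in bounding set: %d\n",
           r1, r2, bset_has(CAP_NET_RAW));
    return 0;
}
```

Run as root (or with CAP_SETPCAP) the first call reports BSET_DROPPED and the second BSET_ABSENT; run unprivileged, both report BSET_NOT_PERMITTED, which is the other half of the rule Dave states: only a process that still holds CAP_SETPCAP can shrink the set, and the set never grows. A sandbox built this way today would normally also set PR_SET_NO_NEW_PRIVS so that exec cannot raise privilege through setuid or file capabilities at all.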