From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Fri 01 Nov 2002 - 23:33:59 GMT
On 1 Nov 2002, Klavs Klavsen wrote:
> On Fri, 2002-11-01 at 16:57, Paul Sladen wrote:
> > I don't believe it was ever invisioned--you really don't want to be running
> > your vserver on the same IP address on the host-server;
> why not?
The `ctx' kernel patches provide the ability to restrict IP space with
chbind() and to restrict process space with chcontext().
Some scripts ("vserver") were written to usefully put these together *with
capabilities* and the *chroot() call* to make a pretty good impression of a
mainframe-style partitioned server.
> I can't see it defeats the point at all. My point for using vserver is
> to seperate the services I run on the same machine
It's probably not right to expect the scripts that were designed for that
/one particular purpose/ to cope with a /different sitution/... If you're
not wanting to run "virtual servers", don't use the vserver scripts!
Just use the context, chroot and capabilities directly:
chcontext --secure chroot /jailed/fs/ /bin/bash
Translated that is:
"give me a new context",
"drop capabilities to make it secure",
"chroot into this new /jailed/fs/ location" and
"start the program /bin/bash"
Alternatively the `vserver' script only needs a couple of lines patching so
that it compares `IPROOT' with "" and doesn't bother calling the chbind()
step if that is the case.
-- Nottingham, GB