
From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Fri 01 Nov 2002 - 23:33:59 GMT


On 1 Nov 2002, Klavs Klavsen wrote:
> On Fri, 2002-11-01 at 16:57, Paul Sladen wrote:
> > I don't believe it was ever envisioned--you really don't want to be running
> > your vserver on the same IP address on the host-server;
> why not?

The `ctx' kernel patches provide the ability to restrict IP space with
chbind() and to restrict process space with chcontext().

Some scripts ("vserver") were written to usefully put these together *with
capabilities* and the *chroot() call* to make a pretty good impression of a
mainframe-style partitioned server.

> I can't see it defeats the point at all. My point for using vserver is
> to separate the services I run on the same machine

It's probably not right to expect the scripts that were designed for that
/one particular purpose/ to cope with a /different situation/... If you're
not wanting to run "virtual servers", don't use the vserver scripts!

Just use the context, chroot and capabilities directly:

  chcontext --secure chroot /jailed/fs/ /bin/bash

Translated that is:

  "give me a new context",
  "drop capabilities to make it secure",
  "chroot into this new /jailed/fs/ location" and
  "start the program /bin/bash"

Alternatively the `vserver' script only needs a couple of lines patching so
that it compares `IPROOT' with "" and doesn't bother calling the chbind()
step if that is the case.

        -Paul

-- 
Nottingham, GB
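
The `IPROOT` check and the chcontext/chroot one-liner described in the message above, as an added example that is not part of the original post and is not code from the vserver scripts. The function name `build_launch_cmd`, the `chbind --ip` invocation, the placement of chbind ahead of chcontext, and the address 192.0.2.10 are assumptions; the function prints the command instead of running it, so it works on a host without the ctx patches.

```shell
#!/bin/sh
# Added example: hypothetical helper, not taken from the real `vserver' script.
# Composes the command that starts a program in a new context and chroot,
# adding the chbind step only when IPROOT is non-empty.

# build_launch_cmd IPROOT JAILROOT PROGRAM [ARGS...]
# Prints the composed command on stdout; returns 1 on unusable input.
build_launch_cmd() {
    if [ $# -lt 3 ]; then
        echo "usage: build_launch_cmd IPROOT JAILROOT PROGRAM [ARGS...]" >&2
        return 1
    fi
    blc_iproot=$1
    blc_jailroot=$2
    shift 2

    # The jail root must be absolute and must not be "/" (or "//", ...):
    # a relative path depends on the caller's cwd, and chroot to "/"
    # confines nothing.
    case $blc_jailroot in
        /*[!/]*) ;;
        *) echo "jail root must be an absolute path other than /" >&2
           return 1 ;;
    esac

    blc_cmd=""
    # The patch described in the message: compare IPROOT with "" and
    # leave out the chbind step when no address was configured.
    if [ "$blc_iproot" != "" ]; then
        # Assumption: chbind is called as `chbind --ip ADDR command...`
        blc_cmd="chbind --ip $blc_iproot "
    fi

    # New context, capabilities dropped (--secure), then chroot, then program.
    blc_cmd="${blc_cmd}chcontext --secure chroot $blc_jailroot $*"
    printf '%s\n' "$blc_cmd"
}

# Constructed sample calls: one without IP restriction, one with.
build_launch_cmd "" /jailed/fs/ /bin/bash
build_launch_cmd 192.0.2.10 /jailed/fs/ /bin/bash
```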


Generated on Wed 06 Nov 2002 - 07:03:43 GMT by hypermail 2.1.3