From: Klavs Klavsen (klavs_at_EnableIT.dk)
Date: Sat 02 Nov 2002 - 09:10:57 GMT

On Sat, 2002-11-02 at 00:33, Paul Sladen wrote:
> On 1 Nov 2002, Klavs Klavsen wrote:
> > On Fri, 2002-11-01 at 16:57, Paul Sladen wrote:
> > > I don't believe it was ever envisioned--you really don't want to be running
> > > your vserver on the same IP address on the host-server;
> > why not?
> The `ctx' kernel patches provide the ability to restrict IP space with
> chbind() and to restrict process space with chcontext().
> Some scripts ("vserver") were written to usefully put these together *with
> capabilities* and the *chroot() call* to make a pretty good impression of a
> mainframe-style partitioned server.
> > I can't see it defeats the point at all. My point for using vserver is
> > to separate the services I run on the same machine
> It's probably not right to expect the scripts that were designed for that
> /one particular purpose/ to cope with a /different situation/... If you're
> not wanting to run "virtual servers", don't use the vserver scripts!
I do believe that I'm still running virtual servers - they just share
the IP interface, the same way as they share memory, with the potential
problems/limitations that puts on each vserver of course.

> Just use the context, chroot and capabilities directly:
> chcontext --secure chroot /jailed/fs/ /bin/bash
> Translated that is:
> "give me a new context",
> "drop capabilities to make it secure",
> "chroot into this new /jailed/fs/ location" and
> "start the program /bin/bash"
But I like to be able to run it in exactly the same way, and just set in
the vserver.conf file, if it should have its own IP or not. I do have
some vservers on their own IP - test servers and internal services. It's
a good thing that vserver allows me to run both kinds of vservers on the
same box.

> Alternatively the `vserver' script only needs a couple of lines patching so
> that it compares `IPROOT' with "" and doesn't bother calling the chbind()
> step if that is the case.
This would probably be a good solution, so vserver supports both needs.
Any comments from Jacques?

Klavs Klavsen
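An added illustration of the patch Paul suggests above (reading IPROOT from vserver.conf and skipping the chbind step when it is empty), written for this page and not taken from the original thread or from the vserver scripts themselves. The helper names, the sample vserver.conf fragment and the exact chbind/chcontext command syntax are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers (not the real vserver script) showing the conditional
# chbind() step Paul describes: IPROOT="" means the vserver shares the host's
# IP interface, so only chcontext + chroot are applied.

# conf_get FILE KEY: print the value of KEY=value (quotes optional) from a
# vserver.conf-style file; last definition wins, as in a sourced shell file.
conf_get() {
    sed -n "s/^$2=[\"']*\([^\"']*\)[\"']*\$/\1/p" "$1" | tail -n 1
}

# build_start_cmd IPROOT ROOTFS CMD...: print the command line the start step
# would exec (it is not run here).  With an IP, chbind restricts the IP space
# first; without one, the context only has the process/chroot separation, so
# a service inside it can bind host-visible ports (the limitation Klavs accepts).
build_start_cmd() {
    iproot="$1"; rootfs="$2"; shift 2
    prefix="chcontext --secure"                  # new context, capabilities dropped
    if [ -n "$iproot" ]; then
        prefix="chbind --ip $iproot $prefix"     # own IP: restrict IP space too
    fi
    echo "$prefix chroot $rootfs $*"
}

# isolation_kind IPROOT: label the vserver's network isolation for audit output.
isolation_kind() {
    if [ -n "$1" ]; then echo ip-isolated; else echo shared-ip; fi
}

# make_sample_conf: write a constructed vserver.conf fragment and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real configuration
S_HOSTNAME=www
IPROOT="192.168.1.10"
EOF
    echo "$f"
}

# Stand-alone demo: a vserver with its own IP, then one sharing the host IP.
conf=$(make_sample_conf)
ip=$(conf_get "$conf" IPROOT)
echo "$(isolation_kind "$ip"): $(build_start_cmd "$ip" /vservers/www /bin/sh)"
echo "$(isolation_kind ""): $(build_start_cmd "" /vservers/mail /bin/sh)"
rm -f "$conf"
```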

