
From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Fri 09 May 2003 - 04:24:21 BST

On Fri, 9 May 2003 06:50:04 -0500, Mitchell Smith wrote
> Hi again list,
> In a production environment does UML http://user-mode-linux.sourceforge.net
> offer any security advantages over vserver?

UML may be more secure. More forgiving. For example, if there is a bug in
the UML kernel and the program kind of gets out of it, it is locked as a user
process inside the other kernel.

But in practice there are very few security flaws at the kernel level, so if
both kernels (UML and vservers) are bug free, then they should be all fine.
But for sure, there is more opportunity for errors in vservers.

> Am just thinking in terms of UML running its own kernel in userspace, vs a
> system running in a chrooted environment. Which would be easier to break
> out of?

Probably the vserver.

> The other advantage I see over UML, is you would be able to enforce per user
> system resource limits, amount of memory etc, whereas you probably couldn't
> do that with vserver, or no way that I have found yet.

Not really. UML does not offer a per-user limitation. A vanilla Linux kernel does
not either. Linux offers per-process limitations. So you can run UML as a process with
those limitations and they are applied globally to all processes (all users) in UML.

The security context feature of vserver is rather generic and could be used
to limit resources in a flexible way. It is unrelated to vserver in a way. For example,
security context could be used to limit resources and abilities for a single
user or for untrusted applications run by one user.

> Any suggestions on the advantages of one system over the other greatly
> appreciated.

Quite frankly, it is the performance issue. UML is a Linux inside Linux. vservers
is faking that.

The other is the ease of administration (you can enter a vserver context without
having any network service running).

Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!

Generated on Fri 09 May 2003 - 03:51:43 BST by hypermail 2.1.3