
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 22 Feb 2004 - 19:36:27 GMT


On Sun, Feb 22, 2004 at 08:56:06PM +0200, Alex Lyahkov wrote:
> On Sun, 22.02.2004, at 19:27, Herbert Poetzl wrote:
> > Hi Folks!
> >
> > some people asked me about the 'advanced' features
> > FreeVPS provides over the Linux-Vserver patches ...
> >
> > so here is the 'list' provided at the FreeVPS site
> > http://www.freevps.com/docs/faq.html#General3
> > and my comments/questions to that ...
> >
> > > FreeVPS extends the original Linux VServer functionality.
> > > FreeVPS implementation include FreeVPS kernel patch and FreeVPS
> > > tools. Together they add the following new features to VPS:
> >
> > > * Limits on:
> > > - total memory usage
> > > - resident memory size
> >
> > in Linux-VServer, VM is accounted and enforced, RSS only accounted,
> > I don't know what 'total memory usage' means ...
> The current version (which is in release candidate state; the release
> will be a few days later) implements a new variant of memory accounting,
> based on rmaps. The old variant implemented the same memory accounting
> model as VServer: counting the total address space.

is this for 2.6.x or 2.4.x, with or without the rmap
patches?

> > > - number of processes
> >
> > is accounted and enforced, as all limits, can be changed at runtime
> >
> > > - disk usage quota
> >
> > this is handled by the Quota Disk Limit (included in the quota patch)
> >
> > > - file handles
> > > - tcp sockets
> >
> > both are not accounted yet, and not limited.
> >
> > > * Advanced context management:
> > > - create/destroy a context
> > > - enter a context
> >
> > well, that is basic functionality ...
> >
> > > - running status
> >
> > vserver-stat and /proc/virtual provide this ...
> >
> > > - enable/disable creating new processes in a context
> > > - send signal to all processes in context
> >
> > this is done with the vkill command (via syscall since 1.1.6)
> >
> > > * inodes attributes management:
> > > - context tag
> >
> > xid tagging is used by Quota Disk Limits and Per Context Quota
> > and it comes in 3 flavours (UID32/GID16, UID24/GID24 and UID32/GID32)
> >
> > > - flag for files shared between contexts
> >
> > don't know what this is, but might be the IUNLINK flag
> No. This flag allows reading files owned by another context. Base
> functionality for an uninfected VPS. I don't know how you read an inode
> from context 0 in context 5, for example.

xid=0 files are visible and accessible for xid!=0;
only xid=N (with N>0) files are not accessible in
context M (N != M)

> > > - immutable flag
> >
> > well if that is what it says, then it's basic linux stuff
> >
> > ---
> >
> > so after this shoot out ;) the following differences
> > seem to remain:
> >
> > > * Limits on:
> > > - resident memory size
> > > - file handles
> > > - tcp sockets
> >
> > > * Advanced context management:
> > > - enable/disable creating new processes in a context
> >
> > and I don't know the FreeVPS status of the following
> > Linux-VServer features:
> >
> > - vroot device (security)
> What? Only for disk quota? FreeVPS has a correct virtual root, and is not
> affected by any chroot attacks.

well, that won't help much to prevent direct
access to a shared block device you want to run
quota tools on, but I assume you do something else
to prevent unwanted access ...

> > - Token Bucket scheduler stuff (Sam)
> FreeVPS has a load balancer and is planning to add CPU QoS.

any details about those plans?

> > - uts_name modifications (stealth)
> FreeVPS has it, more above with VServer.
> > - procfs security
> > - uptime virtualization
> > - reboot userspace helper
> >
> Linux VServer does not have
> 1) virtual network devices with a bandwidth shaper

that is correct, but something similar can be done
with tc and iptables/netfilter

> 2) private routing tables, including a private loopback.
> 3) private routing caches

correct

> (2 and 3 are needed to correctly select the packet source address.)

hmm, well, it seems that isn't an issue anymore ..

> 4) Correct (rmap-based) memory accounting. Herbert, please try using your
> memory accounting on a high-load web server with apache1 or other
> fork-based programs.

will/should this change anything? what do you expect?
what did your 'test' show in this regard?

> 5) A correctly created private namespace, not affected by any chroot
> exploit.

this is done in experimental (with alpha tools) and
mostly in userspace (only the enter requires kernel help)

> 6) CAP_NET_ADMIN/CAP_SYS_RESOURCE can be used inside a VPS without
> security problems.

which means?

TIA,
Herbert

PS: did you change your last name from Lyashkov to
Lyahkov or is/was it 'just' incorrectly spelled?

PPS: would like to have a look at a recent FreeVPS
version, what do I need and where do I get it?

> --
> Alex Lyahkov <shadow_at_psoft.net>
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
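The thread above states two facts about context (xid) tagging that are easy to get wrong when reasoning about isolation: files tagged xid=0 are visible to every context, files tagged xid=N (N>0) are hidden from any context M != N, and the same tag is what Quota Disk Limits use to account space per context. The following is an added toy model written for this archive page; it is not Linux-VServer or FreeVPS code, and the file names, block counts and per-context limits are constructed. It does not model what the host context itself sees, since the message does not say.

```python
"""Toy model of Linux-VServer style context (xid) tagging on inodes.

Added illustration, not code from Linux-VServer or FreeVPS.  It models
the visibility rule quoted in the message (xid=0 files visible to every
context, xid=N files visible only to context N) and a per-context disk
limit keyed on the same tag.  All names, sizes and limits are constructed.
"""
from dataclasses import dataclass


@dataclass
class Inode:
    path: str
    xid: int       # context tag; 0 means shared with every context
    blocks: int    # space used by this file, in blocks


class TaggedFS:
    def __init__(self, disk_limits):
        # disk_limits: xid -> maximum blocks that context may own
        # (assumed shape of a per-context disk limit, not the real quota API)
        self.inodes = {}
        self.disk_limits = dict(disk_limits)

    def visible(self, inode, ctx_xid):
        # Rule from the message: xid=0 files are visible to every context,
        # any other file is visible only when the tags match.
        return inode.xid == 0 or inode.xid == ctx_xid

    def usage(self, xid):
        # Space accounted to one context: sum over inodes carrying its tag.
        return sum(i.blocks for i in self.inodes.values() if i.xid == xid)

    def listdir(self, ctx_xid):
        # What a process in context ctx_xid can enumerate at all.
        return sorted(i.path for i in self.inodes.values()
                      if self.visible(i, ctx_xid))

    def create(self, ctx_xid, path, blocks):
        # A new file inherits the creating context's tag and is charged to
        # that context's limit before the inode is created.
        limit = self.disk_limits.get(ctx_xid)
        if limit is not None and self.usage(ctx_xid) + blocks > limit:
            raise PermissionError(
                f"xid {ctx_xid}: disk limit of {limit} blocks exceeded")
        self.inodes[path] = Inode(path, ctx_xid, blocks)
        return self.inodes[path]

    def read(self, ctx_xid, path):
        # Assumption of this model: a foreign-tagged inode is hidden, so the
        # caller sees "no such file" rather than "permission denied".
        inode = self.inodes.get(path)
        if inode is None or not self.visible(inode, ctx_xid):
            raise FileNotFoundError(path)
        return inode


def demo():
    """Populate a constructed filesystem and report per-context views."""
    fs = TaggedFS({5: 100, 7: 100})
    fs.create(0, "/usr/lib/libc.so", 10)          # shared host library
    fs.create(5, "/vservers/a/etc/passwd", 1)     # owned by context 5
    fs.create(7, "/vservers/b/etc/passwd", 1)     # owned by context 7
    return {
        "seen_by_5": fs.listdir(5),
        "seen_by_7": fs.listdir(7),
        "usage_5": fs.usage(5),
        "usage_7": fs.usage(7),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points the model makes visible: a context cannot even enumerate another context's files (the check is on visibility, not on mode bits), and the disk limit is enforced at creation time against the sum of blocks carrying the context's tag, so a tag mismatch on an inode would both leak the file and mis-charge the space.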


Generated on Sun 22 Feb 2004 - 19:37:42 GMT by hypermail 2.1.3