From: Alex Lyahkov (shadow_at_psoft.net)
Date: Sun 22 Feb 2004 - 20:14:29 GMT
> this is for 2.6.x or 2.4.x with or without the rmap
Primary for all RH Linux, but can be addapted to other.
> > > - procfs security
> > > - uptime virtualization
> > > - reboot userspace helper
> > >
> > Linux VServer not have
> > 1) virtual network devices with bandwidth shaper
> that is correct, but similar can be done with tc
> and iptables/netfilter
don`t. it been more slow. ;-)
> > 2) private routing tables includes private loopback.
> > 3) private routing caches
> > (2 and 3 need for correctly select packet source address.)
> hmm, well, it seems that isn't an issue anymore ..
> > 4) Correctly (rmap based) memory accounting. Herbert please try use you
> > memory accounting at high load web server with apache1 or other fork
> > based programs.
> will/should this change anything? what do you expect?
> what did your 'test' show in this regard?
start many forked childrens with shared data segments and see shared
area been accounted not one.
> > 5) Correctly created private namespace - not affected with any chroot
> > exploit.
> this is done in experimental (with alpha tools) and
> mostly in userspace (only the enter requires kernel help)
but you say "it not vserver" way ? ;-)
> > 6) CAP_NET_ADMIN/CAP_SYS_RESOURCE can be used inside vps without
> > security problems.
> which means?
provide private netlink stack.. and other network stack as tc ....
can be start bind and other program who use manipulate get/set rlimit..
Vserver mailing list