From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 22 Feb 2004 - 20:48:15 GMT
On Sun, Feb 22, 2004 at 10:14:29PM +0200, Alex Lyahkov wrote:
> > this is for 2.6.x or 2.4.x with or without the rmap
> > patches?
> Primarily for all RH Linux, but it can be adapted to others.
RH 9 and Fedora?
> > > > - procfs security
> > > > - uptime virtualization
> > > > - reboot userspace helper
> > > >
> > > Linux VServer does not have
> > > 1) virtual network devices with bandwidth shaper
> > that is correct, but similar can be done with tc
> > and iptables/netfilter
> don't. it is slower. ;-)
you did some tests? where can I get the results?
please provide some data if available ...
> > > 2) private routing tables includes private loopback.
> > > 3) private routing caches
> > correct
> > > (2 and 3 need for correctly select packet source address.)
> > hmm, well, it seems that isn't an issue anymore ..
> > > 4) Correctly (rmap based) memory accounting. Herbert, please try using your
> > > memory accounting on a high-load web server with apache1 or other fork-
> > > based programs.
> > will/should this change anything? what do you expect?
> > what did your 'test' show in this regard?
> start many forked children with shared data segments and see the shared
> area being accounted more than once.
might be, but what is correct, when accounting
virtual memory space?
> > > 5) Correctly created private namespace - not affected by any chroot
> > > exploit.
> > this is done in experimental (with alpha tools) and
> > mostly in userspace (only the enter requires kernel help)
> but you say "it's not the vserver way"? ;-)
the private namespace is one option for vservers
it always was, we had many discussions about it ...
now that we can do this in userspace, with CLONE_NEWNS
and without some tricks in the kernel, we are adding
this feature as an option ...
> > > 6) CAP_NET_ADMIN/CAP_SYS_RESOURCE can be used inside vps without
> > > security problems.
> > which means?
> provide a private netlink stack.. and other network stacks such as tc ....
> bind and other programs that manipulate get/set rlimit can be started..
I'm not sure that it is such a good idea to allow
programs in a vserver to raise their rlimits, but
once all limits are per vserver, (which will be
completed soon) it might be an option to allow it
(up to the per context limits)
> and other..
Vserver mailing list