From: Henrik Heil (hhml_at_zweipol.net)
Date: Wed 08 Sep 2004 - 12:00:54 BST
> hmm, basically the 1.3.x development branch is
> discontinued (or was some time ago), all new
> development is now done with the 2.6 kernels
> 
> if you have good reasons to use the vs1.3.x
> branch (except for testing devel stuff) then
> let me know, I might be able to fix some things
> 
> nevertheless, real development is done with
> vs1.9.x, which you might consider for testing ...
I see -- the reason why I chose this release is
---8<--- from http://www.13thfloor.at/vserver/project/
The development branch is where those experimental features are added, 
if they have reached a point, where we consider inclusion into the 
stable branch.
--->8---
which met my requirements.
I plan to use vserver on a production system and I noticed that there
are currently many development efforts that I would like to have on the
server if they are stable enough to be unlikely to break the system.
As far as I see the stable release is very stable (which I think is
very good and should not be changed) but different in so many aspects
that I am tempted to use something newer -- but not something alpha ;-)
I don't understand some of the feature matrix entries -- so I have some
basic questions on the three most relevant for me:
1) Chroot Barrier Flag
http://www-user.tu-chemnitz.de/~ensc/util-vserver/doc/lt2004/paper.html#fig:rmattack
---8<---
The susceptibility to symlink attacks and other races is a further
disadvantage of the stable branch, which is why its use in hostile
environments such as root servers for customers is not recommended.
--->8---
Is this still true -- does this mean that I cannot use the stable branch
in a possibly hostile production environment?
2) Proc Security Flags
The matrix says stable has them -- but how do I use them with stable?
---8<--- http://www.linux-vserver.org/index.php?page=Proc-Security
if you're running an older version of Linux-VServer, you probably 
already figured it out yourself anyways)
--->8--- ;-)
3) Advanced IP Selection
I had some problems with loopback in stable (and found mails that say
simply not to use loopback with stable). Does this feature cope with
loopback -- what is the feature-set of Advanced IP Selection compared to
stable?
Last but not least -- please don't get me wrong -- I appreciate your
work very much and understand that it is hard to maintain three branches
with limited development resources but I'm a bit helpless to choose a
reasonably stable yet somewhat future-proof version.
My primary concern is to never allow a vserver to sniff other vservers'
memory-, filesystem- or network-data or to compromise other vservers or
the root server silently. Does the stable branch provide this?
As far as I understand there are DoS possibilities due to resource
exhaustion that cannot be fixed without kernel 2.6 and the experimental
branch -- I can live with these because I will notice the problem, maybe
have a short downtime and can rebuild the compromised vserver or talk to
the customer.
One last question: I would be interested in experiences with the
experimental branch in a production/hosting environment -- especially
downtimes, upgrade problems, security issues. Additional info on the
kind of hosting you provide on these systems is very welcome (I mean --
do you provide kind of a shared hosting replacement or kind of a
dedicated server replacement for your customers).
Thanks in advance,
Henrik
-- 
Henrik Heil, zweipol Coy & Heil GbR
http://www.zweipol.net/
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver