About this list Date view Thread view Subject view Author view Attachment view

From: Henrik Heil (hhml_at_zweipol.net)
Date: Wed 08 Sep 2004 - 12:00:54 BST

> hmm, basically the 1.3.x development branch is
> discontinued (or was some time ago), all new
> development is now done with the 2.6 kernels
> if you have good reasons to use the vs1.3.x
> branch (except for testing devel stuff) then
> let me know, I might be able to fix some things
> nevertheless, real development is done with
> vs1.9.x, which you might consider for testing ...

I see -- the reason why i chose this release is

---8<--- from http://www.13thfloor.at/vserver/project/
The development branch is where those experimental features are added,
if they have reached a point, where we consider inclusion into the
stable branch.

which met my requirements.

I plan to use vserver on a production system and i noticed that there
are currently many development effords that i would like to have on the
server if they are stable enough to unlikely break the system.
As far as i see the stable release is very stable (which i think this is
very good and should not be changed) but different in so many aspects
that i am tempted to use something newer -- but not something alpha ;-)

I don't understand some of the feature matrix entries -- so i have some
basic questions on the three most relevant for me:

1) Chroot Barrier Flag


Die Anfälligkeit gegen Symlinkattacken und andere Races ist ein weiterer
Nachteil des stable Branches, weshalb vom Einsatz in feindlichen
Umgebungen wie root-Server für Kunden abzuraten ist.

Is this still true -- does this mean that i cannot use the stable branch
in a possible hostile production environment?

2) Proc Security Flags

The matrix says stable has them -- but how do i use them with stable?

---8<--- http://www.linux-vserver.org/index.php?page=Proc-Security
if you're running an older version of Linux-VServer, you probably
already figured it out yourself anyways)
--->8--- ;-)

3) Advanced IP Selection

I had some problems with loopback in stable (and found mails that say
simply not to use loopback with stable). Does this feature cope with
loopback -- what is the feature-set of Advanced IP Selection compared to

Last but not least -- please don't get me wrong -- i appreciate your
work very much and understand that it is hard to maintain three branches
with limited development resources but i'm a bit helpless to choose a
reasonably stable yet somewhat future-proof version.

My primary concern is to never allow a vserver to sniff other vservers
memory-, filesystem- or network-data or to compromise other vservers or
the root server silently. Does the stable branch provide this?
As far as i understand there are DOS possibilities due to resource
exhaustion that cannot be fixed without kernel 2.6. and the experimental
branch -- i can live with these because i will notice the problem, maybe
have a short downtime and can rebuild the compromised vserver or talk to
the customer.

One last question: I would be interested in experiences with the
experimental branch in a production/hosting environment -- especially
downtimes, upgrade problems, security issues. Additional info on the
kind of hosting you provide on these systems is very welcome (i mean --
do you provide kind of a shared hosting replacement or kind of a
dedicated server replacement for your customers).

Thanks in advance,

Henrik Heil, zweipol Coy & Heil GbR
Vserver mailing list

About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 08 Sep 2004 - 11:59:10 BST by hypermail 2.1.3