On Oct 23, 2007, at 4:46 AM, Daniel Risacher wrote:
> My apologies in advance if this is re-opening old wounds.
>
> I recently set up VServer (mainly so I could run Zimbra w/ less pain)
> and I found that the network isolation did not work the way I
> (perhaps naively?) expected it to. (Mainly re: binding to TCP ports
> and IPADDR_ANY.)
>
> I write this message to (1) determine whether my understanding of
> VServer's functionality is correct, and possibly (2) suggest potential
> improvements for discussion.
>
> How I think it DOES work
> ------------------------
>
> * Host processes that bind to IPADDR_ANY can receive connections to any
> host or guest address
I think that just about the only process the Host system should run is
SSH for remote management. Anything else should be in a vserver
guest.
> * Guest processes that bind to IPADDR_ANY show as having been bound to
> the guest primary IP address, but can receive connections to the
> localhost address that come from the same guest.
I don't understand "but can receive connections to the localhost address
that come from the same guest".
> * Bind attempts to IPADDR_ANY from the host will fail if a guest is
> already listening on that port
>
> * Bind attempts to IPADDR_ANY from a guest will fail if the host is
> already listening to IPADDR_ANY on that port
The guest will also fail even if it uses its own IP address and the host
has already bound to IPADDR_ANY.
> * Connection attempts to "localhost" from a guest can be answered by
> the host.
>
> How I think it SHOULD work
> --------------------------
>
> I start from the general assumption that a virtual machine should seem
> like an isolated, independent machine as much as possible. It seems
> to be a desirable goal to minimize the amount of application-level
> configuration tomfoolery that is required. Based on this...
To my understanding there is a difference between the stable and
development series.
JonB
Received on Wed Oct 24 12:14:39 2007
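The bind conflicts discussed above (a wildcard IPADDR_ANY bind on a port blocking a later bind to a specific address on the same port) can be checked on a plain Linux kernel without VServer. The probe below is an added example, not code from the thread; it assumes a stock kernel, binds an ephemeral port on 0.0.0.0, then reports the errno a second socket gets when it tries the same port on one address.

```c
/* Probe: does a wildcard (0.0.0.0) bind on a port block a later bind to a
   specific address on the same port?  Added example, assumes plain Linux. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind fd to addr:port; returns 0 on success, otherwise the errno. */
static int bind_v4(int fd, const char *addr, unsigned short port) {
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) return EINVAL;
    return bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
}

/* Returns the errno the second (specific-address) bind fails with, 0 if it
   succeeds, or -1 if the probe itself could not be set up. */
int wildcard_then_specific(const char *specific, int listen_first) {
    int a = socket(AF_INET, SOCK_STREAM, 0);   /* the "host-like" socket  */
    int b = socket(AF_INET, SOCK_STREAM, 0);   /* the "guest-like" socket */
    int result = -1;
    struct sockaddr_in bound;
    socklen_t len = sizeof bound;
    if (a < 0 || b < 0) goto out;
    /* Wildcard bind on an ephemeral port, then read back which port. */
    if (bind_v4(a, "0.0.0.0", 0) != 0) goto out;
    if (getsockname(a, (struct sockaddr *)&bound, &len) != 0) goto out;
    if (listen_first && listen(a, 1) != 0) goto out;
    /* Second socket tries the same port on a single address. */
    result = bind_v4(b, specific, ntohs(bound.sin_port));
out:
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return result;
}

int main(void) {
    int r = wildcard_then_specific("127.0.0.1", 1);
    printf("specific bind after wildcard listen: %s\n",
           r == 0 ? "succeeded" : r > 0 ? strerror(r) : "probe failed");
    return 0;
}
```

Without SO_REUSEADDR the second bind gets EADDRINUSE whether or not the wildcard socket is listening, which is the baseline behaviour a guest inherits when the host has taken the port.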