Re: running services in their own little world
hanasaki wrote:
> Any package in Debian that will automatically run all /etc/init.d
> based daemons in jail / chroot?
Whilst it is not automatic, you may wish to investigate the Linux
vserver project;
http://www.linux-vserver.net/
There are packages in Debian for it (util-vserver and
kernel-patch-ctx), but they are perpetually out of date, so go to the source.
In essence, vserver is something of a souped-up chroot environment -
vservers can be built via `debootstrap', or a simple copy from a master
image. Most services can then be installed without modification in
their own complete, minimalist Debian environment, and filesystem
"unification" (implemented via special types of hard links) means that
there can be minimal duplication of binaries and libraries between each
vserver. Aside from dpkg/apt databases, each vserver can consume as
little as 5MB extra disk space.
It covers much of the same ground as FreeBSD Jails, but is more
complete, designed to provide independent, secure UNIX environments
rather than constrain a particular service. Fork bombs, CPU and memory
resource attacks are all handled with varying levels of grace. Work on
the development branch, for 2.6, is beginning to include integration
with the Class-based Kernel Resource Management project
(http://ckrm.sourceforge.net/ - an IBM OSS project). This will
(hopefully) eventually provide resource management for everything else.
One very secure configuration is to configure the vservers on a host on
non-routable IP addresses, and use `fwbuilder', in combination with the
kernel option CONFIG_IP_NF_NAT_LOCAL to set up appropriate SNAT, DNAT
and filtering rules to connect the "external" IP range of the host to
the internal, non-routable vservers.
In summary, using vserver + fwbuilder, you can configure multi-tier,
firewalled collections of Debian GNU/Linux hosts on a single system.
--
Sam Vilain, sam /\T vilain |><>T net, PGP key ID: 0x05B52F13
(include my PGP key ID in personal replies to avoid spam filtering)
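The NAT-and-filter layout Sam describes in the last two paragraphs, as an added example that is not part of the original post and not generated by fwbuilder or shipped by the vserver project. It writes the equivalent iptables rules by hand for a two-tier setup (a web vserver reachable from outside, a database vserver reachable only from the web vserver). The topology is assumed, not taken from the post: the host owns one public address (EXT_IP, a constructed 192.0.2.x value) on EXT_IF, each vserver is bound to a private address on the host, and the 2.4 kernel was built with CONFIG_IP_NF_NAT_LOCAL so that DNAT also applies in the nat OUTPUT chain to connections the host itself opens. The vserver addresses 10.0.0.2 and 10.0.0.3 and the function names are likewise assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post, fwbuilder or linux-vserver.
# Assumed topology: public address EXT_IP on EXT_IF; vservers live on private
# addresses inside VS_NET that are local aliases of the host, so a packet that
# has been DNATed to a vserver is filtered in INPUT, not FORWARD.
# DRYRUN=1 (the default) prints the rules; DRYRUN=0 applies them as root.

DRYRUN="${DRYRUN:-1}"
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.0.2.10}"     # constructed documentation-range address
VS_NET="${VS_NET:-10.0.0.0/24}"    # assumed private range holding the vservers

# Either echo the iptables command or run it, depending on DRYRUN.
run() {
    if [ "$DRYRUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Expose one TCP service of a vserver on the host's public address.
# PREROUTING DNAT handles packets from the wire; OUTPUT DNAT handles
# connections the host itself makes (this is what CONFIG_IP_NF_NAT_LOCAL
# enables on 2.4). The INPUT rule then admits the rewritten packet.
publish_service() {
    port="$1"; vs_ip="$2"
    run -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$vs_ip:$port"
    run -t nat -A OUTPUT -d "$EXT_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$vs_ip:$port"
    run -A INPUT -d "$vs_ip" -p tcp --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Let every vserver reach the outside, rewritten to the host's public IP.
snat_outbound() {
    run -t nat -A POSTROUTING -s "$VS_NET" -o "$EXT_IF" \
        -j SNAT --to-source "$EXT_IP"
}

# Reply traffic for accepted connections, plus an anti-spoofing rule:
# nothing on the wire may claim an address from the private range.
base_policy() {
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$EXT_IF" -s "$VS_NET" -j DROP
}

# Complete rule set: web tier published, database tier reachable only from
# the web vserver, everything else aimed at the private range dropped last.
build_ruleset() {
    base_policy
    publish_service 80 10.0.0.2
    snat_outbound
    run -A INPUT -s 10.0.0.2 -d 10.0.0.3 -p tcp --dport 5432 \
        -m state --state NEW -j ACCEPT
    run -A INPUT -d "$VS_NET" -j DROP
}

build_ruleset
```

Rule order matters here: the per-service ACCEPT rules must precede the closing `-d "$VS_NET" -j DROP`, because PREROUTING NAT has already rewritten the destination to the private address by the time INPUT sees the packet. Running the script with DRYRUN=1 first and reading the output is the equivalent of reviewing the script fwbuilder would generate before loading it.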