
Re: running services in their own little world

hanasaki wrote:

> Any package in Debian that will automatically run all /etc/init.d based daemons in jail / chroot?

Whilst it is not automatic, you may wish to investigate the Linux vserver project;


There is a package in Debian for it (util-vserver, and kernel-patch-ctx), but it is perpetually out of date, so go to the source.

In essence, vserver is something of a souped-up chroot environment - vservers can be built via `debootstrap', or a simple copy from a master image. Most services can then be installed without modification in their own complete, minimalist Debian environment, and filesystem "unification" (implemented via special types of hard links) means that there can be minimal duplication of binaries and libraries between each vserver. Aside from dpkg/apt databases, each vserver can consume as little as 5 MB extra disk space.

It covers much of the same ground as FreeBSD Jails, but is more complete, designed to provide independent, secure UNIX environments rather than constrain a particular service. Fork bombs, CPU and memory resource attacks are all handled with varying levels of grace. Work on the development branch, for 2.6, is beginning to include integration with the Class-based Kernel Resource Management project (http://ckrm.sourceforge.net/ - an IBM OSS project). This will (hopefully) eventually provide resource management for everything else.

One very secure configuration is to configure the vservers on a host on non-routable IP addresses, and use `fwbuilder', in combination with the kernel option CONFIG_IP_NF_NAT_LOCAL to set up appropriate SNAT, DNAT and filtering rules to connect the "external" IP range of the host to the internal, non-routable vservers.

In summary, using vserver + fwbuilder, you can configure multi-tier, firewalled collections of Debian GNU/Linux hosts on a single system.

Sam Vilain, sam /\T vilain |><>T net, PGP key ID: 0x05B52F13
(include my PGP key ID in personal replies to avoid spam filtering)
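The SNAT/DNAT arrangement described in the message above, as an added example that is not part of the original post or of the vserver or fwbuilder projects. It emits the iptables rules for publishing one service from a vserver on a private address behind the host's routable address, so they can be reviewed before being piped to sh. The interface name, addresses and port are constructed for the example; it also assumes, as is the case for vserver, that the guest's private address is bound on the host itself, so traffic to and from the guest passes the INPUT/OUTPUT chains rather than FORWARD, and that the OUTPUT-chain DNAT (the part that needs CONFIG_IP_NF_NAT_LOCAL) is what lets the host or a second vserver reach the service via the public address:

```shell
#!/bin/sh
# Added example (not from the original post). Topology is constructed:
#   host public address : 203.0.113.10 on eth0
#   vserver address     : 10.0.0.2 (a host-local alias, as vserver binds it)
#   published service   : TCP port 80
EXT_IF="eth0"
EXT_IP="203.0.113.10"
VS_IP="10.0.0.2"
PORT="80"

# Print the iptables commands instead of running them, so a reviewer can
# read them first; apply with:  nat_rules eth0 203.0.113.10 10.0.0.2 80 | sh
nat_rules() {
    ext_if=$1; ext_ip=$2; vs_ip=$3; port=$4

    # Connections arriving from outside for the public address are handed
    # to the vserver's private address.
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $vs_ip:$port"

    # Locally generated connections (from the host or from another vserver,
    # which the kernel also sees as local) to the public address are
    # rewritten too; this OUTPUT-chain DNAT is what CONFIG_IP_NF_NAT_LOCAL
    # enables.
    echo "iptables -t nat -A OUTPUT -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $vs_ip:$port"

    # Anything the vserver sends out through the public interface leaves
    # with the host's routable address, so the private range never escapes.
    echo "iptables -t nat -A POSTROUTING -s $vs_ip -o $ext_if -j SNAT --to-source $ext_ip"

    # Filtering: because the vserver address is local to the host, packets
    # to it traverse INPUT, not FORWARD. Admit only the published port and
    # replies to established sessions; drop everything else from outside.
    echo "iptables -A INPUT -i $ext_if -d $vs_ip -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i $ext_if -d $vs_ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $ext_if -d $vs_ip -j DROP"
}

# Count the rules produced, as a sanity check before applying them.
rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

nat_rules "$EXT_IF" "$EXT_IP" "$VS_IP" "$PORT"
```

With several vservers the same function is called once per published service; fwbuilder generates the equivalent rule set from a graphical policy, but reading the raw rules makes clear which address each tier is reachable on and that the private range never appears on the wire outside the host.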
