Re: Functionality simular to FreeBSD's jails

To: "Colin Cashman" <ccashman@mediaone.net>
Cc: <debian-user@lists.debian.org>
Subject: Re: Functionality simular to FreeBSD's jails
From: Ilya Martynov <m_ilya@agava.com>
Date: 16 Mar 2001 13:06:55 +0300
Message-id: <[🔎] 861yryvxhc.fsf@juil.domain>
In-reply-to: <[🔎] 017601c0ad8b$8ea1ed50$6b10a8c0@ccashman>
References: <[🔎] 86y9u7w2mz.fsf@juil.domain> <[🔎] 20010315104410.C9876@sherohman.org> <[🔎] 86ae6nvubn.fsf@juil.domain> <[🔎] 017601c0ad8b$8ea1ed50$6b10a8c0@ccashman>

>>>>> "CC" == Colin Cashman <ccashman@mediaone.net> writes:

    >> No. chroot is not safe enough. I want to create virtual boxes in which
    >> I can give root rights to other people and I want to be sure that they
    >> can't break other boxes.
    >> 
    >> AGAIK if you have root you can escape chroot'ed directory. Another
    >> problems that root can have direct access to devices. I don't want to
    >> allow it. Good solution is really independant virtual boxes which are
    >> run from one real. This is what FreeBSD's jails provides. User-mode
    >> linux kernel seems to allow it too but I'm not sure how stable is it
    >> and if there are exist any limitations.

    CC> I just found a page that might contain what you are looking for:

    CC> http://www.gnu.org/directory/vsd.html

    CC> "VSD - Facilitates Linux Virtual Servers within a 'chroot'
    CC> environment."

Yes, I've seen it and simular solutions. The problem is that as I have
wrote 'chroot is not safe enough'. It is not possible to give root
rights to people in chroot'ed environment if you don't want to trust them.

BTW except problems with direct access to devices and possibility to
escape chroot by root there is exist another problem (for me) with
chroot. Chroot only allows isolations of boxes at filesystem
level. For example you can't have two mailservers running at the same
time - first in first virtual box, second in another. At least you
can't do it unless you configure them to listen on different
interfaces. (BTW is it possible to create several loopback interfaces
- I think no).

Let me describe my needs.

1) I want to build testing and development envronment for developers
in my company. Thereis several developers who works on different
project. Often it is much more easier to give developers root access
then try to fune tune sceurity system on development servers so they
will be able to install/configure software there. So I want to just
create several virtual boxes and give there freely root access. So I
can be sure than one group of developers can't break things for
another group.

2) Another task is building automated tests for our software. One product
our developers work on is maillist software. For creation of automated
tests for this software it is *required* to have several boxes. If I
just can create a bunch of virtual boxes it will be very usefull.

Combining 1) and 2) gives need for independant virtual boxes. 'chroot'
is not good enough.

    CC> [..skip..]

-- 
Ilya Martynov
AGAVA Software Company, http://www.agava.com

Reply to:

Follow-Ups:
- Re: Functionality simular to FreeBSD's jails
  - From: Erik Steffl <steffl@bigfoot.com>

References:
- Functionality simular to FreeBSD's jails
  - From: Ilya Martynov <m_ilya@agava.com>
- Re: Functionality simular to FreeBSD's jails
  - From: Dave Sherohman <esper@sherohman.org>
- Re: Functionality simular to FreeBSD's jails
  - From: Ilya Martynov <m_ilya@agava.com>
- Re: Functionality simular to FreeBSD's jails
  - From: "Colin Cashman" <ccashman@mediaone.net>

Prev by Date: RE: changing from twm to ??????
Next by Date: bonnie++ results
Previous by thread: Re: Functionality simular to FreeBSD's jails
Next by thread: Re: Functionality simular to FreeBSD's jails
Index(es):
- Date
- Thread