
Re: Functionality similar to FreeBSD's jails



  if you have enough $$ go with IBM 390 (or whatever the number is),
otherwise try VMware (or another similar product). If you require
completely virtual machines (hw and all) you need a virtual machine, I
guess there's no way around it; chroot and I suspect jail (I don't know
jail) would not cut it.

	erik

Ilya Martynov wrote:
> 
> >>>>> "CC" == Colin Cashman <ccashman@mediaone.net> writes:
> 
>     >> No. chroot is not safe enough. I want to create virtual boxes in which
>     >> I can give root rights to other people and I want to be sure that they
>     >> can't break other boxes.
>     >>
>     >> AFAIK if you have root you can escape a chroot'ed directory. Another
>     >> problem is that root can have direct access to devices. I don't want to
>     >> allow it. A good solution is really independent virtual boxes which are
>     >> run from one real one. This is what FreeBSD's jails provide. User-mode
>     >> linux kernel seems to allow it too but I'm not sure how stable it is
>     >> and whether there are any limitations.
> 
>     CC> I just found a page that might contain what you are looking for:
> 
>     CC> http://www.gnu.org/directory/vsd.html
> 
>     CC> "VSD - Facilitates Linux Virtual Servers within a 'chroot'
>     CC> environment."
> 
> Yes, I've seen it and similar solutions. The problem is that, as I have
> written, 'chroot is not safe enough'. It is not possible to give root
> rights to people in a chroot'ed environment if you don't want to trust them.
> 
> BTW besides the problems with direct access to devices and the possibility
> for root to escape chroot, there exists another problem (for me) with
> chroot. Chroot only allows isolation of boxes at the filesystem
> level. For example you can't have two mailservers running at the same
> time - the first in the first virtual box, the second in another. At least you
> can't do it unless you configure them to listen on different
> interfaces. (BTW is it possible to create several loopback interfaces
> - I think no).
> 
> Let me describe my needs.
> 
> 1) I want to build a testing and development environment for developers
> in my company. There are several developers who work on different
> projects. Often it is much easier to give developers root access
> than to try to fine tune the security system on development servers so they
> will be able to install/configure software there. So I want to just
> create several virtual boxes and freely give root access there. So I
> can be sure that one group of developers can't break things for
> another group.
> 
> 2) Another task is building automated tests for our software. One product
> our developers work on is maillist software. For the creation of automated
> tests for this software it is *required* to have several boxes. If I
> can just create a bunch of virtual boxes it will be very useful.
> 
> Combining 1) and 2) gives the need for independent virtual boxes. 'chroot'
> is not good enough.
> 
>     CC> [..skip..]
> 
> --
> Ilya Martynov
> AGAVA Software Company, http://www.agava.com
> 

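Added example, not part of the original thread: the "two mailservers" point from the quoted message, shown with two plain TCP listeners standing in for the daemons of two chroot'ed boxes. chroot changes only a process's filesystem root, so both boxes share one kernel port table. The function names, the use of an ephemeral port instead of 25, and the Linux behaviour that all of 127.0.0.0/8 is local to `lo` are assumptions of this sketch.

```python
import socket


def listen_on(addr, port=0):
    """Bind a TCP listener the way a mail daemon would and return it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        s.listen(1)
    except OSError:
        s.close()
        raise
    return s


def try_second_box(addr, port):
    """Attempt the second box's bind; return None on success, else errno."""
    try:
        listen_on(addr, port).close()
        return None
    except OSError as exc:
        return exc.errno


def demo():
    # Box 1: constructed stand-in for the first chroot's mail server.
    # Port 0 lets the kernel pick a free port, so no root is needed.
    box1 = listen_on("127.0.0.1")
    port = box1.getsockname()[1]
    try:
        return {
            # Box 2 on the same address and port: the kernel refuses,
            # whatever filesystem root the process was started under.
            "same_address": try_second_box("127.0.0.1", port),
            # Box 2 bound to its own address (assumption: Linux, where
            # every 127.x.y.z address is already local to lo).
            "own_address": try_second_box("127.0.0.2", port),
        }
    finally:
        box1.close()


if __name__ == "__main__":
    for case, err in demo().items():
        print(case, "ok" if err is None else "failed, errno %d" % err)
```

Giving each box its own address only removes the port clash; it does not stop root inside one box from binding the other box's address.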

