Re: BSD jail

From: Joshua Hudson
Date: Sun Aug 14 2005 - 18:26:45 EST

Next message: Alan Cox: "Re: [Patch] Support UTF-8 scripts"
Previous message: The Post Office: "Uqg"
In reply to: Joshua Hudson: "Re: BSD jail"
Next in thread: Joshua Hudson: "Re: BSD jail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Serge E. Hallyn (serue@xxxxxxxxxx)
>Quoting Joshua Hudson (joshudson@xxxxxxxxx):
> Why would you want a virtual network device implementation? The whole
>
>So that a jailed process can use the net but can't use your network
>address (intercept ssh, imap/stunnel, etc).

[snip]

>But in the end vserver with read-only bind mounts seems a better way to
>go imo.
Latest version of linux vserver source: 100K bzipped
Latest version of linux-jail: 34K uncompressed

To build a virtual network device requires code for the device, code
for routing the device
in the kernel, some way to tell the router that this machine is hosted
through the host
machine's ethernet card, and control of which processes use which
network devices.

Way too much work for something intended to be simple and have essentially no
overhead. All this work only gets jailed processes the ability to use
127.0.0.1.
The rest I can already do with eth0:1 and the specs for jail(2) from BSD.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Cox: "Re: [Patch] Support UTF-8 scripts"
Previous message: The Post Office: "Uqg"
In reply to: Joshua Hudson: "Re: BSD jail"
Next in thread: Joshua Hudson: "Re: BSD jail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]