Re: RFC: jail functionality

From: serue@private
Date: Wed Jun 29 2005 - 11:42:24 PDT


Quoting James Morris (jmorris@private):
> On Wed, 29 Jun 2005, Stephen Smalley wrote:
> 
> > > The attached task-lookup patches?
> > 
> > Not sure it provides much value.
> 
> If yoy need this, why not look at proper isolation via Xen?

Xen may be overkill for some cases, as you need (almost) a whole OS
for each jail.  Zones and bsd jails (I believe) should easily be
able to run hundreds of jails - provided of course they don't all
peak at once.

Don't get me wrong, I'm a big fan of virtualization, and while I
don't get to right now, IBM is putting a lot of effort into Xen.

> LSM is about access control, not virtualization.

And jails require some amount of access control.  I don't want to
introduce a new LSM for this, but just put together the various
existing (and not-yet-existing) pieces into an easy to use package.

thanks,
-serge



This archive was generated by hypermail 2.1.3 : Wed Jun 29 2005 - 11:37:01 PDT