On Fri, 15 May 2020 15:23:32 -0700 "Greg A. Woods" <wo...@planix.com> wrote:
> I'm curious about what this means to you -- what do you need/want in
> addition to the chroot environments you now have?
>

The filesystems of different containers are well isolated thanks to chroot, and occasional use of null mounts to bring in outside data. But currently:

- Processes can "see" each other; I have to be careful not to reuse UID numbers. For example: if I build a chroot with an instance of nginx that runs as UID 2505, and then deploy multiple copies of that chroot, all of them can call kill(2) on a process in a different chroot.

- All chroots share the same network stack. If I tell nginx to bind to '0.0.0.0' or '::', the first instance will start up fine, the others will fail with "address already in use."

The wiki's projects list has a clean solution to this particular point, which may or may not be within scope of jails:

https://wiki.netbsd.org/projects/project/virtual_network_stacks/

- Some way to set per-chroot resource limits would be helpful. I can manipulate ulimits, but that is basically driving screws with a hammer. It's simply the wrong tool.

--
Aaron B. <aa...@zadzmo.org>
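The first point above (a UID reused across chroots lets one chroot's processes signal another's, because chroot isolates the filesystem but not the process table) is something an operator can audit for. The following is an added example, not code from this thread or from NetBSD: it parses each chroot's `etc/passwd` and reports UIDs that appear in more than one tree. The sample passwd contents and the chroot names are constructed for the demonstration.

```python
"""Find UIDs shared between chroot trees (constructed example, not from the thread)."""
import os
from collections import defaultdict


def parse_passwd(text):
    """Return {uid: set(usernames)} from passwd(5)-style text.

    Blank lines, comments and malformed records (fewer than three fields or a
    non-numeric UID) are skipped rather than treated as fatal.
    """
    uids = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        uids[int(fields[2])].add(fields[0])
    return dict(uids)


def find_uid_collisions(chroots, ignore_uids=frozenset({0})):
    """chroots: {chroot_name: passwd_text}.

    Returns {uid: sorted chroot names} for every UID present in two or more
    chroots. UID 0 is ignored by default since every tree has root; pass a
    larger set to skip other base-system accounts you consider harmless.
    """
    seen = defaultdict(set)
    for name, text in chroots.items():
        for uid in parse_passwd(text):
            if uid not in ignore_uids:
                seen[uid].add(name)
    return {uid: sorted(names) for uid, names in seen.items() if len(names) > 1}


def load_chroot_passwds(roots):
    """Read <root>/etc/passwd for each chroot root on disk; missing files are skipped."""
    out = {}
    for root in roots:
        path = os.path.join(root, "etc", "passwd")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                out[root] = fh.read()
    return out


# Constructed sample: two nginx chroots cloned from one image share UID 2505.
SAMPLE_CHROOTS = {
    "/chroot/nginx-a": "root:*:0:0:root:/root:/bin/sh\nwww:*:2505:2505:nginx:/var/www:/sbin/nologin\n",
    "/chroot/nginx-b": "root:*:0:0:root:/root:/bin/sh\nwww:*:2505:2505:nginx:/var/www:/sbin/nologin\n",
    "/chroot/pgsql": "root:*:0:0:root:/root:/bin/sh\npgsql:*:2506:2506:PostgreSQL:/var/db:/bin/sh\n",
}

if __name__ == "__main__":
    for uid, names in sorted(find_uid_collisions(SAMPLE_CHROOTS).items()):
        print("UID %d reused in: %s" % (uid, ", ".join(names)))
```

On a real host, replace `SAMPLE_CHROOTS` with `load_chroot_passwds(["/chroot/nginx-a", ...])`; a reported UID means the corresponding services can signal each other across chroots as the post describes.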