+------------------------------------------------------------------------------
| On (04/10/05 12:33), Felix Schulte wrote:
|
| Date: Tue, 4 Oct 2005 12:33:48 +0200
| From: Felix Schulte <[EMAIL PROTECTED]>
| To: Darren J Moffat <[EMAIL PROTECTED]>
| Subject: Re: [osol-discuss] OpenSolaris kernel running as Solaris process?
| Cc: opensolaris-discuss@opensolaris.org
| Reply-To: Felix Schulte <[EMAIL PROTECTED]>
|
| On 10/4/05, Darren J Moffat <[EMAIL PROTECTED]> wrote:
| > On Tue, 2005-10-04 at 10:56, Felix Schulte wrote:
| > > >
| > > > - Webhosting is made secure and without performance penalties
| > > > using zones.
| > > What if the customer wants root access,
| >
| > Every zone has its own unique root user.
| I know.
|
| > > the ability to load his own kernel
| > > modules or create his own set of zones? Solaris zones are a very
| > > limited design as you do not have support for zones within zones.
| >
| > That's on purpose, having zones within zones would make things very
| > complex and could put quite a strain on the security model.
| Why? AFAIK this feature has been requested quite often.
As a way to get around a problem. The request of the masses isn't always the best option for security. Zones are cool, yet they seem to be in part a business thing where it would be desired to have a big 20k server with 10 things running in different zones instead of 10 3k servers, etc. I still use containers, I just think they aren't the magic answer.

Looks like more people are looking for trusted-OS design features in an OS that was not designed as a trusted OS. The more trusted-OS you go, the more of an admin nightmare you get, yet that is where all the fine-grained isolation and separation is at. Zones are what they are, and what they were meant to be. They seem to do exactly what they are supposed to do.

|
| > > Okok, but it does not help me when my stupid code kills the kernel.
| >
| > Have you tried using mdb(1)? Particularly putting mdb in place on the
| > live system before loading your module? Have you tried looking at the
| > crash dumps?
| mdb is not a kernel debugger, right?
| --
|  _        Felix Schulte
| _|_|_     mailto:[EMAIL PROTECTED]
| (0 0)
| ooO--(_)--Ooo
|
| _______________________________________________
| opensolaris-discuss mailing list
| opensolaris-discuss@opensolaris.org