On Tue 19 May 2020 at 08:10:00 +0930, Brett Lymn wrote:
> On Sat, May 16, 2020 at 09:51:42AM +0100, Sad Clouds wrote:
> >
> > Just look at how Solaris does it - it has Zones (aka Jails) and LDOMs
> > (Logical Domains) on SPARC. LDOMs seem to be a much better way of
> > partitioning OS instances ve
At Thu, 21 May 2020 00:17:27 -0400, "Aaron B." wrote:
Subject: Re: NetBSD Jails
>
> On Wed, 20 May 2020 14:47:52 -0700
> "Greg A. Woods" wrote:
>
> > Well if all your chroot tree of processes runs as a single unique user
> > then from what I understan
On Thu, 21 May 2020 11:43:18 - (UTC)
mlel...@serpens.de (Michael van Elst) wrote:
> net...@precedence.co.uk (Stephen Borrill) writes:
>
> >RBAC using kauth was demonstrated in a talk by Alistair Crooks at
> >EuroBSDCon 2009. Unfortunately, any slides/recordings seem to have
> >been expunged
net...@precedence.co.uk (Stephen Borrill) writes:
>RBAC using kauth was demonstrated in a talk by Alistair Crooks at
>EuroBSDCon 2009. Unfortunately, any slides/recordings seem to have been
>expunged from the UKUUG website
>https://www.ukuug.org/events/eurobsdcon2009/history/
https://web.archi
On Thu, 21 May 2020, Sad Clouds wrote:
On Thu, 21 May 2020 00:17:27 -0400
"Aaron B." wrote:
There's still networking to worry about after that, but just isolating
processes in a more useful way is a huge step forward.
You can probably do that. If you use chroot to emulate containers,
simply
On Thu, 21 May 2020 00:17:27 -0400
"Aaron B." wrote:
> There's still networking to worry about after that, but just isolating
> processes in a more useful way is a huge step forward.
You can probably do that. If you use chroot to emulate containers,
simply partition UID and GID assignment into b
On Wed, 20 May 2020 14:47:52 -0700
"Greg A. Woods" wrote:
> Well if all your chroot tree of processes runs as a single unique user
> then from what I understand secmodel_extensions "Curtain Mode" already
> does actually do all of the rest of what you need.
>
Curtain mode does not.
Some applica
At Wed, 20 May 2020 09:43:12 -0400, "Aaron B." wrote:
Subject: Re: NetBSD Jails
>
> For the purpose of isolation of applications, I'd like to segment the
> process tree in the same way that chroot segments the filesystem tree.
> I don't necessarily need a &
On Tue, 19 May 2020 21:26:02 -0700
"Greg A. Woods" wrote:
> One of the things I've been hoping to learn in this discussion is
> more concretely what the true low-level requirements are, over and above
> what can be done with existing chroot and user/login-class rlimits in
> order to provide usefu
> On 20.05.2020 at 06:26, Greg A. Woods wrote:
>
> Sure, doing things smart/clean/elegant is definitely outdated when
> compared to the way many choose to work. As I said, most seem to see
> the apparent surface simplicity of "docker pull nginx" as elegant
> enough.
I don’t use docker too
On Tue, 19 May 2020 21:26:02 -0700
"Greg A. Woods" wrote:
> So what more is needed, beyond chroot and login classes, to make
> possible the kinds of things like allowing a customer to install web-app
> "plugins" to their instance of a web server? I can't think of
> _anything_ else that's _actually_
On Tue, May 19, 2020 at 08:13:06AM +0100, Sad Clouds wrote:
>
> That's exactly what I was referring to. Yes this is specific to SPARC
> where they have a very small firmware hypervisor. The advantage is how
> hardware resources are dedicated to a specific domain, so the OS can
> use them directly
At Tue, 19 May 2020 10:21:52 +0200, Niels Dettenbach wrote:
Subject: Re: NetBSD Jails
>
> On Tuesday, 19 May 2020, 03:15:53 CEST, Greg A. Woods wrote:
> >
> > I still think the security and complexity issues with containers, are a
> > very much bigger concern than the p
On Tuesday, 19 May 2020, 03:15:53 CEST, Greg A. Woods wrote:
> (and what always dominates performance? I/O dominates!)
As with all parameters, I/O is just one of them - if I/O were really everything,
VMware ESX would not exist anymore... ;)
Don't get me wrong: I/O is "primary" for me in most of m
On Mon, 18 May 2020 18:15:53 -0700
"Greg A. Woods" wrote:
> I still think the security and complexity issues with containers, are
> a very much bigger concern than the pure efficiency losses of running
> full VMs. When it's all hidden behind a single command ("docker pull
> nginx") then it's too
On Tue, 19 May 2020 08:10:00 +0930
Brett Lymn wrote:
> On Sat, May 16, 2020 at 09:51:42AM +0100, Sad Clouds wrote:
> >
> > Just look at how Solaris does it - it has Zones (aka Jails) and
> > LDOMs (Logical Domains) on SPARC. LDOMs seem to be a much better
> > way of partitioning OS instances ver
At Sun, 17 May 2020 21:46:39 +0100, Sad Clouds
wrote:
Subject: Re: NetBSD Jails
>
> Your main gripe about jails/zones/containers is added complexity, well
> guess what, with Xen/VMware/VirtualBox the complexity is still there,
> you just pushed it over to the hypervisor vendor.
Act
On Sat, 16 May 2020, Aaron B. wrote:
> It also doesn't solve the ultimate issue here, which is isolation: a
> user (in the kernel sense of user, not necessarily a human logged in via
> SSH) in one chroot could run 'ls' or equivalent syscalls and see
> activity inside a different chroot.
Assuming th
On Sat, May 16, 2020 at 09:51:42AM +0100, Sad Clouds wrote:
>
> Just look at how Solaris does it - it has Zones (aka Jails) and LDOMs
> (Logical Domains) on SPARC. LDOMs seem to be a much better way of
> partitioning OS instances versus something like VMware or Xen.
>
almost but not quite. A SPA
At Sun, 17 May 2020 21:52:58 +0100, Sad Clouds
wrote:
Subject: Re: NetBSD Jails
>
> On Sun, 17 May 2020 14:07:21 -0500
> Ted Spradley wrote:
>
> > How well will all this modern container and virtualization stuff work
> > on the older platforms that only have
On Sun, 17 May 2020 14:07:21 -0500
Ted Spradley wrote:
> How well will all this modern container and virtualization stuff work
> on the older platforms that only have megabytes of memory, not
> gigabytes?
Quite well, since containers are very lightweight. It's not the
container technology that s
On Sun, 17 May 2020 12:06:36 -0700
"Greg A. Woods" wrote:
> If you actually really need a fully isolated and completely full
> featured environment where you can run complex applications in
> "reasonably secure" sandbox style isolation then why not choose the
> best possible hardware you can affo
On Sun, 17 May 2020 12:06:36 -0700
"Greg A. Woods" wrote:
> Many folks are doing it because others do it.
>
> Well, all I can say to that is have fun on your bandwagon, and don't
> let me stop you!
>
>
> Some think there are some security benefits.
>
> I continue to see security issues which
On Sun, 17 May 2020 10:12:06 -0400
Julien Savard wrote:
> jail like feature in NetBSD. As I previously said
> VMs are great, however, they are mostly targeted to some
> architectures ( amd64 and maybe aarch64?). I chose NetBSD because it
> can run on most "exotic" platforms ( Isn't its motto "Of
At Sun, 17 May 2020 11:11:22 +0200, Niels Dettenbach wrote:
Subject: Re: NetBSD Jails
>
> On 17.05.2020 at 06:01, Greg A. Woods wrote:
> >
> > I know some people do allow human users to login to FreeBSD "jails", but
> > I really have to wonder why. I thi
Julien Savard writes:
> I won't debate on which is better between VM or containers. Both have their
> strength and weaknesses and in my opinion, usually your needs and skills
> makes one or the other the right choice for you. Nevertheless, I wanted
> (and still want) for a jail like feature in Ne
, what
do they need to do it?"
On Sun, May 17, 2020 at 12:01 AM Greg A. Woods wrote:
> At Sat, 16 May 2020 22:52:24 -0400, "Aaron B." wrote:
> Subject: Re: NetBSD Jails
> >
> > It also doesn't solve the ultimate issue here, which is isolation: a
> &g
On 17.05.2020 at 06:01, Greg A. Woods wrote:
>
> I know some people do allow human users to login to FreeBSD "jails", but
> I really have to wonder why. I think if you want to give human users
> the idea that they have their own machine then you really do need to
> give them a whole VM (at le
At Sat, 16 May 2020 22:52:24 -0400, "Aaron B." wrote:
Subject: Re: NetBSD Jails
>
> It also doesn't solve the ultimate issue here, which is isolation: a
> user (in the kernel sense of user, not necessarily a human logged in via
> SSH) in one chroot could run 'ls
On Sat, 16 May 2020 10:57:55 -0700
"Greg A. Woods" wrote:
> Perhaps all that's required is a tool which extracts the minimum
> required entries from the real /etc/master.passwd for each chroot?
> (and some way to maintain chroot copies?)
>
> (Another way would be a new service behind nsdispatch(
On 16.05.2020 at 00:23, Greg A. Woods wrote:
>
> I'm curious about what this means to you -- what do you need/want in
> addition to the chroot environments you now have?
at least dedicated "networking" / network isolation, but ideally resource
"isolation" / system limits etc., i.e. similar
At Fri, 15 May 2020 20:18:28 -0400, "Aaron B." wrote:
Subject: Re: NetBSD Jails
>
> - Processes can "see" each other; I have to be careful not to reuse
> UID numbers. For example: if I build a chroot with an instance of nginx
> that runs as UID 2505, and then deplo
On Fri, 15 May 2020 15:23:32 -0700
"Greg A. Woods" wrote:
> I'm curious about what this means to you -- what do you need/want in
> addition to the chroot environments you now have?
Here is a good comparison:
https://en.wikipedia.org/wiki/OS-level_virtualization#Implementations
Just look at how
On Fri, 15 May 2020 15:23:32 -0700
"Greg A. Woods" wrote:
> I'm curious about what this means to you -- what do you need/want in
> addition to the chroot environments you now have?
>
The filesystems of different containers are well isolated thanks to
chroot, and occasional use of null mounts to
At Fri, 15 May 2020 16:56:04 -0400, "Aaron B." wrote:
Subject: Re: NetBSD Jails
>
> > Can't wait to have jails on NetBSD.
>
> I have also wanted this feature for a long time. Currently I manage a
> lot of applications running in self-contained chroot'ed
On Fri, 15 May 2020 11:15:47 -0400
Julien Savard wrote:
> Hi,
> According to the current virtualization roadmap, a jail like feature is
> coming to netbsd (
> https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/doc/roadmaps/virtualization
> ).
This file looks pretty stale, dated 2012 at the bo
Hi,
According to the current virtualization roadmap, a jail like feature is
coming to netbsd (
https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/doc/roadmaps/virtualization
).
Any idea when it will be available?
Can't wait to have jails on NetBSD.