I can find plenty of documentation for using zones, but none
for programming with them. The best I can get is the .h files
(undocumented), and random snippets from googling.
In the Apache webserver community, we have a lot of demand from
hosting companies and their users for better separation of
Hi Nic,
I have the feeling you are on the wrong track, if you want to start and
maintain an apache server from the global zone and then fork worker procs
into the zones.
This is not intended and also not needed - and here is why:
Security:
From the zones point of view, it cannot see the global
On Fri 03 Oct 2008 at 03:27PM, Nick Kew wrote:
> In normal operation, copy-on-write gives us this model for free.
> Does copy-on-write work across a zone_enter()?
Yes.
> In the past, we've had some efforts to improve separation, based on
> worker children running under different user IDs. See fo
On Fri, Oct 03, 2008 at 03:27:38PM +0100, Nick Kew wrote:
> In the past, we've had some efforts to improve separation, based on
> worker children running under different user IDs. See for example
> the perchild MPM at apache.org. There's a lot of demand for
> perchild-like solutions, but no reall
You and Dan both talked about user authentication and therefore the need
for the zone_enter to happen "late", but I don't think that's part of
the picture here at all.
Nick is trying to isolate virtual systems, not users. I've seen this
problem on my personal hosting providers - my CGI scripts
On Fri, Oct 03, 2008 at 04:18:23PM -0500, Nicolas Williams wrote:
> - You probably don't actually need zones for this. Just being able to
> isolate processes by making them run as different UIDs will suffice.
>
> - Though, of course, to the extent that different sites hosted on
> th
On Fri, Oct 03, 2008 at 02:37:28PM -0700, Jordan Brown wrote:
> Nick is trying to isolate virtual systems, not users. I've seen this
That was, obviously, not the impression that I got. It's trivial to
separate virtual systems by just running them in zones. But if I
misread what Nick was asking,
Nicolas Williams wrote:
> On Fri, Oct 03, 2008 at 02:37:28PM -0700, Jordan Brown wrote:
>> Nick is trying to isolate virtual systems, not users. I've seen this
>
> That was, obviously, not the impression that I got. It's trivial to
> separate virtual systems by just running them in zones. But i