On Sat, Feb 04, 2012 at 05:15:26PM +0100, Marco d'Itri wrote:
> On Feb 03, Bastian Blank <wa...@debian.org> wrote:
> > > > http://blog.bofh.it/debian/id_413
> > This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
> > just mount the root filesystem into your own tree.
> >
> > Linux-VServer does not help against processes with too much
> > capabilities, not sure about OpenVZ.
> OpenVZ does: /sys is there but you cannot use it to influence the host
> (because it was designed from the ground up to be secure).

VServer uses a slightly different approach: there is (usually?) no /sys, and
but a handful of entries in /dev. Once you have a device node, you can use it
unhindered (unless blocked by permissions or capabilities, of course). /proc
is censored and thus safe; I'm not sure if /sys would be censored as well
(never had a need to).

I believe VServer and OpenVZ are mostly equivalent when it comes to the
feature set. It's hard to compare them without a good knowledge of the
latter, but the only big difference I'm aware of is vhashify.

If you have 400 containers, common code will require 400 separate copies in
memory -- unless the files share the same inode. Common CoW methods will
sadly keep the kernel from sharing common pages -- at least LVM cow, btrfs
and (AFAIK) unionfs. A part of the vserver patch (not fundamentally
connected to the rest) provides a new file attribute "iunlink": an attempt
to modify such a file will break hardlinks and make a copy. This is worse
than extent-level cow (the whole file has to be copied), but it keeps the
inode shared, and works on all filesystems that allow chattr.

vunify and vhashify are two userland tools that deduplicate files using a
path+content check (slooow) and a hash, respectively.

> > > > * how to execute a command in a running VM? lxc-execute complains that
> > > > the
> > > Lack of something like VE_ENTER also makes it unsuitable for me.
> > ssh works.
> Not for my use case, I wrote a pam_vz module which removes the need to
> have sshd, ftpd and cron in guests.

vserver {exec,suexec,enter}, out of the box.

File sharing can be done with bind mounts.

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
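The inode-sharing scheme described in the message above (a vhashify-style pass that hardlinks identical files so they share one inode, and the iunlink behaviour of copying a whole file out before it is modified) as an added example; this is not code from the thread or from util-vserver. It is a bash script that constructs two fake guest roots, deduplicates them by content hash, then writes to the shared file from one guest and verifies that the other guest still sees the original. It assumes bash 4 or later and GNU coreutils (`find`, `sort`, `xargs`, `sha256sum`, `stat`); all function names are hypothetical.

```shell
#!/bin/bash
# Added example, not code from the thread or from util-vserver. It emulates
# in userland the two mechanisms described above: a vhashify-style pass that
# hardlinks files with identical content so they share one inode (and thus
# one set of page-cache pages), and the iunlink behaviour of copying a whole
# file out before a write so the other guests keep the original.
# Assumes bash 4+ and GNU coreutils (find, sort, xargs, sha256sum, stat).
# All function names are hypothetical; the guest trees are constructed.
set -eu

# Hash every regular file under the given roots and replace each duplicate
# with a hardlink to the first file seen with that hash.
hashify() {
    local hashfile h p
    local -A first
    hashfile=$(mktemp)
    find "$@" -type f -print0 | sort -z | xargs -r -0 sha256sum > "$hashfile"
    # sha256sum prints "<hash>  <path>"; read splits off the hash.
    while read -r h p; do
        if [ -z "${first[$h]:-}" ]; then
            first[$h]=$p
        elif ! same_inode "${first[$h]}" "$p"; then
            ln -f "${first[$h]}" "$p"   # the duplicate becomes a hardlink
        fi
    done < "$hashfile"
    rm -f "$hashfile"
}

# Succeeds if both paths refer to the same inode.
same_inode() {
    [ "$(stat -c %i "$1")" = "$(stat -c %i "$2")" ]
}

# Link count of a path (2 or more means the inode is shared).
link_count() {
    stat -c %h "$1"
}

# Copy-before-write: if the file is a shared inode, replace this path with
# a private whole-file copy. A real iunlink attribute makes the kernel do
# this on the first write; here the guest-side tooling calls it explicitly.
break_link() {
    local f=$1
    if [ "$(link_count "$f")" -gt 1 ]; then
        cp -p "$f" "$f.cow.$$"
        mv -f "$f.cow.$$" "$f"
    fi
}

# Construct two fake guest roots with one shared and one private file each.
setup_trees() {
    local base=$1
    mkdir -p "$base/vm1/usr/bin" "$base/vm2/usr/bin"
    printf 'common binary\n' > "$base/vm1/usr/bin/ls"
    printf 'common binary\n' > "$base/vm2/usr/bin/ls"
    printf 'vm1 only\n'      > "$base/vm1/usr/bin/uniq1"
    printf 'vm2 only\n'      > "$base/vm2/usr/bin/uniq2"
}

# Stand-alone demo: dedupe, then modify the shared file from one guest.
main() {
    local base
    base=$(mktemp -d)
    setup_trees "$base"
    hashify "$base/vm1" "$base/vm2"
    echo "after hashify: ls link count = $(link_count "$base/vm1/usr/bin/ls")"
    break_link "$base/vm2/usr/bin/ls"
    printf 'vm2 modified\n' >> "$base/vm2/usr/bin/ls"
    echo "after vm2 write: vm1 sees '$(cat "$base/vm1/usr/bin/ls")'"
    echo "after vm2 write: vm1 link count = $(link_count "$base/vm1/usr/bin/ls")"
    rm -rf "$base"
}

main "$@"
```

The check that matters in practice is the inode number, not the path: two guests only share page cache while `stat -c %i` agrees, and a tool that writes through the shared path without first breaking the link changes the file for every guest at once, which is exactly what iunlink exists to prevent.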
Archive: http://lists.debian.org/20120204191446.ga...@angband.pl