|
Jails/Sandboxes/Operating system-level virtualization
Well, I can try to explain what I'm looking for, and then maybe someone will reply.
The chroot utility can be used to change the root directory of a set of processes, creating a safe environment, separate from the rest of the system. Processes created in the chrooted environment can not access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. These features make it especially attractive to run daemons/services on a bastion host in a chrooted environment, like a httpd server, where php-code on the host can be used by an attacker to (in the worst scenario) gain root-privileges. Many ways have been found to escape from a chrooted environment and, although they have been fixed in modern versions of the Linux kernel, it is clear that chroot is not the ideal solution for securing services. Example restrictions inside the container * Modifying the running kernel by direct access and loading kernel modules is prohibited. * Mounting and unmounting file systems is prohibited. * Creating device nodes is prohibited. * Accessing raw, divert, or routing sockets is prohibited. * Modifying kernel runtime parameters, such as most sysctl settings, is prohibited. * Changing securelevel-related file flags is prohibited. * Accessing network resources not associated with the jail is prohibited. I've used FreeBSD jails for this purpose earlier, but I struggle to find good solutions for Slackware. Jailkit is an insecure solution, since you are allowed to mount the host's file systems. OpenVZ provides rpm binaries, rpm sources and documentation specific to CentOS, Red Hat and Fedora only. FreeVPS seems also to be a good choice for CentOS and Red Hat systems only. Linux Vserver is lacking a lot on the documentation part, and shows only simple solutions which are relevant for Ubuntu and Debian only. Cilinder has on his blog written a tutorial for how to build vservers on your Slackware system. What I don't like about it, is a lot of prebuild packages and scripts I really don't know what is doing to my system. I also don't like this statement: «You’ll probably see a lot of error messages, this is due to the Slackware startup scripts that are executed in the VServer related to configuring and starting hardware devices. I’m still working on a diff to patch the template directory to remove those.» The alternative to this is Capability-based security like SE_Linux and Apparmor. I know of a lot of people which really dislikes SE_Linux, and I honestly prefer the Jail solutions myself. I hope some of you have experience to share. |
If you like BSD Jails, you'll love OpenSolaris Zones ;)
Of course, that isn't going to help that much if your goal is to run Slackware ... unless you are really adventurous. |
It sounds like you know what you want and what would be involved if you wanted to kludge something together. Any reason you're not running a FreeBSD jail if it meets your needs?
|
OP: Just a few paragraphs down herein is links with relevant howto, doc, not terribly old, but I'm not aware enough (I've experience in a nearby but not exactly your neighborhood). If you read, you'll see.
Ah, but Slack lends itself to "roll up your sleeves" while having fun working (or is it learning) (or is it learning/creating) with respect to "what makes it tick" (especially I mean here as far as the creating of an app/method for a specified task or my own customization of Slack). I have fun customizing is one of the reasons that I use Slack. Is it that "the creative side" (of me in my case) gets to take expression -- seems, to some degree, true. (I think Slack lends itself to this as one of the characteristics or reasons to use Slack). I logged in then searched here at linuxquestions at the slackware forum using "virtualization" for the keyword/search_term. Next consists of a part of those hits (BTW some have howto and/or further doc on links/softwares/apps that you already shared in your post) and/or "one thing leads to another" ie "links" led off to other links etc. etc. http://www.linuxquestions.org/questi...virtualization http://wiki.linuxquestions.org/wiki/...-Links#Virtual http://www.cilinder.be/2007/11/14/bu...slackware.html I've (acummings at next url/thread) dinked around with Qemu and Vmware workstation/Vmware Player http://www.linuxquestions.org/questi...-kqemu-631610/ But I wasn't using it for server. I ran Win 2K in virtual machine on top of Slack (Slack is host, Win 2K is guest OS) (strange or maybe not strange desktop useage ie 2 (vastly) different OS's running at once on one hardware box). I could (but I won't) argue for that it's a server that serves up (for me to use) two different desktop OS's all at once in real time. While in the qemu monitor, I saw therein the ability to make snapshot(s) of the virtual machine. Snapshot allows "return to exact state" (of where it was when snapshot had been taken). (I just keep a copy of my Win 2k virtual machine file (the file, the so called "image" file that) runs inside Qemu -- I haven't yet used "snapshot" feature) Some virtual machine capable of "disallow write access" -- except only in a dedicated or safe area (maybe this be similar to "jail" here) and even then "only until this virt. mach. is turned off or rebooted" (said write access, anything written is discarded and erased upon reboot of this virt. mach.) IOW: "always boots up pristine" (this virt. mach.) I'm unaware of which all of the different virt. mach. out there as to which of them have whatever of the different capabilities. I don't know if Qemu can be set (has such an opt or setting) to boot an image "always boots pristine". Lots of different virtuals out there for a lot of different reasons/applications. It's worthy to explore/discover/investigate as to "what would best suit or some of the better fit(s) for what your specific need is. I saw reasons of "it saves on disk space" and "it saves on memory/resources" (to run one or some of the apps that you mentioned rather than to have the additional overhead of running a second OS inside a virtual machine). And I see and honor those reasons/points. I'm gung ho for the above reasons whenever the need is or can be met by those reasons/method(s). I'm not at all trying to sway you to the overhead of running a second OS in a virtual machine. But, much of what I've shared here, is merely where my experience has lied, until now. Until now. (grabs some more around toits). Hmm, Xen and KVM already on the (soon to happen in the future) agenda. Or, will I experiment first with some of the virtual server apps that you mentioned and then do Xen and KVM. So much to do, so little time. Writing is fun too. -- Alan. |
jlliagre and anomie: I'm sure Open Solaris Zones is some great stuff, and I know FreeBSD jail works very well. The thing is that I've been a Linux user for five years, where Slackware is the distribution I know best. I've been trying FreeBSD a bit on a test machine, but it's so much to learn since it's a completely different OS. There's really just one feature I miss at the moment and I would like to solve it on my main distro. But thanks anyway :)
Thanks for the links and long reply acummings, especially the first link was interesting. What is important to understand is: there is a difference between Virtual Private Servers (VPSs)or Virtual Environments (VEs) and Virtual Machines. A virtual private server is a method of partitioning a physical server computer into multiple servers that each has the appearance and capabilities of running on its own dedicated machine. Virtual Machine is a software implementation of a machine (computer) that executes programs like a real machine. Like you already said, VPs saves on disk space, memory/resources, and you don't get that additional overhead either. You get a lot of work to do when securing, updating and configuring a bunch of VMs. Remember, each service is supposed be isolated from the others, and that would mean one OS running on one VM for each and every service. VPs are a lot easier and more simple to manage. I will probably look a bit more into OpenVZ thanks to the LQ link you gave me :) Maybe I can provide a HOWTO or a package or something if I succeed. |
| All times are GMT -5. The time now is 04:57 PM. |