LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 04-02-2008, 01:27 PM   #1
Mellar
LQ Newbie
 
Registered: Jan 2008
Posts: 29

Rep: Reputation: 15
Jails/Sandboxes/Operating system-level virtualization


Well, I can try to explain what I'm looking for, and then maybe someone will reply.

The chroot utility can be used to change the root directory of a set of processes, creating a safe environment, separate from the rest of the system. Processes created in the chrooted environment can not access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. These features make it especially attractive to run daemons/services on a bastion host in a chrooted environment, like a httpd server, where php-code on the host can be used by an attacker to (in the worst scenario) gain root-privileges. Many ways have been found to escape from a chrooted environment and, although they have been fixed in modern versions of the Linux kernel, it is clear that chroot is not the ideal solution for securing services.


Example restrictions inside the container

* Modifying the running kernel by direct access and loading kernel modules is prohibited.
* Mounting and unmounting file systems is prohibited.
* Creating device nodes is prohibited.
* Accessing raw, divert, or routing sockets is prohibited.
* Modifying kernel runtime parameters, such as most sysctl settings, is prohibited.
* Changing securelevel-related file flags is prohibited.
* Accessing network resources not associated with the jail is prohibited.


I've used FreeBSD jails for this purpose earlier, but I struggle to find good solutions for Slackware. Jailkit is an insecure solution, since you are allowed to mount the host's file systems. OpenVZ provides rpm binaries, rpm sources and documentation specific to CentOS, Red Hat and Fedora only. FreeVPS seems also to be a good choice for CentOS and Red Hat systems only. Linux Vserver is lacking a lot on the documentation part, and shows only simple solutions which are relevant for Ubuntu and Debian only. Cilinder has on his blog written a tutorial for how to build vservers on your Slackware system. What I don't like about it, is a lot of prebuild packages and scripts I really don't know what is doing to my system. I also don't like this statement: Youll probably see a lot of error messages, this is due to the Slackware startup scripts that are executed in the VServer related to configuring and starting hardware devices. Im still working on a diff to patch the template directory to remove those.

The alternative to this is Capability-based security like SE_Linux and Apparmor. I know of a lot of people which really dislikes SE_Linux, and I honestly prefer the Jail solutions myself.

I hope some of you have experience to share.
 
Old 04-02-2008, 06:38 PM   #2
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris10, Solaris 11, Mint, OL
Posts: 9,522

Rep: Reputation: 365Reputation: 365Reputation: 365Reputation: 365
If you like BSD Jails, you'll love OpenSolaris Zones

Of course, that isn't going to help that much if your goal is to run Slackware ... unless you are really adventurous.
 
Old 04-02-2008, 06:58 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
It sounds like you know what you want and what would be involved if you wanted to kludge something together. Any reason you're not running a FreeBSD jail if it meets your needs?
 
Old 04-03-2008, 04:38 AM   #4
acummings
Member
 
Registered: Jul 2004
Distribution: Slackware
Posts: 615

Rep: Reputation: 49
OP: Just a few paragraphs down herein is links with relevant howto, doc, not terribly old, but I'm not aware enough (I've experience in a nearby but not exactly your neighborhood). If you read, you'll see.

Ah, but Slack lends itself to "roll up your sleeves" while having fun working (or is it learning) (or is it learning/creating) with respect to "what makes it tick" (especially I mean here as far as the creating of an app/method for a specified task or my own customization of Slack).

I have fun customizing is one of the reasons that I use Slack.

Is it that "the creative side" (of me in my case) gets to take expression -- seems, to some degree, true. (I think Slack lends itself to this as one of the characteristics or reasons to use Slack).

I logged in then searched here at linuxquestions at the slackware forum using "virtualization" for the keyword/search_term.

Next consists of a part of those hits (BTW some have howto and/or further doc on links/softwares/apps that you already shared in your post) and/or "one thing leads to another" ie "links" led off to other links etc. etc.

http://www.linuxquestions.org/questi...virtualization

http://wiki.linuxquestions.org/wiki/...-Links#Virtual

http://www.cilinder.be/2007/11/14/bu...slackware.html

I've (acummings at next url/thread) dinked around with Qemu and Vmware workstation/Vmware Player

http://www.linuxquestions.org/questi...-kqemu-631610/

But I wasn't using it for server. I ran Win 2K in virtual machine on top of Slack (Slack is host, Win 2K is guest OS) (strange or maybe not strange desktop useage ie 2 (vastly) different OS's running at once on one hardware box). I could (but I won't) argue for that it's a server that serves up (for me to use) two different desktop OS's all at once in real time.

While in the qemu monitor, I saw therein the ability to make snapshot(s) of the virtual machine. Snapshot allows "return to exact state" (of where it was when snapshot had been taken). (I just keep a copy of my Win 2k virtual machine file (the file, the so called "image" file that) runs inside Qemu -- I haven't yet used "snapshot" feature)

Some virtual machine capable of "disallow write access" -- except only in a dedicated or safe area (maybe this be similar to "jail" here) and even then "only until this virt. mach. is turned off or rebooted" (said write access, anything written is discarded and erased upon reboot of this virt. mach.) IOW: "always boots up pristine" (this virt. mach.)

I'm unaware of which all of the different virt. mach. out there as to which of them have whatever of the different capabilities. I don't know if Qemu can be set (has such an opt or setting) to boot an image "always boots pristine".

Lots of different virtuals out there for a lot of different reasons/applications. It's worthy to explore/discover/investigate as to "what would best suit or some of the better fit(s) for what your specific need is.

I saw reasons of "it saves on disk space" and "it saves on memory/resources" (to run one or some of the apps that you mentioned rather than to have the additional overhead of running a second OS inside a virtual machine).

And I see and honor those reasons/points. I'm gung ho for the above reasons whenever the need is or can be met by those reasons/method(s).

I'm not at all trying to sway you to the overhead of running a second OS in a virtual machine.

But, much of what I've shared here, is merely where my experience has lied, until now. Until now.

(grabs some more around toits). Hmm, Xen and KVM already on the (soon to happen in the future) agenda. Or, will I experiment first with some of the virtual server apps that you mentioned and then do Xen and KVM.

So much to do, so little time. Writing is fun too.

--
Alan.
 
Old 04-03-2008, 12:27 PM   #5
Mellar
LQ Newbie
 
Registered: Jan 2008
Posts: 29

Original Poster
Rep: Reputation: 15
jlliagre and anomie: I'm sure Open Solaris Zones is some great stuff, and I know FreeBSD jail works very well. The thing is that I've been a Linux user for five years, where Slackware is the distribution I know best. I've been trying FreeBSD a bit on a test machine, but it's so much to learn since it's a completely different OS. There's really just one feature I miss at the moment and I would like to solve it on my main distro. But thanks anyway


Thanks for the links and long reply acummings, especially the first link was interesting.

What is important to understand is: there is a difference between Virtual Private Servers (VPSs)or Virtual Environments (VEs) and Virtual Machines. A virtual private server is a method of partitioning a physical server computer into multiple servers that each has the appearance and capabilities of running on its own dedicated machine. Virtual Machine is a software implementation of a machine (computer) that executes programs like a real machine.

Like you already said, VPs saves on disk space, memory/resources, and you don't get that additional overhead either. You get a lot of work to do when securing, updating and configuring a bunch of VMs. Remember, each service is supposed be isolated from the others, and that would mean one OS running on one VM for each and every service. VPs are a lot easier and more simple to manage.

I will probably look a bit more into OpenVZ thanks to the LQ link you gave me Maybe I can provide a HOWTO or a package or something if I succeed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
My grub is not loading on dual operating system with windows Xp Pro causing my system marlene tack Linux - Newbie 2 03-17-2008 08:54 AM
LXer: Mandriva First Linux to Include Operating System-Level Virtualization Technology LXer Syndicated Linux News 0 05-26-2006 08:33 PM
LXer: OpenVZ User Community Enthusiastic About Operating System Virtualization Project LXer Syndicated Linux News 0 05-21-2006 03:21 AM
LXer: OpenVZ Project Introduces Website to Support Operating System Virtualization Technology for Open Source Community LXer Syndicated Linux News 0 12-16-2005 02:31 AM
Why Linux is best Operating System for Learning/Doing System Programming ? ubaid_t General 6 03-21-2004 03:10 PM


All times are GMT -5. The time now is 12:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration