Re: Operating system-level virtualization: how to make it?



On Wed, May 27, 2009 at 8:40 AM, Douglas A. Tutty <dtutty@xxxxxxxxx> wrote:

> On Tue, May 26, 2009 at 08:46:49PM +0200, Laurent Guignard wrote:
>> On Fri, 22 May 2009 18:02:27 +0000, Sylvain Le Gall wrote:
>>> On 22-05-2009, Sthu Deus <sthu.deus@xxxxxxxxx> wrote:
>>>> How can I organize an operating system-level virtualization on a
>>>> server for every service I would isolate?
>>>
>>> Use a chroot (standard) or a vserver (search for vserver in the Debian
>>> archives; there is a kernel version and two packages for userland
>>> tools).
>>>
>>> vserver is more flexible and allows you to assign IP addresses et al.
>>
>> Beyond the question, what is the interest in virtualizing services? I
>> understand the need to virtualize different machines for OS-specific
>> server software, tests and so on.
>> Is there anywhere to find when virtualization is the best way to solve a
>> problem and when it isn't?
>
> Unless something has changed, to be really secure, virtualization has to
> be fully supported in the hardware of the CPU so that there are no CPU
> instructions that can be issued from within the virtual machine to break
> out of it. i386/amd64 don't meet that criterion. I don't know what
> other vendors have, but e.g. IBM's Power architecture does, and provides
> logical partitions (LPARs) at the firmware level which appear to the OS
> as a real piece of hardware.
>
> AFAIK, virtualization on i386/amd64, beyond the OS-specific software or
> testing issues, is a gimmick. It may provide one extra layer for
> someone to try to break out of but it also adds an extra layer to hold
> bugs.
>
> Doug.




There is nothing like LPAR in the x86/amd64 architecture. Totally different arch.

Believe me, I work for the eye bee m company.


--
"It is human nature to think wisely and act in an absurd fashion."

"All the disorder in the world comes from professions that are badly or mediocrely served"

