Re: Vserver is cool but too dependent on the distribution


From: Jacques Gelinas (
Date: Wed Jan 09 2002 - 13:25:31 EST

On Wed, 9 Jan 2002 04:06:45 -0500, David Wagner wrote
> Jacques Gelinas wrote:
> >I have reviewed jail a bit. What should we add in our project to make it
> >a superset of jail ? [...]
> One idea might be control over how jailed processes can access the
> network. This is not directly supported in BSD's jail, but two students
> in a security class I taught suggested the following clever trick to
> support this functionality: create a jail with a new IP address (using
> IP aliasing), put the process in this jail, and ensure the process can't
> access any other IP addresses. Then you can restrict how this process
> can use the network by creating IP firewalling rules that mention the
> jail's IP address. For instance, you can configure sendmail so that it
> is only allowed to send and receive incoming packets on port 25 and 53.
> I imagine vserver could support this easily (if it doesn't already).

This is exactly what the vserver does. A vserver is locked on one IP. It can only
bind (service and outgoing) to this IP. If it binds to, this is remapped to the
allocated IP.

Another feature you can do with that is allocate one routing table per vserver
and use the from address to select the routing table. Since a vserver has to
use its IP address and this is the only one it can use, a vserver is forced to
use its routing table. Linux can have 254 different routing tables. Playing with that
you can have

        different gateway for different vserver
        different routing policies/priority per vserver

Note that this feature of the vserver is not vserver specific. It relies on a
new system call called set_ipv4root and it is used by a /usr/sbin/chbind utility. Anyone
can do

        /usr/sbin/chbind --ip some_IP somecommands

and the command will be locked with this IP. You can also do

        /usr/sbin/chbind --ip some command

(I assume is not a valid IP interface of your server) and this command
won't be able to do any networking at all, since attempts to bind will
be remapped to and binding to will be rejected later by the kernel.

Jacques Gelinas <>
vserver: run general purpose virtual servers on one box, full speed!
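An added probe, not part of this thread or of the vserver tools, that a reader could run with and without chbind to confirm the lock described above: it tries to bind a socket to a few addresses and reports which ones the kernel accepts, and shows which address a wildcard bind actually lands on. It assumes the elided address in the message is the wildcard 0.0.0.0, and uses 192.0.2.1 (a documentation address) as a stand-in for the allocated IP; run unconfined, the loopback bind is reported as a "violation", which is exactly what chbind is meant to prevent.

```python
import errno
import socket

# Constructed inputs (not from the thread): a loopback address that is
# normally bindable, a TEST-NET-1 documentation address standing in for
# the IP a vserver would be allocated, and the wildcard address.
ALLOCATED_IP = "192.0.2.1"
CANDIDATES = ["127.0.0.1", ALLOCATED_IP, "0.0.0.0"]


def bind_probe(addresses, port=0):
    """Try to bind a TCP socket to each address.

    Returns {address: "ok"} for addresses the process may bind, or
    {address: <errno name>} for those the kernel refuses.
    """
    results = {}
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((addr, port))
            results[addr] = "ok"
        except OSError as e:
            results[addr] = errno.errorcode.get(e.errno, str(e.errno))
        finally:
            s.close()
    return results


def wildcard_bind_address():
    """Bind to 0.0.0.0 and report the address the kernel actually assigned.

    Unconfined this is "0.0.0.0"; under a chbind lock the message says the
    wildcard bind is remapped, so the allocated IP is expected instead.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", 0))
        return s.getsockname()[0]
    finally:
        s.close()


def confinement_violations(allocated_ip, results):
    """Addresses other than allocated_ip (and the wildcard, which is
    remapped rather than refused) that the process could still bind."""
    return sorted(a for a, r in results.items()
                  if r == "ok" and a not in (allocated_ip, "0.0.0.0"))


if __name__ == "__main__":
    res = bind_probe(CANDIDATES)
    for a, r in res.items():
        print(f"bind {a:>10}: {r}")
    print("wildcard bind lands on:", wildcard_bind_address())
    print("violations:", confinement_violations(ALLOCATED_IP, res))
```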


This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT