RE: [vserver] shrink wrap it

About this list Date view Thread view Subject view Author view Attachment view

From: klavs klavsen (
Date: Sun Feb 10 2002 - 10:52:14 EST

On Sun, 2002-02-10 at 03:43, wrote:
> On Saturday, 9 February 2002 at 19:36, klavs klavsen wrote:
> > Do you know, if I can run OpenLDAP, Samba, Apache+php and MySQL on a
> > vserver?
> LDAP, Apache+PHP and MySQL should be totally transparent.
sounds good.

> Samba is a bit tricky because of the netbios broadcasts
> ( nmbd only ).
Please bear with me.. but why? because listening for broadcast packages
requires some speciel ability of some sort?
shouldn't it just be covered by listening for packages on port 137 - and
then broadcasts to that port should be forwarded to the process also?

> Mind you, you don't _have_ to restrict the IP address of vserver with "chbind",
> especially if you are only running one of them.
I have 2 scenario questions:

if the server only has One IP, and

1) all the services listening on that IP, ran under each vserver - would
there be security issues?

2) 1 of the services (ssh for instance) ran on the root-server - would
there be security issues?

> Something you have to understand is that vserver is not a
> rigid "must use every feature" package.
luckily. I like to have choices.

> There's security contexts, separating processes namespaces so they don't see
> each other and cannot interact with each other.
but only if they don't run on the same vserver?

Can I run - 2 or more chroot'ed services on 1 vserver? or can vserver it
self restrict/chroot each service - kinda like LIDS does?

> And there's "chbind" feature which allows you to restrict local ip address for all ipv4 connectivity
> inside vserver and transparently convert ( functionally) "Listen" to "Listen" ( if you
> did chbind --ip ) so you don't have to change config files inside each vserver.
sounds like a smart way to do it. Am looking forward to actually trying

I hope I can help with the progress of vserver.

If there were a Todo list, with status of each bullit - one could get a
quick idea of weather or not ones expertice could help the project in
any way.

btw. can or will vserver be implemented in the standard kernel source
tree? that would expand it's knowledge and usage to a much broader
user-base and just like it did for ReiserFS help the project gain
developers and bug-hunters. Are there any reasons why vserver should not
be a part of the standard kernel source? I don't know so much about
this, only know what I can read from LWN and such.

Klavs Klavsen

-------------| This mail has been sent to you by: |------------ Klavs Klavsen - OpenSource Consultant -

Get PGP key from - Key ID: 0x586D5BCA Fingerprint = A95E B57B 3CE0 9131 9D15 94DA E1CD 641E 586D 5BCA --------------------[ I believe that... ]----------------------- It is a myth that people resist change. People resist what other people make them do, not what they themselves choose to do... That's why companies that innovate successfully year after year seek their peopl's ideas, let them initiate new projects and encourage more experiments. -- Rosabeth Moss Kanter

About this list Date view Thread view Subject view Author view Attachment view

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT