Announce: many virtual servers on a single box

Announce: many virtual servers on a single box

[Jacques Gelinas]

I have enhanced the kernel to allow several independant virtual servers
running on the same box (sharing the same kernel as well). I introduced
2 new system calls (new_s_context and set_ipv4root) allowing
much independance between the virtual servers. Virtual servers are
independant enough and "real" enough that you can supply root password
to the virtual server administrators. Virtual servers may be described

-May run various network services, binding to the same ports
 without special configuration. Services are started normally (sysv script, whatever
 the distro you are using).

-Have independant process list, so they can't interfere. You can't see or send
  signal to process in other vservers (or the root server)

-I have also modified the capability system a little, so those virtual server
 administrators can't take over the machine. I have introduced a per-process
 capability ceiling, inherited by sub-process. Even setuid program can't grab
 more capabilities..

-Update packages normally, create users, Use any admin procedure/tool

Maybe such a project has already been done. Anyway, I have written a lot
of documentation about it (how it works, pro and con and so on). It works
on top of 2.4.10 or 2.4.11 (probably anything). I would really like to get
some comments.

You can find all the documentation and packages at
http://www.solucorp.qc.ca/miscprj/s_context.hc

All this is GPL...

---------------------------------------------------------
Jacques Gelinas <jack@solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc

Re: Announce: many virtual servers on a single box

[Pavel Machek]

Hi!

> -I have also modified the capability system a little, so those virtual server
>  administrators can't take over the machine. I have introduced a per-process
>  capability ceiling, inherited by sub-process. Even setuid program can't grab
>  more capabilities..

Really? What hardware do they see in /dev/? Do their servers have for
example mouse? What about ethernet cards?

Does /proc/kmem work in virtual servers?

[Why I'm asking? I'm trying to find ways to take over the machine. Do
you want to give me root on your machine stating that I can't
interfere?]

You might want to announce this on bugtraq. [And give solar designer
root account, he might be more creative ;)].

								Pavel
-- 
STOP THE WAR! Someone killed innocent Americans. That does not give
U.S. right to kill people in Afganistan.

Re: Announce: many virtual servers on a single box

[Bernd Eckenfels]

In article <20011012230104.A3069@bug.ucw.cz> you wrote:
> [Why I'm asking? I'm trying to find ways to take over the machine. Do
> you want to give me root on your machine stating that I can't
> interfere?]

Hve you looked on HP compartments, yet? Or on Brickhouse?

Both are there a bit longer, and at least for brickhouse you can get root
access by telneting into it.

Greetings
Bernd