Hey *, just as a side note, did anybody do some testing with aufs and LXC (cgroups)?
For me this looks way more promising than a "simple chroot" env. since memory, cputime and what-not can be controlled via cgroups.

cheers
flip

On 28.06.2010 19:53, Robert Wotzlaw wrote:
> Mr. Junjiro Okajima,
>
> Your script auroot "A sample script to build a chroot-ed/jail environment for
> Internet service" has inspired me to write the script bldchraufs. The script
> builds a chroot environment based on AUFS. This environment opens a way to run
> a desktop session like GNOME Desktop in a jail. In this jail I can play around
> without damaging the installed GNOME Desktop.
>
> The idea of having an environment that can execute the whole operating system in
> a secure shell is very exciting. A secure environment gives an ordinary user
> like me the ability to do things with the operating system he would never
> do. This idea - not my script - is the reason why I wrote this letter. Perhaps
> You could write something like the script bldchraufs and put it in Your example
> collection. I think it's worth showing the user this ability of AUFS. This
> gives the Linux user a tool to freely investigate his system. For me it's
> something like the live CD that Mr. Knopper gave the community. It's a step
> further to democratize information technology.
>
> The attached script bldchraufs is very simple and more a base to give non-IT
> gurus hints how to build the AUFS-based chroot environment. The script is
> very extensively commented. The comments should give the user enough information
> how the script builds the environment and how he can use the created
> environment. Another reason for the extensive commenting is my forgetfulness. The
> comments help me to pick up the thread after some weeks.
>
> I would be thankful if You could take a look at the script.
>
> I have a question concerning the last lines of the script. In these lines the
> mount command binds the devices /dev, /dev/pts and /dev/shm into the matching
> directories of the union under /tmp/jail/. In this configuration the devices
> aren't a part of a branch. Is this an acceptable mount? Should I create a read
> only and a write branch for the above devices and mount the branches under a
> union?
>
> My next question concerns the option bind of the mount command. In Your example
> script auroot You use the bind option to create aliases for devices that You
> put into the read only branches. In addition to the option bind You use the
> option ro as argument in the calls of the mount command. According to the manual
> page of mount the bind option uses no further options. Do You use the ro option
> as a kind of marker? According to the manual page the ro has no meaning, but in
> the output of the mount command, called without any argument, the ro
> option is displayed. I ask because I copied a file into the read only branch
> - the bind of a system device like /usr - and got no error message. The file
> was stored. At first glance I was a little bit puzzled, but I think You can't
> change the access rights of a device during a bind mount. The bind of a device
> is an alias - another name for the same thing. The properties of a bound device
> are the same as the properties of the mounted device. Is this right? In the
> chroot environment the kind of the binding makes no problem, because the system
> doesn't see the origin of the bind.
>
> I would be glad if You have enough time to answer my questions.
>
> Regards,
> Robert Wotzlaw
>
> Attachments:
> 1. Chroot build script bldchraufs
> 2. HAL init script hal.new
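Robert's observation above (a bind mount made with `-o ro` still accepted a write, yet `mount` listed it as `ro`) is worth checking from the kernel's point of view rather than from what mount(8) recorded. The following is an added example, not part of the original thread or of the aufs project: it parses `/proc/self/mountinfo`, where the per-mount flags of a bind mount are visible separately from the superblock flags it shares with its origin, and audits which mounts under a jail root are actually read-only. The sample mountinfo text and the `/tmp/jail` paths are constructed for the example.

```python
# Added example (not from the aufs-users thread): read the kernel's own view of
# mounts from /proc/self/mountinfo and report which bind mounts under a jail
# are really read-only at the mount level.
#
# mountinfo line layout (see Documentation/filesystems/proc.txt):
#   id parent major:minor root mount_point mount_opts [tag...] - fstype source super_opts
# "mount_opts" are the per-mount flags (what `mount -o remount,bind,ro` sets);
# "super_opts" belong to the underlying filesystem and are shared by every
# bind of it, which is why the origin of a bind cannot be made read-only by
# flagging the bind alone.
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: /usr bound twice into a jail, once writable, once read-only.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
30 21 8:1 /usr /tmp/jail/usr rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
31 21 8:1 /usr /tmp/jail/ro-usr ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
32 21 0:5 / /tmp/jail/dev rw,relatime - devtmpfs udev rw,size=1024k,mode=755
"""


@dataclass
class MountEntry:
    mount_point: str
    root: str            # subtree of the filesystem visible here (bind: the bound path)
    mount_opts: List[str]
    fs_type: str
    source: str
    super_opts: List[str]


def unescape(field: str) -> str:
    """Decode the \\040-style octal escapes mountinfo uses for space, tab, newline, backslash."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and all(c in "01234567" for c in field[i + 1:i + 4]):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text: str) -> Dict[str, MountEntry]:
    """Map mount point -> MountEntry for every line of mountinfo text."""
    entries: Dict[str, MountEntry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(" ")
        sep = fields.index("-")          # optional tag fields end at the lone "-"
        entry = MountEntry(
            mount_point=unescape(fields[4]),
            root=unescape(fields[3]),
            mount_opts=fields[5].split(","),
            fs_type=fields[sep + 1],
            source=unescape(fields[sep + 2]),
            super_opts=fields[sep + 3].split(","),
        )
        entries[entry.mount_point] = entry
    return entries


def is_mount_readonly(entries: Dict[str, MountEntry], mount_point: str) -> bool:
    """True if the per-mount flags (not merely the superblock) carry 'ro'."""
    entry = entries.get(mount_point)
    if entry is None:
        raise KeyError(f"{mount_point} is not a mount point")
    return "ro" in entry.mount_opts


def audit_jail(entries: Dict[str, MountEntry], jail_root: str, expect_ro: List[str]) -> List[str]:
    """Return the mounts under jail_root that were expected read-only but are writable."""
    writable = []
    for rel in expect_ro:
        mp = jail_root.rstrip("/") + "/" + rel.strip("/")
        if not is_mount_readonly(entries, mp):
            writable.append(mp)
    return writable


if __name__ == "__main__":
    # On a real system read the kernel's table; fall back to the constructed sample.
    try:
        with open("/proc/self/mountinfo") as fh:
            live = parse_mountinfo(fh.read())
    except OSError:
        live = parse_mountinfo(SAMPLE_MOUNTINFO)
    for mp, e in sorted(live.items()):
        print(f"{mp:30s} {e.fs_type:10s} root={e.root:15s} mount={','.join(e.mount_opts)}")
    print("writable but expected ro:", audit_jail(parse_mountinfo(SAMPLE_MOUNTINFO), "/tmp/jail", ["usr", "ro-usr"]))
```

The practical consequence for a jail built this way: a bind is not made read-only by passing `ro` together with `--bind` in one call; on Linux the per-mount read-only flag is set by a second step, `mount -o remount,bind,ro /tmp/jail/usr`, after which the bound subtree rejects writes while the origin stays writable. Checking `mountinfo` (or `findmnt`, which reads it) rather than plain `mount` output avoids the confusion Robert ran into, since what mount(8) of that era printed came from the options it had recorded in `/etc/mtab` rather than from the kernel.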
