On October 4, 2017 1:07:07 PM GMT+02:00, Jonathan Adams <[email protected]> 
wrote:
>Just as an aside, he completely downplays the benefits (particularly
>with licensed products) of the Solaris zones/containerisation, and the
>complete design differences.
>
>please follow the link to the discussion on Zones vs. Containers ...
>https://blog.jessfraz.com/post/containers-zones-jails-vms/
>
>"Sharing Namespaces ... You can have your application running in one
>container, then in a different container sharing a net namespace you
>can run wireshark and inspect the packets from the first container."
>
>holy sh*t! this is exactly what IMHO Zones were designed to prevent!
>
>Keeping my "cool head" on for a moment ... The fact that this was done
>by design means that the 2 things are not the same, and trying to say
>that converting from one to the other is a bit like saying that you can
>convert from Linux to Windows (or vice versa if we're being kind)
>
>Jon
>
>On 4 October 2017 at 08:28, Joshua M. Clulow <[email protected]> wrote:
>
>> On 2 October 2017 at 03:29, Sriram Narayanan <[email protected]> wrote:
>> > http://www.brendangregg.com/blog/2017-09-05/solaris-to-linux-2017.html
>> >
>> > I'm working on something that will benefit the Illumos community,
>> > but reading this post has deflated my enthusiasm :(
>> 
>> I wouldn't worry about it.  The illumos community is alive and well!
>> 
>> I personally work for Joyent, and SmartOS (our distribution of
>> illumos) is a huge part of what we do; it's definitely not going away.
>> 
>> Good luck with whatever you're working on!
>> 
>> Cheers.
>> 
>> --
>> Joshua M. Clulow
>> Engineer @ Joyent
>> http://blog.sysmgr.org

FWIW, my reading of your quote is that an admin *can* set up this sharing of 
namespace to get certain benefits - where sniffing for IDS purposes by a 
process that the sniffed container's root can not kill in case of container 
compromise can indeed be a benefit. And I believe an admin can set up 
not-sharing there too (and then that should guarantee lack of sniffing from 
other envs, maybe except host OS like our almighty global zone, etc.)

So "shared net namespace" is similar to the non-exclusive IP stack (essentially 
built upon multi-IP single-interface aliases) that we have had since the 
beginning, but don't use often nowadays. Or rather many separate shared 
non-exclusive stacks.

Jim
--
Typos courtesy of K-9 Mail on my Android
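As an added illustration (not part of the thread above), the sharing Jim describes is something an admin can verify rather than assume: on Linux every process exposes its network namespace as the /proc/<pid>/ns/net symlink, so comparing those links shows whether two containers, or an IDS sniffer and the container it watches, really sit in one stack or in isolated ones. Example code written for this post, assuming Linux with /proc mounted and a coreutils readlink; it has no illumos zone equivalent.

```shell
#!/bin/sh
# Assumption: Linux, /proc mounted, readlink available (not illumos).

# Print the network namespace identity of a PID, e.g. "net:[4026531992]".
# Fails (non-zero) if the PID does not exist or /proc/<pid>/ns is unreadable.
netns_of() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# Return 0 if two PIDs share a network namespace, 1 if they are isolated,
# 2 if either namespace could not be read (treat 2 as "unknown", not "safe").
same_netns() {
    a=$(netns_of "$1") || return 2
    b=$(netns_of "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# List every other PID on the host that shares the net namespace of PID $1.
# An admin auditing a container's init PID expects only that container's own
# processes (plus any deliberately attached sniffer) to appear here.
netns_peers() {
    want=$(netns_of "$1") || return 2
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        [ "$p" = "$1" ] && continue
        [ "$(netns_of "$p")" = "$want" ] && echo "$p"
    done
    return 0
}

# Stand-alone use: sh netns_check.sh PID1 PID2
if [ $# -eq 2 ]; then
    if same_netns "$1" "$2"; then
        echo "PIDs $1 and $2 share a network namespace"
    else
        echo "PIDs $1 and $2 are in separate network namespaces (or unreadable)"
    fi
fi
```

Run it as root (or with read access to the target /proc entries) when auditing other users' containers, since unprivileged processes cannot read most foreign /proc/<pid>/ns links.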

------------------------------------------
illumos-discuss
Archives: 
https://illumos.topicbox.com/groups/discuss/discussions/T6060bd522bd42b4d-Mf19c508e738b2efc124a822a
Powered by Topicbox: https://topicbox.com