On Tue, 19 May 2020 21:26:02 -0700 "Greg A. Woods" <wo...@planix.com> wrote:
> So what more is needed, beyond chroot and login classes, to make
> possible the kinds of things like allowing a customer to install web-app
> "plugins" to their instance of a web server? I can't think of
> _anything_ else that's _actually_ needed, other than management
> tooling to make it all clickety-web-GUI-ish. You certainly don't
> need/want to give them root in their chroot.

Some things can be achieved with chroot and various other tools in NetBSD, other things are not going to work with chroot. It's nothing to do with GUI management, but the fundamental architecture of chroot.

I've started looking into this some time ago, as I wanted to partition my applications into isolated zones, without using Xen or other hypervisors. I don't use NetBSD for anything serious, so not concerned about security implications at the moment, as this is mostly a toy project. So it is mainly looking at what NetBSD provides to restrict and manage resources (CPU and memory limits, Veriexec and other security frameworks, Rump, mount_null and mount_union, QoS for disk and network I/O, etc). Not quite sure how this will work out in the end.