Re: Operating system-level virtualization: how to make it?
Laurent:

> Beyond the question, what is the interest to virtualize services. I understand the need to virtualize different machine for OS specific server software, tests and so on.

For the Internet services security reasons - for me.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Operating system-level virtualization: how to make it?
Thank You for Your time and answer, Douglas:

> Unless something has changed, to be really secure, virtualization has to be fully supported in the hardware of the CPU so that there are no CPU instructions that can be issued from within the virtual machine to break out of it. i386/amd64 don't meet that criteria. I don't know what other vendors have, but e.g. IBM's Power architecture does, and provides logical partitions (LPARs) at the firmware level which appear to the OS as a real piece of hardware.

How is it if I see CPU virtualization instructions for, say, amd64?
Re: Operating system-level virtualization: how to make it?
Thank You for Your time and answer, Victor:

> OpenVZ is the best alternative for operating system level virtualization, like Boyd I don't like VServer either. BTW Boyd, Xen is backed up by Citrix, not Novell. ;-) KVM and Xen are hardware virtualization technologies.

Can You argument, at least a bit - just for better understanding of Your opinion?

AFAIK - vserver gives much greater performance - comparing w/ KVM - do not know about OpenVZ.
Re: Operating system-level virtualization: how to make it?
On Wed, May 27, 2009 at 09:39:38AM -0500, Victor Padro wrote:
> On Wed, May 27, 2009 at 8:40 AM, Douglas A. Tutty dtu...@vianet.ca wrote:
> > On Tue, May 26, 2009 at 08:46:49PM +0200, Laurent Guignard wrote:
> > > On Fri, 22 May 2009 18:02:27 +, Sylvain Le Gall wrote:
> > > > On 22-05-2009, Sthu Deus sthu.d...@gmail.com wrote:
> >
> > AFAIK, virtualization on i386/amd64, beyond the os-specific software or testing issues, is a gimmick. It may provide one extra layer for someone to try to break out of but it also adds an extra layer to hold bugs.
>
> There is nothing like LPAR in x86/amd64 architecture. Totally different arch. Believe me I work for the eye bee m company.

That was my point. Unless the hardware provides the virtualization (such as LPARs), then it doesn't accomplish much.

doug.
Re: Operating system-level virtualization: how to make it?
On Wed, May 27, 2009 at 11:18 AM, Douglas A. Tutty dtu...@vianet.ca wrote:
> On Wed, May 27, 2009 at 09:39:38AM -0500, Victor Padro wrote:
> > On Wed, May 27, 2009 at 8:40 AM, Douglas A. Tutty dtu...@vianet.ca wrote:
> > > On Tue, May 26, 2009 at 08:46:49PM +0200, Laurent Guignard wrote:
> > > > On Fri, 22 May 2009 18:02:27 +, Sylvain Le Gall wrote:
> > > > > On 22-05-2009, Sthu Deus sthu.d...@gmail.com wrote:
> > >
> > > AFAIK, virtualization on i386/amd64, beyond the os-specific software or testing issues, is a gimmick. It may provide one extra layer for someone to try to break out of but it also adds an extra layer to hold bugs.
> >
> > There is nothing like LPAR in x86/amd64 architecture. Totally different arch. Believe me I work for the eye bee m company.
>
> That was my point. Unless the hardware provides the virtualization (such as LPARs), then it doesn't accomplish much.
>
> doug.

Agree.

--
It is human nature to think wisely and act in an absurd fashion.

All the world's disorder comes from professions that are badly or mediocrely practiced
Re: Operating system-level virtualization: how to make it?
On Tue, May 26, 2009 at 08:46:49PM +0200, Laurent Guignard wrote:
> On Fri, 22 May 2009 18:02:27 +, Sylvain Le Gall wrote:
> > On 22-05-2009, Sthu Deus sthu.d...@gmail.com wrote:
> > > How I can organize an Operating system-level virtualization on a server for every service I would isolate?
> >
> > Use a chroot (standard) or a vserver (search for vserver in debian archives there is a kernel version and two packages for userland tools). vserver is more flexible and allows you to assign IP address et al.
>
> Beyond the question, what is the interest to virtualize services. I understand the need to virtualize different machine for OS specific server software, tests and so on. Is there anywhere to find when virtualization is the best way to solve a problem and when it isn't?

Unless something has changed, to be really secure, virtualization has to be fully supported in the hardware of the CPU so that there are no CPU instructions that can be issued from within the virtual machine to break out of it. i386/amd64 don't meet that criteria. I don't know what other vendors have, but e.g. IBM's Power architecture does, and provides logical partitions (LPARs) at the firmware level which appear to the OS as a real piece of hardware.

AFAIK, virtualization on i386/amd64, beyond the os-specific software or testing issues, is a gimmick. It may provide one extra layer for someone to try to break out of but it also adds an extra layer to hold bugs.

Doug.
Re: Operating system-level virtualization: how to make it?
On Wed, May 27, 2009 at 8:40 AM, Douglas A. Tutty dtu...@vianet.ca wrote:
> On Tue, May 26, 2009 at 08:46:49PM +0200, Laurent Guignard wrote:
> > On Fri, 22 May 2009 18:02:27 +, Sylvain Le Gall wrote:
> > > On 22-05-2009, Sthu Deus sthu.d...@gmail.com wrote:
> > > > How I can organize an Operating system-level virtualization on a server for every service I would isolate?
> > >
> > > Use a chroot (standard) or a vserver (search for vserver in debian archives there is a kernel version and two packages for userland tools). vserver is more flexible and allows you to assign IP address et al.
> >
> > Beyond the question, what is the interest to virtualize services. I understand the need to virtualize different machine for OS specific server software, tests and so on. Is there anywhere to find when virtualization is the best way to solve a problem and when it isn't?
>
> Unless something has changed, to be really secure, virtualization has to be fully supported in the hardware of the CPU so that there are no CPU instructions that can be issued from within the virtual machine to break out of it. i386/amd64 don't meet that criteria. I don't know what other vendors have, but e.g. IBM's Power architecture does, and provides logical partitions (LPARs) at the firmware level which appear to the OS as a real piece of hardware.
>
> AFAIK, virtualization on i386/amd64, beyond the os-specific software or testing issues, is a gimmick. It may provide one extra layer for someone to try to break out of but it also adds an extra layer to hold bugs.
>
> Doug.

There is nothing like LPAR in x86/amd64 architecture. Totally different arch. Believe me I work for the eye bee m company.

--
It is human nature to think wisely and act in an absurd fashion.

All the world's disorder comes from professions that are badly or mediocrely practiced
Re: Operating system-level virtualization: how to make it?
Thank You for Your time and answer, Sylvain:

> Use a chroot (standard) or a vserver (search for vserver in debian

AFAIK, it is not safe to use chroot - for an evil doer can logout from chroot once it detects it.
Re: Operating system-level virtualization: how to make it?
In 4a1c2c45.1c05d00a.3255.5...@mx.google.com, Sthu Deus wrote:
> Thank You for Your time and answer, Sylvain:
>
> > Use a chroot (standard) or a vserver (search for vserver in debian
>
> AFAIK, it is not safe to use chroot - for an evil doer can logout from chroot once it detects it.

Escaping a good chroot is difficult as a non-root user. However, I'm not sure it is worth worrying about. There have been exploits to escape UML, VServer, Xen, KVM, and KQemu, too.

Of course, chroot isn't really virtualization in the modern sense. Xen, KVM, or VServer are. I don't like VServer personally. Xen has backing from Novell and KVM has backing from RedHat, so I'd choose one of those and go googling for a HOWTO.

--
Boyd Stephen Smith Jr.            ,= ,-_-. =.
b...@iguanasuicide.net            ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy   `-'(. .)`-'
http://iguanasuicide.net/             \_/
Re: Operating system-level virtualization: how to make it?
On Tue, May 26, 2009 at 1:08 PM, Boyd Stephen Smith Jr. b...@iguanasuicide.net wrote:
> In 4a1c2c45.1c05d00a.3255.5...@mx.google.com, Sthu Deus wrote:
> > Thank You for Your time and answer, Sylvain:
> >
> > > Use a chroot (standard) or a vserver (search for vserver in debian
> >
> > AFAIK, it is not safe to use chroot - for an evil doer can logout from chroot once it detects it.
>
> Escaping a good chroot is difficult as a non-root user. However, I'm not sure it is worth worrying about. There have been exploits to escape UML, VServer, Xen, KVM, and KQemu, too.
>
> Of course, chroot isn't really virtualization in the modern sense. Xen, KVM, or VServer are. I don't like VServer personally. Xen has backing from Novell and KVM has backing from RedHat, so I'd choose one of those and go googling for a HOWTO.
>
> --
> Boyd Stephen Smith Jr.            ,= ,-_-. =.
> b...@iguanasuicide.net            ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy   `-'(. .)`-'
> http://iguanasuicide.net/             \_/

OpenVZ is the best alternative for operating system level virtualization, like Boyd I don't like VServer either.

BTW Boyd, Xen is backed up by Citrix, not Novell. ;-)

KVM and Xen are hardware virtualization technologies.

--
It is human nature to think wisely and act in an absurd fashion.

All the world's disorder comes from professions that are badly or mediocrely practiced
Re: Operating system-level virtualization: how to make it?
On Fri, 22 May 2009 18:02:27 +, Sylvain Le Gall wrote:
> Hello,
>
> On 22-05-2009, Sthu Deus sthu.d...@gmail.com wrote:
> > Good day.
> >
> > How I can organize an Operating system-level virtualization on a server for every service I would isolate?
> >
> > Thank You for Your time.
>
> Use a chroot (standard) or a vserver (search for vserver in debian archives there is a kernel version and two packages for userland tools). vserver is more flexible and allows you to assign IP address et al.
>
> Regards,
> Sylvain Le Gall

Hello,

Beyond the question, what is the interest to virtualize services. I understand the need to virtualize different machine for OS specific server software, tests and so on. Is there anywhere to find when virtualization is the best way to solve a problem and when it isn't?

Thanks in advance,
Regards,
Laurent

--
Laurent Guignard, Registered as user #301590 with the Linux Counter
Site : http://www.famille-guignard.org
Blog : http://blog.famille-guignard.org
Project : http://sicontact.sourceforge.net
GULL de Villefranche sur Saône : http://www.cagull.org
Operating system-level virtualization: how to make it?
Good day.

How I can organize an Operating system-level virtualization on a server for every service I would isolate?

Thank You for Your time.
Re: Operating system-level virtualization: how to make it?
Hello,

On 22-05-2009, Sthu Deus sthu.d...@gmail.com wrote:
> Good day.
>
> How I can organize an Operating system-level virtualization on a server for every service I would isolate?
>
> Thank You for Your time.

Use a chroot (standard) or a vserver (search for vserver in debian archives there is a kernel version and two packages for userland tools). vserver is more flexible and allows you to assign IP address et al.

Regards,
Sylvain Le Gall