On Sat, Oct 04, 2008 at 01:14:59PM +0100, Nick Kew wrote:
Note also that (with no disrespect meant to Nick) a common newbie
behavior is to latch onto some random interface and attempt to bend it
to solve the problem at hand, whether or not it's the intended way to
solve that problem.
That
On 3 Oct 2008, at 21:46, Dan Price wrote:
Nick, I think this is an interesting idea, but I must caution you
that zone_enter(2) isn't a public API, and using it correctly is
truly non-trivial.
Indeed, that's the impression I have, and seems to be a dominant theme
in other replies to my post.
On 3 Oct 2008, at 23:02, Jordan Brown wrote:
Nicolas Williams wrote:
On Fri, Oct 03, 2008 at 02:37:28PM -0700, Jordan Brown wrote:
Nick is trying to isolate virtual systems, not users. I've seen this
That was, obviously, not the impression that I got. It's trivial to
separate virtual
On 3 Oct 2008, at 22:37, Jordan Brown wrote:
Nick is trying to isolate virtual systems, not users. I've seen this
problem on my personal hosting providers - my CGI scripts run as the
same user as everybody else's, in the same file system. We'd better all
trust each other. That's OK for
Nick Kew wrote:
(Note, incidentally, that the picture might be different for a Java
server, where the Java byte code for the application and a bunch of
overhead objects might well fall into that sharable bucket.)
Would that apply to similar bytecode like Python, which is commonly run
I can find plenty of documentation for using zones, but none
for programming with them. The best I can get is the .h files
(undocumented), and random snippets from googling.
In the Apache webserver community, we have a lot of demand from
hosting companies and their users for better separation of
Hi Nic,
I have the feeling you are on the wrong track, if you want to start and
maintain an apache server from the global zone and then fork worker procs
into the zones.
This is not intended and also not needed - and here is why:
Security:
From the zones point of view, it cannot see the
On Fri 03 Oct 2008 at 03:27PM, Nick Kew wrote:
In normal operation, copy-on-write gives us this model for free.
Does copy-on-write work across a zone_enter()?
Yes.
In the past, we've had some efforts to improve separation, based on
worker children running under different user IDs. See for
On Fri, Oct 03, 2008 at 03:27:38PM +0100, Nick Kew wrote:
In the past, we've had some efforts to improve separation, based on
worker children running under different user IDs. See for example
the perchild MPM at apache.org. There's a lot of demand for
perchild-like solutions, but no really
You and Dan both talked about user authentication and therefore the need
for the zone_enter to happen late, but I don't think that's part of
the picture here at all.
Nick is trying to isolate virtual systems, not users. I've seen this
problem on my personal hosting providers - my CGI scripts
On Fri, Oct 03, 2008 at 04:18:23PM -0500, Nicolas Williams wrote:
- You probably don't actually need zones for this. Just being able to
isolate processes by making them run as different UIDs will suffice.
- Though, of course, to the extent that different sites hosted on the
On Fri, Oct 03, 2008 at 02:37:28PM -0700, Jordan Brown wrote:
Nick is trying to isolate virtual systems, not users. I've seen this
That was, obviously, not the impression that I got. It's trivial to
separate virtual systems by just running them in zones. But if I
misread what Nick was asking,
Nicolas Williams wrote:
On Fri, Oct 03, 2008 at 02:37:28PM -0700, Jordan Brown wrote:
Nick is trying to isolate virtual systems, not users. I've seen this
That was, obviously, not the impression that I got. It's trivial to
separate virtual systems by just running them in zones. But if I
13 matches