All,
For those interested in giving the OpenSolaris-based Immutable Service
Containers a try, I would encourage you to try out the latest version
of the code posted to the Kenai site:
http://kenai.com/projects/isc/pages/OpenSolaris
The Mercurial repository is at:
http://kenai.com/projects/isc/sources/source/show
In a nutshell, the functionality provided by this technology preview
includes:
* built upon the OpenSolaris 2009.06 release
* NEW: (optional) loose minimization support to help those building
  and sharing images
* security hardening of the operating system
  o based upon the OpenSolaris VMI Hardening project
* non-executable stack functionality enabled (on systems supporting
  this functionality)
* encrypted swap enabled
* encrypted scratch space enabled
  o default size is 100 Mbytes (customize as needed)
* kernel-level auditing enabled
  o default policy audits logins/logouts, administrative events,
    and all commands executed on the system
  o audit syslog plugin configured (/var/log/auditlog)
* stateful packet filtering enabled
  o packet filtering syslog plugin configured (/var/log/ipflog)
  o in-bound network access denied by default (except SSH)
  o out-bound network access permitted by default (customize as
    needed)
* a single non-global zone installed
  o NEW: gzip compressed root file system
  o building upon default non-global zone security capabilities
  o unique VNIC limiting visibility of unintended network traffic
  o encrypted scratch space
  o stateful packet filtering and NAT to restrict network access
  o network access denied if IP address is changed
  o in-bound network access denied by default (customize for your
    service)
  o out-bound network access permitted by default (customize as
    needed)
  o DNS and auditing configurations inherited from the global zone
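To make the packet filtering and auditing defaults above concrete, here is what those settings look like in OpenSolaris 2009.06 configuration files. This is an added illustration written for this post, not the ISC project's own files from the Kenai repository; the interface name e1000g0, the /var/audit directory, the 20% minfree value, and the local0 facility for ipmon are assumptions, so compare against what the repository actually ships before relying on it.

```conf
# /etc/ipf/ipf.conf (global zone) -- illustrative, not the ISC project's file.
# e1000g0 is an assumed interface name; substitute the real NIC.
# Default-deny in-bound: logged so the dropped packets reach /var/log/ipflog.
block in log on e1000g0 all
# The one in-bound exception: new SSH connections. "quick" stops rule
# evaluation on a match and "keep state" admits the rest of the session.
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S keep state
# Out-bound permitted by default; state entries let the replies back in
# without needing any further in-bound pass rules.
pass out quick on e1000g0 all keep state

# /etc/security/audit_control -- illustrative policy matching the list above.
# Audit classes: lo = logins/logouts, ad = administrative actions,
# ex = program execution (i.e. every command run on the system).
dir:/var/audit
flags:lo,ad,ex
minfree:20
naflags:lo,ad
# audit_syslog plugin: forward the same classes to syslog as well as to
# the binary audit trail in /var/audit.
plugin:name=audit_syslog.so;p_flags=lo,ad,ex

# /etc/syslog.conf -- illustrative; the selector and file must be separated
# by a TAB, not spaces, or syslogd ignores the line.
# audit_syslog writes at facility audit, priority notice.
audit.notice	/var/log/auditlog
# ipmon -s uses facility local0 by default (assumption; check ipmon(1M)).
local0.debug	/var/log/ipflog
```

In the non-global zone the same shape applies, with the zone's VNIC in place of e1000g0 and the in-bound pass rule changed from port 22 to whatever port the service you are containing actually listens on; the audit settings are inherited from the global zone, so they do not need to be repeated there.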
I am working on publishing a pre-configured OVF image that includes all
of the above + Apache pre-configured and running in the non-global zone.
I will send an update once I have found a home for it (it is about
1.4 GB). You can, however, create your own using the steps documented at
the URL above.
I also would like to thank everyone who has provided feedback thus far!
It has been great! Keep it coming!
I am starting to work on an update that will support ZFS crypto so let
me know if there are other things that you would like to see added!
g