On Sun, Feb 22, 2004 at 08:56:06PM +0200, Alex Lyahkov wrote:
> On Sun, 22.02.2004, at 19:27, Herbert Poetzl wrote:
> > Hi Folks!
> > 
> > some people asked me about the 'advanced' features
> > FreeVPS provides over the Linux-Vserver patches ...
> > 
> > so here is the 'list' provided at the FreeVPS site
> > http://www.freevps.com/docs/faq.html#General3
> > and my comments/questions to that ...
> > 
> > > FreeVPS extends the original Linux VServer functionality.
> > > FreeVPS implementation includes the FreeVPS kernel patch and FreeVPS
> > > tools. Together they add the following new features to VPS:
> > 
> > > * Limits on:
> > >   - total memory usage
> > >   - resident memory size
> > 
> > in Linux-VServer, VM is accounted and enforced, RSS only accounted,
> > I don't know what 'total memory usage' means ...
> The current version (in release candidate state, to be released a few
> days later) implements a new variant of memory accounting, based on rmaps.
> The old variant implements the same memory accounting model as VServer:
> counting total address space.

this is for 2.6.x or 2.4.x with or without the rmap patches?

> > >   - number of processes
> > 
> > is accounted and enforced, as all limits, can be changed at runtime
> > 
> > >   - disk usage quota
> > 
> > this is handled by the Quota Disk Limit (included in the quota patch)
> > 
> > >   - file handles
> > >   - tcp sockets
> > 
> > both are not accounted yet, and not limited.
> > 
> > > * Advanced context management:
> > >   - create/destroy a context
> > >   - enter a context
> > 
> > well, that is basic functionality ...
> > 
> > >   - running status
> > 
> > vserver-stat and /proc/virtual provide this ...
> > 
> > >   - enable/disable creating new processes in a context
> > >   - send signal to all processes in context
> > 
> > this is done with the vkill command (via syscall since 1.1.6)
> > 
> > > * inodes attributes management:
> > >   - context tag
> > 
> > xid tagging is used by Quota Disk Limits and Per Context Quota
> > and it comes in 3 flavours (UID32/GID16, UID24/GID24 and UID32/GID32)
> > 
> > >   - flag for files shared between contexts
> > 
> > don't know what this is, but might be the IUNLINK flag
> No. This flag allows a reader to read files owned by another context.
> Base functionality for uninfected VPS. I don't know how you would read
> an inode from context 0 in context 5, for example.

xid=0 files are visible and accessible for xid!=0,
only xid=N (with N>0) files are not accessible in context M (N != M)

> > >   - immutable flag
> > 
> > well if that is what it says, then it's basic linux stuff
> > 
> > ---
> > 
> > so after this shoot out ;) the following differences
> > seem to remain:
> > 
> > > * Limits on:
> > >   - resident memory size
> > >   - file handles
> > >   - tcp sockets
> > 
> > > * Advanced context management:
> > >   - enable/disable creating new processes in a context
> > 
> > and I don't know the FreeVPS status of the following
> > Linux-VServer features:
> > 
> > - vroot device (security)
> What? Only for disk quota?
> FreeVPS has a correct virtual root, and is not
> affected by any chroot attacks.

well, that won't help much to prevent the direct access to a shared
block device you want to run quota tools on, but I assume you do
something else to prevent unwanted access ...

> > - Token Bucket scheduler stuff (Sam)
> FreeVPS has a load balancer and is planning to add CPU QoS.

any details about those plans?

> > - uts_name modifications (stealth)
> FreeVPS has it, and more, beyond VServer.

> > - procfs security
> > - uptime virtualization
> > - reboot userspace helper
> 
> Linux VServer does not have:
> 1) virtual network devices with bandwidth shaper

that is correct, but similar can be done with tc and iptables/netfilter

> 2) private routing tables, including private loopback.
> 3) private routing caches

correct

> (2 and 3 are needed to correctly select the packet source address.)

hmm, well, it seems that isn't an issue anymore ..

> 4) Correct (rmap based) memory accounting. Herbert, please try using your
> memory accounting on a high-load web server with apache1 or other fork-based
> programs.

will/should this change anything? what do you expect?
what did your 'test' show in this regard?

> 5) A correctly created private namespace, not affected by any chroot
> exploit.

this is done in experimental (with alpha tools) and mostly in userspace
(only the enter requires kernel help)

> 6) CAP_NET_ADMIN/CAP_SYS_RESOURCE can be used inside a VPS without
> security problems.

which means?

TIA,
Herbert

PS: did you change your last name from Lyashkov to Lyahkov or is/was it 'just' incorrectly spelled?

PPS: would like to have a look at a recent FreeVPS version, what do I need and where do I get it?

> -- 
> Alex Lyahkov <[EMAIL PROTECTED]>
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
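Herbert's remark that per-guest bandwidth shaping "can be done with tc and iptables/netfilter" is the kind of thing a reader of this thread would want spelled out. The script below is an added example written for this page; it is not code from the thread, from Linux-VServer or from FreeVPS. It marks a guest's outgoing packets by source address in the mangle table, then steers that fwmark into a rate-limited HTB class. The device name (eth0), the guest address, the mark numbers and the rates are constructed assumptions, and the script only prints the commands unless DRY_RUN=0 is set, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example: egress shaping per guest with HTB + netfilter fwmark.
# Constructed assumptions: interface eth0, guest address 10.0.0.5, 2mbit cap.
# DRY_RUN=1 (the default) prints each command instead of executing it.

DEV="${DEV:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the root HTB qdisc once. Traffic that matches no guest filter
# falls into class 1:1, which is effectively unshaped.
shaper_init() {
    run tc qdisc add dev "$DEV" root handle 1: htb default 1
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate 1000mbit
}

# Add one guest.
#   $1 = fwmark (1..999, also used to derive the class id)
#   $2 = guest IPv4 address (the -s match is what ties packets to the guest)
#   $3 = rate and ceiling for the guest, e.g. 2mbit
shaper_add_guest() {
    mark="$1"; ip="$2"; rate="$3"
    classid="1:$((mark + 100))"
    # Mark the guest's packets as they leave through $DEV.
    run iptables -t mangle -A POSTROUTING -s "$ip" -o "$DEV" -j MARK --set-mark "$mark"
    # A leaf class whose ceil equals its rate: the guest cannot borrow bandwidth.
    run tc class add dev "$DEV" parent 1: classid "$classid" htb rate "$rate" ceil "$rate"
    # The fw classifier routes packets carrying $mark into that class.
    run tc filter add dev "$DEV" parent 1: protocol ip handle "$mark" fw flowid "$classid"
}

# Remove everything the two functions above installed.
shaper_teardown() {
    run tc qdisc del dev "$DEV" root
    run iptables -t mangle -F POSTROUTING
}
```

Usage: `shaper_init; shaper_add_guest 5 10.0.0.5 2mbit` prints the four tc/iptables commands for guest 5; rerun with `DRY_RUN=0` as root to apply them. Only egress is shaped here; ingress would need an ifb device or policing, which this example leaves out.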
