Hi all, what about offering the vserver user (=administrator) to select between two possible ways of using networking:
- first, the traditional way: interface aliases, allowing maximum performance with the limitation that vserver's root should either be very trustful or "a little bit" limited in his networking possibilities. This is no problem for companies using vserver as an easy to implement "warm-stand-by"-solution - being root on both the vserver and the host server. But it IS a problem for webhosting companies offering "virtual root servers", as their customers will often run into trouble, getting angry about things not working the way they like it.

- second, the in my opinion easiest way to offer full access to a network interface: giving the vserver full access to only one or to a small set of interfaces on the host (not aliases). A simple way to do this would be, as stated before, using a virtual bridge inside the host server, tun/tap devices (one or more for each vserver) and a small modification to the vserver patches allowing to give a vserver limited view and full access to one or more of the host's interfaces - nothing more.

Something like this will be the only "non-very-intrusive" solution to allow full network support inside a vserver. Everything else would mean hard work to implement some wicked workaround to separate per context networking - probably creating security problems.

Is it a big problem to implement the second way (in addition to the currently working first one)? Herbert? (I haven't been here this weekend so no IRC - sorry).

Vserver administrators would have the choice of which solution they would use, maybe even for different vservers on the same host.

The only thing that still remains: virtual loopback support...

ciao
thomas

--
Thomas Gelf <[EMAIL PROTECTED]>
