Herbert Poetzl wrote:
On Wed, May 10, 2006 at 02:46:34PM -0400, Fareha Shafique wrote:
After asking various questions about unification, I don't think vhashify
quite supports what I have in mind. I wanted to get some opinions/ideas
from the users of this mailing list.
I am thinking if vservers can somehow be used to provide MAC (Mandatory
Access Control) through containers. For example, a vserver shares the
same filesystem as the host server, with read and write access to the
host files being defined through a set of MAC policies. In this way,
different policies can be defined for different vservers. Also, writes
can be contained within a vserver (so that if a file is written to, a
copy is made in the vserver's space) and integrated with the host only
through explicit 'commits' to allow, for example, new configurations to
be tested in an environment exactly the same as the host server and then
transferred to the host using a commit.
Any comments please?
sounds interesting, any ideas how to realize this?
Well, my first impression of vservers was that it provided a kind of
containment that I have mentioned. I mean after quickly going over the
short introduction, I thought that a vserver has read only access to the
host server's files and CoW is used whenever the vserver modifies a file.
However, after installing a vserver, I realized this was not the case.
And after asking a few questions on the mailing list, I learnt that
there is no direct way to do this. I was hoping to find out what some of
those involved in the development of linux-vserver thought about the
feasibility of this idea.
So basically, at the moment, I don't really have much idea how to
realize this, but I am hoping those more involved with vserver will have some
ideas to share :)
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver