I can find plenty of documentation for using zones, but none for programming with them. The best I can get is the .h files (undocumented), and random snippets from googling.
In the Apache webserver community, we have a lot of demand from hosting companies and their users for better separation of different users and virtual hosts - for example, strong protection of a user's database access from other users of a (physical) host.

I'm looking at a virtualised version of the server based on zones. The basic idea is that apache will run in different zones, which are then protected from each other. At the same time, it should be lighter-weight than a full-blown virtualbox, with code and static non-sensitive data (configuration read at startup) shared, but all per-request data private. In normal operation, copy-on-write gives us this model for free. Does copy-on-write work across a zone_enter()?

Currently the Apache httpd model includes:

* Server starts up, reads general configuration, loads modules, etc.
* Apache forks one or more worker children, each with one or more threads.
* Worker processes drop privileges before accepting connections from the 'net.
* There's no association between workers and hosts or users. Workers are shared between all users.

In the past, we've had some efforts to improve separation, based on worker children running under different user IDs. See for example the perchild MPM at apache.org. There's a lot of demand for perchild-like solutions, but no really satisfactory solution.

My proposal is to provide an option whereby worker children perform a zone_enter before accepting connections or reading application-sensitive data. This of course assumes apache is started up in the root zone. Each zone will be the home for one or more virtualhost. It should be possible for zones to have different sizes (numbers of worker threads) and bandwidths (through crossbow), and other customisations. But the primary purpose - and I believe a huge selling-point - is the increased security of this virtualisation.
Is there anywhere I can get the programmer documentation to get started on this work, beyond dabbling blindly with examples found on the 'net?

-- 
Nick Kew

zones-discuss mailing list
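The worker start-up sequence proposed in the post (fork in the global zone, zone_enter, drop privileges, then accept), written out as an added example; this is not code from the post or from Apache httpd. It assumes the undocumented libc wrappers zone_enter() and zone_lookup() from <sys/zone.h> on Solaris/illumos, and the zone name "web1" is a placeholder; on a non-Solaris host the zone step reports ENOSYS and only the privilege-drop step runs.

```c
/* Added example: worker child moves into its zone, then drops privileges.
 * Assumes <sys/zone.h> zone_enter()/zone_lookup() (undocumented libc
 * wrappers on Solaris/illumos); "web1" is a placeholder zone name. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __sun
#include <zone.h>       /* getzoneid(), GLOBAL_ZONEID */
#include <sys/zone.h>   /* zone_enter(), zone_lookup() */
#endif

/* Step 1: move this child, still in the global zone and before any
 * threads are created, into the named zone.  0 on success, -1 + errno. */
int worker_enter_zone(const char *zonename)
{
#ifdef __sun
    zoneid_t zid;
    if (getzoneid() != GLOBAL_ZONEID) { errno = EPERM; return -1; }
    zid = zone_lookup(zonename);
    if (zid == -1) return -1;             /* zone not found / not running */
    if (zone_enter(zid) != 0) return -1;  /* needs privilege; call early */
    if (getzoneid() != zid) { errno = EAGAIN; return -1; }
    return 0;
#else
    (void)zonename;
    errno = ENOSYS;                        /* no zones on this platform */
    return -1;
#endif
}

/* Step 2: drop privileges and verify they cannot be regained. */
int worker_drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must stay unprivileged */
    return 0;
}

int main(void)
{
    if (worker_enter_zone("web1") != 0)
        fprintf(stderr, "zone_enter: %s\n", strerror(errno));
    if (worker_drop_privileges(getuid(), getgid()) != 0)
        return 1;
    /* the accept() loop would start here, inside the zone */
    return 0;
}
```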