On Sat, Oct 04, 2008 at 01:14:59PM +0100, Nick Kew wrote:
> >Note also that (with no disrespect meant to Nick) a common newbie
> >behavior is to latch onto some random interface and attempt to bend it
> >to solve the problem at hand, whether or not it's the intended way to
> >solve that problem.
> That may indeed be the case.  Though I should add, my newbiedom
> applies to Solaris kernel goodies, not to Apache or web-serving
> (guess it's time to attach my apache book .sig:-)  I'm exploring
> (or, if you prefer, latching on to) the possibility of a strong solution
> to a long-standing problem.

[Responding out of order...]

Let's start with a definition of the problem, then we can gather
requirements and design a solution.

> >Remember that "user" is a relative term.  The "user" of a hosting
> >company is the hosting customer, *not* the guy behind the web browser.
> Exactly.  The zone_enter will happen at server startup.  To have it
> happen per-request in the server would imply an enormous overhead,
> because it's a complete misfit to the Apache architecture.  CGI could
> perhaps do it in a similar manner to the existing setuid wrapper, but
> that's a lesser solution to a less-interesting problem.

OK, so this is about website virtualization.

A couple things:

1) Today the only reliable way to do website virtualization is to give
   each site its own IP address(es).

   That's because both TLS and HTTP originally did not have a way for
   the client to tell the server what name the client used for it.

   Both TLS and HTTP have that now, but you can't necessarily count on
   all clients having that support, particularly for TLS.

2) Assuming that you can demand clients that speak HTTP/1.1 and TLS
   1.1+, then you could avoid (1) and still use zones for isolation.

   It sounds to me like that's what you're trying to do, that this is
   your problem definition: "Web server virtualization without requiring
   per-site IP addressing."

Assuming that I guessed your problem definition more or less correctly,
and assuming you can get away with the TLS/HTTP client requirement
(particularly the TLS requirement) then this would be very, very cool.

It'd be a feature that no other {OS, web server} pair has, and it might
help us gain more traction in the web hosting business.

This feature will be somewhat tricky.

Ideally you'd not go anywhere near zone_enter().

Instead you'd have the primary web server zone use IPC to get per-site
zones to execute a request and return the response to the primary web
server zone, which would then send it back to the client.

What's tricky here is getting the web server code to support this IPC

 - The GZ needs to arrange for the IPC end-points (doors, probably) to
   be available in the primary web server zone to talk to the per-site

 - The web server needs to learn how to use that IPC, including passing
   all relevant information to the per-site servers;

 - The zoned web server code needs to know how to fake the environment
   to the server application (CGI, ...);

 - It's possible that some apps might need changes to run in this zoning

zones-discuss mailing list
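
An added example, not part of the original message and not Solaris or Apache code: before a primary web server zone can hand a TLS connection to a per-site zone by name, it has to read the server_name (SNI) extension out of the still-unencrypted ClientHello, and notice when a client sent none. The function name, return convention and sample bytes are assumptions made for this example; it assumes the whole ClientHello arrives in one TLS record.

```c
#include <string.h>

/* Bounds-checked cursor over untrusted bytes. */
struct cur { const unsigned char *p; size_t n; };

/* Split off k bytes into *out (if non-NULL); -1 if fewer than k remain. */
static int take(struct cur *c, size_t k, struct cur *out) {
    if (c->n < k) return -1;
    if (out) { out->p = c->p; out->n = k; }
    c->p += k; c->n -= k;
    return 0;
}
/* Read a w-byte big-endian length, then split off that many bytes. */
static int take_vec(struct cur *c, size_t w, struct cur *out) {
    struct cur l; size_t len = 0;
    if (take(c, w, &l)) return -1;
    for (size_t i = 0; i < w; i++) len = (len << 8) | l.p[i];
    return take(c, len, out);
}

/* Returns host length (>0), -1 if malformed, or 0 if the client sent no
   SNI (such a client can only be served by a site with its own IP). */
int sni_from_client_hello(const unsigned char *buf, size_t len, char *host, size_t cap) {
    struct cur c = { buf, len }, hs, body, exts, ext, list, name, t;
    if (take(&c, 3, &t) || t.p[0] != 0x16) return -1;      /* handshake record */
    if (take_vec(&c, 2, &hs)) return -1;                   /* record payload */
    if (take(&hs, 1, &t) || t.p[0] != 0x01) return -1;     /* ClientHello */
    if (take_vec(&hs, 3, &body) || take(&body, 34, NULL)) return -1; /* version, random */
    if (take_vec(&body, 1, NULL) || take_vec(&body, 2, NULL) ||
        take_vec(&body, 1, NULL)) return -1;   /* session id, suites, compression */
    if (body.n == 0) return 0;                 /* client sent no extensions */
    if (take_vec(&body, 2, &exts)) return -1;
    while (exts.n > 0) {
        if (take(&exts, 2, &t) || take_vec(&exts, 2, &ext)) return -1;
        if (t.p[0] != 0 || t.p[1] != 0) continue;          /* type 0 = server_name */
        if (take_vec(&ext, 2, &list)) return -1;
        if (take(&list, 1, &t) || t.p[0] != 0) return -1;  /* name_type host_name */
        if (take_vec(&list, 2, &name) || name.n == 0 || name.n >= cap) return -1;
        if (memchr(name.p, 0, name.n)) return -1;          /* reject embedded NUL */
        memcpy(host, name.p, name.n); host[name.n] = '\0';
        return (int)name.n;
    }
    return 0;
}

/* Constructed sample: minimal ClientHello carrying SNI "a.example". */
const unsigned char SAMPLE[70] = { 0x16,3,1,0,65, 1,0,0,61, 3,2, [43]=0,
    0,2,0,0x2f, 1,0, 0,18, 0,0,0,14, 0,12, 0,0,9, 'a','.','e','x','a','m','p','l','e' };
int main(void) { char h[256]; return sni_from_client_hello(SAMPLE, sizeof SAMPLE, h, sizeof h) == 9 ? 0 : 1; }
```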
