| |||||||||||||
The isolate utilityThe isolate utilityPosted Jan 5, 2010 17:38 UTC (Tue) by brouhaha (guest, #1698)Parent article: The isolate utility There's been a Linux implementation of the BSD Jail functionality for many years, though it was never merged. Is this better?
(Log in to post comments)
The isolate utility Posted Jan 5, 2010 21:34 UTC (Tue) by drag (subscriber, #31333) [Link] No.If you want BSD Jail style functionality with Linux then you'll want to use LXC or use 'Vserver' or 'OpenVZ' kernel patches. These are proper things designed to compartmentalize the OS and setup light weight virtualization that is intended to be used for security reasons. LXC has the ability to create isolated PID namespaces, allow secure access to /proc. and all that sort of thing for the purpose of creating virtual machines. Allows for a high degree of application compatibility and effective can make root (running in those VMs) a unprivileged user. They are similar to the 'Solaris Containers' type thing. As far as I can tell this project depends on chroot, which is not really a proper security tool. It never was intended to be.
The isolate utility Posted Jan 5, 2010 22:07 UTC (Tue) by drag (subscriber, #31333) [Link]
This page has a nice overview of LXC and how to use it to isolate a
application:
http://lxc.sourceforge.net/lxc.html
If you go to the sourceforge page it'll tell you what part of the LXC
With Linux 2.6.29 LXC should be fully functional.
Besides the whole isolation aspect of it you can use it for freezing and
|
|||||||||||||