
CRtools 0.1 released


Posted Jul 25, 2012 1:46 UTC (Wed) by TRS-80 (subscriber, #1804)
In reply to: CRtools 0.1 released by price
Parent article: CRtools 0.1 released

Who uses KVM then? Linux shops? RHEV?



CRtools 0.1 released

Posted Jul 25, 2012 1:53 UTC (Wed) by theophrastus (guest, #80847)

and, dammit [wink], what specific use are they making of these? give me the name of a program/process/"application" that one is running in one image and another name (which i suppose could be the same) that's running in another image and how that's useful relative to just two processes in a single image.
(thankee!) (just trying to understand how multiple kernel images that are nearly the same are used)

CRtools 0.1 released

Posted Jul 25, 2012 2:09 UTC (Wed) by dskoll (subscriber, #1630)

OpenVZ containers are quite isolated. So you can give someone root in one container and that doesn't allow him/her any access in another container or in the host system (barring bugs, of course.)

You can also apply resource limits to OpenVZ containers so a fork bomb in one container doesn't bring down the system or affect other containers.

OpenVZ is analogous to Solaris Zones with similar use cases.

CRtools 0.1 released

Posted Jul 25, 2012 2:55 UTC (Wed) by theophrastus (guest, #80847)

ah. so it's "security". protecting the system (as a whole) against users who have root access. thank you! i think that answers my question as well as i've been able to express it.

CRtools 0.1 released

Posted Jul 25, 2012 12:17 UTC (Wed) by Lennie (guest, #49641)

It is like chroot, yes.

LXC is a bit more flexible in what it can be I believe, but normally OpenVZ, Linux V-Server and others are like a separate process- and filesystem-namespace with sometimes a separate network stack (in the case of the filesystem, that just means, each container is a separate directory).

Or as Jonathan Corbet described it on this site:

> "Containers" can be thought of as a lightweight form of virtualization. Virtualized guests appear to be running on their own dedicated hardware; containers, instead, run on the host's kernel, but in an environment where they appear to have that kernel to themselves. The result is more efficient; it is typically possible to run quite a few more containerized guests than virtualized guests on a given system. The cost, from the user's point of view, is flexibility; since virtualized guests can run their own kernel, they can run any operating system while containerized guests are stuck with what the host is running.

CRtools 0.1 released

Posted Jul 25, 2012 15:04 UTC (Wed) by mathstuf (subscriber, #69389)

> So you can give someone root in one container and that doesn't allow him/her any access in another container or in the host system (barring bugs, of course.)

You can't give root to A in a container and access to the filesystem from the main system as any user. Simply make a suid executable in the container and execute from the main system. Unless uids are jailed as well (and appear on disk as some offset from "root" permissions).

CRtools 0.1 released

Posted Jul 25, 2012 16:22 UTC (Wed) by josh (subscriber, #17465)

Containers handle UIDs, yes; root in a container does not necessarily correspond to root in the parent container.
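
The uid offset discussed in the two comments above can be checked from the host. The following is an added example, not part of the thread or of any project it mentions: it assumes the mapping is available as text in the Linux `/proc/<pid>/uid_map` format (the thread names no mechanism) and reports whether container root is the same uid as host root. The sample maps and all function names are constructed for illustration.

```python
# Added example. Each uid_map line is:
#   <first uid inside> <first uid outside> <number of uids in the range>
SAMPLE_IDENTITY = "0 0 4294967295\n"   # constructed: no remapping at all
SAMPLE_OFFSET = "0 100000 65536\n"     # constructed: uids shifted by 100000


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError("invalid extent in line: %r" % line)
        extents.append((inside, outside, count))
    return extents


def to_host_uid(extents, container_uid):
    """Translate a uid seen inside the container to the uid the host sees.

    Returns None when the uid has no mapping.
    """
    for inside, outside, count in extents:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def audit(text):
    """Summarise whether files owned by container root are owned by host root."""
    extents = parse_uid_map(text)
    host_uid = to_host_uid(extents, 0)
    return {
        "container_root_on_host": host_uid,
        # True means a set-uid root file made in the container is also
        # set-uid root when seen from the host filesystem.
        "shares_host_root": host_uid == 0,
    }


if __name__ == "__main__":
    for name, sample in (("identity", SAMPLE_IDENTITY), ("offset", SAMPLE_OFFSET)):
        print(name, audit(sample))
```
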

CRtools 0.1 released

Posted Jul 25, 2012 2:30 UTC (Wed) by cmccabe (guest, #60281)

You can think of OpenVZ and LXC as better versions of chroot. Unlike chroot, they were designed to be secure against root inside the container.

I know that shared hosting providers use OpenVZ to give multiple users accounts on the same machine that look like root, but which can't interfere with the other users too much.

You could use virtual machines for the same thing, but it isn't as efficient. The main advantage is that with VMs you can offer Windows hosting, or hosting on more than one Linux kernel version.

I don't know exactly why Amazon still uses Xen instead of KVM, but I think at least part of it has to do with the fact that Xen came out first.

CRtools 0.1 released

Posted Jul 25, 2012 2:00 UTC (Wed) by miguelzinho (guest, #40535)


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds