Hans-Thomas Mueller wrote:

> Another option instead of Xen or SELinux is to set up vservers, with
> Grsec+Pax. The performance impact is minimal but you still get clean
> and isolated environments for your services.

I have a test server running under vserver and it was very easy to get
it up and running, and although there appear to be some slight
complications with networking, it's a really cool system. Thumbs up.

I look forward to flexing this system a bit more, but the big win seems
to be that all the memory and disk is still shared, unlike under Xen
where you allocate it out and have to live with your decisions.

In the case where you don't normally expect hostile users to be trying
to run more CPU or disk than they should, this is an enormously more
flexible solution. For sure Xen may make more sense for certain hosted
environments though (and you can pin VM machines down to certain limits
even on vserver).

Give it a whirl - there are pre-merged patch sets for vserver + grsec +
pax.

Ed W
--
gentoo-hardened@g.o mailing list