| 1 |
Hans-Thomas Mueller wrote: |
| 2 |
> Another option instead of Xen or SELinux is to set up vservers_, with |
| 3 |
> Grsec+Pax. The performance impact is minimal but you still get clean |
| 4 |
> and isolated environments for your services. |
| 5 |
|
| 6 |
I have a test server running under vserver and it was very easy to get |
| 7 |
it up and running, and although there appear to be some slight |
| 8 |
complications with networking, it's a really cool system. Thumbs up |
| 9 |
|
| 10 |
I look forward to flexing this system a bit more, but the big win seems |
| 11 |
to be that all the memory and disk is still shared, unlike under Xen |
| 12 |
where you allocate it out and have to live with your decisions. |
| 13 |
|
| 14 |
In the case where you don't normally expect hostile users to be trying |
| 15 |
to run more CPU or disk than they should then this is an enormously more |
| 16 |
flexible solution. For sure Xen may make more sense for certain hosted |
| 17 |
environments though (and you can pin VM machines down to certain limits |
| 18 |
even on vserver) |
| 19 |
|
| 20 |
Give it a whirl - there are pre-merged patch sets for vserver + grsec + |
| 21 |
pax. |
| 22 |
|
| 23 |
Ed W |
| 24 |
-- |
| 25 |
gentoo-hardened@g.o mailing list |
Archives