vserver Howto/FAQ


How does this differ from the BSD jail system call?

It differs a little. It is somewhat more flexible because it uses three system calls (chroot, set_ipv4root, new_s_context) to do the job, so each system call may be used independently.

For example, if you want to limit the xinetd service in the root server to a single IP, you can run:

	/usr/sbin/chbind --ip eth0 /etc/rc.d/init.d/xinetd restart

The package provides v_xinetd for this purpose, so you need very little reconfiguration to get this going: no fiddling in configuration files and so on.
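
A check one might run after the chbind restart above, as an added example that is not part of the vserver package: it lists the TCP listeners of a named process that are not on the expected address. It assumes input in the format of `ss -H -ltnp` and that a restricted service is displayed with its assigned address; the function names, the address 192.0.2.10 and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the vserver package.
# Reads `ss -H -ltnp` output on stdin
# (columns: State Recv-Q Send-Q Local Peer Process).

# off_address_listeners PROCESS EXPECTED_IP
# Prints the local address of every listening socket owned by PROCESS
# that is bound to something other than EXPECTED_IP. Prints nothing if clean.
off_address_listeners() {
    awk -v proc="$1" -v ip="$2" '
        # Match the quoted process name literally, wherever it sits in users:(...)
        $1 == "LISTEN" && index($0, "(\"" proc "\",") {
            laddr = $4
            addr = laddr
            sub(/:[0-9]+$/, "", addr)    # strip trailing :port
            sub(/%.*$/, "", addr)        # strip interface scope such as %lo
            gsub(/^\[|\]$/, "", addr)    # strip IPv6 brackets
            if (addr != ip) print laddr
        }'
}

# Constructed sample: xinetd has one listener on the intended address
# and two wildcard listeners that escaped the restriction.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 64 192.0.2.10:23 0.0.0.0:* users:(("xinetd",pid=1044,fd=5))
LISTEN 0 64 0.0.0.0:21 0.0.0.0:* users:(("xinetd",pid=1044,fd=6))
LISTEN 0 64 [::]:79 [::]:* users:(("xinetd",pid=1044,fd=7))
EOF
}

# Demonstration on the constructed sample.
sample_ss_output | off_address_listeners xinetd 192.0.2.10
```

On a live system the input would come from `ss -H -ltnp` run as root, so that the process column is populated.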

I am unsure about the jail system call and the new_s_context() I have implemented though. The latter is used to isolate the process in a private world where it can't see and interact with other processes in the box, except itself. The new_s_context is not privileged, so a normal user can use this to, for example, set up a personal security box before executing a not-so-trusted game.

Also, the new_s_context() syscall allows the root user in the root server to "enter" a running vserver, unlike the jail syscall (which can't add new processes to a running "jail"). On this side, the implementation is also more flexible. This is very useful, because it allows the root server to monitor the vservers and to start and stop them very easily, in a clean way.