Those facilities are used together to create a runtime
environment for virtual servers. But they can be used
independently to achieve various goals.
- File system
The vserver is trapped into a sub-directory of the
main server and can't escape. This is done by the
standard chroot() system call found on all Unix and
- Processes
The vserver can only see the processes in the same
security context. Even the root server can't see
the processes in vservers, making the root
server less "dangerous" to use. A special
mechanism (context number 1) exists to view all
processes though (limited to root in the root server).
- Network
The vserver is assigned a host name and an IP
number. The server can only use this IP number to
establish services and client connections. Further, this
restriction is transparent.
- Super user capabilities
The super user running in a vserver has fewer
privileges than the normal Linux root user. For
example, it can't reconfigure the networking and
many aspects of the system. It can't mount devices, can't
access block devices and so on.
Roughly, the vserver super-user has full control
over all files and processes in the vserver, and that's
pretty much it.
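On Linux the reduced root described above is expressed as a reduced capability set, and the quickest way to verify what a process inside a context can actually do is to read the Cap* lines of /proc/<pid>/status. The following is an added example, not part of the original text or of the vserver code: it parses those hex masks, lists the capabilities they contain, and flags the ones the passage says a vserver root must not hold (network reconfiguration, mounting, raw/block device access, module loading). The two sample status fragments are constructed for illustration; audit_pid() reads the real file on a live system. The bit numbers are those of linux/capability.h.

```python
"""Audit Linux capability sets from /proc/<pid>/status (added example)."""
import re

# Capability bit numbers as defined in linux/capability.h.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}

# Capabilities a vserver root is not supposed to hold according to the text:
# network reconfiguration, mounting, raw/block device access, module loading.
HOST_ONLY_CAPS = ("CAP_NET_ADMIN", "CAP_SYS_ADMIN", "CAP_SYS_RAWIO",
                  "CAP_SYS_MODULE", "CAP_MKNOD")

# Constructed sample fragments of /proc/<pid>/status (not captured output).
# An unrestricted root: every one of the 41 capability bits is set.
FULL_ROOT_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
# A reduced root: file ownership/permission overrides, kill, setuid/setgid,
# binding low ports and chroot, but none of the host-only capabilities.
REDUCED_ROOT_STATUS = "Name:\tbash\nCapEff:\t00000000000404ff\nCapBnd:\t00000000000404ff\n"


def parse_cap_masks(status_text):
    """Return {"CapInh"/"CapPrm"/"CapEff"/"CapBnd"/"CapAmb": int} from status text."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks


def caps_in_mask(mask):
    """List the capability names whose bit is set in mask, in bit order."""
    return sorted((name for name, bit in CAP_BITS.items() if mask >> bit & 1),
                  key=CAP_BITS.get)


def host_only_caps_present(status_text, which="CapEff"):
    """Return the host-only capabilities found in the chosen set (empty is good)."""
    mask = parse_cap_masks(status_text).get(which, 0)
    return [c for c in HOST_ONLY_CAPS if mask >> CAP_BITS[c] & 1]


def audit_pid(pid="self"):
    """Audit a live process; requires permission to read its status file."""
    with open(f"/proc/{pid}/status") as f:
        return host_only_caps_present(f.read())


if __name__ == "__main__":
    for label, sample in (("full root", FULL_ROOT_STATUS),
                          ("reduced root", REDUCED_ROOT_STATUS)):
        print(label, "effective:", caps_in_mask(parse_cap_masks(sample)["CapEff"]))
        print(label, "host-only caps held:", host_only_caps_present(sample))
    print("this process, host-only caps held:", audit_pid())
```

The effective set (CapEff) is what the process can use right now; CapBnd is the ceiling it can never regain, so a restricted context is only convincing when both are reduced. Running audit_pid() from inside a jail and from the host side is a cheap way to confirm that the privilege split described above actually holds for a given process.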
- System V inter process communications
SysV IPC resources are private to each vserver.
The security context is used as an extra key to
select and assign resources.