1. Introduction

1.1 Who needs that

2.1 Non reversible isolation

2.2 Isolation areas

2.3 New system calls

2.4 Limiting super-user: The capabilities system

2.5 Enhancing the capability system

2.6 Playing with the new system calls

2.6.1 Playing with /usr/sbin/chcontext

2.6.2 Playing with /usr/sbin/chcontext as root

2.6.3 Playing with /usr/sbin/chbind

2.6.4 Playing with /usr/sbin/reducecap

2.7 Unification

3. Applications
3.1 Virtual server
3.2 Per user fire-wall

3.3 Secure server/Intrusion detection

3.4 Fail over servers

4. Installation

4.1 The packages

4.2 Setting a virtual server

4.3 Basic configuration of the virtual server

4.4 Entering the virtual server

4.5 Configuring the services

4.6 Starting/Stopping the virtual server

4.7 Starting/Stopping all the virtual servers

4.8 Restarting a virtual server from inside

4.9 Executing tasks at vserver start/stop time

4.10 Issues

4.11 How real is it ?

6. Future directions

6.1 User controlled security box

6.2 Kernel enhancements

6.2.1 Per context disk quota

6.2.2 Global limits

6.2.3 Scheduler

6.2.4 Security issues

6.2.4.1 /dev/random

6.2.4.2 /dev/pts

6.2.4.3 Network devices

7. Alternative technologies

7.1 Virtual machines

7.2 Partitioning

7.3 Limitation of those technologies

4.9 Executing tasks at vserver start/stop time

Next

You can setup a script called /etc/vservers/XX.sh where XX is the name of the virtual server. This script will be called four time:

Before starting the vserver
After starting it.
Before stopping it.
After stopping it.

You generally perform tasks such as mounting file system (mapping some directory in the vserver root using "mount --bind").

Here is an example where you map the /home directory as the vserver /home directory.

#!/bin/sh
case $1 in
pre-start)
	mount --bind /home /vservers/$2/home
	;;
post-start)
	;;
pre-stop)
	;;
post-stop)
	umount /vservers/$2/home
	;;
esac

/etc/vservers/XX.sh

Next

One big HTML document