Virtual private servers and security contexts

Table of contents

Introduction
    Who needs that
Principles
    Non reversible isolation
    Isolation areas
    New system calls
    Limiting super-user: The capabilities system
    Enhancing the capability system
    Playing with the new system calls
        Playing with /usr/sbin/chcontext
            Using chcontext: first window
            Using chcontext: second window
            Using chcontext several times
        Playing with /usr/sbin/chcontext as root
            chcontext as root
        Playing with /usr/sbin/chbind
            Using /usr/sbin/chbind
        Playing with /usr/sbin/reducecap
            Using /usr/sbin/reducecap
    Unification
Applications
    Virtual server
    Per user fire-wall
    Secure server/Intrusion detection
    Fail over servers
Installation
    The packages
        lilo.conf section to add
    Setting a virtual server
        Building a virtual server
    Basic configuration of the virtual server
        IPROOT using multiple devices
        IPROOT using different netmask
        Default vserver ulimit
    Entering the virtual server
    Configuring the services
    Starting/Stopping the virtual server
    Starting/Stopping all the virtual servers
    Restarting a virtual server from inside
    Executing tasks at vserver start/stop time
        /etc/vservers/XX.sh
    Issues
        Assigning on IP to a service
    How real is it ?
Features
Future directions
    User controlled security box
    Kernel enhancements
        Per context disk quota
        Global limits
        Scheduler
        Security issues
            /dev/random
            /dev/pts
            Network devices
Alternative technologies
    Virtual machines
    Partitioning
    Limitation of those technologies
Conclusion
Download
References