
Saturday/Sobota 14:00 - 15:30
A soft partitioning concept based on 'Security Contexts' that makes it possible to create many independent Virtual Private Servers (VPS), similar to normal Linux servers, which can run simultaneously on one box at full speed, sharing the hardware resources. All services, such as ssh, mail, web and databases, can be started on such a VPS without modification (or, in special cases, with only minimal modification), just like on any real server. Each virtual server has its own user account database and root password and doesn't interfere with other virtual servers, except for the fact that they share the same hardware resources.
The Linux Capability System: what it is and how it can be used to improve system security, with some examples.
Linux File System Attributes and Isolation Concepts.
Kernel space implementation, including a short overview of how the Linux kernel works regarding processes, namespace and network. Impact on performance and possible changes in behaviour, especially regarding the network and the scheduler.
Basic examples of how to use the Core Tools to create VServer Security Contexts and Network Contexts.
Further aspects of virtualization, such as:
Resource Limits
and, of course, recent developments, including CoW link breaking and BME extensions ...