Current-Users archive


Status of NetBSD virtualization roadmap - support jails like features?



Hello all,

This mail is more or less my personal reflection on the virtualization capabilities of NetBSD, combined with the question of where the journey could go.

I basically use all virtualization technologies offered on NetBSD:

* Xen for virtualizing entire servers on production environments.
* Qemu/nvmm for virtualization, currently on the desktop (playground).
* Chroots for administrative isolation of services - I use these like jails, with the knowledge that they don't provide the same security.

My motivation: I am looking for a particularly high-performance virtualization solution on NetBSD. Disk and network IO in particular play a role for me.

So far I thought that nvmm could play a bigger role in the future, because there are some interesting approaches, for example [1].

However, this week I read a post on Reddit [2] that was a bit disturbing to me. Meaningfully, it proclaims that the main development platform for nvmm is now DragonflyBSD rather than NetBSD. It also claims that the implementation in NetBSD is now "stale and broken". Comparing the timestamps of the last commits in the repositories [3] and [4], the last activities are only three months apart. The nature and extent of the respective changes are difficult for me to evaluate. Is anyone here deeper into this and able to say what the general state of nvmm in NetBSD is?

Regardless, I still think it wouldn't hurt if NetBSD could implement some sort of jail. There have been promising projects in the past, [5] and [6], that seem to have put a lot of thought into a clean integration with the NetBSD kauth API and the secmodels. So far, however, none of these approaches has made it beyond prototype status. Does anyone know if there is a code repository for [5]? I would be interested to see the implementation or the approaches to it. I realize that a complete jail implementation comparable to FreeBSD's is not an easy task. However, for certain use cases, it would be helpful to be able to take away some of the privileges of a process running as root in a chroot jail, such as sending signals to processes outside the jail. Are there any examples of this available?

Kind regards
Matthias

[1] https://imil.net/blog/posts/2020/fakecracker-netbsd-as-a-function-based-microvm/

[2] https://www.reddit.com/r/NetBSD/comments/sq62bc/nvmm_status/

[3] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/nvmm/?only_with_tag=MAIN

[4] https://github.com/DragonFlyBSD/DragonFlyBSD/tree/master/sys/dev/virtual/nvmm

[5] http://2008.asiabsdcon.org/papers/P3A-paper.pdf

[6] https://github.com/smherwig/netbsd-sandbox
