Current-Users archive
Status of NetBSD virtualization roadmap - support jails like features?
Hello all,
this mail is more or less my personal reflection on the virtualization
capabilities of NetBSD combined with the question where the journey
could go.
I basically use all virtualization technologies offered on NetBSD:
* Xen for virtualizing entire servers on production environments.
* Qemu/nvmm for virtualization currently on the desktop (playground)
* Chroots for administrative isolation of services - I use these like
jails with the knowledge that they don't provide the same security.
My motivation: I am looking for a particularly high performance
virtualization solution on NetBSD. Especially disk and network IO play
a role for me.
So far I thought that nvmm could play a bigger role in the future,
because there are some interesting approaches, for example [1].
However, this week I read a post on Reddit[2] that was a bit disturbing
to me. Meaningfully, it proclaims that the main development platform for
nvmm is now DragonflyBSD rather than NetBSD. It also claims that the
implementation in NetBSD is now "stale and broken". Comparing the
timestamps of the last commits in the repositories [3] and [4], the last
activities are only three months apart. The nature and extent of the
respective changes are difficult for me to evaluate. Is anyone here
deeper into this and can say what the general state of nvmm in NetBSD is?
Regardless, I still think it wouldn't hurt if NetBSD could implement
some sort of jail. There have been promising projects in the past [5]
and [6] that seem to have put a lot of thought into a clean integration
with the NetBSD APIs kauth and the secmodels. So far, however, none of
these approaches has made it beyond prototype status. Does anyone know
if there is a code repository for [5]? I would be interested to see the
implementation or the approaches to it. I realize that a complete jail
implementation comparable to FreeBSD is not an easy task. However, for
certain use cases, it would be helpful to be able to take away some of
the privileges of a process running as root in a chroot jail, such as
sending signals to processes outside the jail. Are there any examples of
this available?
Kind regards
Matthias
[1] https://imil.net/blog/posts/2020/fakecracker-netbsd-as-a-function-based-microvm/
[2] https://www.reddit.com/r/NetBSD/comments/sq62bc/nvmm_status/
[3] http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/nvmm/?only_with_tag=MAIN
[4] https://github.com/DragonFlyBSD/DragonFlyBSD/tree/master/sys/dev/virtual/nvmm
[5] http://2008.asiabsdcon.org/papers/P3A-paper.pdf
[6] https://github.com/smherwig/netbsd-sandbox