Re: NetBSD Jails

On Fri, 15 May 2020 15:23:32 -0700
"Greg A. Woods" <> wrote:

> I'm curious about what this means to you -- what do you need/want in
> addition to the chroot environments you now have?

The filesystems of different containers are well isolated thanks to
chroot, and occasional use of null mounts to bring in outside data. But

- Processes can "see" each other; I have to be careful not to reuse
UID numbers. For example: if I build a chroot with an instance of nginx
that runs as UID 2505, and then deploy multiple copies of that chroot,
all of them can call kill(2) on a process in a different chroot.

- All chroots share the same network stack. If I tell nginx to bind to
'' or '::', the first instance will start up fine, the others
will fail with "address already in use." The wiki's projects list has a
clean solution to this particular point, which may or may not be within
scope of jails:

- Some way to set per-chroot resource limits would be helpful. I can
manipulate ulimits, but that is basically driving screws with a hammer.
It's simply the wrong tool.

Aaron B. <>
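The first point above (same UID in two chroots means kill(2) from one reaches the other, because all chroots share one kernel and one PID/credential space) is the kind of thing that is easy to get wrong when a chroot image is cloned. The following audit script is an added example, not code from this thread or from NetBSD: it walks a list of chroot roots, parses each root's etc/passwd, and reports every UID that appears in more than one chroot. The chroot names, the passwd contents and the "nginx as UID 2505" user are constructed sample data for the demonstration; the helper `build_demo_chroots` only exists to create them in a temporary directory.

```python
"""Audit a set of chroot roots for reused UIDs.

Added example (not from the mailing-list post). Assumption: every chroot
keeps a passwd(5)-style file at <root>/etc/passwd. Because all chroots on
the host share one kernel, a process running as UID N in one chroot can
signal a process running as UID N in another chroot, so a UID that shows
up in two chroots' passwd files is a cross-chroot kill(2) path.
"""
import os
import tempfile
from collections import defaultdict


def parse_passwd(path):
    """Return {uid: username} from a colon-separated passwd(5) file.

    Blank lines, comments and malformed entries are skipped rather than
    raising, so one odd chroot does not abort the whole audit.
    """
    users = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) < 3:
                continue
            try:
                users[int(fields[2])] = fields[0]
            except ValueError:
                continue
    return users


def find_uid_collisions(chroot_roots, min_uid=1):
    """Map each UID present in more than one chroot to [(root, user), ...].

    UIDs below min_uid are ignored; the default skips only UID 0, which is
    present in every chroot and can signal anything regardless.
    """
    seen = defaultdict(list)
    for root in chroot_roots:
        pw = os.path.join(root, "etc", "passwd")
        if not os.path.isfile(pw):
            continue  # not a populated chroot, nothing to audit
        for uid, name in parse_passwd(pw).items():
            if uid < min_uid:
                continue
            seen[uid].append((root, name))
    return {uid: owners for uid, owners in seen.items() if len(owners) > 1}


def build_demo_chroots():
    """Create three throw-away chroot skeletons with constructed passwd
    files: two cloned nginx chroots sharing UID 2505, and one database
    chroot with its own UID. Returns the list of chroot roots."""
    base = tempfile.mkdtemp(prefix="chroot-audit-")
    samples = {
        "www1": "root:*:0:0:root:/root:/bin/sh\n"
                "nginx:*:2505:2505:nginx:/nonexistent:/sbin/nologin\n",
        "www2": "root:*:0:0:root:/root:/bin/sh\n"
                "nginx:*:2505:2505:nginx:/nonexistent:/sbin/nologin\n",
        "db1":  "root:*:0:0:root:/root:/bin/sh\n"
                "postgres:*:2600:2600:PostgreSQL:/var/pgsql:/bin/sh\n",
    }
    roots = []
    for name, content in samples.items():
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write(content)
        roots.append(root)
    return roots


if __name__ == "__main__":
    collisions = find_uid_collisions(build_demo_chroots())
    for uid, owners in sorted(collisions.items()):
        where = ", ".join(f"{user}@{root}" for root, user in owners)
        print(f"UID {uid} reused across chroots: {where}")
```

On a real host you would pass the actual chroot directories (for example the output of `ls -d /chroot/*`) instead of the demo set, and treat every reported UID as a process that can be signalled from another container. Raising `min_uid` filters out base-system accounts that are copied into every chroot by design, at the cost of not reporting them even though they are shared just the same.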

