Subject: Re: FreeBSD-like jail? And virtual hosting management interface?
To: NetBSD User's Discussion List <netbsd-users@NetBSD.org>
From: Ignatios Souvatzis <ignatios@cs.uni-bonn.de>
List: netbsd-users
Date: 11/08/2004 09:53:42

On Sun, Nov 07, 2004 at 04:47:06PM -0500, Steven M. Bellovin wrote:
>
> >With Xen you get an entire, complete, true "virtual" host and everything
> >works exactly as anyone would expect it to.
> >
> >--
>
> Xen is great for heavy-weight confinement, but it takes a lot of effort
> -- you have to build (and maintain) an entire extra NetBSD image for
> each such app.
>
> The interesting question, of course, is whether or not there are
> lighter-weight solutions that will do the trick.

I guess you could (NFS-?)mount, read-only, the OS and applications,
leaving only some specific configuration per-machine, similar to what
we did here for a parallel computing lab (I didn't do that with Xen).
See my EuroBSDCon '02 paper. Other people have reported similar solutions.
(I guess you'd use a master virtual machine as the NFS server to limit
 access of real networks, or maybe share a disk in read-only mode... does
 Xen allow this?)

Regards,
	-is
