NetBSD-Users archive
Re: NetBSD Jails
On Fri, 15 May 2020 15:23:32 -0700
"Greg A. Woods" <woods%planix.com@localhost> wrote:
> I'm curious about what this means to you -- what do you need/want in
> addition to the chroot environments you now have?
>
The filesystems of different containers are well isolated thanks to
chroot, and occasional use of null mounts to bring in outside data. But
currently:
- Processes can "see" each other; I have to be careful not to reuse
UID numbers. For example: if I build a chroot with an instance of nginx
that runs as UID 2505, and then deploy multiple copies of that chroot,
all of them can call kill(2) on a process in a different chroot.
- All chroots share the same network stack. If I tell nginx to bind to
'0.0.0.0' or '::', the first instance will start up fine; the others
will fail with "address already in use." The wiki's projects list has a
clean solution to this particular point, which may or may not be within
scope of jails:
https://wiki.netbsd.org/projects/project/virtual_network_stacks/
- Some way to set per-chroot resource limits would be helpful. I can
manipulate ulimits, but that is basically driving screws with a hammer.
It's simply the wrong tool.
--
Aaron B. <aaron%zadzmo.org@localhost>
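The first point above, that UIDs are a single system-wide namespace no matter how many chroots share them, is something you can audit for rather than remember to avoid by hand. The script below is an added example, not code from the thread or from NetBSD: it parses the passwd file of each chroot and reports every UID that appears in more than one tree, since two same-UID processes can signal each other with kill(2) regardless of which root directory each was confined to. The chroot paths and the passwd contents are constructed for illustration; the loader reads `<root>/etc/master.passwd` first and falls back to `<root>/etc/passwd`, which is an assumption about the layout of your chroots.

```python
"""Audit several chroot trees for numeric UIDs they have in common.

Added example (not from the mailing-list post).  On a plain chroot
setup the UID space is global, so services running as the same UID in
different chroots can kill(2) each other.  The chroot paths and passwd
contents in SAMPLE_CHROOTS are constructed sample data.
"""
import os
from collections import defaultdict


def parse_passwd(text):
    """Yield (username, uid) pairs from passwd(5)-style text.

    Accepts both the 7-field /etc/passwd layout and the 10-field
    /etc/master.passwd layout used on NetBSD; the UID is the third
    field in both.  Blank and comment lines are skipped.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) not in (7, 10):
            raise ValueError(f"line {lineno}: unexpected field count {len(fields)}")
        try:
            uid = int(fields[2])
        except ValueError:
            raise ValueError(f"line {lineno}: non-numeric UID {fields[2]!r}")
        yield fields[0], uid


def find_uid_collisions(chroot_passwd, ignore_root=True):
    """Return {uid: [(chroot, username), ...]} for UIDs shared by several chroots.

    chroot_passwd maps a chroot path to the text of its passwd file.
    UID 0 is skipped by default: root can signal anything anyway, so
    its presence in every chroot is not a finding.  A UID listed twice
    inside a single chroot (an alias) is not a cross-chroot collision.
    """
    users_by_uid = defaultdict(list)
    for root, text in chroot_passwd.items():
        for name, uid in parse_passwd(text):
            if ignore_root and uid == 0:
                continue
            users_by_uid[uid].append((root, name))
    return {
        uid: entries
        for uid, entries in users_by_uid.items()
        if len({root for root, _ in entries}) > 1
    }


def load_chroots(roots):
    """Read each chroot's passwd file from disk (master.passwd preferred).

    Assumed layout: <root>/etc/master.passwd or <root>/etc/passwd.
    """
    result = {}
    for root in roots:
        for candidate in ("etc/master.passwd", "etc/passwd"):
            path = os.path.join(root, candidate)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result[root] = fh.read()
                break
    return result


# Constructed sample data: two nginx chroots built from the same image,
# plus a database chroot whose monitoring user happens to reuse 2505.
SAMPLE_CHROOTS = {
    "/chroot/nginx-a": (
        "root:*:0:0:Charlie &:/root:/bin/sh\n"
        "nginx:*:2505:2505:nginx:/nonexistent:/sbin/nologin\n"
    ),
    "/chroot/nginx-b": (
        "root:*:0:0:Charlie &:/root:/bin/sh\n"
        "nginx:*:2505:2505:nginx:/nonexistent:/sbin/nologin\n"
    ),
    "/chroot/db": (
        "# master.passwd layout (10 fields)\n"
        "root:*:0:0::0:0:Charlie &:/root:/bin/sh\n"
        "pgsql:*:2600:2600::0:0:PostgreSQL:/var/db/pgsql:/bin/sh\n"
        "exporter:*:2505:2505::0:0:metrics exporter:/nonexistent:/sbin/nologin\n"
    ),
}


if __name__ == "__main__":
    for uid, entries in sorted(find_uid_collisions(SAMPLE_CHROOTS).items()):
        where = ", ".join(f"{root} ({name})" for root, name in entries)
        print(f"UID {uid} is shared across chroots: {where}")
```

On a real host, replace `SAMPLE_CHROOTS` with `load_chroots(["/chroot/nginx-a", ...])`; any UID the script reports is one whose processes can see and signal each other across chroot boundaries.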