Subject: NetBSD & multiplicity
To: None <tech-kern@NetBSD.org>
From: Kristaps Dzonsons <kristaps@kth.se>
List: tech-kern
Date: 12/26/2007 14:28:03
Hello everybody, perhaps this may be of interest to you:

  http://mult.bsd.lv

Essentially, it's a forked NetBSD-3.1 kernel that isolates resource
contexts into "instances", allowing multiple (e.g.) non-conflicting
init(8) process trees.  Jail machines are fun hacks, but don't have
provable isolation and scatter cruft around the kernel.  This is another
(I think more elegant) approach:

"Resource isolation is a strategy of multiplicity, the state of many
isolated contexts within a single environment.  Isolated resource
contexts have functionally non-isomorphic resource mappings: contexts
with equivalent domain identities map to non-intersecting ranges in the
resource co-domain.  Thus, in practice, if processes a and b return
different values to an equivalent identity (say, for the hostname), then
the callee context, for this identity, demonstrates resource
non-isomorphism.  Although isolation is by no means a new study in
operating systems, the BSD family offers few implementations, at this
time limited to FreeBSD's Jail and the upcoming kauth(9) subsystem in
NetBSD.  These systems provide frameworks with which one may orchestrate
isolated environments by cross-checking and switching over credentials
at the kernel's boundary.  In this document, we consider a radically
different approach to resource isolation:  instead of isolating at the
kernel boundary, we consider a strategy of collecting entire kernel
sub-systems into contexts, effecting bottom-up resource isolation.  This
document describes a work-in-progress, although a considerable
implementation exists."

This has been under development for a few months and I now feel it's
time to start getting feedback on the implementation.  It only has "soft
resource" appropriation.  "Hard resource" appropriation is still
underway; I want to save that until the soft resources are demonstrably
stable.  If this interests you, then please, test and enjoy!  I'm
looking to stabilise the "jail" concept while delving into network
appropriation (which may either inherit from Zec's vimage approach or a
straight-up ifalias).

Have fun and happy holidays!
  --Kristaps

PS, if you have comments, please CC me, as I'm not subscribed.
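As an added illustration (not code from this post or from the mult project), the following C program models the "non-isomorphic resource mapping" the abstract describes: two instances, each holding its own hostname and its own process table, so that the same identity (pid 1, or "the hostname") resolves to a different object depending on the caller's context, and both instances can hold an init with pid 1 without conflict. The structure names, the two hostnames and the process layout are all constructed for the example; they do not correspond to mult's internal data structures.

```c
#include <stdio.h>
#include <string.h>

#define NINST   2
#define MAXPROC 8

/* A process belongs to exactly one instance; its pid is unique only there. */
struct proc {
	int used;
	int pid;
	int ppid;
};

/* The "soft" resources collected per instance: a hostname and a process
 * table with its own pid counter.  Nothing here is shared across instances.
 * (Constructed model, not mult's actual layout.) */
struct instance {
	char hostname[64];
	struct proc procs[MAXPROC];
	int nextpid;
};

static struct instance instances[NINST];

/* Reset an instance and give it its own hostname. */
static void
inst_init(int inst, const char *hostname)
{
	struct instance *ip = &instances[inst];

	memset(ip, 0, sizeof *ip);
	strncpy(ip->hostname, hostname, sizeof ip->hostname - 1);
	ip->nextpid = 1;
}

/* Allocate a process in the caller's instance.  Returns the new pid, or -1
 * if that instance's table is full.  ppid 0 marks the instance's init. */
static int
inst_fork(int inst, int ppid)
{
	struct instance *ip = &instances[inst];
	int k;

	for (k = 0; k < MAXPROC; k++) {
		if (ip->procs[k].used)
			continue;
		ip->procs[k].used = 1;
		ip->procs[k].pid = ip->nextpid++;
		ip->procs[k].ppid = ppid;
		return ip->procs[k].pid;
	}
	return -1;
}

/* Resource lookups are keyed by the caller's context: the same identity
 * ("the hostname", "pid 1") resolves inside that context's range only. */
static const char *
ctx_gethostname(int inst)
{
	return instances[inst].hostname;
}

static const struct proc *
ctx_findproc(int inst, int pid)
{
	const struct instance *ip = &instances[inst];
	int k;

	for (k = 0; k < MAXPROC; k++)
		if (ip->procs[k].used && ip->procs[k].pid == pid)
			return &ip->procs[k];
	return NULL;
}

/* Build the constructed scenario: two instances, each with its own init
 * (pid 1), plus one child of init in instance 0 only. */
static void
setup_two_instances(void)
{
	inst_init(0, "alpha.example");	/* constructed hostname */
	inst_init(1, "beta.example");	/* constructed hostname */
	inst_fork(0, 0);		/* init of instance 0: pid 1 */
	inst_fork(1, 0);		/* init of instance 1: pid 1 */
	inst_fork(0, 1);		/* child of init in instance 0: pid 2 */
}

/* Return 1 if the two contexts are non-isomorphic for the identities we
 * probe: same query, disjoint answers. */
static int
contexts_are_isolated(void)
{
	const struct proc *a = ctx_findproc(0, 1), *b = ctx_findproc(1, 1);

	return a != NULL && b != NULL && a != b &&
	    ctx_findproc(0, 2) != NULL && ctx_findproc(1, 2) == NULL &&
	    strcmp(ctx_gethostname(0), ctx_gethostname(1)) != 0;
}

int
main(void)
{
	setup_two_instances();
	printf("instance 0: hostname=%s, pid 1 %s\n", ctx_gethostname(0),
	    ctx_findproc(0, 1) ? "present" : "absent");
	printf("instance 1: hostname=%s, pid 2 %s\n", ctx_gethostname(1),
	    ctx_findproc(1, 2) ? "present" : "absent");
	printf("isolated: %s\n", contexts_are_isolated() ? "yes" : "no");
	return 0;
}
```

The point of the model is where the context argument sits: every lookup takes it, so a process in one instance has no path by which to name a process or the hostname of another. A jail-style design instead keeps one global table and filters at the boundary, which is the "cross-checking at the kernel's boundary" the abstract contrasts with.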