Date: Wed, 20 Nov 2013 21:48:06 -0500
From: Eitan Adler <lists@eitanadler.com>
To: Bruno Lauzé <brunolauze@msn.com>
Cc: "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject: Re: VPS / Jail / Bhyve File System isolation
Message-ID: <CAF6rxgmkUnyENS=_y-jCjnQdBqgeDX4K2xJh6SSJ=7syss3T=A@mail.gmail.com>
In-Reply-To: <BLU179-W2710DC567151403C38377AC6E60@phx.gbl>
References: <BLU179-W2710DC567151403C38377AC6E60@phx.gbl>

On Wed, Nov 20, 2013 at 12:55 PM, Bruno Lauzé <brunolauze@msn.com> wrote:
>
> Using jails, customers are uncomfortable with the fact documents can be accessed from the host with root access. Project VPS seems to isolate more the guest from the host but not as well as a hypervisor like bhyve. With a hypervisor what the client has is private, as long as the host can manage the disk, delete it, but the information is kept private from the host.
> Any suggestions how to offer jail, vps, or anything containers techniques with total file system isolation from the host, or the only way is to go hypervisor, with the performance and instances count penalty that goes with it?

Untrusted hypervisors is an active area of academic research. However, any such scheme requires additional hardware support. If you are interested I can give you some papers to look at.

-- 
Eitan Adler