Date: Tue, 14 Oct 1997 09:29:41 -0700 (PDT)
From: Doug Ambrisko <ambrisko@whistle.com>
To: julian@whistle.com (Julian Elischer)
Cc: tim@futuresouth.com, questions@FreeBSD.ORG
Subject: Re: Virtual machine environment?
Message-ID: <199710141629.JAA17642@crab.whistle.com>
In-Reply-To: <34439220.446B9B3D@whistle.com> from Julian Elischer at "Oct 14, 97 08:39:12 am"
Julian Elischer writes:
| Tim Tsai wrote:
| >
| > Just curious, but has anybody ever taken the concept of "chroot" but
| > extended it to all areas of the system? For example, a virtual host
| > would have its own file system area, processes, IP addresses, etc.
|
| we have done SOME of this for testing..
| (using different port addresses in /etc/services in the chroot area etc.)
| Doug Ambrisko (CC'd) can probably give more details.

Yep we did it, which was kind-of cool. The way we went about it was to make common services "well behaved", that is, to bind and use ports as defined via /etc/services instead of hard-coded values. "bind" was a mis-behaving package that I patched. (I need to check to see if this is required for the 8.X stuff.) Since some of this stuff is included in libc (the resolver code) I further patched ld.so to be more Solaris-like in that setuid programs will honour LD_PRELOAD if the lib is in /usr/lib, so I could patch without rebuilding it all. It was good for testing and I need to send it to jdp.

Then I made a script that renumbers services in /etc/services in the chroot environment by adding an offset, with the network services allocated in a safe range of ports. Services talk to each other fine in this virtual machine. The problem is that they can't talk to other machines since the ports are all shifted up. So using Archie's divert feature of IPFW we made another user-level daemon that translated ports, basically like what natd does except instead of translating IPs it translated ports. This worked by defining two translations, in that any connection that came in through a certain IP (I used a virtual IP for each machine) got shifted up if it was in the range and any outgoing connection got shifted down if it was in the range. The details get a little tricky but this is the basic idea.

Then I added a patch to the procfs to be able to identify chroot'ed processes so I could "halt" a virtual machine by killing all processes in this chroot. I did this by displaying the chroot'ed base vnode as part of the status entry. I really wanted to print out the directory as ASCII but I did have the knowledge to quickly do it. When I get time to do it I will submit it. Then it was a matter of removing some stuff from /etc/rc and I could boot a virtual machine via chroot <dir> /etc/rc and watch it boot. Another issue was having a separate hostname reported, which I just worked around.

Doug A.
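The two pieces Doug describes, the script that renumbers /etc/services by an offset and the divert daemon's up/down port-shifting rule, as an added Python example (not Doug's code, which is not on the page). The /etc/services sample, the offset of 10000 and the 1..1023 range are constructed; the collision and 16-bit range checks are the "safe range of ports" caveat made explicit.

```python
import re

# Constructed sample of /etc/services lines (real format: name port/proto [aliases] [# comment]).
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp              21/tcp
ssh              22/tcp     # SSH Remote Login Protocol
smtp             25/tcp     mail
domain           53/tcp
domain           53/udp
http             80/tcp     www www-http
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(.*)$")

def renumber_services(text, offset, low=1, high=1023):
    """Shift every port in [low, high] by `offset`; return (new_text, {(port, proto): new_port}).
    Comment/blank lines pass through. Raises ValueError if a shifted port leaves 1..65535
    or collides with a port/proto already in the file, so the chroot's range stays clash-free."""
    out, mapping, used = [], {}, set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # comment or blank line: copy unchanged
            out.append(line)
            continue
        name, port, proto, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if low <= port <= high:
            new = port + offset
            if not 1 <= new <= 65535:
                raise ValueError(f"{name}: {port}+{offset} is outside 1..65535")
            mapping[(port, proto)] = new
            port = new
        if (port, proto) in used:
            raise ValueError(f"{name}: {port}/{proto} already allocated")
        used.add((port, proto))
        out.append(f"{name:<16} {port}/{proto}{rest}")
    return "\n".join(out) + "\n", mapping

def translate_port(port, direction, offset, low=1, high=1023):
    """Divert-daemon rule: inbound to the virtual IP shifts a destination port in the original
    range up; outbound from the chroot shifts a source port in the shifted range down."""
    if direction == "in" and low <= port <= high:
        return port + offset
    if direction == "out" and low + offset <= port <= high + offset:
        return port - offset
    return port
```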