From owner-freebsd-questions Tue Oct 14 09:30:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA28303 for questions-outgoing; Tue, 14 Oct 1997 09:30:20 -0700 (PDT) (envelope-from owner-freebsd-questions)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA28291 for ; Tue, 14 Oct 1997 09:30:17 -0700 (PDT) (envelope-from ambrisko@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id JAA11571; Tue, 14 Oct 1997 09:29:55 -0700 (PDT)
Received: from crab.whistle.com(207.76.205.112) via SMTP by alpo.whistle.com, id smtpd011566; Tue Oct 14 16:29:47 1997
Received: (from ambrisko@localhost) by crab.whistle.com (8.8.7/8.6.12) id JAA17642; Tue, 14 Oct 1997 09:29:41 -0700 (PDT)
From: Doug Ambrisko
Message-Id: <199710141629.JAA17642@crab.whistle.com>
Subject: Re: Virtual machine environment?
In-Reply-To: <34439220.446B9B3D@whistle.com> from Julian Elischer at "Oct 14, 97 08:39:12 am"
To: julian@whistle.com (Julian Elischer)
Date: Tue, 14 Oct 1997 09:29:41 -0700 (PDT)
Cc: tim@futuresouth.com, questions@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL29 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Julian Elischer writes:
| Tim Tsai wrote:
| >
| > Just curious, but has anybody ever taken the concept of "chroot" but
| > extended it to all areas of the system? For example, a virtual host
| > would have its own file system area, processes, IP addresses, etc.
|
| we have done SOME of this for testing..
| (using different port addresses in /etc/services in the chroot area etc.)
| Doug Ambrisko (CC'd) can probably give more details.

Yep we did it, which was kind-of cool.
The way we went about it was to make common services "well behaved", that is, to bind and use ports as defined via /etc/services instead of hard-coded values. "bind" was a mis-behaving package that I patched. (I need to check to see if this is required for the 8.X stuff.) Since some of this stuff is included in libc (the resolver code), I further patched ld.so to be more Solaris-like in that setuid programs will honour LD_PRELOAD if the lib is in /usr/lib, so I could patch without rebuilding it all. It was good for testing and I need to send it to jdp.

Then I made a script that renumbers services in /etc/server in the chroot environment by adding an offset, with the network services allocated in a safe range of ports. Services talk to each other fine in this virtual machine. The problem is that they can't talk to other machines since the ports are all shifted up. So using Archie's divert feature of IPFW we made another user-level daemon that translated ports, basically like what natd does except instead of translating IPs it translated ports. This worked by defining two translations, in that any connection that came in through a certain IP (I used a virtual IP for each machine) got shifted up if it was in the range and any outgoing connection got shifted down if it was in the range. The details get a little tricky but this is the basic idea.

Then I added a patch to the procfs to be able to identify chroot'ed processes so I could "halt" a virtual machine by killing all processes in this chroot. I did this by displaying the chroot'ed base vnode as part of the status entry. I really wanted to print out the directory as ASCII but I did have the knowledge to quickly do it. When I get time to do it I will submit it.

Then it was a matter of removing some stuff from /etc/rc and I could boot a virtual machine via chroot /etc/rc and watch it boot. Another issue was having a separate hostname reported, which I just worked around.

Doug A.
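The port-offset scheme described in the message (renumber the chroot's /etc/services by a fixed offset into an unused range, then shift destination ports up on the way in to the virtual IP and source ports back down on the way out), worked through as an added example in Python. This is not code from the thread or from FreeBSD: the services file, the virtual IP 10.0.0.2 and the offset 10000 are constructed sample values, and the two translation rules are written as pure functions rather than wired to an ipfw divert socket. It also adds the check Doug's "safe range of ports" implies: that the shifted range stays within 16 bits and does not land on a port the file already assigns outside the well-known range.

```python
import re
from dataclasses import dataclass

# Constructed sample in /etc/services format; not copied from any real host.
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
ftp          21/tcp
ssh          22/tcp
smtp         25/tcp    mail
domain       53/tcp
domain       53/udp
http         80/tcp    www www-http   # WorldWideWeb HTTP
postgresql 5432/tcp                   # already above the well-known range
"""

# name, port/proto, then optional aliases and/or a trailing comment
SERVICE_RE = re.compile(r"^(?P<name>[^#\s]+)\s+(?P<port>\d+)/(?P<proto>\w+)(?P<rest>.*)$")

WELL_KNOWN = (1, 1023)   # the range the chroot's daemons are moved out of


def _entries(text):
    """Yield (name, port, proto, rest) for every service line; comments and blanks are skipped."""
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            yield m.group("name"), int(m.group("port")), m.group("proto"), m.group("rest")


def shifted_range_is_safe(text, offset, base=WELL_KNOWN):
    """True if base + offset fits in 16 bits and does not collide with any port
    the file already assigns outside the base range."""
    lo, hi = base[0] + offset, base[1] + offset
    if hi > 65535:
        return False
    taken = {port for _, port, _, _ in _entries(text) if not base[0] <= port <= base[1]}
    return not any(lo <= p <= hi for p in taken)


def renumber_services(text, offset, base=WELL_KNOWN):
    """Return a copy of an /etc/services file for the chroot with every port in
    `base` moved up by `offset`; other ports, comments and blank lines are kept."""
    if not shifted_range_is_safe(text, offset, base):
        raise ValueError(f"offset {offset} collides with existing ports or exceeds 65535")
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            out.append(line)
            continue
        port = int(m.group("port"))
        if base[0] <= port <= base[1]:
            port += offset
        out.append(f"{m.group('name')}\t{port}/{m.group('proto')}{m.group('rest')}")
    return "\n".join(out) + "\n"


@dataclass(frozen=True)
class PortShifter:
    """The two rewrite rules the port-translating daemon applies for one virtual machine."""
    virtual_ip: str
    offset: int
    base: tuple = WELL_KNOWN

    def inbound(self, dst_ip, dst_port):
        """Packet arriving for the virtual IP on a well-known port: shift it up
        to the port the chroot's daemon actually listens on."""
        if dst_ip == self.virtual_ip and self.base[0] <= dst_port <= self.base[1]:
            return dst_port + self.offset
        return dst_port

    def outbound(self, src_ip, src_port):
        """Packet leaving the virtual IP from a shifted port: shift it back down
        so the remote peer sees the standard port number."""
        lo, hi = self.base[0] + self.offset, self.base[1] + self.offset
        if src_ip == self.virtual_ip and lo <= src_port <= hi:
            return src_port - self.offset
        return src_port


if __name__ == "__main__":
    print(renumber_services(SAMPLE_SERVICES, 10000))
    vm = PortShifter("10.0.0.2", 10000)   # constructed virtual IP and offset
    print(vm.inbound("10.0.0.2", 80), vm.outbound("10.0.0.2", 10025))
```

Only ports inside the well-known range are shifted, so a service already living above 1023 keeps its number in the chroot; the safety check is what catches an offset whose shifted block would overlap such a service, which is the collision the original scheme's "safe range" avoids by construction.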