Date:      Wed, 7 Jun 2006 12:03:12 -0700
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Alex Lyashkov <shadow@psoft.net>
Cc:        Robert Watson <rwatson@freebsd.org>, Julian Elischer <julian@elischer.org>, freebsd-arch@freebsd.org
Subject:   Re: jail extensions
Message-ID:  <20060607190312.GA1267@odin.ac.hmc.edu>
In-Reply-To: <1149692184.3224.208.camel@berloga.shadowland>
References:  <1149610678.4074.42.camel@berloga.shadowland> <448633F2.7030902@elischer.org> <20060607095824.W53690@fledge.watson.org> <200606070819.04301.jhb@freebsd.org> <4486E41B.4000003@elischer.org> <1149692184.3224.208.camel@berloga.shadowland>


On Wed, Jun 07, 2006 at 05:56:24PM +0300, Alex Lyashkov wrote:
> > Marco's work is somewhat similar.
> > All globals related to the network are moved to structures that can be
> > duplicated.
> >
> > The base system also uses this structure so that in effect the base
> > system is just another instance of the virtual machines. The biggest
> > obstacle is that the 4.x based version just put everything into one
> > structure, meaning that it only worked when all the components
> > affected were compiled into the kernel. None of them could be
> > implemented as a loadable kernel module.
> > This has become much more important in 6.x.
> >
> > There is a way to allow this to work but it would require that we
> > implement a kernel version of the idea used for TLS (Thread Local
> > Storage), so that modules being loaded could be added to all the
> > existing VMs and new VMs could get instances of all loaded modules.
> > (and so that a module could not be unloaded until all VMs have
> > destroyed their instance
> This can be created easily. Each module can have its own fully private
> data and register init/destroy methods, similar to the SYSINIT macro.
> The prison will need an added array to store pointers to the modules'
> data. Yes, it may possibly need to lose more memory, but it is easy to
> implement.

Even blowing a page or two per prison probably doesn't matter.  It seems
unlikely anyone is going to run large numbers of them on very small
platforms and it's not as if you can run a process that takes less than
3-4 pages anyway.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
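
The per-prison module data scheme described in the quoted text above, as an added userspace C model that is not part of the original message and is not FreeBSD kernel code. All names (`pr_module`, `module_register`, `moddata`, `NSLOTS`, the `ctr_mod` sample module) are hypothetical, and locking is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#define NSLOTS 4                         /* constructed limit for this model */
struct prison { int id; struct prison *next; void *moddata[NSLOTS]; };
struct pr_module {                       /* hypothetical registration record */
    void *(*init)(struct prison *);      /* build one prison's private data */
    void (*destroy)(void *);             /* release it */
};
static const struct pr_module *modules[NSLOTS];
static struct prison *all_prisons;
/* Module load: claim a slot, then create an instance in every existing prison. */
int module_register(const struct pr_module *m) {
    int s = 0;
    while (s < NSLOTS && modules[s]) s++;
    if (s == NSLOTS) return -1;          /* no free slot */
    modules[s] = m;
    for (struct prison *p = all_prisons; p; p = p->next) p->moddata[s] = m->init(p);
    return s;
}
int module_unregister(int s) {           /* refused while an instance exists */
    for (struct prison *p = all_prisons; p; p = p->next)
        if (p->moddata[s]) return -1;
    modules[s] = NULL;
    return 0;
}
struct prison *prison_create(int id) {   /* gets every module loaded so far */
    struct prison *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->id = id; p->next = all_prisons; all_prisons = p;
    for (int s = 0; s < NSLOTS; s++)
        if (modules[s]) p->moddata[s] = modules[s]->init(p);
    return p;
}
void prison_destroy(struct prison *p) {  /* destroy instances, then unlink */
    for (int s = 0; s < NSLOTS; s++)
        if (p->moddata[s]) modules[s]->destroy(p->moddata[s]);
    for (struct prison **pp = &all_prisons; *pp; pp = &(*pp)->next)
        if (*pp == p) { *pp = p->next; break; }
    free(p);
}
static void *ctr_init(struct prison *p) { int *c = malloc(sizeof *c); if (c) *c = p->id; return c; }
static const struct pr_module ctr_mod = { ctr_init, free };  /* constructed sample module */
int main(void) {
    struct prison *a = prison_create(1);
    int s = module_register(&ctr_mod), busy = module_unregister(s);
    prison_destroy(a);
    printf("unload busy=%d, after teardown=%d\n", busy, module_unregister(s));
    return 0;
}
```

The memory cost raised in the reply is visible in `struct prison`: every prison carries `NSLOTS` pointers whether or not a module occupies the slot, plus whatever each `init` allocates.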
