Date:      Thu, 21 Nov 2013 18:16:35 -0500
From:      Aryeh Friedman <aryeh.friedman@gmail.com>
To:        Miroslav Lachman <000.fbsd@quip.cz>
Cc:        "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org>
Subject:   Re: VPS / Jail / Bhyve File System isolation
Message-ID:  <CAGBxaX=JsrT=%2B%2BsLU9Z2gomhbrj9OgeWG6W%2B9f84vZK78qdM8w@mail.gmail.com>
In-Reply-To: <528CF986.2000003@quip.cz>
References:  <BLU179-W2710DC567151403C38377AC6E60@phx.gbl> <528CF986.2000003@quip.cz>

On Wed, Nov 20, 2013 at 1:03 PM, Miroslav Lachman <000.fbsd@quip.cz> wrote:

> Bruno Lauzé wrote:
>
>>
>> Using jails, customers are uncomfortable with the fact documents can be
>> accessed from the host with root access. Project VPS seems to isolate more
>> the guest from the host but not as well as a hypervisor like bhyve. With
>> a hypervisor what the client has is private, as long as the host can
>> manage the disk, delete it, but the information is kept private from the
>> host.
>> Any suggestions how to offer jail, vps, or anything containers techniques
>> with total file system isolation from the host, or the only way is to go
>> hypervisor, with the performance and instances count penalty that goes with
>> it?
>>
>
> There is the same problem with all hypervisors. Nothing prevents
> hypervisor admin to do a snapshot image and mount it as another disk to
> other OS and access the data.
> So nothing is private at this virtualisation level. (without encrypted
> disks)


To make matters worse, many hypervisors (including bhyve) use raw image
files (in bhyve's case md(4) mountable ones).


