This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.
For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".
Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.
Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.
It generally does what one would expect, but setting up a jail
still takes a little knowledge.
A few notes:
I have no scripts for setting up a jail, don't ask me for them.
The IP number should be an alias on one of the interfaces.
mount a /proc in each jail, it will make ps more useable.
/proc/<pid>/status tells the hostname of the prison for
jailed processes.
Quotas are only sensible if you have a mountpoint per prison.
There are no provisions for stopping resource-hogging.
Some "#ifdef INET" and similar may be missing (send patches!)
If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!
Tools, comments, patches & documentation most welcome.
Have fun...
Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/
feature of packages now so that no version info is embedded.
o Add a default X desktop menu offering afterstep, enlightenment, KDE, GNOME
and Windowmaker desktops instead of the boring twm(1) based one if the
user so chooses. This will require a little testing.
However, it doesn't check if the remote printer name it
is sending it to is the same as the local printer name,
and so chokes 'cos "laser" is not a real printer.
PR: 7081
Submitted by: David Malone <dwmalone@maths.tcd.ie>
device per argument rather than the old way of concatenating
everything then splitting the result at commas and whitespace.
Old syntax of ``set device /dev/cuaa0, /dev/cuaa1''
may no longer contain the comma, but syntax such as
``set device "!ssh host ppp -direct label"'' is now
possible.
- make this work: options FOO123=456 *without quotes*
- grumble (but accept) vector xxxintr, and tty/net/bio/cam flags.
- complain if a device is specified twice (eg: 2 x psm0)
- don't require quotes around: port IO_COM2
- recognize negative numbers. (ie: options CAM_DEBUG_UNIT=-1)
- GC some more unused stuff (we don't have composite disks from config(8)).
- various other nits (snprintf paranoia etc)
receiver and one for the sender. This allows two simultaneous
chap conversations - something that I *thought* I was already
doing on a daily basis myself until the existence of the
problem was
Beaten into me by: sos
I zapped the MACHINE_MIPS stuff, it isn't likely to be useful apart from
recognition of the machine name. It would be reasonable to expect new
ports would look something like the alpha/i386 from a config perspective.
only worked for configurations with "swap on generic".
usr.sbin/config/config.y:
- ignore all "swap [on] device ..." specifications except for
warning about them. They haven't done anything related to swap
for almost 4 years, and were previously silently ignored,
except for "swap on generic" which stopped swap${KERNEL}.c
from being generated. Code to support swapping is now deader
than before.
usr.sbin/config/mkswapconf.c:
- don't generate a dummy setconf() function in swap${KERNEL}.c.
sys/i386/conf/files.i386:
- swapgeneric.c is now standard. It should be merged into autoconf.c
so that it doesn't conflict with swap${KERNEL}.c for kernels named
"generic".
sys/i386/i386/autoconf.c:
- don't call setroot() for mfs roots. Since setroot() doesn't do anything
harmful, this was just a waste of time, except possibly for booting with
-a it may have helped prevent an undesirable call to setconf() by
finding a bogus rootdev.
- honor -a for ffs roots. -a now overrides all other ways of specifying
the root device. Previously, -r had precedence over -a, and the -a
handling was usually a no-op.
- don't honor -a for non-ffs roots, since it would currently just get in
the way of a clean panic.
sys/i386/i386/swapgeneric.c:
- don't declare things that are now always declared in swap${KERNEL}.c.
Don't decide things that are now decided in autoconf.c. Code to
support the "generic" case is now dead instead of useless.
with our own if there are differing bits (last two revisions
of lcp.c). This change broke at least one negotiation
session.
Instead, we just use an OR of the two accmap values when
we're doing the ASYNC framing.
Requested-by: ache
bde
dg
Modify targets for debug kernels: when -g was specified, make will
now build a debug kernel called kernel.debug, and create a stripped
version called kernel at the same time. The two targets install and
install.debug are otherwise unchanged.
Requested-by: dillon
Update man page accordingly.
2. Config complains if you use -g:
Debugging is enabled by default, there is no need to specify the -g option
3. Config warns you if you don't use -s:
Building kernel with full debugging symbols. Do
"config -s BSD" for historic partial symbolic support.
To install the debugging kernel, do make install.debug
(BSD was the name of the config file I used; I print out the same
name).
4. Modify Makefile.i386, Makefile.alpha, Makefile.pc98 and config to
work if a kernel name other than 'kernel' is specified. This is
not absolutely necessary, but useful, and it was relatively easy.
I now have a kernel called /crapshit :-)
5. Modify Makefile.i386, Makefile.alpha, Makefile.pc98 "clean" target
to remove both the debug and normal kernel.
6. Modify all to install the stripped kernel by default and the debug
kernel if you enter "make install.debug".
7. Update version number of Makefiles and config.