jail extensions

Brooks Davis brooks at one-eyed-alien.net
Wed Jun 7 20:49:22 UTC 2006


On Wed, Jun 07, 2006 at 05:56:24PM +0300, Alex Lyashkov wrote:
> 
> > 
> > 
> > Marco's work is somewhat similar.
> > All globals related to the network are moved to structures that can be
> > duplicated.
> > 
> > The base system also uses this structure so that in effect the base
> > system is just another instance of the virtual machines. The biggest
> > obstacle is that the 4.x based version just put everything into one
> > structure, meaning that it only worked when all the components affected
> > were compiled into the kernel. None of them could be implemented as a
> > loadable kernel module.
> > This has become much more important in 6.x.
> > 
> > There is a way to allow this to work but it would require that we
> > implement a kernel version of the idea used for TLS (Thread Local
> > Storage), so that modules being loaded could be added to all the
> > existing VMs and new VMs could get instances of all loaded modules.
> > (and so that a module could not be unloaded until all VMs have destroyed
> > their instance
> It can be created easily. Each module can have its own private data and
> register init/destroy methods, similar to the SYSINIT macro.
> The prison will need to add an array to store pointers to module data.
> Yes, it may possibly lose more memory, but it is easy to implement.

Even blowing a page or two per prison probably doesn't matter.  It seems
unlikely anyone is going to run large numbers of them on very small
platforms and it's not as if you can run a process that takes less than
3-4 pages anyway.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
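
The scheme discussed in this thread (each module registers init/destroy hooks, each prison carries an array of pointers to per-module data, and a module cannot be unloaded while any prison still holds an instance), sketched as a userland C model. This is an added example, not part of the original message and not FreeBSD code; every name in it (`pmod_register`, `prison_model`, `ctr_init`, the fixed limits) is hypothetical.

```c
#include <stdlib.h>
/* Hypothetical names throughout: a userland model, not FreeBSD's struct prison or module KPI. */
enum { MAX_MODS = 8, MAX_PRISONS = 4 };   /* constructed limits for this model */
static struct pmod { int used; void *(*init)(void); void (*destroy)(void *); } mods[MAX_MODS];
static struct prison_model { int alive; void *moddata[MAX_MODS]; } prisons[MAX_PRISONS];
/* Module load: claim a slot, then instantiate in every existing prison. */
int pmod_register(void *(*init)(void), void (*destroy)(void *)) {
    for (int s = 0; s < MAX_MODS; s++) {
        if (mods[s].used) continue;
        mods[s] = (struct pmod){ 1, init, destroy };
        for (int p = 0; p < MAX_PRISONS; p++)
            if (prisons[p].alive) prisons[p].moddata[s] = init();
        return s;
    }
    return -1;
}
/* Module unload: refused while any live prison still holds an instance. */
int pmod_unregister(int s) {
    if (s < 0 || s >= MAX_MODS || !mods[s].used) return -1;
    for (int p = 0; p < MAX_PRISONS; p++)
        if (prisons[p].alive && prisons[p].moddata[s]) return -1;
    mods[s].used = 0;
    return 0;
}
/* Prison creation: the new prison gets an instance of every loaded module. */
int prison_create(void) {
    for (int p = 0; p < MAX_PRISONS; p++) {
        if (prisons[p].alive) continue;
        prisons[p].alive = 1;
        for (int s = 0; s < MAX_MODS; s++)
            prisons[p].moddata[s] = mods[s].used ? mods[s].init() : NULL;
        return p;
    }
    return -1;
}
/* Prison teardown: run each module's destroy hook, then clear every slot. */
void prison_destroy(int p) {
    for (int s = 0; s < MAX_MODS; s++)
        if (prisons[p].moddata[s]) mods[s].destroy(prisons[p].moddata[s]);
    prisons[p] = (struct prison_model){ 0 };
}
static int live;   /* constructed sample module: count of allocated instances */
static void *ctr_init(void) { live++; return calloc(1, sizeof(int)); }
static void ctr_destroy(void *d) { live--; free(d); }
int main(void) {
    int p = prison_create(), s = pmod_register(ctr_init, ctr_destroy);
    int busy = pmod_unregister(s);          /* -1: prison p still holds an instance */
    prison_destroy(p);
    return !(busy == -1 && pmod_unregister(s) == 0 && live == 0);
}
```

The per-prison cost in this model is one pointer per module slot plus whatever each module's init hook allocates.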

More information about the freebsd-arch mailing list