VPS / Jail / Bhyve File System isolation
Aryeh Friedman
aryeh.friedman at gmail.com
Thu Nov 21 23:16:36 UTC 2013
On Wed, Nov 20, 2013 at 1:03 PM, Miroslav Lachman <000.fbsd at quip.cz> wrote:
> Bruno Lauzé wrote:
>
>>
>> Using jails, customers are uncomfortable with the fact that documents can be
>> accessed from the host with root access. Project VPS seems to isolate the
>> guest from the host more, but not as well as a hypervisor like bhyve. With
>> a hypervisor, what the client has is private; the host can
>> manage the disk or delete it, but the information is kept private from the
>> host.
>> Any suggestions on how to offer jails, VPS, or any container techniques
>> with total file system isolation from the host, or is the only way to go
>> hypervisor, with the performance and instance count penalty that goes with
>> it?
>>
>
> There is the same problem with all hypervisors. Nothing prevents the
> hypervisor admin from taking a snapshot image, mounting it as another disk in
> another OS, and accessing the data.
> So nothing is private at this virtualisation level (without encrypted
> disks).
To make matters worse, many hypervisors (including bhyve) use raw image
files (in bhyve's case, md(4)-mountable ones).