Can a host OS user process create a zillion BHyVe VM:s and microcontrol them?
Peter Ross
Peter.Ross at alumni.tu-berlin.de
Mon Dec 8 06:18:31 UTC 2014
On Mon, 8 Dec 2014, Tinker wrote:
> Looking at Capsicum, I think it has an even lower safety profile than NaCl -
> my usecase might just run any beastly binary code, so the sandbox wall needs
> to be the toughest you got, so using BHyVe here makes sense.
You could use jails..
- The kernel is booted in zero seconds;-),
- you could use nullfs mounts to create a read-only filesystem tree
- have one location read-write for your result
- use a devfs mount for needed device nodes (see rule set 4)
- and then run the command in a simple jail (directly from command line).
- Afterwards you delete the mounts.
Well, in fact you could prepare many many read-only jail file system trees
and reuse them for the jail command again and again (minus the read-write
area for the output).
It has much less overhead than starting a VM every time, I guess.
Regards
Peter
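
The steps listed in the message above, as an added example that is not part of the original post: a one-shot jail over a read-only nullfs tree with a single writable output directory, devfs ruleset 4, and teardown afterwards. The function names, the jail name "oneshot", the /out mount point and ip4/ip6=disable are assumptions of this example; it also assumes ruleset 4 has been loaded from /etc/defaults/devfs.rules.

```shell
#!/bin/sh
# Added example for FreeBSD, run as root. All paths and names are placeholders.
# DRYRUN=1 prints each command instead of running it.
run() { if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Unmount in reverse order; errors are ignored so a partial setup is still removed.
teardown() {
    for m in "$1/dev" "$1/out" "$1"; do run umount "$m" || true; done
}

# oneshot BASE OUT ROOT CMD [ARGS...]
#   BASE: prepared file system tree; must contain empty /dev and /out directories
#   OUT:  host directory that receives the result (the only writable location)
#   ROOT: empty directory used as the jail root for this run
oneshot() {
    base=$1 out=$2 root=$3; shift 3
    rc=1
    if run mount_nullfs -o ro "$base" "$root" &&
       run mount_nullfs "$out" "$root/out" &&
       run mount -t devfs devfs "$root/dev" &&
       run devfs -m "$root/dev" ruleset 4 &&
       run devfs -m "$root/dev" rule -s 4 applyset
    then
        # Not in the post: ip4/ip6=disable leaves the jailed command without network.
        # The jail is not persistent, so it disappears when the command exits.
        run jail -c name=oneshot path="$root" ip4=disable ip6=disable command="$@"
        rc=$?
    fi
    teardown "$root"
    return $rc
}

# Typical call (constructed paths):
#   oneshot /jails/base /var/out/job1 /jails/run1 /bin/sh -c 'id > /out/result'
```

The same BASE tree can back many ROOT mount points at once, as long as each run gets its own OUT directory and its own jail name.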