Re: [SAGE] JAILS (Re: Respondents needed for article on sysadmin survival)
On January 17, 2004 12:58 pm, Dustin Puryear wrote:
> But can it be done even better?
>
> With virtual servers (however implemented) I can usually bring a "server"
> up a lot faster (as opposed to a system--the hardware/OS), and I can run
> several services/servers on the same piece of hardware even though each
> service may normally interfere with one another (i.e., if each service
> required a different version of a system library or something, say if for
> example one package wants mysql323-server while another wants
> mysql40-server).
>
I am inclined to agree with you. I am very interested in this method of
managing services especially with security in mind. By using any of the
methods discussed, vmware, vserver (the one that I find most appealing), UML,
Jails, and some appropriate measures to really seal that service inside its
compartment, such as grsecurity or other mandatory access scheme, you should
be able to have a base host that runs no services, except perhaps ssh, and is
locked down very tightly. This also allows you to use the host to monitor
the service, collect logs, watch for changes in file checksums, etc., with far
less concern for an attacker being able to get in under your nose.

In terms of simplicity of management, I would think that one would be able to
transport these encapsulated services around without much difficulty at all
in order to move a service to a less loaded box or to a larger box to
accommodate greater demands on the service.
Mason
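
An added example, not part of the original post: a host-side check for changed file checksums inside a compartment, assuming the jail's root directory is readable from the host and the baseline snapshot is kept on the host. The function names and the sample tree are constructed for illustration; the scan uses lstat and never follows symlinks, because the compartment controls where they point.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Describe one jail path using lstat, so a symlink is never followed."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        # The jail controls where a link points; record the target, never open it.
        return "link:" + os.readlink(path)
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        # O_NOFOLLOW makes the open fail if the last component became a symlink.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        with os.fdopen(fd, "rb") as handle:
            for chunk in iter(lambda: handle.read(65536), b""):
                digest.update(chunk)
        return "file:%04o:%s" % (mode, digest.hexdigest())
    return "other:%04o:%o" % (mode, stat.S_IFMT(st.st_mode))

def snapshot(jail_root):
    """Fingerprint everything under jail_root, keyed by path relative to it."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(jail_root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, jail_root)] = fingerprint(full)
    return entries

def compare(baseline, current):
    """Return added, removed and changed paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

if __name__ == "__main__":
    # Constructed stand-in for a jail root; a real one is the jail's directory on the host.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0\n")
        before = snapshot(root)  # keep this on the host, outside the jail
        os.symlink("/etc/shadow", os.path.join(root, "motd"))
        print(compare(before, snapshot(root)))
```

The fingerprint includes the permission bits, so a newly set setuid bit shows up as a change even when the file contents are identical.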