Open GoogleCodeExporter opened 9 years ago
Control groups (cgroups) could be used for better resource isolation.
You would likely want a unique root filesystem mounted for each user.
Still, the LXC / Linux container approach is not nearly as hardened as other
virtualization technologies such as OpenVZ, Xen, etc.; CORE has some support
for Xen but it requires much greater resources (CPU/RAM per VM).
Each student could be given their own CORE Virtual Machine to keep experiments
self-contained (again requires more resources...)
Original comment by ahrenh...@gmail.com
on 3 Jun 2013 at 6:30
How would cgroups help here and what is the approach that CORE currently uses?
Original comment by riva...@gmail.com
on 3 Jun 2013 at 8:25
cgroups could help isolate e.g. CPU/memory usage, to limit the max CPU that one
vnoded (LXC / container) could use.
Currently CORE's approach is to just provide the most lightweight node
possible, which is why there are no security/permissions controls.
Original comment by ahrenh...@gmail.com
on 3 Jun 2013 at 8:35
Yeah, I'm concerned about changing system configuration, rebooting or so.
Resource usage control is a nice thing, but certainly not too high on my
priorities list.
What's the situation on the BSD side?
Original comment by riva...@gmail.com
on 3 Jun 2013 at 8:39
For BSD, CORE uses jails. We haven't tested the FreeBSD support lately (lack of
user interest). With FreeBSD it is possible to use a ZFS root filesystem but
CORE hasn't been updated to support this. Since jails were originally a
security mechanism (versus namespaces/containers), I'm guessing you could
achieve better isolation.
Original comment by ahrenh...@gmail.com
on 24 Jun 2013 at 5:11
Original issue reported on code.google.com by
riva...@gmail.com
on 1 Jun 2013 at 8:24