Date: Mon, 8 Dec 2014 16:57:28 +1100 (AEDT)
From: Peter Ross <Peter.Ross@alumni.tu-berlin.de>
To: Tinker <tinkr@openmailbox.org>
Cc: freebsd-virtualization@freebsd.org
Subject: Re: Can a host OS user process create a zillion BHyVe VM:s and microcontrol them?
Message-ID: <alpine.LRH.2.11.1412081644090.4767@linux-vic-05.vv.fda>
In-Reply-To: <0fd8dd84712a2d78e4397ac89d78326c@openmailbox.org>
References: <CAG=rPVccq7R5%2Bcbm6nR1WCZDM=-xwwkmF=cw8PCuk58oHPA-gQ@mail.gmail.com> <1423616F-F44D-47E5-8595-DE862DC04464@bsdimp.com> <546A34C8.6060004@freebsd.org> <CAG=rPVeEEuK874g6%2BfVpHa5J_4V%2BA%2BQNbB5bCpXiS86jZW_U3Q@mail.gmail.com> <546C8812.2070904@FreeBSD.org> <20141119195923.GS24601@funkthat.com> <CAG=rPVdrjim_28ntxUv6qJxb-_bGhGabZipFyYzNuydZ2XPm5Q@mail.gmail.com> <69A8C06F-A7F6-49EC-8601-91AC4CDBFB13@FreeBSD.org> <547364EB.7090505@freebsd.org> <CAG=rPVeAM2_EEVYyhQiuXV7i%2Bpvw-uPYRBbjXeZhZKbrZzHRMg@mail.gmail.com> <547AEB93.3050600@freebsd.org> <CAF05609-FCB4-4CB6-9533-A1F32A7F3F22@neville-neil.com> <alpine.BSF.2.11.1412041456190.87680@fledge.watson.org> <5fa49b79a601363b471babbfc577590d@openmailbox.org> <5483BA9F.2000905@freebsd.org> <0fd8dd84712a2d78e4397ac89d78326c@openmailbox.org>

On Mon, 8 Dec 2014, Tinker wrote:

> Looking at Capsicum, I think it has an even lower safety profile than NaCl -
> my use case might just run any beastly binary code, so the sandbox wall needs
> to be the toughest you got, so using BHyVe here makes sense.

You could use jails..

- The kernel is booted in zero seconds;-),
- you could use nullfs mounts to create a read-only filesystem tree
- have one location read-write for your result
- use a devfs mount for needed device nodes (see rule set 4)
- and then run the command in a simple jail (directly from command line).
- Afterwards you delete the mounts.

Well, in fact you could prepare many many read-only jail file system trees
and reuse them for the jail command again and again (minus the read-write
area for the output)

It has much less overhead than starting a VM every time, I guess.

Regards
Peter
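
The steps listed in the message above, written out as a FreeBSD sh script. This is an added example, not part of the original e-mail: the paths /jails/base and /jails/run and the function names are hypothetical, the base tree is assumed to contain empty dev/ and out/ directories, and devfs ruleset 4 is assumed to be loaded. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: one-shot jail over a read-only nullfs tree.
# Assumptions (hypothetical): BASE is a prepared jail tree with empty
# dev/ and out/ directories; devfs ruleset 4 is loaded on the host.
BASE=${BASE:-/jails/base}
RUNDIR=${RUNDIR:-/jails/run}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the commands, 0 = execute them (as root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Remove the jail if the command left processes behind, then unmount
# in reverse order of mounting.
teardown() {
    run jail -r "$name" 2>/dev/null || true
    for m in "$root/dev" "$root/out" "$root"; do
        run umount "$m" || echo "still mounted: $m" >&2
    done
}

# jail_once NAME OUTDIR COMMAND [ARGS...]
# OUTDIR is the only writable location the command sees (as /out).
jail_once() {
    name=$1 out=$2
    shift 2
    # The name becomes part of a mount path, so keep it to safe characters.
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "bad jail name" >&2; return 2 ;;
    esac
    root=$RUNDIR/$name
    run mkdir -p "$root" "$out" &&
    run mount -t nullfs -o ro "$BASE" "$root" &&
    run mount -t nullfs "$out" "$root/out" &&
    run mount -t devfs -o ruleset=4 devfs "$root/dev" &&
    run jail -c name="$name" path="$root" command="$@"
    rc=$?
    teardown
    return $rc
}

# Stand-alone use: sh jailrun.sh NAME OUTDIR COMMAND [ARGS...]
if [ $# -ge 3 ]; then jail_once "$@"; fi
```

Because the base tree is mounted read-only, the same prepared tree can back many such runs; only the output directory differs per run.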