From: Peter Ross
Date: Mon, 8 Dec 2014 16:57:28 +1100 (AEDT)
To: Tinker
Subject: Re: Can a host OS user process create a zillion BHyVe VM:s and microcontrol them?
Cc: freebsd-virtualization@freebsd.org

On Mon, 8 Dec 2014, Tinker wrote:

> Looking at Capsicum, I think it has an even lower safety profile than NaCl -
> my usecase might just run any beastly binary code, so the sandbox wall needs
> to be the toughest you got, so using BHyVe here makes sense.

You could use jails..

- The kernel is booted in zero seconds;-),
- you could use nullfs mounts to create a read-only filesystem tree
- have one location read-write for your result
- use a devfs mount for needed device nodes (see rule set 4)
- and then run the command in a simple jail (directly from command line).
- Afterwards you delete the mounts.

Well, in fact you could prepare many many read-only jail file system trees
and reuse them for the jail command again and again (minus the read-write
area for the output)

It has much less overhead than starting a VM every time, I guess.

Regards
Peter
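
The steps listed in the message above, written out as an added example that is not part of the original post. The function names (run, jail_once), the DRY_RUN variable and all paths are hypothetical; it assumes the prepared tree already contains empty /dev and /out directories and that devfs ruleset 4 is loaded on the host.

```sh
#!/bin/sh
# Added example, not from the original message. Assumptions: BASE is a
# prepared jail tree that already contains empty /dev and /out directories,
# RUN is an existing empty mount point, OUT is the only writable directory,
# devfs ruleset 4 is loaded on the host, and paths contain no whitespace.

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# jail_once BASE RUN OUT CMD [ARGS...]
# Mounts the tree, runs CMD in a throwaway jail, then unmounts in reverse
# order. Returns the jail's exit status, or non-zero if a step failed.
jail_once() {
    base=$1; root=$2; out=$3; cmd=$4; shift 4
    mounted=""; rc=1
    if run mount_nullfs -o ro "$base" "$root"; then
        mounted="$root"
        if run mount_nullfs "$out" "$root/out"; then
            mounted="$root/out $mounted"
            if run mount -t devfs devfs "$root/dev"; then
                mounted="$root/dev $mounted"
                # Make ruleset 4 current for this mount, then apply it.
                if run devfs -m "$root/dev" ruleset 4 &&
                   run devfs -m "$root/dev" rule applyset; then
                    # command= takes the rest of the line as its arguments
                    if run jail -c path="$root" "command=$cmd" "$@"
                    then rc=0; else rc=$?; fi
                fi
            fi
        fi
    fi
    # Tear down whatever was mounted, newest first, even after a failure.
    for m in $mounted; do
        run umount "$m" || rc=1
    done
    return "$rc"
}

# Dry run with constructed paths: prints the nine commands, touches nothing.
( DRY_RUN=1; jail_once /jails/base /jails/run1 /jails/out1 /bin/sh -c 'make' )
```

With DRY_RUN unset and run as root on FreeBSD, the same call executes the steps; the read-only tree can then be reused for the next job with a fresh output directory.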