Date: Wed, 20 Nov 2013 21:48:06 -0500 From: Eitan Adler <lists@eitanadler.com> To: =?UTF-8?B?QnJ1bm8gTGF1esOp?= <brunolauze@msn.com> Cc: "freebsd-virtualization@freebsd.org" <freebsd-virtualization@freebsd.org> Subject: Re: VPS / Jail / Bhyve File System isolation Message-ID: <CAF6rxgmkUnyENS=_y-jCjnQdBqgeDX4K2xJh6SSJ=7syss3T=A@mail.gmail.com> In-Reply-To: <BLU179-W2710DC567151403C38377AC6E60@phx.gbl> References: <BLU179-W2710DC567151403C38377AC6E60@phx.gbl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Nov 20, 2013 at 12:55 PM, Bruno Lauzé <brunolauze@msn.com> wrote: > > Using jails, customers are uncomfortable with the fact documents can be accessed from the host with root access.Project VPS seems to isolate more the guest from the host but not as well as an hypervisor like bhyve. With an hypervisor what the client have is private, as long as the host can manage the disk, delete it, but the information is kept private from the host. > Any suggestions how to offer jail, vps, or anything containers techniques with total file system isolation from the host, or the only way is to go hypervisor, with the performance and instances count penalty that goes with it? Untrusted hypervisors is an active area of academic research. However, any such scheme requires additional hardware support. If you are interested I can give you some papers to look at. -- Eitan Adler
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAF6rxgmkUnyENS=_y-jCjnQdBqgeDX4K2xJh6SSJ=7syss3T=A>