From: Julian Elischer
Date: Wed, 20 Nov 2013 11:17:48 -0800
To: freebsd-virtualization@freebsd.org
Subject: Re: VPS / Jail / Bhyve File System isolation
Message-ID: <528D0ADC.1010600@freebsd.org>
In-Reply-To: <528CF986.2000003@quip.cz>

On 11/20/13, 10:03 AM, Miroslav Lachman wrote:
> Bruno Lauzé wrote:
>>
>> Using jails, customers are uncomfortable with the fact documents
>> can be accessed from the host with root access. Project VPS seems to
>> isolate more the guest from the host but not as well as an
>> hypervisor like bhyve. With an hypervisor what the client have is
>> private, as long as the host can manage the disk, delete it, but
>> the information is kept private from the host.
>> Any suggestions how to offer jail, vps, or anything containers
>> techniques with total file system isolation from the host, or the
>> only way is to go hypervisor, with the performance and instances
>> count penalty that goes with it?
>
> There is the same problem with all hypervisors. Nothing prevents
> hypervisor admin to do a snapshot image and mount it as another disk
> to other OS and access the data.
> So nothing is private at this virtualisation level. (without
> encrypted disks)

and even then that is not true because root of the host system can
recover the disk contents if he knows where to get the key from.
(terminal snooping etc.)

> Miroslav Lachman