« back to all changes in this revision
Viewing changes to doc/dev/architecture.rst
- browse files at revision 1164.2.35
- compare with another revision
- compare with revision 936
- download diff
- download tarball
- view history from revision 1164.2.35
- Committer: David Coles
- Date: 2009-11-27 02:13:13 UTC
- mto: This revision was merged to the branch mainline in revision 1322.
- Revision ID: coles.david@gmail.com-20091127021313-6y94j15azv5m379o
More clarification of the jail system
- files modified:
- doc/dev/architecture.rst
added
removed
doc/dev/architecture.rst
33
33
file system as well as placing basic resource limits to prevent users from
34
34
accidentally exhausting shared resources such as CPU time and memory.
35
35
36
37
Trampoline
38
----------
39
36
40
To each user, it appears that they have their own private Unix filesystem
37
41
containing software, libraries and a home directory to do with what they
38
42
please. This is mainly done by the setuid root program ``trampoline`` (See
42
46
user and group.
43
47
44
48
To prevent abuse, ``trampoline`` can only be used by root or one of the uids
45
specified when trampoline is built by ``setup.py build`` (defaults to 33,
46
Debian's www-data user which Apache runs as).
49
specified when trampoline is built by ``setup.py build`` (defaults to UID 33,
50
www-data on Debian systems). Since it's one of two C programs involved in IVLE
51
and runs setuid root it is rather secuity sensative.
47
52
48
Base Generation
49
---------------
53
Base Image Generation
54
---------------------
50
55
51
56
All user jails share a common base image that contains the files required for
52
57
both IVLE's operation and for executing user code. This base image is
83
88
the user's home directory over a read-only version of the base on demand. This
84
89
was implemented as part of ``trampoline`` and used a secondary program
85
90
``timount`` (see :file:`bin/timount/timount.c`) run at regular intervals to
86
unmount unused jails. This uses the :const:`MNT_EXPIRE` flag from
87
:manpage:`umount(2)` that only unmounts a directory if it hasn't been accessed
88
since the previous call with :const:`MNT_EXPIRE`.
91
unmount unused jails. This uses the :const:`MNT_EXPIRE` flag for
92
:manpage:`umount(2)` (available since Linux 2.6.8) that only unmounts a
93
directory if it hasn't been accessed since the previous call with
94
:const:`MNT_EXPIRE`.
89
95
90
96
While quite effective, AUFS appears to cause NFS caching issues when IVLE is
91
run as a cluster. The current system uses the much older *bind mount* feature
92
which allows directories to be accessible from another location in the file
93
system. By carefully read-only bind mounting the jail image and then bind
97
run as a cluster as well as questionable inclusion status in newer
98
distributions. The current system used in IVLE the much older *bind mount*
99
feature which allows directories to be accessible from another location in the
100
file system. By carefully read-only bind mounting the jail image and then bind
94
101
mounting the user's :file:`/home` and :file:`/tmp` directory data over the top
95
102
we can create a jail with only three bind mounts and at virtually no
96
103
filesystem overhead.
Loggerhead is a web-based interface for Breezy
Version: 2.0.1