Sandboxes

 
 
By Jason Brooks  |  Posted 2005-11-07
 
 
 
 
 
 
 


On one end of the virtualization spectrum, there's chroot, a venerable Unix utility that specifies a new root directory for a process and its children, thereby giving chrooted applications a separate place to work where the potential damage they can do is limited.

The simplest places to use chroot are with applications that are preconfigured to work with chroot. For instance, the version of the BIND (Berkeley Internet Name Domain) DNS (Domain Name System) service that Red Hat Inc. ships with its Linux distributions runs by default within a chroot. This means no management resources are necessary beyond the standard host package requirement.
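An added example, not from the original article: a Python pre-flight check of a directory tree intended for use as a chroot, flagging entries that weaken the damage limiting described above. The function names, issue labels and sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_chroot_tree(root):
    """Return sorted (issue, relative_path) findings for a directory meant to be a chroot."""
    root = os.path.abspath(root)
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not descended
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        mode = os.lstat(path).st_mode  # lstat: inspect the entry itself, not a link target
        rel = os.path.relpath(path, root)
        if stat.S_ISLNK(mode):
            continue  # a symlink's own mode bits carry no meaning
        # Setuid/setgid programs let a confined process run with privileges
        # the sandbox was meant to deny.
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("setuid-or-setgid", rel))
        # Device nodes reach disks and memory regardless of the directory tree.
        if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
            findings.append(("device-node", rel))
        # World-writable entries can be replaced by any confined process;
        # a sticky directory such as tmp is the accepted exception.
        sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
        if mode & stat.S_IWOTH and not sticky_dir:
            findings.append(("world-writable", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a small chroot-style tree with three deliberate problems."""
    root = tempfile.mkdtemp(prefix="chroot-audit-")
    layout = {"bin": 0o755, "etc": 0o755, "tmp": 0o1777, "var": 0o755, "var/spool": 0o777}
    for rel, mode in layout.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)  # explicit chmod: ignore the caller's umask
    files = {"bin/tool": 0o755, "bin/helper": 0o4755, "etc/conf": 0o666}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for issue, rel in audit_chroot_tree(build_sample_tree()):
        print(f"{issue:18} {rel}")
```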

Since Version 4.0, FreeBSD has shipped with a similar feature called Jail, which expands on chroot by enforcing partitioning beyond the file system limits that chroot sets to include separate process spaces and network resources as well.

Sun Microsystems Inc.'s Containers feature in Solaris 10 is similar to FreeBSD's Jail, but Sun has paired the Containers feature with compelling resource management facilities.

The Linux Vserver project is another interesting-looking alternative that allows for multiple Linux distributions to run on a single box under the same kernel. Unlike Containers and Jail, however, which are well-integrated with their respective host operating systems, Vserver (which we haven't tested) isn't part of the default Linux kernel. It must be implemented with a kernel patch and additional software utilities.

One good thing about the sandbox approach is that it cuts down on overhead. These strategies don't require virtualizing entire systems; rather, they share system calls with the host operating system, so they perform faster than whole-machine-virtualization approaches.

One bad thing about the sandbox approach, at least potentially, follows from the above—the applications you're running in your virtual instance must run on the host system. If your service runs on Linux or Windows, Solaris Containers aren't going to do you much good.

Another related drawback of this approach, particularly with Linux, is that applications often require a particular version of the Linux kernel on which to run, and applications that you want to run together on a single machine might have conflicting needs.

However, you can provide applications running in separate sandboxes with separate versions of particular libraries or other system files. For example, we have run 32-bit applications on AMD's AMD64 hardware running a 64-bit operating system by installing those applications in a chroot.




 
 
 
 
As Editor in Chief of eWEEK Labs, Jason Brooks manages the Labs team and is responsible for eWEEK's print edition. Brooks joined eWEEK in 1999, and has covered wireless networking, office productivity suites, mobile devices, Windows, virtualization, and desktops and notebooks. Jason's coverage is currently focused on Linux and Unix operating systems, open-source software and licensing, cloud computing and Software as a Service. Follow Jason on Twitter at jasonbrooks, or reach him by email at jbrooks@eweek.com.
 
 
 
 
 
 
 
