Domain: freebsd.dk
Stories and comments across the archive that link to freebsd.dk.
Comments · 16
-
So.... thin jails
iocage create -c
Congratulations, you've just (almost) caught up to decade old technology.
-
Re: Complicated
FreeBSD introduced jails in 2000. Solaris gained support for Zones (jails, but rebranded) in 2004. Linux still has a load of competing solutions and no sensible management interface, hence Docker exists to add them as a third party thing.
-
Re:VM Replication
This is how the FreeBSD kernel devs describe BSD Jails. Each jail gets its own kernel network stack, kernel memory allocator, and almost every other kernel data structure.
What you are describing is VPS (Virtual Private System), not Jails. VPS is the successor to Jails, written to address some of the shortcomings of Jails and make them more useful in situations where you want true virtual environments, rather than just the extra security that Jails has to offer. Incidentally, the mechanisms used to implement VPS in FreeBSD are nearly identical to the mechanisms for implementing containers on linux. Here is the relevant description from the whitepaper (http://2010.eurobsdcon.org/fileadmin/fe_user/klaus/37R5uB.pdf):
3.4 Multiplexing global variables
A FreeBSD kernel without VPS maintains global variables like the process table, the hostname, number of currently existing processes, and much more.
In a VPS enabled kernel, global variables are replaced by variables private to a VPS instance. Therefore even if no VPS instance is explicitly created, the
system knows the instance “vps0”, which is the “main system”. This instance is created very early at kernel boot and has all privileges. VPS instances can be created in a hierarchical way, allowing one VPS instance to manage its child instances and pass on part of their resource quotas. Each “struct ucred” keeps a pointer to the real VPS instance, and each “struct thread” keeps the pointer to the effective VPS instance. A “struct ucred” contains user credentials and is referenced by threads, processes, sockets, some devices as well as some other resources.
Sounds familiar? That is basically how Linux namespaces work. The primary difference is that on Linux you have several independent namespaces (cpu, mem, ipc, net, etc) that must be used together to create a container, whereas with VPS they are integrated more-or-less. On Linux you have the flexibility to use namespaces for other purposes besides containers; on BSD you have VPS and only VPS.
BSD Jails do not use anything like chroot. "chroot" is being used as a verb that described the intention, but not the implementation.
For VPS, you are correct. For Jails it is a chroot, albeit a hardened version of the chroot system call, not chroot the userspace program. Read about it here in the whitepaper written by the author of Jails,
http://phk.freebsd.dk/pubs/san...
They said this is nearly identical to paravirtualization.
This is not true at all. For Jails there are two principal isolation features. Once a process is jailed, the "struct proc" has a copy of the "prison" data structure and a reference counter. Every child process that it creates references this data structure in its own "struct proc" and increments the reference counter. In this way, the processes that belong to a jail are tracked by their references to the "prison" data structure owned by the root jailed process. Various kernel systems are then altered to block messages between processes not in the same jail, to limit process listing to the tree described by references to the root jailed process (via the sysctl interface, for example), to limit pty access to processes in the same jail, etc. Among the things recorded in the "prison" data structure are the IP address and hostname, and the kernel blocks attempts to bind an IP address or hostname that does not fall in this specified range.
Despite these mechanisms to isolate processes, there is still one global process table and one network stack. The partitioning is effected by hiding parts of the process table and making every attempt to block communication outside of the allowed process list, but it is a fairly blunt instrument. For example, IPC is completely blocked by default in a Jail because this is th
-
Re:Bus Factor
Linux Foundation sponsored developer who has extraordinary knowledge of NTP and time issues: http://phk.freebsd.dk/time/ind...
But apparently something went iffy between them, as the last commit to https://github.com/bsdphk/Ntim... was over half a year ago.
-
Re:/. is not kickstarter
And if you spend money, spend it on this guy, because this is the leading expert on ntpd and time setting issues who actually works on the problem and who you can trust to make it right.
-
Re:Proposals and running code
But at first glance it doesn't look that bad.
I can see the appeal of rubberstamping what already exists.
That's the real problem with the proposed protocol; it solves today's problems for todays computers. It doesn't attempt to look ahead and solve problems that should be solved over the next ten years.
Seeing as it's going to take a few years and a huge amount of effort before HTTP 2 is widely adopted, we're going to need to start working on a replacement before it's even finished its rollout.
Poul-Henning has written his thoughts on the problems that actually should be solved in the next version of HTTP: http://phk.freebsd.dk/words/ht...
The fact that the IETF has decided to ignore those problems so that HTTP 2 can be pushed out the door is what makes the situation such a joke. Almost the only entities that will benefit from having HTTP 2 in the next 5 years are companies that have a web presence on the same scale as Google, Facebook, Twitter etc. that will save a small amount of money through reduced bandwidth costs.
For everyone else, rolling out HTTP 2 will be a massive initial and ongoing technical burden, with almost no benefit.
-
Re:Mathematics
Chrony is a complete working implementation of the NTP protocol.
You mean complete except for broadcast/multicast mode, or authentication based on public-key cryptography. So basically it's a good client and an unauthenticated / inefficient (network) server.
It also makes some pretty misleading claims; Chrony can usually synchronise the system clock faster and with better time accuracy except it never explains how it can possibly achieve better time accuracy than NTPd.
Chrony does handle a number of client usage scenarios better than NTPD (namely non-permanent network connection, and laptop-like environments) as far as I know, but it does not achieve better accuracy for the usage scenarios NTPD was primarily designed for (e.g. network connected servers).
NTPD gets its knickers in a twist at the slightest excuse and sometimes ends up stepping the time even though it has perfectly good Internet connectivity and a reasonably good internal clock.
Yet chrony can't detect rogue or fix broken time servers. Beyond possibly having better handling for clients of dynamic clock frequencies (i.e. SpeedStep, and various other power saving features that modify one or more of the several frequency oscillators in a computer). I say possibly because I am not certain of the state of affairs in the current NTPD code base; I know it was lacking when dynamic clock frequencies originally appeared in systems, but I am not sure that it is still naive about that.
Chrony keeps steady time even if Internet access is intermittent. It never gets confused and picks a falseticker pretending to be stratum one instead of a stratum 3 with correct time, unlike NTPD.
While it does appear Chrony has improved greatly from a simple SNTP client for intermittent network connectivity it was when I first heard about it, that is still its forté, and likely the best client for many end-users' cases. Still it is not a robust general purpose replacement of NTPD.
It even has interfaces to GPS clocks or other hardware clocks, so you can run your stratum 1 server on Chrony if you want.
And YouTube is full of people doing stupid, reckless, and/or unwise things too. That's perhaps too harsh, but those "features" are quite incomplete.
Having PPS (Pulse Per Second) optional support is a good start, it is not a comprehensive solution to running a quality stratum 1 server. I expect a stratum 1 server to have improved or at least quantified oscillator ("clock") parameters, such as ideally TCXO (Temperature-Compensated crystal Oscillators) or OCXO (Oven-Controlled crystal Oscillator) for the stratum 1 system's time-keeping. For commercial systems I would suggest looking at a professional NTP server network appliance, there are several vendors including Spectracom, Symmetricom, Meinberg, and others.
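The falseticker argument in the thread above turns on how a client decides which servers to believe. As an added illustration (my own Python, not code from ntpd, chrony or any of the commenters), here is the intersection step of NTP clock selection, the Marzullo-style algorithm RFC 5905 describes: each server contributes an interval (offset ± error bound), the widest interval agreed on by a majority is found, and servers whose intervals fall outside it are rejected regardless of their advertised stratum. The server names, strata, offsets and error bounds are constructed for the demonstration, and the final "system peer" choice is a simplification (lowest stratum, then smallest error) of ntpd's later clustering step.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    """One server's measurement as seen by the client (constructed values)."""
    name: str
    stratum: int     # advertised stratum; a falseticker can claim anything here
    offset: float    # measured clock offset against this server, seconds
    error: float     # half-width of the confidence interval, seconds

    @property
    def low(self) -> float:
        return self.offset - self.error

    @property
    def high(self) -> float:
        return self.offset + self.error


def intersection_interval(samples: List[Sample]) -> Optional[Tuple[float, float]]:
    """Widest interval contained in the intervals of more than half the samples.

    Sort all interval edges; a low edge (-1) enters an interval, a high edge (+1)
    leaves it. Starting with zero tolerated falsetickers, find the first point
    covered by n - allow intervals from below and from above; if those points
    bracket a non-empty span, that is the agreement. Otherwise allow one more
    falseticker, but never so many that the survivors stop being a majority.
    """
    n = len(samples)
    edges = sorted([(s.low, -1) for s in samples] + [(s.high, +1) for s in samples])
    for allow in range((n + 1) // 2):
        need = n - allow
        low = high = None
        count = 0
        for edge, kind in edges:
            count -= kind                 # -1 edge => one more interval covers us
            if count >= need:
                low = edge
                break
        count = 0
        for edge, kind in reversed(edges):
            count += kind                 # +1 edge => one more interval covers us
            if count >= need:
                high = edge
                break
        if low is not None and high is not None and low <= high:
            return low, high
    return None                           # no majority agrees: nothing is trusted


def select_truechimers(samples: List[Sample]):
    """Split samples into truechimers and falsetickers, then pick a system peer."""
    span = intersection_interval(samples)
    if span is None:
        return None
    low, high = span
    truechimers = [s for s in samples if s.low <= high and s.high >= low]
    falsetickers = [s for s in samples if s not in truechimers]
    # Simplified choice: stratum is only consulted among servers already proven
    # consistent with the majority, so a lying "stratum 1" cannot win here.
    system_peer = min(truechimers, key=lambda s: (s.stratum, s.error))
    return low, high, truechimers, falsetickers, system_peer


# Constructed scenario: three honest pool servers at strata 2 and 3, one server
# claiming stratum 1 but two seconds off, and one broken upstream 1.5 s off.
SAMPLES = [
    Sample("fake-stratum1", 1, 2.000, 0.005),
    Sample("pool-a", 2, 0.010, 0.020),
    Sample("pool-b", 3, -0.005, 0.030),
    Sample("pool-c", 2, 0.003, 0.015),
    Sample("broken-upstream", 2, -1.500, 0.010),
]

if __name__ == "__main__":
    result = select_truechimers(SAMPLES)
    if result is None:
        print("no majority agreement; refusing to set the clock")
    else:
        low, high, good, bad, peer = result
        print(f"agreement interval [{low:+.3f}, {high:+.3f}] s")
        print("truechimers :", [s.name for s in good])
        print("falsetickers:", [s.name for s in bad])
        print("system peer :", peer.name)
```

Run on the constructed samples, the stratum-1 impostor and the broken upstream are both discarded because their intervals do not overlap the majority agreement around zero, and the stratum 2 server with the tightest bound is chosen from the survivors; with three mutually disjoint servers the function returns None, which a client should treat as "do not step the clock" rather than picking the lowest stratum.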
-
Varnish Moral Licence
Did you consider buying a Varnish Moral Licence ?
-
Summary misleading...
I know, I know, but still, the phrasing of this irked me a little: "was forced to acknowledge".
Forced by who?
It makes it sound like he reluctantly, and begrudgingly mentioned this. I'll let you judge for yourselves:
http://tech.slashdot.org/story/12/06/07/1529252/md5crypt-password-scrambler-is-no-longer-considered-safe
http://phk.freebsd.dk/sagas/md5crypt_eol.html
Anyways, what's its $2a$08$ rate? How about scrypt?
Discussed in the past:
Bcrypt, scrypt, sha512crypt
-
Re:Did ZDNet buy Slashdot?
First of all, WTF is a "password scrambler"? If you feel the need to dumb down the phrase "hash algorithm", you're probably submitting to the wrong site.
Maybe you'd like to explain this to Poul-Henning Kamp, who named it so himself.
-
Re:Daft Question
There ARE libraries like that. From the article:
As I said, md5crypt [a hashing function based on MD5] is pretty much the "default" password scrambler for a lot of people, but even though it fulfilled all relevant criteria back in 1995, I no longer consider it safe enough (see: http://phk.freebsd.dk/sagas/md5crypt_eol.html).
But what was secure back in 1995, when computers had processors like Pentiums or Pentium Pros operating at around 200 MHz, is not secure in 2012, when computer processors in the Sandy Bridge family are operating between 1.6 and 3.6 GHz (1600 to 3600 MHz) and likely have GPUs they can call upon for extra computing power. [My use of the list of Intel processors only is not intended to be a slight against other processor manufacturers, but just the first list I found.]
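The two md5crypt comments above (the "$2a$08$ rate? How about scrypt?" question and the 1995-versus-2012 hardware point) both come down to the same property: md5crypt's cost is hard-wired. As an added example, not Poul-Henning Kamp's C implementation and not code from the linked saga, here is the md5crypt construction in pure Python following the published algorithm, with a `verify` helper. The 1000-round loop is the only slowdown the scheme has, and it cannot be tuned the way bcrypt's `$2a$08$` cost or scrypt's parameters can; the password and salt values below are constructed for the demonstration.

```python
import hashlib
import hmac

MAGIC = b"$1$"
# Hard-wired in the algorithm: the original C source notes the loop took about
# 34 ms on a 60 MHz Pentium. There is no parameter to raise it as hardware improves,
# which is exactly why a modern GPU makes md5crypt cheap to brute-force.
ROUNDS = 1000
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` chars, least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """Return the $1$salt$hash string for `password` (traditional md5crypt)."""
    # Salt refinement: strip a leading magic, stop at '$', keep at most 8 bytes.
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]

    ctx = hashlib.md5(password + MAGIC + salt)
    # Mix in as many bytes of MD5(pw, salt, pw) as the password is long.
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length, add a NUL or the first password byte.
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()

    # The fixed-cost stretching loop: which inputs are hashed depends on i.
    for i in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()

    # Output: bytes are interleaved in a fixed permutation before encoding.
    out = MAGIC + salt + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return out


def verify(password: bytes, stored: bytes) -> bool:
    """Recompute with the salt embedded in `stored` and compare in constant time."""
    return hmac.compare_digest(md5crypt(password, stored), stored)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    h = md5crypt(b"correct horse", b"saltsalt")
    print(h.decode())
    print("verify ok :", verify(b"correct horse", h))
    print("verify bad:", verify(b"wrong horse", h))
```

Every call performs the same 1000 rounds whatever the input, so the defender's only lever against faster hardware is to migrate to a scheme with a cost parameter (bcrypt, scrypt, or sha512crypt with a rounds setting), which is what the linked saga recommends.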
-
seems the md5crypt guy just posted to bugtraq
Don't use his md5crypt and think you did anything useful he says. http://phk.freebsd.dk/sagas/md5crypt_eol.html
-
Do what the meter supports?
Often the meter supports some sort of data export mechanism, and you just need to tie into it. Hacker extraordinaire Poul-Henning Kamp did this with his gas meter.
-
Check-out the FreeBSD jail facility
[I know this will cost me karma points.]
The FreeBSD operating system provides the jail(2) system call and the jail(1) command for imprisoning a process and its future descendants. The jail facility is based on the chroot(2) implementation, but prevents well-documented means to escape chroot confinement, offering partitioning of the file system, process, and networking namespaces. The facility removes all super-user privileges that would affect objects not entirely inside the jail.
For more information read:
-
Re:compaq triflex ide controller
You might want to contact Soren Schmidt; he is currently developing the ATA driver last time I checked. His website is freebsd.dk, this is an excerpt of the relevant text:
I'm currently the author and maintainer of the FreeBSD ATA driver (disk, cdrom, DVD, ZIP, LS120 etc).
I also wrote the Linux emulator, the FreeBSD console driver syscons and libvgl graphics lib, plus various other bits and pieces, most of which I have handed over to new maintainers to concentrate on the ATA driver.
The latest patches/enhancements to the ATA driver can be found here. A list of supported CDR / CDRW drives (burncd + ATA driver) is here. If you have ATA/ATAPI/IDE hardware that is not supported, please contact me at sos@FreeBSD.dk
I remember one day, long ago, upgrading my FreeBSD system and noticing the hard disk names changed from /dev/wd to /dev/ad (for ATA disk). I'm pretty sure SOS was responsible for that; today, I'm using a RAID subsystem (/dev/ar0) with a CD burner (/dev/acd) supported by the ATA driver. Very cool. I'm sure I'm not the only one that appreciates his work.
Definitely get in touch with Soren, I'm sure he would be able to help. There may be licensing issues in porting the Linux driver, though. Probably best to write it from scratch (as is sadly common with BSD and GPL software today.)
Good luck...