|Anonymous | Login | Signup for a new account||04-14-2021 09:10 PDT|
|Main | My View | View Issues | Change Log | Docs|
|Viewing Issue Simple Details [ Jump to Notes ]||[ View Advanced ] [ Issue History ] [ Print ]|
|ID||Category||Severity||Reproducibility||Date Submitted||Last Update|
|0002426||[Resin]||minor||always||02-11-08 16:57||03-05-08 14:23|
|Summary||0002426: add chroot|
1.) Will this bug be for chroot for the host/webapp/server? Will it be a way to prevent JRE from accessing server wide resources similar to chroot'ing the entire application?
2.) If possible I would request to have it be effective at the host level.
3.) Will this be available in 3.1.5?
Always impressed and grateful for the Caucho Team.
See http://caucho.com/resin/doc/resin-watchdog.xtp [^] and look at the ISP section, particularly the <watchdog-manager> section.
It would be a true chroot, not a virtual one, at the <watchdog> level, something like:
<open-port address="host1.com" port="80"/>
chrooting is pretty severe. You need to add a copy of the JDK and Resin and stuff like /etc/resolv.conf if the application uses it.
If the application binds to port 80 or 8080 it would need its own IP, although you could set up a Resin load balancer on a web-tier and dispatch to different chrooted virtual hosts.
Unfortunately, 3.1.5 might not be possible. (Depending... it might be easier to implement than it would be to document or configure. The complication is all on the administrator's end.)
So, for lack of a better term, this would end up being a virtualized instance? The install would be with separate JRE files, resin app, etc? However sharing the same OS?
We would run a load balancer to destribute to the backend JVMs or backend virtual instances. We would also start each host instance with a separate JVM and hence different chroot location.
If unable roll this out with 3.1.5, we will start with using the new securitymanager changes and monitor server performance. However, as you suggested I think a better way is with chroot and separate JVM instances.
This does seem like a great feature once completed and a real good move in helping to make ISP environment more secure. And once again thanks, tons of thanks for providing a great product.
|02-11-08 16:57||ferg||New Issue|
|02-14-08 20:11||norlab||Note Added: 0002780|
|02-14-08 20:24||ferg||Note Added: 0002781|
|02-15-08 14:45||norlab||Note Added: 0002783|
|03-05-08 14:23||ferg||Assigned To||=> ferg|
|03-05-08 14:23||ferg||Status||new => closed|
|03-05-08 14:23||ferg||Resolution||open => fixed|
|03-05-08 14:23||ferg||Fixed in Version||=> 3.1.6|
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
33 total queries executed.|
28 unique queries executed.