Support virtualization Zones in JNode
| Project: | JNode Core |
| Component: | Code |
| Category: | feature request |
| Priority: | minor |
| Assigned: | Unassigned |
| Status: | postponed |
Jump to:
Description
Hi to all,
what do you think about the concept of Protect a JNode System by Virtualization "Zones", like in Solaris 10 or Xen for Linux ...
For example:
- installation of Jnode from the local Console.
- after this, config the accessibility polices of the default zone ("zone0" ?), for ex. from the LAN or leave it reachable only from the local console (maximun security)
- opt., later configure 1 or more other zones with own virtual resources: network addresses/masks/gateways, disk space, memory/cpu/io quotas, users, etc , and then install (or better, copy inside) applications from the real JNode System inside it
Any zone is isolated completely from any other zona,
and also from the main JNode System: important !!
At disk level this is equivalent to a chroot environment, but from the resource management point of view this is a virtualization tecnique.
In this way I could use a virtual zone to go to Internet, another to serve applications (for ex. a Tomcat Web Site) to the network, etc. And a crash/exploit wuold break only that zone. But I could restore a zone simply restoring a previous backup or by deleting and creating as new, like in VMWare.
I know that it's a hard question to implement, but in a future release ...
Comments ?
Bye,
Sandro
- Login to post comments
Zones vs. Isolates
Could you please point out the difference between Isolates and Zones? I think Ewout is currently working on implementing Isolates which are a to-be-standard Java feature for separating different applications running in the same JVM.
References:
http://www.jnode.org/node/593 - the issue corresponding to the implementation of Isolates in Jnode
http://www.jnode.org/node/713 - a discussion about whether Isolates are really needed
http://www.jcp.org/en/jsr/detail?id=121 - the homepage of the Isolates API JSR
Regards.
Sebastian
Isolates vz Zones
Hi, i think that Isolates is mailny target at running different Applications inside one JVM, like a multi-tasking os.
The concept of Zones is focused to mask (virtualize) the access to all physical resources of the Pc in a managed environment. like VmWare, Qemu, VirtualPc, etc. In this way we could have more instances of JNode inside of JNode itself (default zone).
IBM used these techniques in Mainframes and also today, partitioning the Host in many Virtual Servers (also with the ability to run different OS, one per Virtual Server).
Think at an Internet Service Provider where he sell Virtual Servers:
I could have a JNode Pc and create (virtual partition) a zone for any customer, with custom Disk/Network/Memory/Cpu Quotas and any Zone with a different subset of Applications.
Last example, for a normal Pc user:
work in a zone (the default or another), but Browse in Internet in another (as before with different network/disk/applications settings). This is a lot more secure.
This is a trend where all modern (and future) Operating Systems are directed, but adding this feature later is a big pain.
I know that this is a very difficult thing to implement, but start to integrate this from the current releases would give us a major benefit later. An initial implementation could be the manage of the default zone, but with all the hooks in JNode. Later implement the multi-zone features (that could become a System Service) with all the infrastructure already done.
I hope this will explain better my idea, but otherwise write to me ... or comment here.
Bye,
Sandro
Re: Isolates vs. Zones
Thanks for explaining the difference. After reading your explanation, I think Jnode won't be able to profit from this feature very soon. I my view Zones only make sense to ISPs who provide virtual servers. I think no normal user would be interested in using different virtual computers for browsing and word processing. Users are normally glad to know how to use one physical computer.
Even if Jnode doesn't provide Zones on its own, it might be installed in a Zone provided by another OS (just guessing).
Regards.
Sebastian
Zones for a future release
Hi Sebastian,
all you said is true,
the concept of "Zones" is mainly targeted at High-end Servers (for ISP etc).
My trouble was to propose this feature for a future release of JNode, but having in mind this the main developers of JNode could now project the API having these features open (mainly in the low-level classes of JNode), and not using them until that future release ... disabling them.
Hope this (idea) will be useful.
Bye,
Sandro
#1
I personally don't think there is much chance of this issue being addressed in the short or medium term. Marking as postponed.