Mac OS X Jails
z3r0_...@mac.com
Zones?
I haven't found any information on this.
Thanks,
Juan
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (Darwi...@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-dev/darwin-dev-garchive-73044%40googlegroups.com
This email sent to darwin-dev-g...@googlegroups.com
Tim Murison
On 30/07/09 11:33 AM, "z3r0_...@mac.com" <z3r0_...@mac.com> wrote:
> Is it possible to create Jails in Mac OS X like in FreeBSD or Solaris
> Zones?
>
> I haven't found any information on this.
Are the sandbox_* functions what you mean?
***********************************************************************
This e-mail and its attachments are confidential, legally privileged, may be subject to copyright and sent solely for the attention of the addressee(s).
Any unauthorized use or disclosure is prohibited. Statements and opinions expressed in this e-mail may not represent those of Radialpoint.
Le contenu de ce courriel est confidentiel, privilégié et peut être soumis à des droits d'auteur. Il est envoyé à l'intention exclusive de son ou de ses
destinataires. Il est interdit de l'utiliser ou de le divulguer sans autorisation. Les opinions exprimées dans le présent courriel peuvent diverger de celles de Radialpoint.
Brian Mastenbrook
> Is it possible to create Jails in Mac OS X like in FreeBSD or
> Solaris Zones?
No. The closest you can get is a heavyweight (and costly)
virtualization solution such as Parallels Server.
http://www.parallels.com/products/server/mac/
--
Brian Mastenbrook
br...@mastenbrook.net
http://brian.mastenbrook.net/
Mo McRoberts
> Is it possible to create Jails in Mac OS X like in FreeBSD or Solaris Zones?
>
> I haven't found any information on this.
Darwin doesn't include the jail() syscall, nor zones, but sandboxing
in 10.5+ may let you achieve the same thing (I haven't looked deeply
at it)—sandboxing seems to be mostly designed as a more advanced form
a chroot(), rather than a way to run a pseudo-virtualised environment
(possibly with its own IP or dedicated NIC assigned, along with other
selected physical resources).
M.
Juan Madrigal
and don't want
to trash the default Mac OS X installs of apache etc...
A Jail would simplify things considerably.
I hope Mac OS X ports over FreeBSD Jails or Solaris Zones as soon as
possible! Its sorely needed.
Parallels or VMWare is over kill and resource intensive. Jails are
lightweight.
I really can't believe Jails aren't in Mac OS X. What a shock!
How about Xen? Maybe thats feasible if Jails are missing.
-Juan
z3r0_...@mac.com
to trash the default Mac OS X installs of apache etc...
A Jail would simplify things considerably.
I hope Mac OS X ports over FreeBSD Jails or Solaris Zones as soon as possible! Its sorely needed.
Parallels or VMWare is over kill and resource intensive. Jails are lightweight.
I really can't believe Jails aren't in Mac OS X. What a shock!
How about Xen? Maybe thats feasible if Jails are missing.
-Juan
Alexander von Below
Alex
> http://lists.apple.com/mailman/options/darwin-dev/below%40mac.com
>
> This email sent to be...@mac.com
z3r0_...@mac.com
Jails are lightweight one kernel multiple virtual environments. You only need to duplicate the required directory structure versus the entire OS.
http://en.wikipedia.org/wiki/Operating_system-level_virtualization
I need to setup 8 different environments on my laptop, Jails would do the trick with low overhead. VMWare etc... would be sluggish.
-Juan
Terry Lambert
> Is it possible to create Jails in Mac OS X like in FreeBSD or
> Solaris Zones?
>
> I haven't found any information on this.
The answer is no.
OS level virtualization requires a multiplication of already
constrained resources and internal interposition of all calls across
protection domain boundaries which deal with potentially conflicting
resource namespaces: authentication tokens, security identifiers,
network interfaces, IPC identifiers, file system namespaces, devices,
etc.. This partitioning is a basic tenet of the jails/zones security
models.
Given your description of your problem space, you don't need
partitioning of additional resource namespaces for security reasons,
so you could simply use chroot instead and handle it as a filesystem/
security identifier namespace issue.
However, since your stated goal is simply multiple development
environments, you probably don't even need that; even chroot is
probably overkill, since all you need to control is really only your
command and object paths, and you can pretty much do that with
environment variables.
-- Terry
Brian Mastenbrook
> Given your description of your problem space, you don't need
> partitioning of additional resource namespaces for security reasons,
> so you could simply use chroot instead and handle it as a filesystem/
> security identifier namespace issue.
IANAL, but if you do decide to go down this route keep in mind that
from a license perspective chroot is the same as virtualization, which
is not allowed for non-server versions of OS X [1]. If you violate
this condition of the license, your license to use that copy of OS X
is automatically terminated, and you must destroy your copies of the
software.
Nothing permits you to have more than one copy at a time of any
portion of the Apple Software [2], and not even buying additional
licenses will allow you to run multiple copies of the operating system
at the same time. For Server, you'll need to have one license per
chroot. For your 8-environment configuration, this works out to the
cost of the base license ($499) plus $499 per chroot, totaling $4491.
You'd probably be better off with a stack of Mac Minis at that point.
You may be able to build enough of a chroot environment out of
darwinbuild for your application, which would get around these issues.
Or you could make directories of hardlinks for your chroot, but any
file modifications would be shared across chroots.
You might be able to do something with union mounts as well, but I
think you'd still need at least one independent copy of the operating
system, which would still require Server.
Historically developers have simply installed multiple copies of OS X
in separate partitions on the same machine, but this probably also
violates the agreement for non-Server. The same clause that prohibits
running multiple copies of the operating at the same time also
prohibits having multiple copies of the operating system installed at
the same time.
As I said, I'm not a lawyer; I'm simply going on Apple's own
interpretation of the license agreement as forbidding VMware to
virtualize client versions of OS X.
For reference:
http://images.apple.com/legal/sla/docs/macosx105.pdf
http://images.apple.com/legal/sla/docs/macosxserver105.pdf
[1] "This License allows you to install, use and run one (1) copy of
the Apple Software on a single Apple-labeled computer at a time."
[2] Except for a single copy made for backup purposes. I'm sure many
Time Machine users have already violated this stipulation accidentally
as well.
--
Brian Mastenbrook
br...@mastenbrook.net
http://brian.mastenbrook.net/
z3r0_...@mac.com
With Jails resources can be assigned IP's, CPU's etc... I'm not certain chroot can handle this.
I'm think I'm going to have to be forced do this with FreeBSD on another box as I don't have the luxury
of Jails on Mac OS X. That or OpenSolaris.
Hopefully Jails will be built into OS X natively to handle these situations
It is supposed to be the "most advanced operating system" right? Seems lacking in important areas.
Regards,
Juan
Jean-Daniel Dupas
prevent you to run multiple instance of apache (just pass different
config file as argument).
Le 30 juil. 09 à 22:03, z3r0_...@mac.com a écrit :
> http://lists.apple.com/mailman/options/darwin-dev/devlists%40shadowlab.org
>
> This email sent to devl...@shadowlab.org
Eli Bach
On Jul 30, 2009, at 1:03 PM, z3r0_...@mac.com wrote:
> Well the idea is set up multiple servers on my laptop communicate
> with each other so I can simulate a network of servers. This calls
> for multiple custom apache installs (virtual hosts wont do the
> trick), haproxy, varnish, lighttpd, and some other software packages
> with different internal IP's.
>
> With Jails resources can be assigned IP's, CPU's etc... I'm not
> certain chroot can handle this.
>
> I'm think I'm going to have to be forced do this with FreeBSD on
> another box as I don't have the luxury
> of Jails on Mac OS X. That or OpenSolaris.
>
> Hopefully Jails will be built into OS X natively to handle these
> situations
>
> It is supposed to be the "most advanced operating system" right?
> Seems lacking in important areas.
>
> Regards,
> Juan
Juan,
Pretty much everybody thinks (for their own X) "well, if the OS
doesn't have support for X, then it is lacking".
Different OS's are targeted at different markets.
The idea that Mac OS X doesn't directly support the level of
virtualization you happen to desire, for how you have decided to
approach the task you are trying to accomplish, and therefore is
lacking in important areas, is (IMHO) naive.
Since this is a simulation, you could just use multiple virtual
network interfaces (which you can directly create in the Network
control panel), and you can install multiple copies of the software
packages you want in different directories and attach them to specific
IP addresses, and most support configuring how many processes and/or
threads they will use, so maybe if you more fully explain what you are
trying to simulate, people may be able to suggest how to do it on Mac
OS X.
Eli
z3r0_...@mac.com
If I were to go with the multiple software installation scenario I will end up with a management headache, I would have to do
a lot more configuration versus creating jails for each to get it to work.
I don't want to trash my Mac OS X install, that is why I would prefer jailed environments as I am testing a lot of different
open source packages and sometimes uninstalling is a pain along with tracking down bugs if some packages conflict with each
other or libraries.
FreeBSD, Linux, Solaris, AIX, and other flavors of UNIX like systems have OS level virtualization built in. Standard. This isn't an arcane
feature. Its an important feature the Mac OS X currently does not have. I'll respect your opinion of thinking its naive, but don't brush
it off (look at bitfrost for example). Major resources are being pushed into the virtualization space by major companies. Hopefully Mac OS X wont be playing catch up.
For now I think its best that I setup a FreeBSD server with the appropriate jailed environments and connect to it to get work done.
Regards,
Juan
>http://lists.apple.com/mailman/options/darwin-dev/z3r0_f4ct0r%40mac.com
>
>This email sent to z3r0_...@mac.com
Bill Northcott
> I need to set up multiple development environments on my Macbook Pro
> and don't want
> to trash the default Mac OS X installs of apache etc...
>
> A Jail would simplify things considerably.
> I hope Mac OS X ports over FreeBSD Jails or Solaris Zones as soon as
> possible! Its sorely needed.
>
> Parallels or VMWare is over kill and resource intensive. Jails are
> lightweight.
>
> I really can't believe Jails aren't in Mac OS X. What a shock!
Horror horror horror: Darwin/MacOS is NOT Linux. Get used to it! ;-)
That does not mean you cannot do what you you are trying to do. It
just means you might need to think different.
The big difference between Darwin and all the other UNIXen that I have
used: Linux, Solaris, HP-UX, True64..., is in the shared library
arrangement.
At runtime other systems search some sort of shared library path to
find an appropriate library to link. Darwin is different. The path
to the linked shared libraries is written into an executable at static
link time. At runtime, dyld (the launcher) will always look at that
path first. It only uses the DYLD_LIBRARY_PATH if the library is not
found at the right path. (do an 'otool -L' on any library or
executable) So you can have as many virtual systems as you like, build
and run using them and almost the only thing they need in common is
the kernel (and maybe some GUI stuff if you use it). Look at the way
Xcode uses SDKs and the systemroot and other useful compiler and
linker options. (the linker is very different RTFM)
So you see jails are not there, because you don't need them.
Hope that helps you not to go off on some wild goose chase.
Bill Northcott
Juan Madrigal
I prefer the BSD's. Though Solaris, AIX, and z/OS are quite interesting.
I'm talking about running for example apache PHP, Perl in its own
jailed environment so they think they are in their on box.
Jails duplicate the root or specified directory structure and isolates
whatever is running in it from everything else and I can assign
resources to it
Unless there's another way to replicate this. I'm going to just use
FreeBSD.
-Juan
_______________________________________________
Eli Bach
On Jul 30, 2009, at 3:39 PM, z3r0_...@mac.com wrote:
> For now I think its best that I setup a FreeBSD server with the
> appropriate jailed environments and connect to it to get work done.
Another solution that MAY work, would be to use the free VirtualBox
software. I'm not sure if it lets you run multiple vm's at a time,
but even if not, you could run just one instance of Linux/somebsd with
your Jail support...
Eli
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (Darwi...@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
Amanda Walker
> IANAL, but if you do decide to go down this route keep in mind that
> from a license perspective chroot is the same as virtualization,
> which is not allowed for non-server versions of OS X [1]. If you
> violate this condition of the license, your license to use that copy
> of OS X is automatically terminated, and you must destroy your
> copies of the software.
chroot() does not instantiate multiple copies of the OS. It is in no
sense like virtualization, and has no license implications.
> As I said, I'm not a lawyer; I'm simply going on Apple's own
> interpretation of the license agreement as forbidding VMware to
> virtualize client versions of OS X.
Which has nothing to do with (or in common with) using chroot() to
run, for example, multiple copies of Apache with different config files.
--Amanda
Bill Northcott
> Not a linux fan ;)
I am really fairly indifferent at the OS level. I find fun in the
higher level software.
>
> I prefer the BSD's. Though Solaris, AIX, and z/OS are quite
> interesting.
Sticking to what you know well usually works best in my experience.
>
> I'm talking about running for example apache PHP, Perl in its own
> jailed environment so they think they are in their on box.
> Jails duplicate the root or specified directory structure and
> isolates whatever is running in it from everything else and I can
> assign resources to it
>
> Unless there's another way to replicate this. I'm going to just use
> FreeBSD.
The zealots might disagree with me, but if you want BSD, just use it!
Bill
Clark Cox
Mastenbrook<br...@mastenbrook.net> wrote:
> On Jul 30, 2009, at 1:45 PM, Terry Lambert wrote:
>
>> Given your description of your problem space, you don't need partitioning
>> of additional resource namespaces for security reasons, so you could simply
>> namespace issue.
>
> IANAL, but if you do decide to go down this route keep in mind that from a
> license perspective chroot is the same as virtualization,
Huh? chroot() is nothing like virtualization. In no way does it
involve running (or even installing) multiple copies of the OS. With
that in mind, the rest of your post is moot.
--
Clark S. Cox III
clar...@gmail.com
Mo McRoberts
> At runtime other systems search some sort of shared library path to find an
> appropriate library to link. Darwin is different.
Most ELF systems can (and regularly do) encode the load-path into the
binaries. If you're using GNU libtool, the -R<path> (if memory
serves) link-time flag is translated into the appropriate link-time
magic, although I must confess I prefer Mach-O's mechanism.
While it may well be true that in this case Juan doesn't need jails in
order to accomplish his requirements, that isn't to say that a)
they're not useful, and b) existing facilities provide the same
functionality, because they don't.
jails are one of the relatively few features of FreeBSD that Darwin lacks.
M.
Brian Mastenbrook
> chroot() does not instantiate multiple copies of the OS.
Not in and of itself, no, which is why I then talked about how to
create a chroot without actually having to make a separate copy of the
OS. However, the best method I could determine to do that involved
hardlinks, and it didn't seem to provide the isolation that the OP
wanted.
If you actually copy a portion of the Apple Software into your chroot
and then run it, you are running a separate copy of the a portion
software, and thus I can't see how it's any different from what VMware
does. There is no specific anti-virtualization provision in the
license. The license specifically states that you have no rights to
the software except those granted by Apple, and that Apple only grants
you the right to use and run one copy of the software at a time. This
is the provision that Apple believes prohibits virtualization. Given
the wording and this interpretation, I can't see how running a copied
portion of the software without creating a separate instance of the
kernel is any different, as the license doesn't address such subtleties.
I'm not *trying* to be absurd here, except inasmuch as I've twisted my
thinking into the right shape to conform to what Apple believes their
agreement allows. Once I've done that, I can't really see a difference
between different forms of copying and running a portion of the Apple
Software at the same time. If you think there is a difference, I'd
love to hear your reasoning.
For what it's worth, I wouldn't be kept up at night by doing this. I
lost my license to use OS X when I made two backup copies of my hard
drive, and have been running without a license ever since. So far as
I'm aware, this hasn't yet caused the end of the world.
--
Brian Mastenbrook
br...@mastenbrook.net
http://brian.mastenbrook.net/
_______________________________________________
Brian Mastenbrook
> you are running a separate copy of the a portion software
This should say "you are running a separate copy of a portion of the
software". All the right words were present, so it looked good to my
caffeine-deprived brain.
Andrew Gallatin
>
> jails are one of the relatively few features of FreeBSD that Darwin
lacks.
Few!?!? Just off the top of my head:
- TSO (Tcp Segmentation Offload)
- efficient (no copy) TCP sendfile support
- Multiple MSI-X interrupt vectors (enabling RSS)
- Multiple Transmit Queues per NIC
- 64-bit kernel
- Usable ZFS support
- Dtrace works on loadable kernel modules
- usable support for non-x86 / ppc arches
- Local Crashdumps & "mini-dumps"
- Linux binary compatibility
- User controllable CPU affinity for processes and IRQ vectors
Drew
Mo McRoberts
> Mo McRoberts wrote:
>
>>
>> jails are one of the relatively few features of FreeBSD that Darwin lacks.
>
> Few!?!? Just off the top of my head:
>
> - TSO (Tcp Segmentation Offload)
> - efficient (no copy) TCP sendfile support
> - Multiple MSI-X interrupt vectors (enabling RSS)
> - Multiple Transmit Queues per NIC
> - 64-bit kernel
> - Usable ZFS support
> - Dtrace works on loadable kernel modules
> - usable support for non-x86 / ppc arches
> - Local Crashdumps & "mini-dumps"
> - Linux binary compatibility
> - User controllable CPU affinity for processes and IRQ vectors
That's not exactly a huge list. Out of curiosity… how many of those
were added to FreeBSD after 10.5 was released, and how many are likely
to appear in 10.6 (we know “64-bit kernel” definitely will, for a
start)?
I know Linux binary compat is pretty old (though NetBSD’s the king of
binary compat modules), and the state of ZFS on Darwin is anybody’s
guess… curious about the others, though.
M.
Andrew Gallatin
> On Fri, Jul 31, 2009 at 15:05, Andrew Gallatin<gall...@cs.duke.edu> wrote:
>> Mo McRoberts wrote:
>>
>>> jails are one of the relatively few features of FreeBSD that Darwin lacks.
>> Few!?!? Just off the top of my head:
>>
>> - TSO (Tcp Segmentation Offload)
>> - efficient (no copy) TCP sendfile support
>> - Multiple MSI-X interrupt vectors (enabling RSS)
>> - Multiple Transmit Queues per NIC
>> - 64-bit kernel
>> - Usable ZFS support
>> - Dtrace works on loadable kernel modules
>> - usable support for non-x86 / ppc arches
>> - Local Crashdumps & "mini-dumps"
>> - Linux binary compatibility
>> - User controllable CPU affinity for processes and IRQ vectors
>
> That's not exactly a huge list. Out of curiosity… how many of those
It represents a huge amount of missing functionality that Darwin
is missing, and most of other *nixes have.
> were added to FreeBSD after 10.5 was released, and how many are likely
You seem to be under the (common) misconception that FreeBSD and
Darwin share kernel code. For the most part, they do not.
Implementing MSI-X support in Darwin would be totally different
than in FreeBSD, for example.
> to appear in 10.6 (we know “64-bit kernel” definitely will, for a
> start)?
If I knew (which I do, since I'm an ADC member, and have been running
the 10.6 seeds) I could not tell you due to NDA.
Drew
Mo McRoberts
> You seem to be under the (common) misconception that FreeBSD and
> Darwin share kernel code. For the most part, they do not.
> Implementing MSI-X support in Darwin would be totally different
> than in FreeBSD, for example.
No, I'm not. I'm well aware that, although FreeBSD and XNU share some
BSD heritage (as Mach 2 was comingled with a BSD Unix kernel), they
have diverged significantly internally.
>> to appear in 10.6 (we know “64-bit kernel” definitely will, for a
>> start)?
>
> If I knew (which I do, since I'm an ADC member, and have been running
> the 10.6 seeds) I could not tell you due to NDA.
…which is why I said “likely”. many rumours are circulating, and Apple
has released quite a lot of information publicly now.
M.
Juan Manuel Palacios
On Jul 31, 2009, at 7:54 AM, Brian Mastenbrook wrote:
>
>
> I lost my license to use OS X when I made two backup copies of my
> hard drive, and have been running without a license ever since.
And did you destroy your copies of the software due to such
violation....? Or at least that's what you stated should be done in
case of license violation in your original message....
Sorry, really, I didn't mean to retort, tried really hard to keep
quiet but it was stronger than me, sorry!
Regards,
- jmpp
Clark Cox
> On Fri, Jul 31, 2009 at 15:26, Andrew Gallatin<gall...@cs.duke.edu> wrote:
>
>> You seem to be under the (common) misconception that FreeBSD and
>> Darwin share kernel code. For the most part, they do not.
>> Implementing MSI-X support in Darwin would be totally different
>> than in FreeBSD, for example.
>
> No, I'm not. I'm well aware that, although FreeBSD and XNU share some
> BSD heritage (as Mach 2 was comingled with a BSD Unix kernel), they
> have diverged significantly internally.
>
>>> to appear in 10.6 (we know “64-bit kernel” definitely will, for a
>>> start)?
>>
>> If I knew (which I do, since I'm an ADC member, and have been running
>> the 10.6 seeds) I could not tell you due to NDA.
>
> …which is why I said “likely”. many rumours are circulating, and Apple
> has released quite a lot of information publicly now.
No need for rumors. From
<http://www.apple.com/server/macosx/technology/sixtyfour-bit.html>:
"Snow Leopard Server uses 64-bit kernel technology to support
breakthrough amounts of RAM — up to a theoretical 16TB. With more RAM,
server applications can utilize more physical memory and in turn run
faster and more efficiently. In addition, the 64-bit kernel
dramatically increases the total number of simultaneous system
processes, threads, and network connections that the server can
utilize."
--
Clark S. Cox III
clar...@gmail.com
Dan Shoop
On Jul 30, 2009, at 10:37 PM, Eli Bach wrote:
>
> On Jul 30, 2009, at 3:39 PM, z3r0_...@mac.com wrote:
>
>> For now I think its best that I setup a FreeBSD server with the
>> appropriate jailed environments and connect to it to get work done.
>
> Another solution that MAY work, would be to use the free VirtualBox
> software. I'm not sure if it lets you run multiple vm's at a time,
> but even if not, you could run just one instance of Linux/somebsd
> with your Jail support...
Sun's VirtualBox allows you to run as many VMs at the same time as
your hw can stand. I currently use a MacMini to set up and run
multiple RHEL and Solaris instances which I then test together and
deploy on real hw.
In addition to Sun's xVM VirtualBox there's also Sun's xVM Server for
bare hardware virtualization, Sun xVM Ops Center tools for management
of multiple VMs and Sun technologies for management of clouds of
servers (which may or may not be further virtualized.) These do not
necessarily imply using Solaris, but work with a wide array of OSen.
However these are all much heavier weight solutions than things like
Solaris Zones or even LDOMs. If that's what you want, then use
Solaris. It's robust, mature, enterprise class and targeted quite
differently than Mac OS X and OS X Server.
However none of this seems to be what the OP is describing in his needs.
On Jul 30, 2009, at 10:25 PM, Juan Madrigal wrote:
> I'm talking about running for example apache PHP, Perl in its own
> jailed environment so they think they are in their on box.
> Jails duplicate the root or specified directory structure and
> isolates whatever is running in it from everything else and I can
> assign resources to it
[chroot jails] and BSD Jails are not really analogous to Zones however
and your comparisons and interchangabilities of them as being similar
is confusing.
> Unless there's another way to replicate this. I'm going to just use
> FreeBSD.
Well, as pointed out, TMTOWTDI and you could implement what you're
trying to do, multiple test web servers that can talk to one another
and have their own environments, all on one system, even w/o any
chroots, BSD Jails or Zones. And you can implement chroot jails in OS X.
But as pointed out, use what you know. Mac OS X was never designed to
do everything, nor should it be.
-d
------------------------------------------------------------------------
Dan Shoop
Computer Scientist
sh...@iwiring.net
GoogleVoice: 1-646-402-5293
aim: iWiring
twitter: @colonelmode