Today a number of OS provide some form of kernel-level virtualization that offer better isolation mechanisms that the traditional (yet more portable) &chroot(2). Currently, NetBSD lacks functionality in this field; there have been multiple attempts (gaols, mult) to implement a jails-like system, but none so far has been integrated in base.

The purpose of this project is to study the various implementations found elsewhere (FreeBSD Jails, Solaris Zones, Linux Containers/VServers, ...), and eventually see their plus/minus points. An additional step would be to see how this can be implemented the various architectural improvements NetBSD gained, especially rump(3) and kauth(9).

Caution: this is a research project.

I found your thread about kernel-level virtualization because I was trying to find some article or any information related to kernel-level virtualization o NetBSD. I found the NetBSD as a Dom0 privileged OS. It seems pretty much interesting. It's not a kernel-level virt but it is a real good choice in terms of virtualization. I have experience with Solaris Zones, FreeBSD jails and HP-UX vpar... In fact I have worked a lot with these technologies. The must interesting aspect on solaris zones and the others I listed is that you don't have to chop down my system to have more control over system resources (if your using high-end hardware partitioning you have to electric split your systems, like IBM pSeries, Sun Enterprise Servers, HP-UX Integrity e Superdome) and it's pretty flexible. I'm telling this because I had a pain in the as project of performance and tuning, I had a Java system that do not scale very well on thread oriented cpu (I only know one, but I suposed that there's a couple of them on the market now) the T2 processor. The alternative was to split my solaris system into several zones and each one with it's specific cpu pool. The result was a almost linear performance increase. The system performed 80 operations per second and it scale up to 120 operations. It was using only 2 zones with minimal tuning configurations on the system and database and ZERO changing on the code of the application. So based on that I would feel very comfortable using a netbsd xen/dom0 solutions rather them a kernel-level virt. It's a pretty different solutons since it's use an hipervisor to administrate the hardware comunication and abstraction but it gives more power to sys admins.

I'm just sharing my thoughts with you since I have a point of view from someone that work with expensive and enterprise/license cemented paid operating systems.

ps.: Even our linux solutinons are expensive, since WE HAVE to work with licensed software to have support background. We use online Enterprise branded linuxs (Red Hat and SuSE)

Comment by Leonardo Thursday afternoon, June 21st, 2012

"sailor's goal is not to provide bullet-proof security, chroot is definitely not a trustable isolator; instead, sailor is a really convenient way of trying / testing an evironment without compromising your workstation filesystem." As of 6/30/17 It's under heavy development.

Comment by Sean Plank late Friday evening, June 30th, 2017