
Linux-VServer-replacement without patches?

by Bastian Blank — last modified Apr 29, 2008 03:04 PM

As Linux-VServer is currently asleep, I thought about what may be possible with only the functionality the upstream Linux kernel provides and a helper module.

Process isolation

Isolation is the important feature VServer provides. Linux also supports process isolation in the form of user, PID and IPC namespaces. User namespaces allow the same UID to be different in each namespace. PID namespaces restrict the view of the available processes and allow a process to address only PIDs within its own namespace.

Migration

VServer allows processes to enter a guest after it has been created; this is not possible without help.

fakeinit

Each PID namespace needs a child reaper (with PID 1).
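
The child-reaper role described above, as an added example (not code from the original post): a process that becomes PID 1 of a new PID namespace and reaps an orphan that the kernel reparents to it. The names reaper, exit_code and fakeinit_demo are hypothetical. It assumes a kernel with unprivileged user namespaces, and where the namespace cannot be created it falls back to PR_SET_CHILD_SUBREAPER, which goes beyond the post but shows the same reparenting.

```c
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWPID */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* The fakeinit loop: start a worker that orphans a child, then reap
 * everything that gets reparented to us. Returns the number reaped. */
static int reaper(void) {
    pid_t worker = fork();
    if (worker < 0) return 90;
    if (worker == 0) {
        if (fork() == 0) { usleep(100000); _exit(42); } /* future orphan */
        _exit(0);              /* worker exits first, orphaning its child */
    }
    int reaped = 0, saw_orphan = 0, st;
    while (wait(&st) > 0) {    /* returns -1 (ECHILD) once nothing is left */
        reaped++;
        if (WIFEXITED(st) && WEXITSTATUS(st) == 42) saw_orphan = 1;
    }
    return saw_orphan ? reaped : 91;
}

/* Wait for one child and return its exit code, or -1 on any failure. */
static int exit_code(pid_t pid) {
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* Returns 2 when the reaper collected both the worker and the orphan. */
int fakeinit_demo(void) {
    pid_t outer = fork();
    if (outer == 0) {
        /* Assumption: unprivileged user namespaces are enabled. */
        if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWPID) == 0) {
            pid_t init = fork();  /* first child is PID 1 of the new namespace */
            if (init == 0) _exit(getpid() == 1 ? reaper() : 92);
            _exit(exit_code(init) & 0xff);
        }
        /* Fallback (not from the post): act as subreaper without a namespace. */
        prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0);
        _exit(reaper());
    }
    return exit_code(outer);
}

int main(void) {
    printf("children reaped by fakeinit: %d\n", fakeinit_demo());
    return 0;
}
```

If the process acting as PID 1 skipped the wait() loop, the orphan would remain a zombie for as long as that process lives.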

Network isolation

VServer currently uses a layer 3 isolation model, which gives a guest access to a specific list of IP addresses. It can be replaced by network namespaces and the accepted veth driver, which provides an Ethernet device.

Filesystem isolation

VServer uses FS namespaces in a way that allows processes in the FS namespace to access the host filesystem. This needs the chroot barrier to make breakouts impossible.

I'm not sure if

mount --rbind $newroot /
chdir /

will also properly prevent this.
