[ajray]

I've actually heard this question asked a lot in a bunch of different forms, and (to me) it basically comes down to: How do I use virtualization to provide additional security to processes?

The advantage of virtualization is that it provides a very strong statement of security (if a lesser statement of performance). On the other hand Jails/Containers (see LXC) have a strong statement of performance and a lesser statment of security.

For you, I'd recommend checking out Linux Containers, because it does provide more protection than just a process, but is faster and uses less resources than a whole VM.

[mhd]

Well, if the VM has security issues, you'll have to update all the VMs running, never mind that I think it's possible to get to the core OS from a VM.

This is definitely a case to look at OS level virtualization[1], running a dedicated VM just for jailing a process seems a bit overengineered. SmartOS[2] might be interesting for this[2].

[1](http://en.wikipedia.org/wiki/Operating_system-level_virtuali...)

[2](http://smartos.org/)