> While I would prefer if you worked in the open I do have some suggestions > on what other things/frameworks/ideas people have some what recently been > doing with containers and container like things for 'application deployment'. >
Hi Leen, I will release a demo as soon as possible. Once the demo is released suggestions from potential users will be welcome! > One thing I do wonder is: what is the goal of isolation ? Just to make sure > applictions can't trample over each other or to prevent attackers from gaining > access to the rest of the system ('host') or other applications. Or maybe for > easier deployment ? Ideally a program should only have access to its own data, that is the ultimate goal of isolation. If an isolated program is compromised the damage does not spread to other programs and/or data. In Linux a program runs under a user account and has all the privileges of that user. For example: your webbrowser can access all files under your account. Once compromised it can upload any of your files (example: private ssh keys) or run any program that the account allows. You can restrict what a program can do by using SELinux or another mandatory access control (MAC) tool but these tools are difficult to configure and not as effective as isolation. With MAC a program can for example detect that there is a file called all_my_passwords.txt, but it is not allowed to access this file. With proper isolation a program can not detect that the all_my_passwords.txt file exists. An extra benefit of isolation is easier deployment and backup/restore. For example: I can deploy a full LAMP stack by copy/paste deployment, for a backup I gzip the containers rootfs after a shutdown. > > I suggest you look at how http://docker.io/ is using LXC-containers and the > kinds of features they've created around it (and especially what they did not > do). > An excellent suggestion. I think the people at http://dotcloud.com (the company behind docker) are real experts. They make a living using LXC container technology for years now. I have been following their blog for quite some time and they have written some excellent articles about the technology behind LXC which you can read here: http://blog.dotcloud.com/tag/underthehood Rob. http://freedomboxblog.nl _______________________________________________ Freedombox-discuss mailing list Freedombox-discuss@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss