[gentoo-user] Re: Layman and Git branch

2016-06-17 Thread James
  nucleus.it> writes:


> I have a profile for my config, additional ebuilds, packages etc., but
> I'm looking for the best way to have a production-profile and a
> devel-profile.

You're not alone.

> Better to have two separate git repos, one for production and one for devel?
> Or better one git repo and use branch functions?

Good question.

> With Layman and two git repos I can sync each repo when I want and I can
> enable/disable one of them to switch from/to production/devel.

> I don't know how to do that directly with git.

OK, so I have mentioned the need for a structured (preferred or suggested)
pathway for users to use git, in all of the common needs, the gentoo-way.
Aka, a document or collection of docs in the gentoo-wiki, related to common
user usages all the way through becoming a 'strong-user' and into the
proxy-maint system. I think it is time to file a bug (documentation
requests) @ bugs.gentoo.org formally requesting some documentation on
git(hub) that is gentoo specific.

That way everyone with questions, ideas and anecdotes can 'pile on' and
so the process gets started to document preferred/supported ways to use git
with gentoo. There are lots of hints floating around so a FAQ or basic
document is in order, imho. But, being so vocal on this topic, I'd really
be encouraged if someone else opened up a formal (bug) request for some
basic git documentation, that is gentoo centric. Posting the bug number
back to this list could then encourage constructive ideas and anecdotes.


hth,
James




> 
> Best regards
> Marco
> 
> On Thu, 16 Jun 2016 11:46:12 -0700
> Bryan Gardiner  khumba.net> wrote:
> 
> > On Thu, 16 Jun 2016 17:52:26 +0200
> > marco  nucleus.it wrote:
> > 
> > > Hi,
> > > i have a layman git profile to store my stuff.
> > > 
> > > Is possible to force layman -S to sync a specific branch ?  
> > 
> > This is speculation (and a bit of looking at Portage code), since I
> > haven't tried this.  Ignoring Layman, repos.conf repositories support
> > syncing[1], so does it work to create:
> > 
> > /etc/portage/repos.conf/myrepo.conf:
> > 
> > [myrepo]
> > location = /path/to/local/repo
> > sync-type = git
> > sync-uri = git://...
> > auto-sync = yes
> > 
> > and just emerge --sync?  If you didn't have the local repo already
> > then it would clone and use master, but I suspect that you can switch
> > branches afterward, and Portage will simply call "git pull".
> > 
> > There also seem to be extra options "sync-git-clone-extra-opts" and
> > "sync-git-pull-extra-opts" for git modules, so you might be able to
> > set:
> > 
> > sync-git-clone-extra-opts = --branch somebranch
> > 
> > to fix initially checking out master.
> > 
> > HTH,
> > Bryan
> > 
> > [1] https://wiki.gentoo.org/wiki/Project:Portage/Sync
> > 
> 
> 







Re: [gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?

2016-06-17 Thread Hogren

On 2016-06-17 15:05, Zhu Sha Zang wrote:


Please, open a bug report: bugs.gentoo.org



I reported:
https://bugs.gentoo.org/show_bug.cgi?id=586188

Thank you Zhu Sha Zang for your response.



Regards.

Regards,

Hogren





On Fri, 17 Jun 2016 13:45:42 +0200
Hogren  wrote:

Hey Hey, I found it!

I emerged cpio and re-emerged gzip.

I am not a very experienced Gentoo user. Do I have to alert the gzip
maintainer(s)?
There may be a USE flag (cpio) to add (by default or not) to gzip.

Thanks for your help.

Hogren

On 2016-06-17 10:08, Hogren wrote:

Hello,

I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.

My build log:

 * Package:    media-fonts/urw-fonts-2.4.9
 * Repository: gentoo
 * Maintainer: fo...@gentoo.org
 * USE:        X abi_x86_64 amd64 elibc_glibc kernel_linux userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking urw-fonts-2.4-9.fc13.src.rpm to /var/tmp/portage/media-fonts/urw-fonts-2.4.9/work
rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
 * ERROR: media-fonts/urw-fonts-2.4.9::gentoo failed (unpack phase):
 *   failure unpacking /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm
 * 
 * Call stack:
 *     ebuild.sh, line  133:  Called src_unpack
 *   environment, line 2295:  Called rpm_src_unpack
 *   environment, line 2250:  Called srcrpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2300:  Called rpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2278:  Called die
 * The specific snippet of code:
 *   rpm2tar -O "${a}" | tar xf - || die "failure unpacking ${a}";
 * 
 * If you need support, post the output of `emerge --info '=media-fonts/urw-fonts-2.4.9::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-fonts/urw-fonts-2.4.9::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/environment'.
 * Working directory: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'
 * S: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'

It sounds like there is a problem with the rpm file.

Does anybody have the same problem, or do I have to search about rpm2tar?

Thank you very much !!!

Hogren



Re: [gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?

2016-06-17 Thread Zhu Sha Zang
Please, open a bug report: bugs.gentoo.org

Regards.

On Fri, 17 Jun 2016 13:45:42 +0200
Hogren  wrote:

> Hey Hey, I found it!
> 
> I emerged cpio and re-emerged gzip.
> 
> I am not a very experienced Gentoo user. Do I have to alert the gzip 
> maintainer(s)?
> There may be a USE flag (cpio) to add (by default or not) to gzip.
> 
> Thanks for your help.
> 
> Hogren
> 
> On 2016-06-17 10:08, Hogren wrote:
> 
> > Hello,
> > 
> > I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.
> > 
> > My build log:
> > 
> >  * Package:    media-fonts/urw-fonts-2.4.9
> >  * Repository: gentoo
> >  * Maintainer: fo...@gentoo.org
> >  * USE:        X abi_x86_64 amd64 elibc_glibc kernel_linux userland_GNU
> >  * FEATURES:   preserve-libs sandbox userpriv usersandbox
> > >>> Unpacking source...
> > >>> Unpacking urw-fonts-2.4-9.fc13.src.rpm to /var/tmp/portage/media-fonts/urw-fonts-2.4.9/work
> > rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
> > tar: This does not look like a tar archive
> > tar: Exiting with failure status due to previous errors
> >  * ERROR: media-fonts/urw-fonts-2.4.9::gentoo failed (unpack phase):
> >  *   failure unpacking /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm
> >  * 
> >  * Call stack:
> >  *     ebuild.sh, line  133:  Called src_unpack
> >  *   environment, line 2295:  Called rpm_src_unpack
> >  *   environment, line 2250:  Called srcrpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
> >  *   environment, line 2300:  Called rpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
> >  *   environment, line 2278:  Called die
> >  * The specific snippet of code:
> >  *   rpm2tar -O "${a}" | tar xf - || die "failure unpacking ${a}";
> >  * 
> >  * If you need support, post the output of `emerge --info '=media-fonts/urw-fonts-2.4.9::gentoo'`,
> >  * the complete build log and the output of `emerge -pqv '=media-fonts/urw-fonts-2.4.9::gentoo'`.
> >  * The complete build log is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/build.log'.
> >  * The ebuild environment file is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/environment'.
> >  * Working directory: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'
> >  * S: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'
> > 
> > It sounds like there is a problem with the rpm file.
> > 
> > Does anybody have the same problem, or do I have to search about rpm2tar?
> > 
> > Thank you very much !!!
> > 
> > Hogren  
> 



Re: [gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?

2016-06-17 Thread Hogren

Hey Hey, I found it!

I emerged cpio and re-emerged gzip.

I am not a very experienced Gentoo user. Do I have to alert the gzip
maintainer(s)?

There may be a USE flag (cpio) to add (by default or not) to gzip.

Thanks for your help.

Hogren

On 2016-06-17 10:08, Hogren wrote:


Hello,

I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.

My build log:

 * Package:    media-fonts/urw-fonts-2.4.9
 * Repository: gentoo
 * Maintainer: fo...@gentoo.org
 * USE:        X abi_x86_64 amd64 elibc_glibc kernel_linux userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking urw-fonts-2.4-9.fc13.src.rpm to /var/tmp/portage/media-fonts/urw-fonts-2.4.9/work
rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
 * ERROR: media-fonts/urw-fonts-2.4.9::gentoo failed (unpack phase):
 *   failure unpacking /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm
 * 
 * Call stack:
 *     ebuild.sh, line  133:  Called src_unpack
 *   environment, line 2295:  Called rpm_src_unpack
 *   environment, line 2250:  Called srcrpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2300:  Called rpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2278:  Called die
 * The specific snippet of code:
 *   rpm2tar -O "${a}" | tar xf - || die "failure unpacking ${a}";
 * 
 * If you need support, post the output of `emerge --info '=media-fonts/urw-fonts-2.4.9::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-fonts/urw-fonts-2.4.9::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/environment'.
 * Working directory: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'
 * S: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'

It sounds like there is a problem with the rpm file.

Does anybody have the same problem, or do I have to search about rpm2tar?

Thank you very much !!!

Hogren




Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?

2016-06-17 Thread Rich Freeman
On Fri, Jun 17, 2016 at 3:16 AM, Andrew Savchenko  wrote:
> On Thu, 16 Jun 2016 22:35:24 -0400 waltd...@waltdnes.org wrote:
>>   I don't follow this stuff, so this may be a stupid question... how
>> does a "container" or "docker" differ from a chroot or a QEMU VM with a
>> minimal set of applications?
>
> Due to the reasons above I prefer container solutions like LXC over VMs
> for security: they give approximately the same level of protection
> as a VM, but the resource cost is much lower. Of course it is still
> possible to break out of any container through L3 cache or some kernel
> bugs, so for really tight security independent hardware and OS must
> be used.

Containers on Linux aren't nearly as secure as a VM right now.
Certainly the intent is for them to get there, and if you find a way
to break out of a container the kernel team would certainly accept it
as a bug and fix it.  However, I don't think most of the big names in
linux would rate it on the same level as a VM.  As you've pointed out,
VMs aren't perfect, though I'm not aware of any way to actually defeat
any of the popular ones (and if there were, they'd almost certainly
patch it).  I'll certainly acknowledge that there is a larger attack
surface than separate hosts (and it isn't like those are invulnerable
either - who knows what bug exists in an ethernet card somewhere).

Containers are a lot more secure than chroots though.  Non-root in a
container is generally considered to be fairly secure - it is an
additional layer on top of normal user privilege isolation.
Containers are generally a lot more convenient than chroots as well,
simply because there are fewer compatibility issues and constraints
inside.  If you want to run sysvinit/openrc or systemd inside your
container you can, and that isn't really possible inside a chroot.  Of
course, you don't have to, but at least you have the option.

The biggest selling point for a container is the resource
requirements.  The overhead to run a container with systemd inside is
only a few MB.  If you're running a container without a service
manager the overhead is even less.  You could never run a VM with only
a few MB of RAM.  The main constraint on RAM use for a container is
the fact that you're not sharing libraries with the host.  Otherwise
they're just processes with different namespace values in the kernel
(EVERY process runs in a set of namespaces, even if you're not using
containers - by default they just all have the same set of values).
Any solution that bundles the libraries with the package is going to
use a similar amount of RAM.  Also, launching a process in a new
namespace takes the same amount of time as launching a process in the
same namespace, minus the trivial time required to page in libraries
and such.  A VM takes seconds to boot, vs the milliseconds for a
container.  In terms of overhead containers and chroots are almost
identical.

The biggest selling point for not just running everything on the host
is isolation.  I have a container that just runs mariadb.  When I do
an emerge -u world it is like updating any other Gentoo host, but when
I'm done I fire off a bunch of tests to make sure mariadb is working,
and if it works I know I'm done.  When I was running everything on a
single host I'd inevitably do an emerge -u world and occasionally have
something random break.  Short of testing everything every time I do
an update it is hard to avoid that sort of thing.  Of course, I end up
having to run a lot more updates, but I don't have to do them all at
once and I can update the container for each service on an appropriate
schedule.

-- 
Rich
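To make Rich's point about namespaces concrete, here is an added POSIX sh example (not from the thread) that lists the namespace ids the kernel exposes under /proc/PID/ns and compares two processes. On a plain host every process shows the same set of ids; a container's init shows different ids for pid, mnt, net and so on, which is the difference between "in a container" and "in a chroot". The two listings near the bottom are constructed sample data with made-up inode numbers so the comparison logic runs anywhere; the live comparison against PID 1 only works on Linux and only where the kernel lets you read the other process's ns links.

```shell
#!/bin/sh
# Added example (not from the thread): show the namespaces a process lives in
# and compare two processes. Every Linux process has /proc/PID/ns/<name> links;
# two processes are namespace-isolated from each other exactly where those
# ids differ. Sample listings below are constructed data, not real inodes.
export LC_ALL=C   # keep sort and join collation identical

# Print "name id" for each namespace of PID, e.g. "pid [4026531836]".
# Prints nothing if /proc/PID/ns is absent or unreadable (non-Linux, or no
# permission to inspect another user's process).
ns_ids() {
    pid="$1"
    for f in /proc/"$pid"/ns/*; do
        [ -e "$f" ] || continue
        id="$(readlink "$f" 2>/dev/null)" || continue
        printf '%s %s\n' "${f##*/}" "${id#*:}"
    done | sort -k1,1
}

# Compare two "name id" listings (one entry per line) and print
# "name same" or "name DIFFERENT" for every namespace present in both.
compare_ns_lists() {
    a="$(mktemp)"; b="$(mktemp)"
    printf '%s\n' "$1" | sed '/^$/d' | sort -k1,1 > "$a"
    printf '%s\n' "$2" | sed '/^$/d' | sort -k1,1 > "$b"
    join "$a" "$b" | awk '{ print $1, ($2 == $3 ? "same" : "DIFFERENT") }'
    rm -f "$a" "$b"
}

# Live comparison of two PIDs on this host.
compare_ns() { compare_ns_lists "$(ns_ids "$1")" "$(ns_ids "$2")"; }

# Read a compare_ns listing on stdin and print how many namespaces differ
# (0 means the two processes share every namespace, i.e. no isolation).
count_different() { awk '$2 == "DIFFERENT" { n++ } END { print n + 0 }'; }

# Constructed sample: a host shell versus a container's init. pid, mnt, net,
# ipc and uts differ; user and cgroup are left shared so both outcomes
# appear. The inode numbers are made up.
HOST_NS='cgroup 4026531835
ipc 4026531839
mnt 4026531840
net 4026531992
pid 4026531836
user 4026531837
uts 4026531838'
CONTAINER_NS='cgroup 4026531835
ipc 4026532101
mnt 4026532099
net 4026532104
pid 4026532102
user 4026531837
uts 4026532100'

echo "== constructed host vs container =="
compare_ns_lists "$HOST_NS" "$CONTAINER_NS"
echo "== this shell vs PID 1 on this host (Linux only; empty if not permitted) =="
compare_ns "$$" 1
```

Running `compare_ns 1 <pid of a container's init>` as root on the host is the quick way to confirm that a container you were handed is actually namespaced; if every line reads "same", the process is no more isolated than a chroot, whatever the tooling around it claims.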



Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?

2016-06-17 Thread Volker Armin Hemmann
oh yeah, forgot the catchy name. Mea culpa.

2016-06-17 10:52 GMT+02:00 Neil Bothwick :

> On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:
>
> > soo... why not compile everything statically in the first place? and
> > put it in HOME?
>
> Because that's not new and shiny with a catchy name!
>
>
> --
> Neil Bothwick
>
> Windows Error #02: Multitasking attempted. System confused.
>


Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?

2016-06-17 Thread Neil Bothwick
On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:

> soo... why not compile everything statically in the first place? and
> put it in HOME?

Because that's not new and shiny with a catchy name!


-- 
Neil Bothwick

Windows Error #02: Multitasking attempted. System confused.




Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?

2016-06-17 Thread Volker Armin Hemmann
soo... why not compile everything statically in the first place? and put it
in HOME?

2016-06-17 9:18 GMT+02:00 Andrew Savchenko :

> On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
> >
> >
> > El 16/06/16 a las 11:27, James escribió:
> > > One word SECURITY?  Trust but verify does come to mind.
> > >
> >
> > The snaps come to "replace" a lack of security that is in Linux, in
> > addition to facilitating the installation of all applications from the
> > user-space without root privileges.
>
> Replace lack of security, really? It will create it in the long
> run due to outdated unmaintained third-party bundled software.
>
> Best regards,
> Andrew Savchenko
>


Re: [gentoo-user] Layman and Git branch

2016-06-17 Thread marco
I have a profile for my config, additional ebuilds, packages etc., but
I'm looking for the best way to have a production-profile and a
devel-profile.

Better to have two separate git repos, one for production and one for devel?
Or better one git repo and use branch functions?

With Layman and two git repos I can sync each repo when I want and I can
enable/disable one of them to switch from/to production/devel.


I don't know how to do that directly with git.

Best regards
Marco




On Thu, 16 Jun 2016 11:46:12 -0700
Bryan Gardiner  wrote:

> On Thu, 16 Jun 2016 17:52:26 +0200
> ma...@nucleus.it wrote:
> 
> > Hi,
> > i have a layman git profile to store my stuff.
> > 
> > Is possible to force layman -S to sync a specific branch ?  
> 
> This is speculation (and a bit of looking at Portage code), since I
> haven't tried this.  Ignoring Layman, repos.conf repositories support
> syncing[1], so does it work to create:
> 
> /etc/portage/repos.conf/myrepo.conf:
> 
> [myrepo]
> location = /path/to/local/repo
> sync-type = git
> sync-uri = git://...
> auto-sync = yes
> 
> and just emerge --sync?  If you didn't have the local repo already
> then it would clone and use master, but I suspect that you can switch
> branches afterward, and Portage will simply call "git pull".
> 
> There also seem to be extra options "sync-git-clone-extra-opts" and
> "sync-git-pull-extra-opts" for git modules, so you might be able to
> set:
> 
> sync-git-clone-extra-opts = --branch somebranch
> 
> to fix initially checking out master.
> 
> HTH,
> Bryan
> 
> [1] https://wiki.gentoo.org/wiki/Project:Portage/Sync
> 
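A worked version of Bryan's repos.conf idea, as an added example that is not code from the thread or from Portage: two repos.conf entries clone the same overlay twice, one per branch, and a small POSIX sh check confirms that each on-disk checkout really is on the branch its entry names before you run emerge --sync. It assumes Portage passes sync-git-clone-extra-opts only on the initial clone (a later git pull keeps whatever branch is checked out, as Bryan notes); all paths, the sync-uri and the branch names production/devel are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): given repos.conf entries that pin a git
# branch via sync-git-clone-extra-opts, confirm each on-disk checkout is really
# on that branch before running emerge --sync. Reads .git/HEAD directly, so no
# git binary is needed. Paths, URIs and branch names are constructed.

# Print the branch named in "sync-git-clone-extra-opts = ... --branch NAME"
# for the [section] given in a repos.conf file; prints nothing if unset.
repo_branch_from_conf() {
    conf="$1"; section="$2"
    awk -v want="[$section]" '
        /^\[/ { insec = ($0 == want); next }
        insec && /^[[:space:]]*sync-git-clone-extra-opts[[:space:]]*=/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--branch" && i < NF) { print $(i+1); exit }
                if ($i ~ /^--branch=/) { sub(/^--branch=/, "", $i); print $i; exit }
            }
        }' "$conf"
}

# Print the branch a working tree has checked out (from .git/HEAD);
# prints DETACHED for a detached HEAD, returns 1 if there is no .git/HEAD.
checked_out_branch() {
    head="$1/.git/HEAD"
    [ -f "$head" ] || return 1
    case "$(cat "$head")" in
        "ref: refs/heads/"*) sed 's|^ref: refs/heads/||' "$head" ;;
        *) echo DETACHED ;;
    esac
}

# Return 0 when the checkout matches the branch repos.conf expects, 1 otherwise.
verify_repo_branch() {
    conf="$1"; section="$2"; repo_dir="$3"
    expected="$(repo_branch_from_conf "$conf" "$section")"
    actual="$(checked_out_branch "$repo_dir")" || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# --- constructed demo: two overlays, one per branch of the same repository ---
DEMO="$(mktemp -d)"; trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/repos.conf" "$DEMO/myrepo-prod/.git" "$DEMO/myrepo-devel/.git"
cat > "$DEMO/repos.conf/myrepo-prod.conf" <<EOF
[myrepo-prod]
location = $DEMO/myrepo-prod
sync-type = git
sync-uri = https://example.invalid/myrepo.git
auto-sync = yes
sync-git-clone-extra-opts = --branch production
EOF
cat > "$DEMO/repos.conf/myrepo-devel.conf" <<EOF
[myrepo-devel]
location = $DEMO/myrepo-devel
sync-type = git
sync-uri = https://example.invalid/myrepo.git
auto-sync = no
sync-git-clone-extra-opts = --branch devel
EOF
echo "ref: refs/heads/production" > "$DEMO/myrepo-prod/.git/HEAD"
echo "ref: refs/heads/master"     > "$DEMO/myrepo-devel/.git/HEAD"   # wrong on purpose

for r in prod devel; do
    if verify_repo_branch "$DEMO/repos.conf/myrepo-$r.conf" "myrepo-$r" "$DEMO/myrepo-$r"; then
        echo "myrepo-$r: checkout matches repos.conf"
    else
        echo "myrepo-$r: branch mismatch, fix before emerge --sync"
    fi
done
```

Switching between production and devel is then a matter of toggling auto-sync (or moving one .conf out of /etc/portage/repos.conf), which mirrors the two-repo Layman workflow Marco describes. Because the extra clone options only apply to the first clone, the check matters most after someone has run git checkout in the overlay by hand: Portage's plain git pull would happily keep syncing the wrong branch.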




[gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?

2016-06-17 Thread Hogren
 

Hello,

I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.

My build log:

 * Package:    media-fonts/urw-fonts-2.4.9
 * Repository: gentoo
 * Maintainer: fo...@gentoo.org
 * USE:        X abi_x86_64 amd64 elibc_glibc kernel_linux userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking urw-fonts-2.4-9.fc13.src.rpm to /var/tmp/portage/media-fonts/urw-fonts-2.4.9/work
rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
 * ERROR: media-fonts/urw-fonts-2.4.9::gentoo failed (unpack phase):
 *   failure unpacking /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm
 * 
 * Call stack:
 *     ebuild.sh, line  133:  Called src_unpack
 *   environment, line 2295:  Called rpm_src_unpack
 *   environment, line 2250:  Called srcrpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2300:  Called rpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2278:  Called die
 * The specific snippet of code:
 *   rpm2tar -O "${a}" | tar xf - || die "failure unpacking ${a}";
 * 
 * If you need support, post the output of `emerge --info '=media-fonts/urw-fonts-2.4.9::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-fonts/urw-fonts-2.4.9::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/environment'.
 * Working directory: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'
 * S: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'

It sounds like there is a problem with the rpm file.

Does anybody have the same problem, or do I have to search about rpm2tar?

Thank you very much !!!

Hogren 
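The rpm2tar message above lumps two different failures together: the distfile is not an RPM at all, or the pipeline rpm2tar runs (gzip feeding cpio) is missing a tool, which is what Hogren's follow-up in this thread points to when installing cpio fixed it. The following is an added POSIX sh example, not from the thread or from Portage's rpm eclass, that tells the two cases apart by checking the 4-byte RPM lead magic (ed ab ee db) and looking up cpio, gzip and tar in PATH. The two sample files are constructed: one holds only the magic bytes, the other plain text.

```shell
#!/bin/sh
# Added example (not from the thread): separate "the distfile is not an RPM"
# from "a tool the unpack step needs is missing", the two causes the rpm2tar
# message lumps together. Sample files are constructed; no real distfile is read.

# Return 0 if FILE starts with the RPM lead magic (ed ab ee db), 1 otherwise.
rpm_magic_ok() {
    magic="$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')"
    [ "$magic" = "edabeedb" ]
}

# Print the names of the tools rpm2tar's pipeline relies on that are not in PATH.
missing_unpack_tools() {
    for t in cpio gzip tar; do
        command -v "$t" >/dev/null 2>&1 || echo "$t"
    done
}

# Print a one-word diagnosis for FILE: not-an-rpm, missing-tools, or looks-ok.
# Returns 1 for the first two so it can be used as a guard before unpacking.
diagnose_srpm() {
    rpm_magic_ok "$1" || { echo not-an-rpm; return 1; }
    [ -z "$(missing_unpack_tools)" ] || { echo missing-tools; return 1; }
    echo looks-ok
}

# --- constructed demo files ---
DEMO="$(mktemp -d)"; trap 'rm -rf "$DEMO"' EXIT
printf '\355\253\356\333' > "$DEMO/real.src.rpm"      # just the 4 magic bytes
printf 'this is not an rpm\n' > "$DEMO/bogus.src.rpm"  # plain text, wrong magic

for f in real bogus; do
    printf '%s.src.rpm: ' "$f"
    diagnose_srpm "$DEMO/$f.src.rpm" || true
done
missing="$(missing_unpack_tools)"
[ -z "$missing" ] && echo "unpack tools present" || echo "missing tools: $missing"
```

Run `diagnose_srpm /var/tmp/portage/.../distdir/urw-fonts-2.4-9.fc13.src.rpm` (the path from the build log) on the failing box: not-an-rpm means the distfile itself is damaged or mis-fetched and should be re-downloaded and its checksum compared, while missing-tools points at the host, as it did here.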

Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?

2016-06-17 Thread Andrew Savchenko
On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
> 
> 
> El 16/06/16 a las 11:27, James escribió:
> > One word SECURITY?  Trust but verify does come to mind.
> > 
> 
> The snaps come to "replace" a lack of security that is in Linux, in
> addition to facilitating the installation of all applications from the
> user-space without root privileges.

Replace lack of security, really? It will create it in the long
run due to outdated unmaintained third-party bundled software.

Best regards,
Andrew Savchenko




Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?

2016-06-17 Thread Andrew Savchenko
On Thu, 16 Jun 2016 22:35:24 -0400 waltd...@waltdnes.org wrote:
> On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote
> > On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon  
> > wrote:
> > >
> > > I don't see the part where all these latest fancy container thingymagicies
> > > are not really just "embed everything in everything"
> > >
> > > We've known for years the dangers of embedding stuff in packages (it 
> > > hardly
> > > ever gets updated properly)
> > >
> > 
> > Well, that strikes me as being true of these self-contained packages,
> > but it isn't necessarily true of containers in general.
> > 
> > I run most of my services in containers, and they're just Gentoo
> > installations with a really small world file.  Things are just as
> > up-to-date as they would be if I ran it all in a single host.
> > 
> > Now, if you're the sort of person who just grabs some random docker
> > image from who knows where, then sure you're getting a big bundle of
> > stuff that may or may not be maintained for security.  This is no
> > different.
> 
>   I don't follow this stuff, so this may be a stupid question... how
> does a "container" or "docker" differ from a chroot or a QEMU VM with a
> minimal set of applications?

There is one common misconception, that chroot is a security measure.
This is wrong! Chroot is not a security function at all. It is
extremely easy to exit a chroot [1] if you have root access inside the
chroot (AFAIK with PaX/grsecurity it is possible to deny this, but
that is another story). So if you are using chroot for security,
forget about security, you have no security at all. This syscall was
designed for other needs.
TL;DR: inside the chroot, do as root:
  mkdir foo; chroot foo; cd ..

A QEMU VM (as well as other VMs) can provide you some degree of
security at the cost of performance and system resources. Inside a VM
you have an independent (fully or paravirtualized) kernel and
environment. But it is still possible to exit it using hypervisor
bugs or hardware-based attacks like the L3 cache attack [2]. Yes, if one
has a modern Intel or AMD CPU with SSE2 and L3 cache enabled, forget
about tight security too.

Due to the reasons above I prefer container solutions like LXC over VMs
for security: they give approximately the same level of protection
as a VM, but the resource cost is much lower. Of course it is still
possible to break out of any container through L3 cache or some kernel
bugs, so for really tight security independent hardware and OS must
be used.

[1] https://lwn.net/Articles/252794/
[2] https://www.usenix.org/node/184416

Best regards,
Andrew Savchenko

