Hi everyone,

PlanetLab is a global research network consisting of over 1000 nodes at 545 sites around the world. We are pleased to announce that we are in the process of migrating our resource allocation and isolation mechanisms to LXC. While prototyping our new environment, we encountered some difficulties, which we addressed by implementing a library of tools. We are posting a link to the library here for anyone else with comparable needs [1].

There are two main components of this library:

1) procprotect - a kernel module for protecting entries in /proc via simple ACLs. Simply echo /proc/sysrq-trigger > /proc/procprotect to prevent processes in containers from accessing that entry.

2) transforward - a kernel module that implements lightweight IP address sharing by letting a container bind to select whitelisted IP addresses of devices in other containers via setns-like functionality. The main use case for this module is for users to be able to easily bind to public IP addresses, which is needed by a large number of PlanetLab services [2][3].

We realize that efforts are on to develop more formal methods such as ones based on Mandatory Access Control for addressing these problems, but in the meantime, we are going to use these in our deployment.

Sapan

[1] www.cs.princeton.edu/~sapanb/lxckit
[2] http://codeen.cs.princeton.edu/
[3] http://www.coralcdn.org/