Hi,
First of all, thanks for all the great feedback and the quickly ongoing
development of lxc.
On May 13, 2010, at 11:22 PM, Daniel Lezcano wrote:
> On 05/13/2010 06:17 PM, Christian Haintz wrote:
>> 6) is LXC production ready?
> yes and no :)
> If you plan to run several webservers (not a full system) or non-root
> applications, then yes, IMHO it is ready for production.
> If you plan to run a full system and you have very aggressive users
> inside with root privilege, then it may not be ready yet. If you
> set up a full system and you plan to have only the administrator of
> the host be the administrator of the containers, and the users
> inside the container are never root, then IMHO it is ready if you
> accept, for example, that the iptables logs go to the host system.
In my opinion there is not a big difference if I run some software
which might have a security bug which people could exploit or if I
have a root user who tries to escape the container. In both cases I need
isolation which I can trust.
For me this is the main reason for doing things in isolation like lxc or
openvz, because I don't need the overhead of kvm or xen but I still
need isolation which jails a software or a system, root users inside
or not.
It looks to me like you already know a way to escape from a
container, don't you? And if so, is that a desired behavior or just a
bug?
The point I'd like to come to: Is one goal of lxc to make it a container
where nothing/nobody can escape, or is this feature just "nice-to-have"
but not a "must have" on the roadmap?
> Really, it depends on what you want to do ...
> I don't know OpenVZ very well, but AFAIK it is focused on system
> containers while LXC can set up different levels of isolation, allowing
> you to run an application sharing a filesystem or a network, for example,
> as well as running a full system. But this flexibility is a drawback
> too because the administrator of the container needs a bit of
> knowledge of system administration and the container technology.
For me, all aspects of lxc are interesting; I am not only focused on
full system virtualization. I am also thinking of jailing just some
apps with some libs in containers (e.g. python). But in the end, for
me it is about encapsulation with no escape :-)
Regards,
Christian
--
Christian Haintz
Student of Software Development and Business Management
Graz University of Technology
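To make Daniel's "different levels of isolation" concrete, here is an added configuration example; it is not from this thread or from the LXC project. It contrasts an application container that deliberately stays on the host's network (the case where, as Daniel says, the iptables logs end up on the host) with a full-system container configured on the assumption that root inside it is not trusted. The keys are those of the lxc 0.7-era lxc.conf(5); the container names, paths, bridge name and address are made up, and the claim that omitting every lxc.network entry leaves the container in the host's network namespace is an assumption to verify against the lxc version in use.

```ini
# ---- /var/lib/lxc/webapp/config (constructed example) ----
# Application container: one program, own pid/mount/uts namespaces.
# Assumption: with no lxc.network.* entries the container keeps the
# host's network namespace, so sockets, routes and iptables logging
# are shared with the host. That is the "app sharing a network" level.
lxc.utsname = webapp
lxc.rootfs = /srv/containers/webapp/rootfs
# Share a data directory with the host read-only instead of copying it.
lxc.mount.entry = /srv/shared/data /srv/containers/webapp/rootfs/data none bind,ro 0 0

# ---- /var/lib/lxc/sys1/config (constructed example) ----
# Full-system container: private network and reduced root privileges.
lxc.utsname = sys1
lxc.rootfs = /srv/containers/sys1/rootfs
# Own network namespace: a veth pair attached to an (assumed) host bridge.
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.ipv4 = 10.0.3.10/24
# Device cgroup: deny everything, then allow only the pseudo-devices a
# stock userland needs. Comments must stay on their own lines because
# the config parser does not strip trailing comments from values.
lxc.cgroup.devices.deny = a
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/random and /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/ptmx and /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
# Capabilities a contained root should not hold: loading kernel modules,
# raw device and port I/O, setting the system clock, rebooting the host,
# creating device nodes. Names are CAP_* names in lower case without the
# prefix, space separated.
lxc.cap.drop = sys_module sys_rawio sys_time sys_boot mknod
```

The two files show the trade-off in the thread: the first container is cheap to set up and shares the host's network and a host directory, so the host administrator has to accept that the container's network activity is visible and accountable only at the host level; the second pays for the extra setup (bridge, address plan, device list) to narrow what a root user inside can reach. Neither replaces keeping the host kernel patched, since every container shares it.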
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users