On 06/01/2010 11:26 PM, Christian Haintz wrote:
> Hi,
>
> At first, thanks for all the great feedback and the quickly ongoing
> development of lxc.
>
> On May 13, 2010, at 11:22 PM, Daniel Lezcano wrote:
>
>> On 05/13/2010 06:17 PM, Christian Haintz wrote:
>>> 6) Is LXC production ready?
>>
>> Yes and no :)
>>
>> If you plan to run several webservers (not a full system) or non-root
>> applications, then yes, IMHO it is ready for production.
>>
>> If you plan to run a full system and you have very aggressive users
>> inside with root privilege, then it may not be ready yet. If you set up
>> a full system and you plan to have only the administrator of the host
>> be the administrator of the containers, and the users inside the
>> container are never root, then IMHO it is ready, if you accept for
>> example that the iptables logs go to the host system.
>
> In my opinion there is not a big difference between running some software
> which might have a security bug that people could exploit and having a
> root user who tries to escape the container. In both cases I need
> isolation which I can trust.
> For me this is the main reason for doing things in isolation like lxc or
> openvz: I don't need the overhead of kvm or xen, but I still need
> isolation which jails a piece of software or a system, root users inside
> or not.
>
> It looks to me like you already know a way to escape from a
> container, don't you?

No, you can't escape the container. I meant that a root user in a container has a nuisance power over the host system, e.g. sending falsified packets to the network.

> And if so, is that a desired behavior or just a bug?
> The point I'd like to get to: is one goal of lxc to make it a container
> where nothing/nobody can escape, or is this feature just "nice-to-have"
> but not a "must-have" on the roadmap?
>
>> Really, it depends on what you want to do ...
>>
>> I don't know OpenVZ very well, but AFAIK it is focused on system
>> containers, while LXC can set up different levels of isolation, allowing
>> you to run an application sharing a filesystem or a network for example,
>> as well as running a full system. But this flexibility is a drawback
>> too, because the administrator of the container needs a bit of
>> knowledge of system administration and of the container technology.
>
> For me, all aspects of lxc are interesting; I am not only focused on
> full system virtualization. I am also thinking of jailing just some
> apps with some libs in containers (e.g. python). But in the end, for
> me it is about encapsulation with no escape :-)

From a design POV, with the namespaces an application can't escape.

Thanks
-- Daniel

Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users