Quoting Michael Holmes (holmesm...@gmail.com):
> Hello,
>
> I've read some older posts on the internet that suggested that the current
> state of LXC at the time rendered LXC unsuitable for use as security
> containers. Is this still the case? I'm interested in migrating a server
> from FreeBSD which currently uses a similar setup with jails for app
> isolation.

We're just about at the stage where you can use seccomp, LSM (apparmor for now, waiting on selinux), user namespaces and cgroups all together to restrict workloads. Full system containers will want a lot of syscalls, meaning the seccomp restrictions will mainly be useful in restricting the compat_ syscalls (which tend to be problematic, so that's still useful), but for app isolation in particular you should definitely be able, with proper configuration, to very strongly protect the host from the app.

-serge

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
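
The reply above names four layers to combine: seccomp, an LSM profile, user namespaces and cgroups. The following is an added example, not part of the original post or of LXC itself: a small auditor that reports which of those layers a container config leaves unset or weak. It assumes the standard LXC config keys in both their legacy (LXC 1.x) and later spellings; the sample configs, container name and file path are constructed.

```python
LAYERS = {  # legacy LXC 1.x key, then the later spelling of the same key
    "seccomp": ("lxc.seccomp", "lxc.seccomp.profile"),
    "apparmor": ("lxc.aa_profile", "lxc.apparmor.profile"),
    "userns": ("lxc.id_map", "lxc.idmap"),
}

def parse(text):
    """Return (key, value) pairs from 'key = value' lines, skipping comments."""
    lines = (l.strip() for l in text.splitlines())
    return [tuple(p.strip() for p in l.split("=", 1))
            for l in lines if "=" in l and not l.startswith("#")]

def audit(text):
    """Return sorted findings; an empty list means every layer is configured."""
    pairs, findings = parse(text), []
    for layer, keys in LAYERS.items():
        values = [v for k, v in pairs if k in keys]
        if not values:
            findings.append(f"{layer}: not configured")
        elif layer == "apparmor" and values[-1] == "unconfined":
            findings.append("apparmor: profile is unconfined")
        elif layer == "userns":
            # Map format: <u|g> <container id> <host id> <range>
            maps = [v.split() for v in values]
            for kind in ("u", "g"):
                root = [m for m in maps if len(m) == 4 and m[:2] == [kind, "0"]]
                if not root:
                    findings.append(f"userns: no {kind}id map for container root")
                elif any(m[2] == "0" for m in root):
                    findings.append(f"userns: container {kind}id 0 is host {kind}id 0")
    if not any(k.startswith(("lxc.cgroup.", "lxc.cgroup2.")) for k, _ in pairs):
        findings.append("cgroups: no limits set")
    return sorted(findings)

# Constructed sample configs (profile path and values are made up for illustration).
WEAK = """
lxc.aa_profile = unconfined
lxc.id_map = u 0 0 65536
lxc.id_map = g 0 100000 65536
"""
HARDENED = """
lxc.seccomp = /etc/lxc/app1.seccomp
lxc.aa_profile = lxc-container-default
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.cgroup.memory.limit_in_bytes = 512M
"""
if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "all four layers configured")
```

The check only confirms that each layer is switched on and that container root is not mapped to host root; it does not judge the contents of the seccomp policy or AppArmor profile.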