Hi everybody,
I'm trying to get application containers running. Everything works so
far, but there are still some aspects which are not clear to me.
To explain what I'm trying to do here a little example:
root@server:~
#> lsb_release -d
Description: Ubuntu 12.04.2 LTS
root@server:~
#> uname -r
3.2.0-41-generic
root@server:~
#> cat lxc.conf
lxc.utsname = testcase
root@server:~
#> lxc-execute -n testcase -f lxc.conf /bin/bash
root@testcase:~
#> ps fax
PID TTY STAT TIME COMMAND
1 pts/8 S 0:00 /usr/lib/lxc/lxc-init -- /bin/bash
2 pts/8 S 0:00 /bin/bash
83 pts/8 R+ 0:00 \_ ps fax
So far everything is fine. The container knows only about its own
process environment (namespace). But it is still possible to see and
access all files like I would operate on the host system.
Maybe I haven't got the concept of lxc but is there an option to also
isolate the acces on filesystem?
What are in general the possiblities to isolate the application
containers? proc fs is also an issue. Dropping capability sys_boot
haven't worked for me up to now. I read about lxc.mount.entry option
but this seems only to work if I have a rootfs and application container
initialized via lxc-exectue don't use a rootfs. Or is the only
approach to use SELinux or apparmor?
Thanks and best regards
Vladimir
------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
