Quoting Vladimir (m...@foomx.de):
> Hi everybody,
>
> I'm trying to get application containers running. Everything works so
> far, but there are still some aspects which are not clear to me.
>
> To explain what I'm trying to do here a little example:
>
> root@server:~
> #> lsb_release -d
> Description:    Ubuntu 12.04.2 LTS
> root@server:~
> #> uname -r
> 3.2.0-41-generic
> root@server:~
> #> cat lxc.conf
> lxc.utsname = testcase
> root@server:~
> #> lxc-execute -n testcase -f lxc.conf /bin/bash
> root@testcase:~
> #> ps fax
>   PID TTY      STAT   TIME COMMAND
>     1 pts/8    S      0:00 /usr/lib/lxc/lxc-init -- /bin/bash
>     2 pts/8    S      0:00 /bin/bash
>    83 pts/8    R+     0:00  \_ ps fax
>
> So far everything is fine. The container knows only about its own
> process environment (namespace). But it is still possible to see and
> access all files like I would operate on the host system.

What this gives you is a fresh mount namespace, but not different files.
If you only want a few different directories you can bind mount them in
using the config file, but it sounds to me like you actually want a
system container.  i.e.

cat > /tmp/lxc.conf << EOF
lxc.network.type=empty
EOF
sudo lxc-create -t ubuntu -f /tmp/lxc.conf -n c1
sudo lxc-start -n c1

> Maybe I haven't got the concept of lxc but is there an option to also
> isolate the access on filesystem?

You haven't given it a private rootfs.

> What are in general the possibilities to isolate the application
> containers? proc fs is also an issue. Dropping capability sys_boot
> hasn't worked for me up to now. I read about lxc.mount.entry option
> but this seems only to work if I have a rootfs

No that should work without having a rootfs.

> and application container
> initialized via lxc-execute doesn't use a rootfs. Or is the only
> approach to use SELinux or apparmor?
>
> Thanks and best regards
> Vladimir
>
> _______________________________________________
> Lxc-users mailing list
> Lxc-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
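An added example, not code from the thread, of the other route the reply points at: keeping lxc-execute but giving the application container its own rootfs that holds only read-only bind mounts of the host directories the program needs, a fresh proc and a private /tmp. It assumes 0.7-era config keys (lxc.rootfs, fstab-style lxc.mount.entry with destinations relative to the rootfs, ro honoured on bind entries), that lxc-init is found inside the rootfs through the /usr and /lib binds, and hypothetical paths under /var/lib/lxc/testcase.

```shell
#!/bin/sh
# Added example, not code from the list thread: give an lxc-execute
# application container a private rootfs so it no longer sees the host's
# files.  Assumes LXC 0.7-era config keys (lxc.rootfs, lxc.mount.entry in
# fstab form, destinations relative to lxc.rootfs, ro honoured on binds)
# and that lxc-init is reachable inside the rootfs via the /usr bind.

# Print a config that exposes only the named host dirs, read-only, plus a
# fresh proc and a private tmpfs /tmp.  $1 = rootfs path, rest = host dirs.
gen_app_conf() {
    rootfs=$1; shift
    echo "lxc.utsname = testcase"
    echo "lxc.network.type = empty"
    echo "lxc.rootfs = $rootfs"
    for d in "$@"; do
        # ro,bind: the container can run the binaries but not alter them
        echo "lxc.mount.entry = $d ${d#/} none ro,bind 0 0"
    done
    echo "lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0"
    echo "lxc.mount.entry = tmpfs tmp tmpfs nodev,nosuid,size=64m 0 0"
}

# Create the empty mount points the config refers to.  /dev is left empty
# on purpose; add only the device nodes the workload really needs.
make_rootfs() {
    rootfs=$1; shift
    for d in "$@" /proc /tmp /dev; do
        mkdir -p "$rootfs/${d#/}"
    done
}

# Defensive check on a config file: count bind mounts that are not
# read-only (prints 0 when every bind carries ro).
rw_bind_count() {
    grep 'bind' "$1" | grep -vc 'ro,bind' || true
}

# Hypothetical paths; run as root on the LXC host.  On amd64 add /lib64
# to both lists so the dynamic loader is found.
run_app_container() {
    rootfs=/var/lib/lxc/testcase/rootfs
    make_rootfs "$rootfs" /bin /lib /usr
    gen_app_conf "$rootfs" /bin /lib /usr > /tmp/app.conf
    [ "$(rw_bind_count /tmp/app.conf)" -eq 0 ] || return 1
    lxc-execute -n testcase -f /tmp/app.conf /bin/bash
}
```

Inside the container, `ls /` then shows only the bound directories, and writes to them fail with a read-only filesystem error.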