Re: lxc / vserver / openvz (was: systemd flamage)

2013-10-24 Thread Adam Borowski
On Thu, Oct 24, 2013 at 03:40:04PM +0200, Marco d'Itri wrote:
> On Oct 24, Dmitrijs Ledkovs x...@debian.org wrote:
>
>> What do you mean by holding hostile root. ?
> http://blog.bofh.it/debian/id_413
>
> The missing parts (UID virtualization IIRC) are upstream now, and should
> be ready for jessie.

If I read Ubuntu documentation correctly, you also need a large complex
apparmor policy to block sensitive /proc and /sys files from being messed
with by guest systems.  vserver does this internally based on its system
of capability bits.  It also censors misc syscalls; I can't seem to find
this part being done by lxc.

> Until then if you do not trust containers then the best choice is to
> use openvz with Parallels' 2.6.32 kernel.

As Ben Hutchings just told us, openvz has been merged upstream in 3.12. 
Interestingly, that bit (CONFIG_USER_NS) just happens to be the same thing
the blog post you pointed to described as the main problem that needs to
be solved for lxc.

Let's see how complete this is in practice.  So far, vserver works for me
but upstreamed stuff has obvious upsides.

-- 
ᛊᚨᚾᛁᛏᚣ᛫ᛁᛊ᛫ᚠᛟᚱ᛫ᚦᛖ᛫ᚹᛖᚨᚲ


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131024144435.ga19...@angband.pl
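The "UID virtualization" mentioned above means in-container uid 0 is mapped, via the user namespace's /proc/<pid>/uid_map, to an unprivileged host uid. As an added example (not part of this thread), here is a small parser for that file's "inside outside count" format and a check that flags a container whose root is still host root; the sample maps are constructed and the function names are my own.

```python
"""Parse /proc/<pid>/uid_map and check whether a container's root is
really host root. Read the map from the host (initial namespace) so that
the "outside" column is in host uids. Sample maps below are constructed."""
from typing import List, Optional, Tuple

Mapping = Tuple[int, int, int]  # (inside_start, outside_start, count)


def parse_uid_map(text: str) -> List[Mapping]:
    """Parse uid_map/gid_map text: one "inside outside count" triple per line."""
    entries: List[Mapping] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def host_uid(entries: List[Mapping], inside_uid: int) -> Optional[int]:
    """Translate a namespace-local uid to the host uid; None if unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def root_maps_to_host_root(uid_map_text: str) -> bool:
    """True when in-namespace uid 0 is host uid 0, i.e. root is NOT
    virtualised. The identity map "0 0 4294967295" is what a process in
    the initial namespace, or a container on a kernel without
    CONFIG_USER_NS, shows. An unmapped uid 0 (no root at all) returns False."""
    return host_uid(parse_uid_map(uid_map_text), 0) == 0


# Constructed sample maps (hypothetical values, not captured from a host).
HOST_MAP = "         0          0 4294967295\n"
UNPRIV_CONTAINER_MAP = "         0     100000      65536\n"
```

Running the check over every container PID's uid_map on a host gives a quick inventory of which guests still hold real root.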



Re: lxc / vserver / openvz (was: systemd flamage)

2013-10-24 Thread Serge Hallyn
Quoting Adam Borowski (kilob...@angband.pl):
> On Thu, Oct 24, 2013 at 03:40:04PM +0200, Marco d'Itri wrote:
>> On Oct 24, Dmitrijs Ledkovs x...@debian.org wrote:
>>
>>> What do you mean by holding hostile root. ?
>> http://blog.bofh.it/debian/id_413
>>
>> The missing parts (UID virtualization IIRC) are upstream now, and should
>> be ready for jessie.
>
> If I read Ubuntu documentation correctly, you also need a large complex
> apparmor policy to block sensitive /proc and /sys files from being messed
> with by guest systems.  vserver does this internally based on its system
> of capability bits.  It also censors misc syscalls; I can't seem to find
> this part being done by lxc.
>
>> Until then if you do not trust containers then the best choice is to
>> use openvz with Parallels' 2.6.32 kernel.
>
> As Ben Hutchings just told us, openvz has been merged upstream in 3.12.

The openvz and container communities worked together on the kernel
features.  vzctl has been updated to use the kernel features that were
upstream-acceptable.

So 'openvz has been merged upstream' is technically false, as it implies
that the patches as they stood were merged.  But openvz developers
played a huge part in what made it upstream.

-serge


-- 
Archive: http://lists.debian.org/20131024165316.GB2226@ac100