Re: Linux 3.2 in wheezy
On 01/30/2012 01:44 AM, Adam Borowski wrote:
[...]
> * how to ensure good isolation while still being able to do useful work?
> The point of vserver is that even root inside a VM shouldn't be able to
> affect the host, on lxc you keep hurting the host by accident. Messing
> with capabilities blindly is trial and error, which is precisely what you
> don't want to do in a system meant for security.
grsecurity helps a lot here - but I doubt we want to require knowledge
of grsecurity to setup a lxc container. With vserver you were not
required to have grsecurity enabled to have a more or less save-enough
virtualization solution, although I'd recommend to do so.
--
Bernd Zeimetz Debian GNU/Linux Developer
http://bzed.de http://www.debian.org
GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F
Reply to: