On Mon, 2014-02-10 at 13:10 +0000, Simon McVittie wrote:
> On 09/02/14 17:41, Miguel Landaeta wrote:
> > During this weekend I was playing with Docker and since I noticed
> > there are no backports for stable right now, I decided to try to
> > backport it.
>
> Does it need a newer kernel/LXC than what's in wheezy for it to be secure?
>
> <http://blog.bofh.it/debian/id_413> was a couple of years ago, so I
> hope that improvements in the kernel mean it's no longer valid... but
> I haven't seen anything specifically say that it isn't.
>
> Similarly,
> <https://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS>
> and <https://wiki.ubuntu.com/UserNamespace> seem relevant, although
> they are hopefully just outdated.
>
> <http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/>
> claims that the warning given in the Gentoo article is not relevant to
> Linux 3.8+, but wheezy only has 3.2.
>
> Depending on a newer kernel is awkward, unfortunately. Perhaps it'd be
> worth discussing this with the Debian kernel maintainers.
I don't know what the kernel requirements are, but since
wheezy-backports does get new kernel versions I don't think this would
be a problem.
Maye this package should include a run-time check on the kernel version.
That's just as true in sid as it is in wheezy-backports.
Ben.
--
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
- Albert Camus
Attachment:
signature.asc
Description: This is a digitally signed message part