On Mon, 2014-02-10 at 13:10 +0000, Simon McVittie wrote:
> On 09/02/14 17:41, Miguel Landaeta wrote:
> > During this weekend I was playing with Docker and since I noticed
> > there are no backports for stable right now, I decided to try to
> > backport it.
>
> Does it need a newer kernel/LXC than what's in wheezy for it to be secure?
>
> <http://blog.bofh.it/debian/id_413> was a couple of years ago, so I
> hope that improvements in the kernel mean it's no longer valid... but
> I haven't seen anything specifically say that it isn't.
>
> Similarly,
> <https://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS>
> and <https://wiki.ubuntu.com/UserNamespace> seem relevant, although
> they are hopefully just outdated.
>
> <http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/>
> claims that the warning given in the Gentoo article is not relevant to
> Linux 3.8+, but wheezy only has 3.2.
>
> Depending on a newer kernel is awkward, unfortunately. Perhaps it'd be
> worth discussing this with the Debian kernel maintainers.

I don't know what the kernel requirements are, but since wheezy-backports
does get new kernel versions I don't think this would be a problem.
Maybe this package should include a run-time check on the kernel version.
That's just as true in sid as it is in wheezy-backports.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus
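The run-time kernel-version check Ben suggests, as an added example that is not code from this thread or from Debian's docker packaging; the 3.8 threshold is the one the docker.io post quoted above names, and the function names are assumptions of mine. It compares major.minor numerically, so 3.10 is correctly treated as newer than 3.8 (a plain string comparison gets that wrong).

```shell
#!/bin/sh
# Added example (not from the thread or from Debian's docker packaging):
# refuse to start, or at least warn, when the running kernel predates the
# version whose isolation features the security claims rely on.

# kernel_at_least MIN_MAJOR MIN_MINOR [RELEASE]
# RELEASE defaults to `uname -r`; returns 0 if RELEASE >= MIN_MAJOR.MIN_MINOR.
kernel_at_least() {
    min_major=$1
    min_minor=$2
    release=${3:-$(uname -r)}

    # Keep only the leading dotted numbers: "3.2.0-4-amd64" -> "3.2.0"
    version=$(printf '%s\n' "$release" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    # A bare "3" has no minor part; ${version#*.} then returns "3" again.
    [ "$rest" = "$version" ] && minor=0

    [ "$major" -gt "$min_major" ] && return 0
    [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ] && return 0
    return 1
}

# check_docker_kernel [RELEASE]: 3.8 is the version the docker.io post
# quoted in the thread names as the point where the Gentoo warning stops
# applying; anything older gets a warning on stderr and a non-zero status.
check_docker_kernel() {
    if kernel_at_least 3 8 "$@"; then
        echo "kernel ${1:-$(uname -r)} ok"
        return 0
    fi
    echo "kernel ${1:-$(uname -r)} is older than 3.8;" \
         "container isolation guarantees do not apply" >&2
    return 1
}
```

Run without arguments it checks the live kernel; a postinst or wrapper script would call check_docker_kernel and act on its exit status.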