Re: lxc / vserver / openvz (was: systemd flamage)

To: debian-devel@lists.debian.org
Subject: Re: lxc / vserver / openvz (was: systemd flamage)
From: Adam Borowski <kilobyte@angband.pl>
Date: Thu, 24 Oct 2013 16:44:35 +0200
Message-id: <[🔎] 20131024144435.GA19333@angband.pl>
In-reply-to: <[🔎] 20131024134004.GA32645@bongo.bofh.it>
References: <[🔎] 1382560241.6924.6.camel@heisenberg.scientia.net> <[🔎] 52683A5F.3090500@physik.fu-berlin.de> <[🔎] 20131023213915.GA12515@virgil.dodds.net> <[🔎] 20131024000946.GA26100@angband.pl> <[🔎] 20131024081123.GB28398@bryant.redmars.org> <[🔎] 20131024095931.GA13411@angband.pl> <[🔎] CANBHLUiYf+GJ=e-OmXiRNA+nfvuw1vgGj=cGHLB7QukFwav5+w@mail.gmail.com> <[🔎] 20131024134004.GA32645@bongo.bofh.it>

On Thu, Oct 24, 2013 at 03:40:04PM +0200, Marco d'Itri wrote:
> On Oct 24, Dmitrijs Ledkovs <xnox@debian.org> wrote:
> 
> > What do you mean by "holding hostile root." ?
> http://blog.bofh.it/debian/id_413
> 
> The missing parts (UID virtualization IIRC) are upstream now, and should 
> be ready for jessie.

If I read Ubuntu documentation correctly, you also need a large complex
apparmor policy to block sensitive /proc and /sys files from being messed
with by guest systems.  vserver does this internally based on its system
of capability bits.  It also censors misc syscalls; I can't seem to find
this part being done by lxc.

> Until then if you do not trust containers then the best choice is to
> use openvz with Parallel's 2.6.32 kernel.

As Ben Hutchings just told us, openvz has been merged upstream in 3.12. 
Interestingly, that bit (CONFIG_USER_NS) just happens to be the same thing
the blog post you pointed to described as the main problem that needs to
be solved for lxc.

Let's see how complete this is in practice.  So far, vserver works for me
but upstreamed stuff has obvious upsides.

-- 
ᛊᚨᚾᛁᛏᚣ᛫ᛁᛊ᛫ᚠᛟᚱ᛫ᚦᛖ᛫ᚹᛖᚨᚲ

Reply to:

Follow-Ups:
- Re: lxc / vserver / openvz (was: systemd flamage)
  - From: Serge Hallyn <serge.hallyn@ubuntu.com>

References:
- systemd effectively mandatory now due to GNOME
  - From: Christoph Anton Mitterer <calestyo@scientia.net>
- Re: systemd effectively mandatory now due to GNOME
  - From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
- Re: systemd effectively mandatory now due to GNOME
  - From: Steve Langasek <vorlon@debian.org>
- Re: systemd effectively mandatory now due to GNOME
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: systemd effectively mandatory now due to GNOME
  - From: Jonathan Dowland <jmtd@debian.org>
- Re: systemd effectively mandatory now due to GNOME
  - From: Adam Borowski <kilobyte@angband.pl>
- Re: systemd effectively mandatory now due to GNOME
  - From: Dmitrijs Ledkovs <xnox@debian.org>
- Re: systemd effectively mandatory now due to GNOME
  - From: md@Linux.IT (Marco d'Itri)

Prev by Date: Re: let's split the systemd binary package
Next by Date: Re: systemd effectively mandatory now due to GNOME
Previous by thread: Re: systemd effectively mandatory now due to GNOME
Next by thread: Re: lxc / vserver / openvz (was: systemd flamage)
Index(es):
- Date
- Thread