Re: lxc / vserver / openvz (was: systemd flamage)

Quoting Adam Borowski (kilobyte@angband.pl):
> On Thu, Oct 24, 2013 at 03:40:04PM +0200, Marco d'Itri wrote:
> > On Oct 24, Dmitrijs Ledkovs <xnox@debian.org> wrote:
> > 
> > > What do you mean by "holding hostile root." ?
> > http://blog.bofh.it/debian/id_413
> > 
> > The missing parts (UID virtualization IIRC) are upstream now, and should 
> > be ready for jessie.
> 
> If I read Ubuntu documentation correctly, you also need a large complex
> apparmor policy to block sensitive /proc and /sys files from being messed
> with by guest systems.  vserver does this internally based on its system
> of capability bits.  It also censors misc syscalls; I can't seem to find
> this part being done by lxc.
> 
> > Until then if you do not trust containers then the best choice is to
> > use openvz with Parallel's 2.6.32 kernel.
> 
> As Ben Hutchings just told us, openvz has been merged upstream in 3.12. 

The openvz and container communities worked together on the kernel
features.  vzctl has been updated to use the kernel features that were
upstream-acceptable.

So 'openvz has been merged upstream' is technically false, as it implies
that the patches as they stood were merged.  But openvz developers
played a huge part in what made it upstream.

-serge
