<div dir="ltr"><br><br><div class="gmail_quote">On Tue, Jan 29, 2013 at 5:10 PM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@canonical.com" target="_blank">serge.hallyn@canonical.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Quoting pablo platt (<a href="mailto:pablo.platt@gmail.com">pablo.platt@gmail.com</a>):<br>
> I'll be happy to be the driving force but I need info from experts.<br>
><br>
> Let's say the command will look like this:<br>
> lxc-sandbox -n mybox /bin/bash<br>
> Do you think that lxc-sandbox can use an API similar to libvirt-sandbox?<br>
> <a href="http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox" target="_blank">http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox</a><br>
><br>
> Will lxc-sandbox need to call lxc-execute with a predefined secure config?<br>
> Will it need to use seccomp, apparmor, selinux or something else?<br>
<br>
</div>Thinking about it, I think it would look more like lxc-start-ephemeral.<br>
<br>
In fact, perhaps it could take the form of a '-f <extra-config-file>'<br>
flag to lxc-start-ephemeral, where we ship an example extra-config-file<br>
with commented apparmor, capabilities and seccomp configuration.<br></blockquote><div><br>You mean that it will be based on lxc-start-ephermeral or only use the same structure?<br>I think that lxc-start-ephermeral use OS container while a sandbox is easier to use and more efficient as an application container.<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Note also that if at all possible, you'll probably want to be on the<br>
bleeding edge of both kernel and userspace and use user namespaces<br>
to rob the container of all privilege on the host.<br></blockquote><div><br>Will ubuntu 13.04 support it or only 13.10?<br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class="HOEnZb"><font color="#888888"><br>
-serge<br>
</font></span></blockquote></div><br></div>