[lxc-devel] LXC on PlanetLab

Sapan Bhatia sapanb at CS.Princeton.EDU
Wed Sep 5 20:49:46 UTC 2012


Hi everyone,

PlanetLab is a global research network consisting of over 1000 nodes
at 545 sites around the world. We are pleased to announce that we are
in the process of migrating our resource allocation and isolation
mechanisms to LXC. While prototyping our new environment, we
encountered some difficulties, which we addressed by implementing a
library of tools. We are posting a link to the library here for anyone
else with comparable needs [1].

There are two main components of this library:

1) procprotect - a kernel module for protecting entries in /proc via
simple ACLs. Simply

    echo /proc/sysrq-trigger > /proc/procprotect

to prevent processes in containers from accessing that entry.

2) transforward - a kernel module that implements lightweight IP address
sharing by letting a container bind to select whitelisted IP addresses
of devices in other containers via setns-like functionality. The main
use case for this module is for users to be able to easily bind to
public IP addresses, which is needed by a large number of PlanetLab
services [2][3].

We realize that efforts are underway to develop more formal methods,
such as ones based on Mandatory Access Control, for addressing these
problems, but in the meantime we are going to use these in our
deployment.

Sapan

[1] www.cs.princeton.edu/~sapanb/lxckit
[2] http://codeen.cs.princeton.edu/
[3] http://www.coralcdn.org/
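The following is an added example and is not code from the post above or from the PlanetLab lxckit; it only assumes the interface the post describes (writing a /proc path into /proc/procprotect hides that entry from container processes). It wraps that one-line echo in a small POSIX sh function that applies a whole list of entries, one write per entry, and refuses anything that is not an absolute path under /proc so that a typo cannot register a bogus rule. The control-file path is a parameter so the function can be exercised against an ordinary file on a host where the module is not loaded. The default entry list is constructed here; the post itself names only /proc/sysrq-trigger.

```shell
#!/bin/sh
# Added example, not part of the lxc-devel post or of the PlanetLab lxckit.
# Assumed interface (per the post): "echo <path> > /proc/procprotect" denies
# processes inside containers access to <path>. Nothing else about the
# module's behaviour is assumed.

# procprotect_apply CTL ENTRY...
#   Writes each ENTRY into the control file CTL, one write per entry,
#   exactly as the post's "echo /proc/sysrq-trigger > /proc/procprotect".
#   Rejects (and does not write) any ENTRY that is not an absolute path
#   below /proc, so a stray argument cannot become a rule.
#   Prints the number of entries written; returns non-zero if any entry
#   was rejected or a write failed.
procprotect_apply() {
    ctl=$1
    shift
    written=0
    rejected=0
    for entry in "$@"; do
        case $entry in
            /proc/?*) ;;   # acceptable: absolute path below /proc
            *)
                echo "procprotect: refusing '$entry' (not under /proc)" >&2
                rejected=$((rejected + 1))
                continue
                ;;
        esac
        # One write per entry, mirroring the post's echo; the control file
        # is reopened each time, as a shell redirection would do it.
        if printf '%s\n' "$entry" > "$ctl"; then
            written=$((written + 1))
        else
            echo "procprotect: write of '$entry' to '$ctl' failed" >&2
            rejected=$((rejected + 1))
        fi
    done
    echo "$written"
    [ "$rejected" -eq 0 ]
}

# Constructed list of /proc entries a shared research host would plausibly
# keep away from container (slice) processes. The post names only
# /proc/sysrq-trigger; the others are this example's own choices.
PROCPROTECT_DEFAULT_ENTRIES="/proc/sysrq-trigger /proc/kcore /proc/kallsyms"

# Usage on a node with the procprotect module loaded (run as root on the host):
#   procprotect_apply /proc/procprotect $PROCPROTECT_DEFAULT_ENTRIES
```

After applying the list on a node, the natural check is to run `cat /proc/sysrq-trigger` from inside a container: according to the post it should now be refused, while the same read from the host still behaves normally. Because the function reports a count and a non-zero status on rejection, it can be dropped into a node boot script and fail loudly instead of silently skipping a misspelled entry.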
