[lxc-devel] TODO list?

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 9 16:21:09 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Mon, Jun 09, 2014 at 04:01:22PM +0000, Serge Hallyn wrote:
> > Quoting Christian Evans (Frodox at zoho.com):
> > > Hi folks!
> > > 
> > > I am looking for a way to improve [security of] Linux Containers.
> > > 
> > > Where can I find any ToDo/features list, so I could help the project?
> > 
> > Hm, there isn't one right now that is up to date, especially pertaining
> > to security.  If security is what you are particularly interested in,
> > then some areas where you could help are
> > 
> > 1. implement lxc support for Smack
> > 
> > 2. work on some usable seccomp policies - with the new personality and
> > blacklist policy support we should be able to get some policies for
> > standard workloads that are actually useful, i.e. refusing compat calls
> > in x86-64 containers, etc.
> > 
> > 3. work on selinux container policies
> > 
> > 4. test out mountlo and other of the fuse filesystems that Eric
> > mentioned should allow mounting from an unprivileged user namespace.
> > (I gave it a 0% effort attempt, got an EPERM, and moved on to higher
> > prio things;  it should be fun to figure out)
> 
> 5)
> Maybe look into getting a fuse proc filesystem hook for those who want
> meminfo/cpuinfo to be based on the cgroup values.

5b) join the effort to write a new globally consumable library to wrap
/proc and cgroup info for use by programs like top and free.

> 6)
> Help with getting CRIU to work with LXC (one of the expected main features
> of LXC 1.1).

Tycho is diving into that, so anyone interested in that please hop
onto freenode#criu and coordinate.

