[Lxc-users] LXC a feature complete replacement of OpenVZ?
Christian Haintz
christian.haintz at gmail.com
Tue Jun 1 21:26:52 UTC 2010
Hi,
At first, thanks for all the great feedback and the quickly ongoing
development to lxc.
On May 13, 2010, at 11:22 PM, Daniel Lezcano wrote:
> On 05/13/2010 06:17 PM, Christian Haintz wrote:
>> 6) is LXC production ready?
>
> yes and no :)
>
> If you plan to run several webservers (not a full system) or non-root
> applications, then yes IMHO it is ready for production.
>
> If you plan to run a full system and you have very aggressive users
> inside with root privilege then it may not be ready yet. If you
> set up a full system and you plan to have only the administrator of
> the host be the administrator of the containers, and the users
> inside the container are never root, then IMHO it is ready if you
> accept for example having the iptables logs go to the host system.
In my opinion there is not a big difference if I run some software
which might have a security bug which people could exploit, or if I
have a root user who tries to escape the container. In both cases I need
isolation which I can trust.
For me this is the main reason for doing things in isolation like lxc or
openvz, because I don't need the overhead of kvm or xen but I still
need isolation which jails a piece of software or a system - root users inside
or not.
It looks to me like you already know a way to escape from a
container, don't you? And if so, is that a desired behavior or just a
bug?
The point I'd like to come to: Is one goal of lxc to make it a container
where nothing/nobody can escape, or is this feature just "nice-to-have"
but not a "must have" on the roadmap?
>
> Really, it depends on what you want to do ...
>
> I don't know OpenVZ very well, but AFAIK it is focused on system
> containers while LXC can set up different levels of isolation, allowing
> you to run an application sharing a filesystem or a network for example,
> as well as running a full system. But this flexibility is a drawback
> too because the administrator of the container needs a bit of
> knowledge of system administration and the container technology.
For me, all aspects of lxc are interesting; I am not only focused on
full system virtualization. I am also thinking of jailing just some
apps with some libs in containers (e.g. python). But in the end, for
me it is about encapsulation with no escape :-)
Regards,
Christian
--
Christian Haintz
Student of Software Development and Business Management
Graz, University of Technology
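The thread turns on whether a root user inside a container is really confined, and Daniel's answer makes the point that this depends on how the container is set up (shared filesystem or network, who is root inside). The script below is an added example, not code from this mailing list post or from the LXC project: it inspects what the kernel actually gives a process, namely its capability bounding set from /proc/<pid>/status and its namespace inodes from /proc/<pid>/ns, and reports host-reaching capabilities a container init still holds and namespaces it still shares with the host. The capability numbering follows linux/capability.h; the /proc excerpts and namespace inodes are constructed sample input, and the list of "host-reaching" capabilities is a judgement call made for this example.

```python
"""Check how much isolation a container process actually has, by reading
its capability bounding set and namespace identities.

Added example for the lxc-users discussion above; not code from the thread
or from LXC. Capability bit numbers follow linux/capability.h. The /proc
text and namespace inodes below are constructed sample data."""
import os

# Capability bit numbers from linux/capability.h (bit 0 = CAP_CHOWN).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that let root inside a container reach host resources
# (kernel modules, raw device I/O, mounts and kernel config via SYS_ADMIN,
# device nodes, ptrace, reboot). Which ones to treat as host-reaching is a
# judgement call made for this example.
HOST_REACHING = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                 "CAP_MKNOD", "CAP_SYS_PTRACE", "CAP_SYS_BOOT"}


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, 'CapBnd': int}
    parsed from the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, value = line.split(":", 1)
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def decode_caps(mask):
    """Translate a capability bitmask into the set of capability names."""
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def retained_host_reaching_caps(status_text):
    """Sorted list of host-reaching capabilities still in the bounding set."""
    bnd = decode_caps(parse_cap_masks(status_text)["CapBnd"])
    return sorted(bnd & HOST_REACHING)


def shared_namespaces(host_ns, container_ns):
    """Namespaces whose inode is identical for host and container, i.e.
    namespaces the container never got its own copy of. Inputs are
    {ns_name: 'ns:[inode]'} as returlink on /proc/<pid>/ns/<name> gives."""
    return sorted(n for n in container_ns if container_ns[n] == host_ns.get(n))


def live_namespaces(pid):
    """Read the namespace links of a live pid (Linux only; needs permission)."""
    ns_dir = f"/proc/{pid}/ns"
    return {n: os.readlink(os.path.join(ns_dir, n)) for n in os.listdir(ns_dir)}


# Constructed /proc/<pid>/status excerpts (sample data, not captured output).
HOST_INIT_STATUS = """Name:\tinit
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
"""
# A container init whose bounding set has SYS_MODULE, SYS_RAWIO, SYS_ADMIN
# and MKNOD cleared, but still carries SYS_PTRACE and SYS_BOOT.
CONTAINER_INIT_STATUS = """Name:\tinit
CapInh:\t0000000000000000
CapPrm:\t000001fff7dcffff
CapEff:\t000001fff7dcffff
CapBnd:\t000001fff7dcffff
"""
# Constructed namespace inodes: this container shares the host's net namespace.
HOST_NS = {"mnt": "mnt:[4026531840]", "pid": "pid:[4026531836]", "net": "net:[4026531992]"}
CONTAINER_NS = {"mnt": "mnt:[4026532512]", "pid": "pid:[4026532515]", "net": "net:[4026531992]"}

if __name__ == "__main__":
    print("container init keeps:", retained_host_reaching_caps(CONTAINER_INIT_STATUS))
    print("namespaces shared with host:", shared_namespaces(HOST_NS, CONTAINER_NS))
    if os.path.isdir("/proc/self/ns"):
        try:  # readlink on another pid's ns links needs ptrace permission
            print("this process shares with pid 1:",
                  shared_namespaces(live_namespaces(1), live_namespaces(os.getpid())))
        except OSError as err:
            print("could not read live namespaces:", err)
```

On the constructed data the container still reports CAP_SYS_BOOT and CAP_SYS_PTRACE in its bounding set and a net namespace shared with the host, which is exactly the kind of configuration Daniel describes as acceptable only when nobody inside is root. Run against a real container init (the pid of the container's first process as seen from the host), the same two checks show whether the capabilities dropped through LXC's lxc.cap.drop setting and the namespaces requested in the container config actually took effect.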