[Lxc-users] LXC a feature complete replacement of OpenVZ?

Christian Haintz christian.haintz at gmail.com
Tue Jun 1 21:26:52 UTC 2010


Hi,

At first, thanks for all the great feedback and the quick, ongoing
development of lxc.

On May 13, 2010, at 11:22 PM, Daniel Lezcano wrote:

> On 05/13/2010 06:17 PM, Christian Haintz wrote:
>> 6) is LXC production ready?
>
> yes and no :)
>
> If you plan to run several webservers (not a full system) or non-root
> applications, then yes, IMHO it is ready for production.
>
> If you plan to run a full system and you have very aggressive users
> inside with root privilege, then it may not be ready yet. If you
> set up a full system and you plan to have only the administrator of
> the host be the administrator of the containers, and the users
> inside the container are never root, then IMHO it is ready, if you
> accept for example that the iptables logs go to the host system.

In my opinion there is not a big difference between running some software
which might have a security bug that people could exploit and having a
root user who tries to escape the container. Either way I need
isolation which I can trust.
For me this is the main reason for doing things in isolation like lxc or
openvz: I don't need the overhead of kvm or xen, but I still need
isolation which jails a piece of software or a system, root users inside
or not.

It looks to me like you already know a way to escape from a
container, don't you? And if so, is that desired behavior or just a
bug?
The point I'd like to come to: is one goal of lxc to make it a container
where nothing/nobody can escape, or is this feature just "nice-to-have"
but not a "must have" on the roadmap?

>
> Really, it depends on what you want to do ...
>
> I don't know OpenVZ very well, but AFAIK it is focused on system
> containers, while LXC can set up different levels of isolation, allowing
> you to run an application sharing a filesystem or a network, for example,
> as well as running a full system. But this flexibility is a drawback
> too, because the administrator of the container needs a bit of
> knowledge of system administration and the container technology.

For me, all aspects of lxc are interesting; I am not only focused on
full system virtualization. I am also thinking of jailing just some
apps with some libs in containers (e.g. python). But in the end, for
me it is about encapsulation with no escape :-)

Regards,
Christian

--
Christian Haintz
Student of Software Development and Business Management
Graz, University of Technology
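The question above, whether root inside an lxc container is really fenced in, can be checked rather than taken on trust. The script below is an added example for this thread, not code from the original post or from the lxc project. It reads the capability bounding set (the CapBnd line of /proc/<pid>/status, Linux 2.6.26 and later, the set that lxc shrinks with lxc.cap.drop) and lists the capabilities that would let a container root load modules, mknod devices, mount filesystems or reboot the host; without user namespaces, uid 0 in the container is uid 0 on the host, so this set is the fence that matters. The ns_diff helper, meant to be run on the host, compares namespace links under /proc/<pid>/ns, which exist only on kernels newer than this 2010 post. The sample status text, the capability bit numbers (taken from linux/capability.h) and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread or of lxc itself.
# Assumes a Linux /proc with CapBnd in /proc/<pid>/status (2.6.26+)
# and, for ns_diff only, /proc/<pid>/ns/* links (3.0+).

# cap_in_mask HEXMASK BIT -> true (exit 0) if BIT is set in the hex
# capability mask as printed in /proc/<pid>/status.
cap_in_mask() {
    m=$1; b=$2
    [ $(( (0x$m >> b) & 1 )) -eq 1 ]
}

# capbnd_from_status STATUSTEXT -> prints the CapBnd hex mask found in
# the given /proc/<pid>/status contents (empty if there is no such line).
capbnd_from_status() {
    printf '%s\n' "$1" | awk '$1 == "CapBnd:" { print $2; exit }'
}

# risky_caps_present HEXMASK -> prints, space separated, the capabilities
# from a short "could this reach the host?" list that are still in the
# bounding set.  Bit numbers are the stable values from linux/capability.h.
risky_caps_present() {
    out=""
    for entry in CAP_SYS_ADMIN:21 CAP_SYS_MODULE:16 CAP_SYS_RAWIO:17 \
                 CAP_SYS_BOOT:22 CAP_MKNOD:27 CAP_NET_ADMIN:12; do
        name=${entry%%:*}; bitno=${entry##*:}
        cap_in_mask "$1" "$bitno" && out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# ns_diff PID_A PID_B -> prints the namespace types in which the two
# processes differ.  Run on the host with PID_A=1 (host init) and PID_B
# a process inside the container; an empty result means the container
# process shares every namespace with the host, i.e. no isolation there.
ns_diff() {
    out=""
    for ns in mnt pid net ipc uts user; do
        [ -e "/proc/$1/ns/$ns" ] && [ -e "/proc/$2/ns/$ns" ] || continue
        [ "$(readlink "/proc/$1/ns/$ns")" = "$(readlink "/proc/$2/ns/$ns")" ] \
            || out="$out $ns"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: a status file where SYS_ADMIN, SYS_MODULE, SYS_RAWIO,
# SYS_BOOT and MKNOD have been dropped but NET_ADMIN has not.
SAMPLE_STATUS="Name:   bash
CapInh: 0000000000000000
CapPrm: 0000003ff79cffff
CapEff: 0000003ff79cffff
CapBnd: 0000003ff79cffff"

echo "sample CapBnd: $(capbnd_from_status "$SAMPLE_STATUS")"
echo "sample risky caps: $(risky_caps_present "$(capbnd_from_status "$SAMPLE_STATUS")")"

# Live report for the shell this runs in (e.g. a root shell from lxc-console).
if [ -r /proc/self/status ]; then
    live=$(capbnd_from_status "$(cat /proc/self/status)")
    echo "this shell CapBnd: $live"
    echo "this shell risky caps: $(risky_caps_present "$live")"
fi
```

If CAP_SYS_ADMIN or CAP_MKNOD shows up in the live report from inside a container, the container's root can still mount filesystems or create device nodes, so a bug in any setuid or root-run program inside becomes a host problem; an unrestricted bounding set is exactly the case Daniel describes as "not ready yet". The check is necessary, not sufficient: the cgroup device whitelist, what is mounted into the container and the kernel attack surface are not covered by it.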
