[Lxc-users] LXC a feature complete replacement of OpenVZ?

Daniel Lezcano daniel.lezcano at free.fr
Wed Jun 2 09:25:10 UTC 2010


On 06/01/2010 11:26 PM, Christian Haintz wrote:
> Hi,
>
> At first, thanks for all the great feedback and the quick ongoing 
> development of lxc.
>
> On May 13, 2010, at 11:22 PM, Daniel Lezcano wrote:
>
>> On 05/13/2010 06:17 PM, Christian Haintz wrote:
>>> 6) is LXC production ready?
>>
>> yes and no :)
>>
>> If you plan to run several webservers (not a full system) or non-root 
>> applications, then yes, IMHO it is ready for production.
>>
>> If you plan to run a full system and you have very aggressive users 
>> inside with root privilege, then it may not be ready yet. If you set up 
>> a full system and you plan to have only the administrator of the host 
>> be the administrator of the containers, and the users inside the 
>> container are never root, then IMHO it is ready, if you accept, for 
>> example, having the iptables logs go to the host system.
>
> In my opinion there is not a big difference between running some software 
> which might have a security bug which people could exploit, and 
> having a root user who tries to escape the container. In both cases I need 
> isolation which I can trust.
> For me this is the main reason for doing things in isolation like lxc or 
> openvz: because I don't need the overhead of kvm or xen, but I still 
> need isolation which jails a piece of software or a system - root users inside 
> or not.
>
> It looks to me like you already know a way to escape from a 
> container, don't you? 

No, you can't escape the container. I meant that a root user in a container 
has nuisance power over the host system, e.g. sending falsified packets to 
the network.

> And if so, is that a desired behavior or just a bug?
> The point I'd like to come to: is one goal of lxc to make it a container 
> where nothing/nobody can escape, or is this feature just "nice-to-have" 
> but not a "must have" on the roadmap?
>
>>
>> Really, it depends on what you want to do ...
>>
>> I don't know OpenVZ very well, but AFAIK it is focused on system 
>> containers, while LXC can set up different levels of isolation, allowing 
>> it to run an application sharing a filesystem or a network, for example, 
>> as well as running a full system. But this flexibility is a drawback 
>> too, because the administrator of the container needs a bit of 
>> knowledge of system administration and of the container technology.
>
> For me, all aspects of lxc are interesting; I am not only focused on 
> full system virtualization. I am also thinking of jailing just some 
> apps with some libs in containers (e.g. python). But in the end, for 
> me it is about encapsulation with no escape :-)

From a design POV, with the namespaces, an application can't escape.

Thanks
   -- Daniel
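The "nuisance power" Daniel describes comes down to which Linux capabilities root inside the container still holds (forging packets needs CAP_NET_RAW, for instance). Before trusting a container with hostile root users, a practitioner wants to see that set rather than take it on faith. The script below is an added example, not code from the lxc project or from either poster: it decodes the CapEff bitmask from /proc/<pid>/status into capability names using the kernel's bit numbering, flags a watch-list of capabilities (the watch-list is this example's own choice, not an lxc recommendation), and tries the concrete thing the thread worries about, opening a raw packet socket. The two status snippets are constructed samples: full root, and a container whose net_raw and sys_admin were dropped.

```python
"""Decode what root inside a container can actually do.

Added example (not from the lxc project or the mailing-list thread).
Capability bit positions follow the Linux kernel's numbering in
include/uapi/linux/capability.h; the watch-list below is this example's
own assumption about what lets container root bother the host.
"""
import socket

# Linux capability names indexed by their kernel bit number (0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Assumed watch-list: capabilities that let container root forge traffic,
# reconfigure networking, load modules or touch raw devices on the host.
NUISANCE_CAPS = {"net_raw", "net_admin", "sys_admin", "sys_module",
                 "sys_rawio", "mknod", "sys_time", "syslog"}


def caps_from_status(status_text, field="CapEff"):
    """Return the set of capability names encoded in a /proc/*/status field.

    The field is a hex bitmask; bit n set means capability n is present.
    Bits beyond the known table are reported as "cap_<n>".
    """
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            break
    else:
        raise ValueError("no %s line in status text" % field)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def nuisance_caps(names):
    """Sorted list of the capabilities in `names` that are on the watch-list."""
    return sorted(set(names) & NUISANCE_CAPS)


def can_open_raw_socket():
    """Attempt the thing the thread worries about: a raw packet socket.

    Succeeds only with CAP_NET_RAW in the effective set.  AF_PACKET is
    Linux-only; elsewhere the check simply reports False.
    """
    if not hasattr(socket, "AF_PACKET"):
        return False
    try:
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    except OSError:          # EPERM without CAP_NET_RAW
        return False
    s.close()
    return True


def read_own_caps():
    """Capabilities of the current process, read from /proc/self/status."""
    with open("/proc/self/status") as f:
        return caps_from_status(f.read())


# Constructed samples (not captured from a real host): CapEff for full
# root with bits 0..40 set, and for a container where net_raw (bit 13)
# and sys_admin (bit 21) were dropped from the same mask.
FULL_ROOT_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"
TRIMMED_STATUS = "Name:\tbash\nCapEff:\t000001ffffdfdfff\n"

if __name__ == "__main__":
    for label, text in (("full root", FULL_ROOT_STATUS),
                        ("trimmed container", TRIMMED_STATUS)):
        print(label, "->", nuisance_caps(caps_from_status(text)))
    try:
        print("this process ->", nuisance_caps(read_own_caps()),
              "raw socket:", can_open_raw_socket())
    except OSError:
        print("no /proc/self/status on this platform")
```

Run it as root inside the container: an empty watch-list result and a failed raw-socket attempt are what "root inside, but no nuisance power on the host" should look like; any entry in the list is a capability the container configuration has left in place.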
