[Lxc-users] LXC a feature complete replacement of OpenVZ?
Daniel Lezcano
daniel.lezcano at free.fr
Wed Jun 2 09:25:10 UTC 2010
On 06/01/2010 11:26 PM, Christian Haintz wrote:
> Hi,
>
> At first, thanks for all the great feedback and the quickly ongoing
> development to lxc.
>
> On May 13, 2010, at 11:22 PM, Daniel Lezcano wrote:
>
>> On 05/13/2010 06:17 PM, Christian Haintz wrote:
>>> 6) is LXC production ready?
>>
>> yes and no :)
>>
>> If you plan to run several webservers (not a full system) or non-root
>> applications, then yes, IMHO it is ready for production.
>>
>> If you plan to run a full system and you have very aggressive users
>> inside with root privilege, then it may not be ready yet. If you set up
>> a full system and you plan to have only the administrator of the host
>> be the administrator of the containers, and the users inside the
>> container are never root, then IMHO it is ready, if you accept for
>> example having the iptables logs go to the host system.
>
> In my opinion there is not a big difference between running some
> software which might have a security bug that people could exploit and
> having a root user who tries to escape the container. In both cases I
> need isolation which I can trust.
> For me this is the main reason for doing things in isolation like lxc or
> openvz, because I don't need the overhead of kvm or xen but I still
> need isolation which jails a piece of software or a system, root users
> inside or not.
>
> It looks to me like you already know a way how to escape from a
> container, don't you?
No, you can't escape the container. I meant a root user in a container
has nuisance power over the host system, e.g. sending falsified packets
to the network.
> And if so, is that desired behavior or just a bug?
> The point I'd like to get to: Is one goal of lxc to make it a container
> where nothing/nobody can escape, or is this feature just "nice-to-have"
> and not a "must-have" on the roadmap?
>
>>
>> Really, it depends on what you want to do ...
>>
>> I don't know OpenVZ very well, but AFAIK it is focused on system
>> containers, while LXC can set up different levels of isolation,
>> allowing an application to share a filesystem or a network, for
>> example, as well as running a full system. But this flexibility is a
>> drawback too, because the administrator of the container needs a bit
>> of knowledge of system administration and the container technology.
>
> For me, all aspects of lxc are interesting; I am not only focused on
> full system virtualization. I am also thinking of jailing just some
> apps with some libs in containers (e.g. python). But in the end, for
> me it is about encapsulation with no escape :-)
From a design POV, with the namespaces an application can't escape.
Thanks
-- Daniel
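The "nuisance power" Daniel describes (a root user inside the container forging packets) comes down to which Linux capabilities the container's root still holds: opening a raw socket, which is what packet forgery needs, requires CAP_NET_RAW. The check below is an added example written for this page; it is not code from the thread or from the LXC project. It reads the effective capability mask (the CapEff line of /proc/self/status) and tests the CAP_NET_RAW bit, so an administrator can verify from inside a container whether that nuisance power has actually been taken away. The capability number 13 is taken from linux/capability.h; the LXC config key `lxc.cap.drop = net_raw` mentioned in the comments is the usual way to drop it, and whether your LXC version honours it is an assumption you should confirm against your own lxc.conf(5). The two sample masks are constructed for the example, not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the original mail or the LXC project):
# check whether the running process still has CAP_NET_RAW, the
# capability needed for raw sockets and therefore for forged packets.
#
# To remove it from a container, the LXC config key would be
#   lxc.cap.drop = net_raw
# (assumption: check lxc.conf(5) for your LXC version).

# Capability numbers from linux/capability.h
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK CAPNUM
# Exit 0 if bit CAPNUM is set in HEXMASK (the CapEff/CapPrm format:
# a plain hex string, most significant nibble first). The bit is
# located by picking the right hex digit, so the 64-bit mask never has
# to fit into shell integer arithmetic.
has_cap() {
    mask=$1
    capnum=$2
    nibble_from_right=$((capnum / 4))
    bit=$((capnum % 4))
    len=${#mask}
    pos=$((len - nibble_from_right))      # 1-based index of the digit
    [ "$pos" -ge 1 ] || return 1          # mask too short: bit not set
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    val=$((0x$digit))
    [ $(( (val >> bit) & 1 )) -eq 1 ]
}

# current_capeff: effective capability mask of this shell
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# report_net_raw HEXMASK: human-readable verdict for a given mask
report_net_raw() {
    if has_cap "$1" "$CAP_NET_RAW"; then
        echo "CAP_NET_RAW present: raw sockets, i.e. forged packets, are possible"
    else
        echo "CAP_NET_RAW dropped: raw sockets are not available"
    fi
}

# Constructed sample masks (38 capabilities, as on a 4.x-era kernel):
# all bits set, and the same mask with bit 13 (CAP_NET_RAW) cleared.
SAMPLE_FULL_ROOT=0000003fffffffff
SAMPLE_NO_NET_RAW=0000003fffffdfff

# When run directly, report on the real process.
if [ "${0##*/}" = "cap_check.sh" ]; then
    report_net_raw "$(current_capeff)"
fi
```

Run it as `sh cap_check.sh` inside the container (as root, since that is the account whose powers are in question). A "present" verdict means the container's root can still put arbitrary frames on the bridge; note that CAP_NET_ADMIN is a separate bit and is worth checking the same way, as it allows reconfiguring the container's interfaces.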