[Lxc-users] systemd inside LXC

Stéphane Graber stgraber at ubuntu.com
Tue Oct 23 15:22:54 UTC 2012


On 10/23/2012 12:05 AM, Michael H. Warfield wrote:
> On Mon, 2012-10-22 at 16:21 -0500, Serge Hallyn wrote:
>> Quoting Michael H. Warfield (mhw at WittsEnd.com):
>>> On Mon, 2012-10-22 at 15:14 -0500, Serge Hallyn wrote:
> 
> <Trimming some overhead we've seen enough of...>
> 
>>>> How about just a devtmpfs?  We actually now do this by default (as of very
>>>> recently) in ubuntu by adding
>>>
>>>> devtmpfs        dev          devtmpfs defaults 0 0
>>>
>>> NO!  That's the problem!  That leads to the container connecting to the
>>> host's console and other devices and committing random acts of terrorism.
> 
>> No, it shouldn't, because lxc sets up the console after doing the mounts.
> 
> Damn, dude!  That worked!  That kludge rang da bell.  Of course, I also
> discovered the boneheaded typo I had in attempting the tmpfs mount in
> the process.  :-P  I now have a container running systemd up and running
> with Fedora 17 in it.
> 
> I'm not sure I'm totally happy with it.
> 
> Because of doing the devtmpfs thing, the guest can immediately see
> things like removable drives coming and going and might, presumably, be
> able to mount them.  Not thrilled with that from a security standpoint.
> Would also mean the guests could access things like my permanent
> forensic CDs that are in the CD drives.  I guess that can be restricted
> in the config but still makes me a bit uncomfortable that the guest has
> complete visibility into the host's dev system.

That's actually similar to what Ubuntu has had for the past few releases
as we're running udevd in the container.

Basically all the block devices of the host and any hotplugged device
will appear in /dev but our default configuration is to only allow
"mknod"ing them, not read or write to them.

So the end result is basically the same as if they weren't there to
start with, except that for those that are actually allowed, they then
behave like they would on the host by showing up when added and disappearing
when removed without any manual interaction.

It's not ideal, but it's safe. For the ideal implementation, we'll need
to wait for the device namespace.

> Another gotcha, albeit a much more minor one...  When systemd drops into
> this mode, you no longer have vty consoles available so lxc-console
> won't work.  That's actually on their page.
> 
> I remember seeing this:
> 


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
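
The mknod-only policy described in the reply above comes down to how the cgroup v1 devices controller evaluates `lxc.cgroup.devices.deny` / `lxc.cgroup.devices.allow` lines. The following Python model is an added example, not code from this thread or from the LXC project: it parses such lines from a container config and answers whether a given open or mknod would be permitted, using the kernel's matching rule (with a deny-all default, a request succeeds only if one allow entry matches the device type, major and minor and grants every requested access bit). The embedded config text is a constructed sample modelled on the Ubuntu default of that era, and the device major/minor numbers used in it are assumptions, not taken from this page.

```python
"""Model of the cgroup v1 devices whitelist that lxc.cgroup.devices.* lines
configure.  Added example; not LXC project code.  The config strings below are
constructed samples (device numbers are assumptions)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dtype: str   # 'a' (all), 'b' (block) or 'c' (char)
    major: str   # decimal number or '*'
    minor: str   # decimal number or '*'
    access: str  # subset of "rwm": read, write, mknod

    def matches(self, dtype, major, minor):
        """Does this entry apply to the given device node at all?"""
        if self.dtype != "a" and self.dtype != dtype:
            return False
        if self.major != "*" and int(self.major) != major:
            return False
        if self.minor != "*" and int(self.minor) != minor:
            return False
        return True


RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")


def parse_devices_config(text):
    """Return (default_allow, exceptions) from the lxc.cgroup.devices.* lines.

    'a' (all) on a deny/allow line flips the default behaviour and clears the
    exception list, exactly as writing 'a' to devices.deny/devices.allow does.
    """
    default_allow, exceptions = True, []   # kernel default: everything allowed
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("lxc.cgroup.devices."):
            continue
        key, _, value = line.partition("=")
        action = key.strip().rsplit(".", 1)[1]   # 'allow' or 'deny'
        value = value.strip()
        if value == "a" or value.startswith("a "):
            default_allow = (action == "allow")
            exceptions = []
            continue
        m = RULE_RE.match(value)
        if not m:
            raise ValueError(f"unparseable devices rule: {raw!r}")
        # Only entries opposing the current default are meaningful exceptions
        if (action == "allow") != default_allow:
            exceptions.append(Rule(*m.groups()))
    return default_allow, exceptions


def is_allowed(policy, dtype, major, minor, access):
    """Would the kernel permit `access` (e.g. 'r', 'rw', 'm') on this node?"""
    default_allow, exceptions = policy
    hits = [e for e in exceptions if e.matches(dtype, major, minor)]
    if default_allow:
        # allow-by-default: denied if any deny entry overlaps a requested bit
        return not any(set(access) & set(e.access) for e in hits)
    # deny-by-default: one allow entry must cover all requested bits
    return any(set(access) <= set(e.access) for e in hits)


# Constructed sample modelled on the Ubuntu LXC default config of the time.
UBUNTU_STYLE_CONFIG = """
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/console, /dev/tty, /dev/ptmx and the ptys handed to the container
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
# /dev/random and /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
"""

# The situation Michael describes: devtmpfs mounted with no devices policy,
# so every host node the container can see is also openable.
UNRESTRICTED_CONFIG = """
lxc.mount.entry = devtmpfs dev devtmpfs defaults 0 0
"""

if __name__ == "__main__":
    policy = parse_devices_config(UBUNTU_STYLE_CONFIG)
    # A hotplugged disk (b 8:16 assumed) shows up in /dev but cannot be read
    print("mknod sdb:", is_allowed(policy, "b", 8, 16, "m"))   # True
    print("read  sdb:", is_allowed(policy, "b", 8, 16, "r"))   # False
    print("read  sr0:", is_allowed(policy, "b", 11, 0, "r"))   # False
    print("rw /dev/null:", is_allowed(policy, "c", 1, 3, "rw"))  # True
    loose = parse_devices_config(UNRESTRICTED_CONFIG)
    print("read sr0, no policy:", is_allowed(loose, "b", 11, 0, "r"))  # True
```

The point the model makes explicit is that the `*:* m` entries let udevd or devtmpfs populate `/dev` with every host device while leaving every open() on an unlisted node to fail with EPERM; only the nodes with their own `rwm` entries (consoles, ptys, null/zero/random) are usable. Dropping the `deny = a` line, or relying on devtmpfs alone, reverts to the kernel's allow-everything default.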
