[Lxc-users] sandbox config file

Serge Hallyn serge.hallyn at canonical.com
Tue Jan 29 15:10:55 UTC 2013


Quoting pablo platt (pablo.platt at gmail.com):
> I'll be happy to be the driving force but I need info from experts.
> 
> Let's say the command will look like this:
> lxc-sandbox -n mybox /bin/bash
> Do you think that lxc-sandbox can use an API similar to libvirt-sandbox?
> http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox
> 
> Will lxc-sandbox need to call lxc-execute with a predefined secure config?
> Will it need to use seccomp, apparmor, selinux or something else?

Thinking about it, I think it would look more like lxc-start-ephemeral.

In fact, perhaps it could take the form of a '-f <extra-config-file>'
flag to lxc-start-ephemeral, where we ship an example extra-config-file
with commented apparmor, capabilities and seccomp configuration.

Note also that if at all possible, you'll probably want to be on the
bleeding edge of both kernel and userspace and use user namespaces
to rob the container of all privilege on the host.

-serge
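
An added example, not part of the original post and not LXC project code: a small Python check that reports which of the controls named in the reply (AppArmor, capabilities, seccomp, user namespaces) an LXC config file actually enables. The sample config is constructed; the profile name, seccomp path and id ranges are assumptions, and the key names cover both the legacy spelling (lxc.aa_profile, lxc.seccomp, lxc.id_map) and the LXC 3.0+ spelling.

```python
CONTROLS = {
    "apparmor": ("lxc.aa_profile", "lxc.apparmor.profile"),
    "capabilities": ("lxc.cap.drop", "lxc.cap.keep"),
    "seccomp": ("lxc.seccomp", "lxc.seccomp.profile"),
    "userns": ("lxc.id_map", "lxc.idmap"),
}

# Constructed sample "extra config file"; names, path and id ranges are assumptions.
SAMPLE_EXTRA_CONFIG = """\
# confine the container with an AppArmor profile
lxc.aa_profile = lxc-container-default
lxc.cap.drop = sys_module sys_time mac_admin mac_override
# seccomp policy file, still commented out (placeholder path)
#lxc.seccomp = /path/to/sandbox.seccomp
# map container uid/gid 0 onto an unprivileged host range
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

def parse(text):
    """Return {key: [values]} for active (uncommented) 'key = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """Map each control to 'set', 'missing', or a specific weakness."""
    settings = parse(text)
    report = {}
    for name, keys in CONTROLS.items():
        values = [v for k in keys for v in settings.get(k, [])]
        report[name] = "set" if any(values) else "missing"
        if name == "apparmor" and "unconfined" in values:
            report[name] = "unconfined"
        # A mapping whose host range starts at 0 maps a container id onto host root.
        if name == "userns" and any(
            len(f) == 4 and f[2] == "0" for f in (v.split() for v in values)
        ):
            report[name] = "maps host id 0"
    return report

if __name__ == "__main__":
    for control, finding in audit(SAMPLE_EXTRA_CONFIG).items():
        print(f"{control:13} {finding}")
```

For the sample, seccomp is reported as missing because its line is still commented out, which is the state an example file shipped with commented settings would be in until edited.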



