[Lxc-users] sandbox config file
pablo platt
pablo.platt at gmail.com
Tue Jan 29 15:14:46 UTC 2013
On Tue, Jan 29, 2013 at 5:10 PM, Serge Hallyn <serge.hallyn at canonical.com>wrote:
> Quoting pablo platt (pablo.platt at gmail.com):
> > I'll be happy to be the driving force but I need info from experts.
> >
> > Let's say the command will look like this:
> > lxc-sandbox -n mybox /bin/bash
> > Do you think that lxc-sandbox can use an API similar to libvirt-sandbox?
> >
> http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox
> >
> > Will lxc-sandbox need to call lxc-execute with a predefined secure
> config?
> > Will it need to use seccomp, apparmor, selinux or something else?
>
> Thinking about it, I think it would look more like lxc-start-ephemeral.
>
> In fact, perhaps it could take the form of a '-f <extra-config-file>'
> flag to lxc-start-ephemeral, where we ship an example extra-config-file
> with commented apparmor, capabilities and seccomp configuration.
>
You mean that it will be based on lxc-start-ephermeral or only use the same
structure?
I think that lxc-start-ephermeral use OS container while a sandbox is
easier to use and more efficient as an application container.
>
> Note also that if at all possible, you'll probably want to be on the
> bleeding edge of both kernel and userspace and use user namespaces
> to rob the container of all privilege on the host.
>
Will ubuntu 13.04 support it or only 13.10?
>
> -serge
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20130129/93b2b08f/attachment.html>
More information about the lxc-users
mailing list