[Lxc-users] sandbox config file

Serge Hallyn serge.hallyn at canonical.com
Tue Jan 29 15:25:28 UTC 2013


Quoting pablo platt (pablo.platt at gmail.com):
> On Tue, Jan 29, 2013 at 5:10 PM, Serge Hallyn <serge.hallyn at canonical.com> wrote:
> 
> > Quoting pablo platt (pablo.platt at gmail.com):
> > > I'll be happy to be the driving force but I need info from experts.
> > >
> > > Let's say the command will look like this:
> > > lxc-sandbox -n mybox /bin/bash
> > > Do you think that lxc-sandbox can use an API similar to libvirt-sandbox?
> > >
> > http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox
> > >
> > > Will lxc-sandbox need to call lxc-execute with a predefined secure
> > config?
> > > Will it need to use seccomp, apparmor, selinux or something else?
> >
> > Thinking about it, I think it would look more like lxc-start-ephemeral.
> >
> > In fact, perhaps it could take the form of a '-f <extra-config-file>'
> > flag to lxc-start-ephemeral, where we ship an example extra-config-file
> > with commented apparmor, capabilities and seccomp configuration.
> >
> 
> You mean that it will be based on lxc-start-ephemeral or only use the same
> structure?
> I think that lxc-start-ephemeral uses an OS container while a sandbox is
> easier to use and more efficient as an application container.

Yes, but on the other hand the full OS container gives you more
isolation.  By using either ephemeral containers, or cloned containers,
the overhead could be very much minimized.

Anyway, it's just a thought.  I'm not saying you have to do it that
way :)  Basing it on lxc-execute is definitely also doable.

> > Note also that if at all possible, you'll probably want to be on the
> > bleeding edge of both kernel and userspace and use user namespaces
> > to rob the container of all privilege on the host.
> >
> 
> Will ubuntu 13.04 support it or only 13.10?

Not yet certain - I'm still hoping for 13.04.

-serge
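As a worked illustration of the "extra config file" idea discussed above (an added example, not code from the thread or from the lxc project), the script below writes an LXC config that drops capabilities, pins an AppArmor profile, points at a seccomp policy and maps container root into an unprivileged host uid range, then launches an application container with lxc-execute. It assumes the lxc 0.9-era config keys (lxc.aa_profile, lxc.cap.drop, lxc.seccomp, lxc.id_map), the lxc-container-default AppArmor profile shipped with the lxc package, a kernel and lxc build with user-namespace support, and the version-2 (syscall-name) seccomp policy format; the directory /var/lib/lxc/mybox and the container name "mybox" are placeholders. Which syscalls to blacklist and which capabilities to drop is a policy decision for the sandbox author; the lists here are a starting point, not a vetted profile.

```shell
#!/bin/sh
# Added example (not from the lxc project): an "extra config file" for an
# application sandbox, written as two files plus an lxc-execute wrapper.
# Assumptions: lxc 0.9-era keys (lxc.aa_profile, lxc.cap.drop, lxc.seccomp,
# lxc.id_map), the lxc-container-default AppArmor profile, a kernel/lxc with
# user namespaces, and the version-2 (syscall-name) seccomp policy format.
set -eu

# Placeholder location for the generated files.
SANDBOX_DIR=${SANDBOX_DIR:-/var/lib/lxc/mybox}

# Write the LXC config with commented apparmor, capabilities and seccomp
# sections, as suggested in the thread. $1 is the directory to write into.
write_sandbox_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/sandbox.conf" <<EOF
# --- Capabilities: drop the ones a sandboxed application should never need.
# Names are lowercase without the CAP_ prefix, as lxc expects.
lxc.cap.drop = sys_admin sys_module sys_rawio sys_time sys_boot mknod mac_admin mac_override setfcap setpcap audit_control audit_write net_raw net_admin

# --- AppArmor: confine the container with the profile shipped by the lxc
# package. Requires AppArmor to be enabled on the host.
lxc.aa_profile = lxc-container-default

# --- seccomp: syscall filter, written by write_seccomp_policy below.
lxc.seccomp = $dir/seccomp.policy

# --- User namespace: map container uids/gids 0-65535 onto an unprivileged
# host range, so root inside the sandbox has no privilege on the host.
# Needs a kernel and lxc with user-namespace support (assumption).
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

# --- Network: give the sandbox no interface at all.
lxc.network.type = empty
EOF
}

# Write a version-2 seccomp policy: a blacklist of syscalls by name.
# Lines starting with '#' are comments. $1 is the directory to write into.
write_seccomp_policy() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/seccomp.policy" <<'EOF'
2
blacklist
# Syscalls that only make sense for a host, never for a sandboxed command.
kexec_load
mount
umount2
pivot_root
reboot
swapon
swapoff
init_module
delete_module
EOF
}

# Start an application container that runs the given command under the
# config written above. $1 is the config directory, the rest is the command.
run_sandbox() {
    dir=$1
    shift
    lxc-execute -n mybox -f "$dir/sandbox.conf" -- "$@"
}

# Usage: sudo ./sandbox.sh /bin/bash
if [ "$#" -gt 0 ]; then
    write_sandbox_config "$SANDBOX_DIR"
    write_seccomp_policy "$SANDBOX_DIR"
    run_sandbox "$SANDBOX_DIR" "$@"
fi
```

The config is deliberately split into commented sections so each mechanism (capabilities, AppArmor, seccomp, user namespace) can be toggled independently while testing which one breaks a given application; lxc.id_map in particular only takes effect on a kernel and lxc build that support user namespaces, and lxc.aa_profile is ignored on hosts without AppArmor.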
