[Lxc-users] lxc-execute and isolation approaches
Vladimir
ml at foomx.de
Sun May 5 15:25:43 UTC 2013
Hi everybody,
I'm trying to get application containers running. Everything works so
far, but there are still some aspects which are not clear to me.
To explain what I'm trying to do here a little example:
root at server:~
#> lsb_release -d
Description: Ubuntu 12.04.2 LTS
root at server:~
#> uname -r
3.2.0-41-generic
root at server:~
#> cat lxc.conf
lxc.utsname = testcase
root at server:~
#> lxc-execute -n testcase -f lxc.conf /bin/bash
root at testcase:~
#> ps fax
PID TTY STAT TIME COMMAND
1 pts/8 S 0:00 /usr/lib/lxc/lxc-init -- /bin/bash
2 pts/8 S 0:00 /bin/bash
83 pts/8 R+ 0:00 \_ ps fax
So far everything is fine. The container knows only about its own
process environment (namespace). But it is still possible to see and
access all files like I would operate on the host system.
Maybe I haven't got the concept of lxc but is there an option to also
isolate the acces on filesystem?
What are in general the possiblities to isolate the application
containers? proc fs is also an issue. Dropping capability sys_boot
haven't worked for me up to now. I read about lxc.mount.entry option
but this seems only to work if I have a rootfs and application container
initialized via lxc-exectue don't use a rootfs. Or is the only
approach to use SELinux or apparmor?
Thanks and best regards
Vladimir
More information about the lxc-users
mailing list