[Lxc-users] lxc-execute and isolation approaches

Serge Hallyn serge.hallyn at ubuntu.com
Tue May 7 00:14:06 UTC 2013


Quoting Vladimir (ml at foomx.de):
> Hi everybody,
> 
> I'm trying to get application containers running. Everything works so
> far, but there are still some aspects which are not clear to me.
> 
> To explain what I'm trying to do here a little example:
> 
> root at server:~
> #> lsb_release -d
> Description:	Ubuntu 12.04.2 LTS
> root at server:~
> #> uname -r
> 3.2.0-41-generic
> root at server:~
> #> cat lxc.conf 
> lxc.utsname = testcase
> root at server:~
> #> lxc-execute -n testcase -f lxc.conf /bin/bash
> root at testcase:~
> #> ps fax
>   PID TTY      STAT   TIME COMMAND
>     1 pts/8    S      0:00 /usr/lib/lxc/lxc-init -- /bin/bash
>     2 pts/8    S      0:00 /bin/bash
>    83 pts/8    R+     0:00  \_ ps fax
> 
> So far everything is fine. The container knows only about its own
> process environment (namespace). But it is still possible to see and
> access all files like I would operate on the host system.

What this gives you is a fresh mount namespace, but not different
files.  If you only want a few different directories you can bind
mount them in using the config file, but it sounds to me like you
actually want a system container.  i.e.

	cat > /tmp/lxc.conf << EOF
lxc.network.type=empty
EOF
	sudo lxc-create -t ubuntu -f /tmp/lxc.conf -n c1
	sudo lxc-start -n c1

> Maybe I haven't got the concept of lxc, but is there an option to also
> isolate the access to the filesystem?

You haven't given it a private rootfs.

> What are in general the possibilities to isolate the application
> containers? proc fs is also an issue. Dropping capability sys_boot
> hasn't worked for me up to now. I read about the lxc.mount.entry option
> but this seems only to work if I have a rootfs

No that should work without having a rootfs.

> and application containers
> initialized via lxc-execute don't use a rootfs. Or is the only
> approach to use SELinux or apparmor?
> 
> Thanks and best regards
> Vladimir
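Added example, not part of the thread: the one-line config from the original post next to a config that gives the container a private root, so that "/" inside it is no longer the host filesystem. Paths are assumptions: /var/lib/lxc/c1/rootfs is where `lxc-create -n c1` places the root by default, and /srv/app is a constructed host directory used to show a read-only bind mount.

```ini
# --- lxc.conf as posted: new UTS/PID/mount namespaces, but "/" is still
# --- the host's root, so every host file remains reachable from inside.
lxc.utsname = testcase

# --- lxc.conf with a private root (assumed path from lxc-create -n c1)
lxc.utsname = c1
lxc.rootfs = /var/lib/lxc/c1/rootfs
# no network interface at all, as in the config suggested above
lxc.network.type = empty
# a fresh proc for the container's own PID namespace;
# a relative target is mounted below lxc.rootfs
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
# expose exactly one host directory (constructed path), read-only
lxc.mount.entry = /srv/app srv/app none bind,ro 0 0
# drop capabilities the workload does not need; sys_boot is the one
# asked about in the thread, the others are the usual template defaults
lxc.cap.drop = sys_boot sys_module mac_admin mac_override sys_time
```

After starting the container, check from inside it that `ps fax` still shows only its own processes, that the host's directories outside the rootfs are absent, and that a write under /srv/app fails with a read-only error.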