[lxc-users] How to disable 32bit emulation within a 64bit container

Stéphane Graber stgraber at ubuntu.com
Sun May 10 15:08:39 UTC 2015 

On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:
> On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:
> > Hi
> > 
> > 
> > I want to disable 32bit emulation within my ubuntu container. I think
> > this can be achieved by setting seccomp filter or cap.drop config (I
> > may be wrong as I am very new to both of features)
> > https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
> 
> I don't believe that is even conceptually possible.  The 64 bit x86
> instruction set is an inclusive superset of the 32 bit instruction set.
> Any 32 bit assembly language instruction will run on a 64 bit CPU.
> That's the very nature of "backward compatibility" in the CPU
> architecture.  The 32 bit instructions are not being emulated at all.
> They run native on the iron.

You can however use seccomp to block all 32bit syscalls.

> > 
> > Is it possible to disable specific system calls to disallow a
> > container run any 32bit executable? if so, how the seccom/cap.drop
> > config should look like? if not, is there anyway to disable 32bit
> > emulation within a lxc container?
> > 
> > 
> > P.S. I tried removing support for i386 packages within a container,
> > but it still runs 32bit binaries.
> > 
> > 
> > Cheers,
> > 
> > Boy
> 
> Regards,
> Mike
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 



> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150510/2554bb9d/attachment.sig>

More information about the lxc-users mailing list