[lxc-users] How to disable 32bit emulation within a 64bit container

Michael H. Warfield mhw at WittsEnd.com
Sun May 10 20:13:56 UTC 2015


On Sun, 2015-05-10 at 11:08 -0400, Stéphane Graber wrote:
> On Sun, May 10, 2015 at 09:00:22AM -0400, Michael H. Warfield wrote:
> > On Sun, 2015-05-10 at 14:54 +1000, Boyok Mad wrote:
> > > Hi
> > > 
> > > 
> > > I want to disable 32bit emulation within my Ubuntu container. I think
> > > this can be achieved by setting a seccomp filter or cap.drop config (I
> > > may be wrong as I am very new to both of these features)
> > > https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html
> > 
> > I don't believe that is even conceptually possible.  The 64 bit x86
> > instruction set is an inclusive superset of the 32 bit instruction set.
> > Any 32 bit assembly language instruction will run on a 64 bit CPU.
> > That's the very nature of "backward compatibility" in the CPU
> > architecture.  The 32 bit instructions are not being emulated at all.
> > They run native on the iron.

> You can however use seccomp to block all 32bit syscalls.

True.  Syscalls are a horse of a different color since that's OS based
not CPU based.  Still, it's not an emulation as the OP seems to be
implying.

> > > Is it possible to disable specific system calls to disallow a
> > > container from running any 32bit executable? If so, how should the
> > > seccomp/cap.drop config look? If not, is there any way to disable 32bit
> > > emulation within a lxc container?
> > > 
> > > 
> > > P.S. I tried removing support for i386 packages within a container,
> > > but it still runs 32bit binaries.
> > > 
> > > 
> > > Cheers,
> > > 
> > > Boy
> > 
> > Regards,
> > Mike
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > 

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
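
The seccomp approach mentioned in the thread, as an added example (not code from this thread or from LXC): a classic-BPF filter that kills any syscall not entered through the native x86_64 ABI. It goes slightly beyond the thread by also rejecting x32 calls; `verdict()` and `install_filter()` are hypothetical helper names, and the syscall numbers passed in `main` are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define X32_SYSCALL_BIT 0x40000000u /* same value as the kernel's __X32_SYSCALL_BIT */
#define NINSNS (sizeof(filter) / sizeof(filter[0]))

static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* anything but native x86_64 (i386 entry via int 0x80/sysenter) -> kill */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* x32 reports the x86_64 arch value and is marked only by bit 30 of nr */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, X32_SYSCALL_BIT, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

/* Userspace evaluation of the four opcodes used above, to check verdicts
 * without installing anything (hypothetical helper). */
uint32_t verdict(uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t a = 0;
    for (size_t pc = 0; pc < NINSNS; pc++) {
        const struct sock_filter *i = &filter[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&a, (char *)&d + i->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (a == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (a & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return i->k;
        default: return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Install for this process and everything it later execs; 0 on success. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)NINSNS, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{   /* constructed inputs: getpid is 39 on x86_64 and 20 on i386 */
    printf("x86_64 nr 39: %#x\n", verdict(AUDIT_ARCH_X86_64, 39));
    printf("i386   nr 20: %#x\n", verdict(AUDIT_ARCH_I386, 20));
    printf("x32    nr 39: %#x\n", verdict(AUDIT_ARCH_X86_64, 39 | X32_SYSCALL_BIT));
    return install_filter() == 0 ? 0 : 1;
}
```

Consistent with the point made above, this does not stop 32-bit instructions from executing; a 32-bit binary started under the filter is killed at its first syscall.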
