[lxc-users] Multitenant & baremetal with LXD
Remzi AKYÜZ
linuxliste at gmail.com
Mon Mar 7 19:24:33 UTC 2016
Hi,
On 03/07/2016 07:55 PM, Rahul Rege wrote:
> Hi,
>
> While this is not a question specifically for LXC/LXD, I thought I'd
> ask to get the general opinion about the multi-tenancy and its support
> in LXD (the nova-compute for same already gives some good ground).
>
> It's my understanding from the general reading that the Linux kernel is
> not made for multitenancy, so if I am to implement a solution with say
> LXD to run on baremetal servers, ideally I cannot put different
> customers' containers on the same host because of the potential
> security issues (I don't fully understand what those are).
>
Why do you think lxc/lxd has potential security issues?
Please look at Proxmox containers!
http://www.proxmox.com/en/proxmox-ve/features
It uses lxc for containers.
I think lxc + apparmor + cgroups + lvm or a raw image file (for the
container file system) are enough for security.
We know setup is not easy, therefore we use proxmox for lxc management. :-)
If you have experience with "lxc + apparmor + cgroups + lvm or raw
image file (for container file system)", you can try proxmox.
> While different security techniques like Apparmor, selinux and some
> capability restriction can achieve what we want ultimately, I wanted
> to understand if people are generally doing it with LXD or would
> potentially do it OR ultimately it'd follow the pattern of running
> them on the VMs which provide the needed isolation.
>
> Companies like Joyent with their Triton containers do it I believe and
> claim some really awesome performance with their SmartOS as the
> special os.
>
> PS - This might be a well known consideration in container world, so
> pardon me if this is something trivial and already discussed.
>
>
> Thanks
> Rahul Rege
>
>
>
>