[lxc-users] Running unprotected system container

Koehler, Yannick yannick.koehler at hpe.com
Mon Jun 15 15:01:05 UTC 2020


Greetings, Repin,

I am unclear how this answers my current questions.  System containers are marketed as being very close to a faster VM, as such, since I do have control over the OS I am trying to run on top, I would need more details as to why and which areas would cause the technical issues to achieve such thing.  The fact that the System container shares the kernel here is totally what I am looking for, there is also no other application running on the host except that container and snapd itself which should not be a problem as it removes any race where one app may changes kernel-related configuration from under the OS within the container.

I do understand that this is unconventional and doesn't appear to fall under the supported scenarios.  Yet, so far the issue I am facing does not appear related to my final goal.

  *   Can't execute any command within container -> permission denied (files are all uid/gid 0) this is a busybox type of OS on same CPU architecture (both armhf where host is arm64, yet metadata provided indicate that container should be armhf)
  *   Still seeing issue trying to write /proc and even though I say mount rw I get read-only errors
  *   Fail to load the kernel module even though I have clear the cap.drop as to keep cap_sys_modules.

I am currently doing those evaluations under Ubuntu Core 18.04 with lxd installed as a snap.

--
Yannick Koehler
________________________________
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> on behalf of Andrey Repin <anrdaemon at yandex.ru>
Sent: June 15, 2020 10:49 AM
To: Yannick Koehler <lxc-users at lists.linuxcontainers.org>; All <lxc-users at lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container

Greetings, Koehler!

> As indicated, the code that will run inside that container is our previous
> OS and if it does bad things, well, that means it was doing so previously so
> not a "bigger" issue than it was before.  Since if that works, we will move
> more towards snap we will then  have a better security system (AppArmor,
> SecComp, better app separation, etc) in place to remove trust for each app
> and get rid eventually of that container which purpose as indicated is to
> ease the transition and get some of the features we want from Ubuntu  Core
> in an early release, if we do get this to work.

If your intent is to run specifically **operating system**, then there's no way
around a virtual machine.

Containers is NOT the right choice for your task.


--
With best regards,
Andrey Repin
Monday, June 15, 2020 17:47:30

Sorry for my terrible english...

_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20200615/d575a1b2/attachment.htm>


More information about the lxc-users mailing list