[lxc-users] Running unprotected system container
Andrey Repin
anrdaemon at yandex.ru
Mon Jun 15 23:11:19 UTC 2020
Greetings, Koehler!
> I am unclear how this answers my current questions. System containers are
> marketed as being very close to a faster VM, as such, since I do have
> control over the OS I am trying to run on top, I would need more details as
> to why and which areas would cause the technical issues to achieve such a
> thing.
System container != kernel virtualization.
> The fact that the System container shares the kernel here is totally
> what I am looking for, there is also no other application running on the
> host except that container and snapd itself which should not be a problem
> as it removes any race where one app may change kernel-related
> configuration from under the OS within the container.
They aren't "sharing kernel", they are a layer on top of it.
> I do understand that this is unconventional and doesn't appear to fall
> under the supported scenarios. Yet, so far the issue I am facing does not
> appear related to my final goal.
It's not "unconventional", it's not intended and contradictory.
> - Can't execute any command within container -> permission denied (files are
>   all uid/gid 0) this is a busybox type of OS on same CPU architecture (both
>   armhf where host is arm64, yet metadata provided indicate that container
>   should be armhf)
> - Still seeing issue trying to write /proc and even though I say mount rw I
>   get read-only errors
> - Fail to load the kernel module even though I have cleared the cap.drop as
>   to keep cap_sys_modules.
See above. If you want kernel virtualization, use a VM.
QEMU/KVM is there for you.
--
With best regards,
Andrey Repin
Tuesday, June 16, 2020 2:07:03
Sorry for my terrible English...