[lxc-users] Running unprotected system container
Koehler, Yannick
yannick.koehler at hpe.com
Mon Jun 15 23:25:28 UTC 2020
Hi,
But I do not want kernel virtualization, not sure where you saw me ask for that; I want the exact opposite, I want the kernel to be shared, meaning same kernel, same instance, with just layers on top, exactly as system containers do.
It is unconventional to run a system container without any security and such, yet, as seen in the thread, I am not alone, but we are very few.
--
Yannick Koehler
________________________________
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> on behalf of Andrey Repin <anrdaemon at yandex.ru>
Sent: June 15, 2020 7:11 PM
To: Yannick Koehler <lxc-users at lists.linuxcontainers.org>; All <lxc-users at lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container
Greetings, Koehler!
> I am unclear how this answers my current questions. System containers are
> marketed as being very close to a faster VM, as such, since I do have
> control over the OS I am trying to run on top, I would need more details as
> to why and which areas would cause the technical issues to achieve such
> thing.
System container != kernel virtualization.
> The fact that the System container shares the kernel here is totally
> what I am looking for, there is also no other application running on the
> host except that container and snapd itself which should not be a problem
> as it removes any race where one app may change kernel-related
> configuration from under the OS within the container.
They aren't "sharing kernel", they are a layer on top of it.
> I do understand that this is unconventional and doesn't appear to fall
> under the supported scenarios. Yet, so far the issue I am facing does not
> appear related to my final goal.
It's not "unconventional", it's not intended and contradictory.
> - Can't execute any command within container -> permission denied (files are
>   all uid/gid 0); this is a busybox type of OS on same CPU architecture (both
>   armhf where host is arm64, yet metadata provided indicate that container
>   should be armhf).
> - Still seeing issues trying to write /proc, and even though I say mount rw
>   I get read-only errors.
> - Fail to load the kernel module even though I have cleared the cap.drop so
>   as to keep cap_sys_modules.
See above. If you want kernel virtualization, use a VM.
QEMU/KVM is there for you.
--
With best regards,
Andrey Repin
Tuesday, June 16, 2020 2:07:03
Sorry for my terrible English...
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
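The thread turns on what an "unprotected" system container gives up: the capability drop list (cleared here to keep CAP_SYS_MODULE), read-only /proc and /sys, and the AppArmor and seccomp profiles. The following is an added example, not code from the lxc-users thread or from the LXC project: a small audit script that parses LXC-style `key = value` config text and reports the settings that weaken isolation. The two sample configs are constructed for the example; the keys used (`lxc.cap.drop`, `lxc.mount.auto`, `lxc.apparmor.profile`, `lxc.seccomp.profile`) are standard LXC config keys, but the exact default values assumed in PROTECTED_CONF are only an approximation of what a distribution's common.conf sets.

```python
"""Audit an LXC container config for settings that remove the isolation a
system container normally has.  Added example for the lxc-users thread;
not LXC project code.  Both sample configs below are constructed."""

# Constructed sample, roughly what a stock common.conf establishes.
PROTECTED_CONF = """\
lxc.include = /usr/share/lxc/config/common.conf
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.apparmor.profile = generate
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
"""

# Constructed sample of the "unprotected" setup discussed in the thread:
# cap.drop cleared to keep CAP_SYS_MODULE, /proc and /sys writable, no LSM
# or seccomp confinement.
UNPROTECTED_CONF = """\
lxc.cap.drop =
lxc.mount.auto = proc:rw sys:rw
lxc.apparmor.profile = unconfined
lxc.seccomp.profile =
"""

# Capabilities a default system container drops; keeping any of them lets
# the guest alter the shared kernel (module loading, raw I/O, clock, MAC).
SENSITIVE_CAPS = {"sys_module", "sys_rawio", "sys_time",
                  "mac_admin", "mac_override"}


def parse_lxc_conf(text):
    """Parse `key = value` lines into {key: [values]}.

    LXC list keys may be repeated to extend the list, and an empty value
    resets the list; that reset is exactly what `lxc.cap.drop =` does.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            conf[key] = []                      # empty value clears the list
        else:
            conf.setdefault(key, []).extend(value.split())
    return conf


def audit(text):
    """Return [(key, reason), ...] for each isolation-weakening setting found."""
    conf = parse_lxc_conf(text)
    findings = []

    if "lxc.cap.drop" in conf:
        kept = SENSITIVE_CAPS - set(conf["lxc.cap.drop"])
        if kept:
            caps = ", ".join(sorted("cap_" + c for c in kept))
            findings.append(("lxc.cap.drop", "container keeps " + caps))

    for entry in conf.get("lxc.mount.auto", []):
        fs, _, mode = entry.partition(":")
        if fs in ("proc", "sys") and mode == "rw":
            findings.append(("lxc.mount.auto", "/%s mounted read-write" % fs))

    if conf.get("lxc.apparmor.profile") == ["unconfined"]:
        findings.append(("lxc.apparmor.profile", "AppArmor confinement disabled"))

    if "lxc.seccomp.profile" in conf and not conf["lxc.seccomp.profile"]:
        findings.append(("lxc.seccomp.profile", "seccomp filter disabled"))

    return findings


if __name__ == "__main__":
    for name, text in (("protected", PROTECTED_CONF),
                       ("unprotected", UNPROTECTED_CONF)):
        print("%s: %d finding(s)" % (name, len(audit(text))))
        for key, reason in audit(text):
            print("  %-22s %s" % (key, reason))
```

Run against a real container, feed it the contents of the container's config file (for LXD, the `raw.lxc` value plus the generated config); a finding on `lxc.cap.drop` alone is the one that matters most for the thread's case, since a guest holding CAP_SYS_MODULE can load code into the kernel every other container on the host shares. Note that the parser only sees the file it is given: a cleared `lxc.cap.drop` in an included file will not be visible unless that file is concatenated in too.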