[lxc-users] Running unprotected system container

Koehler, Yannick yannick.koehler at hpe.com
Mon Jun 15 23:25:28 UTC 2020


Hi,

But I do not want kernel virtualization, not sure where you saw me ask for that; I want the exact opposite: I want the kernel to be shared, meaning same kernel, same instance, with just layers on top, exactly as system containers do.

It is unconventional to run a system container without any security and such, yet, as seen in the thread, I am not alone, but very few.

--
Yannick Koehler
________________________________
From: lxc-users <lxc-users-bounces at lists.linuxcontainers.org> on behalf of Andrey Repin <anrdaemon at yandex.ru>
Sent: June 15, 2020 7:11 PM
To: Yannick Koehler <lxc-users at lists.linuxcontainers.org>; All <lxc-users at lists.linuxcontainers.org>
Subject: Re: [lxc-users] Running unprotected system container

Greetings, Koehler!

>  I am unclear how this answers my current questions.  System containers are
> marketed as being very close to a faster VM, as such, since I do have
> control over the OS I am trying to run on top, I would need more details as
> to why and which areas would cause the  technical issues to achieve such
> thing.

System container != kernel virtualization.

> The fact that the System container shares the kernel here is totally
> what I am looking for, there is also no other application running on the
> host except that container and snapd itself which should not be a problem
> as it removes any race where one app may change kernel-related
> configuration from under the OS within the container.

They aren't "sharing kernel", they are a layer on top of it.

>  I do understand that this is unconventional and doesn't appear to fall
> under the supported scenarios.  Yet, so far the issue I am facing does not
> appear related to my final goal.

It's not "unconventional", it's not intended and contradictory.

> - Can't execute any command within container -> permission denied (files are
>   all uid/gid 0); this is a busybox type of OS on same CPU architecture (both
>   armhf where host is arm64, yet metadata provided indicate that container
>   should be armhf).
> - Still seeing issue trying to write /proc and even though I say mount rw I
>   get read-only errors.
> - Fail to load the kernel module even though I have cleared the cap.drop so
>   as to keep cap_sys_modules.

See above. If you want kernel virtualization, use a VM.
QEMU/KVM is there for you.


--
With best regards,
Andrey Repin
Tuesday, June 16, 2020 2:07:03

Sorry for my terrible English...

_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
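The quoted report says module loading still fails after cap.drop was cleared. As an added example, not code from this thread or from LXC, the following Python decodes the Cap* masks of a /proc/<pid>/status dump so one can verify in which capability set cap_sys_module actually sits inside the container; the status lines are constructed sample input.

```python
"""Decode the Cap* masks of a /proc/<pid>/status dump and check one capability."""
import re

# Capability bit numbers in the order defined by <linux/capability.h>.
CAP_NAMES = (
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill "
    "cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service "
    "cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner "
    "cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct "
    "cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time "
    "cap_sys_tty_config cap_mknod cap_lease cap_audit_write cap_audit_control "
    "cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm "
    "cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"
).split()

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: bounding set keeps everything up to bit 37, while the
# effective set holds only cap_net_admin (bit 12) and cap_sys_module (bit 16).
SAMPLE_STATUS = """CapInh:\t0000000000000000
CapPrm:\t0000000000011000
CapEff:\t0000000000011000
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

def parse_cap_masks(status_text):
    """Return {field: int} for every Cap* line found in a status dump."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def decode_caps(mask):
    """Expand a bitmask into capability names; unknown bits become cap_<n>."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def cap_presence(status_text, name):
    """Map each Cap* field to whether it contains the named capability.

    Not listing a capability in lxc.cap.drop only means it was not removed from
    the bounding set; it still has to appear in CapEff to take effect, and
    init_module()/finit_module() additionally require CAP_SYS_MODULE in the
    initial user namespace, so a user-namespaced container cannot load modules.
    """
    masks = parse_cap_masks(status_text)
    return {f: name in decode_caps(masks.get(f, 0)) for f in CAP_FIELDS}
```

Run it against `cat /proc/1/status` captured inside the container to see where the capability is really present.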