| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 25 Aug 2013 17:16:17 +0000 From: James Bottomley <jbottomley@...allels.com> To: Kay Sievers <kay@...y.org> CC: Gao feng <gaofeng@...fujitsu.com>, "systemd-devel@...ts.freedesktop.org" <systemd-devel@...ts.freedesktop.org>, "libvir-list@...hat.com" <libvir-list@...hat.com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Linux Containers <containers@...ts.linux-foundation.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, "lxc-devel@...ts.sourceforge.net" <lxc-devel@...ts.sourceforge.net>, "davem@...emloft.net" <davem@...emloft.net> Subject: Re: [systemd-devel] [PATCH] netns: unix: only allow to find out unix socket in same net namespace On Wed, 2013-08-21 at 11:51 +0200, Kay Sievers wrote: > On Wed, Aug 21, 2013 at 9:22 AM, Gao feng <gaofeng@...fujitsu.com> wrote: > > On 08/21/2013 03:06 PM, Eric W. Biederman wrote: > > >> I suspect libvirt should simply not share /run or any other normally > >> writable directory with the host. Sharing /run /var/run or even /tmp > >> seems extremely dubious if you want some kind of containment, and > >> without strange things spilling through. > > Right, /run or /var cannot be shared. It's not only about sockets, > many other things will also go really wrong that way. This is very narrow thinking about what a container might be and will cause trouble as people start to create novel uses for containers in the cloud if you try to impose this on our current infrastructure. One of the cgroup only container uses we see at Parallels (so no separate filesystem and no net namespaces) is pure apache load balancer type shared hosting. In this scenario, base apache is effectively brought up in the host environment, but then spawned instances are resource limited using cgroups according to what the customer has paid. Obviously all apache instances are sharing /var and /run from the host (mostly for logging and pid storage and static pages). The reason some hosters do this is that it allows much higher density simple web serving (either static pages from quota limited chroots or dynamic pages limited by database space constraints) because each "instance" shares so much from the host. The service is obviously much more basic than giving each customer a container running apache, but it's much easier for the hoster to administer and it serves the customer just as well for a large cross section of use cases and for those it doesn't serve, the hoster usually has separate container hosting (for a higher price, of course). James -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists