[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111011032523.GB7948@thunk.org>
Date: Mon, 10 Oct 2011 23:25:23 -0400
From: Ted Ts'o <tytso@....edu>
To: Matt Helsley <matthltc@...ibm.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
Lennart Poettering <mzxreary@...inter.de>,
Kay Sievers <kay.sievers@...y.org>,
linux-kernel@...r.kernel.org, harald@...hat.com, david@...ar.dk,
greg@...ah.com, Linux Containers <containers@...ts.osdl.org>,
Linux Containers <lxc-devel@...ts.sourceforge.net>,
"Serge E. Hallyn" <serge@...lyn.com>,
Daniel Lezcano <daniel.lezcano@...e.fr>,
Paul Menage <paul@...lmenage.org>
Subject: Re: Detecting if you are running in a container
On Mon, Oct 10, 2011 at 07:05:30PM -0700, Matt Helsley wrote:
> Yes, it does detract from the unique advantages of using a container.
> However, I think the value here is not the effeciency of the initial
> system configuration but the fact that it gives users a better place to
> start.
>
> Right now we're effectively asking users to start with non-working
> and/or unfamiliar systems and repair them until they work.
If things are not working with containers, I would submit to you that
we're doing something wrong(tm). Things should just work, except that
processes in one container can't use more than their fair share (as
dictated by policy) of memory, CPU, networking, and I/O bandwidth.
Something which is baked in my world view of containers (which I
suspect is not shared by other people who are interested in using
containers) is that given that kernel is shared, trying to use
containers to provide better security isolation between mutually
suspicious users is hopeless. That is, it's pretty much impossible to
prevent a user from finding one or more zero day local privilege
escalation bugs that will allow a user to break root. And at that
point, they will be able to penetrate the kernel, and from there,
break security of other processes.
So if you want that kind of security isolation, you shouldn't be using
containers in the first place. You should be using KVM or Xen, and
then only after spending a huge amount of effort fuzz testing the
KVM/Xen paravirtualization interfaces. So at least in my mind, adding
vast amounts of complexities to try to provide security isolation via
containers is really not worth it. And if that's the model, then it's
a lot easier to make containers to run jobs in containers that don't
require changes to the distro plus huge increase of complexity for
containers in the kernel....
- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists