[one-dev] OpenNebula LXC Addon

Simon Boulet simon at nostalgeek.com
Mon Oct 28 08:42:36 PDT 2013


Hi Valentin, James,

On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
>
> thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
> personally very interested in making lxc work with OpenNebula.

I'm very interested in the LXC driver development as well. I don't
have a lot of spare time at the moment though, but let me know if I
can help.

From what I know of the OpenNebula XML representation passed to the
drivers it should be enough for implementing an LXC driver, at least
for the basic functionality.

> There are also a lot of security considerations which I have not brought
> in the discussion just yet. I have to do some more reading on this topic.

One major concern I had 1-2 years ago when I looked at LXC was that it
was possible for any root user inside a container to escape the
container and gain root on the host as well [1][2]. I'm not sure of
the status of these issues in LXC, but I've heard you can use SELinux
to further limit LXC containers and prevent this.

[1] http://blog.bofh.it/debian/id_413
[2] http://seclists.org/oss-sec/2011/q4/158

Simon

