[one-dev] OpenNebula LXC Addon

Carlo Daffara carlo.daffara at cloudweavers.eu
Mon Oct 28 09:00:53 PDT 2013

On one hand, LXC still has some complexities in providing strong security (e.g.
http://mattoncloud.org/2012/07/16/are-lxc-containers-enough/ or
http://wiki.gentoo.org/wiki/LXC#MAJOR_Temporary_Problems_with_LXC_-_READ_THIS ),
which means that you need to add substantial infrastructure to prevent LXC leaks or container spills.
As it stands, on most distributions, OpenVZ has much stronger containment properties than LXC, unless you want to spend
*substantial* effort in closing the gaps.
On the other hand, LXC is the basis of Docker ( https://www.docker.io/ ), which is quite interesting as a platform: managed
within an IaaS infrastructure, but lightweight and flexible like a PaaS.
Carlo Daffara

----- Original message -----
From: knawnd at gmail.com
To: dev at lists.opennebula.org
Sent: Monday, 28 October 2013 16:51:44
Subject: Re: [one-dev] OpenNebula LXC Addon


If there is no strong demand to use LXC in particular, then I would propose
having a look at such an LXC alternative in terms of OS-level
virtualization as OpenVZ [1] and the OpenVZ driver for OpenNebula 4.2 [2].


[1] http://openvz.org
[2] https://bitbucket.org/hpcc_kpi/opennebula-openvz/wiki/Home

Simon Boulet wrote on 28/10/13 19:42:
> Hi Valentin, James,
> On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
>> thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
>> personally very interested in making lxc work with OpenNebula.
> I'm very interested in the LXC driver development as well. I don't
> have a lot of spare time at the moment though, but let me know if I
> can help.
> From what I know of the OpenNebula XML representation passed to the
> drivers, it should be enough for implementing an LXC driver, at least
> for the basic functionality.
>> There are also a lot of security considerations which I have not brought
>> in the discussion just yet. I have to do some more reading on this topic.
> One major concern I had 1-2 years ago when I looked at LXC was that it
> was possible for any root user inside a container to escape the
> container and gain root on the host as well [1][2]. I'm not sure of
> the status of these issues in LXC, but I've heard you can use SELinux
> to further limit LXC containers and prevent this.
> [1] http://blog.bofh.it/debian/id_413
> [2] http://seclists.org/oss-sec/2011/q4/158
> Simon
> _______________________________________________
> Dev mailing list
> Dev at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/dev-opennebula.org
