[one-dev] OpenNebula LXC Addon
valentin at databus.pro
Wed Oct 30 01:19:35 PDT 2013
On Mon, Oct 28, 2013 at 11:42:36AM -0400, Simon Boulet wrote:
> Hi Valentin, James,
> On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
> > thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
> > personally very interested in making lxc work with OpenNebula.
> I'm very interested in the LXC driver development as well. I don't
> have a lot of spare time at the moment though, but let me know if I
> can help.
I am glad to hear that you're interested in this Simon. Your expertise
in OpenNebula and container technologies will help us in our encounter,
I am sure.
> From what I know of the OpenNebula XML representation passed to the
> drivers it should be enough for implementing a LXC driver, at least
> for the basic functionality.
> > There are also a lot of security considerations which I have not brought
> > in the discussion just yet. I have to do some more reading on this topic.
> One major concern I had 1-2 years ago when I looked at LXC was that it
> was possible for any root user inside a container to escape the
> container and gain root on the host as well. I'm not sure of
> the status of these issues in LXC, but I've heard you can use SELinux
> to further limit LXC containers and prevent this.
>  http://blog.bofh.it/debian/id_413
>  http://seclists.org/oss-sec/2011/q4/158
 still works inside an LXC container that doesn't limit capabilities.
I have also tried the second one but on my box, a Debian Wheezy, it
doesn't work at all.
SELinux, AppArmor and also Smack can be used to secure the container. I
have found a thread on the LXC Users mailing list that deals with
using Smack to secure the containers.
More information about the Dev
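The two controls the thread discusses, limiting capabilities and putting a MAC profile (SELinux/AppArmor) on the container, are both expressed in the LXC container config file. The script below is an added example, not code from this thread, OpenNebula or the LXC project: it parses an LXC 1.x style config and reports whether a baseline set of capabilities is dropped and whether a MAC profile is set, so a weak config can be told apart from a hardened one before the driver starts it. The config keys `lxc.cap.drop`, `lxc.aa_profile` and `lxc.se_context` are real LXC 1.x keys; the baseline capability list and both sample configs are constructed for the example and make no claim about which capability any particular published escape relies on.

```python
"""Audit an LXC container config for capability dropping and MAC confinement.

Added example (not OpenNebula/LXC project code). Assumes LXC 1.x config keys.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

CAP_DROP_KEY = "lxc.cap.drop"      # space-separated list; may repeat; empty value clears it
APPARMOR_KEY = "lxc.aa_profile"    # "unconfined" means no AppArmor confinement
SELINUX_KEY = "lxc.se_context"     # SELinux context the container runs under

# Constructed baseline of capabilities a hardened config is expected to drop.
# This is an assumption for the example, not a recommendation from the thread.
BASELINE_CAP_DROP: Set[str] = {"sys_module", "sys_rawio", "sys_boot", "mknod", "sys_admin"}

_KV = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_lxc_config(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order; blank lines and '#' comments are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


@dataclass
class AuditResult:
    dropped: Set[str] = field(default_factory=set)
    apparmor_profile: Optional[str] = None
    selinux_context: Optional[str] = None
    missing_caps: Set[str] = field(default_factory=set)

    @property
    def mac_confined(self) -> bool:
        """True when a real AppArmor profile or an SELinux context is configured."""
        if self.apparmor_profile and self.apparmor_profile != "unconfined":
            return True
        return bool(self.selinux_context)


def audit_lxc_config(text: str, baseline: Set[str] = BASELINE_CAP_DROP) -> AuditResult:
    """Apply LXC's accumulate/clear semantics for lxc.cap.drop and record MAC settings."""
    result = AuditResult()
    for key, value in parse_lxc_config(text):
        if key == CAP_DROP_KEY:
            if value == "":
                result.dropped.clear()          # an empty value resets the drop list
            else:
                result.dropped.update(value.split())
        elif key == APPARMOR_KEY:
            result.apparmor_profile = value
        elif key == SELINUX_KEY:
            result.selinux_context = value
    result.missing_caps = set(baseline) - result.dropped
    return result


def report(name: str, text: str) -> str:
    r = audit_lxc_config(text)
    caps = "ok" if not r.missing_caps else "missing " + " ".join(sorted(r.missing_caps))
    mac = "confined" if r.mac_confined else "NOT confined"
    return f"{name}: capabilities {caps}; MAC {mac}"


# Constructed sample: nothing dropped and AppArmor switched off explicitly.
WEAK_CONFIG = """\
lxc.utsname = weak
lxc.rootfs = /var/lib/lxc/weak/rootfs
lxc.network.type = veth
lxc.aa_profile = unconfined
"""

# Constructed sample: drops spread over two lines, default AppArmor profile, device deny-all.
HARDENED_CONFIG = """\
lxc.utsname = hardened
lxc.rootfs = /var/lib/lxc/hardened/rootfs
lxc.network.type = veth
lxc.cap.drop = sys_module sys_rawio sys_boot
lxc.cap.drop = mknod sys_admin mac_admin mac_override
lxc.aa_profile = lxc-container-default
lxc.cgroup.devices.deny = a
"""

if __name__ == "__main__":
    print(report("weak", WEAK_CONFIG))
    print(report("hardened", HARDENED_CONFIG))
```

The check is deliberately static: it says nothing about whether the host kernel actually enforces the profile, only whether the container definition asks for it, which is the part a driver such as the OpenNebula LXC addon can validate before calling lxc-start.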