[one-dev] OpenNebula LXC Addon

Valentin Bud valentin at databus.pro
Wed Oct 30 01:19:35 PDT 2013


Hi Simon,

On Mon, Oct 28, 2013 at 11:42:36AM -0400, Simon Boulet wrote:
> Hi Valentin, James,
> 
> On Sat, Oct 26, 2013 at 7:12 AM, Jaime Melis <jmelis at opennebula.org> wrote:
> >
> > thanks a lot for the detailed recap of the opennebula-lxc situation! I'm
> > personally very interested in making lxc work with OpenNebula.
> 
> I'm very interested in the LXC driver development as well. I don't
> have a lot of spare time at the moment though, but let me know if I
> can help.

I am glad to hear that you're interested in this Simon. Your expertise
in OpenNebula and container technologies will help us in our encounter,
I am sure.

> 
> From what I know of the OpenNebula XML representation passed to the
> drivers it should be enough for implementing a LXC driver, at least
> for the basic functionality.
> 
> > There are also a lot of security considerations which I have not brought
> > in the discussion just yet. I have to do some more reading on this topic.
> 
> One major concern I had 1-2 years ago when I looked at LXC was that it
> was possible for any root user inside a container to escape the
> container and gain root on the host as well [1][2]. I'm not sure of
> the status of these issues in LXC, but I've heard you can use SELinux
> to further limit LXC containers and prevent this.
> 
> [1] http://blog.bofh.it/debian/id_413
> [2] http://seclists.org/oss-sec/2011/q4/158

[1] still works inside an LXC container that doesn't limit capabilities.
I have also tried the second one but on my box, a Debian Wheezy, it
doesn't work at all.

SELinux, AppArmor and also Smack [1] can be used to secure the container. I
have found a thread [2] on the LXC Users mailing list that deals with
using Smack to secure the containers.

[1]: http://en.wikipedia.org/wiki/Smack
[2]: http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg02368.html

Good Will,
--
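The two defensive points in the message above (limit the capabilities a container keeps, and confine it with an LSM profile) are the kind of thing a driver or an operator would want to check before starting a container. The following audit script is an added example written for this page; it is not code from the thread, from OpenNebula or from the LXC project. It assumes LXC 1.x config key names (`lxc.cap.drop`, `lxc.aa_profile`, `lxc.se_context`), also accepts the renamed LXC 3.x keys (`lxc.apparmor.profile`, `lxc.selinux.context`), and the list of capabilities it treats as risky and the profile name `lxc-container-default` in the sample configs are assumptions, as are the sample configs themselves.

```python
"""Audit LXC container configs for missing capability and LSM hardening.

Added example, not part of the original thread. Key names follow LXC 1.x
(lxc.cap.drop, lxc.aa_profile, lxc.se_context); the renamed LXC 3.x keys
(lxc.apparmor.profile, lxc.selinux.context) are accepted as well.
"""
from __future__ import annotations

from typing import Dict, List, Optional

# Capabilities a container should not keep. This set is an assumption made
# for the audit: each of these lets root inside the container reach host
# resources (module loading, raw devices, device nodes, clock, reboot, mounts).
RISKY_CAPS = {"sys_admin", "sys_module", "sys_rawio", "mknod", "sys_boot", "sys_time"}

LSM_KEYS = ("lxc.aa_profile", "lxc.apparmor.profile",
            "lxc.se_context", "lxc.selinux.context")
UNCONFINED = {"unconfined", ""}

# Constructed sample: nothing dropped, no LSM profile -> both findings fire.
WEAK_CONFIG = """\
# constructed sample config
lxc.utsname = web01
lxc.rootfs = /var/lib/lxc/web01/rootfs
lxc.network.type = veth
"""

# Constructed sample: risky capabilities dropped, AppArmor profile set.
HARDENED_CONFIG = """\
# constructed sample config
lxc.utsname = web01
lxc.rootfs = /var/lib/lxc/web01/rootfs
lxc.network.type = veth
lxc.cap.drop = sys_module sys_rawio sys_boot sys_time
lxc.cap.drop = mknod sys_admin mac_admin mac_override
lxc.aa_profile = lxc-container-default
"""


def parse_lxc_config(text: str) -> Dict[str, List[str]]:
    """Parse 'key = value' lines; a key may repeat (lxc.cap.drop often does)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def dropped_caps(conf: Dict[str, List[str]]) -> set:
    """Union of all capability names listed across lxc.cap.drop lines."""
    caps: set = set()
    for value in conf.get("lxc.cap.drop", []):
        caps.update(c.lower() for c in value.split())
    return caps


def lsm_profile(conf: Dict[str, List[str]]) -> Optional[str]:
    """Return the configured AppArmor/SELinux profile, or None if absent."""
    for key in LSM_KEYS:
        if key in conf:
            return conf[key][-1]  # last occurrence wins, as in LXC itself
    return None


def audit(text: str) -> List[str]:
    """Return findings for one container config; an empty list means it passes."""
    conf = parse_lxc_config(text)
    findings: List[str] = []
    kept = RISKY_CAPS - dropped_caps(conf)
    if kept:
        findings.append("capabilities kept in container: " + ", ".join(sorted(kept)))
    profile = lsm_profile(conf)
    if profile is None:
        findings.append("no AppArmor/SELinux profile configured")
    elif profile in UNCONFINED:
        findings.append(f"LSM profile is unconfined ({profile!r})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Running the script prints the findings for both constructed configs. The audit is deliberately conservative: a profile line that is present but set to `unconfined` is reported, because LXC treats that value as "no confinement", and the capability check only passes when every capability in the risky set has been dropped explicitly.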