
LSS: Secure Linux containers

Posted Sep 7, 2012 13:03 UTC (Fri) by dowdle (subscriber, #659)
Parent article: LSS: Secure Linux containers

First of all let me thank those involved with LXC and LSS for all of the work they have done thus far and hopefully will continue with. Having said that, the pattern is that from here on I become critical of LSS.

LSS = Linux Secure Containers BUT later in the article it says that it isn't about security... and that root in a container can always break out. What?

I'm a long-time OpenVZ user... since 2005, and I use it on a daily basis. OpenVZ isn't the only virtualization solution I use because containers don't fit every use case. I also use KVM. Anyway, Virtuozzo (the commercial parent product of OpenVZ) started in 2001 but was born, developed and matured as an out-of-mainline aka third-party kernel patch. OpenVZ was born as an open source project in 2005... and has been widely deployed by hobbyists and large hosting companies alike. It allows chopping up a single system into containers and giving root access to the containers to untrusted parties... like a customer in another country... or your brother-in-law. It has had live and offline migration features since 2008. I've not seen nor heard about OpenVZ being the cause of a system compromise where a container root user got out and had access to either the host node or other containers... not in the 7 years it has been widely deployed.

SWsoft later became Parallels and along the way invested considerable effort into kernel development with a lot of bug fixes actually making it upstream. The dream of Parallels has always been that LXC would eventually mature and that they could drop their kernel patches and focus their management tools on LXC. Unfortunately that hasn't happened. LXC seems to be a combination of a bunch of container related features that are developed separately by sponsoring companies who only care about their sub-set of features / use cases... without much in the way of co-ordination to build a complete container solution. There are a handful of people who work on LXC trying to bring it all together and they have been somewhat successful, but here we are years later... and it looks like LXC hasn't even gotten to the 50 yard line yet... and that OpenVZ will be around for several years yet. Parallels noticed and has been trying to liberate more of their code both into the mainline kernel and as userspace.

First they were called a VE (Virtual Environment), then the name changed to VPS (Virtual Private Server) and finally... now we call them a container. In the case of OpenVZ, each container is a stand-alone distribution. There can be some sharing with the host and among containers but most people don't do it that way. LSS seems to be focusing on making their containers, so far as the filesystem is concerned, as lightweight as possible by sharing as much with the host and among containers as possible. While that might be an admirable goal... containers, being primarily server / text-only oriented, aren't really bulky to begin with. A typical container is well under CD size and usually takes less than a minute to create... and a few seconds to start. Updating the host and having that cascade out to the containers might sound great but it also means there is a single point of failure too... and a single failed upgrade (admittedly quite rare) breaks everything. It isn't really difficult to loop through a set of containers to update them. What if a container user doesn't want to switch to a new version? Keeping containers autonomous also means they are easier to migrate from one host to another in that your hosts don't have to be exactly alike. As I said, I've been running OpenVZ for a long time and I have some older containers that have been on RHEL4-based hosts, moved to RHEL5-based hosts, and are now on RHEL6-based hosts. That was possible and painless because the containers aren't tied to the host.

Wow, I think I've been rambling for a while now. Sorry. My point is that it is sad that when most people think of containers (according to this article) they think of LXC... because when I think of LXC I think of how incomplete it is... and that I long for the day when I can have a completely functional container using LXC. For the foreseeable future though, I'll happily live in sin with OpenVZ.
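The "loop through a set of containers to update them" that the comment above mentions, written out as an added example (not the commenter's own script, and not part of OpenVZ or LXC). It assumes an OpenVZ host with vzlist and vzctl in PATH and RHEL/CentOS-based containers (yum); the VZ_LIST and VZ_RUN variables are an assumption of this example so the loop can be dry-run or tested with stand-ins. A failed update in one container is reported and counted rather than stopping the loop, which is the point the comment makes against a single shared upgrade breaking everything at once.

```shell
#!/bin/sh
# Added example: update every running OpenVZ container from the host, one at a time.
# Assumed environment (not from the original comment): vzlist/vzctl on the host,
# yum inside the containers. VZ_LIST/VZ_RUN are hypothetical hooks of this example
# that let a dry run or a test substitute another command or shell function.
VZ_LIST="${VZ_LIST:-vzlist}"
VZ_RUN="${VZ_RUN:-vzctl}"

# list_running_ctids prints the CTIDs of the running containers, one per line.
# vzlist -H -o ctid: no header, only the ctid column.
list_running_ctids() {
    "$VZ_LIST" -H -o ctid 2>/dev/null | tr -d ' '
}

# update_container runs the package update inside one container with vzctl exec
# and returns vzctl's exit status, so a failed upgrade in that container is visible.
update_container() {
    ctid="$1"
    "$VZ_RUN" exec "$ctid" yum -y update
}

# update_all_containers updates each running container independently and returns
# the number of containers whose update failed (0 when all succeeded).
update_all_containers() {
    failed=0
    for ctid in $(list_running_ctids); do
        if ! update_container "$ctid"; then
            echo "update failed in CT $ctid" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage on a real host (uncomment):
# update_all_containers || echo "$? container(s) failed to update" >&2
```

Because each container is updated with its own vzctl exec call, a container whose owner does not want the new version can simply be left off the list (for example by filtering the output of list_running_ctids), which is the autonomy the comment argues for.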

LSS: Secure Linux containers

Posted Sep 7, 2012 22:53 UTC (Fri) by dlang (✭ supporter ✭, #313)

is there a document somewhere that talks about the gaps in LXC?

LSS: Secure Linux containers

Posted Sep 10, 2012 14:27 UTC (Mon) by jamesmorris (subscriber, #82698)

LSS = Linux Security Summit

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds