
LSS: Secure Linux containers

LSS: Secure Linux containers

Posted Sep 8, 2012 8:02 UTC (Sat) by thomas.poulsen (subscriber, #22480)
Parent article: LSS: Secure Linux containers

Thanks for a great article.
I for one would be thrilled by an LWN article on the current status of the available sandboxing / container / jail solutions on Linux from a user / administrator point of view. Perhaps with a view to FreeBSD jails as well.



LSS: Secure Linux containers

Posted Sep 8, 2012 19:44 UTC (Sat) by mezcalero (subscriber, #45103)

I think the whole container story on Linux is full of confusing bits. For example, "libvirt-lxc" does not share any code with "lxc", it just happens to use the same kernel interfaces. The fact that two userspace projects carry the same name but share not a single line of code is really hard to grok, especially given that one is backed primarily by RH and friends and the other by Canonical and friends.

And then there is some additional confusion about how far the containerization goes. For example, there is container as in "run a more or less complete OS that is installed in a subdirectory of the FS tree", i.e. a chroot() on steroids. And then there is container as in "share the same root dir as the host OS but hide stuff/make things read-only but boot up the more or less full OS in it". And then there is container as in "share the same root dir as the host OS and hide stuff/make things read-only but do not boot an OS up in the container, just run one service".

And then there is confusion about who implements the containerization bits. For example, systemd service files can do the "shared root dir" containerization (i.e. the third kind) out-of-the-box but we never use the term "container" for that. LSS is an implementation of the second kind. libvirt and systemd-nspawn can be used for the first kind.

Summary: the term "container" on Linux means many different things, and there are many different implementations of them. I am sorry for the admins who have to deal with all this confusion. Some overview documentation would be good I guess, and maybe finding better terminology for these three kinds of containers, and maybe trying to consolidate more of these techs.
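As an added illustration of the third kind of container described in the comment above (shared root directory, some paths hidden or made read-only, a single service rather than a booted OS), here is a systemd service unit sketch. It is example configuration written for this page, not code from the comment author or from the systemd project; the unit name, binary, user and paths are assumptions, and the directive names are the current ones (ReadOnlyPaths=, ReadWritePaths=, InaccessiblePaths=), which systemd of the 2012 era spelled ReadOnlyDirectories=, ReadWriteDirectories= and InaccessibleDirectories=.

```ini
# /etc/systemd/system/example-daemon.service  (hypothetical unit name)
[Unit]
Description=Example daemon confined to a shared-root "container"

[Service]
# Hypothetical binary and user; the host's / stays the service's root.
ExecStart=/usr/bin/example-daemon
User=example
# Fresh, private /tmp and /var/tmp visible only to this service.
PrivateTmp=yes
# Make the whole tree read-only in the service's private mount namespace...
ReadOnlyPaths=/
# ...except the service's own state directory (hypothetical path).
ReadWritePaths=/var/lib/example-daemon
# Paths the service must not see at all (replaced by an empty, inaccessible node).
InaccessiblePaths=/home /root
# No privilege gain via setuid/file capabilities, and a minimal capability set.
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

Two caveats a practitioner should keep in mind. ReadOnlyPaths= only prevents writes; the service can still read everything under / that InaccessiblePaths= does not hide, so sensitive directories need to be listed explicitly. And this is mount-namespace confinement only: the service shares the host's PID and network namespaces unless PrivateNetwork= (and, in newer systemd, further Private*/Protect* options) are added. The same knobs can be tried ad hoc before writing a unit file, e.g. `systemd-run -p ReadOnlyPaths=/ -p InaccessiblePaths=/home /bin/sh -c 'touch /etc/x; ls /home'`, and newer systemd versions can score the result with `systemd-analyze security example-daemon.service`.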

LSS: Secure Linux containers

Posted Sep 27, 2012 8:21 UTC (Thu) by justincormack (subscriber, #70439)

True yes, but in many ways it is a good thing. Namespaces are really useful for all sorts of things (e.g. testing networking code) that are not a full container. The jail-style "just have a container" model is much less flexible as it makes assumptions as to how you work. There are only 2 major projects so far (even if confusingly named), so most people find one or the other I think. The issues are more to do with documentation and bugginess, particularly if, e.g., you don't run lxc on up-to-date Ubuntu but try to run it, say, on Debian, which is not well supported yet due to versions.

I suspect most serious users (i.e. not just running for testing and so on) will probably have to dive in and customise the setup to run the kind of container they want, depending on what they want to share, as clearly one policy does not fit all.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds