LXC 1.0 released
| From: | Stéphane Graber <stgraber-AT-ubuntu.com> | |
| To: | lxc-devel-AT-lists.linuxcontainers.org, lxc-users-AT-lists.linuxcontainers.org, containers-AT-lists.linux-foundation.org | |
| Subject: | LXC 1.0 has been released! | |
| Date: | Thu, 20 Feb 2014 14:20:09 -0500 | |
| Message-ID: | <20140220192009.GT2689@castiana> |
Hello everyone, It's with great pleasure that the LXC development team is announcing the release of LXC 1.0! This release is a significant milestone for us as it is the first release we consider to be production ready. It is also the fruit of 10 months of effort by over 60 different contributors (over 1000 commits). LXC 1.0 features a wide variety of improvements to container security, a consistent set of tools, updated documentation and an API with multiple bindings. We are confident that this is the best LXC release yet and that our users will find it reliable and easy to use. A series of blog posts on LXC and LXC 1.0 features is also available: https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series We intend to provide bugfix and security updates on this release for the coming 5 years, cherry-picking and backporting fixes from our master branch as they come. We will also do further releases in the 1.0 series as those fixes start to accumulate in our stable branch. A detailed release announcement may be found here: https://linuxcontainers.org/news The release tarballs may be found at https://linuxcontainers.org/downloads or you may just wait a few days for your favorite distribution to package this new LXC release. Our git repository and bug tracker are on Github: https://github.com/lxc/lxc Additional information on LXC itself may be found on our website: https://linuxcontainers.org And we have mailing-lists for user questions and for development (patches): https://lists.linuxcontainers.org We hope you'll enjoy this new release as much as we do! Stéphane Graber On behalf of the LXC development team
Posted Feb 21, 2014 16:35 UTC (Fri)
by arekm (guest, #4846)
[Link] (10 responses)
Posted Feb 21, 2014 16:48 UTC (Fri)
by stgraber (subscriber, #57367)
[Link]
I guess a patch adding another option to the proc filesystem allowing you to hide those processes would be fine, though I'm not sure of the exact consequences this would have on the various userspace tools.
Posted Feb 21, 2014 18:34 UTC (Fri)
by dowdle (subscriber, #659)
[Link] (4 responses)
Posted Feb 21, 2014 18:42 UTC (Fri)
by arekm (guest, #4846)
[Link] (3 responses)
Anyway I miss this feature...
Posted Feb 21, 2014 19:05 UTC (Fri)
by hamjudo (guest, #363)
[Link] (2 responses)
The only problem here is that parent namespaces can see into their children's namespaces. A child can't see the parent's namespace or their sibling's.
Use the parent namespace only for creating children. Do all of the dangerous work in a child container. Where "dangerous" means, any time you might send a signal to the wrong process.
Posted Feb 22, 2014 3:03 UTC (Sat)
by drag (guest, #31333)
[Link] (1 responses)
This.
For security and sanity sake any sort of vm host running important guests should be kept as minimal as possible. Nobody should be logging into it all once it is setup.
Posted Feb 22, 2014 5:56 UTC (Sat)
by deepfire (guest, #26138)
[Link]
It appears to me that container virtualisation is hopeless wrt. security -- its attack surface is more or less the whole kernel -- without the clear (and, even so, still problematic) syscall boundary.
Posted Feb 21, 2014 23:58 UTC (Fri)
by ebiederm (subscriber, #35028)
[Link] (3 responses)
Unless you are looking for rootkits made easy I don't see the value in making processes unkillable by root. What am I missing?
Posted Feb 22, 2014 3:05 UTC (Sat)
by drag (guest, #31333)
[Link]
Posted Feb 22, 2014 20:37 UTC (Sat)
by clopez (guest, #66009)
[Link] (1 responses)
ps on the host will only show host pids, but you have the tool vps that shows also guest pids
Posted Feb 23, 2014 2:11 UTC (Sun)
by undefined (guest, #40876)
[Link]
the "host" processes reside in context 0, from which you cannot see processes/threads in other contexts. privileged processes (can't remember if it is just "root" or tied to a capability) in context 0 can enter context 1, from which all the processes/threads can be seen, a management context of sorts.
there's even a wrapper, "chcontext" from util-vserver, that can execute commands in any context which i use on the host for executing htop and iotop in context 1 for having system-wide visibility.
Posted Feb 21, 2014 16:37 UTC (Fri)
by Wummel (guest, #7591)
[Link] (1 responses)
Posted Feb 21, 2014 21:41 UTC (Fri)
by Lennie (subscriber, #49641)
[Link]
Posted Feb 22, 2014 9:30 UTC (Sat)
by littlesandra88 (guest, #64017)
[Link] (1 responses)
Such an example is this
http://blog.bofh.it/debian/id_413
Posted Feb 22, 2014 18:08 UTC (Sat)
by richard_weinberger (subscriber, #38938)
[Link]
Posted Feb 22, 2014 10:38 UTC (Sat)
by lbt (subscriber, #29672)
[Link]
LXC 1.0 released
LXC 1.0 released
LXC 1.0 released
LXC 1.0 released
I'm probably missing something important here, but it seems like a slight change to how you work would make this "problem" go away. Feel free to enlighten me on what I'm missing.LXC 1.0 released
LXC 1.0 released
LXC 1.0 released
> should be kept as minimal as possible.
LXC 1.0 released
LXC 1.0 released
LXC 1.0 released
linux-vserver: host visibility into guest
LXC 1.0 released
LXC 1.0 released
LXC 1.0 released
LXC 1.0 released
Systemd sharing?
I have some systems which are not systemd and using lxc on all of them would be useful.