[Freedombox-discuss] Should we use LXC in Freedombox?
Leen Besselink
leen at consolejunkie.net
Sun Oct 6 11:16:45 UTC 2013
> > > At the moment I'm working on my own software to isolate programs
> > > running on the FreedomBox. This software does not use LXC anymore
> > > and will be *much* more lightweight. So keep in mind that although
> > > my setup served me well over the past years it will be replaced in
> > > the near future.
> >
> > What are you going to use instead? Perhaps the official Freedombox
> > from Debian should use this new mechanism instead?
>
> I am writing a new program to replace LXC. This program is part of my
> new software architecture for the FreedomBox and I hope that in the
> future this architecture will be used in an official FreedomBox release.
> Can not say much more about this because there are "bold and brave"
> ideas behind this new architecture that must be tested first. If things
> work I will write an article about it on my blog.
>
> Rob.
> http://freedomboxblog.nl
>
Hi list/Rob,
While I would prefer if you worked in the open I do have some suggestions
on what other things/frameworks/ideas people have some what recently been
doing with containers and container like things for 'application deployment'.
One thing I do wonder is: what is the goal of isolation ? Just to make sure
applictions can't trample over each other or to prevent attackers from gaining
access to the rest of the system ('host') or other applications. Or maybe for
easier deployment ?
I suggest you look at how http://docker.io/ is using LXC-containers and the
kinds of features they've created around it (and especially what they did not do).
Especially in the way they define ports as the portal for the users to talk
to the application. How this does not need a public IP-address, just a
loadbalancer or webserver in front of it.
There is an article about the security of containers as well:
http://blog.docker.io/2013/08/containers-docker-how-secure-are-they/
And also look at OpenShift Origin is doing with SELinux for their 'gears':
https://www.openshift.com/blogs/technical-thoughts-on-openshift-and-docker
They want to start to work with the Docker community.
Seems to me you probably need AppArmor or SELinux with some cgroups and a
description file or API to describe how an application should be deployed
and what ports it exposes.
And a seperation at the filesystem level between data and application(code).
I would also look at http://criu.org/ and how that might fit into the picture
in the long run.
It's all just suggestions of course and I hope it is useful.
Have a good day,
Leen.
More information about the Freedombox-discuss
mailing list