[Freedombox-discuss] Should we use LXC in Freedombox?

Rob van der Hoeven robvanderhoeven at ziggo.nl
Mon Oct 7 09:24:16 UTC 2013


> While I would prefer if you worked in the open I do have some suggestions
> on what other things/frameworks/ideas people have somewhat recently been
> doing with containers and container like things for 'application deployment'.
> 

Hi Leen,

I will release a demo as soon as possible. Once the demo is released
suggestions from potential users will be welcome!

> One thing I do wonder is: what is the goal of isolation ? Just to make sure
> applications can't trample over each other or to prevent attackers from gaining
> access to the rest of the system ('host') or other applications. Or maybe for
> easier deployment ?

Ideally a program should only have access to its own data, that is the
ultimate goal of isolation. If an isolated program is compromised the
damage does not spread to other programs and/or data.

In Linux a program runs under a user account and has all the privileges
of that user. For example: your web browser can access all files under
your account. Once compromised it can upload any of your files (example:
private ssh keys) or run any program that the account allows. You can
restrict what a program can do by using SELinux or another mandatory
access control (MAC) tool but these tools are difficult to configure and
not as effective as isolation. With MAC a program can for example detect
that there is a file called all_my_passwords.txt, but it is not allowed
to access this file. With proper isolation a program cannot detect that
the all_my_passwords.txt file exists.

An extra benefit of isolation is easier deployment and backup/restore.
For example: I can deploy a full LAMP stack by copy/paste deployment,
for a backup I gzip the container's rootfs after a shutdown.

> 
> I suggest you look at how http://docker.io/ is using LXC-containers and the
> kinds of features they've created around it (and especially what they did not do).
> 

An excellent suggestion. I think the people at http://dotcloud.com (the
company behind docker) are real experts. They have been making a living
from LXC container technology for years now. I have been following their blog for
quite some time and they have written some excellent articles about the
technology behind LXC which you can read here:

http://blog.dotcloud.com/tag/underthehood

Rob.
http://freedomboxblog.nl
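The "detect but cannot read" versus "cannot even detect" distinction drawn above, as an added example that is not part of the original post. It assumes util-linux unshare(1) and a kernel that allows unprivileged user and mount namespaces (the namespace probe reports "unavailable" otherwise); the password file is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Contrasts "visible but not
# readable" (what a DAC/MAC rule gives you) with "does not exist from the
# program's point of view" (what a mount namespace, the building block of
# LXC, gives you). Assumes util-linux unshare(1); if the kernel or sandbox
# refuses the namespaces, probe_in_namespace prints "unavailable".

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SECRET="$WORK/home/all_my_passwords.txt"      # constructed sample file
mkdir -p "$WORK/home"
printf 'correct horse battery staple\n' > "$SECRET"

# Access control only: stat() still succeeds, so a compromised program
# learns the file is there even if a later read() is refused (for a
# non-root user; root ignores mode bits, which is one reason MAC exists).
probe_with_acl() {
    chmod 000 "$SECRET"
    if [ -e "$SECRET" ]; then echo visible; else echo hidden; fi
    chmod 600 "$SECRET"
}

# Isolation: inside a fresh user+mount namespace an empty tmpfs is mounted
# over the directory. The shell in there cannot tell the file ever existed.
# The mount disappears with the namespace; the host's view is untouched.
probe_in_namespace() {
    unshare --user --map-root-user --mount sh -c "
        mount -t tmpfs none '$WORK/home' || exit 1
        if [ -e '$SECRET' ]; then echo visible; else echo hidden; fi
    " 2>/dev/null || echo unavailable
}

echo "access control : $(probe_with_acl)"      # visible
echo "mount namespace: $(probe_in_namespace)"  # hidden (or unavailable)
```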
