[systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?
Lennart Poettering
lennart at poettering.net
Sun Apr 24 13:59:09 PDT 2011
On Sat, 23.04.11 13:29, microcai (microcai at fedoraproject.org) wrote:
> > Ah, good point. So, root inside the container can trivially circumvent
> > the container that way. Any way to prevent that with current kernel
> > support, or would fixing this require additional kernel changes to lock
> > down other /proc and /sys mounts?
>
> OpenVZ is what you need that way. OpenVZ is much like systemd-nspawn,
> but more secure. So it can be used to provide VPS ;)
I never looked in much detail into OpenVZ, but quite honestly I have my
doubts that it is completely sealed off and really doesn't suffer from any
of the vulnerabilities I pointed out in my other mail.
OpenVZ is probably at a better spot than the vanilla kernel with
container virtualization, but I think they define "secure" much more
loosely than some folks are aware of.
Lennart
--
Lennart Poettering - Red Hat, Inc.