[systemd-devel] containers

Lennart Poettering lennart at poettering.net
Sun Sep 6 09:00:45 PDT 2015


On Sun, 06.09.15 17:49, Michał Zegan (webczat_200 at poczta.onet.pl) wrote:

> Hello.
> 
> Is systemd-nspawn intended to eventually become usable for full system
> containers/general use with enough security to run things like vps hosting?
> How much is missing to be able to do that, or maybe it already can? Like you
> have user namespaces support that probably adds more security in addition to
> other namespaces, not sure though.

Well, Linux containers are currently not a security technology, and
you really shouldn't mistake them for one.

But yes, we'll close the biggest holes as we can, and the intention is
certainly to make it hard to escape containers.

nspawn supports user namespaces, but I don't think they are
practically usable, since there's no logic for automatically
allocating user id ranges, and file systems have to be altered to make
them compatible with user namespacing. We'd like to improve the
situation there, but this requires more kernel work.

The focus with nspawn is indeed on full system containers
(i.e. containers running an init system in them), and explicitly not
so much "micro service" virtualization a la docker.

To dogfood myself I run my own dedicated server in an nspawn-based
solution, and I am pretty happy with it.

Note that nspawn + machined is not supposed to be a complete
deployment solution, it focuses on the execution runtime of the
container locally and it does not and will not do orchestration of
containers across a whole cluster, or update/lifecycle management. Use
rkt (which builds on nspawn) for that.

Lennart

-- 
Lennart Poettering, Red Hat
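The reply above notes that user namespaces are not yet practical with nspawn because no component allocates user id ranges automatically and the container's file system has to be altered (its owners shifted into the mapped range) before it works. The following is an added example, not code from systemd, nspawn or the thread, of the kind of check an operator would run on a container root before enabling user namespacing: it assumes a single contiguous one-to-one mapping (container id 0..size-1 to host id base..base+size-1), an example base of 100000, and a constructed sample tree; every file whose host uid or gid falls outside the range would be unowned (or owned by the wrong host account) from inside the container.

```python
import os
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

Entry = Tuple[str, int, int]  # (path, host uid, host gid)


@dataclass(frozen=True)
class UidRange:
    """One contiguous user-namespace mapping: container id i -> host id base + i.
    The base/size values are assumptions for the example, not nspawn defaults."""
    base: int
    size: int

    def contains(self, host_id: int) -> bool:
        return self.base <= host_id < self.base + self.size

    def to_container(self, host_id: int) -> int:
        # Host id as seen from inside the namespace (only valid if contains()).
        return host_id - self.base

    def to_host(self, container_id: int) -> int:
        # Host id a container id would need to be shifted to.
        return self.base + container_id


def unshifted_entries(entries: Iterable[Entry], rng: UidRange) -> List[Entry]:
    """Return the entries whose owner or group is outside the mapped range.
    These are the files a user-namespaced container cannot own and that a
    shifting pass would have to rewrite."""
    return [(p, u, g) for p, u, g in entries
            if not (rng.contains(u) and rng.contains(g))]


def planned_shift(entries: Iterable[Entry], rng: UidRange) -> List[Tuple[str, int, int]]:
    """For files still owned by unshifted (container-local) ids below rng.size,
    compute the host ids they would be chowned to. Ids >= size cannot be
    represented in the namespace at all and are reported as -1."""
    plan = []
    for p, u, g in entries:
        if rng.contains(u) and rng.contains(g):
            continue  # already shifted
        hu = rng.to_host(u) if 0 <= u < rng.size else -1
        hg = rng.to_host(g) if 0 <= g < rng.size else -1
        plan.append((p, hu, hg))
    return plan


def scan_tree(root: str) -> Iterator[Entry]:
    """Walk a real container root and yield (path, uid, gid) using lstat,
    so symlinks are reported by their own ownership and never followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        yield (dirpath, st.st_uid, st.st_gid)
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield (full, st.st_uid, st.st_gid)


# Constructed sample tree (not real output): a root that was partially shifted
# into the 100000..165535 range, with two entries left at host-local ids.
SAMPLE_RANGE = UidRange(base=100000, size=65536)
SAMPLE_TREE: List[Entry] = [
    ("/", 100000, 100000),
    ("/etc/passwd", 100000, 100000),
    ("/var/log", 100000, 100004),
    ("/home/user", 101000, 101000),
    ("/root/.ssh", 0, 0),          # still owned by host root: unshifted
    ("/tmp/x", 65534, 65534),      # host nobody: unshifted
]


if __name__ == "__main__":
    import sys
    entries = list(scan_tree(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TREE
    for path, uid, gid in unshifted_entries(entries, SAMPLE_RANGE):
        print(f"unshifted: {path} uid={uid} gid={gid}")
    for path, hu, hg in planned_shift(entries, SAMPLE_RANGE):
        print(f"would chown {path} -> {hu}:{hg}")
```

Run without arguments to see the report on the constructed sample; pass a directory path to scan a real root. The check is read-only; it only reports what a shifting step would have to change, and ids that do not fit in the mapping at all (anything at or above the range size) are flagged with -1 rather than silently remapped.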

