
With the disclaimer that I very much have a dog in the fight, you might want to look at illumos[1] and its distributions like SmartOS[2] and OmniOS[3]. It has a secure, robust container model (with a hat tip to FreeBSD jails for providing inspiration over a decade ago) and a mature least-privilege model that minimizes attack surface -- not to mention ZFS, DTrace, KVM and other goodies. At the very least, you can take solace in knowing that others share your desire for cleaner alternatives...

[1] http://smartos.org/2011/12/15/fork-yeah-the-rise-and-develop...

[2] http://smartos.org/

[3] http://omnios.omniti.com/



Thanks for the links; I had heard of SmartOS but not known much about the technology.

What sort of disappointed me about LXC is that you end up with an init process and 7 or 8 children of it in each container. I am more interested in sandboxing at the level of a single process. In a lot of cases you just want to run somebody else's Python code and look at its stdout; you don't need to spin up init and family to do that.

There are a hundred and one projects like this but most of them seem half-baked.

Capsicum [1] looks like what I'm interested in; there seemed to be effort around a Linux port a couple years ago but I don't think it happened. Does Illumos/SmartOS provide anything like this?

http://www.cl.cam.ac.uk/research/security/capsicum/


You don't need init in each container, and the encouraged model of having a whole distro in a container is bonkers. Play around with clone(2)/unshare(2) directly, and it is fairly simple. All you need to know about pid 1 is if it terminates your namespace goes, and orphan processes will reparent to it (and some signals are blocked). If you have a single process then this doesn't matter really. You can do all this from Python I expect, I have done it all from Lua with no issues.
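Added example, not from the thread or from any of the posters' projects: a single process put into fresh user, PID, network and mount namespaces with a direct clone(2) call, along the lines of the comment above, and covering the single-process sandboxing case the earlier comment asks about. The child reports the pid and parent pid it sees back over a pipe, which shows the pid 1 point: the sandboxed process is pid 1 of its namespace, its parent outside the namespace appears as pid 0, and when it exits the namespace is torn down. Linux only; it assumes unprivileged user namespaces are enabled, and otherwise returns the kernel's errno so the caller can tell "refused" from "broken". The `struct view`, `run_isolated` and `child_main` names are this example's own.

```c
/* Single-process sandbox via clone(2) into new namespaces (added example). */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)

/* What the sandboxed process observes about itself. */
struct view { pid_t pid; pid_t ppid; };

struct child_args { int write_fd; };

/* Entry point of the sandboxed process. Inside the new PID namespace it is
 * pid 1, and its parent (which lives outside the namespace) shows up as 0. */
static int child_main(void *arg) {
    struct child_args *a = arg;
    struct view v = { getpid(), getppid() };
    /* Report to the parent, then return: returning ends pid 1 of the
     * namespace, which tears the whole namespace down. */
    ssize_t n = write(a->write_fd, &v, sizeof v);
    return n == (ssize_t)sizeof v ? 0 : 1;
}

/* Runs one child in fresh namespaces and fills *v with the pid/ppid it saw.
 * Returns 0 on success, or -errno when the kernel refuses: EPERM when user
 * namespaces are disabled or the caller lacks CAP_SYS_ADMIN, EINVAL on a
 * kernel built without namespace support, ENOSYS under a seccomp filter
 * that blocks the call. */
int run_isolated(struct view *v) {
    int fds[2];
    if (pipe(fds) == -1) return -errno;
    char *stack = malloc(STACK_SIZE);
    if (!stack) { close(fds[0]); close(fds[1]); return -ENOMEM; }
    struct child_args a = { fds[1] };
    /* CLONE_NEWUSER is what lets an unprivileged caller create the other
     * namespaces; SIGCHLD makes the child waitable like a fork(2) child. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | CLONE_NEWNS | SIGCHLD;
    /* Stacks grow downwards on the common architectures, so pass the top. */
    pid_t pid = clone(child_main, stack + STACK_SIZE, flags, &a);
    int err = errno;
    close(fds[1]);  /* parent keeps only the read end */
    if (pid == -1) { close(fds[0]); free(stack); return -err; }
    ssize_t n = read(fds[0], v, sizeof *v);
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    free(stack);
    if (n != (ssize_t)sizeof *v) return -EIO;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -ECHILD;
}

int main(void) {
    struct view v;
    int r = run_isolated(&v);
    if (r < 0) { fprintf(stderr, "clone: %s\n", strerror(-r)); return 1; }
    printf("child saw pid=%ld ppid=%ld\n", (long)v.pid, (long)v.ppid);
    return 0;
}
```

Only namespaces are set up here; on its own this does not limit CPU or memory (that is the cgroups side mentioned in the thread) and the child still sees the parent's mount table until something is done with the new mount namespace. The point is that the mechanism for a one-process sandbox is a single syscall, with no init required.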


OK from what I understand "LXC" is basically the user space tools that give you the distro in the container... it's more of a VM model.

But yeah I think I just need the underlying cgroups, and possibly some of the namespaces. Although I don't care all that much if untrusted code can see what processes are running; just as long as it can't affect them.

Just curious what you were using containers for from Lua? Sounds interesting.


I started using them largely for testing netlink code, as it is much easier to create some isolated network devices than risk messing about with the real ones. This is part of a fairly comprehensive Linux binding for Lua https://github.com/justincormack/ljsyscall



