Unprivileged LXC -- opinions?
by Gerard Lally from LinuxQuestions.org on (#6MCDB)
Hi all.
Back to Slackware after a prolonged absence. Health issues -- my own and serious illnesses among family members too. Still affecting us all but life must go on.
I'm about to get a VPS and I'm in two minds whether to install NetBSD 10 with Xen or Slackware 15 with unprivileged containers. I don't have any experience with the latter. Is it secure? Stable? Space constraints on the server make LXC more attractive, since I wouldn't have to second-guess how much space to assign, as I would with full-blown virtual machines like Xen. And as far as I can tell the containers run fully unprivileged in $HOME. Thanks by the way to Chris Willing for the great instructions and information covering all this.
I would prefer also to connect a dummy network interface on the host to the bridge instead of connecting the physical interface. My memory is a bit rusty here, and it seems Slackware has a way of setting up a bridge in rc.inet now. Is tun/tap still the way to set up virtual or dummy interfaces? Obviously I would enable routing to the external interface. I would also firewall on the external interface. Don't ask why: I just never liked bridging the physical interface.
Last but not least, I hope to encrypt all but the boot partition. The host, that is; I won't be encrypting guests. The VPS host provider tells me their machines are BIOS boot, so I don't anticipate too many problems. Thanks to those involved for the excellent write-up on LUKS + LVM too.
I'm looking forward to doing this. It's a small project, 90 percent for personal use but there will eventually be a container serving web content for my brother. So security and stability are vital.
Looking forward to your views and opinions.