On 01/30/2012 01:44 AM, Adam Borowski wrote: [...] > * how to ensure good isolation while still being able to do useful work? > The point of vserver is that even root inside a VM shouldn't be able to > affect the host, on lxc you keep hurting the host by accident. Messing > with capabilities blindly is trial and error, which is precisely what you > don't want to do in a system meant for security.
grsecurity helps a lot here - but I doubt we want to require knowledge of grsecurity to setup a lxc container. With vserver you were not required to have grsecurity enabled to have a more or less save-enough virtualization solution, although I'd recommend to do so. -- Bernd Zeimetz Debian GNU/Linux Developer http://bzed.de http://www.debian.org GPG Fingerprint: ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4f2678cb.6060...@bzed.de
