>> The quality of container isolation in LXC heavily depends on implementation.
>> While pure LXC is generally well-isolated through various mechanisms (for example
>> AppArmor in Ubuntu), LXC through libvirt is not. A guest who operates within one
>> container is able to affect another container's CPU share, memory limit and block
>> devices, among other issues.
>
> This is really wrong / misleading.

<snip>

> Although initial user namespace support was merged in Linux 3.8, it is not
> yet complete, or mature enough to be considered secure. Work is ongoing to
> finish the kernel namespace support and enhance libvirt LXC to take advantage
> of it."
Point taken and thank you for the clarification. As you note, doing LXC securely is basically not possible on a current OpenStack deployment. This was the main take-home point of the security note. I'm happy to see that work is ongoing to help improve this feature, and look forward to reviewing it when it is stable.

If you'd like to help with the wording of future notes, I encourage you to take part in the weekly OSSG meetings: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity

Cheers,
-bryan

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp