On Fri, Mar 15, 2013 at 09:05:30AM -0700, Bryan D. Payne wrote:
> >> The quality of container isolation in LXC heavily depends on
> >> implementation. While pure LXC is generally well-isolated through
> >> various mechanisms (for example AppArmor in Ubuntu), LXC through
> >> libvirt is not. A guest who operates within one container is able
> >> to affect another container's cpu share, memory limit and block
> >> devices, among other issues.
> >
> > This is really wrong / misleading. <snip>
> >
> > Although initial user namespace support was merged in Linux 3.8, it is not
> > yet complete, or mature enough to be considered secure. Work is ongoing to
> > finish the kernel namespace support and enhance libvirt LXC to take advantage
> > of it."
>
> Point taken and thank you for the clarification. As you note, doing
> lxc securely is basically not possible on a current OpenStack
> deployment. This was the main take home point of the security note.
> I'm happy to see that work is ongoing to help improve this feature,
> and look forward to reviewing it when it is stable.
>
> If you'd like to help with the wording of future notes, I encourage
> you to take part in the weekly OSSG meetings:
Where/when was this wording discussed though? I don't see anything about LXC
mentioned in the logs of the last two meetings in March. While IRC may be a
good place for ad-hoc discussions around an issue, I don't really think it is
a good forum for reviewing these final notices prior to an announcement. Due
to its real-time nature, IRC hits timezone problems which can prevent relevant
people from attending. A posting to an email list gives time for all relevant
parties to provide feedback.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|