m...@linux.it (Marco d'Itri) writes:
> On Jan 30, Holger Levsen wrote:
>
>> > http://blog.bofh.it/debian/id_413
>> would you mind filing a bug about this?! Referring to your blog post is nice,
> Yes, since the upstream maintainers do not consider this to be a bug.
>
> --
> ciao,
> Marco
There a
On Tue, 07 Feb 2012, Marco d'Itri wrote:
> On Feb 07, Thomas Goirand wrote:
> > Are you trying to make the point that, with containers,
> > you wouldn't need ssh, and you would with VMs? If so,
> With *OpenVZ* I do not need sshd, ftpd and cron in the guest because
> I can use the one in the host.
On Tue, Feb 07, 2012 at 06:09:40PM +0100, Vincent Bernat wrote:
[...]
> It applies. The major point is that with containers, RAM is shared
> across containers (the same kernel is used for all containers). If one
> container needs for a few seconds 200 MB, it can just use them. No
> me
OoO On this cloudy early afternoon of Tuesday, 07 February 2012, around
14:00, Thomas Goirand said:
>> With vservers and OpenVZ you can run each service in its own container
>> with a small memory footprint. With Xen/KVM, you will need to allocate
>> at least 128 MB for each container.
>>
On Feb 07, Thomas Goirand wrote:
> Are you trying to make the point that, with containers,
> you wouldn't need ssh, and you would with VMs? If so,
With *OpenVZ* I do not need sshd, ftpd and cron in the guest because
I can use the one in the host.
It's a custom environment, but I have no way to d
On Wed, 8 Feb 2012, Thomas Goirand wrote:
> With Etch, 48 MB was enough. With Lenny, 64 MB was enough.
> With Squeeze, 96 MB is enough (the minimum is between 64 and
> 96 MB, I didn't care investigating). And with 96 MB, you can already
> run a DNS server, OpenVPN, or a (very basic) mail server. T
On 02/03/2012 08:53 PM, Adam Borowski wrote:
>> ssh works.
>>
> It triples the memory footprint of an empty Debian container (init + syslogd +
> cron[1]), and adds a new daemon that can be potentially subverted.
>
> Of course, usually sshd is strongly preferred (so much better than needing
> n
On 02/03/2012 01:55 AM, Vincent Bernat wrote:
> With vservers and OpenVZ you can run each service in its own container
> with a small memory footprint. With Xen/KVM, you will need to allocate
> at least 128 MB for each container.
>
NO ! The limit isn't that great.
With Etch, 48 MB was enoug
On Sat, Feb 04, 2012 at 05:15:26PM +0100, Marco d'Itri wrote:
> On Feb 03, Bastian Blank wrote:
>
> > > http://blog.bofh.it/debian/id_413
> > This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
> > just mount the root filesystem into your own tree.
> >
> > Linux-VServer does
On Feb 03, Bastian Blank wrote:
> > http://blog.bofh.it/debian/id_413
> This example shows nothing new. If you have CAP_SYS_MOUNT, you can also
> just mount the root filesystem into your own tree.
>
> Linux-VServer does not help against processes with too much
> capabilities, not sure about Open
On Fri, Feb 03, 2012 at 12:31:03PM +0100, Bastian Blank wrote:
> On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> > On Jan 30, Adam Borowski wrote:
> > > It would be nice to have some documentation about how lxc is different
> > > from
> > > them, and how to work around bugs and li
On Wed, Feb 01, 2012 at 07:37:38PM +, Moritz Naumann wrote:
> So there are obvious issues with LXC as a container solution for Linux, such
> as
> lacking actual containment (for the root user)
No, it is not obvious. If you give a process a certain permission, it
can use it. If you remove this
On Mon, Jan 30, 2012 at 02:31:15AM +0100, Marco d'Itri wrote:
> On Jan 30, Adam Borowski wrote:
> > It would be nice to have some documentation about how lxc is different from
> > them, and how to work around bugs and limitations. I for one spent ~10
> Let's start with this: in its current form,
unsubscribe
On Sun, Jan 29, 2012 at 1:22 PM, Ben Hutchings wrote:
> Debian 7.0 'wheezy' will include Linux 3.2. This is currently in
> unstable and will soon enter testing.
>
> The kernel team is open to backporting some features from later kernel
> versions, particularly to support newer hardw
OoO On this lightning-streaked night of Thursday, 02 February 2012, around 02:21,
Russell Coker said:
>> However, a low profile container/virtualization solution is needed, and I
>> know there is quite some demand for it: both some larger scale
>> organisations and several smaller/non-profit organisati
On Thu, 2012-02-02 at 09:29 +0200, Jonathan Carter (highvoltage) wrote:
[...]
> We tried the 2.6.32 VZ kernel on squeeze / wheezy / lucid / precise -
> and it works.
That's what I would expect, but it's good to know.
> We have a PPA[1] for our experimental packages too. We
> might run into bugs
On 02.02.2012 02:21 Russell Coker wrote:
> Are there many users who need root containment but who won't have the
> resources to run Xen or KVM when the support for Squeeze ends?
I am convinced there are several hosting providers and NGOs who use
linux-vservers for (amongst other) the purpose of r
Hi Russell
On 02/02/2012 03:21, Russell Coker wrote:
However, a low profile container/virtualization solution is needed, and I
know there is quite some demand for it: both some larger scale
organisations and several smaller/non-profit organisations I am acquainted
with use either OpenVZ or linux
On Feb 02, Russell Coker wrote:
> Are there many users who need root containment but who won't have the
> resources to run Xen or KVM when the support for Squeeze ends?
Are there many users who like to waste resources (mostly RAM, here) for
no good reason?
--
ciao,
Marco
On Thu, 2 Feb 2012, Moritz Naumann wrote:
> So there are obvious issues with LXC as a container solution for Linux,
> such as lacking actual containment (for the root user), which defeats its
> purpose in production environments as a linux-vserver or OpenVZ
> replacement.
>
> However, a low prof
On 02/02/2012 03:37 AM, Moritz Naumann wrote:
> So there are obvious issues with LXC as a container solution for Linux, such
> as
> lacking actual containment (for the root user), which defeats its purpose in
> production environments as a linux-vserver or OpenVZ replacement.
>
> However, a low p
So there are obvious issues with LXC as a container solution for Linux, such as
lacking actual containment (for the root user), which defeats its purpose in
production environments as a linux-vserver or OpenVZ replacement.
However, a low profile container/virtualization solution is needed, and I
On Mon, 2012-01-30 at 08:02 -0500, Brad Spengler wrote:
> Frankly it makes more sense for me to offer .debs myself than to deal
> with a bureaucracy and non-standard kernel in Debian. It contains
> who-knows-what extra code, and I doubt anyone looked at any of it to see if
> it allows for some
On Monday, 30 January 2012, 11:44:10, Marco d'Itri wrote:
> On Jan 30, Holger Levsen wrote:
> > > http://blog.bofh.it/debian/id_413
> >
> > would you mind filing a bug about this?! Referring to your blog post is
> > nice,
>
> Yes, since the upstream maintainers do not consider this to be a bug.
[Brad Spengler]
> Frankly it makes more sense for me to offer .debs myself than to deal
> with a bureaucracy and non-standard kernel in Debian. It contains
> who-knows-what extra code, and I doubt anyone looked at any of it to
> see if it allows for some way to leak information I prevent against
On Mon, 2012-01-30 at 11:05 +0100, Yves-Alexis Perez wrote:
> (adding few CC:s to keep track on the bug)
>
> On Sun., 2012-01-29 at 21:26 +, Ben Hutchings wrote:
> > On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> > > On Sun., 2012-01-29 at 18:22 +, Ben Hutchings wrote:
> > >
> Indeed. Brad, I'm not sure if you received the initial mail, so if you
> have any comment???
It looks like there were quite a few messages I wasn't involved in ;)
Regarding minimizing the patchset, we do that already where we see
opportunities to do so. We used to carry a large constifying
On 01/30/2012 01:44 AM, Adam Borowski wrote:
[...]
> * how to ensure good isolation while still being able to do useful work?
> The point of vserver is that even root inside a VM shouldn't be able to
> affect the host, on lxc you keep hurting the host by accident. Messing
> with capabiliti
On Jan 30, Holger Levsen wrote:
> > http://blog.bofh.it/debian/id_413
> would you mind filing a bug about this?! Referring to your blog post is nice,
Yes, since the upstream maintainers do not consider this to be a bug.
--
ciao,
Marco
(adding few CC:s to keep track on the bug)
On Sun., 2012-01-29 at 21:26 +, Ben Hutchings wrote:
> On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> > On Sun., 2012-01-29 at 18:22 +, Ben Hutchings wrote:
> > > Featuresets
> > > ---
> > >
> > > The only featureset provid
Hi Marco,
thanks for these infos!
On Monday, 30 January 2012, Marco d'Itri wrote:
> Let's start with this: in its current form, it is not designed to
> protect the host system from an untrusted root user in a guest.
> So far lxc is nice for testing, but not much more.
> http://blog.bofh.it/debian
On Jan 30, Adam Borowski wrote:
> lxc wasn't anywhere near feature parity with vserver/openvz then.
And it still isn't.
> It would be nice to have some documentation about how lxc is different from
> them, and how to work around bugs and limitations. I for one spent ~10
Let's start with this: i
On Sun, Jan 29, 2012 at 09:26:11PM +, Ben Hutchings wrote:
> On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> > On dim., 2012-01-29 at 18:22 +, Ben Hutchings wrote:
> > > Featuresets
> > > ---
> > >
> > > The only featureset provided will be 'rt' (realtime)
> > >
> >
On Sun, 2012-01-29 at 21:26 +, Ben Hutchings wrote:
> > So in the end what are the reasons for not trying the grsecurity
> > featureset? #605090 lacks any reply from the kernel team since quite a
> > while, and especially after answers were provided to question asked.
Whew I'd also be waiti
On Sun, 2012-01-29 at 20:57 +0100, Yves-Alexis Perez wrote:
> On dim., 2012-01-29 at 18:22 +, Ben Hutchings wrote:
> > Featuresets
> > ---
> >
> > The only featureset provided will be 'rt' (realtime), currently built
> > for amd64 only. If there is interest in realtime support for oth
On Sun., 2012-01-29 at 18:22 +, Ben Hutchings wrote:
> Featuresets
> ---
>
> The only featureset provided will be 'rt' (realtime), currently built
> for amd64 only. If there is interest in realtime support for other
> architectures, we may be able to add that. However, we do need to