The libvirt-sandbox project[1] is providing an API and command line tools for constructing application sandboxes. It uses either LXC or KVM virtualization via libvirt, to confine execution of an application binary, giving it a read-only view of the host root filesystem, with custom writable areas grafted onto selected paths. E.g. if running httpd inside a sandbox, we give it a private /etc/httpd and /var/www, etc.
The idea is to get the security isolation benefits of virtualization technology, without the administrative burden of extra OS installs that it normally entails. As such the only processes running inside each sandbox are the application being confined, and a minimal custom "init" binary provided by libvirt-sandbox itself.

As we expand our use cases though, particularly to cover the "secure containers" feature[2] in Fedora 17, it is clear that if we're not careful, our minimal "libvirt-sandbox-init-common" binary is going to turn into a poor man's copy of systemd. We want to avoid that, and instead actually make use of systemd directly.

Since the sandbox shares the same root filesystem as the host, we can't simply exec 'systemd' as is. We'll need to set up a few custom writable mounts, where we write out custom units / targets, and let systemd keep any state. So I'm trying to figure out just what is the absolute minimal setup we can configure for systemd.

Our primary target for development is to sandbox apache. So I'd like to figure out what minimal config / directory structure I need to create to run systemd and have it only run apache, and a login shell (for debug inside the sandbox). I'm guessing that I can perhaps get away with setting up an override of the host's /etc/systemd, and writing out custom basic.target and default.target unit files, which merely run httpd.unit and a shell?
Regards,
Daniel

[1] http://berrange.com/tags/libvirt-sandbox/
    http://libvirt.org/git/?p=libvirt-sandbox.git;a=summary
    https://fedoraproject.org/wiki/Features/VirtSandbox
[2] https://fedoraproject.org/wiki/Features/SecureContainers

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
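As an added illustration (not code from the original post, nor libvirt-sandbox's own), the shell function below stages the kind of minimal /etc/systemd/system override the post is asking about: a sandbox.target that pulls in only httpd.service and a debug shell, with default.target pointing at it. The unit names, the /dev/console TTY and /bin/sh are assumptions; httpd.service itself is expected to come from the host's read-only unit directory visible inside the sandbox.

```shell
#!/bin/sh
# Stage a minimal systemd unit tree under <staging_dir>/etc/systemd/system,
# meant to be grafted over the host's /etc/systemd inside the sandbox.
# Hypothetical layout for illustration; unit names and paths are assumptions.
build_sandbox_units() {
    root="$1"
    units="$root/etc/systemd/system"
    mkdir -p "$units"

    # The target that replaces default.target: nothing is started except
    # httpd and a debug shell, so no getty, no sockets, no host daemons.
    cat > "$units/sandbox.target" <<'EOF'
[Unit]
Description=Application sandbox target (httpd + debug shell)
Requires=httpd.service
Wants=sandbox-shell.service
AllowIsolate=yes
EOF

    # Debug shell attached to the sandbox console (path /bin/sh assumed).
    cat > "$units/sandbox-shell.service" <<'EOF'
[Unit]
Description=Debug shell inside the sandbox
After=httpd.service

[Service]
ExecStart=/bin/sh
StandardInput=tty
TTYPath=/dev/console
Restart=always
EOF

    # systemd boots into default.target; point it at our target.
    rm -f "$units/default.target"
    ln -s sandbox.target "$units/default.target"
}

# Sanity check on a staged tree: default.target resolves to our target,
# and the target/shell units carry the expected directives.
check_sandbox_units() {
    units="$1/etc/systemd/system"
    [ "$(readlink "$units/default.target")" = "sandbox.target" ] &&
    grep -q '^Requires=httpd.service$' "$units/sandbox.target" &&
    grep -q '^ExecStart=/bin/sh$' "$units/sandbox-shell.service"
}

if [ $# -gt 0 ]; then
    build_sandbox_units "$1" && check_sandbox_units "$1"
fi
```

Bind-mounting the staged etc/systemd over the sandbox's read-only /etc/systemd gives systemd a writable unit directory without touching the host's configuration.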
