On Mon, 15.06.15 21:15, Chris Morgan ([email protected]) wrote:

> On a somewhat related topic, are many people making use of nspawn
> containers in production or test environments? I was a little surprised by
> the issues I had when trying them out with f21. f22 seems smoother but
> still required the audit=0 and I think I had to disable selinux to set the
> password but I was trying for a while with a blank password so...
>
> But yeah, was wondering if there were known users of nspawn containers that
> discussed their use cases.
Until recently the man page clarified that it was a tool for debugging things only. However, we removed that recently, because I noticed that people *are* using it in production now. Also, the rkt guys use it as a backend for their stuff these days.

Turning off audit is not necessary anymore since we did the seccomp hack, at least on x86-64. It's still necessary to turn it off explicitly on i386. Also note that even on i386 it's not necessary to turn off auditing when you use Debian or Ubuntu in the container; only running Fedora/Red Hat inside a container requires this (because only Fedora's PAM is weird).

My guess is that most people who run nspawn turn off SELinux though, or don't use Fedora, since SELinux appears to be pretty much a Fedora/Red Hat-only thing.

Both the SELinux and audit issues apply to all container managers that are supposed to run full distros inside, not only nspawn.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
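The audit caveat in the reply above, turned into a pre-flight check you can run against a container rootfs before starting it with nspawn. This is an added example written for this page; it is not code from the thread or from systemd. It assumes the rootfs carries /etc/os-release, takes the host architecture from uname -m and the kernel command line from /proc/cmdline, and treats every non-x86-64 host the same way as i386, which is this example's own conservative choice rather than something the message states; the helper names are its own as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from systemd: a pre-flight check
# that encodes the rule of thumb in the reply above. On x86-64 nspawn's seccomp
# filter makes audit=0 on the host unnecessary; on i386 a container running a
# Fedora/RHEL-family userland still needs the host booted with audit=0, while
# Debian/Ubuntu containers do not. Treating every non-x86-64 host like i386 is
# this example's own conservative assumption, as are all helper names.

# osrel_field FILE KEY: print the value of KEY= from an os-release file
# (quotes stripped, empty if the file or key is missing)
osrel_field() {
    [ -r "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d '"'
}

# is_fedora_family ID ID_LIKE: true when the distro derives from Fedora/RHEL,
# i.e. ships the PAM stack that misbehaves without a usable audit subsystem
is_fedora_family() {
    for word in $1 $2; do
        case "$word" in
            fedora|rhel|centos) return 0 ;;
        esac
    done
    return 1
}

# needs_audit_off ARCH ID ID_LIKE: true when the host kernel must be booted
# with audit=0 before this container's logins/password changes will work
needs_audit_off() {
    case "$1" in
        x86_64) return 1 ;;                    # seccomp hack covers this arch
        *)      is_fedora_family "$2" "$3" ;;  # i386 (and, conservatively, anything else)
    esac
}

# host_audit_is_off CMDLINE: true when the kernel command line carries audit=0
host_audit_is_off() {
    for word in $1; do
        [ "$word" = "audit=0" ] && return 0
    done
    return 1
}

# check_tree DIR: run the check for the container rootfs at DIR on this host;
# returns non-zero when the host still needs audit=0 for it
check_tree() {
    tree="$1"
    id=$(osrel_field "$tree/etc/os-release" ID)
    like=$(osrel_field "$tree/etc/os-release" ID_LIKE)
    arch=$(uname -m)
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    if ! needs_audit_off "$arch" "$id" "$like"; then
        echo "$tree: ${id:-unknown} on $arch: no need for audit=0"
    elif host_audit_is_off "$cmdline"; then
        echo "$tree: ${id:-unknown} on $arch needs audit=0 and the host has it"
    else
        echo "$tree: ${id:-unknown} on $arch needs audit=0 but the host was not booted with it" >&2
        return 1
    fi
}

# usage: sh nspawn-audit-check.sh /var/lib/machines/fedora
if [ $# -gt 0 ]; then
    check_tree "$1"
fi
```

The check deliberately looks at ID_LIKE as well as ID, so CentOS or other Fedora/RHEL derivatives are caught, while Ubuntu (ID_LIKE=debian) is correctly left alone. It does not cover the separate SELinux issue from the thread; that one depends on the host policy, not on anything visible in the rootfs.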
