Quoting pablo platt (pablo.pl...@gmail.com):
> I'll be happy to be the driving force but I need info from experts.
>
> Let's say the command will look like this:
> lxc-sandbox -n mybox /bin/bash
> Do you think that lxc-sandbox can use an API similar to libvirt-sandbox?
> http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox
>
> Will lxc-sandbox need to call lxc-execute with a predefined secure config?
> Will it need to use seccomp, apparmor, selinux or something else?

Thinking about it, I think it would look more like lxc-start-ephemeral. In fact, perhaps it could take the form of a '-f <extra-config-file>' flag to lxc-start-ephemeral, where we ship an example extra-config-file with commented apparmor, capabilities and seccomp configuration.

Note also that if at all possible, you'll probably want to be on the bleeding edge of both kernel and userspace and use user namespaces to rob the container of all privilege on the host.

-serge
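
A sketch of the kind of extra config file described in the reply above, together with a check that each layer it names (AppArmor, capabilities, seccomp, user namespaces) is actually set. This is an added example, not part of the original thread or of LXC itself; the `audit` helper, the sample file, its seccomp path and its ID ranges are assumptions made for illustration, and each key is listed in both its LXC 1.x spelling and the later renamed one.

```python
# Added example: confinement layers and the LXC config keys that enable them
# (legacy LXC 1.x key first, later renamed key second).
CHECKS = {
    "apparmor": ("lxc.aa_profile", "lxc.apparmor.profile"),
    "capabilities": ("lxc.cap.drop", "lxc.cap.keep"),
    "seccomp": ("lxc.seccomp", "lxc.seccomp.profile"),
    "user namespace": ("lxc.id_map", "lxc.idmap"),
}

# Constructed sample of an "extra config file"; path and ID ranges are placeholders.
SAMPLE_CONFIG = """\
# AppArmor: confine the container with the stock LXC profile
lxc.aa_profile = lxc-container-default
# Capabilities: drop what a sandboxed shell has no use for
lxc.cap.drop = sys_module sys_time mac_admin mac_override
# Seccomp: syscall filter, left commented out here (placeholder path)
#lxc.seccomp = /etc/lxc/sandbox.seccomp
# User namespace: container root maps to an unprivileged host range
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
"""

def parse(text):
    """Return {key: [values]} for active lines; LXC keys may repeat."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, []).append(value)
    return settings

def audit(text):
    """Return sorted findings; an empty list means every layer is configured."""
    settings = parse(text)
    layers = {name: [v for k in keys for v in settings.get(k, [])]
              for name, keys in CHECKS.items()}
    findings = [f"{name}: not configured" for name, vals in layers.items() if not any(vals)]
    if "unconfined" in layers["apparmor"]:
        findings.append("apparmor: profile is 'unconfined'")
    # A map of container ID 0 onto host ID 0 leaves container root as host root.
    for value in layers["user namespace"]:
        fields = value.split()
        if len(fields) == 4 and fields[1:3] == ["0", "0"]:
            findings.append(f"user namespace: '{value}' maps container root to host root")
    return sorted(findings)

print("\n".join(audit(SAMPLE_CONFIG)))
```

Run against the sample, the audit reports the commented-out seccomp line as the one missing layer.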