[gentoo-user] Virtual machines, and creating bootable images
I am looking at creating a gentoo install which I can use for my hosted servers. The documentation I have seen about doing so is to mount an "ISO" and then dd the mounted device to a data drive, make the data drive bootable (set it in the settings for the hosting provider) and attach it to a server.

I want to be able to build these images and test them in a virtual machine on my local server, then end up doing what I need on the hosting provider to get them in place.

Quick research hasn't given me any clear guidance as to how I can export the virtual machine (i.e. what even can do this) to an image that can be copied to a drive to produce a bootable drive.

Anyone have some good starting points to think about this?

Jigme Datse Yli-Rasku

--
Jigme Datse Yli-Rasku
jigme.da...@datsemultimedia.com (Preferred address for new messages)
[gentoo-user] Re: Layman and Git branch
nucleus.it> writes:

> I have a profile for my config, additional ebuilds, packages etc but
> I'm looking for the best way to have a production-profile and a
> devel-profile.

You're not alone.

> Better have two separated git repos, one for production and one for devel?
> Or better one git repo and use branch functions?

Good question.

> With Layman and two git repos I can sync each repo when I want and I can
> enable/disable one of them to switch from/to production/devel.
> I don't know how to do that directly with git.

OK, so I have mentioned the need for a structured (preferred or suggested) pathway for users to use git, in all of the common needs, the gentoo-way. Aka, a document or collection of docs in the gentoo-wiki, related to common user usages all the way through becoming a 'strong-user' and into the proxy-maint system.

I think it is time to file a bug (documentation request) @ bugs.gentoo.org formally requesting some documentation on git(hub) that is gentoo specific. That way everyone with questions, ideas and anecdotes can 'pile on' and so the process gets started to document preferred/supported ways to use git with gentoo. There are lots of hints floating around so a FAQ or basic document is in order, imho.

But, being so vocal on this topic, I'd really be encouraged if someone else opened up a formal (bug) request for some basic git documentation that is gentoo centric. Posting the bug number back to this list could then encourage constructive ideas and anecdotes.

hth,
James

> Best regards
> Marco
>
> On Thu, 16 Jun 2016 11:46:12 -0700
> Bryan Gardiner khumba.net> wrote:
>
> > On Thu, 16 Jun 2016 17:52:26 +0200
> > marco nucleus.it wrote:
> >
> > > Hi,
> > > i have a layman git profile to store my stuff.
> > >
> > > Is it possible to force layman -S to sync a specific branch?
> >
> > This is speculation (and a bit of looking at Portage code), since I
> > haven't tried this. Ignoring Layman, repos.conf repositories support
> > syncing[1], so does it work to create:
> >
> > /etc/portage/repos.conf/myrepo.conf:
> >
> > [myrepo]
> > location = /path/to/local/repo
> > sync-type = git
> > sync-uri = git://...
> > auto-sync = yes
> >
> > and just emerge --sync? If you didn't have the local repo already
> > then it would clone and use master, but I suspect that you can switch
> > branches afterward, and Portage will simply call "git pull".
> >
> > There also seem to be extra options "sync-git-clone-extra-opts" and
> > "sync-git-pull-extra-opts" for git modules, so you might be able to
> > set:
> >
> > sync-git-clone-extra-opts = --branch somebranch
> >
> > to fix initially checking out master.
> >
> > HTH,
> > Bryan
> >
> > [1] https://wiki.gentoo.org/wiki/Project:Portage/Sync
Re: [gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?
On 2016-06-17 15:05, Zhu Sha Zang wrote:
> Please, open a bug report: bugs.gentoo.org

I reported: https://bugs.gentoo.org/show_bug.cgi?id=586188

Thank you Zhu Sha Zang for your response.

Regards,
Hogren

> Regards.
>
> On Fri, 17 Jun 2016 13:45:42 +0200 Hogren wrote:
> > Hey Hey, I found it!
> >
> > I emerged cpio and re-emerged gzip.
> >
> > I am not a very experienced gentoo user. Do I have to alert the gzip
> > maintainer(s)? There may be a USE flag (cpio) to add (by default or not)
> > to gzip.
> >
> > Thanks for your help.
> >
> > Hogren
> >
> > On 2016-06-17 10:08, Hogren wrote:
> > > Hello,
> > >
> > > I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.
> > >
> > > my build log:
> > >
> > > rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
> > > tar: This does not look like a tar archive
> > > tar: Exiting with failure status due to previous errors
> > > [rest of the build log snipped; it is quoted in full in the original message of this thread]
> > >
> > > It sounds like a problem with the rpm file.
> > >
> > > Does anybody have the same problem or do I have to search about rpm2tar?
> > >
> > > Thank you very much !!!
> > >
> > > Hogren
Re: [gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?
Please, open a bug report: bugs.gentoo.org

Regards.

On Fri, 17 Jun 2016 13:45:42 +0200 Hogren wrote:
> Hey Hey, I found it!
>
> I emerged cpio and re-emerged gzip.
>
> I am not a very experienced gentoo user. Do I have to alert the gzip
> maintainer(s)?
> There may be a USE flag (cpio) to add (by default or not) to gzip.
>
> Thanks for your help.
>
> Hogren
>
> On 2016-06-17 10:08, Hogren wrote:
> > Hello,
> >
> > I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.
> >
> > my build log:
> >
> > rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
> > tar: This does not look like a tar archive
> > tar: Exiting with failure status due to previous errors
> > [rest of the build log snipped; it is quoted in full in the original message of this thread]
> >
> > It sounds like a problem with the rpm file.
> >
> > Does anybody have the same problem or do I have to search about rpm2tar?
> >
> > Thank you very much !!!
> >
> > Hogren
Re: [gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?
Hey Hey, I found it!

I emerged cpio and re-emerged gzip.

I am not a very experienced gentoo user. Do I have to alert the gzip maintainer(s)? There may be a USE flag (cpio) to add (by default or not) to gzip.

Thanks for your help.

Hogren

On 2016-06-17 10:08, Hogren wrote:
> Hello,
>
> I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.
>
> my build log:
>
> rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
> tar: This does not look like a tar archive
> tar: Exiting with failure status due to previous errors
> [rest of the build log snipped; it is quoted in full in the original message of this thread]
>
> It sounds like a problem with the rpm file.
>
> Does anybody have the same problem or do I have to search about rpm2tar?
>
> Thank you very much !!!
>
> Hogren
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Fri, Jun 17, 2016 at 3:16 AM, Andrew Savchenko wrote:
> On Thu, 16 Jun 2016 22:35:24 -0400 waltd...@waltdnes.org wrote:
>> I don't follow this stuff, so this may be a stupid question... how
>> does a "container" or "docker" differ from a chroot or a QEMU VM with a
>> minimal set of applications?
>
> Due to reasons above I prefer container solutions like LXC over VM
> for security: they give approximately the same level of protection
> as VM, but resources cost is much lower. Of course it is still
> possible to break any container through L3 cache or some kernel
> bugs, so for really tight security independent hardware and OS must
> be used.

Containers on Linux aren't nearly as secure as a VM right now. Certainly the intent is for them to get there, and if you find a way to break out of a container the kernel team would certainly accept it as a bug and fix it. However, I don't think most of the big names in Linux would rate it on the same level as a VM.

As you've pointed out, VMs aren't perfect, though I'm not aware of any way to actually defeat any of the popular ones (and if there were, they'd almost certainly patch it). I'll certainly acknowledge that there is a larger attack surface than separate hosts (and it isn't like those are invulnerable either - who knows what bug exists in an ethernet card somewhere).

Containers are a lot more secure than chroots though. Non-root in a container is generally considered to be fairly secure - it is an additional layer on top of normal user privilege isolation.

Containers are generally a lot more convenient than chroots as well, simply because there are fewer compatibility issues and constraints inside. If you want to run sysvinit/openrc or systemd inside your container you can, and that isn't really possible inside a chroot. Of course, you don't have to, but at least you have the option.

The biggest selling point for a container is the resource requirements. The overhead to run a container with systemd inside is only a few MB. If you're running a container without a service manager the overhead is even less. You could never run a VM with only a few MB of RAM. The main constraint on RAM use for a container is the fact that you're not sharing libraries with the host. Otherwise they're just processes with different namespace values in the kernel (EVERY process runs in a set of namespaces, even if you're not using containers - by default they just all have the same set of values). Any solution that bundles the libraries with the package is going to use a similar amount of RAM.

Also, launching a process in a new namespace takes the same amount of time as launching a process in the same namespace, minus the trivial time required to page in libraries and such. A VM takes seconds to boot, vs the milliseconds for a container. In terms of overhead containers and chroots are almost identical.

The biggest selling point for not just running everything on the host is isolation. I have a container that just runs mariadb. When I do an emerge -u world it is like updating any other Gentoo host, but when I'm done I fire off a bunch of tests to make sure mariadb is working, and if it works I know I'm done. When I was running everything on a single host I'd inevitably do an emerge -u world and occasionally have something random break. Short of testing everything every time I do an update it is hard to avoid that sort of thing. Of course, I end up having to run a lot more updates, but I don't have to do them all at once and I can update the container for each service on an appropriate schedule.

--
Rich
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
oh yeah, forgot the catchy name. Mea culpa.

2016-06-17 10:52 GMT+02:00 Neil Bothwick :
> On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:
>
> > soo... why not compile everything statically in the first place? and
> > put it in HOME?
>
> Because that's not new and shiny with a catchy name!
>
> --
> Neil Bothwick
>
> Windows Error #02: Multitasking attempted. System confused.
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Fri, 17 Jun 2016 10:28:10 +0200, Volker Armin Hemmann wrote:

> soo... why not compile everything statically in the first place? and
> put it in HOME?

Because that's not new and shiny with a catchy name!

--
Neil Bothwick

Windows Error #02: Multitasking attempted. System confused.
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
soo... why not compile everything statically in the first place? and put it in HOME?

2016-06-17 9:18 GMT+02:00 Andrew Savchenko :
> On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
> >
> > On 16/06/16 at 11:27, James wrote:
> > > One word SECURITY? Trust but verify does come to mind.
> > >
> >
> > The snaps come to "replace" a lack of security that is in Linux, in
> > addition to facilitating the installation of all applications from the
> > user-space without root privileges.
>
> Replace lack of security, really? It will create it in the long
> run due to outdated unmaintained third-party bundled software.
>
> Best regards,
> Andrew Savchenko
Re: [gentoo-user] Layman and Git branch
I have a profile for my config, additional ebuilds, packages etc but I'm looking for the best way to have a production-profile and a devel-profile.

Better have two separated git repos, one for production and one for devel? Or better one git repo and use branch functions?

With Layman and two git repos I can sync each repo when I want and I can enable/disable one of them to switch from/to production/devel. I don't know how to do that directly with git.

Best regards
Marco

On Thu, 16 Jun 2016 11:46:12 -0700 Bryan Gardiner wrote:
> On Thu, 16 Jun 2016 17:52:26 +0200
> ma...@nucleus.it wrote:
>
> > Hi,
> > i have a layman git profile to store my stuff.
> >
> > Is it possible to force layman -S to sync a specific branch?
>
> This is speculation (and a bit of looking at Portage code), since I
> haven't tried this. Ignoring Layman, repos.conf repositories support
> syncing[1], so does it work to create:
>
> /etc/portage/repos.conf/myrepo.conf:
>
> [myrepo]
> location = /path/to/local/repo
> sync-type = git
> sync-uri = git://...
> auto-sync = yes
>
> and just emerge --sync? If you didn't have the local repo already
> then it would clone and use master, but I suspect that you can switch
> branches afterward, and Portage will simply call "git pull".
>
> There also seem to be extra options "sync-git-clone-extra-opts" and
> "sync-git-pull-extra-opts" for git modules, so you might be able to
> set:
>
> sync-git-clone-extra-opts = --branch somebranch
>
> to fix initially checking out master.
>
> HTH,
> Bryan
>
> [1] https://wiki.gentoo.org/wiki/Project:Portage/Sync
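As an added example (not code from Bryan's or Marco's posts, nor Portage's own), here is a small checker that reads a repos.conf laid out the way Bryan sketches and extended to the production/devel split Marco asks about: two sections share one sync-uri but pin different branches through sync-git-clone-extra-opts, and the checker reports which branch each repository would actually track. The section names, locations and the example.invalid URI are constructed for the demonstration.

```python
"""Report which git branch each repos.conf repository is pinned to.

Constructed repos.conf (not from any real system): two sections share one
sync-uri but pin different branches via sync-git-clone-extra-opts, which
is how one git repo can carry a production profile and a devel profile.
"""
import configparser
import shlex

REPOS_CONF = """
[myrepo-prod]
location = /var/db/repos/myrepo-prod
sync-type = git
sync-uri = git://example.invalid/myrepo.git
auto-sync = yes
sync-git-clone-extra-opts = --branch production

[myrepo-devel]
location = /var/db/repos/myrepo-devel
sync-type = git
sync-uri = git://example.invalid/myrepo.git
auto-sync = no
sync-git-clone-extra-opts = --depth 1 --branch devel

[unpinned]
location = /var/db/repos/unpinned
sync-type = git
sync-uri = git://example.invalid/other.git
auto-sync = yes
"""


def branch_from_clone_opts(opts):
    """Return the branch named by --branch/-b (or --branch=X) in git clone options, else None."""
    tokens = shlex.split(opts or "")
    for i, tok in enumerate(tokens):
        if tok in ("--branch", "-b") and i + 1 < len(tokens):
            return tokens[i + 1]
        if tok.startswith("--branch="):
            return tok.split("=", 1)[1]
    return None


def parse_repos_conf(text):
    """Map repo name -> {uri, auto_sync, branch} for sync-type = git repos.

    branch is None when no --branch is given: the clone then follows the
    remote's default branch (master, in the thread) rather than a pinned one.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    repos = {}
    for name in cp.sections():
        sect = cp[name]
        if sect.get("sync-type") != "git":
            continue
        repos[name] = {
            "uri": sect.get("sync-uri"),
            "auto_sync": sect.getboolean("auto-sync", fallback=False),
            "branch": branch_from_clone_opts(sect.get("sync-git-clone-extra-opts")),
        }
    return repos


def unpinned_autosync(repos):
    """Repos that emerge --sync updates automatically without a pinned branch."""
    return sorted(n for n, r in repos.items() if r["auto_sync"] and r["branch"] is None)


if __name__ == "__main__":
    parsed = parse_repos_conf(REPOS_CONF)
    for name, info in parsed.items():
        print(f"{name}: {info['uri']} branch={info['branch']} auto-sync={info['auto_sync']}")
    print("auto-sync repos not pinned to a branch:", unpinned_autosync(parsed))
```

Running it lists the production and devel sections against the same URI with their respective branches, and flags the third section as one that would silently follow whatever the remote default branch becomes.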
[gentoo-user] media-fonts/urw-fonts-2.4.9 - problem with the tar archive ?
Hello,

I have a problem when I try to emerge media-fonts/urw-fonts-2.4.9.

my build log:

 * Package:    media-fonts/urw-fonts-2.4.9
 * Repository: gentoo
 * Maintainer: fo...@gentoo.org
 * USE:        X abi_x86_64 amd64 elibc_glibc kernel_linux userland_GNU
 * FEATURES:   preserve-libs sandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking urw-fonts-2.4-9.fc13.src.rpm to /var/tmp/portage/media-fonts/urw-fonts-2.4.9/work
rpm2tar: /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm: failed to extract cpio via gzip (not actually an RPM?)
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
 * ERROR: media-fonts/urw-fonts-2.4.9::gentoo failed (unpack phase):
 *   failure unpacking /var/tmp/portage/media-fonts/urw-fonts-2.4.9/distdir/urw-fonts-2.4-9.fc13.src.rpm
 *
 * Call stack:
 *     ebuild.sh, line 133:  Called src_unpack
 *   environment, line 2295:  Called rpm_src_unpack
 *   environment, line 2250:  Called srcrpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2300:  Called rpm_unpack 'urw-fonts-2.4-9.fc13.src.rpm'
 *   environment, line 2278:  Called die
 * The specific snippet of code:
 *       rpm2tar -O "${a}" | tar xf - || die "failure unpacking ${a}";
 *
 * If you need support, post the output of `emerge --info '=media-fonts/urw-fonts-2.4.9::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-fonts/urw-fonts-2.4.9::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/temp/environment'.
 * Working directory: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'
 * S: '/var/tmp/portage/media-fonts/urw-fonts-2.4.9/work'

It sounds like a problem with the rpm file.

Does anybody have the same problem or do I have to search about rpm2tar?

Thank you very much !!!

Hogren
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, 16 Jun 2016 19:30:49 -0400 José Maldonado wrote:
>
> On 16/06/16 at 11:27, James wrote:
> > One word SECURITY? Trust but verify does come to mind.
> >
>
> The snaps come to "replace" a lack of security that is in Linux, in
> addition to facilitating the installation of all applications from the
> user-space without root privileges.

Replace lack of security, really? It will create it in the long run due to outdated unmaintained third-party bundled software.

Best regards,
Andrew Savchenko
Re: [gentoo-user] Re: Gentoo is supporting officially Snap packages?
On Thu, 16 Jun 2016 22:35:24 -0400 waltd...@waltdnes.org wrote:
> On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote
> > On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon wrote:
> > >
> > > I don't see the part where all these latest fancy container thingymagicies
> > > are not really just "embed everything in everything"
> > >
> > > We've known for years the dangers of embedding stuff in packages (it
> > > hardly ever gets updated properly)
> > >
> >
> > Well, that strikes me as being true of these self-contained packages,
> > but it isn't necessarily true of containers in general.
> >
> > I run most of my services in containers, and they're just Gentoo
> > installations with a really small world file. Things are just as
> > up-to-date as they would be if I ran it all in a single host.
> >
> > Now, if you're the sort of person who just grabs some random docker
> > image from who knows where, then sure you're getting a big bundle of
> > stuff that may or may not be maintained for security. This is no
> > different.
>
> I don't follow this stuff, so this may be a stupid question... how
> does a "container" or "docker" differ from a chroot or a QEMU VM with a
> minimal set of applications?

There is one common misconception, that chroot is a security measure. This is wrong! Chroot is not a security function at all. It is extremely easy to exit chroot [1] if you have root access inside the chroot (AFAIK with PaX/grsecurity it is possible to deny this, but this is another story). So if you are using chroot for security, forget about security, you have no security at all. This syscall was designed for other needs.

TL;DR: inside the chroot do as root: mkdir foo; chroot foo; cd ..

A QEMU VM (as well as other VMs) can provide you some degree of security at the cost of performance and system resources. Inside a VM you have an independent (fully or paravirtualized) kernel and environment. But it is still possible to exit it using hypervisor bugs or hardware-based attacks like the L3 cache attack [2]. Yes, if one has a modern Intel or AMD CPU with SSE2 and L3 cache enabled, forget about tight security too.

Due to reasons above I prefer container solutions like LXC over VM for security: they give approximately the same level of protection as VM, but resources cost is much lower. Of course it is still possible to break any container through L3 cache or some kernel bugs, so for really tight security independent hardware and OS must be used.

[1] https://lwn.net/Articles/252794/
[2] https://www.usenix.org/node/184416

Best regards,
Andrew Savchenko