Re: [Lxc-users] LXC on RHEL/CentOS 5.5 Host?

2011-01-14 Thread Cal Webster
On Fri, 2011-01-14 at 09:58 -0800, Noah Campbell wrote:
> I was also looking at a similar configuration.
> 
> If you can upgrade your kernel, you have a shot.  
> http://lxc.sourceforge.net/index.php/about/kernel-namespaces/  gives the 
> minimum kernel for a particular configuration.
> 
> -Noah

Thanks for the reply, Noah.

I cannot use kernels from the "upstream" source tree or those that are
based upon it because RHEL kernels don't track directly with the latest
kernel source. I'm hoping that either someone has ported LXC features
and tools to RHEL/CentOS 5 or patches exist for the RHEL/CentOS 5
kernels.

RHEL/CentOS kernels, as well as the software within the distro, cannot
necessarily be judged by their version numbers. As any RHEL maintainer
will tell you, Red Hat back-ports all security and bug fixes, and many
feature updates to the version that existed when the major version was
released. Very few applications, servers, or utilities are upgraded to
current version numbers. Instead, after an update minor revision numbers
are incremented and/or appended to the package name. 

For example, Red Hat just released its 6th maintenance update to RHEL 5
yesterday containing a pile of security updates, bug-fixes, and
enhancements to over 150 applications, including the kernel and gcc
tools and libs. While the version numbers bear no resemblance to the
latest kernel, tools and apps, all security flaws and important
bugs have been resolved and some upstream features included.

With the release of RHEL 6, RHEL 5 has entered production phase 2. At
the end of production phase 3 in March 2014 security patches and bug
fixes will stop. So there are at least 3 more years of life. I'm sure
our organization will be required to support it even beyond that time,
though.

Regards,

Cal Webster
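
As an added example (not code from the thread or the LXC project), the following POSIX shell check inspects a kernel .config for the namespace and cgroup options the lxc tools need, which is the only meaningful test on a back-ported distro kernel whose version string says nothing about its features. The option list is an assumption to be cross-checked against the kernel-namespaces page Noah linked, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: judge LXC readiness by the kernel's
# build configuration rather than its version string. On a back-ported
# distro kernel (CentOS 5's 2.6.18-194.el5) uname -r reveals nothing about
# which namespace and cgroup options were actually compiled in.

# Assumed list of options the 2011-era lxc tools require; cross-check it
# against the kernel-namespaces page referenced in the thread.
LXC_REQUIRED_OPTS="CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS
CONFIG_PID_NS CONFIG_NET_NS CONFIG_CGROUPS CONFIG_CGROUP_DEVICE
CONFIG_CPUSETS CONFIG_VETH"

# Print each required option that is absent or "is not set" in the given
# kernel .config (e.g. /boot/config-$(uname -r), or `zcat /proc/config.gz`
# saved to a file). Built-in (=y) and module (=m) both count as present.
check_kernel_config() {
    config="$1"
    for opt in $LXC_REQUIRED_OPTS; do
        grep -q "^${opt}=[ym]\$" "$config" || echo "$opt"
    done
    return 0
}

# Exit 0 when nothing is missing, 1 otherwise.
lxc_ready() {
    [ -z "$(check_kernel_config "$1")" ]
}

# Constructed sample resembling a RHEL 5 style config: a few namespace
# options back-ported, the rest absent or explicitly disabled.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
# CONFIG_PID_NS is not set
# CONFIG_NET_NS is not set
CONFIG_CGROUPS=y
CONFIG_VETH=m
EOF

if lxc_ready "$SAMPLE_CONFIG"; then
    echo "kernel config satisfies LXC requirements"
else
    echo "missing LXC prerequisites:"
    check_kernel_config "$SAMPLE_CONFIG"
fi
```

Run it against the real config with `check_kernel_config /boot/config-$(uname -r)`; an empty result means the option list is satisfied regardless of what the version string suggests.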

--
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] LXC on RHEL/CentOS 5.5 Host?

2011-01-14 Thread Serge E. Hallyn
Quoting Cal Webster (cwebs...@ec.rr.com):
> On Fri, 2011-01-14 at 11:59 -0600, Serge E. Hallyn wrote:
> > Quoting Cal Webster (cwebs...@ec.rr.com):
> > > I've looked at OpenVZ but it apparently cannot coexist with SELinux,
> > 
> > Do you know why?  Do you have any references for this?
> 
> None of the OpenVZ forum members could cite any references or explain
> this. None of the on-line documentation goes into detail. The only
> references to SELinux I could find said that SELinux _must_ be disabled
> before bringing up the OpenVZ kernel, which is compiled without SELinux
> support.
> 
> The only forum member that answered my post just said that "OpenVZ
> introduces many hacks to the kernel. If you read the code, you'll know
> what this is about." That's when he suggested I look at LXC. Before I
> spent the time to read through their kernel hacks I decided to see what
> LXC offered. That's when I discovered the problem with available kernel
> versions.

Hmm - well selinux isn't magic - it does need its hooks to be in the
right places, so if openvz is providing ways around the hooks, then
yeah it might "work" but not actually be enforcing anything effectively.
So, not having looked at the openvz patch myself recently, I guess I'd
take their word for it :)

-serge



Re: [Lxc-users] LXC on RHEL/CentOS 5.5 Host?

2011-01-14 Thread Cal Webster
On Fri, 2011-01-14 at 11:59 -0600, Serge E. Hallyn wrote:
> Quoting Cal Webster (cwebs...@ec.rr.com):
> > I've looked at OpenVZ but it apparently cannot coexist with SELinux,
> 
> Do you know why?  Do you have any references for this?

None of the OpenVZ forum members could cite any references or explain
this. None of the on-line documentation goes into detail. The only
references to SELinux I could find said that SELinux _must_ be disabled
before bringing up the OpenVZ kernel, which is compiled without SELinux
support.

The only forum member that answered my post just said that "OpenVZ
introduces many hacks to the kernel. If you read the code, you'll know
what this is about." That's when he suggested I look at LXC. Before I
spent the time to read through their kernel hacks I decided to see what
LXC offered. That's when I discovered the problem with available kernel
versions.


Re: [Lxc-users] LXC on RHEL/CentOS 5.5 Host?

2011-01-14 Thread Serge E. Hallyn
Quoting Cal Webster (cwebs...@ec.rr.com):
> I've looked at OpenVZ but it apparently cannot coexist with SELinux,

Do you know why?  Do you have any references for this?

-serge



Re: [Lxc-users] LXC on RHEL/CentOS 5.5 Host?

2011-01-14 Thread Noah Campbell
I was also looking at a similar configuration.

If you can upgrade your kernel, you have a shot.  
http://lxc.sourceforge.net/index.php/about/kernel-namespaces/  gives the 
minimum kernel for a particular configuration.

-Noah

On Jan 14, 2011, at 8:59 AM, Cal Webster wrote:

> 
> [Platform]
> 
> Hardware:
> 
> Dell PowerEdge T300
> ---
> CPU: Core Duo 1.86 GHz w/ 1066 FSB, 2M cache
> Memory: 4G DIMM RAM 667MHz
> Storage: 1 TB RAID 5
> ---
> 
> Software:
> 
> OS: CentOS 5.5
> kernel-2.6.18-194.26.1.el5
> gcc-4.1.2-48.el5
> glibc-2.5-49.el5_5.7
> 
> 
> [Background]
> 
> I've got a "svelte" CentOS 5 development server (outlined above) where as
> many as five developers need to periodically run instances of a
> real-time application, possibly as many as 3 or 4 simultaneously. Each
> instance expects to be the only one running on the machine. Multiple
> instances will collide.
> 
> I've looked at OpenVZ but it apparently cannot coexist with SELinux,
> which is a deal-breaker for us. Our security policy requires an active,
> targeted and customized SELinux policy. I have been unable to get any
> OpenVZ users or developers to explain the nature of the SELinux
> compatibility issues, however. Instead they suggested I look at LXC.
> 
> LXC appears to have everything we need, including isolation of resources
> and processes as well as SELinux protection. After looking over the LXC
> project it appears that it is available only to kernels starting with
> 2.6.29. CentOS 5.5 is currently running 2.6.18-194.26.1.el5.
> 
> 
> [Questions]
> 
> First, can anyone tell me if it's possible to install and use Linux
> Containers on a RHEL/CentOS 5 host?
> 
> Next, are there RPMs, SRPMs, or even kernel patches and tar-ball sources
> available to accomplish this?
> 
> Finally, if it is not possible (or reasonably feasible) to host LXC on
> CentOS 5, can someone tell me whether it might be possible to develop a
> functional SELinux policy within which OpenVZ could operate? If not, why
> not?
> 
> Otherwise, I'll probably have to settle for KVM virtual machines and
> just try to minimize their resource footprint.
> 
> 
> Thanks in advance for any information, suggestions, useful links, etc.
> 
> Cal Webster
> 

