On Sun, 06.09.15 17:49, Michał Zegan (webczat_...@poczta.onet.pl) wrote:

> Hello.
>
> Is systemd-nspawn intended to eventually become usable for full system
> containers/general use with enough security to run things like vps hosting?
> How much is missing to be able to do that, or maybe it already can? Like you
> have user namespaces support that probably adds more security in addition to
> other namespaces, not sure though.
Well, Linux containers are currently not a security technology, and you really shouldn't mistake them for one. But yes, we'll close the biggest holes as we can, and the intention is certainly to make it hard to escape containers.

nspawn supports user namespaces, but I don't think they are practically usable, since there's no logic for automatically allocating user id ranges, and file systems have to be altered to make them compatible with user namespacing. We'd like to improve the situation there, but this requires more kernel work.

The focus with nspawn is indeed on full system containers (i.e. containers running an init system in them), and explicitly not so much "micro service" virtualization a la docker.

To dogfood myself I run my own dedicated server in an nspawn-based solution, and I am pretty happy with it.

Note that nspawn + machined is not supposed to be a complete deployment solution, it focuses on the execution runtime of the container locally and it does not and will not do orchestration of containers across a whole cluster, or update/lifecycle management. Use rkt (which builds on nspawn) for that.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
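The two user-namespace problems Lennart names, that someone has to pick the host uid range by hand and that files owned by unmapped host uids show up inside the container as the overflow uid "nobody" until the tree is shifted into the range, can both be checked from a process's /proc/<pid>/uid_map. The following is an added example, not code from systemd or nspawn; the 100000/65536 range and the sample map lines are constructed, and 65534 is assumed to be the kernel's default overflowuid.

```python
# Constructed sample of /proc/<pid>/uid_map for a container whose root (uid 0
# inside) is backed by a 65536-wide host range starting at 100000. The range is
# an assumption an administrator would have to choose by hand.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Identity map the kernel shows for a process in the initial user namespace.
INIT_UID_MAP = "         0          0 4294967295\n"

# Assumed default of /proc/sys/kernel/overflowuid: ids with no mapping appear as this.
OVERFLOW_UID = 65534


def parse_uid_map(text):
    """Parse uid_map/gid_map lines into (inside_start, outside_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines rather than failing
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def inside_to_host(entries, inside_uid):
    """Host uid the kernel uses for a uid seen inside the namespace; OVERFLOW_UID if unmapped."""
    for inside, outside, count in entries:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return OVERFLOW_UID


def host_to_inside(entries, host_uid):
    """Uid the container sees on a file owned by host_uid. OVERFLOW_UID means the
    owner lies outside the mapped range, i.e. the tree was not shifted into it."""
    for inside, outside, count in entries:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def root_is_unprivileged(entries):
    """True when the namespace's uid 0 is backed by a non-root host uid."""
    return inside_to_host(entries, 0) != 0


if __name__ == "__main__":
    m = parse_uid_map(SAMPLE_UID_MAP)
    print("container root runs as host uid", inside_to_host(m, 0))
    print("host-root-owned file appears inside as uid", host_to_inside(m, 0))
```

On a live system, feeding the contents of /proc/<pid>/uid_map of the container's init process into parse_uid_map gives the same answers for a real namespace.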