On Sun, Sep 6, 2015 at 6:00 PM, Lennart Poettering <[email protected]> wrote: > On Sun, 06.09.15 17:49, Michał Zegan ([email protected]) wrote: > >> Hello. >> >> Is systemd-nspawn intended to eventually become usable for full system >> containers/general use with enough security to run things like vps hosting? >> How much is missing to be able to do that, or maybe it already can? Like you >> have user namespaces support that probably adds more security in addition to >> other namespaces, not sure though. > > Well, Linux containers are currently not a security technology, and > you really shouldn't mistake them for one. > > But yes, we'll close the biggest holes as we can, and the intention is > certainly to make it hard to escape containers. > > nspawn supports user namespaces, but I don't think they are > practically usable, since there's no logic for automatically > allocating user id ranges, and file systems have to be altered to make > them compatible with user namespacing. We'd like to improve the > situation there, but this requires more kernel work. > > The focus with nspawn is indeed on full system containers > (i.e. containers running an init system in them), and explicitly not > so much "micro service" virtualization a la docker. > > To dogfood myself I run my own dedicated server in an nspawn-based > solution, and I am pretty happy with it.
Same here with a Fedora 22 server. Lots of web services/web apps runing very fine and quickly. > > Note that nspawn + machined is not supposed to be a complete > deployment solution, it focuses on the execution runtime of the > container locally and it does not and will not do orchestration of > containers across a whole cluster, or update/lifecycle management. Use > rkt (which builds on nspawn) for that. > > Lennart > > -- > Lennart Poettering, Red Hat > _______________________________________________ > systemd-devel mailing list > [email protected] > http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- google.com/+arnaudgabourygabx _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
