container userspace tools

Serge E. Hallyn serue at us.ibm.com
Mon Oct 27 09:53:28 PDT 2008


Quoting Ian jonhson (jonhson.ian at gmail.com):
> >>
> >> hmm.... then, how to configure the container to get the isolation of
> >> pid, ipc and
> >> mount points?
> >
> > This is done automatically, with or without configuration.
> >
> > For examples:
> >
> >        lxc-execute -n foo -- ps -ef --forest
> >
> > UID        PID  PPID  C STIME TTY          TIME CMD
> > root         1     0  0 16:55 ?        00:00:00 lxc-execute -n foo -- ps -ef
> > --forest
> > root         2     1  0 16:55 pts/6    00:00:00 ps -ef --forest
> >
> >
> >        lxc-execute -n foo ls /proc
> >
> > will only show process 1 and 2, showing the /proc fs has been remount inside
> > the container without interfering with your own /proc.
> >
> > You can do the same check by looking at the ipcs inside and outside the
> > container  (assuming they are different).
> >
> 
> Is it possible to isolate processes in two different containers when they access
> given local file. For example, I run a process_A in container_A to create a
> file named "shared_file". Then, another process (for example, process_B)
> in container_A can access the "shared_file", but another process, named
> process_C in container_B can not access the same file. The process_A,
> process_B, and process_C are run with same uid/gid. how to set the
> configurations of container_A and container_B to achieve the isolation?
> Is it possible to do this?

1. You can put them in each a different chroot.  For instance, extract
the debian.tar.gz which Daniel has pointed you to before into both
/vs1 and /vs2.  Put container_A in /vs1 and container_B in /vs2.

2. You can use SELinux or Smack.  Details for now left as an exercise
to the reader.

3. One day you'll be able to use user namespaces.  In that case, even
though process_{A,B,C} are all running with the same integer uid/gid,
process_C will be in a different user namespace than
process_{A,B}.  So the file created by process_A will be accessed by
process_C as though they were different userids.  Which means if
process_A set permissions on the file as rwxr-xr-x, then process_C
will get r-x permissions.  If process_A set the permissions to
rwxr-xr-x, then process_C will have no permissions.

-serge
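Option 3 above, modelled in Python as an added example (not code from this thread or from LXC): each container gets its own uid_map, so the same inside uid translates to a different kernel-wide uid, and the file permission check for process_C falls through to the "other" bits. The uid ranges, the `UidMap`/`permission_bits`/`demo` names and the simplified owner-or-other check are constructed assumptions; the three-field map layout is the one `/proc/<pid>/uid_map` uses on current kernels.

```python
from dataclasses import dataclass

OVERFLOW_UID = 65534  # kernel default "nobody" uid shown for ids with no mapping

@dataclass(frozen=True)
class UidMap:
    """One user namespace's uid_map: (inside_start, outside_start, count) entries,
    the same three-field layout as /proc/<pid>/uid_map (ranges here are constructed)."""
    entries: tuple

    def to_kuid(self, uid):
        """Translate a uid as seen inside the namespace to the kernel-wide (host) uid."""
        for inside, outside, count in self.entries:
            if inside <= uid < inside + count:
                return outside + (uid - inside)
        return None  # unmapped: a process cannot assume such a uid at all

    def from_kuid(self, kuid):
        """Translate a kernel-wide uid to what a process in this namespace sees."""
        for inside, outside, count in self.entries:
            if outside <= kuid < outside + count:
                return inside + (kuid - outside)
        return OVERFLOW_UID

def permission_bits(owner_kuid, mode, proc_kuid):
    """Simplified model of the kernel's decision: it compares kernel-wide uids,
    never the per-namespace integers (group bits omitted for brevity)."""
    if proc_kuid == owner_kuid:
        return (mode >> 6) & 0o7  # owner triplet
    return mode & 0o7             # "other" triplet

def rwx(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

# Constructed maps: each container's uid 0-65535 lands on a distinct host range.
container_A = UidMap(((0, 100000, 65536),))
container_B = UidMap(((0, 200000, 65536),))

def demo(inside_uid=1000):
    """process_A (container_A) creates a file; process_B (container_A) and
    process_C (container_B) run with the same inside uid and try to use it."""
    owner_kuid = container_A.to_kuid(inside_uid)                 # 101000 on the host
    perm_B = permission_bits(owner_kuid, 0o755, container_A.to_kuid(inside_uid))
    perm_C = permission_bits(owner_kuid, 0o755, container_B.to_kuid(inside_uid))
    perm_C_private = permission_bits(owner_kuid, 0o700, container_B.to_kuid(inside_uid))
    owner_seen_by_C = container_B.from_kuid(owner_kuid)          # unmapped -> nobody
    return rwx(perm_B), rwx(perm_C), rwx(perm_C_private), owner_seen_by_C
```

Calling `demo()` returns `('rwx', 'r-x', '---', 65534)`: process_B keeps owner access, process_C gets only the "other" bits, and from inside container_B the file's owner shows up as the overflow uid.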

