[PLUG] lxc containers
Jason Bergstrom
bergie at bergie.net
Wed Jan 18 21:57:14 UTC 2012
> I'm playing with Linux lxc containers, and for the most part liking what I
> see. I'm hoping someone with more experience can verify my understanding
> on two points:
>
> 1) In a conventional system, if I mount the same file system read/write on
> two different mount points, I will most likely corrupt the file system. I
> gather however that the host system can manipulate the container's file
> systems freely while the container is operating, even though both have it
> mounted, because those container mounts don't really exist. Can someone
> confirm/deny/explain that?
With LXC, the parent OS handles all filesystem activity on behalf of
the container (so consistency is covered).
> 2) The container needs a root file system in order to see all those
> important files it needs day-to-day. If I'm using the container for
> security/isolation purposes, that rootfs is separate from the host's rootfs
> (don't want them to see /etc/shadow, for example). In the case that each
> container has its own rootfs, don't I need to apply patches to all those
> containers each time I patch the host or risk lots of obscure errors due to
> the mismatch?
I think the answer is that you need to patch the container OS as well.
There may be a model where you share a read-only view of the parent OS's
/usr to the container, though that may have just been wishful thinking
based on the workings of Solaris containers.
Jason,
bergie at bergie.net
>
> -Brian Martin
>
> -------------------------------------------
> Brian P. Martin
> Martin Consulting Services, Inc.
> UNIX & Linux System Administration, Training, and Programming
> Telephone: 503 617-4500
> E-mail: Brian at MartinConsulting.com
> Web-site: www.martinconsulting.com
>
>
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
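The two points raised above (a host path bind-mounted into a running container is one kernel filesystem exposed at two paths rather than two independent mounts, and a container with its own rootfs has to be patched on its own) can be made concrete with the sharing model Jason mentions: the container keeps a private rootfs for /etc and /var, but the host's /usr is bind-mounted into it read-only, so host patches to /usr are seen immediately and the container cannot modify them. The script below is an added example and not code from the thread; it uses the LXC 1.x-era keys `lxc.rootfs`, `lxc.utsname` and `lxc.mount.entry` (fstab syntax, destination relative to the rootfs), and the container name and rootfs path are made up.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Generate an LXC config that gives a
# container its own rootfs plus a read-only bind mount of the host's /usr, and
# check that no host tree is exposed to the container writable.

# Emit a config for container $1 whose private rootfs lives at $2 (both are
# caller-supplied assumptions; /var/lib/lxc/<name>/rootfs is the usual layout).
lxc_config() {
    cat <<EOF
lxc.utsname = $1
lxc.rootfs = $2
# Host /usr shared read-only: patches applied on the host are visible here,
# but the container cannot write to the host's binaries and libraries.
# Everything else (/etc, /var, /home) stays in the container's own rootfs and
# still has to be patched per container.
lxc.mount.entry = /usr usr none bind,ro 0 0
EOF
}

# Read an LXC config on stdin and exit 0 only if every bind mount carries "ro".
# A writable bind mount of a host directory would let the container modify
# the host's files, which defeats the isolation the thread is asking about.
check_ro_binds() {
    awk '
        /^lxc\.mount\.entry/ {
            sub(/^lxc\.mount\.entry *= */, "")
            # fstab layout after the key: src dst fstype opts freq pass
            opts = $4
            if (opts ~ /(^|,)bind(,|$)/ && opts !~ /(^|,)ro(,|$)/) bad++
        }
        END { exit (bad > 0) }'
}

# Stand-alone use: print the config and verify it before handing it to lxc-start.
lxc_config web /var/lib/lxc/web/rootfs | tee /dev/stderr | check_ro_binds \
    && echo "all bind mounts read-only" \
    || echo "WARNING: writable host bind mount in config"
```

The check is deliberately narrow: it only inspects `lxc.mount.entry` lines, so it complements rather than replaces reviewing the rootfs itself. Note that a read-only bind mount in the container's config is enforced by the host; the container cannot remount it read-write from inside.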