On Fri, Feb 28, 2014 at 02:56:52PM +0100, drago01 wrote:
> On Fri, Feb 28, 2014 at 2:43 PM, Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote:

[...]

> SELinux working with it now.
> <mclasen> dargo01: I think that statement may be evolving ?
> <sgallagh> And Docker is moving to systemd-nspawn and away from lxc
> <mclasen> but certainly valuable to raise the question on the list,
> and see if lennart, dan or dan want to chime in
> <drago01> sgallagh: "Note that even though these security precautions
> are taken systemd-nspawn is not suitable for secure container setups.
> Many of the security features may be circumvented and are hence
> primarily useful to avoid accidental changes to the host system from
> the container. The intended use of this program is debugging and
> testing as well as building of packages, distributions and software
> involved with boot and systems mana
> <drago01> gement." [1]

Just to note - recently I did a test to compile libguestfs in a
`systemd-nspawn` container. Details here[1]

A single `make` job timing to compile everything on a systemd-nspawn:

    real 31m9.792s
    user 17m18.359s
    sys 13m17.868s

For comparison, on the _host_, the same single `make` job timing:

    real 13m41.440s
    user 13m5.816s
    sys 1m9.911s

Notes:

- The above was with systemd-208-9.fc20.x86_64. Current systemd in
  Rawhide (systemd-210-2.fc21) has a lot more improvements
- Host and guest are both running Btrfs on Fedora-20
- I'm yet to test with libvirt-lxc tooling

[1] https://www.redhat.com/archives/libguestfs/2014-January/msg00290.html

--
/kashyap
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
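The two `time` summaries above are easier to compare field by field than as raw wall-clock numbers, since the interesting question for a container build is whether the extra cost lands in user or in system time. The following script is an added example, not code from the mail or from the systemd project: it parses the three-line output of the shell's `time` builtin and reports the per-field slowdown and the share of wall time spent in the kernel. The embedded timing strings are copied from the figures quoted in the mail, not fresh measurements; the function names are this example's own.

```python
import re

# Timing strings copied from the mail above (systemd-nspawn vs host), used as sample input.
NSPAWN_TIMING = """\
real 31m9.792s
user 17m18.359s
sys 13m17.868s
"""
HOST_TIMING = """\
real 13m41.440s
user 13m5.816s
sys 1m9.911s
"""

# bash prints "real\t31m9.792s"; the minutes part is absent for runs under a minute.
_TIME_RE = re.compile(r"^\s*(real|user|sys)\s+(?:(\d+)m)?([\d.]+)s\s*$")


def parse_time_output(text):
    """Parse the real/user/sys summary of the shell `time` builtin into seconds."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _TIME_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised time(1) line: {line!r}")
        field, minutes, seconds = m.groups()
        result[field] = int(minutes or 0) * 60 + float(seconds)
    missing = {"real", "user", "sys"} - result.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return result


def compare_timings(container_text, host_text):
    """Return per-field slowdown factors and the fraction of wall time spent in sys."""
    c = parse_time_output(container_text)
    h = parse_time_output(host_text)
    return {
        # >1.0 means the container run was slower for that field
        "slowdown": {k: c[k] / h[k] for k in ("real", "user", "sys")},
        # how much of each run's wall clock was kernel time
        "sys_share": {"container": c["sys"] / c["real"], "host": h["sys"] / h["real"]},
        # absolute extra kernel seconds attributable to the container run
        "extra_sys_seconds": c["sys"] - h["sys"],
    }


if __name__ == "__main__":
    for key, value in compare_timings(NSPAWN_TIMING, HOST_TIMING).items():
        print(f"{key}: {value}")
```

On the mail's numbers the user-time slowdown is about 1.3x while system time grows more than 11x, so nearly all of the extra wall-clock time is kernel time; that is the figure worth re-measuring on the newer systemd build the mail mentions, because it isolates the container overhead from the compiler's own work.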