On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:
>
>>
>> On 03/01/2015 10:41 PM, Michael DePaulo wrote:
>> > Hi,
>> >
>> > I am developing a Dockerfile for X2Go. I intend to submit a PR to
>> > fedora-Dockerfiles within a week.
>> >
>> > https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
>> >
>> > (X2Go was already added in F20)
>> > https://fedoraproject.org/wiki/Changes/X2Go
>> >
>> > Example Dockerfile with systemd:
>> > https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apache/Dockerfile
>> >
>> > However, I would like to know if the Fedora project still recommends
>> > that I use systemd, or if I should resort to using supervisord or a
>> > shell script.
>> >
>> > I merely need to start sshd and x2gocleansessions. Both have systemd
>> > unit files, but can be run via an init script too.
>> >
>> > When I do try systemd, I am experiencing known issues with cgroups and
>> > with mounting /run, unless I run a privileged container. It has been a
>> > while since there were any comments on the CLOSED NOTABUG bz on these
>> > issues.
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1033604
>> >
>> > -Mike
>>
>> We are continuing to work on making running systemd within a container
>> better.
>> I am trying to get a /run on tmpfs patch to be acceptable upstream. But
>> we still have a problem with systemd requiring /sys/fs/cgroup to be mounted
>> inside the container to run, which allows for an information leak.
>
> You'd have to get the kernel changed for that "information leak" to be
> fixed.
>
> That said, containers on Linux are not really about security, the
> whole thing has more holes than a Swiss cheese. Maybe one day the
> security holes can be fixed, but as of now, it's simply not
> secure. And this "information leak" is certainly the least of your
> problems...
What would then be the recommended solution if containers are insecure?

> Lennart
>
> --
> Lennart Poettering, Red Hat
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct