Re: Is systemd within a Docker container still recommended?

On 03/02/2015 10:03 AM, Mauricio Tavares wrote:
> On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>> On Mon, 02.03.15 09:17, Daniel J Walsh (dwalsh@xxxxxxxxxx) wrote:
>>
>>> On 03/01/2015 10:41 PM, Michael DePaulo wrote:
>>>> Hi,
>>>>
>>>> I am developing a Dockerfile for X2Go. I intend to submit a PR to
>>>> fedora-Dockerfiles within a week.
>>>>
>>>> https://github.com/mikedep333/Fedora-Dockerfiles/tree/add-x2go
>>>>
>>>> (X2Go was already added in F20)
>>>> https://fedoraproject.org/wiki/Changes/X2Go
>>>>
>>>> Example Dockerfile with systemd:
>>>> https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/systemd/apache/Dockerfile
>>>>
>>>> However, I would like to know if the Fedora project still recommends
>>>> that I use systemd, or if I should resort to using supervisord or a
>>>> shell script.
>>>>
>>>> I merely need to start sshd and x2gocleansessions. Both have systemd
>>>> unit files, but can be run via an init script too.
>>>>
>>>> When I do try systemd, I am experiencing known issues with cgroups and
>>>> with mounting /run, unless I run a privileged container. It has been a
>>>> while since there were any comments on the CLOSED NOTABUG bz on these
>>>> issues.
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1033604
>>>>
>>>> -Mike
>>> We are continuing to work on making running systemd within a container
>>> better. I am trying to get a /run on tmpfs patch to be acceptable
>>> upstream. But we still have a problem with systemd requiring
>>> /sys/fs/cgroup to be mounted inside the container to run, which allows
>>> for an information leak.
>> You'd have to get the kernel changed for that "information leak" to be
>> fixed.
>>
>> That said, containers on Linux are not really about security, the
>> whole thing has more holes than a swiss cheese. Maybe one day the
>> security holes can be fixed, but as of now, it's simply not
>> secure. And this "information leak" is certainly the least of your
>> problems...
>>
> What would then be the recommended solution if containers are insecure?
Well, we are trying to fix this, but as Lennart says, there are many
holes in the strategy at this point. I am working on a presentation that
talks about different levels of security. As soon as you get to
virtualization you get less security.

I would say running each service on an individual machine is the most
secure. Running each service on a separate VM is the second most,
especially if you are using SELinux/sVirt for separation of your VMs.
Third level is running each service in a different container (again you
want SELinux for some separation). Fourth is each service running on the
host (wrapped with SELinux). Fifth is setenforce 0.


>> Lennart
>>
>> --
>> Lennart Poettering, Red Hat
>> --
>> devel mailing list
>> devel@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/devel
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
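The two mounts the thread turns on, /run on tmpfs and a /sys/fs/cgroup tree visible inside the container, can be checked from a copy of the container's /proc/self/mountinfo. The script below is an added example, not code from the thread, from Fedora-Dockerfiles or from Docker; it assumes only the documented mountinfo line format (mount point in field 5, per-mount options in field 6, filesystem type after the "-" separator), and the function and sample names are its own. The two sample tables are constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example, not part of the thread: inspect a mount table in the
# /proc/self/mountinfo format and report the two mounts discussed above,
# /run on tmpfs and /sys/fs/cgroup. Every function takes a path to a saved
# copy of mountinfo, so it can also be run against a file copied out of a
# container. Function and sample names are this example's own.

# mount_opts FILE MOUNTPOINT: per-mount options (field 6) of MOUNTPOINT,
# or nothing if that mount point is absent.
mount_opts() {
    awk -v mp="$2" '$5 == mp { print $6; exit }' "$1"
}

# fstype FILE MOUNTPOINT: filesystem type, which is the field after the
# "-" separator, or nothing if that mount point is absent.
fstype() {
    awk -v mp="$2" '$5 == mp {
        for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
    }' "$1"
}

# check_cgroup FILE: "absent", "ro" or "rw" for /sys/fs/cgroup. A writable
# cgroup tree is what systemd wants and what a privileged container gets.
check_cgroup() {
    opts=$(mount_opts "$1" /sys/fs/cgroup)
    case "$opts" in
        "")       echo absent ;;
        ro|ro,*)  echo ro ;;
        rw|rw,*)  echo rw ;;
        *)        echo "unknown:$opts" ;;
    esac
}

# check_run FILE: "tmpfs" when /run is its own tmpfs mount, "other:<type>"
# for any other separate mount, "none" when /run is just a directory on
# the container's root filesystem.
check_run() {
    t=$(fstype "$1" /run)
    case "$t" in
        "")     echo none ;;
        tmpfs)  echo tmpfs ;;
        *)      echo "other:$t" ;;
    esac
}

# report FILE: one line per finding, for a person to read.
report() {
    echo "/sys/fs/cgroup: $(check_cgroup "$1")"
    echo "/run:           $(check_run "$1")"
}

# Constructed sample table (not captured from a real container):
# /sys/fs/cgroup writable and /run on its own tmpfs, as in a privileged
# container prepared for systemd.
sample_privileged() {
    cat <<'EOF'
22 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
34 22 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
40 1 0:35 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
EOF
}

# Constructed sample table: cgroup tree read-only, /run not a separate mount.
sample_default() {
    cat <<'EOF'
22 1 0:21 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
34 22 0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
EOF
}

# Usage: sh mountcheck.sh /proc/self/mountinfo   (inside the container)
#        sh mountcheck.sh saved-mountinfo.txt    (a copy taken out of it)
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run inside the container whose unit files are being tested, a "rw" result for /sys/fs/cgroup is the condition Daniel Walsh describes as the information leak, and "none" for /run shows the container still lacks the tmpfs his patch is meant to supply.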