On Fri, Feb 28, 2014 at 02:56:52PM +0100, drago01 wrote:
> On Fri, Feb 28, 2014 at 2:43 PM, Stephen Gallagher
> <sgallagh(a)redhat.com> wrote:
>> [. . .]
>> SELinux working with it now.
> <mclasen> drago01: I think that statement may be evolving ?
> <sgallagh> And Docker is moving to systemd-nspawn and away from lxc
> <mclasen> but certainly valuable to raise the question on the list,
> and see if lennart, dan or dan want to chime in
> <drago01> sgallagh: "Note that even though these security precautions
> are taken systemd-nspawn is not suitable for secure container setups.
> Many of the security features may be circumvented and are hence
> primarily useful to avoid accidental changes to the host system from
> the container. The intended use of this program is debugging and
> testing as well as building of packages, distributions and software
> involved with boot and systems management." [1]
Just to note: recently I did a test to compile libguestfs in a
`systemd-nspawn` container. Details here [1].
Timing of a single `make` job to compile everything in a systemd-nspawn container:
real 31m9.792s
user 17m18.359s
sys 13m17.868s
For comparison, on the _host_, the same single `make` job timing:
real 13m41.440s
user 13m5.816s
sys 1m9.911s
Notes:
- The above was with systemd-208-9.fc20.x86_64. Current systemd in
Rawhide (systemd-210-2.fc21) has a lot more improvements
- Host and guest are both running Btrfs on Fedora-20
- I have yet to test with libvirt-lxc tooling
[1]
https://www.redhat.com/archives/libguestfs/2014-January/msg00290.html
--
/kashyap