Future directions for Fedora Cloud

Daniel J Walsh dwalsh at redhat.com
Tue Sep 17 12:52:33 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/16/2013 04:57 PM, Colin Walters wrote:
> On Wed, 2013-09-11 at 12:01 -0400, Matthew Miller wrote:
> 
>> So, idea one is to make something like CoreOS (http://coreos.com/): a 
>> lightweight distribution made for running containers on top of. We
>> wouldn't attempt to be _as_ lightweight as CoreOS (for that, there's
>> CoreOS), but aim to be small while still providing key features like
>> SELinux.
> 
> How SELinux would work in a coreos/container deployment setup is an 
> interesting question.  One could imagine docker containers coming with 
> policy modules, but that ends up tying them to a specific host version, 
> which is kind of against the point of containers.
> 
> More realistically I think one would have a relatively permissive domain 
> (generic_container_t), and use something like MCS labels to restrict the 
> flow of information between containers and the host.
> 
Currently that is what we do with virt-sandbox containers.  svirt_lxc_net_t
and svirt_qemu_net_t is very loose, Full Network, Full Capabilities,
Read/Execute everything in /usr and most of /etc, no access to content in
/root, /home, /var (We bind mount containers content over /root, /home, and
/var)  And separate them from MCS.  They are only allowed to write to
svirt_sandbox_file_t.

I have setup the policy to allow policy writers to create limited network
privs container domains, fairly easily.  Perhaps we should do the same for
capabilities.

One concept I have built for OpenShift is the idea of an Admin of a container
versus the application within the container.  So a user joining a container
might have full access to all file types owned by the container, but the
applicagtion/service within the container would only be allowed to write to
the svirt_sandbox_file_rw_t content and read/exec svirt_sandbox_file_t content.


>> Perhaps this could be built with Colin Walter's OSTree (see 
>> https://wiki.gnome.org/OSTree) for atomic updates.
> 
> To follow up on this, I have been working slowly on this tool called 
> "yum-ostree" which is designed to capture packages as OSTree commits. At
> the moment it's just a lame python script, but it's nearly to the point of
> being useful.  I'll post to the generic fedora-devel-list when it's ready.
> 
> As far as OSTree compared to CoreOS; the biggest difference is that the 
> CoreOS updater mandates a particular filesystem chosen on the build server,
> because it sends block-level diffs.  OSTree operates at the filesystem
> layer (like rsync), and this allows more flexibility.  (At the moment
> though, OSTree is significantly less efficient on the network side).
> 
> 
> _______________________________________________ cloud mailing list 
> cloud at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/cloud Fedora Code of
> Conduct: http://fedoraproject.org/code-of-conduct
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlI4UJEACgkQrlYvE4MpobN+6gCgz6dHVm8kDHFLHJss6vLt7QaT
b2cAnRhr3ODzKRz9HUQrspruwAI8Sq7+
=xqk7
-----END PGP SIGNATURE-----

More information about the cloud mailing list