COPR

Daniel P. Berrange berrange at redhat.com
Fri Aug 30 10:11:38 UTC 2013


On Fri, Aug 30, 2013 at 11:57:19AM +0200, 80 wrote:
> Hi,
> 
> if you have a grudge against our infra team, OBS is the best option.
> More seriously, OBS has a major flaw: it's a pain to deploy or update and
> we need to have people able to fix bugs in a rails app.
> 
> I advise you to discuss this with infra team before considering further
> this option.
> 
> 
> One quick remark:
> > build package in VM, which is safer than Koji (just chroot in Koji)
> 
> Safer, but it has an overhead. I'd rather add LXC support to Koji (much
> less overhead and pretty much as safe as heavier virtualization solutions).

That statement about security is absolutely not the case. 

With a shared kernel for LXC there is significantly higher security risk.
A local root exploit will let a container take over the entire host, and
there's nothing we can do with namespaces or selinux to prevent that
attack vector. With KVM, a local root exploit only lets you compromise
the one VM, they then still need to exploit QEMU/KVM and then get another
local root exploit for the host.

Even ignoring the shared kernel aspects, having a secure LXC deployment
requires use of user namespaces which are a new feature not yet available
in Fedora since the conflict with XFS. With the user namespace feature
enabled, many types of kernel flaw will have increased severity because
functionality that was previously restricted to root, is now available to
non-root processes which have started a new user namespace. e.g. crashes that
could be triggered by root only and thus not be classed as security flaws,
could now become privilege escalation flaws.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
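As an added illustration of the user-namespace point made in the reply above (example code written for this page, not from the original post, from Koji or from Fedora): an unprivileged process calls unshare(CLONE_NEWUSER) and then reads its own CapEff line from /proc/self/status. On a kernel that allows unprivileged user namespaces the effective capability mask goes from all zeros to the full set, which is the extra kernel surface the reply is worried about: code paths that used to be reachable only by root are now reachable by any user. The program is Linux-only, needs no privilege, and reports when the kernel or a sandbox refuses the unshare rather than failing.

```c
/* Added example, not part of the original mailing-list post.
 * Shows that an unprivileged process which enters a new user namespace
 * is handed a full capability set (inside that namespace), so kernel code
 * paths that used to require root become reachable by ordinary users.
 * Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from linux/sched.h, if sched.h hid it */
#endif
int unshare(int flags);           /* glibc prototype, repeated in case _GNU_SOURCE was not seen */

/* Parse the "CapEff:" line out of a /proc/<pid>/status style buffer.
 * Returns the effective capability mask, or 0 if no such line is present. */
unsigned long long parse_capeff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* Read the calling process's effective capability mask (0 if /proc is absent). */
unsigned long long read_capeff(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capeff(buf);
}

/* Fork a child, unshare it into a fresh user namespace and read its CapEff;
 * the parent stays in its own namespace. Returns 1 if the namespace was
 * created (child's mask in *after), 0 if the kernel or a sandbox refused the
 * unshare (EPERM/EINVAL/ENOSPC/EUSERS), -1 on any other failure. */
int userns_gains_caps(unsigned long long *before, unsigned long long *after)
{
    struct { int rc; unsigned long long caps; } msg = { -1, 0 };
    int fd[2];

    *before = read_capeff();
    *after = *before;
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        /* No uid_map is written: the kernel grants the full capability set
         * the moment the namespace is created, before any mapping exists. */
        if (unshare(CLONE_NEWUSER) == 0) {
            msg.rc = 1;
            msg.caps = read_capeff();
        } else if (errno == EPERM || errno == EINVAL ||
                   errno == ENOSPC || errno == EUSERS) {
            msg.rc = 0;          /* disabled by sysctl, sandbox or kernel config */
            msg.caps = *before;
        }
        if (write(fd[1], &msg, sizeof msg) != (ssize_t)sizeof msg)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &msg, sizeof msg);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof msg)
        return -1;               /* child died before reporting, e.g. seccomp SIGSYS */
    *after = msg.caps;
    return msg.rc;
}

int main(void)
{
    unsigned long long before, after;
    int rc = userns_gains_caps(&before, &after);

    printf("uid %u: CapEff before unshare(CLONE_NEWUSER) = %016llx\n",
           (unsigned)getuid(), before);
    if (rc == 1)
        printf("CapEff inside the new user namespace     = %016llx\n", after);
    else if (rc == 0)
        printf("unshare(CLONE_NEWUSER) refused: unprivileged user namespaces are disabled here\n");
    else
        printf("could not determine the result\n");
    return 0;
}
```

Run it as an ordinary user: a before mask of all zeros followed by a non-zero after mask is the namespace-local root the reply describes. A refusal is what you get on kernels built without CONFIG_USER_NS or with unprivileged user namespaces switched off, which is the state Fedora was in at the time of the thread.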
