brainstorming for UDS-N - Cloud Infrastructure
jamie at canonical.com
Wed Sep 29 15:25:43 BST 2010
On Tue, 2010-09-28 at 20:05 -0400, Stéphane Graber wrote:
> On Tue, 2010-09-28 at 21:59 +0200, Allison Randal wrote:
> > Server topics are included in all the other tracks, but the UDS team
> > called out cloud technology for special attention. It's an area where
> > Ubuntu is one of the leading players in driving innovation, which means
> > it's a big opportunity for us as a community to make a difference in the
> > world at large. This includes being a good guest and being a good host,
> > as well as evaluating new technologies.
> > What's high on your list for this area?
> > Allison
> I guess an important topic when thinking of server is virtualization and
> contextualization both for flexibility and security.
> I believe we can greatly improve our VM server solution (my biggest wish
> at the moment is for some kind of ACLs on VMs running in libvirt) and
> prepare to have a rocking solution for the next LTS.
When using qemu/kvm, libvirt can use the AppArmor security driver to
confine VMs to only the files they need. This provides guest isolation
and userspace host protection. This is on by default in Ubuntu's libvirt
since Karmic and is also upstream.
> Contextualization is also something I use everyday as the current policy
> at my employer is to have a full container per service. That means that
> I currently administer a few hundreds VZ containers just for our
> internal infrastructure (a few thousands if including customers).
> Containers offer a lot of flexibility at a very low cost and can be used
> to greatly improve everyone's security even on the desktop.
> That's really something I believe we should focus more on and I know
> there's an existing interest from both the Server and Security team.
> We also have the chance to have Daniel Lezcano (upstream for LXC) at UDS
> this time.
AIUI, containers as currently implemented in the vanilla kernel should
not be considered secure at this point (at least for root). There are
apparently rather large patchsets that the different container upstreams
use to address these issues. I'm not up on all the details though, but
they can surely be googled.
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/ubuntu-devel/attachments/20100929/cf99754e/attachment.pgp
More information about the ubuntu-devel