Running services in containers
From: Ludovic Courtès
Subject: Running services in containers
Date: Tue, 07 Feb 2017 15:25:15 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Hi Guix!
Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
demo I made of a Shepherd service running in a container. :-)
I’ve polished the thing on my way back and pushed the result, using
BitlBee as an example:
http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
It works nicely! The BitlBee daemon shares its network and user
namespaces with the system but otherwise has a private /tmp and a
private /var/run and only has access to /var/lib/bitlbee and /gnu/store.
It should make it harder for an attacker to usefully exploit a remote
code execution vulnerability such as the one recently reported¹.
Of course BitlBee is a simple example, but I think it’d be nice to
investigate what it takes to do the same for other services in the
future. I’d like to write a post about it at some point.
Ludo’.
¹ https://bugs.bitlbee.org/ticket/1281
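The isolation layout described above (network and user namespaces shared with the system, a private mount namespace carrying the private /tmp and /var/run) is something an administrator will want to verify on the running daemon rather than take on trust. The following is an added example, not code from the mail or from Guix: it reads the namespace links under /proc/<pid>/ns/ on Linux, compares a service process against PID 1, and flags any namespace whose observed state contradicts the policy the mail describes. The policy dict, the function names and the namespace inode numbers used in the test data are assumptions constructed for this example.

```python
"""Check which Linux namespaces a service process shares with PID 1.

Added example (not from the original mail or from Guix).  It compares
the /proc/<pid>/ns/ links of a service against those of PID 1 and
checks them against a policy like the one described for BitlBee:
net and user shared with the system, mnt private.
"""
import os

# Namespaces exposed under /proc/<pid>/ns/ on current kernels.
NAMESPACES = ("mnt", "net", "user", "pid", "ipc", "uts")

# Policy from the mail (assumed encoding): share net and user, keep the
# mount namespace private, since that is what carries the private /tmp
# and /var/run.  Other namespaces are not constrained here.
BITLBEE_POLICY = {"net": "shared", "user": "shared", "mnt": "private"}


def read_namespaces(pid):
    """Return {ns: "<type>:[<inode>]"} for a process.  A namespace we
    cannot read (no such process, or no ptrace permission on its /proc
    entry) is recorded as None rather than guessed."""
    result = {}
    for ns in NAMESPACES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            result[ns] = None
    return result


def compare_namespaces(service, system):
    """Classify each namespace as shared, private or unknown between two
    processes, given the dicts produced by read_namespaces().  Two
    processes are in the same namespace exactly when the link targets
    (namespace inode numbers) are equal."""
    report = {}
    for ns in NAMESPACES:
        a, b = service.get(ns), system.get(ns)
        if a is None or b is None:
            report[ns] = "unknown"
        elif a == b:
            report[ns] = "shared"
        else:
            report[ns] = "private"
    return report


def policy_violations(report, policy=BITLBEE_POLICY):
    """Return (namespace, expected, observed) for every namespace whose
    observed state contradicts the policy.  'unknown' counts as a
    violation: an isolation property we could not verify is not one to
    rely on."""
    return [(ns, want, report.get(ns, "unknown"))
            for ns, want in policy.items()
            if report.get(ns, "unknown") != want]


if __name__ == "__main__":
    import sys
    # Usage: python3 check_ns.py <pid-of-service>; defaults to this process,
    # which should report everything as shared with PID 1.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    report = compare_namespaces(read_namespaces(pid), read_namespaces(1))
    for ns, state in report.items():
        print(f"{ns:5} {state}")
    for ns, want, got in policy_violations(report):
        print(f"VIOLATION: {ns} expected {want}, observed {got}")
```

Reading /proc/1/ns/* needs ptrace-level access to PID 1, so run the check as root (or with CAP_SYS_PTRACE); otherwise every namespace is reported as unknown, which the policy check deliberately treats as a failure rather than a pass.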