Anybody have tried Ubuntu's LXC?

dnwk Member
edited March 2013 in General

Anybody have tried Ubuntu's LXC? It is OS-level virtualization.
But it doesn't seem to be popular.


Comments

  • erhwegesrgsr Member
    edited March 2013

    It is not Ubuntu's and it is popular, just not here due to preference for OpenVZ.

  • jar Patron Provider, Top Host, Veteran

    @BronzeByte said: due to preference

    Yeah it's a bit more than that, but I won't offer any spoilers ;)

  • dnwk Member

    @jarland said: Yeah it's a bit more than that, but I won't offer any spoilers ;)

    Why does nobody use LXC??

  • pechspilz Member
    edited March 2013

    I do. I'm using it on a budget dedicated server with no VT-x support and since I'm more of a Debian/Ubuntu server guy -> LXC was the logical choice. The containers run on their own IP addresses. There still needs to be some kernel work done for better/more secure namespace isolation, so unlike OpenVZ it's not yet ready for (commercial) prime time.

  • dnwk Member

    @pechspilz said: so unlike OpenVZ it's not yet ready for (commercial) prime time.

    I see. Is there other OS VM that runs on Ubuntu ready for commercial deployment?

  • Sure, KVM.

  • Rallias Member
    edited March 2013

    @pechspilz said: There still needs some kernel work to be done for better/more secure namespace-isolation

    We don't need your antiquated 2009 era FUD.

    In fact, the last exploit for LXC that I know of was spoken about during the 2011 era and patched for the 3.6 kernel line.

  • @Rallias said: FUD

    Seriously, "Fully UnDetectable", that term is completely irrelevant to kernels, and your avatar makes it a clear story; you are a skid

    But you do have a point, why work on a kernel virt when KVM is already getting almost native performance

  • @BronzeByte said: your avatar it is a clear story

    No, someone just registered a Gravatar against my email account. I'm too lazy to recover it.

    @BronzeByte said: you are a skid

    I beg to differ.

    @BronzeByte said: Seriously, "Fully UnDetectable", that term is completely irrelevant to kernels

    http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

  • dnwk Member

    @pechspilz said: Sure, KVM.

    KVM is full virtualization right?

  • Ishaq Member

    @dnwk said: KVM is full virtualization right?

    Right.

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    LXC is shoved into a recent kernel along with all of the other crap Ubuntu is going to put in there. Bottom line is a base OpenVZ installation is going to be more secure and less subject to flavor of the month vulnerabilities in unnecessary drivers and other kernel modules that would no doubt be enabled or left in place by the type of person who would use a base Ubuntu installation to host virtual machines. KVM at least has true isolation, encouraging LXC startups around here would be disastrous.

    So yes, @Rallias, you may not have significant new exploits in LXC, but you have to consider the entire kernel to be a potential vulnerability and not just this package. Also, your avatar does kind of scream skiddie, you should try a different email ;)

    Mainline kernel is not the choice for someone who values security.

    Edit: this works or worked recently in LXC http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

  • @Rallias said: No, someone just registered a Gravatar against my email account. I'm too lazy to recover it.

    @Rallias said: http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

    My apologies, funny situation more or less :-)

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    Also I haven't tried this but apparently you can use openvz without the kernel now? Oh boy...
    http://openvz.livejournal.com/42793.html

    Am I reading that wrong? I rarely visit the blog.

  • Rallias Member
    edited March 2013

    @jarland said: you should try a different email ;)

    There... I recovered and changed it.

    @jarland said: Mainline kernel is not the choice for someone who values security.

    It's got just as many unknown vulnerabilities as OpenVZ has.

    @jarland said: Am I reading that wrong? I rarely visit the blog.

    From what I'm reading, the VZCTL command works, but is gimped.

  • jar Patron Provider, Top Host, Veteran

    So you're saying RHEL 2.6.32 kernel has as many vulnerabilities as the mainline kernel as compiled for Ubuntu base installation? Care to bet? :)

  • @jarland said: So you're saying RHEL 2.6.32 kernel has as many vulnerabilities as the mainline kernel as compiled for Ubuntu base installation? Care to bet? :)

    It's impossible to know how many vulnerabilities exist without detection.

  • jar Patron Provider, Top Host, Veteran

    It's typically understood in the IT industry that the most problems are had with bleeding edge, not tried and true. Of course any generalization could be wrong at any given point, but Ubuntu kernels have vulnerabilities dated as recent as Feb 2013. I believe there was a mild RHEL vulnerability in December, but I would be glad to place a bet on which has more security vulnerabilities this year between RHEL and the mainline kernel.

  • @jarland You still have to consider, which one has more people looking at it?

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    The one shipped with RHEL and stable Debian I would bet. I don't use other distros, is there another shipping 3.x with a server based flavor out of the box besides Ubuntu? I don't know the numbers, but I highly doubt they have been around long enough to be the new enterprise standard.

  • @jarland said: I highly doubt they have been around long enough to be the new enterprise standard.

    Well, RHEL7 is due out Q3 this year with a 3.6 kernel (from what I heard).

  • pechspilz Member
    edited March 2013

    https://wiki.ubuntu.com/LxcSecurity

    Btw. 12.04 kept crashing my server, I had to update to 12.10 with the 3.5 kernel to get LXC running.

    And to address Rallias' 2009 FUD claim:
    "NOTE: Until we have user namespaces implemented in the kernel and used by the LXC we will NOT say that LXC is root safe, however the default apparmor profile as shipped in Ubuntu 12.04 LTS is blocking any harmful action that we are aware of."
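
As an added check (not code from this thread or from Ubuntu's LXC tooling), the script below reads /proc/self/uid_map to tell whether root inside a container is really host root, which is the property the quoted note makes the condition for calling LXC root safe; the two sample maps are constructed.

```python
"""Tell whether root in this process is really host root by parsing /proc/self/uid_map.
Added example, not code from the thread or from Ubuntu's LXC tooling: the quoted
LxcSecurity note ties root safety to user namespaces, and an identity map (0 -> 0)
means no user namespace is isolating the container."""
from typing import List, Optional, Tuple


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse lines of the form '<inside_start> <outside_start> <count>'."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        inside, outside, count = (int(p) for p in parts)
        ranges.append((inside, outside, count))
    return ranges


def host_uid_for(inside_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Map a uid seen inside the namespace to the host uid; None if unmapped
    (unmapped uids show up as the overflow 'nobody' uid)."""
    for inside, outside, count in ranges:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 inside maps straight to uid 0 on the host."""
    return host_uid_for(0, parse_uid_map(uid_map_text)) == 0


def verdict(uid_map_text: str) -> str:
    host = host_uid_for(0, parse_uid_map(uid_map_text))
    if host == 0:
        return "root here is host root (no user namespace isolation)"
    if host is None:
        return "root here is unmapped on the host"
    return "root here is host uid %d (user namespace in use)" % host


# Constructed sample maps, not captured from a real host.
IDENTITY_MAP = "         0          0 4294967295\n"  # initial ns / privileged container
UNPRIV_MAP = "         0     100000      65536\n"    # container root -> host uid 100000

if __name__ == "__main__":
    with open("/proc/self/uid_map") as fh:  # the live map for this process
        print(verdict(fh.read()))
```

Run it inside a container: an identity map means the AppArmor profile is the only thing standing between container root and the host.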

  • joepie91 Member, Patron Provider

    @jarland said: LXC is shoved into a recent kernel along with all of the other crap Ubuntu is going to put in there.

    LXC is part of mainline Linux kernel now, as far as I am aware.

  • Rallias Member
    edited March 2013

    @Rallias said: patched for the 3.6 kernel line.

    @pechspilz said: Ubuntu 12.04 LTS

    Do you read?

    @joepie91 said: LXC is part of mainline Linux kernel now, as far as I am aware.

    And has been since 2.6.29. It's not been fully robust until the 3.6 series.

  • @jarland said: LXC is shoved into a recent kernel along with all of the other crap Ubuntu is going to put in there. Bottom line is a base OpenVZ installation is going to be more secure and less subject to flavor of the month vulnerabilities in unnecessary drivers and other kernel modules that would no doubt be enabled or left in place by the type of person who would use a base Ubuntu installation to host virtual machines. KVM at least has true isolation, encouraging LXC startups around here would be disastrous.

    OpenVZ only runs on deprecated, unsupported kernels. And from what I get, OpenVZ has to maintain its own kernel (and merge from upstream) to get it to work, whereas LXC is part of the mainline kernel and just works. Even more so, OpenVZ is using more and more of the functionality LXC is also using. They're contributing code to the mainline kernel and eventually will have to rely on the same code LXC uses. Also, LXC isn't "shoved" into a kernel, it is built on top of functionality inside the kernel.

    So, theoretically, OpenVZ is more vulnerable to security exploits and weird shit than LXC (though LXC is far from finished). It's just that their ancient kernel has been so well-tested, less security exploits are likely to exist in it than in the mainline kernel (except, perhaps, for the LTS kernels).

    Sorry if I sound like an ass, just trying to make a point here, nothing personal :)

  • So? KVM is in the main kernel as well, just use that...

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    @mpkossen said: Sorry if I sound like an ass, just trying to make a point here, nothing personal :)

    Point taken, but I disagree. I wouldn't call 2.6.32-279.22.1.el6 deprecated and unsupported. Red Hat is still supporting 2.6.32-279, they just patched it. Mainline kernel isn't the only one updated and patched. Red Hat has a history with servers that Ubuntu just doesn't have. Ubuntu isn't following Debian here either, they're on their own pushing 3.x on a server OS. At the end of the day, do you really trust Ubuntu to provide you with a more solid kernel than Red Hat? The convenience OS over the enterprise OS? I'm just not sold on it. If newer is better and more secure then why isn't everyone flocking to Windows 8, Ubuntu 12.10/13, and Debian 7?

    Just my opinion.
    +1 for KVM. True isolation is better if you're going to virtualize for clients over bleeding edge software.

  • mpkossen Member
    edited March 2013

    @jarland said: Point taken, but I disagree. I wouldn't call 2.6.32-279.22.1.el6 deprecated and unsupported. Red Hat is still supporting 2.6.32-279, they just patched it. Mainline kernel isn't the only one updated and patched.

    Didn't know that :) On Wikipedia, all kernels supporting OpenVZ are listed as unsupported, which is what I based my post on :)

    Red Hat has a history with servers that Ubuntu just doesn't have.

    True, but they're not exactly new to this either. They've been around some time now.

    Ubuntu isn't following Debian here either, they're on their own pushing 3.x on a server OS. At the end of the day, do you really trust Ubuntu to provide you with a more solid kernel than Red Hat? The convenience OS over the enterprise OS? I'm just not sold on it. If newer is better and more secure then why isn't everyone flocking to Windows 8, Ubuntu 12.10/13, and Debian 7?

    I personally trust Ubuntu, but I'm a fan, so I'm tainted. I do think, however, that with the LTS they make a very stable server OS and, with the paid support they offer, are a good competitor to Red Hat. All my servers run Ubuntu 12.04 LTS and I've never had any issues. I'm not doing much kernel stuff, but still :)

    +1 for KVM. True isolation is better if you're going to virtualize for clients over bleeding edge software.

    Yeah, +1 for KVM from me as well :)

  • I wanted to note, @jarland, that as part of what you said I've been reading up on OpenVZ with CentOS and well, here's the story:

    I wanted a personal dev server where I could create containers. I had a rather large KVM which I could use for this. My first try was Proxmox with OpenVZ on Debian Squeeze. The installation wasn't hard but did have some quirks. After that, I had to get IPv6 going. All in all, it didn't feel very stable and there was a lack of Proxmox-specific documentation. So I went with LXC, which had my preference anyway since I could run Ubuntu, play around with more recent technology and you have your first server up almost instantly (it's just two commands to install LXC and get your server up and running, no reboots required). However, the lack of documentation for LXC and the fact that I had to invest quite some time to get everything configured the way I want made me doubt my choice.

    So, after reading your response here I discovered that Proxmox is using a different kernel than CentOS is, and that the RHEL kernel OpenVZ offers is actually quite recent. So, I took a jump into the deep and installed CentOS (I'm an Ubuntu fanboy here) and it actually surprised me how easy it was to get it up and running. I went with OVZ web panel, since I don't want to sponsor Solus with $10 a month for my personal dev server, and even that's running very well.

    So, long story short: thanks for pointing me to the recent/maintained kernel :)

    I'm still going to play with LXC on another server, by the way, but more about that in the future.

  • jar Patron Provider, Top Host, Veteran
    edited March 2013

    Honestly I don't see a single issue with LXC or its design that makes me shy away from it for personal use. Sharing it still worries me some.

    As for the new openvz kernel, so far so good with the latest release here. The 072.10 was a nightmare for me, but 074.10 has been a bit smoother in my brief tests. I went ahead and rolled it out on DallasTwo. I need to be more careful running the latest kernel in the future though, but many of the issues don't present themselves on small personal nodes.
