Re: [PATCH] Make linux-user-chroot useable inside vServer guests
On Thu, 2012-09-06 at 06:08 +0300, Adrian Perez wrote:

> and the linux-user-chroot tool won't work as some operations
> are forbidden.

So there are two independent technologies: virtualization, and
containers.  Even though Wikipedia calls containers "Operating
system-level virtualization", it's a lot less confusing to say
"containers".

Conceptually linux-user-chroot is a "container" system.

Now, it often makes sense to combine virtualization and containers:

virtualization-inside-container: Running qemu-kvm inside a container in
the host (cgroups for CPU/memory constraints, security hardening with
CLONE_NEWPID, read-only bind mounts).

container-inside-virtualization: This is the way ostree.gnome.org works
now - it's a regular RHEL6 VM that uses linux-user-chroot inside it.
This is the use case that I designed linux-user-chroot for.

But both technologies are kind of hostile to *nesting*, i.e.
virtualization-inside-virtualization or container-inside-container.

You can do VMs inside VMs as of very recent versions of KVM as I
understand it, but with caveats.

Finally, what we're talking about here is nested containers - two
different kinds of container.

Given that linux-user-chroot is a security-sensitive setuid binary, I'm
really wary of adding hacks to it.

What about writing instead a fork of the tool designed to nest inside
vserver, and patching gnome-ostree to use it?  I'd be happy to make this
part more configurable/pluggable.

I think it's clearly a vServer bug that you can't call
PR_SET_NO_NEW_PRIVS by the way.  Someone should ping them about that.
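As an added example that is not part of the original thread or of linux-user-chroot itself: a fail-closed probe for the prctl(PR_SET_NO_NEW_PRIVS) call the message mentions, showing how a setuid sandbox helper can detect an environment that refuses the call (as the vServer guest described here does) and stop instead of continuing without the hardening. The function and enum names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
/* Constants from the Linux UAPI, for headers that predate kernel 3.5. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Outcome of trying to enable no_new_privs in the current process. */
enum nnp_status {
    NNP_ENABLED = 0,   /* set and read back as 1: safe to proceed */
    NNP_UNSUPPORTED,   /* the kernel or container refused the request */
    NNP_INCONSISTENT   /* set "succeeded" but the flag did not read back as 1 */
};

/* Try to set no_new_privs, then verify it really took effect.
 * A privileged sandbox helper should treat anything but NNP_ENABLED
 * as fatal rather than silently running without the hardening. */
enum nnp_status enable_no_new_privs(int *saved_errno)
{
#ifdef __linux__
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
        if (saved_errno) *saved_errno = errno;
        return NNP_UNSUPPORTED;
    }
    /* Do not trust the return value alone: read the flag back. */
    int flag = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (flag != 1) {
        if (saved_errno) *saved_errno = (flag < 0) ? errno : 0;
        return NNP_INCONSISTENT;
    }
    if (saved_errno) *saved_errno = 0;
    return NNP_ENABLED;
#else
    if (saved_errno) *saved_errno = ENOSYS;   /* not a Linux kernel */
    return NNP_UNSUPPORTED;
#endif
}

int main(void)
{
    int err = 0;
    if (enable_no_new_privs(&err) == NNP_ENABLED) {
        puts("no_new_privs set; safe to continue into the chroot");
        return 0;
    }
    fprintf(stderr, "PR_SET_NO_NEW_PRIVS unavailable (%s); refusing to continue\n",
            err ? strerror(err) : "flag did not take effect");
    return 1;
}
```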
