* Running services in containers
@ 2017-02-07 14:25 Ludovic Courtès
  2017-02-07 17:25 ` Ricardo Wurmus
  2017-05-19 17:52 ` Pjotr Prins
  0 siblings, 2 replies; 7+ messages in thread
From: Ludovic Courtès @ 2017-02-07 14:25 UTC (permalink / raw)
  To: guix-devel

Hi Guix!

Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
demo I made of a Shepherd service running in a container.  :-)

I’ve polished the thing on my way back and pushed the result, using
BitlBee as an example:

  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d

It works nicely!  The BitlBee daemon shares its network and user
namespaces with the system but otherwise has a private /tmp and a
private /var/run and only has access to /var/lib/bitlbee and /gnu/store.

It should make it harder for an attacker to usefully exploit a remote
code execution vulnerability such as the one recently reported¹.

Of course BitlBee is a simple example, but I think it’d be nice to
investigate what it takes to do the same for other services in the
future.  I’d like to write a post about it at some point.

Ludo’.

¹ https://bugs.bitlbee.org/ticket/1281
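As an added illustration of the pattern the message describes (this is example code written after the API introduced in the linked commits, not the code from those commits), here is the shape of a Shepherd service whose daemon runs in a container that shares the host's network and user namespaces but sees only /gnu/store and a single read-write directory. The BitlBee command-line flags, the PID file path and the `bitlbee` account used for dropping privileges are assumptions made for the example.

```scheme
;; Added example, not the project's own service definition.  Assumptions:
;; the bitlbee flags, the PID file location and the `bitlbee' user.
(use-modules (gnu services)
             (gnu services shepherd)
             (gnu system file-systems)
             (guix gexp))

(define (bitlbee-container-shepherd-service bitlbee config-file)
  "Return a Shepherd service running BITLBEE with CONFIG-FILE inside a
container.  The process keeps the host's network and user namespaces but
gets private mount, PID and IPC namespaces: /tmp and /var/run are private,
and apart from /gnu/store only /var/lib/bitlbee is visible."
  (shepherd-service
   (provision '(bitlbee))
   (documentation "Run BitlBee in a container.")
   (requirement '(user-processes loopback))
   ;; The container constructor lives in (gnu build shepherd) and the
   ;; mapping record in (gnu system file-systems); both must be visible on
   ;; the Shepherd side, in addition to the default service modules.
   (modules (append '((gnu build shepherd)
                      (gnu system file-systems))
                    %default-modules))
   (start #~(make-forkexec-constructor/container
             (list #$(file-append bitlbee "/sbin/bitlbee")
                   "-n" "-F" "-u" "bitlbee" "-c" #$config-file)
             ;; /var/run is private to the container, so this PID file is
             ;; not visible from the host's /var/run.
             #:pid-file "/var/run/bitlbee.pid"
             ;; Everything not listed here stays invisible: only this
             ;; directory is bind-mounted read-write into the container.
             #:mappings (list (file-system-mapping
                               (source "/var/lib/bitlbee")
                               (target source)
                               (writable? #t)))))
   (stop #~(make-kill-destructor))))
```

A compromise of the daemon then yields a process that can write state only under /var/lib/bitlbee and cannot reach the host's /tmp, /var/run, /etc or other services' files, which is the "harder to usefully exploit" property the message refers to.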

* Re: Running services in containers
From: Ricardo Wurmus @ 2017-02-07 17:25 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel


Ludovic Courtès <ludo@gnu.org> writes:

> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
> demo I made of a Shepherd service running in a container.  :-)
>
> I’ve polished the thing on my way back and pushed the result, using
> BitlBee as an example:
>
>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>

This is very cool!  I’m amazed at how you got this ready in time for
your talk.  I’m sure you didn’t just keep this under wraps for weeks :)

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net

* Re: Running services in containers
From: Ludovic Courtès @ 2017-02-08 11:28 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <rekado@elephly.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>> demo I made of a Shepherd service running in a container.  :-)
>>
>> I’ve polished the thing on my way back and pushed the result, using
>> BitlBee as an example:
>>
>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>>
>
> This is very cool!  I’m amazed at how you got this ready in time for
> your talk.  I’m sure you didn’t just keep this under wraps for weeks :)

I had a long train trip and also the version I demoed on Sunday was much
less polished than this—but nobody could see that.  :-)

Ludo’.

* Re: Running services in containers
From: Maxim Cournoyer @ 2017-02-13  1:15 UTC (permalink / raw)
  To: Ricardo Wurmus; +Cc: guix-devel

Hi!

Ricardo Wurmus <rekado@elephly.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>> demo I made of a Shepherd service running in a container.  :-)
>>
>> I’ve polished the thing on my way back and pushed the result, using
>> BitlBee as an example:
>>
>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>>
>
> This is very cool!  I’m amazed at how you got this ready in time for
> your talk.  I’m sure you didn’t just keep this under wraps for weeks :)
>

+1. I can see myself experimenting with this for SSH soon. Thanks for
providing the bits required to do this and sharing!

Maxim

* Re: Running services in containers
From: Ludovic Courtès @ 2017-02-13 14:29 UTC (permalink / raw)
  To: Maxim Cournoyer; +Cc: guix-devel

Howdy!

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>>> demo I made of a Shepherd service running in a container.  :-)
>>>
>>> I’ve polished the thing on my way back and pushed the result, using
>>> BitlBee as an example:
>>>
>>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>>>
>>
>> This is very cool!  I’m amazed at how you got this ready in time for
>> your talk.  I’m sure you didn’t just keep this under wraps for weeks :)
>>
>
> +1. I can see myself experimenting with this for SSH soon. Thanks for
> providing the bits required to do this and sharing!

SSH may be more difficult because (1) sshd (OpenSSH) already does a good
job at isolating itself, and (2) users who log in want to have the full
authority of their account.

Anyway, it’d be nice to see how much we can get from this!

Ludo’.

* Re: Running services in containers
From: Maxim Cournoyer @ 2017-02-14  6:01 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Hi again :)

ludo@gnu.org (Ludovic Courtès) writes:

> Howdy!
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> Ludovic Courtès <ludo@gnu.org> writes:
>>>
>>>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>>>> demo I made of a Shepherd service running in a container.  :-)
>>>>
>>>> I’ve polished the thing on my way back and pushed the result, using
>>>> BitlBee as an example:
>>>>
>>>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>>>>   http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>>>>
>>>
>>> This is very cool!  I’m amazed at how you got this ready in time for
>>> your talk.  I’m sure you didn’t just keep this under wraps for weeks :)
>>>
>>
>> +1. I can see myself experimenting with this for SSH soon. Thanks for
>> providing the bits required to do this and sharing!
>
> SSH may be more difficult because (1) sshd (OpenSSH) already does a good
> job at isolating itself, and (2) user who log in want to have the full
> authority of their account.
>

I'm looking at a very simple use case which shouldn't require access to
much outside of the network: reverse port forwarding. For this specific
use case, I'd rather have a specific instance of SSHD serving that
purpose and not having access to my full system.

> Anyway, it’d be nice to see how much we can get from this!
>
> Ludo’.

Thanks for your response,

Maxim

* Re: Running services in containers
From: Pjotr Prins @ 2017-05-19 17:52 UTC (permalink / raw)
  To: Ludovic Courtes; +Cc: guix-devel

A bit late, but the work you and others have done (Dave comes to mind)
is simply amazing. I am running and testing a very complex web service
in a container and it runs like a charm. Very quick to start up too
since it shares the resources on the host. It is very very good.

Thanks! 

Next stop services.

Pj.
