unofficial mirror of guix-devel@gnu.org 
* Running services in containers
@ 2017-02-07 14:25 Ludovic Courtès
  2017-02-07 17:25 ` Ricardo Wurmus
  2017-05-19 17:52 ` Pjotr Prins
  0 siblings, 2 replies; 7+ messages in thread
From: Ludovic Courtès @ 2017-02-07 14:25 UTC (permalink / raw)
  To: guix-devel

Hi Guix!

Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
demo I made of a Shepherd service running in a container.  :-)

I’ve polished the thing on my way back and pushed the result, using
BitlBee as an example:

  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d

It works nicely!  The BitlBee daemon shares its network and user
namespaces with the system but otherwise has a private /tmp and a
private /var/run and only has access to /var/lib/bitlbee and /gnu/store.

It should make it harder for an attacker to usefully exploit a remote
code execution vulnerability such as the one recently reported¹.

Of course BitlBee is a simple example, but I think it’d be nice to
investigate what it takes to do the same for other services in the
future.  I’d like to write a post about it at some point.

Ludo’.

¹ https://bugs.bitlbee.org/ticket/1281
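The confinement the message describes (network and user namespaces shared with the system, everything else private, a private /tmp and /var/run, and only /var/lib/bitlbee and /gnu/store visible from the host) is the kind of property worth verifying from the host rather than trusting. The following audit script is an added example, not part of the original post and not Guix's own code. It reads only the standard Linux /proc interfaces (the ns symlinks and mountinfo, see proc(5)); the policy constants encode the message's description as assumptions, the read-only expectation for /gnu/store is an additional assumption, and the two mountinfo samples are constructed rather than captured from a real Guix system.

```python
"""Audit the confinement of a containerised service from the host side.

Added example (not Guix code).  Namespace sharing is decided by comparing
/proc/<pid>/ns/* links with those of PID 1; mount exposure is decided by
parsing /proc/<pid>/mountinfo against a small allow-list.
"""
import os
import re
import sys
from dataclasses import dataclass

NS_KINDS = ("net", "user", "mnt", "pid", "ipc", "uts")

# Policy as described in the message above (assumptions, adjust per service).
EXPECTED_SHARED = {"net": True, "user": True, "mnt": False,
                   "pid": False, "ipc": False, "uts": False}
ALLOWED_HOST_TREES = ("/gnu/store", "/var/lib/bitlbee")
PRIVATE_DIRS = ("/tmp", "/var/run")


@dataclass(frozen=True)
class Mount:
    mount_point: str
    fs_type: str
    source: str
    options: str        # per-mount options, e.g. "ro,nosuid,nodev"


def _unescape(field):
    # proc(5) escapes space, tab, newline and backslash as \040, \011, ...
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo into Mount records."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # "id parent maj:min root mount_point opts [tags...] - fstype source superopts"
        before, _, after = line.partition(" - ")
        pre, post = before.split(), after.split()
        mounts.append(Mount(_unescape(pre[4]), post[0], _unescape(post[1]), pre[5]))
    return mounts


def read_ns_links(pid):
    """{kind: "net:[4026531992]", ...} for a live process; needs root for PID 1."""
    return {k: os.readlink(f"/proc/{pid}/ns/{k}") for k in NS_KINDS}


def namespace_findings(service_links, host_links, expected=EXPECTED_SHARED):
    """Deviations from policy; two processes share a namespace iff the link text matches."""
    findings = []
    for kind, want_shared in expected.items():
        shared = service_links[kind] == host_links[kind]
        if shared != want_shared:
            findings.append(f"{kind} namespace is {'shared with host' if shared else 'private'}, "
                            f"expected {'shared' if want_shared else 'private'}")
    return findings


def mount_findings(mounts, allowed=ALLOWED_HOST_TREES, private=PRIVATE_DIRS):
    """Flag mounts that expose more of the host than the policy allows."""
    findings, seen_private = [], set()
    for m in mounts:
        if m.mount_point in private:
            seen_private.add(m.mount_point)
            if m.fs_type != "tmpfs":      # a host bind mount of /tmp is a leak
                findings.append(f"{m.mount_point} is {m.fs_type} from {m.source}, "
                                "expected a private tmpfs")
            continue
        if (m.mount_point, m.fs_type) in (("/", "tmpfs"), ("/proc", "proc")):
            continue                      # fresh container root / fresh procfs
        if any(m.mount_point == a or m.mount_point.startswith(a + "/") for a in allowed):
            if m.mount_point.startswith("/gnu/store") and "ro" not in m.options.split(","):
                findings.append(f"{m.mount_point} is mounted read-write")  # assumption: store is ro
            continue
        findings.append(f"unexpected mount {m.mount_point} ({m.fs_type} from {m.source})")
    for p in private:
        if p not in seen_private:
            findings.append(f"{p} is not a separate mount")
    return findings


# Constructed samples (not captured from a real system): a compliant view and a leaky one.
GOOD_MOUNTINFO = """\
30 1 0:27 / / rw,relatime - tmpfs none rw
31 30 0:28 / /proc rw,nosuid,nodev,noexec - proc proc rw
32 30 8:1 /gnu/store /gnu/store ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
33 30 8:1 /var/lib/bitlbee /var/lib/bitlbee rw,relatime - ext4 /dev/sda1 rw
34 30 0:29 / /tmp rw,nosuid,nodev - tmpfs none rw
35 30 0:30 / /var/run rw,nosuid,nodev - tmpfs none rw
"""
LEAKY_MOUNTINFO = """\
40 1 0:27 / / rw,relatime - tmpfs none rw
41 40 8:1 /home /home rw,relatime - ext4 /dev/sda1 rw
42 40 8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw
43 40 8:1 /gnu/store /gnu/store rw,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    # Usage (as root on the host): python audit.py <pid-of-bitlbee>
    pid = int(sys.argv[1])
    with open(f"/proc/{pid}/mountinfo") as f:
        problems = mount_findings(parse_mountinfo(f.read()))
    problems += namespace_findings(read_ns_links(pid), read_ns_links(1))
    print("\n".join(problems) or "confinement matches policy")
```

The allow-list is deliberately strict: anything not named by the message (device nodes, /etc fragments, a host /dev or /sys bind) is reported, so the first run on a real service will list exactly what else the container can see, which is the inventory you want before deciding it is acceptable.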


Thread overview: 7+ messages
2017-02-07 14:25 Running services in containers Ludovic Courtès
2017-02-07 17:25 ` Ricardo Wurmus
2017-02-08 11:28   ` Ludovic Courtès
2017-02-13  1:15   ` Maxim Cournoyer
2017-02-13 14:29     ` Ludovic Courtès
2017-02-14  6:01       ` Maxim Cournoyer
2017-05-19 17:52 ` Pjotr Prins

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
