* Running services in containers
From: Ludovic Courtès @ 2017-02-07 14:25 UTC
To: guix-devel

Hi Guix!

Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
demo I made of a Shepherd service running in a container. :-)

I’ve polished the thing on my way back and pushed the result, using
BitlBee as an example:

  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d

It works nicely! The BitlBee daemon shares its network and user
namespaces with the system but otherwise has a private /tmp and a
private /var/run and only has access to /var/lib/bitlbee and /gnu/store.

It should make it harder for an attacker to usefully exploit a remote
code execution vulnerability such as the one recently reported¹.

Of course BitlBee is a simple example, but I think it’d be nice to
investigate what it takes to do the same for other services in the
future. I’d like to write a post about it at some point.

Ludo’.

¹ https://bugs.bitlbee.org/ticket/1281
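An added example, not code from this thread or from Guix: a POSIX shell check an administrator can run on the host to confirm that a containerised service really has the profile described above (network and user namespaces shared with PID 1, mount namespace private). It compares /proc/PID/ns links, which for another user's process requires root; the `check_isolation` helper and the expected profile it encodes are assumptions of this example, and pid/ipc/uts are only reported since the message does not say how they are handled.

```shell
#!/bin/sh
# Verify the namespace isolation of a service process by comparing its
# /proc/<pid>/ns/* links with those of a reference process (PID 1 by
# default).  Constructed example; reading another user's namespace links
# needs root (or CAP_SYS_PTRACE).

# ns_relation PID_A PID_B NS -> prints "shared" or "private"
ns_relation() {
    a=$(readlink "/proc/$1/ns/$3") || return 2
    b=$(readlink "/proc/$2/ns/$3") || return 2
    if [ "$a" = "$b" ]; then echo shared; else echo private; fi
}

# Expected profile (assumption, matching the BitlBee description): net and
# user shared with the host, mnt private.  Other namespaces are reported
# but not judged, since the message does not state how they are set up.
expected_relation() {
    case "$1" in
        net|user) echo shared ;;
        mnt)      echo private ;;
        *)        echo any ;;
    esac
}

# check_isolation SERVICE_PID [REFERENCE_PID]
# Prints one line per namespace; returns 0 only when every judged
# namespace matches the expected profile, 1 otherwise.
check_isolation() {
    svc=$1; ref=${2:-1}; status=0
    for ns in net user mnt pid ipc uts; do
        got=$(ns_relation "$svc" "$ref" "$ns") \
            || { echo "$ns: unreadable (need root?)"; status=1; continue; }
        want=$(expected_relation "$ns")
        if [ "$want" = any ]; then
            echo "$ns: $got (not judged)"
        elif [ "$got" = "$want" ]; then
            echo "$ns: $got (ok)"
        else
            echo "$ns: $got (expected $want)"; status=1
        fi
    done
    return $status
}

# Usage: ./check-isolation.sh <service-pid> [reference-pid]
if [ $# -ge 1 ]; then
    check_isolation "$@"
fi
```

Run it as root against the daemon's PID (for example the one recorded in /var/run/bitlbee.pid); a "mnt: shared" line means the private /tmp and /var/run are not actually in effect.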
* Re: Running services in containers
From: Ricardo Wurmus @ 2017-02-07 17:25 UTC
To: Ludovic Courtès; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
> demo I made of a Shepherd service running in a container. :-)
>
> I’ve polished the thing on my way back and pushed the result, using
> BitlBee as an example:
>
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d

This is very cool! I’m amazed at how you got this ready in time for
your talk. I’m sure you didn’t just keep this under wraps for weeks :)

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* Re: Running services in containers
From: Ludovic Courtès @ 2017-02-08 11:28 UTC
To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <rekado@elephly.net> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>> demo I made of a Shepherd service running in a container. :-)
>>
>> I’ve polished the thing on my way back and pushed the result, using
>> BitlBee as an example:
>>
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>
> This is very cool! I’m amazed at how you got this ready in time for
> your talk. I’m sure you didn’t just keep this under wraps for weeks :)

I had a long train trip and also the version I demoed on Sunday was much
less polished than this—but nobody could see that. :-)

Ludo’.
* Re: Running services in containers
From: Maxim Cournoyer @ 2017-02-13 1:15 UTC
To: Ricardo Wurmus; +Cc: guix-devel

Hi!

Ricardo Wurmus <rekado@elephly.net> writes:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>> demo I made of a Shepherd service running in a container. :-)
>>
>> I’ve polished the thing on my way back and pushed the result, using
>> BitlBee as an example:
>>
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>
> This is very cool! I’m amazed at how you got this ready in time for
> your talk. I’m sure you didn’t just keep this under wraps for weeks :)

+1. I can see myself experimenting with this for SSH soon. Thanks for
providing the bits required to do this and sharing!

Maxim
* Re: Running services in containers
From: Ludovic Courtès @ 2017-02-13 14:29 UTC
To: Maxim Cournoyer; +Cc: guix-devel

Howdy!

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ricardo Wurmus <rekado@elephly.net> writes:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>>> demo I made of a Shepherd service running in a container. :-)
>>>
>>> I’ve polished the thing on my way back and pushed the result, using
>>> BitlBee as an example:
>>>
>>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>>
>> This is very cool! I’m amazed at how you got this ready in time for
>> your talk. I’m sure you didn’t just keep this under wraps for weeks :)
>
> +1. I can see myself experimenting with this for SSH soon. Thanks for
> providing the bits required to do this and sharing!

SSH may be more difficult because (1) sshd (OpenSSH) already does a good
job at isolating itself, and (2) users who log in want to have the full
authority of their account.

Anyway, it’d be nice to see how much we can get from this!

Ludo’.
* Re: Running services in containers
From: Maxim Cournoyer @ 2017-02-14 6:01 UTC
To: Ludovic Courtès; +Cc: guix-devel

Hi again :)

ludo@gnu.org (Ludovic Courtès) writes:

> Howdy!
>
> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Ricardo Wurmus <rekado@elephly.net> writes:
>>
>>> Ludovic Courtès <ludo@gnu.org> writes:
>>>
>>>> Those who didn’t have the luck to be at FOSDEM missed this not-so-visual
>>>> demo I made of a Shepherd service running in a container. :-)
>>>>
>>>> I’ve polished the thing on my way back and pushed the result, using
>>>> BitlBee as an example:
>>>>
>>>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
>>>> http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d
>>>
>>> This is very cool! I’m amazed at how you got this ready in time for
>>> your talk. I’m sure you didn’t just keep this under wraps for weeks :)
>>
>> +1. I can see myself experimenting with this for SSH soon. Thanks for
>> providing the bits required to do this and sharing!
>
> SSH may be more difficult because (1) sshd (OpenSSH) already does a good
> job at isolating itself, and (2) user who log in want to have the full
> authority of their account.

I'm looking at a very simple use case which shouldn't require access to
much outside of the network: reverse port forwarding. For this specific
use case, I'd rather have a specific instance of SSHD serving that
purpose and not having access to my full system.

> Anyway, it’d be nice to see how much we can get from this!
>
> Ludo’.

Thanks for your response,

Maxim
* Re: Running services in containers
From: Pjotr Prins @ 2017-05-19 17:52 UTC
To: Ludovic Courtes; +Cc: guix-devel

A bit late, but the work you and others have done (Dave comes to mind)
is simply amazing. I am running and testing a very complex webservice in
a container and it runs like a charm. Very quick to start up too since
it shares the resources on the host. It is very very good. Thanks!

Next stop services.

Pj.