danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
SELinux & PaaS: Deep Dive on Multi-tenancy, Containers & Security with Dan Walsh, Red Hat
danwalsh

SELinux & PaaS: Deep Dive on Multi-tenancy, Containers & Security with Dan Walsh, Red Hat

Last week I went to Portland, OR for the OpenShift Origin Day.
I gave a talk about SELinux and OpenShift.

The talk covered  the importance of MAC and container/namespaces when using a multi-tenant environment like OpenShift.

The talk also covers enhancements I want to make to OpenShift gears (containers) and additional features that we will be adding.

The video has been posted to youtube.


Red Hat vs. OpenVZ?

dowdle

2013-04-24 01:47 am (UTC)

Greetings,

I've been a Red Hat fan since 1996... and I started using OpenVZ in 2005. I've gotten so deep into both of them over the years... that I almost feel married to them both... but my two "wives" don't seem to acknowledge either other... or at least not in important ways.

SWsoft created Virtuozzo Containers for Linux in 2001. In 2005 they released the underlying kernel source/bits and command line tools under the GPL v2. Then they merged with Parallels and changed their name combined named to Parallels.

The problem with OpenVZ is that it was made independently of the mainline kernel, was around for several years, and was huge and mature... and there was no way to get it added to the mainline... since it was/is intrusive and touches so many sub-systems. As you surely know, there is also the Linux-VServer project which is yet another full-blow container implementation for the Linux kernel which is also a third-party patch that really isn't trying to get into the mainline kernel.

My question is, since all of the code is GPL'ed can we all just get along... and try to come up with a way to get all of the container features into the mainline... by working together... sharing ideas... making a consensus... and then trying to execute on it? Do we really need a third (or fourth if you count the bits and pieces that exist and are collectively referred to as LXC) implementation of containers for Linux?

My guess is that your answer would be that Red Hat is the only one of the three trying to do it within the mainline... and utilizing SELinux... and libvirt... and you would be right... but can't we get along? Can't we work together (note, I'm NOT a developer)? Can't Red Hat acknowledge that OpenVZ and Linux-VServer exist?

It is hard to put my feelings and ideas into this comment but I'm trying.

TYL,
Scott Dowdle (dowdle@montanalinux.org)

Re: Red Hat vs. OpenVZ?

danwalsh

2013-04-24 01:50 pm (UTC)

Well Red Hat/Fedora is focused on what is in the upstream kernel. I have no problem with these other technologies.

(Unless they require Disabling SELinux)

I which the developers of these technolgies would work harder to either use the new technology or get missing componants into the upstream kernel.

Also for Full OS/CHroot Containers, Red Hat is still focusing on a KVM solution.

My goal with SELinux is to take the technology available in the Kernel and add security to it for all environments including Multi-Tenant environments.


You are viewing danwalsh