2017-07-27 22:51:04 good Start of the LXC0 project

We were planning from the start to use containers to isolate all components from each other. The container technology is called LXC (Linux Container): https://linuxcontainers.org . We had almost 20 years of experience with the original vserver system. It was time to experiment with new stuff.

One idea we had in mind was to make the most minimalist containers. The docker project (https://www.docker.com) is one take on this idea. Instead of viewing a container as a Linux server with all the bells and whistles, you see it as an isolated sandbox running only one service. Each container has to be assembled/designed, removing all the extra stuff not needed in our project. Most packages out there are fairly complete and ironed out, and sometimes a package contains a little too much.

The lxc0 project aimed at creating the most minimal containers in an automated way. The trick is simple. You execute your program under strace (for example, strace -f -o /tmp/log.web /usr/sbin/httpd). Then you know every file read and written. Using a simple tool, you can extract the smallest set of files required to run a given service. If an attacker abuses a service, he will end up in a very strange environment: for example, most services out there don't even need a shell to start and operate.

So to maintain all your containers, you maintain (keep up to date) one reference server and assemble your containers from it.
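The "simple tool" step above, as an added example that is not the lxc0 project's own code: it parses the `strace -f -o` log, keeps only the paths the service actually opened, executed or stat'ed successfully (a failed `ENOENT` lookup, such as the service probing for `/bin/sh`, is exactly the kind of file the container can go without), and copies those files from the reference server into a container root. The sample log, the `/var/lib/lxc0/...` target path and the syscall list are constructed assumptions.

```python
import os
import re
import shutil

# One "strace -f -o log" line: "<pid>  <syscall>(<args>) = <ret> [ERRNO (...)]"
_CALL_RE = re.compile(r"^(?:\d+\s+)?(?P<call>[a-z0-9_]+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Syscalls whose first quoted argument is a filesystem path the service touched (assumed list).
PATH_CALLS = {"open", "openat", "execve", "stat", "lstat", "access", "readlink"}

# Constructed sample of what "strace -f -o /tmp/log.web /usr/sbin/httpd" might record.
SAMPLE_LOG = """\
4711  execve("/usr/sbin/httpd", ["/usr/sbin/httpd"], 0x7ffd1c2e0a10 /* 12 vars */) = 0
4711  openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4711  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4711  openat(AT_FDCWD, "/usr/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
4711  stat("/etc/httpd/conf/httpd.conf", {st_mode=S_IFREG|0644, st_size=11753, ...}) = 0
4711  openat(AT_FDCWD, "/etc/httpd/conf/httpd.conf", O_RDONLY|O_CLOEXEC) = 4
4712  open("/var/log/httpd/error_log", O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0644) = 5
4712  execve("/bin/sh", ["/bin/sh", "-c", "id"], 0x55d0c0ffee00) = -1 ENOENT (No such file or directory)
4712  <... read resumed>"GET / HTTP/1.1", 8192) = 14
"""

def files_from_strace(lines):
    """Return the set of absolute paths the traced service opened, executed or stat'ed successfully."""
    used = set()
    for line in lines:
        m = _CALL_RE.match(line)
        if not m or m.group("call") not in PATH_CALLS:
            continue  # unfinished/resumed fragments and non-path syscalls name no file
        if int(m.group("ret")) < 0:
            continue  # failed lookups (ENOENT etc.) are files the service lives without
        q = _QUOTED_RE.search(m.group("args"))
        if q and q.group(1).startswith("/"):
            used.add(os.path.normpath(q.group(1)))
    return used

def assemble_rootfs(paths, reference="/", target="/var/lib/lxc0/web/rootfs"):
    """Copy each regular file from the reference server into the container root, keeping its path."""
    copied = []
    for path in sorted(paths):
        src = os.path.join(reference, path.lstrip("/"))
        if not os.path.isfile(src):
            continue  # only regular files are copied; parent directories are recreated below
        dst = os.path.join(target, path.lstrip("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # follows symlinks, so a .so symlink lands as the real library
        copied.append(dst)
    return copied
```

Run `files_from_strace(open("/tmp/log.web"))` against a real trace and feed the result to `assemble_rootfs` with `reference` pointing at the up-to-date reference server tree; re-run both whenever that server is updated.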