[atomic-devel] linux-user-chroot v2015.1
- From: Colin Walters <walters verbum org>
- To: atomic-devel projectatomic io
- Subject: [atomic-devel] linux-user-chroot v2015.1
- Date: Sun, 06 Sep 2015 12:46:50 -0400
Hi,
While I know it's not officially part of this effort, I'd like to crosspost the announcement of a new release of my project "linux-user-chroot" here:
https://git.gnome.org/browse/linux-user-chroot/tag/?id=v2015.1
It's focused around *non-root* containers. In contrast to:
http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/
I believe it's an easy way to use Linux container features as non-root to enhance integrity and confidentiality. For example, here's a bash alias I'm using:
alias make='chrt --idle 0 linux-user-chroot --unshare-ipc --unshare-net --unshare-pid --mount-devapi /dev --mount-proc /proc --seccomp-profile-version 0 --chdir "$(pwd)" / make'
Now, whenever I'm building a project directly on my workstation and I just type my normal "make -j 4", it's sandboxed fairly well. Another intended use of linux-user-chroot is for robust build systems that run as non-root. The upstream README has some links: https://git.gnome.org/browse/linux-user-chroot/tree/README?id=v2015.1