From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1OjzeN-0004tJ-6G for garchives@archives.gentoo.org; Fri, 13 Aug 2010 19:10:43 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F12AFE0B2F for ; Fri, 13 Aug 2010 19:10:41 +0000 (UTC) Received: from mailgate.caprica.metux.de (caprica.metux.de [82.165.128.25]) by pigeon.gentoo.org (Postfix) with ESMTP id 464D6E0A40 for ; Fri, 13 Aug 2010 19:07:21 +0000 (UTC) Received: from mailgate.caprica.metux.de (localhost.localdomain [127.0.0.1]) by mailgate.caprica.metux.de (8.14.4/8.14.4) with ESMTP id o7DJ716F025176 for ; Fri, 13 Aug 2010 21:07:01 +0200 Received: (from uucp@localhost) by mailgate.caprica.metux.de (8.14.4/8.14.4/Submit) with UUCP id o7DJ6j2v025152 for gentoo-user@lists.gentoo.org; Fri, 13 Aug 2010 21:06:45 +0200 Received: (from weigelt@localhost) by nibiru.metux.de (8.12.10/8.12.10) id o7DIwhLs005033 for gentoo-user@lists.gentoo.org; Fri, 13 Aug 2010 20:58:43 +0200 Date: Fri, 13 Aug 2010 20:58:43 +0200 From: Enrico Weigelt To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Increasing security [WAS: Rooted/compromised Gentoo, seeking advice [Solved?] Message-ID: <20100813185843.GA26738@nibiru.local> References: <20100813152553.GB21326@nibiru.local> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-Terror: bin laden, kill bush, Briefbombe, Massenvernichtung, KZ, X-Nazi: Weisse Rasse, Hitlers Wiederauferstehung, 42, X-Antichrist: weg mit schaeuble, ausrotten, heiliger krieg, al quaida, X-Killer: 23, endloesung, Weltuntergang, X-Doof: wer das liest ist doof X-Archives-Salt: 0a2d07e6-4e2a-45b2-bd46-6691ddf9a43e X-Archives-Hash: f5cdbad57070068ffaa032667c543630 * Mark Knecht wrote: Hi, > Since I'm not an IT guy could you please explain this just a bit > more? What is 'a container'? Is it a chroot running on the same > machine? A different machine? Something completely different? http://lxc.sourceforge.net/ http://wiki.openvz.org/Main_Page Unlike VM solutions like kvm, vmware, etc, these (OS-side) container implementations split off the operating system resources (filesystem, network interfaces, process-IDs, ...) into namespaces, so each container only sees its own resources, not those of the host system or other containers. That's essentially what's behind the "virtual private server" solutions offered by various ISPs. > In the OP's case (I believe) he thought a personal machine at home > was compromised. If that's the case then without doubling my > electrical bill (2 computers) how would I implement your containers? He would have several virtual servers running on just one metal. If the host system is not accessible from the outside world, just the virtual servers - an attacker could probably highjack what's inside the virtual servers, but cant get to the host system. cu -- ---------------------------------------------------------------------- Enrico Weigelt, metux IT service -- http://www.metux.de/ phone: +49 36207 519931 email: weigelt@metux.de mobile: +49 151 27565287 icq: 210169427 skype: nekrad666 ---------------------------------------------------------------------- Embedded-Linux / Portierung / Opensource-QM / Verteilte Systeme ----------------------------------------------------------------------