Sandcastles - (LXC) Containers & Security

Been trying out the Sandbox code. Seeing it in action is, for us, a dream come true.

For a long while now, the need to isolate the applications being started has been high on the agenda. Thanks to a load of work by Jeetu to integrate the awesome LXC code into our ebrainpool client, the client now starts every application in its own container.

Performance of the LXC container, is feature worth mentioning. In all my tests so far, the load overhead has been <3%. For the most part, it hovers around 1%. This is exciting, since one of our concerns was un-necessary overloading the host system with an additional layer/overhead. To the entire LXC bunch, Great Great Stuff.

There are loads of performance tweaks which can be introduced depending on the actual real world usage of our client. A great degree of control lies firmly in the hands of the person hosting the ebrainpool client, with cgroups et al, lxc allows for a large degree of flexiblity. This code is currently in the repository,in a separate branch called 'sandbox'. Grab it and have a go, and let us know how it goes for you. Any issues? Let us know that too.

Have a look at Installing the Sandbox to get up and running with the Sandbox code and also getting started...if you have not tried out any version yet The LXC integration marks a major milestone, in our march towards a public binary downloadable release.

What does this affect ? Well, a user starts the application, he does not see the hot machines directory and files, but a completely clean system. Isolated and more secure. Good things for everyone involved. A nice and important additional layer of security.

Previous Post Next Post