Continuing the discussion from Multiple virtual servers (LXC containers) possible?:
Seccomp is used for container security (mostly sand boxing them - by limiting system calls). But on (older) ARM systems and/or average routing OS software it it is not (out of the box) offered / set in kernels.
How will it work on the Turris Omnia (seeing cz.nic promised LXC containerization out of the box)?
Will the kernel of the Turris Omnia be compiled having: LXC_SECCOMP
, CONFIG_SECCOMP_FILTER
and CONFIG_HAVE_ARCH_SECCOMP_FILTER
modules to set in its configuration?
Good to know! So from a practical point of view there is no need to give that much thought than. Could you nevertheless elaborate on that (understanding helps me reach peace of mind ); i.e. where should the code that is arch-specific be present in order for the module to get set in the kernel?
[quote=āadminX, post:56, topic:443ā]LXC_SECCOMP gets selected by default if KERNEL_SECCOMP is set.
KERNEL_SECCOMP seems to not be set by default. This makes sense for OpenWRT in general but hinders secure usage of LXC.OpenWRT will never enable it by default as it costs some cpu time.[/quote]
- Is it safe to assume that the official (Omnia) development involves altering the openWRT software/kernel as such that all necessary kernel modules are active for LXC to safely (on the level that can be expected from containers in general) work out of the box?
[quote=āadminX, post:56, topic:443ā]Iām trying to recompile OpenWRT with SECCOMP enabled for the ARMv6-RPI. This is based on the current (2 weeks old) development code for the Omnia and the 4.4 kernel from LEDE and some shortcuts like editing system headers.
There are still some build errors currently but these get ironed out or the packages disabled.
[/quote]
That would be frieak-kin awesome, as than (having installed that OpenWRT on the Rpi1) one could start playing with the software that is gong to run on the Omnia, on the Rpi, right (ofc. many routing stuff will not workā¦ no wifi/ethernet ports etc.), right?
What about the third one: CONFIG_SECCOMP_FILTER
; should/will it be set on the Omnia?
Iām sorry if I am over-asking / sound newbish here, but I have little to no kernel knowledge yet (and while googling it all it seems fairly complex / a lot to take in at once), and the LXC containerization is one of the main features why I backed this project (next to the safe/transparant routing and supporting the open-source community orc.).
Any other knowledgeable people care to shine their light on the matter (Iām thinking "the usual suspects here; @miska, @bernstein, @nerdpunk, etc.)?