providingpermissiondenied

permissiondenied  时间:2021-03-17  阅读:()
CopyrightIBMCorporation2009TrademarksSecureLinuxcontainerscookbookPage1of12SecureLinuxcontainerscookbookStrengthenlightweightcontainerswithSELinuxandSmackSergeE.
HallynFebruary03,2009Lightweightcontainers,otherwiseknownasVirtualPrivateServers(VPS)orJails,areoftenthoughtofasasecuritytoolsdesignedtoconfineuntrustedapplicationsorusers;butaspresentlyconstructed,thesecontainersdonotprovideadequatesecurityguarantees.
BystrengtheningthesecontainersusingSELinuxorSmackpolicy,amuchmoresecurecontainercanbeimplementedinLinux.
ThisarticleshowsyouhowtocreateamoresecureLinux-Security-Modules-protectedcontainer.
BoththeSELinuxandSmackpolicyareconsideredworksinprogress,tobeimproveduponwithhelpfromtheirrespectivecommunities.
Acommonresponsewhensomeonefirsthearsaboutcontainersis"HowdoIcreateasecurecontainer"ThisarticleanswersthatquestionbyshowingyouhowtouseLinuxSecurityModules(LSM)toimprovethesecurityofcontainers.
Inparticular,itshowsyouhowtospecifyasecuritygoalandmeetitwithboththeSmackandSELinuxsecuritymodules.
ForbackgroundreadingonLinuxContainers,see"LXC:Linuxcontainertools"(developerWorks,February2009).
LinuxcontainersarereallyaconceptualartificebuiltatopseveralLinuxtechnologies:Resourcenamespacesallowthemanipulationoflookupsofprocesses,files,SYSVIPCresources,networkinterfaces,andmore,allinsideofcontainers.
Controlgroupsallowresourcelimitstobeplacedoncontainers.
Capabilityboundingsetslimittheprivilegeavailabletocontainers.
Thesetechnologiesmustbecoordinatedinordertoprovidetheillusionofcontainers.
Twoprojectsalreadyprovidethisfunctionality:LibvirtisalargeprojectthatcancreatevirtualmachinesusingtheXenhypervisor,qemuemulator,andkvm,andalsousinglightweightcontainers.
Liblxcisasmallersetoflibrariesanduserspacecommandswritteninparttohelpkerneldevelopersquicklyandeasilytestthecontainersfunctionality.
developerWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage2of12Because"LXC:Linuxcontainertools"waswrittenusingliblxcasitsfoundation,Iwillcontinuewithliblxchere;however,anythingwedoherecanjustaseasilybedoneusinglibvirt'scontainersupport.
Majorplayer1:LSMBeforewestart,ifyouknowlittleabouttheLSM,hereisaquickreview.
AccordingtotheWikipediaentry:LinuxSecurityModules(LSM)isaframeworkthatallowstheLinuxkerneltosupportavarietyofcomputersecuritymodelswhileavoidingfavoritismtowardanysinglesecurityimplementation.
TheframeworkislicensedunderthetermsoftheGNUGeneralPublicLicenseandisstandardpartoftheLinuxkernelsinceLinux2.
6.
.
.
.
LSMwasdesignedtoprovidethespecificneedsofeverythingneededtosuccessfullyimplementamandatoryaccesscontrolmodule,whileimposingthefewestpossiblechangestotheLinuxkernel.
LSMavoidstheapproachofsystemcallinterpositionasusedinSystracebecauseitdoesnotscaletomultiprocessorkernelsandissubjecttoTOCTTOU(race)attacks.
Instead,LSMinserts"hooks"(upcallstothemodule)ateverypointinthekernelwhereauser-levelsystemcallisabouttoresultinaccesstoanimportantinternalkernelobjectsuchasinodesandtaskcontrolblocks.
.
.
.
Theprojectisnarrowlyscopedtosolvetheproblemofaccesscontroltoavoidimposingalargeandcomplexchangepatchonthemainstreamkernel.
Itisnotintendedasageneral"hook"or"upcall"mechanism,nordoesitsupportvirtualization.
.
.
.
LSM'saccesscontrolgoalisverycloselyrelatedtotheproblemofsystemauditing,butissubtlydifferent.
Auditingrequiresthateveryattemptataccessberecorded.
LSMcannotdeliverthat,becauseitwouldrequireagreatmanymorehooks,soastodetectcaseswherethekernel"shortcircuits"failingsystemcallsandreturnsanerrorcodebeforegettingnearsignificantobjects.
Systemsecurityconsistsoftwosomewhatcontradictorygoals.
Thefirstistoachievecompleteandfine-grainedaccesscontrol.
Ateverypointthatinformationcanbeleakedorcorrupted,youmustbeabletoexertcontrol.
Controlsthataretoocoarseisthesameasbeinguncontrolled.
Forinstance,if(attheextreme)allfilesmustbeclassifiedasonetypeandanyonefilemustbeworld-readable,thenallfilesmustbeworld-readable.
Ontheotherhand,configurationmustalsobesimple,otherwiseadministratorswilloftendefaulttogivingtoomuchaccess(andIcan'temphasizethisenough--thisisthesameasbeinguncontrolled).
Forinstance,ifmakingaprogramworkrequiresthousandsofaccessrules,thenchancesareanadminwillgivetheprogramtoomanyaccessrightsratherthantestingwhethereachaccessrulewasreallyneeded.
ThetwoprimarysecuritymodulesinLinuxeachtakeadifferentviewonhowtohandlethisbalance.
SELinuxbeginsbycontrollingeverythingwhileusinganimpressivepolicylanguagetosimplifypolicymanagement.
Smackisprimarilyconcernedwithprovidingasimpleaccesscontrol.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage3of12Majorplayer2:SELinuxSELinuxisbyfarthemostwell-knownMACsystemforLinux(mandatoryaccesscontrol).
Whileitcertainlystillhasitsdetractors,thefactthatthepopularFedoradistributionhasbeendeployedwithSELinuxenforcingforyearsisatremendoustestamenttoitssuccess.
SELinuxisconfiguredusingamodularpolicylanguagewhichallowsaninstalledpolicytobeeasilyupdatedbyusers.
Thelanguagealsoprovidesinterfaces,allowingmorehigh-levelstatementstobeusedtorepresentacollectionoflow-level"allow"statements.
Inthisarticle,wewillbeusinganewinterfacetodefinecontainers.
Whiletheinterfaceitselfwillbequitelargeduetothemanyaccessrightsyoumustgivethecontainer,usingtheinterfacetocreateanewcontainerwillbeverysimple.
Hopefullytheinterfacecanbecomeapartofthecoredistributedpolicy.
Majorplayer3:SmackSmackistheSimplifiedMandatoryAccessControlKernel.
Itbeginsbylabelingallprocesses,files,andnetworktrafficwithsimpletextlabels.
Newlycreatedfilesarecreatedwiththelabelofthecreatingprocess.
Afewdefaulttypesalwaysexistwithclearlydefinedaccessrules.
Aprocesscanalwaysreadandwriteobjectsofthesamelabel.
PrivilegetobypasstheSmackaccessrulesarecontrolledusingPOSIXcapabilities,soataskcarryingCAP_MAC_OVERRIDEcanoverridetherules;ataskcarryingCAP_MAC_ADMINcanchangetherulesandlabels.
"POSIXfilecapabilities:Parcelingthepowerofroot"(Relatedtopics)demonstratestheseprivileges.
OursecuritygoalInsteadofsimplyblindlyapplyingpolicyandhopingtoendupwithsomethinguseful,let'sbeginbydefiningaclearsecuritygoal.
ThesimplicityofSmackactuallylimitsthegoalswecanachieve,butwe'llpursuethefollowinggoal:1.
CreatecontainerswithsegregatedfilesystemsprovidingWebandsshservices.
2.
Containerswillbeprotectedfromeachother.
Acontainerdesignatedvs1cannotreadfilesownedbyanothercontainervs2orkillitstasks.
3.
Thehostcanprotectitskeyfilesfromcontainers.
4.
TheoutsideworldcanreachtheWebserversandsshserversonthecontainers.
ThegeneralsetupInthisarticlewe'lldotwoexperiments--firstwe'llsetupcontainersprotectedbySELinux,thencontainersprotectedbySmack.
Theexperimentswillsharemuchofthepreliminarysetup.
Youcanusearealmachinetodotheseexperiments,butyoumayfinditeasierormorecomfortingtouseavirtualmachine.
Touseqemuorkvm,youcancreateaharddiskusingqemu-imgcreatevm.
img10G.
BootthevirtualmachinefromCDROMusingacommandlikekvm-hdavm.
img-cdromcdrom.
iso-bootd-m512M.
AgoodchoiceforaCDROMimageistogotofedoraproject.
org/get-fedoraanddownloadaninstallationDVDforFedora10fori386.
SubstitutethefilenameyoudownloadfordeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage4of12cdrom.
isointhepreviouscommand.
Youcanmostlyusetheinstallationdefaults,butmakesuretounselectofficeandproductivityandselectsoftwaredevelopment.
You'llalsowanttoinstallthebridge-utils,debootstrap,andncurses-develrpms,probablyusingtheyumpackagemanager.
Nowyouneedtocompileacustomkernel.
Downloadthekernel-sourcesrpm,patchitwithenable-netns.
patch(seetheDownloadsection)toprovidenetworknamespaces(whichwillbeupstreamasof2.
6.
29butnotinFedora10),changetheconfiguration,thencompletethecompilationandinstallation,byfollowingthefollowinginstructionsasroot:yumdownloader--sourcekernelrpm-ikernel*cdrpmbuildrpmbuild-bcSPECS/kernel-*cdBUILD/kernel-2.
6.
27/linux-2.
6*patch-p1Networkingoptionsmenus).
FortheSmackexperiment,alsogointotheSecurityoptionsmenu,deselectSELinux,andselectthenextoption,Smack.
Youmayalsoneedtoswitchthedefaultbootentryin/boot/grub/grub.
confbackto0insteadof1.
Nowwewanttotryoutliblxc.
"LXC:Linuxcontainertools"describesthebasicusageofliblxcindetail,sowe'llglossoverithere.
Simplyusethecontainer_setup.
shscript(seetheDownloadsection)tosetupthebridgeonwhichcontainernetworkdeviceswilltalk.
Itwillalsoclearyourfirewall,whichbydefaultisn'tsetuptohandlethebridge,aswellassetuptheSmackpolicy(whichwe'llcreatelaterinthefile/etc/smackaccesses)ifyouaredoingtheSmackexperiment.
You'llneedtoruncontainer_setup.
shaftereachrebootorifyouknowhow,makeitrunatbootautomatically.
Nowyourmachineisready!
Let'stryoutliblxc.
Youcandownloadthelatestsourceusingcvsfromlxc.
sf.
netandcompileitusingthefollowing:cvs-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxclogincvs-z3-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxcco-Plxccdlxc.
/bootstrap&&.
/configure&&make&&makeinstallNowifyoulookattheREADME,you'llseetherearequiteafewoptionsforgettingstarted.
Containerscanbeextremelylightweightbecausetheycansharemanyresourceswithyoursystem--includingthefilesystem.
Butourgoalistoprovidesomesimpleisolationsowewillusethescriptlxc-debiantocreateafulldebianchrootimageforeachcontainer.
Beginbycreatingacontainernamedvsplain:ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage5of12mkdir/vsplaincd/vsplainlxc-debiancreatecontainername:vsplainhostname:vsplainIP10.
0.
2.
20gateway:10.
0.
2.
2Theconfigurationforthiscontainerisstoredunderthedirectory/usr/local/var/lxc/vsplain.
Ifyoulookatthefilecalledcgroup,you'llseesomelinesbeginningwithdevices.
.
Thesearedirectivestothedeviceswhitelistcgroupwhichwillmediatedevicecreation,read,andwritebythecontainer.
Startthiscontainerusingthecommandlxc-start-nvsplain.
You'llbepresentedwithaloginprompt.
Logintothecontainerusingusernamerootwithnopassword.
Finally,whenyourcontainerisupandrunning,youwillwanttoapt-getinstallopenssh-serverapt-getinstallapacheNowyoucansshfromthekvmhosttothecontainerandlookatitsWebpageusing10.
0.
2.
20forvsplain'sipaddressand10.
0.
2.
15forthehost's.
Youcanshutthecontainerdownatanytimefromarootterminalonthekvmhostusingthecommandlxc-stop-nvsplain.
Atthispoint,youmaywanttosaveyourselfsometimebycloningtwonewvirtualmachinesfromthistemplate.
Shutdownyourvmanddo:cpvm.
imgselinux.
imgcpvm.
imgsmack.
imgSELinux-protectedcontainersTheSELinuxpolicyforcontainerswe'llusewillconsistofapolicymodule;themodulehasbeenpostedtorefpolicy--SELinuxReferencePolicydevelopmentmaillist.
Downloadthepolicyintoadirectory/root/vs,intofilescalledvs.
if,vs.
fc,andvs.
terespectively.
Compileandinstallthenewmoduleasfollows:cp-r/usr/share/selinux/devel/usr/share/selinux/vscp/root/vs.
/usr/share/selinux/vs/cd/usr/share/selinux/vsmake&&semodule-ivs.
ppThencreatecontainers/vs1and/vs2usinglxc-debianandrelabeltheirfilesystemsusingdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage6of12mkdir/vs1;cd/vs1lxc-debiancreatecontainername:vs1hostname:vs1address:10.
0.
2.
21gateway:10.
0.
2.
2arch:2(i386)mkdir/vs2;cd/vs2lxc-debiancreatecontainername:vs2hostname:vs2address:10.
0.
2.
22gateway:10.
0.
2.
2arch:2(i386)fixfilesrelabel/vs1fixfilesrelabel/vs2Whenyoustartyourcontainers(forinstancebyusinglxc-start-nvs1),you'lllikelygetafewauditmessagesaboutSELinuxaccessdenials.
Don'tworry--thecontainerstartsupfinewithnetworkservicesenabledandthecontainersarenowisolated.
Ifyouhelpcontainervs1cheatusingmount--bind//vs1/rootfs.
vs1/mntbeforestartingthecontainer,you'llfindthateventhoughyouaretherootuser,ls/mnt/rootwillberefused.
Toseehowthisworks,let'slookatthevs.
ifinterfacefile.
Thisdefinesaninterfacecalledcontainerwhichtakesoneargument,thebasenameforthecontainertodefine.
Thevs.
tefilecallsthisfunctiontwicewiththecontainernamesvs1,vs2.
Intheinterface,$1isexpandedtotheargument,so$1_tbecomesvs1_twhenwecallcontainer(vs1).
(Fromhereonlet'sassumewearedefiningvs1).
Themostimportantlinesarethoseinvolvingvs1_exec_t.
Thecontainerrunsintypevs1_t.
Itentersthistypewhenunconfined_texecutesthecontainer's/sbin/initwhichisoftypevs1_exec_t.
Mostoftherestofthepolicymerelyistheretograntthecontainersufficientprivilegetoaccessbitsofthesystem:networkports,devices,consoles,etc.
Theinterfaceisaslongasitisduetothefine-grainednatureoftheexistingSELinuxreferencepolicy.
Aswe'reabouttosee,theSmack-protectedcontainerwillhaveamuchsimplerpolicy;inreturn,itwillpromisemuchlessflexibleprotectionfrommisbehavingsystemservices.
Thereisonemorethingyouneedtodo.
Youmayhavenotedthatwhilethecontainerisnotabletooverwriteits$1_exec_t,thatis/sbin/init.
Butwhatitcandoissomethinglikemv/sbin/sbin.
bakmkdir/sbintouch/sbin/initTheresulting/sbin/initwillbeoftypevs1_file_t.
WhydoyouthinkthecontaineradminwouldwanttodothisBecauseitwouldlaunchthecontainer,includingthesshdaemon,intheunconfined_tdomain,givinghimaprivilegedshellandallowinghimtoescapetheSELinuxconstraintsweweretryingtoenforce.
Topreventthis,youactuallywanttostartthecontainerthroughacustomscriptandrelabelsbin/inittovs1_exec_tbeforestartingthecontainer.
Infact,youcancopyapristinecopyofinitbackintoibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage7of12thecontainerandrelabelthatifthecontaineradministratordidn'tmind.
Butwe'lljustrelabeltheexistinginit:cat>>/vs1/vs1.
sh>/vs1/vs1.
sh/proc/self/attr/currentlxc-start-nvs1/bin/dropmacadmin/sbin/initEOFchmodu+x/vs1/vs1.
shOnemorethingwillletvs1writetothetmpfsfilesystemitisgoingtomount:sed-i's/defaults/defaults,smackfsroot=vs1,smackfsdef=vs1/'\/vs1/rootfs.
vs1/etc/fstabThiswillcausethetmpfsfilesystemmountedat/dev/shmtocarrythevs1labelsothatvs1canwritetoit.
Otherwise,vs1initscriptswon'tbeabletocreatethe/dev/shm/networkdirectoryituseswhilesettingupthenetwork.
Similarly,ifyouwanttousearam-based/tmp,you'llwantthosesameoptions.
Nowagainlet'shelpvs1cheat.
Createvs2thesamewayyoucreatedvs1,substitutingvs2forvs1ateachstep.
Thenbind-mounttherootfilesystemundervs1's/mnt:mount--bind/vs1/vs1mount--make-runbindable/vs1mount--rbind//vs1/rootfs.
vs1/mntibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage9of12Startthecontainerusingvs1.
sh.
NotethatyoucanstillseetheWebpageonvs1andvs2fromthekvmhost.
Notealsothatvs1cannotaccessvs2overthenetwork.
Italsocan'tlookthroughvs2'sfiles:vs1:~#ls/mnt/(directorylisting)vs1:~#ls/mnt/vs2/rootfs.
vs2ls:/mnt/vs2/rootfs.
vs2:Permissiondeniedvs1:~#mkdir/cgroupvs1:~#mount-tcgroupcgroup/cgroupvs1:~#ls/cgroupls:/mnt/vs3:Permissiondeniedvs1:~#mknod/dev/sda1b81mknod:`/dev/sda1':Operationnotpermittedvs1:~#mount/mnt/dev/sda1/tmpmount:permissiondeniedItcanlookthroughthehostfilesystem.
Anythingwewanttoprotectagainst,wecanlabelwiththehostlabel.
That'swhatwedidwiththecgroupfilesystemwhichiswhyls/cgroupfailed.
Finally,thedeviceswhitelistcgroupispreventingusfromcreatingadiskdevice,aswellasmountingitifitexists(asitdoesthrough/mnt).
Ofcourse,thewaywe'vesetthisup,thecontaineradmincanremove/mnt/dev/sda1,aswellmessupthehostinanynumberofways,sootherthanasdemonstrationthisbindmountisobviouslynotdesirable!
NotethatwhileontheSELinuxsystem,thedefault(andeasy)routewastoallowthecontainerstotalktoeachotheroverthenetwork,theinverseistrueinSmack.
Allowingcontainerstotalktoeachotheriscurrentlyveryhardtodo.
AnabilitytosetlabelsonIPaddressesiscomingsoonthoughandshouldallowustosetuppolicytoallowcontainerstocommunicate.
RelatedtohowwesetupSmacknetworking,wehaveanotherproblem.
Thecommandkill-9-1killseverytaskonthesystem.
Whendonebyataskinacontainer,thisshouldonlykilltasksinthesamecontainer.
Thatbehaviorisnowfixedintheupstreamkernel,butnotintheFedora10kernelweareusing.
Soeverytaskwillbesenta-9signal.
IntheSELinux-protectedcontainers,SELinuxstopsthesignalsfrompassingthecontainerboundary,sokill-9-1isactuallysafe.
ButinSmacktasksbydefaultarelabeled_justasthenetworkis,sosinceweallowedthecontainertowrite_toallowwritingtothenetwork,andsincekillingataskisconsideredawriteaccessbySmack,youarealsoallowingthecontaineradmintokillanytasksonthewholesystem.
Anothershortcoming(whichisalsopresentintheSELinuxcontainers)hastodowithUnix98pseudo-terminals.
Opentwographicalterminals.
Inthefirst,startupvs1andlookunder/dev/pts.
Youwillseeatleasttwoentries,0and1,onebelongingtoeachterminal.
Fromthevs1containeryouareabletowriteintotheentrycorrespondingtotheotherterminal.
WiththeFedorakerneltherearetwosolutions.
Youcanusethedevicewhitelistcgrouptodenythecontainertheabilitytoopenthedevices.
However,thiswillhavetobedonebyhandeachtimethedeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage10of12containerisstartedinordertograntitaccesstoitsterminal;oryoucanachievethesameeffectbyapplyingSELinuxandSmacklabels.
Thenewer2.
6.
29kernelsupportsdevptsnamespaces.
Acontainerwillremount/dev/pts,afterwhichitwillbeunabletoaccessthedevptsentriesbelongingtothehostorothercontainers.
ConclusionThisarticleshowcasedthebasictoolsforcreatingLSM-protectedcontainers,butmuchworkremainstobedone:ForSmack,youmustchoosefilestolabelashost.
ForSELinux,youshouldfine-tuneandthenpushacontainerinterfaceintotheupstreamreferencepolicy.
Whilesuchworkisongoing,anduntilmoreexperienceisgainedwithLSM-protectedcontainers,youshouldnotputallyourtrustinthesemechanismstoprotectagainstanuntrustedrootuser.
Althoughtherearenoestablishedbestpracticesforcreatingcontainersyet(thatIknowof),thereareafewideasworthstartingwith.
First,rememberyouareconsolidatingtwosomewhatcontradictorygoals:Youwanttominimizeduplicationamongcontainers(andthehost)whileneedingtoensureisolation.
Onewaytoachievethesegoalscouldbetocreateasinglefullminimalrootfsinwhichnocontainerrunsandlabelingitatypewhichallcontainerscanread.
Thenuseacustomversionofthelxc-sshdscripttocreateeachactualcontainerbasedontheprototype,creatingread-onlymountsformostofthecontainer'sfilesystemwhileprovidingaprivatewritableplaceforthecontainertostorefiles,saylike/scratch.
Sinceeachcontainerhasaprivatemountsnamespace,itcanbind-mountanyfilesordirectorieswhichitneedstobeprivateand/orwriteablefromitsprivateshareddirectory.
Forinstance,ifitwantsaprivate/lib,itcanmount--bind/scratch/rootfs/lib/lib.
Likewise,theadmincanensurethateverycontainerdoesmount--bind/scratch/shadow/etc/shadowatstartup.
OneclearlimitationoftheapproachIdemonstratedherewithbothSELinuxandSmackisthatthecontaineradministratorcannotexploitLSMtocontrolinformationflowwithinhisowncontainer.
Rather,forsimplicity,alltasksinthecontaineraretreatedthesamebyMACpolicy.
Inanotherarticle,IhopetoexplorehowtoallowcontaineradministratorstospecifytheirownLSMpolicieswithoutallowingthemtoescapetheirowncontraints.
ThismaterialisbaseduponworksupportedbytheDefenseAdvancedResearchProjectsAgencyunderitsAgreementNo.
HR0011-07-9-0002.
AcknowledgmentsCaseySchaufler,theauthorofSmack,helpedingettingtheSmack-protectedcontainerofftheground,andDanWalshwaskindenoughtoprovidefeedbackontheSELinuxpolicy.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage11of12DownloadableresourcesDescriptionNameSizeCodeforthisarticlecode.
zip3KBdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage12of12Relatedtopics"LXC:Linuxcontainertools"(developerWorks,February2009)isastep-by-stepguidetocreatingLinuxcontainers.
Therefpolicy--SELinuxReferencePolicydevelopmentmaillistiswhereyou'llfindthepolicymoduleweusedinthisarticle.
"SELinuxfromscratch"(developerWorks,May2006)isadetailedintroductiontoSELinux.
PlanetSELinuxisanaggregationofblogpostsfrommembersoftheSELinuxdevelopmentcommunity.
"Smackforsimplifiedaccesscontrol"(LWN.
net,August2007)isanearlywriteupontheSmacksubmission.
LinuxResourceContainersprojectonSourceForge.
netisarepositoryofcodeforapplicationcontainerimplementationintheLinuxkernel,astagingareaforcodethatmaybesenttothelinux-kernelmailinglist.
OthercontainertechnologiesincludeSolarisZones(Solaris)BSDjails(FreeBSD)Linux-Vserver(Linux)OpenVZ(Linux)InthedeveloperWorksLinuxzone,findmoreresourcesforLinuxdevelopers(includingdeveloperswhoarenewtoLinux),andscanourmostpopulararticlesandtutorials.
SeeallLinuxtipsandLinuxtutorialsondeveloperWorks.
SELinuxcontainerspolicyCopyrightIBMCorporation2009(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)

美国服务器20G防御 50G防御 688元CN2回国

全球领先的IDC服务商华纳云“美国服务器”正式发售啦~~~~此次上线的美国服务器包含美国云服务器、美国服务器、美国高防服务器以及美国高防云服务器。针对此次美国服务器新品上线,华纳云也推出了史无前例的超低活动力度。美国云服务器低至3折,1核1G5M低至24元/月,20G DDos防御的美国服务器低至688元/月,年付再送2个月,两年送4个月,三年送6个月,且永久续费同价,更多款高性价比配置供您选择。...

Boomer.Host(年付3.5美)休斯敦便宜VPS

Boomer.Host是一家比较新的国外主机商,虽然LEB自述 we’re now more than 2 year old,商家提供虚拟主机和VPS,其中VPS主机基于OpenVZ架构,数据中心为美国得克萨斯州休斯敦。目前,商家在LET发了两款特别促销套餐,年付最低3.5美元起,特别提醒:低价低配,且必须年付,请务必自行斟酌确定需求再入手。下面列出几款促销套餐的配置信息。CPU:1core内存:...

湖北22元/月(昔日数据)云服务器,国内湖北十堰云服务器,首月6折

昔日数据怎么样?昔日数据新上了湖北十堰云服务器,湖北十堰市IDC数据中心 母鸡采用e5 2651v2 SSD MLC企业硬盘 rdid5阵列为数据护航 100G高防 超出防御峰值空路由2小时 不限制流量。目前,国内湖北十堰云服务器,首月6折火热销售限量30台价格低至22元/月。(注意:之前有个xrhost.cn也叫昔日数据,已经打不开了,一看网站LOGO和名称为同一家,有一定风险,所以尽量不要选择...

permissiondenied为你推荐
微盟赔付方案商品房的赔付办法是什么firetrap我淘宝店还是卖二单就被删,怎么回事!mathplayer如何学好理科原代码源代码是什么意思啊psbc.com邮政储蓄卡如何激活曹谷兰曹谷兰事件 有吧友知道吗partnersonline电脑内一切浏览器无法打开www.gogo.com哪种丰胸产品是不含激素的?www.1diaocha.com请问网络上可以做兼职赚钱吗?现在骗子比较多,不敢盲目相信。请大家推荐下woshiheida这个左下角水印woshiheida的gif出处在哪呢?急!!!!!
合租服务器 主机测评网 locvps arvixe 轻博客 英文简历模板word NetSpeeder 搜狗抢票助手 搜狗12306抢票助手 193邮箱 刀片服务器的优势 100m空间 asp免费空间申请 adroit 世界测速 空间合租 百度云1t hdd 卡巴斯基是免费的吗 登陆空间 更多