CopyrightIBMCorporation2009TrademarksSecureLinuxcontainerscookbookPage1of12SecureLinuxcontainerscookbookStrengthenlightweightcontainerswithSELinuxandSmackSergeE.
HallynFebruary03,2009Lightweightcontainers,otherwiseknownasVirtualPrivateServers(VPS)orJails,areoftenthoughtofasasecuritytoolsdesignedtoconfineuntrustedapplicationsorusers;butaspresentlyconstructed,thesecontainersdonotprovideadequatesecurityguarantees.
BystrengtheningthesecontainersusingSELinuxorSmackpolicy,amuchmoresecurecontainercanbeimplementedinLinux.
ThisarticleshowsyouhowtocreateamoresecureLinux-Security-Modules-protectedcontainer.
BoththeSELinuxandSmackpolicyareconsideredworksinprogress,tobeimproveduponwithhelpfromtheirrespectivecommunities.
Acommonresponsewhensomeonefirsthearsaboutcontainersis"HowdoIcreateasecurecontainer"ThisarticleanswersthatquestionbyshowingyouhowtouseLinuxSecurityModules(LSM)toimprovethesecurityofcontainers.
Inparticular,itshowsyouhowtospecifyasecuritygoalandmeetitwithboththeSmackandSELinuxsecuritymodules.
ForbackgroundreadingonLinuxContainers,see"LXC:Linuxcontainertools"(developerWorks,February2009).
LinuxcontainersarereallyaconceptualartificebuiltatopseveralLinuxtechnologies:Resourcenamespacesallowthemanipulationoflookupsofprocesses,files,SYSVIPCresources,networkinterfaces,andmore,allinsideofcontainers.
Controlgroupsallowresourcelimitstobeplacedoncontainers.
Capabilityboundingsetslimittheprivilegeavailabletocontainers.
Thesetechnologiesmustbecoordinatedinordertoprovidetheillusionofcontainers.
Twoprojectsalreadyprovidethisfunctionality:LibvirtisalargeprojectthatcancreatevirtualmachinesusingtheXenhypervisor,qemuemulator,andkvm,andalsousinglightweightcontainers.
Liblxcisasmallersetoflibrariesanduserspacecommandswritteninparttohelpkerneldevelopersquicklyandeasilytestthecontainersfunctionality.
developerWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage2of12Because"LXC:Linuxcontainertools"waswrittenusingliblxcasitsfoundation,Iwillcontinuewithliblxchere;however,anythingwedoherecanjustaseasilybedoneusinglibvirt'scontainersupport.
Majorplayer1:LSMBeforewestart,ifyouknowlittleabouttheLSM,hereisaquickreview.
AccordingtotheWikipediaentry:LinuxSecurityModules(LSM)isaframeworkthatallowstheLinuxkerneltosupportavarietyofcomputersecuritymodelswhileavoidingfavoritismtowardanysinglesecurityimplementation.
TheframeworkislicensedunderthetermsoftheGNUGeneralPublicLicenseandisstandardpartoftheLinuxkernelsinceLinux2.
6.
.
.
.
LSMwasdesignedtoprovidethespecificneedsofeverythingneededtosuccessfullyimplementamandatoryaccesscontrolmodule,whileimposingthefewestpossiblechangestotheLinuxkernel.
LSMavoidstheapproachofsystemcallinterpositionasusedinSystracebecauseitdoesnotscaletomultiprocessorkernelsandissubjecttoTOCTTOU(race)attacks.
Instead,LSMinserts"hooks"(upcallstothemodule)ateverypointinthekernelwhereauser-levelsystemcallisabouttoresultinaccesstoanimportantinternalkernelobjectsuchasinodesandtaskcontrolblocks.
.
.
.
Theprojectisnarrowlyscopedtosolvetheproblemofaccesscontroltoavoidimposingalargeandcomplexchangepatchonthemainstreamkernel.
Itisnotintendedasageneral"hook"or"upcall"mechanism,nordoesitsupportvirtualization.
.
.
.
LSM'saccesscontrolgoalisverycloselyrelatedtotheproblemofsystemauditing,butissubtlydifferent.
Auditingrequiresthateveryattemptataccessberecorded.
LSMcannotdeliverthat,becauseitwouldrequireagreatmanymorehooks,soastodetectcaseswherethekernel"shortcircuits"failingsystemcallsandreturnsanerrorcodebeforegettingnearsignificantobjects.
Systemsecurityconsistsoftwosomewhatcontradictorygoals.
Thefirstistoachievecompleteandfine-grainedaccesscontrol.
Ateverypointthatinformationcanbeleakedorcorrupted,youmustbeabletoexertcontrol.
Controlsthataretoocoarseisthesameasbeinguncontrolled.
Forinstance,if(attheextreme)allfilesmustbeclassifiedasonetypeandanyonefilemustbeworld-readable,thenallfilesmustbeworld-readable.
Ontheotherhand,configurationmustalsobesimple,otherwiseadministratorswilloftendefaulttogivingtoomuchaccess(andIcan'temphasizethisenough--thisisthesameasbeinguncontrolled).
Forinstance,ifmakingaprogramworkrequiresthousandsofaccessrules,thenchancesareanadminwillgivetheprogramtoomanyaccessrightsratherthantestingwhethereachaccessrulewasreallyneeded.
ThetwoprimarysecuritymodulesinLinuxeachtakeadifferentviewonhowtohandlethisbalance.
SELinuxbeginsbycontrollingeverythingwhileusinganimpressivepolicylanguagetosimplifypolicymanagement.
Smackisprimarilyconcernedwithprovidingasimpleaccesscontrol.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage3of12Majorplayer2:SELinuxSELinuxisbyfarthemostwell-knownMACsystemforLinux(mandatoryaccesscontrol).
Whileitcertainlystillhasitsdetractors,thefactthatthepopularFedoradistributionhasbeendeployedwithSELinuxenforcingforyearsisatremendoustestamenttoitssuccess.
SELinuxisconfiguredusingamodularpolicylanguagewhichallowsaninstalledpolicytobeeasilyupdatedbyusers.
Thelanguagealsoprovidesinterfaces,allowingmorehigh-levelstatementstobeusedtorepresentacollectionoflow-level"allow"statements.
Inthisarticle,wewillbeusinganewinterfacetodefinecontainers.
Whiletheinterfaceitselfwillbequitelargeduetothemanyaccessrightsyoumustgivethecontainer,usingtheinterfacetocreateanewcontainerwillbeverysimple.
Hopefullytheinterfacecanbecomeapartofthecoredistributedpolicy.
Majorplayer3:SmackSmackistheSimplifiedMandatoryAccessControlKernel.
Itbeginsbylabelingallprocesses,files,andnetworktrafficwithsimpletextlabels.
Newlycreatedfilesarecreatedwiththelabelofthecreatingprocess.
Afewdefaulttypesalwaysexistwithclearlydefinedaccessrules.
Aprocesscanalwaysreadandwriteobjectsofthesamelabel.
PrivilegetobypasstheSmackaccessrulesarecontrolledusingPOSIXcapabilities,soataskcarryingCAP_MAC_OVERRIDEcanoverridetherules;ataskcarryingCAP_MAC_ADMINcanchangetherulesandlabels.
"POSIXfilecapabilities:Parcelingthepowerofroot"(Relatedtopics)demonstratestheseprivileges.
OursecuritygoalInsteadofsimplyblindlyapplyingpolicyandhopingtoendupwithsomethinguseful,let'sbeginbydefiningaclearsecuritygoal.
ThesimplicityofSmackactuallylimitsthegoalswecanachieve,butwe'llpursuethefollowinggoal:1.
CreatecontainerswithsegregatedfilesystemsprovidingWebandsshservices.
2.
Containerswillbeprotectedfromeachother.
Acontainerdesignatedvs1cannotreadfilesownedbyanothercontainervs2orkillitstasks.
3.
Thehostcanprotectitskeyfilesfromcontainers.
4.
TheoutsideworldcanreachtheWebserversandsshserversonthecontainers.
ThegeneralsetupInthisarticlewe'lldotwoexperiments--firstwe'llsetupcontainersprotectedbySELinux,thencontainersprotectedbySmack.
Theexperimentswillsharemuchofthepreliminarysetup.
Youcanusearealmachinetodotheseexperiments,butyoumayfinditeasierormorecomfortingtouseavirtualmachine.
Touseqemuorkvm,youcancreateaharddiskusingqemu-imgcreatevm.
img10G.
BootthevirtualmachinefromCDROMusingacommandlikekvm-hdavm.
img-cdromcdrom.
iso-bootd-m512M.
AgoodchoiceforaCDROMimageistogotofedoraproject.
org/get-fedoraanddownloadaninstallationDVDforFedora10fori386.
SubstitutethefilenameyoudownloadfordeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage4of12cdrom.
isointhepreviouscommand.
Youcanmostlyusetheinstallationdefaults,butmakesuretounselectofficeandproductivityandselectsoftwaredevelopment.
You'llalsowanttoinstallthebridge-utils,debootstrap,andncurses-develrpms,probablyusingtheyumpackagemanager.
Nowyouneedtocompileacustomkernel.
Downloadthekernel-sourcesrpm,patchitwithenable-netns.
patch(seetheDownloadsection)toprovidenetworknamespaces(whichwillbeupstreamasof2.
6.
29butnotinFedora10),changetheconfiguration,thencompletethecompilationandinstallation,byfollowingthefollowinginstructionsasroot:yumdownloader--sourcekernelrpm-ikernel*cdrpmbuildrpmbuild-bcSPECS/kernel-*cdBUILD/kernel-2.
6.
27/linux-2.
6*patch-p1Networkingoptionsmenus).
FortheSmackexperiment,alsogointotheSecurityoptionsmenu,deselectSELinux,andselectthenextoption,Smack.
Youmayalsoneedtoswitchthedefaultbootentryin/boot/grub/grub.
confbackto0insteadof1.
Nowwewanttotryoutliblxc.
"LXC:Linuxcontainertools"describesthebasicusageofliblxcindetail,sowe'llglossoverithere.
Simplyusethecontainer_setup.
shscript(seetheDownloadsection)tosetupthebridgeonwhichcontainernetworkdeviceswilltalk.
Itwillalsoclearyourfirewall,whichbydefaultisn'tsetuptohandlethebridge,aswellassetuptheSmackpolicy(whichwe'llcreatelaterinthefile/etc/smackaccesses)ifyouaredoingtheSmackexperiment.
You'llneedtoruncontainer_setup.
shaftereachrebootorifyouknowhow,makeitrunatbootautomatically.
Nowyourmachineisready!
Let'stryoutliblxc.
Youcandownloadthelatestsourceusingcvsfromlxc.
sf.
netandcompileitusingthefollowing:cvs-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxclogincvs-z3-d:pserver:anonymous@lxc.
cvs.
sourceforge.
net:/cvsroot/lxcco-Plxccdlxc.
/bootstrap&&.
/configure&&make&&makeinstallNowifyoulookattheREADME,you'llseetherearequiteafewoptionsforgettingstarted.
Containerscanbeextremelylightweightbecausetheycansharemanyresourceswithyoursystem--includingthefilesystem.
Butourgoalistoprovidesomesimpleisolationsowewillusethescriptlxc-debiantocreateafulldebianchrootimageforeachcontainer.
Beginbycreatingacontainernamedvsplain:ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage5of12mkdir/vsplaincd/vsplainlxc-debiancreatecontainername:vsplainhostname:vsplainIP10.
0.
2.
20gateway:10.
0.
2.
2Theconfigurationforthiscontainerisstoredunderthedirectory/usr/local/var/lxc/vsplain.
Ifyoulookatthefilecalledcgroup,you'llseesomelinesbeginningwithdevices.
.
Thesearedirectivestothedeviceswhitelistcgroupwhichwillmediatedevicecreation,read,andwritebythecontainer.
Startthiscontainerusingthecommandlxc-start-nvsplain.
You'llbepresentedwithaloginprompt.
Logintothecontainerusingusernamerootwithnopassword.
Finally,whenyourcontainerisupandrunning,youwillwanttoapt-getinstallopenssh-serverapt-getinstallapacheNowyoucansshfromthekvmhosttothecontainerandlookatitsWebpageusing10.
0.
2.
20forvsplain'sipaddressand10.
0.
2.
15forthehost's.
Youcanshutthecontainerdownatanytimefromarootterminalonthekvmhostusingthecommandlxc-stop-nvsplain.
Atthispoint,youmaywanttosaveyourselfsometimebycloningtwonewvirtualmachinesfromthistemplate.
Shutdownyourvmanddo:cpvm.
imgselinux.
imgcpvm.
imgsmack.
imgSELinux-protectedcontainersTheSELinuxpolicyforcontainerswe'llusewillconsistofapolicymodule;themodulehasbeenpostedtorefpolicy--SELinuxReferencePolicydevelopmentmaillist.
Downloadthepolicyintoadirectory/root/vs,intofilescalledvs.
if,vs.
fc,andvs.
terespectively.
Compileandinstallthenewmoduleasfollows:cp-r/usr/share/selinux/devel/usr/share/selinux/vscp/root/vs.
/usr/share/selinux/vs/cd/usr/share/selinux/vsmake&&semodule-ivs.
ppThencreatecontainers/vs1and/vs2usinglxc-debianandrelabeltheirfilesystemsusingdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage6of12mkdir/vs1;cd/vs1lxc-debiancreatecontainername:vs1hostname:vs1address:10.
0.
2.
21gateway:10.
0.
2.
2arch:2(i386)mkdir/vs2;cd/vs2lxc-debiancreatecontainername:vs2hostname:vs2address:10.
0.
2.
22gateway:10.
0.
2.
2arch:2(i386)fixfilesrelabel/vs1fixfilesrelabel/vs2Whenyoustartyourcontainers(forinstancebyusinglxc-start-nvs1),you'lllikelygetafewauditmessagesaboutSELinuxaccessdenials.
Don'tworry--thecontainerstartsupfinewithnetworkservicesenabledandthecontainersarenowisolated.
Ifyouhelpcontainervs1cheatusingmount--bind//vs1/rootfs.
vs1/mntbeforestartingthecontainer,you'llfindthateventhoughyouaretherootuser,ls/mnt/rootwillberefused.
Toseehowthisworks,let'slookatthevs.
ifinterfacefile.
Thisdefinesaninterfacecalledcontainerwhichtakesoneargument,thebasenameforthecontainertodefine.
Thevs.
tefilecallsthisfunctiontwicewiththecontainernamesvs1,vs2.
Intheinterface,$1isexpandedtotheargument,so$1_tbecomesvs1_twhenwecallcontainer(vs1).
(Fromhereonlet'sassumewearedefiningvs1).
Themostimportantlinesarethoseinvolvingvs1_exec_t.
Thecontainerrunsintypevs1_t.
Itentersthistypewhenunconfined_texecutesthecontainer's/sbin/initwhichisoftypevs1_exec_t.
Mostoftherestofthepolicymerelyistheretograntthecontainersufficientprivilegetoaccessbitsofthesystem:networkports,devices,consoles,etc.
Theinterfaceisaslongasitisduetothefine-grainednatureoftheexistingSELinuxreferencepolicy.
Aswe'reabouttosee,theSmack-protectedcontainerwillhaveamuchsimplerpolicy;inreturn,itwillpromisemuchlessflexibleprotectionfrommisbehavingsystemservices.
Thereisonemorethingyouneedtodo.
Youmayhavenotedthatwhilethecontainerisnotabletooverwriteits$1_exec_t,thatis/sbin/init.
Butwhatitcandoissomethinglikemv/sbin/sbin.
bakmkdir/sbintouch/sbin/initTheresulting/sbin/initwillbeoftypevs1_file_t.
WhydoyouthinkthecontaineradminwouldwanttodothisBecauseitwouldlaunchthecontainer,includingthesshdaemon,intheunconfined_tdomain,givinghimaprivilegedshellandallowinghimtoescapetheSELinuxconstraintsweweretryingtoenforce.
Topreventthis,youactuallywanttostartthecontainerthroughacustomscriptandrelabelsbin/inittovs1_exec_tbeforestartingthecontainer.
Infact,youcancopyapristinecopyofinitbackintoibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage7of12thecontainerandrelabelthatifthecontaineradministratordidn'tmind.
Butwe'lljustrelabeltheexistinginit:cat>>/vs1/vs1.
sh>/vs1/vs1.
sh/proc/self/attr/currentlxc-start-nvs1/bin/dropmacadmin/sbin/initEOFchmodu+x/vs1/vs1.
shOnemorethingwillletvs1writetothetmpfsfilesystemitisgoingtomount:sed-i's/defaults/defaults,smackfsroot=vs1,smackfsdef=vs1/'\/vs1/rootfs.
vs1/etc/fstabThiswillcausethetmpfsfilesystemmountedat/dev/shmtocarrythevs1labelsothatvs1canwritetoit.
Otherwise,vs1initscriptswon'tbeabletocreatethe/dev/shm/networkdirectoryituseswhilesettingupthenetwork.
Similarly,ifyouwanttousearam-based/tmp,you'llwantthosesameoptions.
Nowagainlet'shelpvs1cheat.
Createvs2thesamewayyoucreatedvs1,substitutingvs2forvs1ateachstep.
Thenbind-mounttherootfilesystemundervs1's/mnt:mount--bind/vs1/vs1mount--make-runbindable/vs1mount--rbind//vs1/rootfs.
vs1/mntibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage9of12Startthecontainerusingvs1.
sh.
NotethatyoucanstillseetheWebpageonvs1andvs2fromthekvmhost.
Notealsothatvs1cannotaccessvs2overthenetwork.
Italsocan'tlookthroughvs2'sfiles:vs1:~#ls/mnt/(directorylisting)vs1:~#ls/mnt/vs2/rootfs.
vs2ls:/mnt/vs2/rootfs.
vs2:Permissiondeniedvs1:~#mkdir/cgroupvs1:~#mount-tcgroupcgroup/cgroupvs1:~#ls/cgroupls:/mnt/vs3:Permissiondeniedvs1:~#mknod/dev/sda1b81mknod:`/dev/sda1':Operationnotpermittedvs1:~#mount/mnt/dev/sda1/tmpmount:permissiondeniedItcanlookthroughthehostfilesystem.
Anythingwewanttoprotectagainst,wecanlabelwiththehostlabel.
That'swhatwedidwiththecgroupfilesystemwhichiswhyls/cgroupfailed.
Finally,thedeviceswhitelistcgroupispreventingusfromcreatingadiskdevice,aswellasmountingitifitexists(asitdoesthrough/mnt).
Ofcourse,thewaywe'vesetthisup,thecontaineradmincanremove/mnt/dev/sda1,aswellmessupthehostinanynumberofways,sootherthanasdemonstrationthisbindmountisobviouslynotdesirable!
NotethatwhileontheSELinuxsystem,thedefault(andeasy)routewastoallowthecontainerstotalktoeachotheroverthenetwork,theinverseistrueinSmack.
Allowingcontainerstotalktoeachotheriscurrentlyveryhardtodo.
AnabilitytosetlabelsonIPaddressesiscomingsoonthoughandshouldallowustosetuppolicytoallowcontainerstocommunicate.
RelatedtohowwesetupSmacknetworking,wehaveanotherproblem.
Thecommandkill-9-1killseverytaskonthesystem.
Whendonebyataskinacontainer,thisshouldonlykilltasksinthesamecontainer.
Thatbehaviorisnowfixedintheupstreamkernel,butnotintheFedora10kernelweareusing.
Soeverytaskwillbesenta-9signal.
IntheSELinux-protectedcontainers,SELinuxstopsthesignalsfrompassingthecontainerboundary,sokill-9-1isactuallysafe.
ButinSmacktasksbydefaultarelabeled_justasthenetworkis,sosinceweallowedthecontainertowrite_toallowwritingtothenetwork,andsincekillingataskisconsideredawriteaccessbySmack,youarealsoallowingthecontaineradmintokillanytasksonthewholesystem.
Anothershortcoming(whichisalsopresentintheSELinuxcontainers)hastodowithUnix98pseudo-terminals.
Opentwographicalterminals.
Inthefirst,startupvs1andlookunder/dev/pts.
Youwillseeatleasttwoentries,0and1,onebelongingtoeachterminal.
Fromthevs1containeryouareabletowriteintotheentrycorrespondingtotheotherterminal.
WiththeFedorakerneltherearetwosolutions.
Youcanusethedevicewhitelistcgrouptodenythecontainertheabilitytoopenthedevices.
However,thiswillhavetobedonebyhandeachtimethedeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage10of12containerisstartedinordertograntitaccesstoitsterminal;oryoucanachievethesameeffectbyapplyingSELinuxandSmacklabels.
Thenewer2.
6.
29kernelsupportsdevptsnamespaces.
Acontainerwillremount/dev/pts,afterwhichitwillbeunabletoaccessthedevptsentriesbelongingtothehostorothercontainers.
ConclusionThisarticleshowcasedthebasictoolsforcreatingLSM-protectedcontainers,butmuchworkremainstobedone:ForSmack,youmustchoosefilestolabelashost.
ForSELinux,youshouldfine-tuneandthenpushacontainerinterfaceintotheupstreamreferencepolicy.
Whilesuchworkisongoing,anduntilmoreexperienceisgainedwithLSM-protectedcontainers,youshouldnotputallyourtrustinthesemechanismstoprotectagainstanuntrustedrootuser.
Althoughtherearenoestablishedbestpracticesforcreatingcontainersyet(thatIknowof),thereareafewideasworthstartingwith.
First,rememberyouareconsolidatingtwosomewhatcontradictorygoals:Youwanttominimizeduplicationamongcontainers(andthehost)whileneedingtoensureisolation.
Onewaytoachievethesegoalscouldbetocreateasinglefullminimalrootfsinwhichnocontainerrunsandlabelingitatypewhichallcontainerscanread.
Thenuseacustomversionofthelxc-sshdscripttocreateeachactualcontainerbasedontheprototype,creatingread-onlymountsformostofthecontainer'sfilesystemwhileprovidingaprivatewritableplaceforthecontainertostorefiles,saylike/scratch.
Sinceeachcontainerhasaprivatemountsnamespace,itcanbind-mountanyfilesordirectorieswhichitneedstobeprivateand/orwriteablefromitsprivateshareddirectory.
Forinstance,ifitwantsaprivate/lib,itcanmount--bind/scratch/rootfs/lib/lib.
Likewise,theadmincanensurethateverycontainerdoesmount--bind/scratch/shadow/etc/shadowatstartup.
OneclearlimitationoftheapproachIdemonstratedherewithbothSELinuxandSmackisthatthecontaineradministratorcannotexploitLSMtocontrolinformationflowwithinhisowncontainer.
Rather,forsimplicity,alltasksinthecontaineraretreatedthesamebyMACpolicy.
Inanotherarticle,IhopetoexplorehowtoallowcontaineradministratorstospecifytheirownLSMpolicieswithoutallowingthemtoescapetheirowncontraints.
ThismaterialisbaseduponworksupportedbytheDefenseAdvancedResearchProjectsAgencyunderitsAgreementNo.
HR0011-07-9-0002.
AcknowledgmentsCaseySchaufler,theauthorofSmack,helpedingettingtheSmack-protectedcontainerofftheground,andDanWalshwaskindenoughtoprovidefeedbackontheSELinuxpolicy.
ibm.
com/developerWorks/developerWorksSecureLinuxcontainerscookbookPage11of12DownloadableresourcesDescriptionNameSizeCodeforthisarticlecode.
zip3KBdeveloperWorksibm.
com/developerWorks/SecureLinuxcontainerscookbookPage12of12Relatedtopics"LXC:Linuxcontainertools"(developerWorks,February2009)isastep-by-stepguidetocreatingLinuxcontainers.
Therefpolicy--SELinuxReferencePolicydevelopmentmaillistiswhereyou'llfindthepolicymoduleweusedinthisarticle.
"SELinuxfromscratch"(developerWorks,May2006)isadetailedintroductiontoSELinux.
PlanetSELinuxisanaggregationofblogpostsfrommembersoftheSELinuxdevelopmentcommunity.
"Smackforsimplifiedaccesscontrol"(LWN.
net,August2007)isanearlywriteupontheSmacksubmission.
LinuxResourceContainersprojectonSourceForge.
netisarepositoryofcodeforapplicationcontainerimplementationintheLinuxkernel,astagingareaforcodethatmaybesenttothelinux-kernelmailinglist.
OthercontainertechnologiesincludeSolarisZones(Solaris)BSDjails(FreeBSD)Linux-Vserver(Linux)OpenVZ(Linux)InthedeveloperWorksLinuxzone,findmoreresourcesforLinuxdevelopers(includingdeveloperswhoarenewtoLinux),andscanourmostpopulararticlesandtutorials.
SeeallLinuxtipsandLinuxtutorialsondeveloperWorks.
SELinuxcontainerspolicyCopyrightIBMCorporation2009(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
优林怎么样?优林好不好?优林 是一家国人VPS主机商,成立于2016年,主营国内外服务器产品。云服务器基于hyper-v和kvm虚拟架构,国内速度还不错。今天优林给我们带来促销的是国内东北地区哈尔滨云服务器!全部是独享带宽!首月5折 续费5折续费!地区CPU内存硬盘带宽价格购买哈尔滨电信2核2G50G1M53元直达链接哈尔滨电信4核4G50G1M83元直达链接哈尔滨电信8核8G50G1M131元直...
? ? ? ?创梦网络怎么样,创梦网络公司位于四川省达州市,属于四川本地企业,资质齐全,IDC/ISP均有,从创梦网络这边租的服务器均可以****,属于一手资源,高防机柜、大带宽、高防IP业务,另外创梦网络近期还会上线四川联通大带宽,四川联通高防IP,一手整CIP段,四川电信,联通高防机柜,CN2专线相关业务。成都优化线路,机柜租用、服务器云服务器租用,适合建站做游戏,不须要在套CDN,全国访问快...
ZJI发布了9月份促销信息,针对香港华为云线路物理服务器华为一型提供立减300元优惠码,优惠后香港华为一型月付仅450元起。ZJI是原来Wordpress圈知名主机商家:维翔主机,成立于2011年,2018年9月更名为ZJI,提供中国香港、台湾、日本、美国独立服务器(自营/数据中心直营)租用及VDS、虚拟主机空间、域名注册等业务,商家所选数据中心均为国内访问质量高的机房和线路,比如香港阿里云、华为...
permissiondenied为你推荐
蓝瘦香菇被抢注最近玩网络上流传的难受香菇是什么典故网易网盘关闭入口网易网盘 怎么没有了哈利波特罗恩升级当爸哈利波特中的赫敏为什么要喜欢罗恩,不喜欢哈利h连锁酒店连锁酒店有哪些原代码什么叫源代码,源代码有什么作用xyq.163.cbg.com『梦幻西游』那藏宝阁怎么登录?百花百游百花净斑方效果怎么样?同ip站点查询如何查看几个站是不是同IPwww.vtigu.com初三了,为什么考试的数学题都那么难,我最多也就135,最后一道选择,填空啊根本没法做,最后几道大题倒javbibi日文里的bibi是什么意思
海外域名 万网域名查询 高防服务器租用选锐一 免费域名申请 免费动态域名解析 重庆服务器托管 128m内存 tk域名 xen 网页背景图片 qq数据库 嘉洲服务器 台湾谷歌地址 193邮箱 hostloc 吉林铁通 双12 四川电信商城 外贸空间 河南移动梦网 更多