Re: [tlug] Dealing with software with wide attack surface

On Tue, Sep 07, 2021 at 10:58:22PM +0900, Curt J. Sampson wrote:
> The core of containerisation, which you didn't mention, is simply
> being able to configure processes to have different views of the
> system. This is a pretty old idea (...)

As far as Linux and the concept of "chroot() with more advanced
unsharing of resources" goes, which arguably was present in many
enterprise-class operating systems well before it arrived in Linux,
VServer [1] deserves to be mentioned, which was one of the first
attempts to make the concept work on Linux but got superseded by
other implementation directions. It still exists as franken-patches
delivered by a single remaining active maintainer and a group of user
enthusiasts who cling to the old ways.

I mention this because one hosting company I did work for some time ago
switched to containers on Linux w/ VServer before containers were cool
--- ending up having to support a server and service landscape based on
pretty much unsupported code, having to patch and build kernels manually
to keep it working instead of using distro upstream kernels, that is,
supporting it for a fortune (in work). Debian keeping this legacy way
too long in its repos was partly to blame for that.

The current (relatively good) state of containers on Linux
is a relief in many ways compared to "that".
