Containerization on Linux

After doing a presentation on asylum for a local tech company, I was presented with the question "do you have anyone using this project or is it just a personal project?". After saying "no", I realized that while I had a couple of people use my code as reference material, unfortunately I had no users other than myself. Not being one to seek the approval of others for my tinkering, I dismissed this question as nothing more than a future TODO item.

With the announcement of Docker I realized that this TODO item had been at the back of my mind for nearly 3 years, and after seeing the response on Hacker News I came to the realization that this is actually a useful project and that having it just sitting on blitz.works, only being viewed by bots, was not productive.

With everything going on I decided to add the talks and the demo scripts to the repository and finally sign up for an account on PyPI and publicly list the code. With this I hope to ride on the coattails of the docker.io announcement and get some more visibility for the project. Luckily for me there appear to be few projects in this space (keywords: containerization, OpenVZ, LXC, virtualisation).

I am hoping to see more people using the project and asking for features. If I get people submitting patches then I would be happy with that; however, my primary aim is to make things simpler for people.

The Linux kernel has rapidly changed since I started this project, and nearly all the parts required to start a container on Linux have since been merged, with the remaining core features due to come out in the 3.9 Linux kernel (user namespaces). With this it should be possible to launch a container without becoming root. This is the primary reason for the lack of updates and patches coming in small bursts.

What does this mean for asylum? Well, it means I need to catch up. The current code works for launching containers for all existing namespaces (IPC, Mount, PID, UTS and Net), and the UID namespace is already wired up; however, asylum was about more than just enabling these modules. cgroups, rlimits, seccomp and other Linux security subsystems need to be wired up so that we can have not just containers under Linux but secure, isolated containers that are unable to affect the security of other services and programs not inside the container.
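A way to check which of those namespaces a contained process has actually left, as an added example that is not asylum's code: it compares the `/proc/<pid>/ns` links of a host process and a contained one and lists every namespace still shared. The function names and the sample inode numbers are constructed for illustration.

```python
import os
import re

# Namespaces named in the post (IPC, Mount, PID, UTS, Net) plus the user
# namespace, keyed by their entry names under /proc/<pid>/ns on Linux.
REQUIRED = {"ipc": "IPC", "mnt": "Mount", "pid": "PID",
            "uts": "UTS", "net": "Net", "user": "User"}
NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def read_ns_links(pid, names=REQUIRED):
    """Read the namespace symlink targets of a live process (Linux only)."""
    links = {}
    for name in names:
        try:
            links[name] = os.readlink(f"/proc/{pid}/ns/{name}")
        except FileNotFoundError:
            pass  # kernel without this namespace type: reported as not isolated
    return links


def ns_inodes(links):
    """Turn {'pid': 'pid:[4026531836]'} into {'pid': 4026531836}."""
    inodes = {}
    for name, target in links.items():
        m = NS_LINK.match(target)
        if m is None or m.group(1) != name:
            raise ValueError(f"unexpected namespace link {name}: {target!r}")
        inodes[name] = int(m.group(2))
    return inodes


def shared_namespaces(host_links, container_links, required=REQUIRED):
    """Labels of required namespaces the container still shares with the host.

    A namespace absent from the container's links is listed as well, since
    it cannot be shown to be isolated.
    """
    host, cont = ns_inodes(host_links), ns_inodes(container_links)
    return sorted(label for name, label in required.items()
                  if name not in cont or cont[name] == host.get(name))


# Constructed sample: inode numbers are made up for illustration.
HOST = {n: f"{n}:[{4026531835 + i}]" for i, n in enumerate(REQUIRED)}
CONTAINER = {n: f"{n}:[{4026532200 + i}]" for i, n in enumerate(REQUIRED)}
CONTAINER["net"] = HOST["net"]    # network namespace never unshared
CONTAINER["user"] = HOST["user"]  # user namespace never unshared

if __name__ == "__main__":
    print(shared_namespaces(HOST, CONTAINER))
```

On a live system, pass `read_ns_links(1)` and `read_ns_links(<container pid>)` to `shared_namespaces`; reading another user's process links needs sufficient privileges.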

The other item that needs to be completed and polished is the config file support, so that things such as having asylum premount all the filesystems for your container can be done by simply specifying them in the config file.

The only release blocker I am concerned about at the moment is getting the network interfaces up and running (TODO File here) and getting some documentation for the user on usage done with Sphinx. Once this is done I think a v1.0 release is in order, and I can then look at building a management daemon of sorts to make things like reattaching to a running session a lot nicer.

If you are interested, take a look at the code online and take it for a test drive. Almost all the information you need should be in the README file, as well as contact info, and if you have any questions feel free to contact me here or join the chat room here.