[svlug] segregate GUI rubbish was: Migration to Debian

Ivan Sergio Borgonovo mail at webthatworks.it
Tue Jan 6 17:53:26 PST 2015


On 01/07/2015 02:01 AM, Scott DuBois wrote:
> On Mon, Jan 05, 2015 at 12:43:33PM +0100, Ivan Sergio Borgonovo wrote:
>>
>> I just walked into this while I was trying to remember how lxc works:
>> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>>
>> lxc had (and maybe still has) its containment problems, but it is very
>> light, and fast to set up, start and clone, being a container, and it could
>> really come in handy for your use case.
>> Acroread has an awful security history, and e.g. skype pollutes your system
>> with i386 dependencies that are anachronistic on a Linux system and that
>> may keep back updates that you may find interesting once you move to sid.

> Yes, unfortunately I had to install _all_ that i386 bs to get acroread to fly.
> It might have been more worth it to just install all of it on a disposable VM.

lxc is very, very light. You can keep an instance always running, and
unless you started a lot of daemons inside, you'll hardly notice you're
running a container.
Even launching an instance "on demand" is very fast compared to a VM
(especially if you're running systemd <g>) since the kernel is already
loaded.

As I anticipated, the level of containment is/was a bit "faulty" since
lxc is relatively new. This is more true if you're running on stable,
where there are higher chances that the version included still suffers
from some of those problems.

I really don't care that much, I mostly use lxc to do tests, not for
containment.
Anyway, if you're not interesting enough to make yourself a "Tailored Access
Operation" target, or as boring as a Sony high-level executive [1], I
think the stuff that automatically crawls the internet in search of
victims will be much busier with lower-hanging fruit.

> That way, I keep my 'base' system clean of all that 'nastyware' and put the
> disposable VM's to good use (as containers).

Having i386 packages around is a pain if you're on sid, since, well, sid is
unstable and sometimes you may actually find some bugs in newer
packages, which you can generally easily "fix" by downgrading.
Sometimes i386 packages hold you back from updating to a newer version that
could resolve those bugs for longer.

[1]
http://sony.attributed.to/

http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it