[IPython-dev] Notebook kernels + LXC
Wed Oct 24 21:52:52 CDT 2012
On 10/24/12 11:48 AM, Thomas Kluyver wrote:
> A question on SO  got me thinking again about security in
> multi-user cases. I've read recently about LXC , which provides
> lightweight isolated environments for a set of processes.
> Is there mileage in an option for the notebook server to start each
> kernel in a new LXC container? That would give OS-level limitations on
> what a remote user can do, without the overhead of running full
> virtual machines. I imagine this could be paired with a way to share
> access to a particular notebook or session, so a malicious user
> getting access can only damage files in that project. It could
> probably also be set up so that file access is read-only.
> Of course, I may be on completely the wrong track. But the notebook is
> clearly going to be used in cases where the 'all or nothing' access to
> the underlying system is too coarse. Maybe this is one way to offer
> finer-grained control.
>  http://stackoverflow.com/questions/13044921/prevent-user-del-files-in-ipython-notebook-environment/13053501#13053501
>  http://lxc.sourceforge.net/
The wikipedia article has some interesting links, like:
that indicate that (at least a year ago) things were not finished enough
to be really secure.
might be a good read for ways to isolate processes.
More information about the IPython-dev