LXC

Next time I need to play around with a possibly messy web app installation, I'm going to skip KVM and fire up LXC. I tried it recently to test a PostgreSQL migration strategy on my laptop, and setting up a container (even with all the software I needed to download) didn't take much time at all, even with the crappy Internet connection I was on. Cloning the container was really quick and easy, too.

I was surprised to see that Ubuntu's LXC packages come with a fairly wide variety of scripts for installing other Linux distributions inside an LXC container: Arch, Fedora, Debian, OpenSuSE, and a customized Ubuntu install designed for doing cloud stuff. Neat!

Since LXC isn't a full virtualization platform, you can't run a custom kernel, and you don't (yet) have as high a degree of isolation, so a malicious root user in a container is (at least theoretically) a threat to the host system. On the other hand it's a lot more lightweight, since it basically just uses cgroups to present a constrained view of the system to processes inside the container. Arkose uses LXC in a really neat way: it confines programs to limit the damage they can do. I might try that with Google's music uploader, which I want to use but don't entirely trust. I wonder how well it could confine an application that needs 3D? I'd be inclined to do that with Minecraft, especially if mods are involved.
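The "root in a container is a threat to the host" caveat is something you can check from inside the container rather than take on faith. The script below is an added example, not code from this post or from the LXC project, and it assumes only a Linux `/proc` filesystem: it parses `/proc/self/uid_map` (does UID 0 inside map to UID 0 on the host?) and the `CapEff` line of `/proc/self/status` (is CAP_SYS_ADMIN, kernel bit 21, still in the effective set?). The sample file contents embedded in it are constructed, and the three result labels are my own naming, not anything LXC prints.

```shell
#!/bin/sh
# Added example (not part of the original post): a small audit script that
# answers "is root inside this container really root on the host?" from two
# /proc files that LXC, like any Linux container runtime, leaves visible
# inside the container.

# uid_map_kind: classify the text of /proc/<pid>/uid_map.
#   "0 0 4294967295"  -> privileged   (container root == host root)
#   "0 100000 65536"  -> unprivileged (container root is host UID 100000)
#   no line for UID 0 -> unmapped     (root cannot exist in this namespace)
uid_map_kind() {
    printf '%s\n' "$1" | awk '
        NF >= 3 && $1 == 0 {
            kind = ($2 == 0) ? "privileged" : "unprivileged"
            print kind; found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# cap_set MASK BIT: true if capability BIT is set in the hex mask taken from
# a CapEff/CapBnd line.  Bit numbers are the kernel's own (assumed here):
# CAP_NET_ADMIN=12, CAP_SYS_MODULE=16, CAP_SYS_ADMIN=21.
cap_set() {
    mask=$1; bit=$2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# status_field TEXT KEY: pull the value of one "Key:<tab>value" line out of
# the text of /proc/<pid>/status.
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# isolation_report UID_MAP_TEXT STATUS_TEXT: combine the two checks.  Takes
# file contents as arguments so the same function works on live /proc files
# and on the constructed samples below.  Prints one of the (assumed) labels
# host-root, contained-root or unprivileged-root.
isolation_report() {
    kind=$(uid_map_kind "$1")
    capeff=$(status_field "$2" CapEff)
    if [ "$kind" = privileged ] && cap_set "$capeff" 21; then
        echo host-root           # real root with CAP_SYS_ADMIN: worst case
    elif [ "$kind" = privileged ]; then
        echo contained-root      # real root, but CAP_SYS_ADMIN has been dropped
    else
        echo unprivileged-root   # root only inside a user namespace
    fi
}

# Constructed samples (not captured from a real system).
PRIV_MAP='         0          0 4294967295'
UNPRIV_MAP='         0     100000      65536'
FULL_CAPS='Name:	sh
CapEff:	0000003fffffffff
CapBnd:	0000003fffffffff'
TRIMMED_CAPS='Name:	sh
CapEff:	0000003fffdfffff
CapBnd:	0000003fffdfffff'

# Live check: sh isolation_check.sh --live   (run it inside the container)
if [ "${1:-}" = --live ] && [ -r /proc/self/uid_map ]; then
    isolation_report "$(cat /proc/self/uid_map)" "$(cat /proc/self/status)"
fi
```

Run with `--live` inside a container to see where it stands; `host-root` is the case the paragraph above warns about, and the usual mitigations are an unprivileged (user-namespace mapped) container or, failing that, a trimmed capability bounding set in the container config.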

In short, LXC is a really neat piece of technology, and it's fairly easy to use. If you need to try something messy on a Linux system, I absolutely recommend it.