[klaruz]

"LXC used as a container for all dynos running on Celadon Cedar"

Has anybody published a complete SELinux or SMACK policy to use LXC with untrusted users? Last I checked LXC wasn't fully ready yet.

[peregrinari]

Very interested to hear this as well. Anyone from Heroku can comment?

[mmcgrana]

LXC is one of several isolation layers used in the Heroku dyno manifold to ensure process security and resource guarantees. Here is a more in-depth discussion of Heroku dyno isolation: http://devcenter.heroku.com/articles/dyno-isolation.

[klaruz]

So LXC is fully secure now if you stick to chroot?

http://www.mail-archive.com/lxc-users@lists.sourceforge.net/...

[shykes]

You can't contain root in lxc. It's great for unprivileged users, though.