canonical / lxd-demo-server

The LXD demo server
https://linuxcontainers.org/lxd/try-it
Apache License 2.0

Whitelist Fedora mirrors #14

Closed techtonik closed 6 years ago

techtonik commented 6 years ago

Being able to execute Fedora in Ubuntu is a killer feature, IMHO. )

But there is nothing to test even if the container started. It comes even without Python. I cannot copy/paste code to prove that, because of #5, but it would be a much better experience being able to install some packages, and for that at least https://mirrors.fedoraproject.org/ should be whitelisted.

stgraber commented 6 years ago

As I mentioned in the linuxcontainers.org issue, Internet access is blocked on purpose for security reasons.

It is possible for someone to create a fedora container or any distro for that matter in the try-it environment and to then get a shell inside it, proving that it does work. Installing packages in there is out of scope and allowing it would be a potential security and legal risk for us.

techtonik commented 6 years ago

But Ubuntu http://archive.ubuntu.com/ works. Why not allow the same with the official Fedora path?

stgraber commented 6 years ago

As mentioned in the other issue, the reason why some servers under ubuntu.com and canonical.com are reachable from try-it is because I'm either the one in charge of those services or I've worked with the sysadmins that do and so in the event that someone is using tryit to attack any of those services, they know what this is and how to reach me.

techtonik commented 6 years ago

But the package service is only used to fetch software. Everything else will be done from the LXD server. It is also possible to pipe bad shellcode to the terminal.

techtonik commented 6 years ago

Or do you mean that LXD can then be used to attack those servers? Then any host can be used to do so.

stgraber commented 6 years ago

Yes, any host can be used to do so, but the problem here is that it's my IP address which would be used for such an attack and so would legally be my responsibility.

techtonik commented 6 years ago

That's not right. Any host can be hacked. Making best known efforts to secure the site should be enough to be clean from accusation.

  1. Whitelist the Fedora mirror, limiting requests by request/second
  2. Get stats about container traffic patterns
  3. Provide a DNS record that allows contacting you (automatically?) in case of DoS or other incident

Why is it not possible?

stgraber commented 6 years ago

It's possible, I just have no intention of doing any of it. I'm the one providing the service and so I get to make the decision on what I find acceptable to allow and what I don't.

This service is provided as a way to try LXD by following a set of step-by-step instructions. Those instructions work perfectly fine with the current network restrictions so there's really no reason to open things up any more than they are today.

techtonik commented 6 years ago

So somebody should take on the task of creating an LXD solution with an explanation of how to secure it and monitor incidents so that it can be deployed as a backend to various online tutorials like Katacoda instead of Docker.