What Linux-on-Linux virtualization technologies provide user isolation? Specifically, I want root in the virtual machine not to have any privilege on the host.
This was not the case for LXC, but was a long-term goal. Is root isolation available in recent versions? If so, which?
Apart from LXC, what is the status of root isolation for OpenVZ, VServer and any other contender?
Most "lightweight" virtualization solutions are more or less based on the chroot-idea - with hidden processes from the "master". I did not see any CERTs about problems there but this does not seem to be what you are searching for.
A Hypervisor approach might be more the direction you are looking for - but I would not count that as "lightweight" (also a PV XEN DomU is pretty fast). Strictly speaking the Dom0 does not start the DomU - it tells the Hypervisor to do so - but there have beens CERTs about priviledge escalation (VMWare ESX and XEN). I don`t know about Hyper-V though.
For a better isolation of user rights - where there is a user-space process spawning an "isolated" VM there is VirtualBox - but again - not lightweight. This is full virtualization, but the VMs can be started as "normal" user. The user has to have access to the underlying disk - and if you want/need to - usb-devices.
Apart from that there is a kernel module for the networking stuff, which seems to work quite well (using DKMS).
