[Lxc-users] Lxc and security

Jean-François Leroux leroux.jeanfrancois at gmail.com
Thu Mar 28 11:52:09 UTC 2013


Thanks for this detailed information, Stéphane.
Well, it seems I'm heading towards Ubuntu :-)

Cheers,
JFL
On 27/03/2013 20:14, Stéphane Graber wrote:
> On 03/27/2013 01:49 PM, Jean-François Leroux wrote:
>> Thanks for your input.
>> So basically, if I can define cgroup limits, drop capabilities, etc., I
>> shall have about the same security as with Ubuntu?
>>
>> JFL
> The main addition Ubuntu does to securing apparmor, outside of trying to
> lead the work to get user namespaces, is the apparmor integration.
>
> You won't be able to get safe LXC containers if you don't have apparmor
> support in your kernel and use something based on the apparmor profiles
> we ship in Ubuntu.
>
> Assuming that just using cgroup limits and dropping capabilities will
> give you a secure container is wrong. Until we get user namespaces, you
> need something like apparmor before you can call a container safe.
>
> I'm not sure what the state of apparmor in Debian is nowadays, but last I
> checked, LXC in Debian wasn't shipping with the apparmor integration.
>
>
>> On 27/03/2013 01:32, Fajar A. Nugraha wrote:
>>> On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux
>>> <leroux.jeanfrancois at gmail.com> wrote:
>>>
>>>      Hi all,
>>>      I'm rather new to LXC (although I've been using it for two years now)
>>>      and have some questions about security. I know many of these have been
>>>      discussed in various websites, but I'd like to get advice from real
>>>      users - and many articles I've read may be outdated.
>>>
>>>      1) I've read that lxc wasn't secure because anyone with root access on
>>>      the container might have access to the host. Is it true with ssh access
>>>      (I mean no console)?
>>>
>>>
>>> Distros like Ubuntu overcome that problem using cgroup limits,
>>> capability drop, and apparmor. When set up properly (e.g. created using
>>> the default template with distro-bundled kernel and tools), AFAIK it
>>> should be secure enough.
>>>
>>> Note that the above might not apply on manual installation. For
>>> example, if you install lxc on top of Centos6 with custom kernel and
>>> hand-made container config file.
>>>   
>>>
>>>      2) Which capabilities would you drop for web servers where users have
>>>      www-data access?
>>>
>>>
>>> No idea. The defaults work for me.
>>>   
>>>
>>>      3) What are/would be the dangers of running lxc in production servers?
>>>
>>>
>>> I'd say it's roughly the same "danger" as running your production
>>> servers on top of any virtualization product.
>>>   
>>>
>>>      Many thanks for your input. :-)
>>>
>>>      JFL
>>>
>>>      PS: I'm planning on running lxc (squeeze) containers inside debian
>>>      hosts.
>>>
>>>
>>> I'd suggest Ubuntu instead. It's more integrated and easier. Of course
>>> if you're familiar-enough and know how to make the necessary changes,
>>> any distro will do.
>>>
>>> -- 
>>> Fajar
>>
>>
>> ------------------------------------------------------------------------------
>> Own the Future-Intel® Level Up Game Demo Contest 2013
>> Rise to greatness in Intel's independent game demo contest.
>> Compete for recognition, cash, and the chance to get your game
>> on Steam. $5K grand prize plus 10 genre and skill prizes.
>> Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
>>
>>
>>
>> _______________________________________________
>> Lxc-users mailing list
>> Lxc-users at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/lxc-users
>>
>

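The replies above agree on the three controls that make an Ubuntu-style container "secure enough" (an AppArmor profile, a capability drop list, and a cgroup device whitelist) and warn that a hand-made config may silently lack them. The following audit script is an added example, not code from the thread or from the LXC project: it reads an lxc 0.8/0.9-era container config and reports which of those controls are missing. The config keys (lxc.aa_profile, lxc.cap.drop, lxc.cgroup.devices.deny) are the ones of that era; the list of capabilities treated as required is an assumption modelled on what the Ubuntu template dropped at the time, and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit an LXC container config for the
# AppArmor profile, capability drop list and cgroup device whitelist that the
# Ubuntu template sets up, so a hand-written config can be checked before it
# is used in production.

# Assumption: the set of capabilities the Ubuntu lxc template dropped in 2013.
REQUIRED_CAPS="sys_module mac_admin mac_override sys_time"

# lxc_get FILE KEY: print every value assigned to KEY in an lxc config file,
# one per line (keys such as lxc.cap.drop may appear several times and accumulate).
lxc_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n -e "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//" \
           -e "t print" -e "d" -e ":print" -e "s/[[:space:]]*$//p" "$1"
}

# audit_config FILE: print one line per check; return 0 only if all pass.
audit_config() {
    f=$1
    rc=0

    # 1) AppArmor: a missing key or "unconfined" means no MAC confinement.
    profile=$(lxc_get "$f" lxc.aa_profile | tail -n 1)
    case "$profile" in
        ""|unconfined)
            echo "FAIL: no AppArmor confinement (lxc.aa_profile=${profile:-unset})"
            rc=1 ;;
        *)  echo "ok:   lxc.aa_profile = $profile" ;;
    esac

    # 2) Capability drop: every required capability must appear in some
    #    lxc.cap.drop line (multiple lines are merged here, as lxc does).
    dropped=$(lxc_get "$f" lxc.cap.drop | tr '\n' ' ')
    for c in $REQUIRED_CAPS; do
        case " $dropped " in
            *" $c "*) ;;
            *) echo "FAIL: capability $c is not in lxc.cap.drop"; rc=1 ;;
        esac
    done

    # 3) Device cgroup: "deny = a" must be present so that only the explicit
    #    lxc.cgroup.devices.allow entries are reachable from the container.
    if lxc_get "$f" lxc.cgroup.devices.deny | grep -qx 'a'; then
        echo "ok:   lxc.cgroup.devices.deny = a (device whitelist baseline)"
    else
        echo "FAIL: no 'lxc.cgroup.devices.deny = a' baseline"
        rc=1
    fi
    return $rc
}

# Demo on two constructed configs: one hardened, one hand-made and weak.
hardened=$(mktemp) && weak=$(mktemp)
cat > "$hardened" <<'EOF'
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.aa_profile = lxc-container-default
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = mac_override sys_time
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.memory.limit_in_bytes = 512M
EOF
cat > "$weak" <<'EOF'
lxc.utsname = web2
lxc.rootfs = /var/lib/lxc/web2/rootfs
lxc.aa_profile = unconfined
lxc.cap.drop = sys_module
EOF

echo "== $hardened"; audit_config "$hardened"
echo "== $weak";     audit_config "$weak"
rm -f "$hardened" "$weak"
```

Run it against /var/lib/lxc/NAME/config on the host; a non-zero exit means at least one of the three controls is absent. The script only inspects the config, so it does not confirm that the kernel actually has AppArmor enabled or that the named profile is loaded (aa-status on the host answers that).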