<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Thanks for your input.<br>
So basically, if I can define cgroup.limits, drop capabilities,
etc. I shall have about the same security as with Ubuntu ?<br>
<br>
JFL<br>
<br>
<br>
Le 27/03/2013 01:32, Fajar A. Nugraha a écrit :<br>
</div>
<blockquote
cite="mid:CAG1y0sdHU9AZdnmDfKW0eL8YS13Rx0GyQx+egg8cXPw_8P8jTw@mail.gmail.com"
type="cite">
<div dir="ltr">On Wed, Mar 27, 2013 at 10:56 AM, Jean-François
Leroux <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:leroux.jeanfrancois@gmail.com" target="_blank">leroux.jeanfrancois@gmail.com</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
I'm rather new to LXC (although I've been using it for two
years now)<br>
and have some questions about security. I know many of
these have been<br>
discussed in various websites, but I'd like to get advice
from real<br>
users - and many articles I've read may be outdated.<br>
<br>
1) I've read that lxc wasn't secure because anyone with
root access on<br>
the container might have access to the host. Is it true
with ssh access<br>
(I mean no console)?<br>
</blockquote>
<div><br>
</div>
<div style="">Distros like Ubuntu overcome that problem
using cgroups limits, capability drop, and apparmor. When
setup properly (e.g. created using default template with
distro-bundled kernel and tools), AFAIK it should be
secure-enough.</div>
<div style=""><br>
</div>
<div style="">Note that the above might not apply on manual
installation. For example, if you install lxc on top of
Centos6 with custom kernel and hand-made container config
file.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
2) Which capabilities would you drop for web servers were
users have<br>
www-data access?<br>
</blockquote>
<div><br>
</div>
<div style="">No idea. The defaults works for me.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
3) What are/would be the danger of running lxc in
production servers?<br>
<br>
</blockquote>
<div><br>
</div>
<div style="">I'd say it's roughly the same "danger" as
running your production servers on top any virtualization
products.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Many thanks for your input. :-)<br>
<br>
JFL<br>
<br>
PS: I'm planning on running lxc (squeeze) containers
inside debian hosts.<br>
<br>
</blockquote>
<div><br>
</div>
<div style="">I'd suggest Ubuntu instead. It's more
integrated and easier. Of course if you're familiar-enough
and know how to make the necessary changes, any distro
will do.</div>
<div style=""><br>
</div>
<div style="">-- </div>
<div style="">Fajar</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>