[lxc-devel] a newbie question about loading kernel modules in container

cheetah xuwh06 at gmail.com
Sun Jun 17 10:13:33 UTC 2012


Richard, thanks a lot for the clear answer. ;p. Would you recommend openvz
if it is a hostile environment? What is the answer to the above two
questions if it is openvz?

Regards,
Peter

On Sun, Jun 17, 2012 at 6:09 PM, richard -rw- weinberger <
richard.weinberger at gmail.com> wrote:

> On Sun, Jun 17, 2012 at 11:46 AM, cheetah <xuwh06 at gmail.com> wrote:
> > Hi guys,
> >
> > I am a newbie to lxc and preparing to deploy it in my production
> > environment to give each user a container. I have the following two
> > concerns now.
> >
> > 1. Can a user load kernel modules in the guest container without
> > influencing the host kernel or other containers' kernels? As far as I
> > understand, all the lxc containers share the same kernel as the host.
> > So I am wondering if this is possible?
>
> He can if the user is root and has the proper capability.
> But then you are screwed.
>
> > 2. Or how is the container's security isolation? Can I give a user root
> > access in the container? Is there any hack that he/she can use as root in
> > the container to attack the host or other containers?
>
> For now it's not recommended.
> The user namespace is not complete.
> Eric is working on that.
>
> IOW in hostile hosting environments LXC is not a good idea.
> That may change in 3.6.
>
> --
> Thanks,
> //richard
>
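Richard's answer hinges on one thing: a root user inside the container can load a module only if the container's processes still hold the capability that gates `init_module` (CAP_SYS_MODULE), and since the kernel is shared, a loaded module runs with full host privileges. The check below is an added example, not code from this thread or from the LXC project: it reads the `CapEff` line that the kernel writes to `/proc/<pid>/status` (a hex bitmask of capability bits, numbered as in `linux/capability.h`) and reports whether the container's init process still has the capabilities that break the host/guest boundary. The sample status dumps are constructed for the example.

```python
"""Check whether a process (e.g. a container's init) still holds
capabilities that let root in the container reach the shared kernel.

Added example for the lxc-devel thread above; not LXC project code.
It parses the CapEff field of /proc/<pid>/status, which the kernel
prints as a hexadecimal bitmask, one bit per capability.
"""
import re

# Capability bit numbers, as defined in linux/capability.h.
CAP_SYS_MODULE = 16   # needed by init_module()/finit_module()
CAP_SYS_RAWIO = 17    # raw I/O port and /dev/mem style access
CAP_SYS_ADMIN = 21    # catch-all admin capability (mounts, etc.)

# Capabilities a hostile-tenant container should not keep.
RISKY_CAPS = {
    CAP_SYS_MODULE: "sys_module",
    CAP_SYS_RAWIO: "sys_rawio",
    CAP_SYS_ADMIN: "sys_admin",
}


def parse_cap_line(status_text, field="CapEff"):
    """Return the capability bitmask from one field of a /proc/<pid>/status dump."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field), status_text, re.M)
    if m is None:
        raise ValueError("no %s line found in status text" % field)
    return int(m.group(1), 16)


def has_cap(mask, bit):
    """True if capability number `bit` is set in the bitmask."""
    return bool((mask >> bit) & 1)


def risky_caps(mask):
    """Names of the risky capabilities present in the mask, sorted."""
    return sorted(name for bit, name in RISKY_CAPS.items() if has_cap(mask, bit))


def check_pid(pid):
    """Read /proc/<pid>/status on a live Linux host and report risky capabilities."""
    with open("/proc/%d/status" % pid) as f:
        return risky_caps(parse_cap_line(f.read()))


# Constructed sample: a container init left with the full capability set
# (0x3fffffffff covers bits 0..37), as a privileged root in the container would have.
SAMPLE_FULL = (
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
)

# Constructed sample: the same set with bits 16, 17 and 21 cleared,
# i.e. sys_module, sys_rawio and sys_admin dropped before starting init.
SAMPLE_DROPPED = (
    "Name:\tinit\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffdcffff\n"
    "CapEff:\t0000003fffdcffff\n"
)


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on this host's PID 1 if available.
    for label, text in (("full", SAMPLE_FULL), ("dropped", SAMPLE_DROPPED)):
        print("%-8s risky capabilities: %s" % (label, risky_caps(parse_cap_line(text))))
    try:
        print("pid 1    risky capabilities: %s" % check_pid(1))
    except OSError as e:
        print("could not read /proc/1/status: %s" % e)
```

Run it inside the container (or against the container init's host PID) after start-up: an empty list for `sys_module` means the kernel will refuse `init_module` with EPERM no matter what uid the caller has. The LXC knob that produces the "dropped" state is the `lxc.cap.drop` setting in the container config (for example `lxc.cap.drop = sys_module sys_rawio sys_admin`); note that this narrows what root can do but, as Richard says, does not substitute for a complete user namespace.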