[Lxc-users] security question
Ulli Horlacher
framstag at rus.uni-stuttgart.de
Fri Aug 19 22:54:03 UTC 2011
On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:
> We've found out that inside of an LXC instance, root can insert/remove modules of the host.
> Is it normal?
> If it is doable, an LXC image may corrupt the host system, which is not good in terms of security.
Put:
lxc.cap.drop = sys_module
to your LXC container config file.
And by the way:
lxc.cap.drop = sys_admin
is also a good idea, to prevent that the container root can modify mount
options, for example set the container filesystem to read-only, which can
effect ALL containers!
--
Ullrich Horlacher Server- und Arbeitsplatzsysteme
Rechenzentrum E-Mail: horlacher at rus.uni-stuttgart.de
Universitaet Stuttgart Tel: ++49-711-685-65868
Allmandring 30 Fax: ++49-711-682357
70550 Stuttgart (Germany) WWW: http://www.rus.uni-stuttgart.de/
More information about the lxc-users
mailing list