[Lxc-users] Network interface isolation

Serge Hallyn serge.hallyn at canonical.com
Tue May 15 17:01:55 UTC 2012


Quoting jeetu.golani at gmail.com (jeetu.golani at gmail.com):
> Hi Serge,
> 
> Thanks for taking the time  :)
> 
> >
> > Note you can of course just add the network lines to this file by
> > yourself, you don't have to create a whole new container right now  :)
> >
> 
> > No, the automatic use of a system lxc.conf is just an ubuntu thing.  Can't
> > really go upstream because it's pretty distro-specific.
> 
> That explains that :)
> 
> From my limited knowledge though it seems that lxc.cgroup.devices.deny
> = a would deny access to all devices and shouldn't this therefore
> isolate network interfaces in the host from the container? As I

the devices cgroup only prevents access to block and character device
nodes in the filesystem.  (i.e. /dev/loop0 which is block maj 7 minor 0)

> mentioned in spite of this setting my container can see and operate on
> interfaces in the host. Explicitly adding the network stanza to config
> as recommended solves that however I'm wondering if this is deliberate
> by design and if so the rationale behind this - just trying to get a
> deeper understanding of design considerations of lxc.
> 
> I'm also concerned that similarly there could be other devices /
> resources not automatically isolated and that require explicit
> configuration.

Plenty.  Containers are not root-secure.  See
https://wiki.ubuntu.com/LxcSecurity for starters.

-serge
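An added illustration of the point made in this exchange (example config, not from the thread or the lxc project): the first file relies on the devices cgroup alone and still shares the host's network namespace; the second adds the network stanza. The bridge name lxcbr0, the container names and paths, and the MAC/IP values are assumed.

```ini
# Added example: two minimal LXC (2012-era syntax) container configs.

# --- file 1: /var/lib/lxc/shared-net/config  (assumed path) ---------------
# lxc.cgroup.devices.deny = a only blocks open/mknod of block and character
# device nodes (e.g. /dev/loop0, block major 7 minor 0).  Network interfaces
# are not device nodes, so with no lxc.network.* lines the container starts
# in the host's network namespace and can see and reconfigure host eth0.
lxc.utsname = shared-net
lxc.rootfs = /var/lib/lxc/shared-net/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm     # /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm     # /dev/zero
lxc.cgroup.devices.allow = c 1:9 rwm     # /dev/urandom
lxc.cgroup.devices.allow = c 5:2 rwm     # /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm   # /dev/pts/*

# --- file 2: /var/lib/lxc/isolated-net/config  (assumed path) -------------
# Any lxc.network.type line gives the container its own network namespace.
# "veth" attaches it to a host bridge (lxcbr0 assumed); "empty" would leave
# it with only a loopback device.
lxc.utsname = isolated-net
lxc.rootfs = /var/lib/lxc/isolated-net/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:00:00:01   # assumed, locally administered
lxc.network.ipv4 = 10.0.3.10/24          # assumed address on lxcbr0

# Check after lxc-start: inside the second container, `ip link` lists only
# lo and eth0 (the container end of the veth pair); inside the first it
# lists every interface the host has.
```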
