[Lxc-users] Network interface isolation
Serge Hallyn
serge.hallyn at canonical.com
Tue May 15 17:01:55 UTC 2012
Quoting jeetu.golani at gmail.com (jeetu.golani at gmail.com):
> Hi Serge,
>
> Thanks for taking the time :)
>
> >
> > Note you can of course just add the network lines to this file by
> > yourself, you don't have to create a whole new container right now :)
> >
>
> > No, the automatic use of a system lxc.conf is just an ubuntu thing. Can't
> > really go upstream because it's pretty distro-specific.
>
> That explains that :)
>
> From my limited knowledge though it seems that lxc.cgroup.devices.deny
> = a would deny access to all devices and shouldn't this therefore
> isolate network interfaces in the host from the container? As I
the devices cgroup only prevents access to block and character device
nodes in the filesystem. (i.e. /dev/loop0 which is block maj 7 minor 0)
> mentioned in spite of this setting my container can see and operate on
> interfaces in the host. Explicitly adding the network stanza to config
> as recommended solves that however I'm wondering if this is deliberate
> by design and if so the rationale behind this - just trying to get a
> deeper understanding of design considerations of lxc.
>
> I'm also concerned that similarly there could be other devices /
> resources not automatically isolated and that require explicit
> configuration.
Plenty. Containers are not root-secure. See
https://wiki.ubuntu.com/LxcSecurity for starters.
-serge
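The two configurations this exchange contrasts, side by side, as an added example that is not part of the thread or of LXC itself: a container whose devices cgroup is locked down with `lxc.cgroup.devices.deny = a` but which has no network stanza (and therefore still lives in the host's network namespace), and the same container with an explicit `lxc.network.type = veth` stanza. The small checker script around them is hypothetical; the config keys `lxc.cgroup.devices.deny`, `lxc.cgroup.devices.allow`, `lxc.network.type`, `lxc.network.link`, `lxc.network.flags` and `lxc.network.name` are the 0.7/0.8-era LXC names, the container name `web1` and bridge `lxcbr0` are assumed, and the treatment of `lxc.network.type = none` as "not isolated" reflects later LXC releases rather than anything stated on this page. The newer `lxc.net.0.*` key spelling is not handled.

```shell
#!/bin/sh
# lxc-netcheck: hypothetical config linter written for this thread, not an
# LXC tool.  It reads an LXC 0.7/0.8-style container config and reports
# whether the container will get its own network namespace.
#
# Background (from Serge's answer): lxc.cgroup.devices.* only controls
# access to block/char device nodes (e.g. /dev/loop0, block major 7 minor 0);
# network interfaces are not device nodes, so "deny = a" says nothing about
# them.  LXC only unshares the network namespace when an lxc.network.type
# stanza is present.  Without one the container shares the host's netns
# and can see and operate on host interfaces.

# Print every lxc.network.type value in the config, comments stripped,
# whitespace around '=' tolerated.
net_types() {
    sed -e 's/#.*//' "$1" |
        awk -F= '$1 ~ /^[ \t]*lxc\.network\.type[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# True (exit 0) if the container gets its own network namespace: at least one
# lxc.network.type other than "none".  ("none", in later LXC releases, means
# "share the host's namespace", so it counts as not isolated; an assumption
# about later versions, not something this thread states.)
network_isolated() {
    net_types "$1" | grep -qv '^none$'
}

# True if the config carries the deny-all devices cgroup rule.
devices_denied() {
    sed -e 's/#.*//' "$1" |
        grep -q '^[ \t]*lxc\.cgroup\.devices\.deny[ \t]*=[ \t]*a[ \t]*$'
}

report() {
    if devices_denied "$1"; then
        echo "devices cgroup: deny-all present (covers device nodes only)"
    else
        echo "devices cgroup: no deny-all rule"
    fi
    if network_isolated "$1"; then
        echo "network: isolated (lxc.network.type = $(net_types "$1" | tr '\n' ' '))"
    else
        echo "network: SHARED with host; container can see and operate on host interfaces"
    fi
}

# --- constructed sample configs (assumed container name web1, bridge lxcbr0) ---
TMPD=$(mktemp -d)
WEAK_CFG=$TMPD/weak.conf
FIXED_CFG=$TMPD/fixed.conf

# Weak: devices cgroup locked down, but no network stanza, so the netns is
# still the host's.  This is the configuration the question describes.
cat > "$WEAK_CFG" <<'EOF'
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
# deny all device nodes, then allow a handful back
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
EOF

# Fixed: same cgroup rules plus an explicit network stanza.  LXC now creates a
# separate netns with a veth pair bridged to lxcbr0; host interfaces are gone
# from the container's view.  (lxc.network.type = empty would also isolate,
# leaving only loopback.)
cat > "$FIXED_CFG" <<'EOF'
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.name = eth0
EOF

echo "== $WEAK_CFG";  report "$WEAK_CFG"
echo "== $FIXED_CFG"; report "$FIXED_CFG"

# On a live host the same question is answered by looking at the namespaces
# rather than the config: "ip link" inside the container listing the host's
# interfaces, or identical output from
#   readlink /proc/1/ns/net                       (on the host)
#   readlink /proc/<container init pid>/ns/net    (for the container)
# both mean one shared network namespace.
```

The check is deliberately config-only so it can be run against a container before it is started, which is where the surprise in the question comes from: a config that looks locked down because of the cgroup lines but never asks for a network namespace at all.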