[Lxc-users] Network interface isolation
jeetu.golani at gmail.com
Tue May 15 18:07:56 UTC 2012
Hi Serge,
>
> the devices cgroup only prevents access to block and character device
> nodes in the filesystem. (i.e. /dev/loop0 which is block maj 7 minor 0)
>
>
> Plenty. Containers are not root-secure. See
> https://wiki.ubuntu.com/LxcSecurity for starters.
>
Awesome :)....thanks so much :)
Bye for now
Jeetu
ebrain.in | Beehive Computing
Discover and run software from devices around you - share your
software and computing resources. A GPLv3 licensed project.
On Tue, May 15, 2012 at 10:31 PM, Serge Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting jeetu.golani at gmail.com (jeetu.golani at gmail.com):
>> Hi Serge,
>>
>> Thanks for taking the time :)
>>
>> >
>> > Note you can of course just add the network lines to this file by
>> > yourself, you don't have to create a whole new container right now :)
>> >
>>
>> > No, the automatic use of a system lxc.conf is just an ubuntu thing. Can't
>> > really go upstream because it's pretty distro-specific.
>>
>> That explains that :)
>>
>> From my limited knowledge though it seems that lxc.cgroup.devices.deny
>> = a would deny access to all devices and shouldn't this therefore
>> isolate network interfaces in the host from the container? As I
>
> the devices cgroup only prevents access to block and character device
> nodes in the filesystem. (i.e. /dev/loop0 which is block maj 7 minor 0)
>
>> mentioned in spite of this setting my container can see and operate on
>> interfaces in the host. Explicitly adding the network stanza to config
>> as recommended solves that however I'm wondering if this is deliberate
>> by design and if so the rationale behind this - just trying to get a
>> deeper understanding of design considerations of lxc.
>>
>> I'm also concerned that similarly there could be other devices /
>> resources not automatically isolated and that require explicit
>> configuration.
>
> Plenty. Containers are not root-secure. See
> https://wiki.ubuntu.com/LxcSecurity for starters.
>
> -serge
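The two configurations discussed in this thread, written out side by side as an added example (this is not code from the thread, from Serge, or from the LXC project): one relies on `lxc.cgroup.devices.deny = a` alone, the other adds the explicit network stanza. The devices cgroup rules only cover block and character device nodes such as /dev/loop0, so the first container still lives in the host's network namespace; only the `lxc.network.*` stanza gives it a separate one. The small audit function at the end flags configs that lack such a stanza. Assumptions: the LXC 0.7/0.8-era keys named in the thread (`lxc.cgroup.devices.*`, `lxc.network.*`), the bridge name `lxcbr0`, the MAC address, and the scratch directory are all constructed for this example; `lxc.network.type = none` is a later LXC addition meaning "share the host namespace" and is treated as not isolated.

```shell
#!/bin/sh
# Added example, not part of the original thread. Writes two constructed LXC
# configs to a scratch directory and audits them for network isolation.

WORK="${TMPDIR:-/tmp}/lxc-net-audit.$$"   # scratch directory (assumption)
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT                 # cleaned up when the script exits

# Config 1: devices cgroup only. The deny rule covers block/char device nodes
# (e.g. /dev/loop0, block major 7 minor 0), not network interfaces, so the
# container still shares the host's network namespace.
cat > "$WORK/devices-only.conf" <<'EOF'
lxc.utsname = devices-only
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 136:* rwm
EOF

# Config 2: the same device rules plus an explicit network stanza. A network
# type of veth gives the container its own namespace attached to a bridge;
# "empty" would give it a namespace with only loopback.
cat > "$WORK/isolated.conf" <<'EOF'
lxc.utsname = isolated
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:00:00:01
EOF

# lxc_net_isolated CONF
# Returns 0 when the config names a network type that creates a separate
# network namespace (empty, veth, macvlan, vlan, phys), 1 otherwise.
# A missing stanza, or a type of "none", means the host namespace is shared.
lxc_net_isolated() {
    sed -n 's/^[[:space:]]*lxc\.network\.type[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" |
        grep -qx -e empty -e veth -e macvlan -e vlan -e phys
}

# audit_report CONF...
# Prints one line per config, warning where the devices cgroup is the only
# isolation mechanism configured.
audit_report() {
    for conf in "$@"; do
        if lxc_net_isolated "$conf"; then
            printf '%s: own network namespace (lxc.network.type set)\n' "$conf"
        else
            printf '%s: WARNING shares host network namespace; lxc.cgroup.devices.deny does not cover interfaces\n' "$conf"
        fi
    done
}

audit_report "$WORK/devices-only.conf" "$WORK/isolated.conf"
```

Run it as `sh audit.sh`; the first config is reported as sharing the host namespace and the second as isolated. The check deliberately keys on `lxc.network.type` rather than on the devices cgroup lines, since, as the thread points out, the latter say nothing about interfaces.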