[Lxc-users] Network interface isolation

jeetu.golani at gmail.com jeetu.golani at gmail.com
Tue May 15 18:07:56 UTC 2012


Hi Serge,

>
> the devices cgroup only prevents access to block and character device
> nodes in the filesystem.  (i.e. /dev/loop0 which is block maj 7 minor 0)
>

>
> Plenty.  Containers are not root-secure.  See
> https://wiki.ubuntu.com/LxcSecurity for starters.
>

Awesome :)....thanks so much :)

Bye for now
Jeetu
ebrain.in | Beehive Computing
Discover and run software from devices around you - share your
software and computing resources. A GPLv3 licensed project.
On Tue, May 15, 2012 at 10:31 PM, Serge Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting jeetu.golani at gmail.com (jeetu.golani at gmail.com):
>> Hi Serge,
>>
>> Thanks for taking the time :)
>>
>> >
>> > Note you can of course just add the network lines to this file by
>> > yourself, you don't have to create a whole new container right now  :)
>> >
>>
>> > No, the automatic use of a system lxc.conf is just an ubuntu thing.  Can't
>> > really go upstream because it's pretty distro-specific.
>>
>> That explains that :)
>>
>> From my limited knowledge though it seems that lxc.cgroup.devices.deny
>> = a would deny access to all devices and shouldn't this therefore
>> isolate network interfaces in the host from the container? As I
>
> the devices cgroup only prevents access to block and character device
> nodes in the filesystem.  (i.e. /dev/loop0 which is block maj 7 minor 0)
>
>> mentioned in spite of this setting my container can see and operate on
>> interfaces in the host. Explicitly adding the network stanza to config
>> as recommended solves that however I'm wondering if this is deliberate
>> by design and if so the rationale behind this - just trying to get a
>> deeper understanding of design considerations of lxc.
>>
>> I'm also concerned that similarly there could be other devices /
>> resources not automatically isolated and that require explicit
>> configuration.
>
> Plenty.  Containers are not root-secure.  See
> https://wiki.ubuntu.com/LxcSecurity for starters.
>
> -serge
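
The point Serge makes above (the devices cgroup only governs device nodes; a container with no lxc.network stanza still shares the host's network namespace) can be turned into a quick config audit. The script below is an added example, not code from this thread or from the LXC project. It assumes the 2012-era lxc.network.* / lxc.cgroup.* key syntax, a hypothetical container named "demo", and two constructed config files: the weak one with only lxc.cgroup.devices.deny = a, and the corrected one with the veth stanza the poster added.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread or the LXC project.
# Audits an LXC config for the gap discussed above: "lxc.cgroup.devices.deny = a"
# only blocks block/character device nodes, so a container whose config has no
# lxc.network.* stanza still runs in the host's network namespace and can see
# and operate on the host's interfaces.
set -e

# Normalise a config: drop comments and blank lines, squeeze "key = value"
# into "key=value" so the fields can be split on "=".
lxc_cfg_normalise() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*$//' \
        -e '/^[[:space:]]*$/d' "$1"
}

# Exit 0 if the config requests a private network namespace for the
# container (any lxc.network.type other than "none", including "empty",
# which gives the container its own namespace with only loopback), 1 otherwise.
lxc_has_own_netns() {
    lxc_cfg_normalise "$1" | awk -F= '
        $1 == "lxc.network.type" && $2 != "none" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Exit 0 if the config denies every device node via the devices cgroup.
lxc_denies_all_devices() {
    lxc_cfg_normalise "$1" | awk -F= '
        $1 == "lxc.cgroup.devices.deny" && $2 == "a" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# One-word verdict on network isolation for a config file.
lxc_net_verdict() {
    if lxc_has_own_netns "$1"; then echo own-netns; else echo host-netns; fi
}

# Write config text to a temp file and print its path.
write_cfg() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Constructed sample config (hypothetical container "demo"): denies all
# device nodes but has no network stanza, the situation described in the thread.
WEAK_CFG=$(write_cfg 'lxc.utsname = demo
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm   # /dev/null')

# Same constructed config with the explicit network stanza that fixed it for
# the poster: a veth pair attached to the host bridge lxcbr0.
FIXED_CFG=$(write_cfg 'lxc.utsname = demo
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm   # /dev/null
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up')
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT

for cfg in "$WEAK_CFG" "$FIXED_CFG"; do
    if lxc_denies_all_devices "$cfg"; then dev=denied; else dev=allowed; fi
    echo "$cfg: device nodes $dev, network $(lxc_net_verdict "$cfg")"
done
# To confirm on a running container, run "ip link" inside it: with a shared
# namespace the host's interfaces are listed; with the veth stanza only lo
# and the container's own veth end appear.
```

Both configs deny all device nodes, yet only the second gets its own network namespace; that is exactly the distinction between the devices cgroup and network namespacing that the thread is about. The check keys on lxc.network.type alone because that is what makes lxc-start unshare the network namespace; a devices.deny line says nothing about it.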