[Lxc-users] LXC in production envivroment
Stéphane Graber
stgraber at ubuntu.com
Thu Sep 13 23:10:48 UTC 2012
On 12-09-13 06:56 PM, Stuart Yoder wrote:
>> I would not use lxc for shared vps setup (like openvz) at this moment
>> due to some unsolved security issues.
>
> I've seen security issues with lxc mentioned in a few places, but nothing
> very specific (one thing specific was something to do with /proc
> filtering). (I've googled a bit, but it's hard to tell what is up to date)
>
> Is there a summary anywhere of potential security issues with LXC?
>
> Stuart
Serge wrote an overview of LXC security when working on Ubuntu 12.04 LTS:
https://wiki.ubuntu.com/LxcSecurity
Most of the points on there have been handled the best way we can by
using apparmor, if you're not using Ubuntu with apparmor, all of these
points are still very real issues.
Some other distros are trying to drop as many capabilities at container
boot time, it's however pretty difficult to get something usable without
having to compromise on some capabilities that essentially would let an
attacker get back to full root.
The way forward is the use of the user namespaces which are still slowly
making their way into the mainline kernel. Once fully implemented, we'll
be able to start LXC containers as non-privileged users (except for some
glue running as root) which will automatically fix all the issues listed
on that wiki page.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20120913/f594f0d4/attachment.pgp>
More information about the lxc-users
mailing list