[Lxc-users] Usability of LXC containers as security containers?

Serge Hallyn serge.hallyn at canonical.com
Thu Jan 17 14:36:35 UTC 2013


Quoting Michael Holmes (holmesmich at gmail.com):
> Hello,
> 
> I've read some older posts on the internet that suggested that the current
> state of LXC at the time rendered LXC unsuitable for use as security
> containers. Is this still the case? I'm interested in migrating a server
> from FreeBSD which currently uses a similar setup with jails for app
> isolation.

We're just about at the stage where you can use seccomp, LSM
(apparmor for now, waiting on selinux), user namespaces and
cgroups all together to restrict workloads.  Full system
containers will want a lot of syscalls meaning the seccomp
restrictions will mainly be useful in restricting the compat_
syscalls (which tend to be problematic, so that's still useful),
but for app isolation in particular you should definitely be
able, with proper configuration, to very strongly protect the
host from the app.

-serge
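
Added example, not part of the original message and not LXC's own code: a small audit that reads a container config and reports which of the four layers named in the reply (seccomp, LSM, user namespaces, cgroups) are actually configured. The sample config is constructed, the function names are hypothetical, and the key names are the LXC config keys in both their current and older 1.x spellings.

```python
# Constructed sample container config (not from the original post).
SAMPLE_CONFIG = """\
lxc.uts.name = app1
lxc.apparmor.profile = unconfined
lxc.seccomp.profile = /etc/lxc/app1.seccomp
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
# lxc.cgroup.memory.limit_in_bytes = 512M
"""

# Config keys per layer: current LXC names first, older 1.x names after.
LAYER_KEYS = {
    "seccomp": ("lxc.seccomp.profile", "lxc.seccomp"),
    "lsm": ("lxc.apparmor.profile", "lxc.aa_profile",
            "lxc.selinux.context", "lxc.se_context"),
    "userns": ("lxc.idmap", "lxc.id_map"),
}
CGROUP_PREFIXES = ("lxc.cgroup.", "lxc.cgroup2.")
# cgroup keys that only place the container in the hierarchy, no limits.
NON_LIMIT = ("lxc.cgroup.dir", "lxc.cgroup.relative")

def parse_config(text):
    """Return (key, value) pairs, skipping blank lines and '#' comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text):
    """Map each layer to 'ok', 'missing', or the reason it is ineffective."""
    pairs = parse_config(text)
    result = {}
    for layer, keys in LAYER_KEYS.items():
        values = [v for k, v in pairs if k in keys and v]
        result[layer] = "ok" if values else "missing"
        if layer == "lsm" and "unconfined" in values:
            result[layer] = "disabled: profile is unconfined"
        for v in values if layer == "userns" else ():
            f = v.split()  # "<u|g|b> <container id> <host id> <range>"
            if len(f) == 4 and f[1] == "0" and f[2] == "0":
                result[layer] = "weak: container root maps to host id 0"
    result["cgroups"] = "ok" if any(
        k.startswith(CGROUP_PREFIXES) and not k.startswith(NON_LIMIT) and v
        for k, v in pairs) else "missing"
    return result

if __name__ == "__main__":
    for layer, status in audit(SAMPLE_CONFIG).items():
        print(f"{layer:8} {status}")
```

This is a presence check only: it does not read the seccomp policy or the AppArmor profile it finds referenced, so "ok" means the layer is switched on, not that its policy is tight.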