[Lxc-users] Lxc and security

Fajar A. Nugraha list at fajar.net
Wed Mar 27 00:32:56 UTC 2013


On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux <
leroux.jeanfrancois at gmail.com> wrote:

> Hi all,
> I'm rather new to LXC (although I've been using it for two years now)
> and have some questions about security. I know many of these have been
> discussed in various websites, but I'd like to get advice from real
> users - and many articles I've read may be outdated.
>
> 1) I've read that lxc wasn't secure because anyone with root access on
> the container might have access to the host. Is it true with ssh access
> (I mean no console)?
>

Distros like Ubuntu overcome that problem using cgroups limits, capability
drop, and apparmor. When setup properly (e.g. created using default
template with distro-bundled kernel and tools), AFAIK it should be
secure-enough.

Note that the above might not apply on manual installation. For example, if
you install lxc on top of Centos6 with custom kernel and hand-made
container config file.


> 2) Which capabilities would you drop for web servers were users have
> www-data access?
>

No idea. The defaults works for me.


> 3) What are/would be the danger of running lxc in production servers?
>
>
I'd say it's roughly the same "danger" as running your production servers
on top any virtualization products.


> Many thanks for your input. :-)
>
> JFL
>
> PS: I'm planning on running lxc (squeeze) containers inside debian hosts.
>
>
I'd suggest Ubuntu instead. It's more integrated and easier. Of course if
you're familiar-enough and know how to make the necessary changes, any
distro will do.

-- 
Fajar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20130327/efc91f3f/attachment.html>


More information about the lxc-users mailing list