[Lxc-users] Lxc and security

Jean-François Leroux leroux.jeanfrancois at gmail.com
Wed Mar 27 17:49:07 UTC 2013


Thanks for your input.
So basically, if I can define cgroup limits, drop capabilities, etc. I 
shall have about the same security as with Ubuntu?

JFL


On 27/03/2013 01:32, Fajar A. Nugraha wrote:
> On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux 
> <leroux.jeanfrancois at gmail.com> 
> wrote:
>
>     Hi all,
>     I'm rather new to LXC (although I've been using it for two years now)
>     and have some questions about security. I know many of these have been
>     discussed in various websites, but I'd like to get advice from real
>     users - and many articles I've read may be outdated.
>
>     1) I've read that lxc wasn't secure because anyone with root access on
>     the container might have access to the host. Is it true with ssh
>     access
>     (I mean no console)?
>
>
> Distros like Ubuntu overcome that problem using cgroup limits, 
> capability drops, and AppArmor. When set up properly (e.g. created using 
> the default template with the distro-bundled kernel and tools), AFAIK it 
> should be secure enough.
>
> Note that the above might not apply to a manual installation. For 
> example, if you install lxc on top of CentOS 6 with a custom kernel and 
> a hand-made container config file.
>
>     2) Which capabilities would you drop for web servers where users have
>     www-data access?
>
>
> No idea. The defaults work for me.
>
>     3) What are/would be the dangers of running lxc on production servers?
>
>
> I'd say it's roughly the same "danger" as running your production 
> servers on top of any virtualization product.
>
>     Many thanks for your input. :-)
>
>     JFL
>
>     PS: I'm planning on running lxc (squeeze) containers inside debian
>     hosts.
>
>
> I'd suggest Ubuntu instead. It's more integrated and easier. Of course, 
> if you're familiar enough and know how to make the necessary changes, 
> any distro will do.
>
> -- 
> Fajar
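The three controls Fajar names (cgroup limits, capability drops, an AppArmor profile) are all expressed as keys in a container's config file, so the "hand-made config file" risk he mentions can be checked mechanically. The following Python script is an added example, not code from this thread or from the LXC project: it parses a classic (pre-2.1 key names: lxc.cap.drop, lxc.cgroup.*, lxc.aa_profile) container config and reports which of those controls are missing. The two sample configs, the list of capabilities to expect dropped, and the memory-limit check are constructed assumptions for illustration; adapt them to the template your distro ships.

```python
"""Audit an LXC container config for the hardening controls discussed in the thread:
capability drops, cgroup limits (device deny + memory) and an AppArmor profile.
Added example, not LXC project code; key names follow the classic lxc.container.conf
syntax (lxc.cap.drop, lxc.cgroup.*, lxc.aa_profile)."""
from typing import Dict, List, Set

# Assumption: the capabilities a distro template is expected to drop for container root
# (mirrors the set the Ubuntu template used around 2013; extend to taste).
EXPECTED_CAP_DROPS = {"sys_module", "mac_admin", "mac_override", "sys_time"}

# Constructed sample in the style of a distro-template container config.
HARDENED_CONFIG = """
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.aa_profile = lxc-container-default
lxc.cap.drop = sys_module mac_admin mac_override
lxc.cap.drop = sys_time
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.memory.limit_in_bytes = 512M
"""

# Constructed sample: a minimal hand-written config with no hardening at all.
HANDMADE_CONFIG = """
lxc.utsname = web2
lxc.rootfs = /srv/lxc/web2/rootfs
lxc.network.type = veth
"""


def parse_lxc_config(text: str) -> Dict[str, List[str]]:
    """Parse 'key = value' lines; repeated keys accumulate in order of appearance."""
    values: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values.setdefault(key.strip(), []).append(val.strip())
    return values


def dropped_caps(values: Dict[str, List[str]]) -> Set[str]:
    """Accumulate lxc.cap.drop lines; an empty 'lxc.cap.drop =' resets the list
    (assumption based on the documented lxc.container.conf semantics)."""
    caps: Set[str] = set()
    for val in values.get("lxc.cap.drop", []):
        if val == "":
            caps.clear()
        else:
            caps.update(val.split())
    return caps


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means all expected controls are present."""
    values = parse_lxc_config(text)
    findings: List[str] = []

    missing = EXPECTED_CAP_DROPS - dropped_caps(values)
    if missing:
        findings.append("capabilities not dropped: " + ", ".join(sorted(missing)))

    # Without a default device deny, container root can mknod and reach host devices.
    if "a" not in values.get("lxc.cgroup.devices.deny", []):
        findings.append("no default device deny (lxc.cgroup.devices.deny = a)")

    # Assumption: a memory ceiling is the minimum cgroup resource limit worth requiring.
    if not values.get("lxc.cgroup.memory.limit_in_bytes"):
        findings.append("no memory limit (lxc.cgroup.memory.limit_in_bytes)")

    profile = values.get("lxc.aa_profile", [])
    if not profile or profile[-1] == "unconfined":
        findings.append("no AppArmor profile (lxc.aa_profile)")

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("hand-made", HANDMADE_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```

Run it against `/var/lib/lxc/<name>/config` by reading the file into `audit()`; a clean result only means the keys are present, so pair it with a check that the kernel and lxc userspace actually enforce them (AppArmor enabled, cgroup hierarchy mounted), which is the other half of Fajar's "distro-bundled kernel and tools" caveat.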
