[Lxc-users] Lxc and security
Jean-François Leroux
leroux.jeanfrancois at gmail.com
Wed Mar 27 17:49:07 UTC 2013
Thanks for your input.
So basically, if I can define cgroup limits, drop capabilities, etc., I
shall have about the same security as with Ubuntu?
JFL
On 27/03/2013 01:32, Fajar A. Nugraha wrote:
> On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux
> <leroux.jeanfrancois at gmail.com> wrote:
>
> Hi all,
> I'm rather new to LXC (although I've been using it for two years now)
> and have some questions about security. I know many of these have been
> discussed in various websites, but I'd like to get advice from real
> users - and many articles I've read may be outdated.
>
> 1) I've read that lxc wasn't secure because anyone with root access on
> the container might have access to the host. Is it true with ssh
> access
> (I mean no console)?
>
>
> Distros like Ubuntu overcome that problem using cgroups limits,
> capability drop, and apparmor. When setup properly (e.g. created using
> default template with distro-bundled kernel and tools), AFAIK it
> should be secure-enough.
>
> Note that the above might not apply on manual installation. For
> example, if you install lxc on top of Centos6 with custom kernel and
> hand-made container config file.
>
> 2) Which capabilities would you drop for web servers where users have
> www-data access?
>
>
> No idea. The defaults work for me.
>
> 3) What are/would be the dangers of running lxc in production servers?
>
>
> I'd say it's roughly the same "danger" as running your production
> servers on top of any virtualization products.
>
> Many thanks for your input. :-)
>
> JFL
>
> PS: I'm planning on running lxc (squeeze) containers inside debian
> hosts.
>
>
> I'd suggest Ubuntu instead. It's more integrated and easier. Of course
> if you're familiar-enough and know how to make the necessary changes,
> any distro will do.
>
> --
> Fajar
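Added illustration, not part of the thread: an LXC container config fragment showing what the three controls Fajar names (capability drop, cgroup limits, AppArmor confinement) look like in the key = value syntax LXC used in 2013. The capability list and device whitelist follow the Ubuntu template defaults of that era; the memory and CPU figures are assumed sample values, not a recommendation from the list.

```ini
# Capabilities dropped from every process in the container, so a root
# shell inside it cannot load kernel modules, change MAC policy, or set
# the host clock (Ubuntu template defaults of the time).
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# AppArmor profile applied to the container's init and its children;
# it blocks writes to most of /proc and /sys even for container root.
lxc.aa_profile = lxc-container-default

# Device cgroup: deny everything first, then whitelist the handful of
# character devices a container actually needs.
lxc.cgroup.devices.deny = a
# /dev/null and /dev/zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/random and /dev/urandom
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
# console, /dev/tty, pts and ptmx
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm

# Resource cgroups so one container cannot starve the host or its
# neighbours (assumed sample values: 512 MiB RAM, half the default CPU share).
lxc.cgroup.memory.limit_in_bytes = 536870912
lxc.cgroup.cpu.shares = 512
```

Fajar's caveat applies here too: these keys only take effect when the host kernel has the cgroup and AppArmor support enabled, which a distro-bundled kernel provides and a custom one may not.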