[Lxc-users] Lxc and security

Stéphane Graber stgraber at ubuntu.com
Wed Mar 27 19:14:36 UTC 2013


On 03/27/2013 01:49 PM, Jean-François Leroux wrote:
> Thanks for your input.
> So basically, if I can define cgroup.limits, drop capabilities, etc. I
> shall have about the same security as with Ubuntu?
> 
> JFL

The main addition Ubuntu does to securing apparmor, outside of trying to
lead the work to get user namespaces, is the apparmor integration.

You won't be able to get safe LXC containers if you don't have apparmor
support in your kernel and use something based on the apparmor profiles
we ship in Ubuntu.

Assuming that just using cgroup limits and dropping capabilities will
give you a secure container is wrong; until we get user namespaces, you
need something like apparmor before you can call a container safe.

I'm not sure what's the state of apparmor in Debian nowadays but last I
checked, LXC in Debian wasn't shipping with the apparmor integration.


> On 27/03/2013 01:32, Fajar A. Nugraha wrote:
>> On Wed, Mar 27, 2013 at 10:56 AM, Jean-François Leroux
>> <leroux.jeanfrancois at gmail.com>
>> wrote:
>>
>>     Hi all,
>>     I'm rather new to LXC (although I've been using it for two years now)
>>     and have some questions about security. I know many of these have been
>>     discussed in various websites, but I'd like to get advice from real
>>     users - and many articles I've read may be outdated.
>>
>>     1) I've read that lxc wasn't secure because anyone with root access on
>>     the container might have access to the host. Is it true with ssh
>>     access
>>     (I mean no console)?
>>
>>
>> Distros like Ubuntu overcome that problem using cgroups limits,
>> capability drop, and apparmor. When set up properly (e.g. created using
>> default template with distro-bundled kernel and tools), AFAIK it
>> should be secure-enough.
>>
>> Note that the above might not apply on manual installation. For
>> example, if you install lxc on top of Centos6 with custom kernel and
>> hand-made container config file.
>>  
>>
>>     2) Which capabilities would you drop for web servers where users have
>>     www-data access?
>>
>>
>> No idea. The defaults work for me.
>>  
>>
>>     3) What are/would be the danger of running lxc in production servers?
>>
>>
>> I'd say it's roughly the same "danger" as running your production
>> servers on top of any virtualization products.
>>  
>>
>>     Many thanks for your input. :-)
>>
>>     JFL
>>
>>     PS: I'm planning on running lxc (squeeze) containers inside debian
>>     hosts.
>>
>>
>> I'd suggest Ubuntu instead. It's more integrated and easier. Of course
>> if you're familiar-enough and know how to make the necessary changes,
>> any distro will do.
>>
>> -- 
>> Fajar


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
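
The point made in the message above, as an added example that is not part of the original thread or of LXC itself: a small audit that reads a container config and reports when cgroup settings and capability drops are present but AppArmor confinement is not. The sample config and the finding codes are constructed for illustration; `lxc.aa_profile` is the config key used by older LXC releases and `lxc.apparmor.profile` the one used by later releases.

```python
# Added example: audit an LXC config for the three controls named in the thread.
# Constructed sample (not from the thread): cgroup limit and capability drops
# are present, but AppArmor confinement is switched off.
SAMPLE_CONFIG = """\
lxc.utsname = web01
lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = sys_time
lxc.aa_profile = unconfined
"""

def parse_config(text):
    """Return (key, value) pairs in file order, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text):
    """Return finding codes; an empty list means all three controls are set."""
    profile, dropped, has_cgroup = None, set(), False
    for key, value in parse_config(text):
        if key in ("lxc.aa_profile", "lxc.apparmor.profile"):
            profile = value                      # last assignment wins
        elif key == "lxc.cap.drop":
            # An empty value clears the capabilities dropped so far.
            dropped = dropped | set(value.split()) if value else set()
        elif key.startswith("lxc.cgroup."):
            has_cgroup = True
    findings = []
    if profile is None:
        # Confinement then depends on the LXC build and kernel having AppArmor.
        findings.append("apparmor-not-set")
    elif profile == "unconfined":
        findings.append("apparmor-unconfined")
    if not dropped:
        findings.append("no-cap-drop")
    if not has_cgroup:
        findings.append("no-cgroup-settings")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

A clean result only says the three controls are configured; whether the named profile is actually loaded and enforced has to be checked on the host.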
