[Lxc-users] lxc container proc and sysfs ro and not rw?

Serge Hallyn serge.hallyn at ubuntu.com
Wed Sep 4 14:02:28 UTC 2013


Quoting Andreas Laut (andreas.laut at spark5.de):
> Hi list,
> 
> Usually lxc containers mount proc and sysfs read-write. With this 
> configuration one container can easily kill the host system and all the 
> running containers on it. (as both are global)
> 
> So we think about mounting proc and sysfs read-only.
> Our test server/container runs smoothly and doesn't show any problems 
> until now.
> 
> Has someone tested this already or has it in productive use? Why is the 
> default to mount both read-write?

Because you're only looking at part of the problem.  In your test, did
you prevent root from being able to remount /proc and /sys rw?

In Ubuntu we prevent writing to dangerous /proc and /sys paths using
apparmor, and don't allow mounting proc and sys to anyplace but /proc
and /sys.  The same could be done using selinux and smack.  You can
also enable user namespaces (see lxc.idmap in lxc.conf manpage) after
which files under /proc and /sys will be owned by users not mapped into
the container's user ns, which will prevent the container writing to
those files.

> Your help and ideas are appreciated,
> 
> Regards
> Andreas
> 
> _______________________________________________
> Lxc-users mailing list
> Lxc-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-users
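
An added example, not part of the original message or of LXC: a Python check of the three things the reply names (where proc and sysfs are mounted, whether an LSM profile is enforced, and whether host root is mapped into the user namespace). It takes the contents of /proc/self/mountinfo, /proc/self/uid_map and /proc/self/attr/current as strings; the sample inputs are constructed, and reading the label in AppArmor's "(enforce)" format is an assumption.

```python
def parse_mounts(mountinfo):
    """Yield (fstype, mount_point, read_only) per /proc/self/mountinfo line."""
    for line in mountinfo.strip().splitlines():
        left, right = line.split(" - ", 1)  # "-" separates optional fields from fstype
        fields = left.split()
        yield right.split()[0], fields[4], "ro" in fields[5].split(",")

def host_root_mapped(uid_map):
    """True if host uid 0 appears in the /proc/self/uid_map ranges."""
    for line in uid_map.strip().splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if outside <= 0 < outside + count:
            return True
    return False

def audit(mountinfo, uid_map, lsm_label):
    """Report proc/sysfs mounts that no LSM profile or uid mapping protects."""
    expected = {"proc": "/proc", "sysfs": "/sys"}
    confined = lsm_label.strip().endswith("(enforce)")  # AppArmor label format (assumed)
    userns = not host_root_mapped(uid_map)
    findings = []
    for fstype, point, read_only in parse_mounts(mountinfo):
        if fstype not in expected:
            continue
        if point != expected[fstype]:
            findings.append(f"{fstype} mounted at unexpected path {point}")
        if not (confined or userns):
            state = "read-only with nothing behind it" if read_only else "read-write"
            findings.append(f"{point} is {state}")
    return {"lsm_confined": confined, "userns": userns, "findings": findings}

# Constructed sample inputs (not captured from a real system).
WEAK_MOUNTINFO = """\
90 60 0:40 / / rw,relatime - ext4 /dev/sda1 rw
91 90 0:41 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw
92 90 0:42 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
93 90 0:41 / /mnt/p rw,relatime - proc proc rw
"""
HARDENED_MOUNTINFO = "\n".join(WEAK_MOUNTINFO.splitlines()[:3])
WEAK = (WEAK_MOUNTINFO, "0 0 4294967295", "unconfined")
HARDENED = (HARDENED_MOUNTINFO, "0 100000 65536", "lxc-container-default (enforce)")

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(*sample))
```

The weak sample has /proc and /sys mounted read-only, yet every finding still fires because neither a profile nor a uid mapping stands behind the mount flag.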



