[Lxc-users] lxc container proc and sysfs ro and not rw?
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Sep 4 14:02:28 UTC 2013
Quoting Andreas Laut (andreas.laut at spark5.de):
> Hi list,
>
> usually lxc containers mount proc and sysfs read-write. With this
> configuration one container can easily kill the host system and all the
> running containers on it. (as both are global)
>
> So we think about mounting proc and sysfs read-only.
> Our test server/container runs smoothly and doesn't show any problems
> until now.
>
> Has someone tested this already or have it in productive use? Why is the
> default to mount both read-write?

Because you're only looking at part of the problem. In your test, did
you prevent root from being able to remount /proc and /sys rw?

In Ubuntu we prevent writing to dangerous /proc and /sys paths using
apparmor, and don't allow mounting proc and sys to anyplace but /proc
and /sys. The same could be done using selinux and smack. You can
also enable user namespaces (see lxc.idmap in lxc.conf manpage) after
which files under /proc and /sys will be owned by users not mapped into
the container's user ns, which will prevent the container writing to
those files.

> Your help and ideas are appreciated,
>
> Regards
> Andreas
>
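
The reply's point that a read-only mount is only part of the answer can be checked from inside a container. The following is an added example, not part of the original thread: it flags proc or sysfs mounted outside /proc and /sys, and read-only mounts that root could still remount because uid 0 is not remapped and holds CAP_SYS_ADMIN. The function names and sample inputs are assumptions constructed for illustration.

```python
# Added example; SAMPLE_* values are constructed. On a live system read
# /proc/self/mountinfo, /proc/self/uid_map and CapEff from /proc/self/status.
CAP_SYS_ADMIN = 21  # capability bit number from linux/capability.h

SAMPLE_MOUNTINFO = """\
75 60 0:40 / /proc ro,nosuid,nodev,noexec,relatime - proc proc rw
76 60 0:41 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""
SAMPLE_UID_MAP_HOST = "0 0 4294967295"   # no user namespace: uid 0 is host uid 0
SAMPLE_UID_MAP_IDMAP = "0 100000 65536"  # uid 0 mapped to an unprivileged host uid
SAMPLE_CAPEFF_FULL = "0000003fffffffff"


def parse_mountinfo(text):
    """Return {mount_point: (fstype, per-mount options)} for proc and sysfs."""
    found = {}
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        if sep and right.split()[0] in ("proc", "sysfs"):
            fields = left.split()
            found[fields[4]] = (right.split()[0], set(fields[5].split(",")))
    return found


def root_is_host_root(uid_map):
    """True when uid 0 inside the namespace maps to uid 0 on the host."""
    for line in uid_map.splitlines():
        inside, outside, count = map(int, line.split())
        if inside == 0 and count > 0:
            return outside == 0
    return False  # uid 0 is not mapped at all


def audit(mountinfo, uid_map, cap_eff_hex):
    """List reasons the /proc and /sys mounts do not contain root."""
    host_root = root_is_host_root(uid_map)
    can_mount = bool((int(cap_eff_hex, 16) >> CAP_SYS_ADMIN) & 1)
    expected = {"proc": "/proc", "sysfs": "/sys"}
    findings = []
    for point, (fstype, opts) in sorted(parse_mountinfo(mountinfo).items()):
        if point != expected[fstype]:
            findings.append(f"{fstype} mounted at unexpected path {point}")
        if host_root and "rw" in opts:
            findings.append(f"{point} is rw and uid 0 is host root")
        elif host_root and can_mount:
            # LSM policy (AppArmor, SELinux, Smack) is not inspected here.
            findings.append(f"{point} is ro, but root can remount it rw")
    return findings


if __name__ == "__main__":
    for uid_map in (SAMPLE_UID_MAP_HOST, SAMPLE_UID_MAP_IDMAP):
        print(uid_map, "->", audit(SAMPLE_MOUNTINFO, uid_map, SAMPLE_CAPEFF_FULL))
```

A finding about a remountable read-only mount still needs to be weighed against the host's AppArmor, SELinux or Smack policy, which this check does not read.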