[Lxc-users] lxc container proc and sysfs ro and not rw?

Andreas Laut andreas.laut at spark5.de
Wed Sep 4 14:28:17 UTC 2013


The funny part is that the container user root isn't able to remount 
proc and sysfs read-write. Tested this already.
We are also looking at common ways like AppArmor and SELinux. :)
But if this quick and dirty thing works, why not use it?

Am 04.09.2013 16:02, schrieb Serge Hallyn:
> Quoting Andreas Laut (andreas.laut at spark5.de):
>> Hi list,
>>
>> usually LXC containers mount proc and sysfs read-write. With this
>> configuration one container can easily kill the host system and all the
>> running containers on it (as both are global).
>>
>> So we are thinking about mounting proc and sysfs read-only.
>> Our test server/container runs smoothly and hasn't shown any problems
>> so far.
>>
>> Has someone tested this already, or has it in productive use? Why is the
>> default to mount both read-write?
> Because you're only looking at part of the problem.  In your test, did
> you prevent root from being able to remount /proc and /sys rw?
>
> In Ubuntu we prevent writing to dangerous /proc and /sys paths using
> apparmor, and don't allow mounting proc and sys to anyplace but /proc
> and /sys.  The same could be done using selinux and smack.  You can
> also enable user namespaces (see lxc.idmap in lxc.conf manpage) after
> which files under /proc and /sys will be owned by users not mapped into
> the container's user ns, which will prevent the container writing to
> those files.
>
>> Your help and ideas are appreciated,
>>
>> Regards
>> Andreas
>>
>> _______________________________________________
>> Lxc-users mailing list
>> Lxc-users at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/lxc-users


-- 

Andreas Laut
Systemadministrator

--

eGENTIC Systems becomes Spark 5!

Four years after the takeover by eGENTIC GmbH we are opening up to the free market again. We position ourselves as a partner of the upper mid-market for web applications.
In the past few years our work was mainly focused on business volume within the eGENTIC group. Now we want to explore free competition and tap new markets once again.
The new name reflects the beginning of a new era of our business development.

--

Spark 5 GmbH
Rheinstr. 97
64295 Darmstadt
Germany

--

Fon: +49-6151-8508-
Fax: +49-6151-8508-111
Mail: andreas.laut at spark5.de
Web: http://www.spark5.de

--

Managing directors (Geschäftsführer):
Dipl. Designer Till Middelhauve
Dipl. Informatiker Witold Wegner
Commercial register: Amtsgericht Darmstadt, HRB 7809

--

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
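The two questions in the exchange above, "are proc and sysfs actually mounted ro?" and "what stops root inside the container from remounting them rw?", can be checked against a container's config file before the container is ever started. The following POSIX shell script is an added example for this page; it is not code from the thread, from LXC or from Ubuntu. It assumes the LXC 0.9/1.0-era config keys (lxc.mount.entry, lxc.cap.drop, lxc.aa_profile, lxc.id_map) and treats three things as a guard against a remount: CAP_SYS_ADMIN dropped (mount(2) fails outright), a user namespace via lxc.id_map (a remount may succeed, but the files under /proc and /sys belong to unmapped host uids, as Serge describes), or an AppArmor profile other than unconfined (mount mediation on Ubuntu kernels, again per Serge). The three sample configs it writes are constructed for this example; the helper names are made up here.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC): audit a container config for
# the two questions raised above, "are proc and sysfs mounted ro?" and "what
# stops container root from remounting them rw?".  Keys are the LXC 0.9/1.0-era
# names (lxc.mount.entry, lxc.cap.drop, lxc.aa_profile, lxc.id_map); the sample
# configs written by write_samples are constructed for this example.

# conf_value CONFIG KEYREGEX -> prints the value of every matching "key = value"
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# mount_opts CONFIG FSTYPE -> options of the first lxc.mount.entry of that type.
# Entry format: <src> <dst> <fstype> <opts> <dump> <pass>
mount_opts() {
    conf_value "$1" 'lxc\.mount\.entry' | awk -v fs="$2" '$3 == fs { print $4; exit }'
}

# remount_guard CONFIG -> prints what blocks a "mount -o remount,rw /proc" by
# container root, or nothing if the config has no such protection.
remount_guard() {
    if conf_value "$1" 'lxc\.cap\.drop' | tr ' ,' '\n\n' | grep -qx sys_admin; then
        echo "CAP_SYS_ADMIN dropped, so mount(2) fails outright"
    elif [ -n "$(conf_value "$1" 'lxc\.id_map')" ]; then
        echo "user namespace (lxc.id_map): /proc and /sys files belong to unmapped host uids"
    else
        aa=$(conf_value "$1" 'lxc\.aa_profile' | head -n 1)
        if [ -n "$aa" ] && [ "$aa" != unconfined ]; then
            echo "AppArmor profile $aa (mount mediation, Ubuntu kernels)"
        fi
    fi
}

# audit_lxc_config CONFIG -> 0 only if proc and sysfs are ro AND a remount guard exists
audit_lxc_config() {
    cfg="$1"; ok=0
    for fs in proc sysfs; do
        opts=$(mount_opts "$cfg" "$fs")
        if [ -z "$opts" ]; then
            echo "$cfg: no lxc.mount.entry for $fs (LXC default is read-write)"; ok=1
            continue
        fi
        case ",$opts," in
            *,ro,*) echo "$cfg: $fs read-only ($opts)" ;;
            *)      echo "$cfg: $fs read-write ($opts)"; ok=1 ;;
        esac
    done
    guard=$(remount_guard "$cfg")
    if [ -n "$guard" ]; then
        echo "$cfg: remount guarded by: $guard"
    else
        echo "$cfg: nothing stops root in the container from remounting rw"; ok=1
    fi
    return $ok
}

# write_samples DIR -> three constructed configs: the stock read-write setup,
# the read-only-only variant from the thread, and read-only plus a user namespace.
write_samples() {
    cat > "$1/rw-default.conf" <<'EOF'
lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0
lxc.aa_profile = unconfined
EOF
    cat > "$1/ro-only.conf" <<'EOF'
lxc.utsname = web2
lxc.rootfs = /var/lib/lxc/web2/rootfs
lxc.mount.entry = proc proc proc nodev,noexec,nosuid,ro 0 0
lxc.mount.entry = sysfs sys sysfs nodev,noexec,nosuid,ro 0 0
lxc.aa_profile = unconfined
EOF
    cat > "$1/ro-userns.conf" <<'EOF'
lxc.utsname = web3
lxc.rootfs = /var/lib/lxc/web3/rootfs
lxc.mount.entry = proc proc proc nodev,noexec,nosuid,ro 0 0
lxc.mount.entry = sysfs sys sysfs nodev,noexec,nosuid,ro 0 0
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
EOF
}

# Usage: audit the three samples; only ro-userns.conf should pass.
samples=$(mktemp -d)
write_samples "$samples"
for f in "$samples"/*.conf; do
    if audit_lxc_config "$f"; then echo "=> $f: OK"; else echo "=> $f: NOT SAFE"; fi
    echo
done
rm -rf "$samples"
```

This only inspects the config, not the running state: it cannot tell whether the host kernel actually enforces the AppArmor profile, and a passing config still deserves the live check Andreas did, i.e. trying `mount -o remount,rw /proc` as root inside the container.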
