[lxc-users] Network isolation in unprivileged containers

Fajar A. Nugraha list at fajar.net
Tue Oct 20 11:22:57 UTC 2015


On Tue, Oct 20, 2015 at 6:11 PM, Akshay Karle <akshay.a.karle at gmail.com>
wrote:

> It would help to know, what level of isolation you're thinking about?
>> What is the final end goal?
>>
>
> I'm currently looking at ways to prevent any container from having the
> ability to discover other containers in the network and sniff their packets
> sent, which if sent over an unencrypted protocol (http for example) might
> be harmful as it could expose data.
>
>
"Discover" and "sniff other container's packets" are two different things.

For example, on a routed setup where each container gets a /32 address,
they can still ping each other (thus discovering the others exist), but
they can't sniff traffic other than their own.



> I'm now considering setting up iptable rules on the host to achieve this
> but don't have much experience with iptables so will do my research now to
> see what is needed to setup the right iptable rules.
>
>
You mentioned you tried creating bridges for each container?

Combine that with direct /32 routing and proxyarp, and you pretty much
confine each container to their own /32 address space. They will not be
able to sniff other containers' traffic. They won't even be able to use
another IP address other than the one assigned to them.

I believe there was also a similar-resulting technique with openvswitch(?)
discussed some time ago on this list. Perhaps you can find it on the list
archives; I don't have the link handy right now.

-- 
Fajar
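The per-container bridge plus /32 routing and proxy ARP setup described in the reply above, written out as an added example (this is not from the post or from the LXC project). It assumes a host uplink called `eth0`, a shared gateway address `10.0.0.1` on every per-container bridge, a container named `web` at `10.0.0.50`, and LXC 1.x `lxc.network.*` config keys; all of these are constructed placeholders. `DRY_RUN=1` records the host commands instead of running them, so the functions can be inspected without root.

```sh
#!/bin/sh
# Added example: host-side setup for a routed /32 per container, one bridge each.
# Assumed names: uplink eth0, gateway 10.0.0.1, container "web" at 10.0.0.50.
set -eu

# Run a host command, or append it to $CMDLOG when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*" >> "${CMDLOG:-/dev/stdout}"
    else
        "$@"
    fi
}

# setup_container_net <container> <container-ip> <uplink-if> [gateway-ip]
# One bridge per container carrying only that container's veth, a /32 host
# route into the bridge, and proxy ARP on the uplink so the upstream LAN can
# reach the container's address through the host. Because the container's
# link holds only its own /32, it sees no other container's frames.
setup_container_net() {
    c=$1; ip_addr=$2; uplink=$3; gw=${4:-10.0.0.1}
    br="br-$c"
    run ip link add name "$br" type bridge
    run ip link set "$br" up
    run ip addr add "$gw/32" dev "$br"              # same gateway IP on every bridge
    run ip route add "$ip_addr/32" dev "$br"        # host route to this container only
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$uplink.proxy_arp=1"  # answer ARP for container IPs upstream
    run sysctl -w "net.ipv4.conf.$br.proxy_arp=1"      # host answers ARP for anything the container asks
}

# container_net_config <container> <container-ip> [gateway-ip]
# Prints the LXC 1.x config snippet for the container side. The container
# gets a /32 and a gateway that is not on-link; LXC 1.x adds a host route to
# the gateway before installing the default route (assumption about your
# LXC version; check `ip route` inside the container).
container_net_config() {
    c=$1; ip_addr=$2; gw=${3:-10.0.0.1}
    printf '%s\n' \
        "lxc.network.type = veth" \
        "lxc.network.link = br-$c" \
        "lxc.network.flags = up" \
        "lxc.network.ipv4 = $ip_addr/32" \
        "lxc.network.ipv4.gateway = $gw"
}

# block_inter_container_forwarding <container>
# Optional: the routed setup above still lets containers reach each other via
# the host (they can "discover" each other, as the post notes). Dropping
# forwarded traffic between per-container bridges closes that too while
# leaving the uplink path alone.
block_inter_container_forwarding() {
    br="br-$1"
    run iptables -A FORWARD -i "$br" -o 'br-+' -j DROP
}

# Usage on the host (as root):
#   setup_container_net web 10.0.0.50 eth0
#   block_inter_container_forwarding web
#   container_net_config web 10.0.0.50 >> /var/lib/lxc/web/config
```

Run `DRY_RUN=1 CMDLOG=/tmp/cmds setup_container_net web 10.0.0.50 eth0` first and read `/tmp/cmds` to review exactly what would be applied; if your upstream router already routes the container prefix to the host, the uplink `proxy_arp` line is unnecessary and can be dropped.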