[lxc-users] Network isolation in unprivileged containers
Fajar A. Nugraha
list at fajar.net
Tue Oct 20 11:22:57 UTC 2015
On Tue, Oct 20, 2015 at 6:11 PM, Akshay Karle <akshay.a.karle at gmail.com>
>> It would help to know, what level of isolation you're thinking about?
>> What is the final end goal?
> I'm currently looking at ways to prevent any container from having the
> ability to discover other containers in the network and sniff their packets
> sent, which if sent over an unencrypted protocol (http for example) might
> be harmful as it could expose data.
"Discover" and "sniff other containers' packets" are two different things.
For example, on a routed setup where each container gets a /32 address,
they can still ping each other (thus discovering the others exist), but
they can't sniff traffic other than their own.
> I'm now considering setting up iptable rules on the host to achieve this
> but don't have much experience with iptables so will do my research now to
> see what is needed to setup the right iptable rules.
You mentioned you tried creating bridges for each container?
Combine that with direct /32 routing and proxyarp, and you pretty much
confine each container to their own /32 address space. They will not be
able to sniff other containers' traffic. They won't even be able to use
another IP address other than the one assigned to them.
I believe there was also a similar-resulting technique with openvswitch(?)
discussed some time ago on this list. Perhaps you can find it in the list
archives, I don't have the link handy right now.
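The per-container-bridge plus /32 routing plus proxyarp recipe from the reply above, written out as an added example (not code from the list post or from the LXC project). It is a small POSIX sh script that emits the host-side commands, the matching LXC 1.x network config, and the commands the container itself needs; the bridge naming (br-<container>), the 10.0.3.0/24 addresses, the host address 10.0.3.1 and the extra rp_filter sysctl are assumptions, not from the thread.

```shell
#!/bin/sh
# Added example (not from the list post): emits the host-side and container-side
# commands for the routed setup described above: one bridge per container, a /32
# route to the container's single address, and proxy ARP so the container can
# resolve the host as its gateway. Names (br-<container>), the 10.0.3.0/24
# addresses and the host address 10.0.3.1 are assumptions.

HOST_IP="10.0.3.1"   # address the host answers on every per-container bridge (assumed)

# Accept only a plain dotted-quad IPv4 address (no prefix length); returns 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(echo "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Host side: create bridge br-<name>, route exactly one /32 into it, and enable
# proxy ARP on that bridge. rp_filter is an addition to the thread's recipe: it
# drops frames whose source address is not the routed /32, so a container cannot
# even emit traffic under another address.
host_plan() {
    name="$1"; ip="$2"; br="br-$name"
    valid_ipv4 "$ip" || { echo "host_plan: bad address '$ip'" >&2; return 1; }
    cat <<EOF
ip link add $br type bridge
ip link set $br up
ip addr add $HOST_IP/32 dev $br
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$br.proxy_arp=1
sysctl -w net.ipv4.conf.$br.rp_filter=1
ip route add $ip/32 dev $br
EOF
}

# Container side (run inside the container or from its init scripts): with a /32
# address the gateway is not on-link, so a host route to it must come first.
container_plan() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "container_plan: bad address '$ip'" >&2; return 1; }
    cat <<EOF
ip addr add $ip/32 dev eth0
ip route add $HOST_IP/32 dev eth0
ip route add default via $HOST_IP dev eth0
EOF
}

# LXC 1.x config lines attaching the container's veth to its own bridge.
# (Assumption: lxc adds the off-link gateway route itself; container_plan
# above is the manual equivalent.)
lxc_config() {
    name="$1"; ip="$2"
    cat <<EOF
lxc.network.type = veth
lxc.network.link = br-$name
lxc.network.ipv4 = $ip/32
lxc.network.ipv4.gateway = $HOST_IP
EOF
}

# Demonstration: two containers, each confined to its own /32 (constructed values).
for spec in "ct1 10.0.3.11" "ct2 10.0.3.12"; do
    set -- $spec
    echo "# --- host commands for $1 ---"; host_plan "$1" "$2"
    echo "# --- $1 lxc config ---";        lxc_config "$1" "$2"
    echo "# --- inside $1 ---";            container_plan "$2"
done
```

Because each bridge carries exactly one /32 route, a container sees only its own unicast traffic and the host's ARP replies; discovery by ping still works (the host forwards between bridges), which is the distinction the reply draws. Anything the containers should not reach at all is then an iptables FORWARD rule on the host, not a bridge setting.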