[lxc-users] LXC Security?

Sean McNamara smcnam at gmail.com
Wed Mar 2 19:58:07 UTC 2016


On Wed, Mar 2, 2016 at 2:37 PM, Ingo Baab <ib at baab.de> wrote:
> Hello LXC-Users,
>
>  I just started to experiment with LXC/LXD and now I am looking for a good
> starting point (some kind of "cookbook") to get UN-privileged containers
> managed. I am a little confused by lxc versus the (older?) lxc-* commands.
> Are they "different systems"? How are they related?

The legacy lxc-* utilities are a separate system. In my opinion the
"lxc" command is very, VERY poorly named, because it actually serves
as a client for lxd, which is a userspace layer on top of the base lxc
(which is built on a whole set of kernel features, and some very low
level support). I'd call it lxd-client or lxdc or something *other
than* "lxc", unless the long-term plan is to deprecate all the lxc
userspace utilities in favor of lxd's client utility and subsume lxd
into the lxc project as the supported way forward.

The legacy utilities manage container storage and metadata differently
than the lxd system does. The data is in different directories and
stored in incompatible formats.


>
> I need:
>     - A Cookbook for securing LXC

The cookbook for securing LXC is basically to use *LXD* (through,
confusingly, the lxc command) and run unprivileged containers. In
theory, the latest version of LXD on an OS with it fully integrated
into the distro (like the upcoming Ubuntu 16.04) should be pretty
secure.

...Though if production-grade, multi-tenant boxes where the tenants
are mutually untrusting is part of your use case, you might want to
seriously consider holding off on lxd until at least a few CVEs have
been filed against it. Given the codebase size, probability favors at
least a few vulns that will probably be shaken out over time.


>     - How are (the older) lxc-* and lxc/lxd related?
>
> Thank you in advance,
> Ingo Baab
>
> _____
> Already read here and there..
> https://wiki.ubuntu.com/LxcSecurity
> https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-security
> https://linuxcontainers.org/lxc/security/
> https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
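Since the practical advice in the reply is "use LXD and run unprivileged containers", here is an added example (my own, not code from Sean's reply, the thread, or the LXD project) of how a defender could audit for that: a small POSIX shell script that reads `lxc config show <container>` output and flags containers with `security.privileged` set to `"true"`, and checks that the host's `/etc/subuid` grants a user a large enough subordinate uid range for unprivileged containers. The container configs and subuid file below are constructed sample data so the script runs offline; the `security.privileged` key, the `lxc config show` command and the `/etc/subuid` layout are real, but the container names, uids and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit LXD containers for
# privileged mode and check the host's subordinate uid ranges. Sample data is
# constructed; on a real host pipe `lxc config show NAME` and /etc/subuid in.

# is_privileged: reads `lxc config show` output on stdin; returns 0 when the
# container has security.privileged set to "true", 1 otherwise.
is_privileged() {
    # LXD prints the key YAML-style, e.g.   security.privileged: "true"
    grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?[[:space:]]*$'
}

# has_subid_range: reads /etc/subuid (or /etc/subgid) on stdin and returns 0
# if USER has an entry granting at least MIN ids (65536 = a full uid range,
# which is what an unprivileged container needs for its 0..65535 mapping).
# usage: has_subid_range USER [MIN] < /etc/subuid
has_subid_range() {
    user=$1; min=${2:-65536}
    awk -F: -v u="$user" -v m="$min" '
        $1 == u && $3 + 0 >= m { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_container NAME CONFIG_TEXT: prints a verdict; non-zero exit = finding.
audit_container() {
    name=$1
    if printf '%s\n' "$2" | is_privileged; then
        echo "$name: PRIVILEGED (container root is host uid 0; no uid mapping)"
        return 1
    fi
    echo "$name: unprivileged"
    return 0
}

# --- constructed sample data (not captured from a real host) ---
PRIV_CFG='architecture: x86_64
config:
  security.privileged: "true"
  volatile.last_state.power: RUNNING
name: legacy-web'

UNPRIV_CFG='architecture: x86_64
config:
  volatile.last_state.power: RUNNING
name: tenant-app'

SUBUID='root:100000:65536
lxd:165536:65536
alice:231072:1000'

findings=0
audit_container legacy-web "$PRIV_CFG" || findings=$((findings + 1))
audit_container tenant-app "$UNPRIV_CFG" || findings=$((findings + 1))
echo "privileged containers found: $findings"

if printf '%s\n' "$SUBUID" | has_subid_range root; then
    echo "root has a full subuid range for unprivileged containers"
fi
if ! printf '%s\n' "$SUBUID" | has_subid_range alice; then
    echo "alice lacks a full subuid range (only 1000 ids): unprivileged containers will fail to map"
fi
```

On a real host the same two checks are `lxc config show NAME | is_privileged` and `has_subid_range root < /etc/subuid` (and the same against `/etc/subgid`); a container without the `security.privileged` key is unprivileged by default in LXD, which is why the script only looks for an explicit `"true"`.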
