[lxc-users] LXC Security?
Benoit GEORGELIN - Association Web4all
benoit.georgelin at web4all.fr
Wed Mar 2 20:42:10 UTC 2016
Hi, I think what you mentioned here is quite important and relevant:
The legacy lxc-* utilities are a separate system. In my opinion the
"lxc" command is very, VERY poorly named, because it actually serves
as a client for lxd, which is a userspace layer on top of the base lxc
(which is built on a whole set of kernel features, and some very low
level support). I'd call it lxd-client or lxdc or something *other
than* "lxc", unless the long-term plan is to deprecate all the lxc
userspace utilities in favor of lxd's client utility and subsume lxd
into the lxc project as the supported way forward.
The legacy utilities manage container storage and metadata differently
than the lxd system does. The data is in different directories and
stored in incompatible formats.
Regards,
Benoît
From: "Sean McNamara" <smcnam at gmail.com>
To: "lxc-users" <lxc-users at lists.linuxcontainers.org>
Sent: Wednesday, 2 March 2016 14:58:07
Subject: Re: [lxc-users] LXC Security?
On Wed, Mar 2, 2016 at 2:37 PM, Ingo Baab <ib at baab.de> wrote:
> Hello LXC-Users,
>
> I just started to experiment with LXC/LXD and now I am looking for a good
> starting point (some kind of "cookbook") to get UN-privileged containers
> managed. I am a little confused by lxc versus the (older?) lxc-* commands.
> Are they "different systems"? How are they related?
The legacy lxc-* utilities are a separate system. In my opinion the
"lxc" command is very, VERY poorly named, because it actually serves
as a client for lxd, which is a userspace layer on top of the base lxc
(which is built on a whole set of kernel features, and some very low
level support). I'd call it lxd-client or lxdc or something *other
than* "lxc", unless the long-term plan is to deprecate all the lxc
userspace utilities in favor of lxd's client utility and subsume lxd
into the lxc project as the supported way forward.
The legacy utilities manage container storage and metadata differently
than the lxd system does. The data is in different directories and
stored in incompatible formats.
>
> I need:
> - A Cookbook for securing LXC
The cookbook for securing LXC is basically to use *LXD* (through,
confusingly, the lxc command) and run unprivileged containers. In
theory, the latest version of LXD on an OS with it fully integrated
into the distro (like the upcoming Ubuntu 16.04) should be pretty
secure.
...Though if production-grade, multi-tenant boxes where the tenants
are mutually untrusting is part of your use case, you might want to
seriously consider holding off on lxd until at least a few CVEs have
been filed against it. Given the codebase size, probability favors at
least a few vulns that will probably be shaken out over time.
> - How are (the older) lxc-* and lxc/lxd related?
>
> Thank you in advance,
> Ingo Baab
>
> _____
> Already read here and there..
> https://wiki.ubuntu.com/LxcSecurity
> https://help.ubuntu.com/lts/serverguide/lxc.html#lxc-security
> https://linuxcontainers.org/lxc/security/
> https://www.sans.org/reading-room/whitepapers/linux/securing-linux-containers-36142
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
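A small shell check, added here and not taken from any message in this thread, that follows Sean's two points: the legacy lxc-* tools and LXD store container configuration in different formats, and the practical security baseline is to run unprivileged containers. It reads a container's stored configuration in either layout (the flat key=value file the legacy tools use, or the YAML that `lxc config show` prints for LXD) and reports whether the container is unprivileged. The four sample configurations are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify a container as privileged or
# unprivileged from its stored configuration, for both the legacy lxc-*
# layout and the LXD layout. All sample configs below are constructed.

# Constructed: legacy lxc-* config of an unprivileged container. LXC 1.x
# spells the mapping key lxc.id_map; LXC 2.1 and later spell it lxc.idmap.
LEGACY_UNPRIV='lxc.rootfs = /home/ubuntu/.local/share/lxc/c1/rootfs
lxc.utsname = c1
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536'

# Constructed: legacy config with no uid/gid mapping, so root inside the
# container is the host's root.
LEGACY_PRIV='lxc.rootfs = /var/lib/lxc/c2/rootfs
lxc.utsname = c2'

# Constructed: `lxc config show` output for an LXD container left at the
# default. No security.privileged key means unprivileged.
LXD_UNPRIV='name: c3
config:
  image.os: ubuntu
devices: {}'

# Constructed: LXD container explicitly switched to privileged.
LXD_PRIV='name: c4
config:
  security.privileged: "true"
devices: {}'

# Legacy layout, config on stdin: unprivileged only when both a uid ("u")
# and a gid ("g") mapping line are present.
legacy_is_unprivileged() {
    _cfg=$(cat)
    printf '%s\n' "$_cfg" | grep -Eq '^[[:space:]]*lxc\.(id_map|idmap)[[:space:]]*=[[:space:]]*u[[:space:]]' &&
    printf '%s\n' "$_cfg" | grep -Eq '^[[:space:]]*lxc\.(id_map|idmap)[[:space:]]*=[[:space:]]*g[[:space:]]'
}

# LXD layout, YAML on stdin: unprivileged is the default; only an explicit
# security.privileged set to true makes the container privileged.
lxd_is_unprivileged() {
    ! grep -Eq '^[[:space:]]*security\.privileged:[[:space:]]*"?true"?[[:space:]]*$'
}

# Print a one-line verdict. Exit status 0 = unprivileged, 1 = privileged.
report() {
    _kind=$1; _name=$2; _cfg=$3
    if printf '%s\n' "$_cfg" | "${_kind}_is_unprivileged"; then
        echo "$_name ($_kind): unprivileged"
    else
        echo "$_name ($_kind): PRIVILEGED - root inside maps to host root"
        return 1
    fi
}

report legacy c1 "$LEGACY_UNPRIV"
report legacy c2 "$LEGACY_PRIV" || true
report lxd c3 "$LXD_UNPRIV"
report lxd c4 "$LXD_PRIV" || true
```

On a real host the same functions take `cat /var/lib/lxc/NAME/config` (or the per-user path under `~/.local/share/lxc`) for the legacy tools, and `lxc config show NAME` for LXD; for LXD, checking the profiles applied to the container matters too, since `security.privileged` can also come from a profile.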