[lxc-users] LXD in VMs and image format stability

jhickman at 0metasecurity.com
Sat Jan 21 08:42:47 UTC 2017


Hi list.

I'm interested in using LXD in my penetration testing business to solve a couple of infrastructure issues I have, and wanted some feedback if I could get it.

I currently use XenServer 7 to run VMs for various purposes, both as a 'lab' for testing tools and techniques, but also to host 'work' VMs for running security engagements against client systems.

I like XenServer and consider its performance quite good, but it would grant me extra flexibility if I could use LXD containers to provide isolated environments to run certain tools, do exploit development and reverse-engineering, etc.

Are there any particular disadvantages to having LXD itself inside a VM? Or is best practice to run it directly on bare metal? It seems like there would be some expected overhead lost in terms of CPU and some network throughput, but is there anything else I should know?

The other concern I had was about the 'export' feature of lxc. I want to use the export functionality to provide a complete copy of the environment and all work (logs, bash history, command spool, etc.) and all files created (source and compiled exploit code, bespoke scripts and tools, etc.) inside the container. That exported image is combined with other files from the engagement and then archived in air-gapped, encrypted storage. I understand from reading that the tarball is the rootfs from the container, so the files are obviously available. However, I would prefer to have the option of launching that container and interacting with the exact versions of all tools, frameworks etc. as they were at the time of that engagement.

Put simply: if I have to unseal this archive 2-3 years later, does lxc provide any guarantee that the image will still import?

Thanks to any who take the time to read this wall of text.

Jon Hickman
Lead Penetration Tester, OSCP
0metasecurity.com
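One practical step toward the archiving concern raised above is to seal each exported image together with its fingerprint and a sanity check of the parts LXD needs at import time. The script below is an added example, not code from the post or from the LXD project. It assumes the unified LXD image tarball layout (a top-level metadata.yaml next to a rootfs/ directory) and that LXD's fingerprint for such a tarball is the SHA-256 of the tarball itself; the image it builds is a constructed stand-in, not a real LXD export, so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: record and verify an LXD-style image tarball before and
# after long-term archiving. The sample image built here is constructed
# (metadata.yaml + rootfs/) and is NOT a real LXD export.
set -eu

# Portable SHA-256 of a file: GNU coreutils (sha256sum) or BSD/macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a constructed image tarball at "$1" mimicking LXD's unified layout.
make_sample_image() {
    out="$1"
    work="$(mktemp -d)"
    mkdir -p "$work/rootfs/etc"
    echo "engagement-box" > "$work/rootfs/etc/hostname"
    # Fields LXD expects in metadata.yaml (values here are illustrative).
    cat > "$work/metadata.yaml" <<EOF
architecture: x86_64
creation_date: 1485000000
properties:
  description: constructed sample image
  os: ubuntu
EOF
    tar -C "$work" -cf "$out" metadata.yaml rootfs
    rm -rf "$work"
}

# Write the fingerprint to "<image>.sha256" (store it inside the sealed
# archive next to the tarball) and echo it.
record_fingerprint() {
    sha256_of "$1" > "$1.sha256"
    cat "$1.sha256"
}

# Verify an archived image: fingerprint unchanged, metadata.yaml present,
# and an architecture field set. Returns 0 on success, 1 on any failure.
verify_image() {
    img="$1"
    expected="$(cat "$img.sha256")"
    actual="$(sha256_of "$img")"
    if [ "$expected" != "$actual" ]; then
        echo "fingerprint mismatch: expected $expected got $actual" >&2
        return 1
    fi
    if ! tar -tf "$img" | grep -qx 'metadata.yaml'; then
        echo "metadata.yaml missing from $img" >&2
        return 1
    fi
    if ! tar -xOf "$img" metadata.yaml | grep -q '^architecture:'; then
        echo "metadata.yaml has no architecture field" >&2
        return 1
    fi
    echo "ok: $img fingerprint $actual"
    return 0
}

# Stand-alone run on the constructed sample (temporary directory).
demo_dir="$(mktemp -d)"
make_sample_image "$demo_dir/engagement.tar"
record_fingerprint "$demo_dir/engagement.tar"
verify_image "$demo_dir/engagement.tar"
```

The check tells you that the tarball you unseal is byte-for-byte the one you archived and still carries the metadata an import needs; it does not, and cannot, tell you that a future LXD release will accept that format, which is the separate question the post asks the list. Recording the LXD version that produced the export alongside the fingerprint costs nothing and makes that later decision easier.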
