[lxc-users] Linuxcontainers security?

Stéphane Graber stgraber at ubuntu.com
Sun Mar 19 16:43:45 UTC 2017


On Sun, Mar 19, 2017 at 05:08:24PM +0100, Ingo Baab wrote:
> Hi LXD/LXC Users,
> 
>  today I read that at the hacking contest "Pwn2Own" 'they' escaped from a
> VMWare
> (running Windows10) using three exploits together (exploiting Edge and using
> a windows-
> 10-kernel-hack..) [1].
> 
> I asked myself, how secure is a (my) LXD/LXC container system?
> 
> How do you 'estimate' the security running a webhosting-container as I do
> getting compromised?
> I do successfully setup and run nginx, php7, redis-server, mysql-server on
> my linux-containers.
> 
> Any information or links are highly apreciated,
> Ingo Baab
> ___
> [1] https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

See https://linuxcontainers.org/lxc/security/

So it depends on:
 - Container is unprivileged or not
 - If unprivileged, uses dedicated id map
 - Container uses secure network
 - Resource limits applied to the container

If all of that is done properly, then you're fine so long as there
aren't any kernel issue allowing privilege escalation. Which would be a
big problem regardless of whether you're running things in a container
or not.


One thing that tends to always be true is that running the same code
inside a container instead of directly on the host will not make things
any worse.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170319/be15b92d/attachment.sig>


More information about the lxc-users mailing list