[lxc-users] More secure container

Andrey Repin anrdaemon at yandex.ru
Tue May 9 21:22:54 UTC 2017


Greetings, T.C 吳天健!

> It's said a privileged container is unsecured. For example, if a user in the
> container (suppose it's running a service toward the public) hacks the system
> with some kind of rootkit.

This is not specifically correct. The road to compromising the container is
rather thorny.
Even if the container is privileged and the container owner has root access inside
the container, gaining any host advantage would be hard if not impossible,
unless the host configuration is far from sane.

> I am thinking of building a more secure container. The first idea is to
> use an unprivileged container; the second is to apply cgroup to limit viewing
> of some sensitive /dev files. Any recommendation?

LXD by default is "secure" in the sense that even if the container is compromised,
the effective UID the container user is running from has no rights on the host.

> Summary
> -use unprivileged container

Right.

> -cgroup to limit viewing of some /dev files

Unnecessary in real-world application.


-- 
With best regards,
Andrey Repin
Wednesday, May 10, 2017 00:17:31

Sorry for my terrible English...
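
The UID mapping mentioned in the reply above, as an added example that is not part of the original message or of LXC/LXD itself: it parses an ID map in the format of /proc/<pid>/uid_map (as read from the host for a container process) and reports which host UID the container's root corresponds to. The two sample maps and all function names are constructed for illustration.

```python
"""Interpret a user-namespace ID map (the format of /proc/<pid>/uid_map)."""
from pathlib import Path


def parse_id_map(text):
    """Return [(inside_start, outside_start, count), ...] from uid_map text."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def to_host_id(ranges, container_id):
    """Translate an ID used inside the container to the host ID, or None if unmapped."""
    for inside, outside, count in ranges:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def root_is_host_root(ranges):
    """True when container UID 0 is host UID 0, i.e. a privileged container."""
    return to_host_id(ranges, 0) == 0


# Constructed sample maps (assumptions for illustration, not from the thread).
PRIVILEGED_MAP = "         0          0 4294967295\n"
UNPRIVILEGED_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    samples = (("privileged", PRIVILEGED_MAP), ("unprivileged", UNPRIVILEGED_MAP))
    for name, text in samples:
        ranges = parse_id_map(text)
        print(name, "container root -> host UID", to_host_id(ranges, 0),
              "| host root:", root_is_host_root(ranges))
    # On Linux, show the map of the current process as well.
    live = Path("/proc/self/uid_map")
    if live.exists():
        print("this process:", parse_id_map(live.read_text()))
```

With the unprivileged sample, root inside the container is host UID 100000, an ordinary unprivileged ID on the host; IDs outside the mapped range have no host equivalent at all.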

