[lxc-users] More secure container

Fajar A. Nugraha list at fajar.net
Wed May 10 03:24:05 UTC 2017

On Wed, May 10, 2017 at 4:22 AM, Andrey Repin <anrdaemon at yandex.ru> wrote:

> Greetings, T.C 吳天健!
> > Its said privileged container is unsecured . For example, if a user in
> the
> > container (suppose it's running a service toward the public) hack the
> system
> > with some kind of root kit.
> This is not specifically correct. The road to compromising the container is
> rather thorny.
> Even if container is privileged and the container owner has root access
> inside
> the container, gaining any host advantage would be hard if not impossible,
> unless the host configuration is far from sane.
> > I am thinking of building a more secure container.  The first idea is to
> > use unprivileged container;  Second is apply cgroup to limit viewing of
> some
> > sensitive /dev files, and any recommendation?
> LXD by default is "secure" in sense that even if container is compromised,
> the
> effective UID the container user is running from has no rights on the host.
... and there's also the option in lxd to use separate u/gid range for each
container (by default all unpriv lxd containers share the same u/gid range).

> > Summary
> > -use unprivileged container
> Right.
> > -cgroup to limit viewing of some /dev files
> Unnecessary in real-world application.
lxc and lxd already limits which device nodes (block and char) allowed in
the container.

@T.C, what are your requirements/ideas that isn't already available in lxd?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20170510/263aa7be/attachment.html>

More information about the lxc-users mailing list